

Partnership Creation and Activation

This section contains the following topics:

Partnership Creation

Partnership Definition

Partnership Identification and Configuration

Partnership Confirmation

Partnership Activation

Exporting a Partnership

Partnership Creation

The main purpose of partnership federation is to establish a partnership between two organizations so that they share user identity information and facilitate single sign-on (SSO). A partnership consists of two entities at different sites, one local and one remote. Either entity can assume the role of the asserting party (the side that produces assertions) or the relying party (the side that consumes assertions).

If CA SiteMinder® is installed at both sites, each site must define a partnership. For each local asserting party-to-relying party partnership at one site, there has to be a reciprocal local relying party-to-asserting party partnership at the partner site. For example, for the partnership configuration at Entity A, Entity A is a local Identity Provider (IdP) and Entity B is the remote Service Provider (SP). For the partnership configuration at Entity B, Entity B is the local Service Provider (SP) and Entity A is its remote Identity Provider (IdP). The perspective is based on the local entity.

The following figure shows the entity relationships for a partnership.

Figure: SiteMinder at each federated partner site

Note: An asserting party can have partnerships with more than one relying party and a relying party can establish partnerships with more than one asserting party.

To create a partnership, a partnership wizard takes you through the required configuration steps.

Partnership Definition

The federation partnership definition specifies which federation partner is local, and which federation partner is remote.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Federation, Partnership Federation, Partnerships.

    The Federation Partnerships dialog is displayed.

  3. Click Create Partnership in the Federation Partnership List.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  4. Select one of the following partnerships:

The partnership dialog opens at the first step in the partnership wizard.

Partnership Identification and Configuration

In the Configure Partnership step of the wizard, identify the partnership by naming the partnership and specifying the local and remote entities.

Note: Click Help for a description of fields, controls, and their respective requirements.

Follow these steps:

  1. Enter a name for the partnership. You can use alphanumeric characters, underscores, hyphens, and periods in the name. Spaces are not allowed.
  2. (Optional) Type a description.
  3. Select a local entity from the local list if you have already configured an entity. If not, click Create Local Entity.
  4. Select a remote entity from the remote list if you have already configured an entity. If not, click Create Remote Entity.

    Note: You can defer this step if you plan to create the remote entity later by importing metadata.

  5. (Optional) Specify a Base URL.
  6. (Optional) Enter the Skew Time in seconds.

    The skew time is the difference, in seconds, between the system clock on the local system and the system clock on the remote system. This difference usually comes from ordinary clock drift. Determine the value by reading both clocks at the same instant and subtracting one time from the other, then enter the difference in seconds.

    The system uses the skew time together with the SSO validity duration to determine how long an assertion is accepted. A larger skew time therefore widens the window in which a captured assertion would still pass the time check, so keep the clocks at both sites synchronized (for example with NTP) and set the skew time no larger than the drift you actually observe.

  7. Select one or more user directories from the Available Directories list and move them to the Selected Directories list.

    If you configure only one user directory, that directory is automatically placed in the Selected Directories list.

    Important! To use an ODBC database as a user directory, define an SQL Query scheme and valid SQL queries. These steps are necessary before you can select it as a user directory.

  8. Click Next to continue through the partnership wizard. The remaining steps of the wizard let you configure the features of a partnership; some features are required and some are optional. The configuration details for these features are described in subsequent sections of this guide.
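The following example, added here and not part of the original guide or the product's own code, shows what the skew time setting in step 6 means in practice: how a value is measured from two clock readings, and how the skew widens the window in which a relying party accepts an assertion. The 600-second validity duration, the timestamps and the assumption that skew is applied symmetrically at both ends of the Conditions window (the conventional SAML treatment) are illustration assumptions, not statements about how the product implements the check.

```python
from datetime import datetime, timedelta, timezone

# Assumed value for illustration only; it is not taken from any SiteMinder
# configuration. 600 s stands in for the partnership's SSO validity duration.
SSO_VALIDITY_SECONDS = 600


def parse_utc(ts):
    """Parse a SAML-style UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def fmt_utc(dt):
    """Format a datetime the way SAML timestamps are written (UTC, trailing Z)."""
    return dt.astimezone(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")


def measured_skew_seconds(local_ts, remote_ts):
    """Skew time as the wizard asks for it: the difference, in whole seconds,
    between the local clock and the partner's clock read at the same instant
    (for example a timestamp the partner's server returned in a response)."""
    delta = parse_utc(remote_ts) - parse_utc(local_ts)
    return abs(int(delta.total_seconds()))


def conditions_window(issue_instant_ts, validity_seconds=SSO_VALIDITY_SECONDS):
    """NotBefore / NotOnOrAfter as the asserting party would stamp them."""
    start = parse_utc(issue_instant_ts)
    return fmt_utc(start), fmt_utc(start + timedelta(seconds=validity_seconds))


def assertion_is_valid(now_ts, not_before_ts, not_on_or_after_ts, skew_seconds):
    """Relying-party time check: accept when `now` lies inside the Conditions
    window widened by the configured skew at both ends. Symmetric application
    of the skew is assumed here (the usual SAML practice)."""
    if skew_seconds < 0:
        raise ValueError("skew time must be zero or positive")
    skew = timedelta(seconds=skew_seconds)
    now = parse_utc(now_ts)
    return (parse_utc(not_before_ts) - skew) <= now < (parse_utc(not_on_or_after_ts) + skew)


def acceptance_window_seconds(validity_seconds, skew_seconds):
    """Total time during which a captured assertion passes the time check:
    every second of skew adds one second at each end of the window."""
    return validity_seconds + 2 * skew_seconds


if __name__ == "__main__":
    issued = "2024-01-01T12:00:00Z"
    nb, noa = conditions_window(issued)
    # Constructed reading: the relying party's clock is 90 s behind the IdP clock.
    rp_now = "2024-01-01T11:58:30Z"
    print("measured skew:", measured_skew_seconds(issued, rp_now), "s")
    print("accepted with skew 0:", assertion_is_valid(rp_now, nb, noa, 0))
    print("accepted with skew 120:", assertion_is_valid(rp_now, nb, noa, 120))
    print("acceptance window with skew 120:", acceptance_window_seconds(600, 120), "s")
```

With the clocks 90 seconds apart, an assertion issued "now" by the IdP is rejected by a relying party configured with zero skew because its NotBefore lies in the relying party's future; a skew of 120 seconds makes it acceptable but also stretches the total acceptance window from 600 to 840 seconds.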

Note: If you are editing a partnership, you can click Get Updates next to this field to update the entity information. The latest information from the entity configuration is propagated to the partnership. However, if you edit the entity information directly from the partnership, the changes do not get propagated back to the individual entity configuration.

Editing Entities from the Partnership

You can click Get Updates next to the local and remote entity fields to update information about the entity. When you select Get Updates, the system asks to pull in the latest information from the entity.

After confirmation, the partnership you are editing is refreshed with the latest entity information. Changes are saved when you complete the partnership wizard. If you do not confirm the update, the partnership configuration remains the same.

The Entity Name identifies an entity object in the policy store. The Entity Name must be unique because the product uses this value internally to distinguish one entity from another. This value is not used externally, and the remote partner is not aware of it.

If the Entity ID represents a remote partner, the value must be unique. If the Entity ID represents a local partner, it can be reused on the same system.

Note: The Entity Name can be the same value as the Entity ID, but do not share the value with any other entity.

An entity is a key component of a federation partnership. Changing an entity alters the partnership significantly; therefore, the Administrative UI does not let you replace an entity after it is in a partnership. To replace an entity, create a new partnership.

To provide some flexibility within a partnership configuration, you can change the entity ID at the partnership level, because the entity ID is not what identifies the entity uniquely (the Entity Name is). Changing the entity ID at the partnership level does not link the partnership to a different entity; the original entity in the partnership does not change. Modifications propagate one way only, from the entity to the partnership. A change to the entity ID made in the partnership is not propagated back to the original entity.

Regard entity configurations as templates. Partnerships are created based on the entity templates so changing the partnership does not change the original entity template.

Partnership Confirmation

Review the partnership configuration before saving it.

Follow these steps:

  1. Review the settings in the Confirm step of the Partnership wizard.
  2. Click Modify in each group box to change any settings.
  3. Click Finish when you are satisfied with the configuration.

The partnership configuration is complete.

Partnership Activation

After you configure all the required settings for a partnership, activate it to use it. You can also deactivate a partnership using the same process.

Follow these steps:

  1. Select Federation, Partnership Federation, Partnerships.

    The Partnerships dialog opens.

  2. From the Actions menu, select Activate or Deactivate next to the partnership of interest.

    A confirm dialog displays.

    Note: Activate is only available for a partnership in DEFINED or INACTIVE status. Deactivate is only available for a partnership in ACTIVE status.

  3. Click Yes to confirm your selection.

    The status of the partnership is set and the display is refreshed.

Important! Deactivate a partnership before you modify it.

Exporting a Partnership

You can use metadata as a basis for creating remote entities and forming a partnership. Metadata makes partnership configuration more efficient because many aspects of an entity are already defined in the metadata file. The partner can then import the file to create a partnership or a remote entity.

You do not have to complete a partnership before exporting it. You can configure a portion of the partnership and then export it.

In the Administrative UI, you can export metadata from an existing partnership entry.

Note: In the Administrative UI, you can export metadata from an existing local asserting or relying entity. When you export SAML 1.1 data, the terms used in the resulting metadata file are SAML 2.0 terms. This convention is part of the SAML specification. When you import the SAML 1.1 data, the terms are imported correctly using SAML 1.1 terminology.

When exporting from the partnership, the selected partnership is used as the basis of the export. You are not allowed to define a new partnership name. CA SiteMinder® uses the name from the selected partnership.

Follow these steps:

  1. Select Federation, Partnership Federation, Partnerships.

    The Partnership dialog displays.

  2. Click the Action pull-down menu next to the appropriate entry in the list and select Export Metadata.

    The Export Metadata dialog opens.

  3. Complete the fields on the dialog.

    If you are exporting a partnership in ACTIVE status, most of the fields are read-only. Only the Validity Duration field and the alias drop-down list are modifiable.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  4. Click Export to finish.
  5. A dialog prompts you to open or save the metadata file. You can open it to view it.
  6. Save the data to an XML file on your local system.

The metadata is exported to the specified XML file.
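Before the exported file is handed to the partner, it is worth checking what it actually declares. The following script is an added example, not part of this guide or of the product; it parses a constructed metadata file of the shape an export produces (the entityID, URLs, validUntil value and certificate text are invented placeholders) and reports the things a partner administrator would otherwise discover at import time: a missing or expired validUntil, a role descriptor with no signing certificate, and endpoints published over plain http. The protocolSupportEnumeration it reports is also where a SAML 1.1 export shows up in SAML 2.0 metadata terms, as the note above describes.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of an exported IdP metadata file. The
# entityID, URLs, validUntil value and certificate text are invented.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2"
    validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertificateBase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/affwebservices/public/saml2sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_utc(ts):
    """validUntil is an xs:dateTime; exports write it in UTC with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def summarize_metadata(xml_text):
    """Extract the facts a partner administrator checks before importing the file."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single EntityDescriptor, got %s" % root.tag)
    roles = []
    for tag in ("IDPSSODescriptor", "SPSSODescriptor"):
        for role in root.findall("md:" + tag, NS):
            # A KeyDescriptor without a 'use' attribute covers signing and encryption.
            signing = [kd for kd in role.findall("md:KeyDescriptor", NS)
                       if kd.get("use") in (None, "signing")]
            endpoints = [(el.tag.split("}")[1], el.get("Binding"), el.get("Location"))
                         for el in role if el.tag.endswith("Service")]
            roles.append({
                "role": tag,
                "protocols": role.get("protocolSupportEnumeration", "").split(),
                "signing_certs": len(signing),
                "endpoints": endpoints,
            })
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "roles": roles,
    }


def metadata_problems(xml_text, now_ts):
    """Return the findings to fix before sending the file; now_ts is the
    current time as a UTC timestamp string (passed in so the check is repeatable)."""
    now = parse_utc(now_ts)
    info = summarize_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["valid_until"]:
        problems.append("missing validUntil: partner cannot tell when the file expires")
    elif parse_utc(info["valid_until"]) <= now:
        problems.append("validUntil is already in the past")
    if not info["roles"]:
        problems.append("no IdP or SP role descriptor")
    for role in info["roles"]:
        if role["signing_certs"] == 0:
            problems.append("%s has no signing certificate" % role["role"])
        for name, _binding, location in role["endpoints"]:
            if not (location or "").startswith("https://"):
                problems.append("%s %s endpoint is not https: %s" % (role["role"], name, location))
    return problems


if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_METADATA))
    print(metadata_problems(SAMPLE_METADATA, "2024-06-01T00:00:00Z"))
```

Run it against the real exported XML by reading the file into `xml_text`; an empty problem list means the file carries an entityID, a future validUntil, a signing certificate and https endpoints, which is the minimum the partner needs to import it without a follow-up round trip.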