How To Configure the Relying Party in a Federation Partnership

Use the Federation Manager user interface to configure partnerships. The following process establishes a Federation Manager partnership. Some of the steps in this process require specific settings for the SiteMinder Agent for SAP Web AS. For the settings relevant to the Agent for SAP Web AS, more detailed configuration instructions follow this general process.

To learn more about Federation Manager and partnership creation, see the CA Federation Manager Guide.

Important! Configure the Agent for SAP Web AS in Federation mode for the SiteMinder Agent for SAP Web AS to operate with Federation Manager.

The deployment in this chapter has Federation Manager and the SiteMinder Agent for SAP Web AS at the relying party. Therefore, the following configuration process is only for the relying party. The administrator at the remote asserting party must configure that party properly for federated communication. Although the asserting party configuration process is beyond the scope of this chapter, there are configuration issues to consider.

Follow these steps:

  1. Log in to the Federation Manager.
  2. Identify the federation entities (the local and remote partners) that make up the partnership.

    In this partnership, the SiteMinder Agent for SAP Web AS is the local relying party and the partner is the remote asserting party. The Federation Manager UI provides an entity wizard to guide you through this process.

  3. Create a partnership. The Federation Manager Partnership Wizard guides you through the necessary steps.

    The SiteMinder Agent for SAP Web AS is the local relying party, so you must create, for example, a SAML2 SP -> IdP partnership.

    Configure the following partnership details:

    1. Partnership name and participating entities
    2. Federation users
    3. User identification.

      The user identification step is where you specify the identity of the user on the SAP Web AS.

    4. Single sign-on (SSO).

      The single sign-on configuration is where you define whether the assertion is passed using HTTP-Artifact or POST as the single sign-on profile. You also define the target resource that the user wants to access.

    5. Single logout (SLO) – SAML 2.0 only.

      Single logout enables the simultaneous ending of user sessions within the browser that initiated the session.

    6. Digital signing of assertions and assertion responses.
    7. Encryption of assertions and assertion content – SAML 2.0 only.
  4. Configure the identity cookie information for Federation mode.

    The Agent needs its FEDZone and FEDPassword settings to match the cookie zone and password settings for Federation Manager. The values must be shared during an out-of-band communication.

  5. (Optional) If the assertion sent by the asserting partner contains attributes, the application on the SAP server has to retrieve these attributes. Review the instructions on assertion attribute retrieval for details on how to accomplish this task.
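
Before choosing the single sign-on profile, single logout, and signing settings in the partnership details above, it helps to confirm what the remote asserting party actually publishes. The following Python check is an added example, not part of the CA guide or of Federation Manager. It assumes the asserting party supplies standard SAML 2.0 metadata XML; the function name `audit_idp_metadata` and the sample document are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample for a hypothetical asserting party; certificate data omitted.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo/></md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def audit_idp_metadata(xml_text, sso_profile="POST", want_slo=False):
    """Return findings that conflict with the planned relying-party settings."""
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: entity does not act as an asserting party"]
    findings = []
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS)
            if k.get("use") in (None, "signing")]
    if not keys:
        findings.append("no signing key: assertion signatures cannot be verified")
    if idp.find("md:SingleSignOnService", NS) is None:
        findings.append("no SingleSignOnService endpoint")
    # Artifact profile: the relying party must call back to resolve the artifact.
    if (sso_profile == "HTTP-Artifact"
            and idp.find("md:ArtifactResolutionService", NS) is None):
        findings.append("HTTP-Artifact chosen but no ArtifactResolutionService")
    if want_slo and idp.find("md:SingleLogoutService", NS) is None:
        findings.append("SLO chosen but no SingleLogoutService")
    return findings


if __name__ == "__main__":
    for profile in ("POST", "HTTP-Artifact"):
        print(profile, audit_idp_metadata(SAMPLE_IDP_METADATA, profile, want_slo=True))
```

An empty list means the published metadata is consistent with the planned settings; each finding names the partnership option to revisit with the asserting party's administrator.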