Previous Topic: Partnership Creation and ActivationNext Topic: User Identification at the Relying Party

CA SiteMinder® Federation Standalone GuideFederated User Identification for a Partnership

Federated User Identification for a Partnership

This section contains the following topics:

Federation Users Configuration at the Asserting Party

User Identification at the Relying Party

Federation Users Configuration at the Asserting Party

The Federation Users dialog is the second step in the partnership wizard when the local entity is the asserting party. This step lets you specify which users are authorized to access target resources at the remote site. Additionally, you can enable the CA SiteMinder® Connector for CA SiteMinder® Federation Standalone integration with CA SiteMinder®.

The CA SiteMinder® Connector is a software component that enables a deployed CA SiteMinder® system to integrate with CA SiteMinder® Federation Standalone. If CA SiteMinder® Federation Standalone is at the asserting party, the CA SiteMinder® Connector can create a CA SiteMinder® Federation Standalone session from a CA SiteMinder® session. To establish the CA SiteMinder® session, CA SiteMinder® authenticates the user first and then the user visits the asserting party.

You can enable the CA SiteMinder® Connector on a per-partnership basis; however, only one global connector configuration applies to all partnerships. The connector is available only when the check box in the Deployment Settings is selected and a configuration is defined. You access the Deployment Settings from the Infrastructure tab in the UI. After enabling the Connector globally, CA SiteMinder® Federation Standalone evaluates the partnership configuration to determine whether the Connector is enabled. The partnership uses the global Connector configuration.

To disable the Connector for the partnership, clear the check box at the partnership level. To disable the Connector globally, disable it in the Deployment Settings.

Important! If the Connector is disabled at the global level, CA SiteMinder® Federation Standalone ignores the check box at the partnership level.

Configure Federation Users

Federation users are those users that are allowed to access protected federated resources.

Follow these steps:

Note: Click Help for a description of fields, controls, and their respective requirements.

  1. Select a user directory from the list in the Directory column of the table of the Federated Users group box.

    The pull-down list consists of one or more directory entries, depending on the number of directories you specified in the previous dialog.

  2. Select the user class in the User Class column. This entry specifies a category of individual users or groups of users that can be authenticated. The options for this field depend on the type of user directory (LDAP or ODBC). Refer to the User Class tables for an explanation and example of each user class.
  3. Enter a name or filter in the User Name/Filter By column. The value in this column lets the system locate the user or user group from which to authenticate federated users. This entry is dependent on the value you select for the User Class column. For examples of names and filters, see the tables at the end of this procedure.
  4. (Optional) You can select Exclude for an entry to indicate that you want to exclude this user class. The default is to include all users in the directory.

    Note: An exclude criteria always takes precedence over an include criteria in case the two criteria conflict.

  5. (Optional) Click Add Row to specify another user class for the same directory or another user directory.
  6. (Optional) Configure the CA SiteMinder® Connector settings:
    1. If CA SiteMinder® Federation Standalone is integrating with an existing SiteMinder deployment, enable the CA SiteMinder® Connector by selecting the check box.
    2. (Optional) Clear the Enforce UserDN and Directory Name Comparison so that the CA SiteMinder® Federation Standalone or CA SiteMinder® uses a Universal ID to retrieve a user record. The Universal ID enables the user directories to be physically different and of different types. Use of the Universal ID is sufficient to regard the retrieved user record as the correct record.

      Note: If you rely on the Universal ID, each user must have a unique Universal ID. If the Universal IDs are not unique, the system accessing the user record can retrieve the wrong record.

      If you leave the check box selected (the default), CA SiteMinder® Federation Standalone and CA SiteMinder® must use the same physical directory. The name for both of these directories must be the same for user store lookups. The entity authenticating the user compares the information that the user provides against the UserDN and the Directory Name of the user record.

    The selection of users is complete.

  7. Click Next.

    The Assertion Configuration dialog displays.

Examples of User Class Entries

LDAP Examples

Use the LDAP filter syntax when specifying entries.

User Class

Valid Entry

User

Distinguished name of a user.

Example:

uid=user1,ou=People,dc=example,dc=com

Group

Group chosen from the list.

Example: ou=Sales,dc=example,dc=com

Organization Unit

Organizational unit chosen from the list.

Example: ou=People,dc=example,dc=com

Filter User Property

LDAP filter. The current user is the starting point for the search.

Example 1: mail=user@example.com

Example 2: (|(mail=*@.example.com)(memberOf=cn=Employees,ou=Groups,dc=example,dc=com))

Filter Group Property

LDAP filter. The current user gets authorized if they are a member of one of the groups matching the filter. The objectclasses for groups as configured in the SiteMinder registry are combined with the filter.

Example 1: To authorize users that are members of a group with a business category of "CA Support", enter: businessCategory=CA Support

Example 2: To authorize users that are members of a group with a description containing "Administrator" and a business category of "Administration", enter: (|(description=*Administrator*)(businessCategory=Administration))

Note: Not all attributes of a group work as a search criterion.

Filter OU Property

LDAP filter. The current user gets authorized if they belong to an organizational unit that matches the filter. The objectclasses for organizational units as configured in the SiteMinder registry are combined with the filter.

Example 1: To authorize users within an organizational unit with a postal code of "12345", enter: postalCode=12345

Example 2: To authorize users in an organizational unit with a preferred delivery method ending with "phone" and a locality of "London", enter: (|(preferredDeliveryMethod=*phone)(l=London))

Filter Any

LDAP filter. The current user gets authorized if they match the filter.

Example 1: To authorize users with a department of "CA Support", enter: department=CA Support

Example 2: To authorize users who are members of the group "Administrators" and have a department number of "123" or "789", enter: (&(memberof=cn=Administrators,ou=Groups,dc=example,dc=com)(|(departmentNumber=123)(departmentNumber=789)))

ODBC Examples

Use the SQL syntax when specifying queries.

User Class

Valid Entry

User

Value of the Name column for a user. The current user gets authorized if they match the entry.

Example: user1

Group

Value of the Name column of a user group. The current user gets authorized if they are a member of the group that matches the query.

Example: Administrators

Query

A SQL SELECT statement. The current user gets authorized if they match the query.

Example 1: With a userid of user1:

Entry: SELECT * FROM SmUser

Resulting query: SELECT * FROM SmUser WHERE Name = 'user1'

Example 2: With a userid of user1:

Entry: SELECT * FROM SmUser WHERE Status LIKE 'Active%'

Resulting query: SELECT * FROM SmUser WHERE Status LIKE 'Active%' AND Name = 'user1'

Example 3: With a userid of user1:

Entry: SELECT * FROM SmUser WHERE Location IN ('London', 'Paris')

Resulting query: SELECT * FROM SmUser WHERE Location IN ('London', 'Paris') AND Name = 'user1'