CA SiteMinder® Federation Standalone Guide › Federated User Identification for a Partnership › User Identification at the Relying Party

User Identification at the Relying Party

At the relying party, the partner must be able to locate a user in the local user directory. Locating the user in the user directory is the process of disambiguation. Configure the identity attribute for user disambiguation in the User Identification dialog.

CA SiteMinder® Federation Standalone can employ one of the following methods for the disambiguation process:

• Extract the Name ID value from the assertion.
• Use the value of a specific attribute from the assertion.
• Use the value obtained by an Xpath query.

  The Xpath query locates and extracts an attribute other than the Name ID from the assertion.

After you determine which attribute is extracted from the assertion, include this attribute in a search specification, which CA SiteMinder® Federation Standalone uses to locate a user in the user store. After a successful disambiguation process, CA SiteMinder® Federation Standalone generates a session for the user.

For SAML 2.0, you can also configure the AllowCreate feature, which lets an asserting party create a user identifier.

Single sign-on can be initiated by the relying party sending an authentication request (AuthnRequest) to the asserting party. In this request, the relying party can ask that the asserting party include a particular user attribute in the assertion. However, the value of the required attribute may not be available in the asserting party user record.

If the authentication request from the relying party includes the Allow/Create attribute and the asserting party is configured to create a new identifier, the asserting party generates a unique value as the NameID. This value is placed in the assertion and sent back to the relying party.

In the User Identification dialog, you can also enable the CA SiteMinder® Connector.

The CA SiteMinder® Connector is a software component included with CA SiteMinder® Federation Standalone. It enables a deployed CA SiteMinder® system to integrate with CA SiteMinder® Federation Standalone. If you integrate CA SiteMinder® and CA SiteMinder® Federation Standalone at a relying party, CA SiteMinder® does not rechallenge users authenticated by CA SiteMinder® Federation Standalone when they request CA SiteMinder®-protected resources. There is no authentication rechallenge because the Connector and a custom CA SiteMinder® authentication scheme at the Policy Server enable the creation of a CA SiteMinder® session for users authenticated by CA SiteMinder® Federation Standalone.

You can enable the CA SiteMinder® Connector on a per-partnership basis; however, only one global SiteMinder Connector configuration applies to all partnerships. The Connector is available only when the check box in the Deployment Settings is selected and a configuration is defined. You access the Deployment Settings from the Infrastructure tab in the UI. After enabling the Connector globally, CA SiteMinder® Federation Standalone evaluates the partnership configuration to determine whether the connector is enabled. The partnership uses the global Connector configuration.

To disable the Connector for the partnership, clear the check box at the partnership level. To disable the Connector globally, disable it in the Deployment Settings.

Important! If the Connector is disabled at the global level, CA SiteMinder® Federation Standalone ignores the check box at the partnership level.

Configure User Identification at the Relying Party

Configure user identification so the relying party has a method of locating a user in the local user directory.

Follow these steps:

Note: Click Help for a description of fields, controls, and their respective requirements.

1. Select one of the following attributes:
   • Name ID
   • An attribute from a previously populated drop-down list

     If the remote asserting entity was created based on metadata that contained attributes, the list is populated.

   • An attribute you enter

     This option is most likely used when metadata is not available and the remote asserting entity does not include any attributes.

   • An Xpath
2. (Optional—SAML 2.0 only) Select Allow IDP to create user identifier.

   This attribute instructs the asserting party to generate a new value for the NameID, if this feature is enabled at the asserting party. The Name ID format configured at the asserting party must be a persistent identifier. This new value for the NameID is included in the assertion that the asserting party returns to the relying party.

3. Specify an LDAP or ODBC search specification. If both directories are present, configure search specifications for both.

   LDAP Example

   ou=%s,o-ca

   ODBC Example

   name=%s

   In the ODBC search specification field, the value from the user store that replaces the %s in the search string can contain an equals sign (=). If the value contains an equals sign, prepend the value user= at the beginning of the entry. For example, if the value for ElectronicMail in the user store is CN=catechnologies, enter user=ElectronicMail=%s in the ODBC search specification field. The addition of user= enables the policy engine to interpret the string properly.

4. (Optional) Configure the CA SiteMinder® Connector settings:
   1. If CA SiteMinder® Federation Standalone is integrating with an existing SiteMinder deployment, enable the CA SiteMinder® Connector by selecting the check box.
   2. (Optional) Clear the Enforce UserDN and Directory Name Comparison so that the CA SiteMinder® Federation Standalone or CA SiteMinder® uses a Universal ID to retrieve a user record. The Universal ID enables the user directories to be physically different and of different types. Use of the Universal ID is sufficient to regard the retrieved user record as the correct record.

      Note: If you rely on the Universal ID, each user must have a unique Universal ID. If the Universal IDs are not unique, the system accessing the user record can retrieve the wrong record.

      If you leave the check box selected (the default), CA SiteMinder® Federation Standalone and CA SiteMinder® must use the same physical directory. The name for both of these directories must be the same for user store lookups. The entity authenticating the user compares the information that the user provides against the UserDN and the Directory Name of the user record.

5. Click Next to continue with partnership configuration.

Employ AllowCreate for User Identification (SAML 2.0)

The SAML 2.0 AllowCreate feature is an optional setting in the User Identification configuration at the SP. Including an AllowCreate attribute in an authentication request lets an Identity Provider create a user identifier for the SP.

An SP can initiate single sign-on by sending an authentication request to the Identity Provider. As part of the request, a Service Provider can include an attribute named AllowCreate, which is set to true. The Service Provider wants to obtain an identity for the user. Upon receiving the AuthnRequest, the Identity Provider generates an assertion. The Identity Provider searches the appropriate user record for the assertion attribute serving as the Name ID. If the Identity Provider cannot find a value for the NameID attribute, it generates a unique persistent identifier for the NameID. Enable the Allow/Create feature at the Identity Provider for it to generate the identifier. The Identity Provider returns the assertion with the unique identifier back to the SP.

You can enable an AllowCreate query parameter to supersede the value of the AllowCreate attribute. Use of a query parameter lets you override the configured AllowCreate setting without deactivating, editing, and reactivating the partnership. The query parameter makes the implementation of the feature more flexible.