

Configure the IdP Partner

The configuration process that follows is from the perspective of an administrator at IdP1. Therefore, IdP1 is the local IdP.

The following process establishes the IdP partner:

  1. Log on to the Administrative UI.
  2. Establish a user directory connection.
  3. Identify the IdP and SP entities.
  4. Click Create Partnership, SAML2 IdP->SP.
  5. Follow the Partnership wizard and configure the minimum required settings.

Establish a User Directory Connection

Before you can establish a partnership, define a connection to a user directory.

The procedures that follow illustrate a connection to an ODBC user directory using the default data source that is installed with the product.

Important! The CA FedManager Data Source is where federation system policies are stored. For this example, use this data source as a user directory; however, in a production environment use a different data source.

To use this data source:

Set up the Sample Users for the Data Source

Set up the sample users for the data store by importing the ODBC schema and sample data.

The product provides script files to create the schema and data for storing sample users in the CA FedManager data source. You can store this data in the same SQL Server or Oracle database that you specified when installing CA SiteMinder® Federation Standalone.

Follow these steps:

  1. Navigate to the following directory:

    Windows (default location): federation_install_dir\siteminder\db\SQL

    UNIX: federation_install_dir/siteminder/db/sql

  2. Import the necessary schema files to populate the database with sample users. Use the tool for your database to perform the import.

    Import the following files:

    For example, if you look in the script, you can see a sample user named GeorgeC with a password of siteminder.

  3. After the schema is imported, connect to the directory.

Connect to the ODBC Directory

After you import the proper schema to populate the ODBC user directory, establish the connection to the user directory.

Follow these steps:

  1. Log in to the Administrative UI by opening up a web browser and entering the following URL:

    http://idp1.example.com:8888/ca/federation/adminui

    CA SiteMinder® Federation Standalone is installed with idp1.example.com as the server name. On the system where you run the browser, map this host name to the IP address of the system where CA SiteMinder® Federation Standalone is installed.

    Note: Verify that JavaScript is enabled in the browser to open the Administrative UI.

  2. Select the User Directory tab from the Administrative UI.

    The View User Directories dialog displays.

  3. Click Connect to ODBC.

    The Connect to ODBC dialog opens.

  4. Complete the following required fields in the Configure ODBC User Directory group section:

    Directory Name: FedSQL

    Data Source: CA FedManager Data Source

  5. Complete the following fields in the Connection Credentials group section:

    Require Credentials to Connect: Select the check box.

    User Name: Enter the name used to access your database.

    Password: Enter the password used to access your database.

    Confirm Password: Enter the database password again.

  6. Complete the following field in the Directory Fields group section:

    Universal ID Column: Enter the name of the ODBC directory attribute used as the Universal ID. This value can be passed to other applications that communicate with CA SiteMinder® Federation Standalone to maintain the identity of the user. This field is required when the CA SiteMinder® Connector is enabled.

  7. Click Save.

    You return to the View User Directories dialog.

  8. Select Action, Test Connection to help ensure that CA SiteMinder® Federation Standalone can connect to the user directory.

    You receive a message indicating whether the connection is successful.

Continue by configuring the IdP and SP entities.

Configure the Partnership Entities

After establishing the user directory connection, identify the local and remote sides of the partnership. In the Administrative UI, each partner is referred to as an entity.

The following procedures tell you what values to provide for the local and remote entities. In a real network configuration, however, it is common for each side to create its local entity, export that entity to a metadata file, and then exchange the files so that each side can define the remote entity from the partner's metadata.

Follow these steps:

  1. From the Federation tab, select Entities.
  2. Click Create Entity.
  3. Make the following selections in the first step of the entity wizard, and then click Next.

    Entity Location: Local

    New Entity Type: SAML2 IDP

  4. Complete the fields in the second step of the wizard as follows, and then click Next.

    Entity ID: idp1

    This value identifies the entity to the partner.

    Entity Name: idp1

    This value identifies the entity object internally in the CA SiteMinder® Federation Standalone database. The partner is not aware of this value.

    Base URL: http://idp1.example.com:9090

    Leave the other settings as they are.

    Note: The Entity Name can be the same value as the Entity ID, but the Entity Name must then not be used by any other entity at the site.

  5. Review the settings in the last step and click Finish.

You return to the View Federation Entities window. Configure the remote partner.

To create the Remote SP Entity

  1. Begin at the View Federation Entities window.
  2. Click Create Entity in the Federation Entity List.

    The Create Entity dialog displays.

  3. Make the following selections in the first step of the entity wizard, and then click Next.

    Entity Location: Remote

    New Entity Type: SAML2 SP

  4. Complete the fields in the second step of the wizard as follows, and then click Next.

    Entity ID: sp1

    This value identifies the entity to the partner.

    Entity Name: sp1

    This value identifies the entity object internally in the CA SiteMinder® Federation Standalone database. The partner is not aware of this value.

    Assertion Consumer Service URL group box:

    Index: 0

    Binding: HTTP-Post

    URL: http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer

    Default: Select the check box in this column for the entry row.

    Leave the other settings as they are.

  5. Review the settings in the last step and click Finish.

The remote SP entity is configured.

After the local and remote entities are configured, you can create a partnership.

Create the IdP-to-SP Partnership

After creating the partnership entities, follow the partnership wizard to configure the IdP -> SP partnership. The first step is to provide the name and other basic information for the partnership.

Follow these steps:

  1. Select the Federation tab.
  2. Click Create Partnership, SAML2 IdP -> SP.

    Selecting this option indicates that you are the local IdP.

    You come to the first step in the partnership wizard.

  3. Complete the fields with the following values:

    Partnership Name: TestPartnership

    Local IDP ID: idp1 (selected from the pull-down list)

    Remote SP ID: sp1 (selected from the pull-down list)

    Base URL: http://idp1.example.com:9090 (this value is provided by default)

    Skew Time (Seconds): Accept the default.

  4. Move the ODBC directory (FedSQL) from the Available Directories box to the Selected Directories box.
  5. Click Next to go to the Federation Users step.

Specify Federation Users for Assertion Generation

In the Federation Users dialog, select the users for which the IdP generates assertions.

Follow these steps:

  1. Accept the defaults.
  2. Click Next to continue.

By accepting the defaults, you indicate that CA SiteMinder® can generate assertions for all users in the user directory.

Add a Name ID to the Assertion

The Assertion Configuration step lets you specify the format and value of the NameID and the attributes that identify a user. These attributes are included in the assertion.

Note: NameID is always included in the assertion.

In this configuration, specify only the Name ID. Do not add any other attributes.

Follow these steps:

  1. From the Assertion Configuration step, enter values for the following fields:

    Name ID Format: Unspecified

    Name ID Type: Static

    Value: GeorgeC

  2. Click Next to move on and set up single sign-on (SSO).

Set Up Single Sign-on

To establish single sign-on between partners, configure the SSO settings.

Follow these steps:

  1. Begin at the SSO and SLO step in the partnership wizard.
  2. Accept the default (Basic) for the Local Authentication Type and Authentication Class fields.
  3. Select HTTP-POST for the SSO Binding field.
  4. Because you already created the remote SP entity, the Assertion Consumer URL field is filled in from that entity.
  5. Click Next to move to the Signature and Encryption step.

Disable Signature Processing

For the purposes of this simple partnership, disable signature processing. However, in a production environment, the Identity Provider must sign assertions.

Follow these steps:

  1. From the Signature and Encryption step, select Disable Signature Processing.
  2. Click Next to move to the next step.
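The following is an added example, not part of the product documentation or of CA SiteMinder® Federation Standalone: it shows the checks that the SP side of this partnership must apply to the SAML 2.0 Response it receives by HTTP-POST, using the Entity IDs, Assertion Consumer Service URL and Name ID configured above. The sample response is constructed for the example, the skew value of 30 seconds is an assumption (the page accepts the wizard default), and a signature is detected by presence only, which is why a production partnership must keep signature processing enabled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Values from the partnership configured on this page; SKEW is an assumed value.
EXPECTED_ISSUER, EXPECTED_AUDIENCE = "idp1", "sp1"
ACS_URL = "http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer"
SKEW = timedelta(seconds=30)

# Constructed sample of the unsigned response the SP receives by HTTP-POST.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer">
  <saml:Assertion>
    <saml:Issuer>idp1</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">GeorgeC</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>sp1</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_time(value):
    # SAML timestamps are UTC with a trailing Z, which fromisoformat does not accept directly.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now, require_signature=True):
    """Return the problems found; an empty list means the response passes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the configured ACS URL")
    if assertion.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        problems.append("Issuer is not the configured IdP entity ID")
    audiences = [a.text for a in assertion.iter("{%s}Audience" % NS["saml"])]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("Audience does not include the SP entity ID")
    cond = assertion.find("saml:Conditions", NS)  # skew widens the window both ways
    if now < parse_time(cond.get("NotBefore")) - SKEW:
        problems.append("assertion is not yet valid")
    if now >= parse_time(cond.get("NotOnOrAfter")) + SKEW:
        problems.append("assertion has expired")
    if require_signature and assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    return problems
```

With signature processing disabled as in this walkthrough, the sample passes only when `require_signature=False`; with the production setting it is rejected as unsigned.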

Confirm the IdP-to-SP Partnership Settings

You have completed the partnership definition for one side of the federation partnership. Verify the settings.

Follow these steps:

  1. In the Confirm dialog, review the settings for the partnership.
  2. To modify a setting, click Modify in any of the sections.
  3. Click Finish when you are satisfied with the configuration.

The IdP side of the partnership is complete. Define the SP side of the partnership on a different system than the IdP system.