

Configure the SP Partner

The configuration process that follows is from the perspective of an administrator at the SP, in this example, SP1. Therefore, SP1 is the local SP.

The following process establishes the SP partner.

  1. Log on to the Administrative UI.
  2. Establish a user directory connection.
  3. Identify the IdP and SP entities.
  4. Click Create Partnership, SAML2 SP->IdP.
  5. Follow the Partnership wizard and configure the minimum required settings.

Establish a User Directory Connection

Before you can establish a partnership, define a connection to a user directory.

The procedures that follow illustrate a connection to an ODBC user directory using the default data source that is installed with CA SiteMinder® Federation Standalone.

Important! The CA FedManager Data Source is where CA SiteMinder® Federation Standalone policies are stored. For this example, use this data source as a user directory; however, in a production environment use a different data source.

To use this data source:

Set up the Sample Users for the Data Source

Set up the sample users for the data store by importing the ODBC schema and sample data.

The product provides script files to create the schema and data for storing sample users in the CA FedManager data source. You can store this data in the same SQL Server or Oracle database that you specified when installing CA SiteMinder® Federation Standalone.

Follow these steps:

  1. Navigate to the following directory:

    Windows (default location): federation_install_dir\siteminder\db\SQL

    UNIX: federation_install_dir/siteminder/db/sql

  2. Import the necessary schema files to populate the database with sample users. Use the tool for your database to perform the import.

    Import the following files:

    For example, if you look in the script, you can see a sample user named GeorgeC with a password of siteminder.

  3. After the schema is imported, connect to the directory.

Connect to the ODBC Directory

After you import the proper schema to populate the ODBC user directory, establish the connection to the user directory.

Follow these steps:

  1. Log in to the Administrative UI by opening up a web browser and entering the following URL:

    http://idp1.example.com:8888/ca/federation/adminui

    CA SiteMinder® Federation Standalone is installed with idp1.example.com as the server name. In the browser, map this host name to the IP address where CA SiteMinder® Federation Standalone is installed.

    Note: Verify that JavaScript is enabled in the browser to open the Administrative UI.

  2. Select the User Directory tab from the Administrative UI.

    The View User Directories dialog displays.

  3. Click Connect to ODBC.

    The Connect to ODBC dialog opens.

  4. Complete the following required fields in the Configure ODBC User Directory group section:
    Directory Name

    FedSQL

    Data Source

    CA FedManager Data Source

  5. Complete the following fields in the Connection Credentials group section:
    Require Credentials to Connect

    Select check box

    User Name

    Enter the name used to access your database.

    Password

    Enter the password used to access your database.

    Confirm Password

    Enter the database password again.

  6. Complete the following field in the Directory Fields group section:
    Universal ID Column

    Enter the name of the ODBC directory attribute used as the Universal ID. This value can be passed to other applications that communicate with CA SiteMinder® Federation Standalone to maintain the identity of the user. This field is required when the CA SiteMinder® Connector is enabled.

  7. Click Save.

    You return to the View User Directories dialog.

  8. Select Action, Test Connection to help ensure that CA SiteMinder® Federation Standalone can connect to the user directory.

    You receive a message indicating whether the connection is successful.

Continue by configuring the IdP and SP entities.

Identify the Partnership Entities

After establishing the user directory connection, you should identify the local and remote sides of the partnership. In the Administrative UI, each partner is referred to as an entity.

The following procedures tell you what values to provide for the local and remote entities. However, in a real network configuration, it is common for each side to create its local entity, export that entity to a metadata file, and then exchange the files so that each side can define the remote entity.

Follow these steps:

  1. From the Federation tab, select Entities.
  2. Click Create Entity.

    The Create Entity dialog displays.

  3. Make the following selections in the first step of the entity wizard then click Next.
    Entity Location

    Local

    New Entity Type

    SAML2 SP

  4. Complete the fields in the second step as follows then click Next.
    Entity ID

    sp1

    This value identifies the entity to the partner.

    Entity Name

    sp1

    This value identifies the entity object internally in the CA SiteMinder® Federation Standalone database. The partner is not aware of this value.

    Base URL

    http://sp1.demo.com:9091

    Note: The entity ID and name must be the same as you specified for the remote SP entity at the Identity Provider.

  5. Review the settings and click Finish.

You return to the View Federation Entities window. Configure the remote partner.

To create the remote IdP

  1. Begin at the View Federation Partnerships window.
  2. Click Create Entity in the Federation Entity List.

    The Create Entity dialog displays.

  3. Make the following selections in the first step of the entity wizard then click Next.
    Entity Location

    Remote

    New Entity Type

    SAML2 IDP

  4. Complete the fields in the second step of the wizard as follows:
    Entity ID

    idp1

    This value identifies the entity to the partner.

    Entity Name

    idp1

    This value identifies the entity object internally in the CA SiteMinder® Federation Standalone database. The partner is not aware of this value.

    Note: The entity ID and name must be the same as on the Identity Provider side.

    SSO Service URL Group Box

    Binding

    HTTP-Redirect

    URL

    http://idp1.example.com:9090/affwebservices/public/saml2sso

  5. Review the settings and click Finish.

After the local entity and remote entity are configured, you can create a partnership.

Create the SP-to-IdP Partnership

After creating the partnership entities, follow the Partnership wizard to configure the necessary components of the SP -> IdP partnership.

Follow these steps:

  1. Select the Federation tab.
  2. Click Create Partnership, SAML2 SP->IdP.

    You come to the first step in the Partnership wizard.

  3. Complete the fields with the following values:
    Partnership Name

    DemoPartnership

    Local SP ID

    sp1

    Remote IDP ID

    idp1

    Skew Time (Seconds)

    Accept the default

  4. Move the ODBC directory (FedSQL) from the Available Directories box to the Selected Directories box.
  5. Click Next to go to the User Identification step.

Specify the User Identification Attribute

Designate which attribute from the assertion should be used to identify a user. This identity attribute value is used in the user disambiguation process, that is, the process of locating the user record in the SP's user directory.

Follow these steps:

  1. Go to the User Identification step.
  2. Accept the default, Use Name ID, in the Choose Identity Attribute from Assertion group box.
  3. In the Map Identity Attribute to User Directories group box, enter the following:
    ODBC Search Specification

    Name=%s

    This entry instructs CA SiteMinder® Federation Standalone to replace the variable (%s) with the value of the Name ID attribute from the assertion and match it with the Name column in the sample users database. If a match is found, the user is disambiguated and allowed to access the target resource.

  4. Click Next to configure single sign-on.
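The following added example (not part of the original page or of the product) models the user disambiguation step described above: the Name ID is taken from a constructed SAML2 assertion fragment and matched against the Name column through the search specification Name=%s. The table name SampleUsers, the in-memory SQLite store and the sample rows are assumptions standing in for the FedSQL directory; the %s is bound as a query parameter rather than substituted into the SQL text, and zero or multiple matches leave the user unresolved.

```python
import sqlite3
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment: only the Subject/NameID is populated,
# because that is all the disambiguation step consumes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>GeorgeC</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed stand-in for the sample-user table; GeorgeC comes from the page,
# the other names and the table name SampleUsers are assumptions.
SAMPLE_USERS = ["GeorgeC", "AliceW", "bobk"]


def make_directory():
    """Build an in-memory directory with a Name column, as the ODBC store would have."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SampleUsers (Id INTEGER PRIMARY KEY, Name TEXT)")
    db.executemany("INSERT INTO SampleUsers (Name) VALUES (?)", [(n,) for n in SAMPLE_USERS])
    return db


def extract_name_id(assertion_xml):
    """Return the NameID text from the assertion, or None if it is absent."""
    root = ET.fromstring(assertion_xml)
    node = root.find(f".//{{{SAML2_ASSERTION_NS}}}NameID")
    return None if node is None or node.text is None else node.text.strip()


def disambiguate(db, search_spec, name_id):
    """Resolve exactly one user Id from a spec of the form '<column>=%s'.
    The %s value is bound as a parameter, so the NameID from the assertion
    cannot change the shape of the query; anything but one match is a failure."""
    column, _, placeholder = search_spec.partition("=")
    if placeholder != "%s" or not column.isidentifier():
        raise ValueError(f"unsupported search spec: {search_spec!r}")
    rows = db.execute(f"SELECT Id FROM SampleUsers WHERE {column} = ?", (name_id,)).fetchall()
    if len(rows) != 1:
        return None  # zero or multiple matches: user is not disambiguated
    return rows[0][0]


def resolve_user(db, assertion_xml, search_spec="Name=%s"):
    """Full step: assertion -> NameID -> user record, or None when unresolved."""
    name_id = extract_name_id(assertion_xml)
    if not name_id:
        return None
    return disambiguate(db, search_spec, name_id)
```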

Configure Single Sign-on

To establish single sign-on between partners, configure the SSO settings.

Follow these steps:

  1. Begin at the SSO and SLO step.
  2. Select HTTP-POST for the SSO Binding field.
  3. Specify the target resource at the SP in the Target field.

    In this sample partnership, this target is http://spapp.demo.com:80/spsample/welcome.html.

  4. Select No Data for the Redirect Mode field.
  5. Assuming you have created the remote IdP, the value for the SSO Service URL is filled in.
  6. Click Next to move to the Signature and Encryption step.

Disable Signature Processing

For the purposes of this simple partnership, disable signature processing. However, in a production environment, the Identity Provider must sign assertions.

Follow these steps:

  1. From the Signature and Encryption step, select Disable Signature Processing.
  2. Click Next to move to the next step.

Confirm the SP Partner Settings

You have completed the configuration for the local SP side of the federation partnership.

Follow these steps:

  1. In the Confirm dialog, review the settings for the SP partner.
  2. To modify a setting, click Modify in the appropriate section.
  3. Click Finish when you are satisfied with the configuration.

The SP side of the partnership is now configured.