

Set Up the Artifact Profile for SSO

The basic partnership began with HTTP-POST binding for single sign-on. However, your partnership can use the SAML 2.0 Artifact profile.

The configuration for the HTTP-Artifact binding is the same as the configuration for POST binding, until the SSO and SLO steps in the wizard.

Configure Artifact SSO at the IdP

This procedure shows you how to configure the HTTP-Artifact profile for SSO at the IdP.

Follow these steps:

  1. From the Administrative UI, click the Federation tab and select Partnerships.
  2. Select Action, Deactivate next to the entry for TestPartnership.

    Deactivation is required before editing.

  3. Click Action, Modify next to the entry for TestPartnership.

    The dialog for the first step of the partnership wizard opens.

  4. Click the SSO and SLO step.
  5. Keep the existing settings in the Authentication group box.
  6. In the SSO group box, do the following:
    1. Check HTTP-Artifact for the SSO Binding field.
    2. Change the binding in the Assertion Consumer Service URLs table to HTTP-Artifact. The URL can remain the same as the one used for the POST profile.
  7. In the Back Channel group box, select the following:

    Authentication Method: No Auth

  8. Skip the SLO and IDP Discovery group boxes.
  9. Click the Confirm step and review the configuration.
  10. Click Finish to complete the configuration.

Artifact binding is now configured at IdP1.

Configure Artifact SSO at the SP

This procedure describes how to configure the HTTP-Artifact profile for SSO.

Follow these steps:

  1. From the Administrative UI, click the Federation tab and select Partnerships.

    The View Federation Partnerships window displays.

  2. Select Action, Deactivate next to the entry for DemoPartnership.

    Deactivate a partnership before you edit it.

  3. Click Action, Modify next to the entry for DemoPartnership.

    The dialog for the first step of the Partnership wizard opens.

  4. Click the SSO and SLO step.
  5. In the SSO group box, do the following tasks:
    1. Check HTTP-Artifact for the SSO Binding field.
    2. Select No Data for the Redirect Mode field. The URL can remain the same as the one used for the POST profile.
    3. Do not change the settings for the SSO Service URL.
  6. In the SOAP Artifact Resolution URLs group box, click Add Row and enter the following URL to indicate that no authentication is required for the back channel:

    http://idp1.example.com:9090/affwebservices/saml2artifactresolutionnoauth

    Be sure to select this entry by clicking the radio button in the Select column of the table.

  7. In the Back Channel group box, select the following option:

    Authentication Method: No Auth

  8. Skip the SLO and Status Redirect URL group boxes.
  9. Click the Confirm step and review the configuration.
  10. Click Finish to complete the configuration.

Artifact binding is configured at SP1.

Test the Partnership (Artifact SSO)

When each side of the partnership is operating, test single sign-on between the two partners.

When IdP1 receives the request, it generates the artifact. The artifact is then sent to SP1 through the browser.

After SP1 receives the artifact, it sends the artifact back to IdP1 over the back channel (the SOAP artifact resolution URL). The IdP retrieves the assertion that the artifact references and returns it to SP1.

Create a Web page to Initiate Single Sign-on (Artifact)

For testing purposes, create your own HTML page with a link that initiates single sign-on. You can initiate single sign-on from the IdP or the SP. This example illustrates SP-initiated single sign-on.

Follow these steps:

  1. Create the sample HTML page at the SP site and include a hard-coded link to the AuthnRequest service at the SP, as follows:

    <a href="http://sp1.demo.com:9091/affwebservices/public/saml2authnrequest?ProviderID=idp1.example.com:9090&amp;ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">Link to Test ARTIFACT Single Sign-on</a>

    This link instructs the AuthnRequest Service to redirect the user to the specified Identity Provider to retrieve the user authentication context.

  2. Save the web page under the name testartifact.html.
  3. Copy testartifact.html to the web server document root directory, under the subfolder /spsample.

    For this sample network, the target web server is http://spapp.demo.com:80.
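The following Python script is an added example, not part of this documentation or of the product's code. It models the exchange described under Test the Partnership (Artifact SSO) and builds the SP-initiated link from Create a Web page to Initiate Single Sign-on. The entity IDs and URLs (idp1.example.com:9090, sp1.demo.com:9091, the saml2authnrequest path) come from this page; the IdentityProvider and ServiceProvider classes, the 60-second artifact lifetime and the assertion contents are constructed assumptions and do not describe how the product behaves internally. The artifact layout (type code 0x0004, endpoint index, 20-byte SourceID, 20-byte message handle) follows the SAML 2.0 Bindings specification.

```python
"""Toy model of the SAML 2.0 HTTP-Artifact SSO exchange.
Added example; not CA SiteMinder documentation or product code. Entity IDs are
from the page; classes, lifetime and assertion contents are constructed."""
import base64
import hashlib
import secrets
import struct
import time
from urllib.parse import urlencode

ARTIFACT_TYPE_CODE = 0x0004  # SAML 2.0 artifact format (Bindings spec 3.6.4)
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
IDP_ENTITY_ID = "idp1.example.com:9090"  # IdP partner named on this page
SP_ENTITY_ID = "sp1.demo.com:9091"       # SP partner named on this page


def build_sp_initiated_link(sp_base, provider_id, binding=HTTP_ARTIFACT):
    """URL behind the test page's link: the SP AuthnRequest service, told
    which IdP to use and which binding to request for the response."""
    query = urlencode({"ProviderID": provider_id, "ProtocolBinding": binding})
    return f"{sp_base}/affwebservices/public/saml2authnrequest?{query}"


def source_id(entity_id):
    """SourceID: 20-byte SHA-1 of the issuer's entity ID, as the spec recommends."""
    return hashlib.sha1(entity_id.encode()).digest()


def parse_artifact(artifact_b64):
    """Split a type-4 artifact into its fields; reject anything else."""
    raw = base64.b64decode(artifact_b64)
    if len(raw) != 44:
        raise ValueError("type-4 artifact must be 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError(f"unsupported artifact type {type_code:#06x}")
    return {"endpoint_index": endpoint_index,
            "source_id": raw[4:24], "message_handle": raw[24:]}


class IdentityProvider:
    """Issues artifacts at the SSO service and resolves them on the back channel."""

    def __init__(self, entity_id, ttl_seconds=60):  # 60 s lifetime is an assumption
        self.entity_id = entity_id
        self.ttl = ttl_seconds
        self._pending = {}  # raw artifact -> (assertion, expiry time)

    def issue_artifact(self, assertion, endpoint_index=0, now=None):
        """Type code (2 bytes) + endpoint index (2) + SourceID (20) + random
        MessageHandle (20). The assertion stays here; only the artifact is
        sent through the browser to the SP."""
        now = time.time() if now is None else now
        handle = secrets.token_bytes(20)
        raw = (struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index)
               + source_id(self.entity_id) + handle)
        self._pending[raw] = (assertion, now + self.ttl)
        return base64.b64encode(raw).decode()

    def resolve(self, artifact_b64, now=None):
        """ArtifactResolve handler. The entry is removed on first lookup, so a
        replayed artifact gets nothing; an expired one also gets nothing."""
        now = time.time() if now is None else now
        entry = self._pending.pop(base64.b64decode(artifact_b64), None)
        if entry is None:
            return None
        assertion, expiry = entry
        return assertion if now <= expiry else None


class ServiceProvider:
    """Assertion Consumer Service with the HTTP-Artifact binding."""

    def __init__(self, entity_id, idp_entity_id, idp):
        self.entity_id = entity_id
        self.expected_source_id = source_id(idp_entity_id)
        self.idp = idp  # stands in for the SOAP artifact resolution URL

    def consume(self, artifact_b64, now=None):
        """Check that the artifact names the configured partner IdP, then
        fetch the assertion it refers to over the back channel."""
        if parse_artifact(artifact_b64)["source_id"] != self.expected_source_id:
            return None  # not issued by the partner this SP is configured for
        return self.idp.resolve(artifact_b64, now=now)


def run_flow(now=None):
    """One SP-initiated login followed by a replay of the same artifact."""
    idp = IdentityProvider(IDP_ENTITY_ID)
    sp = ServiceProvider(SP_ENTITY_ID, IDP_ENTITY_ID, idp)
    assertion = {"subject": "jdoe", "audience": SP_ENTITY_ID}  # constructed sample
    artifact = idp.issue_artifact(assertion, now=now)
    first = sp.consume(artifact, now=now)
    second = sp.consume(artifact, now=now)
    return first, second
```

Calling run_flow() returns the assertion for the first resolution and None for the replayed artifact; an expired artifact or one whose SourceID does not match the configured partner also resolves to nothing. That is what lets the artifact travel through the browser while the assertion itself is only ever handed over on the back channel. With the back channel set to No Auth, as in this sample, the SourceID check at the SP and the single-use lookup at the IdP are the controls that remain on the resolution step.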

Create a Target Resource

The last step that is required to test single sign-on is to create a target resource.

Follow these steps:

  1. Create the sample HTML page at the SP site and include a message, such as:

    <p>Welcome to SP1</p>

    <p>Single Sign-on is successful</p>

  2. Save the web page under the name welcome.html.
  3. Copy welcome.html to the web server document root directory, under the subfolder /spsample.

    For this sample network, the target web server is http://spapp.demo.com:80.

Test Artifact Single Sign-on

After you have set up the sample web pages, test single sign-on and verify that the partnership configuration is successful.

Follow these steps:

  1. Verify that both sides of the partnership are activated.
  2. Open a browser.
  3. Enter the URL for the web page that triggers single sign-on, as follows:

    http://spapp.demo.com:80/spsample/testartifact.html

    Note: In this sample network, CA SiteMinder® Federation Standalone is deployed in standalone mode, so the target web server is a different server from the one on which CA SiteMinder® Federation Standalone resides.

    When you enter the URL, a page is displayed with a link that reads Link to Test ARTIFACT Single Sign-on.

  4. Click Link to Test ARTIFACT Single Sign-on to initiate single sign-on.

    The user is redirected from the AuthnRequest Service at the SP to the Single Sign-on Service at the Identity Provider.

After the Identity Provider establishes a session, it directs the user back to the target resource at the Service Provider, which is welcome.html. You see the sample welcome page you created at the SP, letting you know that single sign-on was successful.