

Deployment Settings

The Deployment Settings let you do the following:

Deployment Modes and FIPS Settings

The Deployment Settings show the status of the deployment mode and the FIPS mode that you selected when installing and configuring CA SiteMinder® Federation Standalone. Additionally, you can specify valid federation domains, and you can set a prefix to protect HTTP headers in proxy mode.

The process for modifying each setting differs.

Valid Federation Domains and HTTP Header Prefix

Modify the Valid Federation Domains and HTTP Header Prefix entries from the UI. Changing these settings is optional.

Follow these steps:

  1. Enter values for the fields, if necessary.
  2. Click Save in the right corner of the section.

FIPS Mode Changes

To change the FIPS Mode, run the Installation wizard again and choose a new setting.

Important! Anytime you change the FIPS mode, restart CA SiteMinder® Federation Standalone.

Deployment Mode Changes

To change the Deployment Mode, run the Configuration wizard again and change the mode.

More information:

Encryption and Decryption Algorithms

HTTP Header Protection for a Proxy Mode Deployment at the Relying Party

In a proxy mode deployment at the relying party, CA SiteMinder® Federation Standalone passes identity attributes from the SAML assertion to backend applications using HTTP headers. In most cases, the headers are secure. However, if an unauthorized user knows an assertion attribute name, they can set this name as a header in a browser and gain access to the target application. The target application sees an expected header value and grants access to the resource without CA SiteMinder® Federation Standalone having consumed an assertion.

By specifying a value for the HTTP Header Prefix setting, you protect against this attack as follows:

  1. An unauthorized user learns the names of HTTP headers. These header names include prefixes.
  2. The malicious user sends an incoming request, including the headers, to CA SiteMinder® Federation Standalone.
  3. CA SiteMinder® Federation Standalone recognizes that the headers containing prefixes come from an incoming request and are not generated internally, so it removes these headers.
  4. Before CA SiteMinder® Federation Standalone passes its own legitimate headers to the target application, it adds the specified prefix to each header and passes the headers to the target application.
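The following added example (not code from the product or this guide) models the stripping and prefixing behavior described above so that the difference between an unprotected and a protected proxy can be seen on a request. The prefix value FED-, the attribute names mail and role, the request data, and the assumption that the target application reads only the prefixed attribute name are all constructed for the example.

```python
# Added example (not the product's own code): a model of how the HTTP Header
# Prefix setting protects a proxy-mode backend from spoofed identity headers.
# The prefix "FED-" and all request data below are constructed.

# Constructed sample: attributes extracted from a consumed SAML assertion.
ASSERTION_ATTRS = {"mail": "alice@example.com", "role": "employee"}

# Constructed sample: an incoming request in which the client has added the
# header names it guesses the target application trusts, both with and
# without the prefix.
SPOOFED_REQUEST = {
    "Host": "app.example.com",
    "mail": "attacker@example.com",
    "FED-mail": "attacker@example.com",
    "fed-role": "admin",
}


def build_backend_headers(incoming, assertion_attrs, prefix):
    """Return the headers the proxy forwards to the target application.

    incoming        headers received from the browser
    assertion_attrs attributes from a consumed assertion, or {} when the
                    request did not go through assertion consumption
    prefix          the configured HTTP Header Prefix ("" = unprotected)

    Any incoming header whose name carries the prefix is dropped, because only
    the federation server is allowed to originate prefixed headers. Assertion
    attributes are then added under their prefixed names.
    """
    forwarded = {}
    for name, value in incoming.items():
        # HTTP header names are case-insensitive, so compare in lower case.
        if prefix and name.lower().startswith(prefix.lower()):
            continue
        forwarded[name] = value
    for attr, value in assertion_attrs.items():
        forwarded[prefix + attr] = value
    return forwarded


def backend_identity(headers, prefix):
    """What the target application takes as the authenticated user: it reads
    only the prefixed attribute name and returns None if it is absent."""
    return headers.get(prefix + "mail")
```

With an empty prefix, a request that never went through assertion consumption still reaches the backend with a spoofed mail header and is accepted. With the prefix configured, the spoofed FED-mail and fed-role headers are removed before forwarding, and the backend finds no identity unless the federation server itself added one. The unprefixed mail header still reaches the backend, so the protection holds only if the target application reads the prefixed names exclusively.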

To set the HTTP Header Prefix

  1. Navigate to Infrastructure, Deployment Settings.
  2. Enter any valid string as a prefix in the HTTP Header Prefix field.

    You only see this field if you enabled Proxy Mode when installing CA SiteMinder® Federation Standalone.

  3. Save your changes.

CA SiteMinder® Connector Settings

The CA SiteMinder® Connector lets CA SiteMinder® Federation Standalone integrate with a CA SiteMinder® environment for federated communication.

At the asserting party, the CA SiteMinder® Connector can work with CA SiteMinder® as a third-party WAM for delegated authentication. At the relying party, CA SiteMinder® can protect the server where the target resources reside. If CA SiteMinder® is performing access control, the CA SiteMinder® Connector contacts the Policy Server to establish a CA SiteMinder® session so that CA SiteMinder® grants the user access to the target resource.

For CA SiteMinder® Federation Standalone to operate with CA SiteMinder®, configure the CA SiteMinder® Connector settings in the Administrative UI.

All partnerships that use the CA SiteMinder® Connector use a single configuration and connect to a single CA SiteMinder® environment. Define the Connector configuration in the Deployment Settings of the Administrative UI. To enable the Connector for a given partnership, enable it at the partnership level. Disable the Connector at the partnership level or globally by disabling it in the Deployment Settings.

Important! If the Connector is disabled at the global level, CA SiteMinder® Federation Standalone ignores the check box at the partnership level.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select a partnership from the Federated Partnerships list.

    The Partnership dialog opens.

  3. Do one of the following:
    1. At the relying party, navigate to the User Identification step in the Partnership wizard.
    2. At the asserting party, navigate to the Federation Users step in the Partnership wizard.
  4. Select the Enable SiteMinder Connector check box.

    The configuration fields become available.

  5. (Optional) Select the Enforce UserDN Comparison check box. Selecting this check box forces a comparison of the UserDN and UserDirectory Name entries between the user directory at CA SiteMinder® Federation Standalone and the directory at CA SiteMinder®.

    If you select this check box, the user directory for the CA SiteMinder® Federation Standalone deployment and the CA SiteMinder® deployment must be the same physical directory. The name for both of these directories must be the same for user store lookups. If you clear the check box, CA SiteMinder® Federation Standalone uses the Universal ID to find the user record so the directories do not have to be the same. If you rely on the Universal ID, each user must have a unique Universal ID. If the Universal IDs are not unique, the system accessing the user record can retrieve the wrong record.

  6. Save your changes.
  7. Navigate to the Infrastructure tab.
  8. From the Infrastructure tab, select Deployment Settings.

    The Configure Deployment Settings dialog opens.

  9. Fill in all the fields in the CA SiteMinder® Connector Settings section.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  10. Select Register Host and provide the administrator credentials for the CA SiteMinder® Policy Server.

    This step registers CA SiteMinder® Federation Standalone as an Agent with the CA SiteMinder® Policy Server.

    Note: You can configure failover support for the host registration process by specifying more than one Policy Server. If the registration with the primary Policy Server fails, CA SiteMinder® Federation Standalone moves to the next Policy Server specified until the registration process completes successfully.

  11. Select Save in the SiteMinder Connector Settings section of the dialog.

    Selecting Save in the CA SiteMinder® Connector Settings section is necessary after registering the host.

  12. Restart the federation services according to your operating environment.

The CA SiteMinder® Connector configuration is complete.

Cookie Settings for Session and Identity Cookies

CA SiteMinder® Federation Standalone supports single sign-on security zones. Single sign-on security zones provide configurable trust relationships between groups of applications within the same cookie domain.

Although single sign-on is enforced within the same zone, a user may be rechallenged when entering a different zone, depending on the trust relationship defined between the zones. Security zones included in a trusted relationship do not rechallenge a user that has a valid session in any zone in the group.

Security zone affiliation is reflected in cookie names. For CA SiteMinder® Federation Standalone, the default session and identity cookies are named FEDSESSION and FEDPROFILE.

Your federation partner possibly has an application that uses its own session or identity cookie. The names of the partner cookies can conflict with the names of CA SiteMinder® Federation Standalone's cookies. For example, if you are communicating with a CA SiteMinder® site, cookies named FEDSESSION and FEDPROFILE may exist because CA SiteMinder® generates its own session and identity cookies. In this case, you can change the global cookie zone prefix for CA SiteMinder® Federation Standalone so its cookies get renamed.
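The following added example (not code from the product or this guide) shows two checks that follow from the zone description above: whether a chosen cookie zone prefix collides with cookies another application already sets in the same cookie domain, and whether a user entering a zone must be rechallenged given the zone trust configuration. The naming rule (prefix plus the fixed suffixes SESSION and PROFILE, inferred from the defaults FEDSESSION and FEDPROFILE), the prefix values FSA and HR, and the partner cookie names are assumptions made for the example.

```python
# Added example (not the product's own code): cookie zone prefix collision
# check and a model of the security zone rechallenge rule. Constructed data.


def zone_cookie_names(prefix):
    """Session and identity cookie names for a zone prefix.
    ASSUMPTION: the defaults FEDSESSION and FEDPROFILE are the prefix "FED"
    plus the fixed suffixes SESSION and PROFILE."""
    return (f"{prefix}SESSION", f"{prefix}PROFILE")


def cookie_conflicts(prefix, partner_cookie_names):
    """Return the names our zone cookies would share with cookies another
    application already sets in the same cookie domain. Cookie names are
    case-sensitive, so the comparison is exact."""
    ours = set(zone_cookie_names(prefix))
    return sorted(ours & set(partner_cookie_names))


def needs_rechallenge(target_zone, trusted_zones, request_cookies):
    """Decide whether a user entering target_zone must authenticate again.

    trusted_zones maps a zone prefix to the set of zone prefixes it trusts.
    A session cookie from the target zone or from any zone it trusts is
    accepted; otherwise the user is rechallenged.
    """
    accepted = {target_zone} | trusted_zones.get(target_zone, set())
    for zone in accepted:
        session_cookie, _ = zone_cookie_names(zone)
        if request_cookies.get(session_cookie):
            return False
    return True


# Constructed sample: a CA SiteMinder site in the same cookie domain already
# sets FEDSESSION and FEDPROFILE, so the default prefix "FED" collides and a
# different prefix such as "FSA" does not.
PARTNER_COOKIES = {"FEDSESSION", "FEDPROFILE", "SMSESSION"}

# Constructed sample trust configuration: zone HR trusts sessions from FSA,
# but FSA does not trust sessions from HR.
ZONE_TRUST = {"HR": {"FSA"}, "FSA": set()}
```

Run cookie_conflicts against the names your partner's applications set in the shared cookie domain before settling on a Global Cookie Zone value; an empty result means the renamed cookies cannot overwrite or be overwritten by the partner's cookies.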

Note: If you have an application that is using a CA SiteMinder® Federation Standalone SDK, the values configured for the Global Cookie Zone and Encryption Password settings must match what the SDK uses. Be sure to share the values of these settings with the appropriate parties in your organization. At the asserting party, the SDK and web access management system need these values. At the relying party, CA SiteMinder® Federation Standalone and the target system that hosts the application need to know these values.

For additional information, see the CA SiteMinder® Federation Standalone Java SDK Guide or the .NET SDK Guide.

The other cookie parameters in this group box are the open format cookie settings. The open format cookie settings are used only for the open format cookie method of delegated authentication and apply on a global level, not on a partnership basis.

Note: At the relying party, the configuration of this cookie data is done at the partnership level and not at a global level.

To change the cookie settings

  1. Log in to the Administrative UI.
  2. From the Infrastructure tab, select Deployment Settings.

    The Configure Deployment Settings dialog is displayed.

  3. (Optional) Modify all the settings in the Cookie Settings section, as needed.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  4. Click Save in the right corner of the section.

How to Configure Federation System Administrators

Several administrators in your company can be responsible for different aspects of federation management. Assign the administration of CA SiteMinder® Federation Standalone to multiple people in your organization to establish accountability and separation of responsibilities.

A default administrator account is always available to manage CA SiteMinder® Federation Standalone. After you add new administrators, you can optionally disable the default administrator account.

Create and maintain new administrative users through the Administrative UI.

The following graphic shows the configuration tasks for configuring administrators:

Flow diagram of tasks to configure multiple administrators

Complete these tasks:

  1. Connect to external user directories.
  2. Select users as administrators.
  3. Change the default administrator password (optional).

Connect to External User Stores

Create the connections to LDAP and ODBC external user stores. This step is required before you configure multiple administrators.

LDAP and ODBC are the two types of directories that the federation system supports.

Follow these steps:

  1. Click the User Directory tab.
  2. Click Connect to LDAP or ODBC.

    You can select Action, Modify to verify the configuration of an existing directory connection.

  3. Configure any required settings in each section. Red dots mark the required parameters.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  4. Enter a value for the Universal ID Attribute (LDAP) or Universal ID Column (ODBC). This value is required to configure multiple administrators.

    The universal ID value must be unique to identify individual users in a directory. For example, enter uid as a universal ID for an LDAP directory because each user has a uid. Do not use an attribute such as a job title because many users have the same title.

  5. For LDAP directories only, specify values for the Start and End User DN Lookup fields. For example:

    Start User DN Lookup: (uid=

    End User DN Lookup: )

  6. Click Test Connection to verify that the connection is valid.

    You can click View Contents to list the contents of the user directory.

  7. Click Save.

    If your settings are valid, you are redirected to the View User Directories dialog.

    The connection to the directory is configured.
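The following added example (not code from the product or this guide) covers steps 4 and 5 of the procedure above: it checks exported directory data to confirm that a candidate Universal ID attribute is present on every entry and unique (uid passes, a job title fails), and it assembles the search filter the way the Start and End User DN Lookup pair is used, start text plus the login name plus end text. The directory entries are constructed, and the RFC 4515 escaping of the login name is a safeguard added here that the page does not describe.

```python
# Added example (not the product's own code): Universal ID attribute checks and
# assembly of the Start/End User DN Lookup filter. Directory data is constructed.
from collections import Counter

# Constructed sample of LDAP entries as a directory search would return them.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice", "title": "Engineer"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob", "title": "Engineer"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "uid": "carol", "title": "Manager"},
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "uid": "dave"},
]


def universal_id_problems(entries, attribute):
    """Return the problems that make `attribute` unusable as a Universal ID:
    entries that lack it, and values shared by more than one entry. An empty
    list means the attribute identifies every user uniquely."""
    problems = []
    values = []
    for entry in entries:
        value = entry.get(attribute)
        if value in (None, ""):
            problems.append(f"{entry['dn']}: missing {attribute}")
        else:
            values.append(value)
    for value, count in Counter(values).items():
        if count > 1:
            problems.append(f"{attribute}={value!r} is shared by {count} entries")
    return problems


# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is treated as literal text inside an LDAP filter
    (added safeguard; not described on the page)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(start, end, login_name):
    """Assemble the lookup filter: Start User DN Lookup text, then the name the
    user typed at login, then End User DN Lookup text."""
    return f"{start}{escape_filter_value(login_name)}{end}"
```

With the example values from step 5, a login name of alice yields the filter (uid=alice). The escaping keeps a login name that contains filter metacharacters from changing the shape of the filter, so the lookup still matches at most the one uid entry.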

Select Users as Administrators

After you establish connections to external user stores, select users to serve as administrators.

Follow these steps:

  1. Log on to the Administrative UI.
  2. Navigate to Infrastructure, Administrators.
  3. Select Configure Administrative Authentication.
  4. Follow the configuration wizard to complete its tasks.
  5. Log out of the Administrative UI and wait several minutes for the changes to take effect.
  6. Log back in to the Administrative UI with the credentials of a new administrator.
  7. Return to the Administrators page to see the list of administrators.
  8. (Optional) From the Action menu, modify or view an entry.

    You can change the privileges of the administrator and can enable/disable the administrator.

Multiple administrators are now available to divide federation management tasks.

Change the Default Administrator Password (Optional)

For security reasons, change the password that gives the default administrator access to the Administrative UI. This task is optional.

Two methods are available to change the administrator password: