CA SiteMinder® Federation Standalone Guide › Single Sign-on Configuration

Single Sign-on Configuration

This section contains the following topics:

Single Sign-on Configuration (Asserting Party)

Single Sign-on Configuration (Relying Party)

Assertion Validity for Single Sign-on

Session Validity at a Service Provider

Status Redirects for HTTP Errors (SAML 2.0 IdP)

SAML 2.0 Entities Allowed to Initiate Single Sign-on

Back Channel Authentication for Artifact SSO

How to Enable SAML 2.0 Attribute Query Support

How to Retrieve User Attribute Values from a Third-Party Source

How to Get User Consent to Send an Assertion

Enhanced Client or Proxy Profile Overview (SAML 2.0)

IDP Discovery Profile (SAML 2.0)

SAML 2.0 HTTP-POST Binding Configuration

Single Sign-on Configuration (Asserting Party)

When you configure single sign-on at the asserting party, you specify how the asserting party delivers an assertion to a relying party.

Only one single sign-on session is persisted in a browser. The session information is stored in the FEDSESSION cookie. If you access another partnership in the same browser, the FEDSESSION cookie is not valid, unless the underlying user directory is the same as the previously accessed partnership during the same browser session.

The FEDSESSION cookie uses the following timeout settings:

• Idle Timeout: 3600 seconds (1 hour)
• Max Timeout: 7200 seconds (2 hours)

You cannot change these timeout settings in UI.

Follow these steps:

1. Begin at the appropriate step in the Partnership wizard.

   SAML 1.1

   Single Sign-On

   SAML 2.0

   SSO and SLO

   Note: Click Help for a description of fields, controls, and their respective requirements.

2. Select an option for the Authentication Mode in the Authentication group box.

   Authentication Mode

   Select Local or Delegated

   • Click Local if the federation system is handling user authentication.
   • Click Delegated if a third-party web access management (WAM) system is handling user authentication.

3. Select the Authentication Type for the authentication mode you chose. The options change depending on whether you are using local or delegated authentication.

   Local Authentication Type (Local Mode only)

   Select Basic or Form based

   If you are using CA SiteMinder® Federation Standalone that is localized for Japanese or French users, select Forms based authentication scheme. Basic authentication is not supported for localized users.

   For forms authentication, sample log-in forms are available for Japanese and French. The forms are in the directory federation_install_dir/secure-proxy/proxy-engine/examples in the folders formsja (Japanese) and formsfr (French).

   To use the localized forms

   1. Navigate to federation_install_dir/secure-proxy/proxy-engine/examples.
   2. Make a backup copy of the forms folder.
   3. Rename the folder for your language (formsja for Japanese or formsfr for French) to forms.

   Delegated Authentication Type

   Select Legacy Cookie, Query String, Open-format Cookie

   Note: The open format cookie is the only FIPS-compatible option for delegated authentication.

4. For Delegated Authentication only, configure the required parameters for the type of delegated authentication you chose.

   Legacy Cookie

   If user identity information is being passed from the third-party WAM in a cookie, configure the Delegated Authentication URL. This URL redirects the request to the WAM system if the user comes to CA SiteMinder® Federation Standalone first. The URL does not apply when the user visits the WAM first.

   Query String

   If user identity information is being passed from the third-party WAM in a query string, configure the following settings:

   • Delegated Authentication URL

     This URL redirects the request to the WAM system when the user comes to CA SiteMinder® Federation Standalone first. The URL does not apply when user goes to the WAM first.

   • Hash Secret
   • Confirm Hash Secret

   Open-format Cookie

   If user identity information is being passed from the third-party WAM in a FIPS-encrypted cookie, configure the Delegated Authentication URL. The open format cookie is the only FIPS-compatible option for delegated authentication. This URL redirects the request to the WAM system if the user comes to CA SiteMinder® Federation Standalone first. The URL does not apply when user goes to the WAM first.

   Note: If you select Legacy Cookie or Open-format Cookie as the Delegated Authentication Type, configure the required global cookie settings. Locate the deployment settings by navigating to Infrastructure, Deployment Settings.

5. Complete the Authentication Class field by entering a URI for the user authentication method you want to use. This URI is placed in the AuthnContextClassRef element in the assertion to describe how a user is authenticated.

   Guidelines:

   • If the user is going to authenticate locally, accept the default URI for Password.
   • If the user is going to authenticate at a remote third party, edit this field to reflect the authentication method.
6. Complete the required fields in the SSO group box to configure how single sign-on operates:

   Be aware of the following guidelines:

   • If you select Artifact binding, select an artifact encoding (URL or FORM). The encoding defines how the artifact comes back to the relying party. If you select the URL option, the artifact is sent back as a query parameter in a URL. If you select FORM, the artifact is posted as form data.
   • You can select both bindings for SAML 2.0—the local entity determines the sequence in which the bindings are tried.

     Note: For artifact binding, the assertion is sent over a secure back channel. Therefore, configure the settings in the Back Channel group box.

   • When you select an SSO binding, configure at least one Assertion Consumer Service with a matching binding. If you select Enhanced Client and Proxy Profile, you need an Assertion Consumer Service with the PAOS binding.
   • The SSO Validity Duration and the Skew Time determine when the assertion is valid. Read the information about assertion validity to understand how these settings work together.
7. Specify the URL for the Assertion Consumer Service. This service is the service at the relying party that processes received assertions.

Any values defined during the creation or import of the remote relying party are already filled in.

This procedure completes SSO configuration for the asserting party.

More information:

Assertion Validity for Single Sign-on

Delegated Authentication

Customize the Auto-POST form for HTTP-POST SSO

You can customize the auto-POST form sent to the relying party in a SAML response to improve the user experience.

To use a customized form, enter the name of the form in the Custom Post Form field of the SSO section of the SSO and SLO step of the wizard. The system uses the form you specify in the response. The product includes a form named defaultpostform.html.

Note: Enter only the name of the form, not the path to the form.

The physical page must reside in the directory federation_install_dir\customization, where federation_install_dir is the installed location of the product.

Authentication Options using Partnership Federation

Standalone partnership federation lets you select the authentication mode for federated single sign-on. You select the mode as part of the single sign-on configuration at the asserting party.

• Local authentication mode

  Local authentication happens at the local federation system. For local authentication, you can select Basic or Forms as the authentication schemes. These options are the only two methods available locally.

• Delegated authentication mode

  Delegated authentication forwards the authentication task to a third-part web access management (WAM) system. The method by which the third party authenticates a user depends on the authentication schemes the third party supports. After the third-party WAM authenticates the user, it returns the federated user identity to the entity originally asked to authenticate the user.