CA SiteMinder® Federation Standalone Guide › CA SiteMinder® Integration with CA SiteMinder® Federation Standalone › How to Integrate CA SiteMinder® Federation Standalone and CA SiteMinder®

How to Integrate CA SiteMinder® Federation Standalone and CA SiteMinder®

A deployed CA SiteMinder® system can integrate with CA SiteMinder® Federation Standalone using the CA SiteMinder® Connector, a software component included with CA SiteMinder® Federation Standalone. The Connector enables the following interaction between federation and web access management deployments:

• Establishing an identity to generate an assertion.

  At the asserting party, a user arrives at CA SiteMinder® Federation Standalone but has no session. The Connector communicates with CA SiteMinder® to establish a CA SiteMinder® session. Based on the contents of the CA SiteMinder® session, the Connector creates a federation session. Using this session information, a SAML assertion is generated for the user.

• Establishing an identity for CA SiteMinder® to determine authorization privileges.

  At the relying party, a user authenticates with CA SiteMinder® Federation Standalone and a federation session is generated. The Connector passes on the federation session with the user name to CA SiteMinder®, which generates a CA SiteMinder® session from the federation session. The user is now identified and is not rechallenged for credentials. CA SiteMinder® determines the authorization privileges for the requested resources at the relying party.

The following figure shows the configuration process when integrating with the Connector:

Complete the following configuration steps:

1. Configure a policy to generate a CA SiteMinder® session.
2. Configure the Connector settings.
3. Enable the Connector at the partnership level.

Integrate with CA SiteMinder® using the SiteMinder Connector

The CA SiteMinder® Connector enables the following integrations:

• Establishing an identity to generate an assertion.

  At the asserting party, a user arrives at CA SiteMinder® Federation Standalone but has no session. The Connector communicates with CA SiteMinder® to establish a CA SiteMinder® session. The use of the session information results in a federation session and the generation of a SAML assertion for the user. With this assertion, the user can access protected federated resources at the relying party.

• Determining authorization privileges from the assertion.

  At the relying party, a user authenticates with CA SiteMinder® Federation Standalone and a federation session is generated. The Connector passes on the federation session with the user name to CA SiteMinder®, which generates a CA SiteMinder® session. By establishing this session, these users do not get rechallenged when accessing a protected resource. The user is now identified and access privileges for the user at the relying party can be determined.

The FEDSESSION cookie uses the following timeout settings:

• Idle Timeout: 600 seconds (10 minutes)
• Max Timeout: 900 seconds (15 minutes)

You cannot change these timeout settings in UI.

The Connector requires configuration in the CA SiteMinder® environment and in the CA SiteMinder® Federation Standalone environment, as shown in the following diagrams.

This graphic shows the Connector at the asserting party:

This figure shows the Connector at the relying party.

Configure a Policy to Generate a Session at Each Site

The CA SiteMinder® Connector enables CA SiteMinder® Federation Standalone to work with an existing Policy Server. The first step is to configure a policy. At the asserting party, the policy generates a federation session. At the relying party, the policy generates a CA SiteMinder® session. Though this policy functions as any other policy, its main objective is to trigger a session, not to protect resources.

Note: Configure a policy at the asserting and the relying party.

The policy requires that you configure the typical policy objects; however, you apply a custom CA SiteMinder® Connector authentication scheme. This policy is specific to the Connector setup.

To configure the Policy Server objects, see the Policy Server Configuration Guide.

Important! Complete the following steps at the Policy Server before configuring the Connector.

Follow these steps:

1. Unzip the smauthconnectors.zip archive on your federation system. This archive is included with the federation product kit.
2. Select the correct custom authentication scheme library for your CA SiteMinder® operating environment:
   • Windows: smauthsmconnector.dll
   • Solaris/Linux: libsmauthsmconnector.so

     Note: The name is case-sensitive on UNIX platforms.

3. Copy the library to the appropriate Policy Server directory on the CA SiteMinder® system:
   • Windows: policy_server_home/siteminder/bin
   • Solaris/Linux: policy_server_home/siteminder/lib
4. Log on to the CA SiteMinder® Administrative UI.
5. Create a Web Agent that represents the federation system. For example, name it Federation Agent.

   Important! Do not select the option for supporting 4.x agents.

6. Create an Agent Configuration Object, which specifies the Agent configuration, and specify a value for the DefaultAgentName setting. This setting alone is sufficient for the object.
7. Create a Host Configuration Object.

   The Host Configuration Object defines the connection between a trusted host and the Policy Server. To integrate the federation system and the Policy Server, the Host Configuration Object defines the Policy Server to which the federation system can connect.

   For the federation system to connect to one or more Policy Servers in an existing Host Configuration Object, use that object. Otherwise, create one for the federation-to-Policy Server-connection.

8. Create a custom Connector authentication scheme with the following values:

   Library

   smauthsmconnector

   This value is case-sensitive.

   Secret

   alphanumeric string

   The value for this field must match the value Shared Secret value in the Connector settings in the Administrative UI.

9. Create a policy domain for the federation product. This domain must contain the necessary realm and resource that you add to the policy to create a CA SiteMinder® session.
10. Add the user directory that is used by the federation system and the Policy Server to the domain you configured.
11. Create a realm with the following values:

    Agent

    Specify the Web Agent from the previous step.

    Resource Filter

    Specify a dummy directory, such as /federation/. This directory does not have to exist on a web server.

    Authentication Scheme

    Enter the name that you gave to the custom authentication scheme created previously.

12. Create a rule with the following values:

    Resource

    *

    Action

    Web Agent—Get and Post

13. Create a policy with the following settings:

    Users

    Specify the users from the user directory that the federation system and CA SiteMinder® share.

    Rules

    Add the rule that is created for the Connector.

You now have a policy that generates a CA SiteMinder® session when communicating with CA SiteMinder® Federation Standalone.

Configure the Connector Settings

For the Connector to interact with CA SiteMinder®, configure the Connector settings in the CA SiteMinder® Federation Standalone Administrative UI. All partnerships that use the Connector use a single configuration and connect to a single CA SiteMinder® environment.

Follow these steps:

1. Log in to the Administrative UI.
2. Navigate to the Infrastructure tab.
3. Select Deployment Settings.

   The Configure Deployment Settings dialog opens.

4. Fill in all the fields in the CA SiteMinder® Connector Settings section. Note the following considerations:
   • To enable or disable the Connector for a given partnership, enable it at the partnership level.
   • To enable or disable the Connector globally, use the check box in the deployment settings.

   Important! If the Connector is disabled at the global level, CA SiteMinder® Federation Standalone ignores the check box at the partnership level.

   Note: Click Help for a description of fields, controls, and their respective requirements.

5. Select Register Host and provide the legacy administrator credentials for the CA SiteMinder® Policy Server. Only legacy administrators can perform host registration.

   This step registers CA SiteMinder® Federation Standalone as an Agent with the CA SiteMinder® Policy Server.

   Note: You can configure failover support for the host registration process by specifying more than one Policy Server. If the registration with the primary Policy Server fails, the registration process tries with the next Policy Server specified until the registration process completes successfully.

6. Click Save.

   Important! Select Save specifically in the CA SiteMinder® Connector Settings section after registering the host.

7. Restart the federation services according to your operating environment.
   • Windows

     Use the stop and start shortcuts as follows. If you logged in as a network user and not a local administrator, right-click the shortcut and select Run as administrator.

     1. Start, All Programs, CA, Federation Standalone, Stop services
     2. Start, All Programs, CA, Federation Standalone, Start services
   • UNIX

     a. Open a command window.

     b. Run the following scripts:

     federation_install_dir/fedmanager.sh stop

     federation_install_dir/fedmanager.sh start

     Note: Do not stop and start the services as the root user.

The CA SiteMinder® Connector configuration is complete.

Enable the Connector at the Partnership Level

Before you enable the Connector, verify:

• The CA SiteMinder® Policy Administrator has configured the policy for federated communication.
• You have configured the Connector-specific settings in CA SiteMinder® Federation Standalone.

Enable the Connector for the partnership where CA SiteMinder® is deployed:

• If CA SiteMinder® is at the asserting party, enable the Connector for an IdP-to-SP or Producer-to-Consumer partnership.
• If CA SiteMinder® is at the relying party, enable the Connector for an SP-to-IdP or Consumer-to-Producer partnership.

Whether you are modifying an existing partnership of configuring a new partnership, the standard partnership configuration steps apply; there are no unique configuration procedures. However, specify the target resources at the relying party in the using the following guidelines:

• If CA SiteMinder® Federation Standalone is deployed in standalone mode, the target resource resides on the web server that the CA SiteMinder® Web Agent protects.
• If CA SiteMinder® Federation Standalone is deployed in proxy mode, the target resource is the URL for the CA SiteMinder® Federation Standalone server because all proxy requests go back to CA SiteMinder®.

Follow these steps:

1. Log in to the Administrative UI.
2. Select a partnership from the Federated Partnerships list or create a new one.

   The Partnership dialog opens.

3. Navigate to one of the following steps in the wizard:
   1. At the relying party, navigate to the User Identification step in the Partnership wizard.
   2. At the asserting party, navigate to the Federation Users step in the Partnership wizard.
4. Select the Enable SiteMinder Connector check box.

   The configuration fields become available.

5. (Optional) Select the Enforce UserDN and Directory Name Comparison check box. Selecting this check box forces a comparison of the UserDN and UserDirectory Name entries between the user directory at CA SiteMinder® Federation Standalone and the directory at CA SiteMinder®.

   If you select this check box, the user directory for the CA SiteMinder® Federation Standalone and the CA SiteMinder® deployment must be the same physical directory. The name for both of these directories must be the same for user store lookups. If you clear the check box, the Universal ID is the attribute that finds the user record. If the Universal ID is used, the directories do not have to be the same. If you rely on the Universal ID, each user must have a unique Universal ID. If the Universal IDs are not unique, the system accessing the user record can retrieve the wrong record.

6. Save your changes.

To disable the Connector, you can do so at the partnership level or globally in the Deployment Settings.