To accomplish remote provisioning, CA SiteMinder® Federation Standalone redirects the browser with the assertion data to the provisioning application.
CA SiteMinder® Federation Standalone can pass the assertion data using one of three methods:
Delivers SAML assertion information in a legacy cookie generated by CA SiteMinder® Federation Standalone. The cookie contains a login ID based on the assertion data. If a legacy cookie is used, then the CA SiteMinder® Federation Standalone Java SDK must be installed on the system with the provisioning application so that the provisioning application can read the legacy cookie.
Note: If you use the legacy cookie, the CA SiteMinder® Federation Standalone system and the remote provisioning system must be in the same domain.
Delivers SAML assertion information in an open format cookie. The cookie contains a login ID based on the assertion data.
Note: If you use the open format cookie, the CA SiteMinder® Federation Standalone system and the remote provisioning system must be in the same domain.
The cookie can be created in one of two ways:
If you select one of the FIPS algorithms (AES algorithms), you are required to use a CA SiteMinder® Federation Standalone SDK to generate the cookie. If you are planning to use the .NET SDK, you are required to use the AES128/CBC/PKCS5Padding encryption algorithm. If the provisioning application uses .NET then the CA SiteMinder® Federation Standalone .NET SDK can be installed on the provisioning server and used to read the open format cookie.
The provisioning application must use the same language as the SDK that it is using to create a cookie. If you are using the CA SiteMinder® Federation Standalone Java SDK, the application must be in Java. If you are using the .NET SDK, the application must support .NET.
To create an open format cookie without using a CA SiteMinder® Federation Standalone SDK, use any programming language to create the cookie. Review the details about the contents of the open format cookie.
The language you use to write the cookie must support UTF-8 encoding and any of the PBE encryption algorithms that CA SiteMinder® Federation Standalone uses for password-based encryptions, which include:
The provisioning application cannot read the open format cookie without an SDK if you select FIPS-compatible (AES) algorithm to encrypt the cookie.
You must also ensure that the open format cookie gets set in the user's browser.
Note: If you installed CA SiteMinder® Federation Standalone in FIPS-only mode, only the open format cookie is available.
If proxy mode is used, this information can also be passed as HTTP headers. If you use HTTP headers, the CA SiteMinder® Federation Standalone system and the remote provisioning system can be in different domains.
The delivery option is configurable in the Application Integration step of the Partnership wizard.
After the user is redirected to the provisioning application, CA SiteMinder® Federation Standalone no longer has control over the process. If provisioning a user account is a time-consuming process, the provisioning application is responsible for handling this situation, for example, by sending a message to the user that provisioning is in process. This information lets the user know not to keep trying to log in before an user account is available.
|
Copyright © 2013 CA.
All rights reserved.
|
|