This section contains the following topics:
Administrative UI New Look and Feel
Claims Transformation of Assertion Attributes
Session Store Attributes Available for Assertions
WS-Federation Metadata Exchange
SAML 2.0 Attribute Query Support
SAML 2.0 User Attribute Retrieval from a Third-Party Identity Provider
SAML 2.0 Attribute Authority Metadata
Federation System Administration
Log Enhancements to Aid Troubleshooting
Certificate List Cross References Partnerships
The CA SiteMinder® Federation Standalone Administrative UI is now refreshed to meet the CA standard for fonts, colors, icons, and images. The menu navigation for the Administrative UI has new styles but uses the familiar tab interface. The steps in the configuration wizards have a new, more colorful look. The new look improves the navigation and makes configuration tasks easier.
CA SiteMinder® Federation Standalone now lets users get access to a federated resource using their social networking credentials instead of the federation system credentials.
Social sign-on consists of the following features:
The features are independent of each other. You can configure the federation system to implement one or both of them.
12.52 supports SAML 2.0 HTTP POST binding as a method for exchanging requests and responses during authentication and single log-out requests.
Claims transformation manipulates claims during a federated single sign-on transaction. Claims, also known as attributes, can be modified before they are placed in the assertion to tailor the data a partner receives and improve the user experience at that partner.
The software can perform three different modifications to assertion attributes:
Session attributes can be persisted in the session store after a user is authenticated. From the session store, the system can add the attributes to an assertion to customize the requested application.
CA SiteMinder® now supports the WS-Federation 1.2 profile for partnership federation. You can configure single sign-on and sign-out using the WS-Federation profile.
The Policy Server supports the Web Services Metadata Exchange profile for WS-Federation partnerships. This web service enables the CA SiteMinder® local partner to respond to requests from a remote partner for metadata. The exchange occurs as an HTTP request and response.
A CA SiteMinder® IdP supports the SAML 2.0 Assertion Query/Request profile and can respond to attribute queries. The IdP also extends the profile functionality by accepting queries for attributes not in the assertion or in the metadata. When the IdP receives an attribute query, the IdP first checks its user directory to find the attributes. If the attributes are not found, the Policy Server checks the session store.
Note: Only the CA SiteMinder® IdP supports the query profile. A CA SiteMinder® SP as the requesting partner only supports the proxied attribute query feature.
In a SAML 2.0 federated environment, CA SiteMinder® supports a feature referred to as a proxied attribute query. The proxied attribute query is based on the SAML 2.0 Assertion Query/Request profile.
A proxied query enables the Policy Server to contact a third-party Identity Provider and request values for attributes that are not in its session store. The Policy Server can then pass the attributes back to the application at the Service Provider.
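The attribute lookup order described above (user directory first, then session store) and the resulting set of unresolved attributes, which is what a proxied query to a third-party IdP would then have to supply, as an added Python illustration that is not CA's code; the SAML 2.0 namespaces are the standard ones, while the two stores, the user `jdoe` and the attribute names are constructed sample data.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample data standing in for the IdP's user directory and session store.
USER_DIRECTORY = {"jdoe": {"mail": "jdoe@example.com", "department": "finance"}}
SESSION_STORE = {"jdoe": {"authLevel": "15", "device": "managed-laptop"}}

def build_attribute_query(name_id, attribute_names, query_id="_q1"):
    """Build the <samlp:AttributeQuery> a requesting SP sends to the attribute service."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", ID=query_id, Version="2.0")
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", Name=name)
    return ET.tostring(query, encoding="unicode")

def resolve_attribute(name_id, attr_name):
    """Lookup order stated in the release notes: user directory first, then session store."""
    for store in (USER_DIRECTORY, SESSION_STORE):
        value = store.get(name_id, {}).get(attr_name)
        if value is not None:
            return value
    return None

def answer_attribute_query(query_xml):
    """Parse a received AttributeQuery; return (found {name: value}, unresolved [names])."""
    root = ET.fromstring(query_xml)
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    found, missing = {}, []
    for attr in root.findall(f"{{{SAML}}}Attribute"):
        name = attr.get("Name")
        value = resolve_attribute(name_id, name)
        if value is None:
            missing.append(name)  # candidates for a proxied query to a third-party IdP
        else:
            found[name] = value
    return found, missing

def build_attribute_statement(found):
    """Wrap the resolved values in a <saml:AttributeStatement> for the response assertion."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    for name, value in found.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")
```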
When you export metadata from a local SAML 2.0 IdP entity or an IdP-to-SP partnership, the attribute service URL is in the exported metadata. This information is relevant for local IdPs acting as an Attribute Authority, one of the roles necessary for the Attribute Query/Response profile.
Several administrators in your company can be responsible for different aspects of federation management. You can assign the administration of CA SiteMinder® Federation Standalone to multiple people in your organization to establish accountability and separation of responsibilities.
The federation log files FWSTrace.log and smtracedefault.log now contain checkpoint log messages that indicate what is happening during a transaction. You can search for these checkpoint messages to follow some of the processes that occur during a transaction.
In addition to the checkpoint messages, there are transaction IDs in the log to follow a transaction. If a transaction fails, the checkpoint messages and transaction IDs can help you determine the specific problem.
In the Administrative UI, the Certificate and Private Key List for X509 certificate management now includes a Partnerships column. This column displays the federated partnerships that use each private key/certificate. The partnerships are displayed as a link. If there is only one partnership in the column, the link takes you to a filtered partnership list. The list shows only the one partnership. If there are multiple partnerships in the column, the link takes you to an unfiltered federation partnership list.
Copyright © 2013 CA.
All rights reserved.