

User Identification at the Relying Party

At the relying party, the partner must be able to locate the federated user in the local user directory. This lookup is called disambiguation. Configure the identity attribute used for disambiguation in the User Identification dialog.

CA SiteMinder® Federation Standalone can employ one of the following methods for the disambiguation process:

After you determine which attribute is extracted from the assertion, include this attribute in a search specification, which CA SiteMinder® Federation Standalone uses to locate a user in the user store. After a successful disambiguation process, CA SiteMinder® Federation Standalone generates a session for the user.

For SAML 2.0, you can also configure the AllowCreate feature, which lets an asserting party create a user identifier.

Single sign-on can be initiated by the relying party sending an authentication request (AuthnRequest) to the asserting party. In the NameIDPolicy element of this request, the relying party can ask that the asserting party return a particular user attribute as the NameID in the assertion, in a particular format. However, a value for that attribute may not yet exist in the user record at the asserting party.

If the NameIDPolicy in the authentication request has AllowCreate set to true and the asserting party is configured to create a new identifier, the asserting party generates a unique value as the NameID. This value is placed in the assertion and sent back to the relying party. Both conditions must hold; if either is missing, the asserting party has no identifier to return for that user. Note also that a newly generated identifier does not match an existing entry in the relying party user directory until it has been associated with that user, so the relying party must be prepared to handle the first login with such a value.
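The following is an added example illustrating both the disambiguation search described earlier and the AllowCreate exchange above; it is not CA SiteMinder® Federation Standalone code. It builds an AuthnRequest whose NameIDPolicy carries AllowCreate, lets a toy asserting party either return the user's stored persistent identifier, generate one (only when both the request and its own configuration allow it) or answer with a Requester/InvalidNameIDPolicy status, and then has the relying party extract the NameID, substitute it into a search specification with RFC 4515 escaping, and accept the user only when exactly one directory entry matches. The entity IDs, the in-memory directories and the `%s` placeholder syntax for the search specification are assumptions made for the illustration; signature, audience and time validation of the response are assumed to happen before `disambiguate` is called.

```python
# SAML 2.0 AuthnRequest/Response exchange with NameIDPolicy AllowCreate, and
# relying-party disambiguation of the returned NameID. Added example, not CA
# SiteMinder Federation Standalone code; the directories, entity IDs and the
# "%s" search-specification syntax are assumptions made for illustration.
import re
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, name_id_format=PERSISTENT, allow_create=True):
    """Relying party: AuthnRequest whose NameIDPolicy asks for a NameID in the
    given format and states whether the asserting party may create one.
    Only the elements relevant here are emitted (a real request also carries
    IssueInstant, Destination and a signature)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID="_" + uuid.uuid4().hex, Version="2.0")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", Format=name_id_format,
                  AllowCreate="true" if allow_create else "false")
    return ET.tostring(req, encoding="unicode")


def _response(issuer, status, sub_status=None, name_id=None, in_response_to=None):
    """Minimal samlp:Response; an saml:Assertion with a Subject/NameID is only
    added on success. Unsigned: this example is about identifier handling."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0")
    if in_response_to:
        resp.set("InResponseTo", in_response_to)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    code = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"),
                         f"{{{SAMLP}}}StatusCode", Value=status)
    if sub_status:
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=sub_status)
    if name_id is not None:
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex, Version="2.0")
        ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
        subject = ET.SubElement(a, f"{{{SAML}}}Subject")
        ET.SubElement(subject, f"{{{SAML}}}NameID", Format=PERSISTENT).text = name_id
    return ET.tostring(resp, encoding="unicode")


def idp_issue(request_xml, idp_entity_id, idp_users, login, create_enabled):
    """Asserting party: answers the AuthnRequest for the already-authenticated
    user `login`. If the user record has no persistent identifier, one is
    generated only when the request carries AllowCreate="true" AND this
    asserting party is configured to create identifiers; the new value is
    stored so later logins return the same NameID. Otherwise the response
    carries Requester/InvalidNameIDPolicy and no assertion."""
    req = ET.fromstring(request_xml)
    policy = req.find("samlp:NameIDPolicy", NS)
    allow_create = policy is not None and policy.get("AllowCreate", "false").lower() == "true"
    record = idp_users[login]
    name_id = record.get("persistentId")
    if name_id is None:
        if not (allow_create and create_enabled):
            return _response(idp_entity_id, STATUS_REQUESTER, STATUS_INVALID_NAMEID_POLICY,
                             in_response_to=req.get("ID"))
        name_id = record["persistentId"] = uuid.uuid4().hex  # opaque, unique, persisted
    return _response(idp_entity_id, STATUS_SUCCESS, name_id=name_id, in_response_to=req.get("ID"))


def ldap_escape(value):
    """RFC 4515 escaping for a value taken from an assertion, so it is matched
    literally and cannot change the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def match_filter(filt, entry):
    """Toy evaluator for one equality filter "(attr=value)" against a directory
    entry (a dict), decoding RFC 4515 hex escapes before comparison."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt, re.S)
    if not m:
        return False
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return entry.get(m.group(1)) == value


def disambiguate(response_xml, expected_issuer, search_spec, local_users):
    """Relying party: takes the NameID from a successful response issued by the
    expected partner, substitutes it (escaped) into `search_spec` and returns
    the local entry only when exactly one matches. Anything else (failure
    status, wrong issuer, no NameID, zero or several hits) yields None."""
    resp = ET.fromstring(response_xml)
    top = resp.find("samlp:Status/samlp:StatusCode", NS)
    if top is None or top.get("Value") != STATUS_SUCCESS:
        return None
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", None, NS) != expected_issuer:
        return None
    name_id = assertion.findtext("saml:Subject/saml:NameID", None, NS)
    if not name_id:
        return None
    filt = search_spec.replace("%s", ldap_escape(name_id))
    hits = [u for u in local_users if match_filter(filt, u)]
    return hits[0] if len(hits) == 1 else None
```

Two design points carry over to a real deployment: the search specification must treat the assertion value as data (the escaping above is what stops a crafted NameID from widening an LDAP filter), and the lookup must fail when it returns zero or more than one entry, since an ambiguous match would bind the session to the wrong account. A NameID freshly generated under AllowCreate falls into the zero-match case until the relying party has linked it to a local user.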

In the User Identification dialog, you can also enable the CA SiteMinder® Connector.

The CA SiteMinder® Connector is a software component included with CA SiteMinder® Federation Standalone. It enables a deployed CA SiteMinder® system to integrate with CA SiteMinder® Federation Standalone. If you integrate CA SiteMinder® and CA SiteMinder® Federation Standalone at a relying party, CA SiteMinder® does not rechallenge users authenticated by CA SiteMinder® Federation Standalone when they request CA SiteMinder®-protected resources. There is no authentication rechallenge because the Connector and a custom CA SiteMinder® authentication scheme at the Policy Server enable the creation of a CA SiteMinder® session for users authenticated by CA SiteMinder® Federation Standalone.

You can enable the CA SiteMinder® Connector on a per-partnership basis, but there is only one global SiteMinder Connector configuration, and it applies to every partnership that enables the Connector. The Connector is available only when the check box in the Deployment Settings is selected and a configuration is defined. You access the Deployment Settings from the Infrastructure tab in the UI. After the Connector is enabled globally, CA SiteMinder® Federation Standalone evaluates each partnership configuration to determine whether the Connector is enabled for that partnership; the partnership then uses the global Connector configuration.

To disable the Connector for the partnership, clear the check box at the partnership level. To disable the Connector globally, disable it in the Deployment Settings.

Important! If the Connector is disabled at the global level, CA SiteMinder® Federation Standalone ignores the check box at the partnership level.