

Remote Provisioning

Remote provisioning employs a third-party provisioning application to create a new user account. The application then passes the necessary information back to the CA SiteMinder® Federation Standalone system. The federation system uses the data to create a user credential.

The following figure shows how a remote provisioning setup can be configured.

[Figure: Provisioning set up at the relying party]

The high-level provisioning process is as follows:

  1. The Policy Server at the relying party receives a request for a resource along with an assertion. However, the user cannot be found in the user directory.
  2. With provisioning enabled, the Policy Server processes an active response containing assertion data and generates a cookie with the assertion data. Additionally, a cookie that keeps state is generated to indicate a provisioning request is in place.
  3. The browser is redirected to a provisioning application, carrying the assertion data in the open-format cookie or in headers.
  4. The provisioning application typically prompts the user to log in. After the user logs in, the application reads the cookie or the headers. The application uses the assertion data and the login credentials to establish a user account.

    The provisioning application can consume the open-format cookie using the CA SiteMinder® Federation Standalone Java or .NET SDK.

  5. The browser redirects the user back to the assertion consumer service at the relying party after an account has been provisioned. A cookie that maintains state information about provisioning is examined to verify that the user has been provisioned. A credential is created and passed to the authentication scheme.

    Note: The provisioning application must know the URI of the assertion consumer service at the relying party. For example, the SAML 2.0 URI for CA SiteMinder® as the relying party is https://sp_server:port/affwebservices/public/saml2assertionconsumer.

  6. The Policy Server attempts user disambiguation a second time. Assuming that provisioning is successful, the user is authenticated and cookies or headers are sent to the target application.

    The redirect mode that you select for the target application determines the data delivery method to the target application.

  7. The user is redirected to the target resource.
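The provisioning application's side of steps 4 and 5 above, as an added illustration that is not code from CA SiteMinder or its SDK: the state-cookie name, the header layout for the assertion data, the in-memory account store and the login handling are all assumptions, and the assertion consumer service URI is fixed configuration rather than anything read from the request.

```python
# Added illustration of the provisioning application's part of the remote
# provisioning flow (steps 4 and 5). Not the CA SiteMinder SDK and not product
# code; cookie/header names, store and login handling are hypothetical.
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: the relying party's ACS URI is configured, never taken from the request.
ACS_URI = "https://sp_server:port/affwebservices/public/saml2assertionconsumer"
STATE_COOKIE = "PROVISIONING_STATE"        # hypothetical state-cookie name
ASSERTION_HEADER_PREFIX = "X-ASSERTION-"   # hypothetical header prefix

@dataclass
class Request:
    cookies: Dict[str, str]
    headers: Dict[str, str]
    login_user: Optional[str]  # identity from the application's own login step

@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""

accounts: Dict[str, Dict[str, str]] = {}  # stand-in for the relying party's user store

def assertion_attributes(headers: Dict[str, str]) -> Dict[str, str]:
    """Collect the assertion data delivered in headers (hypothetical layout)."""
    return {k[len(ASSERTION_HEADER_PREFIX):].lower(): v
            for k, v in headers.items()
            if k.upper().startswith(ASSERTION_HEADER_PREFIX)}

def provision(req: Request) -> Response:
    # Step 4: act only when the Policy Server marked this as a provisioning request.
    if req.cookies.get(STATE_COOKIE) is None:
        return Response(400, body="no provisioning request in progress")
    if req.login_user is None:
        return Response(302, location="/login")  # the application's own login page
    attrs = assertion_attributes(req.headers)
    if "nameid" not in attrs:
        return Response(400, body="assertion data missing NameID")
    # Bind the federated identity to the account the user just authenticated to.
    accounts[attrs["nameid"]] = {"login": req.login_user, **attrs}
    # Step 5: send the browser back to the relying party's assertion consumer service.
    return Response(302, location=ACS_URI)
```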