Previous Topic: Cookie Method for Passing User IdentityNext Topic: Third-party WAM Configuration for Cookie Delegated Authentication

CA SiteMinder® Federation Standalone GuideDelegated AuthenticationHow the Third Party WAM Passes the User IdentityQuery String Method for Passing User Identity

Query String Method for Passing User Identity

A third-party WAM system can pass a user identity to CA SiteMinder® Federation Standalone by appending a query string on the redirect URL that sends the user from the WAM system to CA SiteMinder® Federation Standalone. For this method to work, the third-party WAM system has to configure a URL that redirects federated users to CA SiteMinder® Federation Standalone after they are authenticated.

Important! Do not use the query string method in a production environment. The query string redirection method is only for a testing environment as a proof of concept.

Notes:

If authentication is initiated at the WAM system, the transaction flow for delegated authentication using a query string is as follows:

  1. The third-party WAM system receives an authentication request.
  2. The user is authenticated.
  3. The third-party WAM system constructs a redirect URL and adds the login ID and hashed login ID values to the query string in the format LoginID=LoginID&LoginIDHash=hashed_LoginID.

    Important! The LoginID and LoginIDHash parameters are case sensitive. Be sure to include them in the redirect URL as shown in the example.

    The hashing mechanism allows CA SiteMinder® Federation Standalone to verify that the user ID has been received unchanged.

    Example of a Redirect URL

    http://idp1.example.com:9090/affwebservices/public/saml2sso?SPID=FmSP&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&LoginID=jdoe&LoginIDHash=454d3bd5cb839168eeffcf060ae0b9c28ed6eec0

  4. The WAM system redirects the browser to CA SiteMinder® Federation Standalone.
  5. CA SiteMinder® Federation Standalone extracts the login ID and hashed login ID from the URL, validates the identifier using the hashed value, and locates the user in its user directory.
  6. CA SiteMinder® Federation Standalone creates a user session.
  7. After the session is created, federated communication with the relying party proceeds.

The following graphic illustrates the query string method when authentication is initiated at the asserting party.

Graphic showing the delegated authentication query string method

Delegated Authentication Configuration

Delegated authentication is configured at the asserting party, where an assertion is generated based on an authenticated user identity.

To configure delegated authentication

  1. Determine which method (cookie or query string) the third-party WAM uses to pass the user identity.

    Note: The query string does not produce a FIPS-compliant partnership.

  2. Go to the appropriate step in the partnership wizard to set up delegated authentication.

Important! To use the SDK-created open-format cookie, the third party must install a CA SiteMinder® Federation Standalone SDK. The SDK is a separately installed component. The installation kit contains the documentation that describes how to use the SDK for delegated authentication.

More information

Deployment Settings

Cookie Delegated Authentication Sample Setup

The following sample configuration is from the perspective of a SAML 2.0 IdP > SP partnership. The delegated authentication settings are on the SSO and SLO step of the partnership wizard.

This sample configuration reflects a SAML 2.0 configuration. The Identity Provider is http://idp1.xyz.com and the third-party WAM system is http://wamservice.xyz.com.

To configure cookie delegated authentication

  1. Create a partnership or edit an existing one.

    Note: To edit a partnership, deactivate it first.

  2. Navigate to the SSO and SLO step in the Partnership wizard.
  3. In the Authentication section, set the fields as follows:
    Authentication Mode

    Delegated

    Delegated Authentication Type

    Open format cookie

    For use with a web access management application. You can use a CA SiteMinder® Federation Standalone SDK to create a Java or .NET application. Alternatively, you can use an application written in another language, provided you build the open-format cookie manually.

    If you require FIPS 140-2 encryption, create the open-format cookie using the CA SiteMinder® Federation Standalone Java or .NET SDK.

    Delegated Authentication URL

    http://wamservice.xyz.com

    The URL of the third-party WAM system that authenticates users and uses a CA SiteMinder® Federation Standalone SDK to create the cookie.

    Authentication Class

    Enter the authentication method that is used at the third party. For example:

    urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

  4. Communicate all the open-format cookie settings to the third-party WAM system.

    CA SiteMinder® uses these values in the creation of the cookie.

  5. Continue with partnership configuration.

Query String Delegated Authentication Sample Setup

The following sample configuration is from the perspective of a SAML 2.0 IdP > SP partnership. The delegated authentication settings are on the SSO and SLO step of the partnership wizard.

Note: The query string method does not produce a FIPS-compliant partnership.

This sample configuration reflects a SAML 2.0 configuration. The Identity Provider is http://idp1.xyz.com and the third-party WAM system is http://wamservice.xyz.com.

Important! Do not use the query string method in a production environment. The query string redirection method is only for a testing environment as a proof of concept.

To configure query string delegated authentication

  1. Create a partnership or edit an existing one.

    Note: To edit a partnership, deactivate it first.

  2. Navigate to the appropriate step in the partnership wizard.
  3. In the Authentication section, set the fields as follows:
    Authentication Mode

    Delegated

    Delegated Authentication Type

    Query String

    Delegated Authentication URL

    http://wamservice.xyz.com

    The URL of the third-party WAM system that authenticates users and constructs the redirect URL back to CA SiteMinder® with the query parameters.

    Hash Secret

    FederatedAuth1

    The third-party WAM system uses this secret to hash the login ID.

    Confirm Hash Secret

    FederatedAuth1

    Authentication Class

    Enter the authentication method that is used at the third party. For example:

    urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

  4. Continue with partnership configuration.