

Delegated Authentication Overview

When you configure single sign-on for a federation partnership, one of your configuration decisions is determining how users are authenticated.

CA SiteMinder® Federation Standalone offers two authentication choices:

Local authentication. CA SiteMinder® Federation Standalone can perform local authentication; however, Basic and HTML forms are the only available authentication schemes.

Delegated authentication. Delegated authentication lets CA SiteMinder® Federation Standalone use a third-party web access management (WAM) system to authenticate any user who requests a protected federated resource. The third-party WAM system performs the authentication and then forwards the federated user identity to CA SiteMinder® Federation Standalone. After CA SiteMinder® Federation Standalone receives the user identity information, it locates the user in its own user directory and starts the federation process with the relying party.

A delegated authentication request takes place at the asserting party, and it can be initiated at the third-party WAM system or at CA SiteMinder® Federation Standalone. An authentication request can also originate at the relying party; however, that initiation is not itself considered delegated authentication.

Authentication can be initiated as follows:

Authentication Initiated by CA SiteMinder® Federation Standalone at the Asserting Party

CA SiteMinder® Federation Standalone can initiate an authentication request at the asserting party. When the request for a protected federated resource is made to CA SiteMinder® Federation Standalone, it is recognized as a delegated authentication request, and CA SiteMinder® Federation Standalone redirects the user to the third-party WAM system.

Authentication Initiated by Direct Login to the WAM System at the Asserting Party

When a user logs in directly to the WAM system at the asserting party, an authentication request is initiated there. After the WAM system successfully authenticates the user, it forwards the identity information to CA SiteMinder® Federation Standalone.

Authentication Initiated at the Relying Party

The relying party can initiate an authentication request, but that initiation is not considered delegated authentication. Delegated authentication occurs only at the asserting party, once the request arrives there.

In this scenario, a request for a federated resource is made directly to the relying party, which then sends an AuthnRequest to CA SiteMinder® Federation Standalone at the asserting party. CA SiteMinder® Federation Standalone recognizes the incoming request as a delegated authentication request and redirects the user to the third-party WAM system at the asserting party. The user logs in to the WAM system, and after the WAM system successfully authenticates the user, it forwards the identity information to CA SiteMinder® Federation Standalone.

In every case, after the third-party WAM system has authenticated the user, it passes the user identity to CA SiteMinder® Federation Standalone. The method the WAM system uses to pass the user identity depends on whether the configured delegated authentication method is cookie-based or query string-based.
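The three initiation paths above, and the identity handoff that ends each of them, modeled as an added Python example. This is illustrative code, not CA SiteMinder® Federation Standalone or any WAM product's code: the URLs, the cookie name `WAM_ID`, the query-string parameter `wamid`, the user directory and the WAM credential store are all constructed, and the HMAC that binds the forwarded user id to the WAM is an assumed design so that the asserting party can refuse an identity that did not come from the trusted WAM. The product's real transport of the identity is not shown here.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode

# Constructed, illustrative values (assumptions, not the product's real names or settings).
WAM_SECRET = b"constructed-demo-secret"        # assumed secret shared by the WAM and the asserting party
IDENTITY_COOKIE = "WAM_ID"                     # assumed cookie name for cookie-based delegated authentication
IDENTITY_PARAM = "wamid"                       # assumed parameter name for query string-based delegated authentication
WAM_LOGIN_URL = "https://wam.asserting.example/login"
AP_DELEGATED_URL = "https://ap.asserting.example/delegated"
RP_TARGET = "https://rp.example/app"

USER_DIRECTORY = {"alice": "alice@asserting.example"}       # constructed asserting-party user directory
WAM_CREDENTIALS = {"alice": "correct horse", "mallory": "pw"}  # constructed WAM store; mallory is unknown to the AP


@dataclass
class Request:
    url: str
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def wam_token(user: str) -> str:
    """WAM side: user id plus an HMAC over it, so the asserting party can check where it came from."""
    mac = hmac.new(WAM_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token(token: str):
    """Asserting-party side: return the user id if the WAM minted the token, otherwise None."""
    user, _, mac = token.partition(":")
    expected = hmac.new(WAM_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if mac and hmac.compare_digest(mac, expected) else None


def wam_login(username: str, password: str, target: str, transport: str = "cookie") -> Request:
    """Third-party WAM authenticates the user, then forwards the identity to the asserting party."""
    if WAM_CREDENTIALS.get(username) != password:
        raise PermissionError("WAM authentication failed")
    token = wam_token(username)
    if transport == "cookie":
        return Request(AP_DELEGATED_URL, {"target": target}, {IDENTITY_COOKIE: token})
    return Request(AP_DELEGATED_URL, {"target": target, IDENTITY_PARAM: token})


def asserting_party(req: Request) -> dict:
    """Federation standalone at the asserting party: redirect to the WAM, or consume the forwarded identity."""
    token = req.cookies.get(IDENTITY_COOKIE) or req.query.get(IDENTITY_PARAM)
    if token is None:
        # No identity yet: this is a delegated authentication request, send the user to the WAM.
        target = req.query.get("target", req.url)
        return {"action": "redirect", "location": f"{WAM_LOGIN_URL}?{urlencode({'target': target})}"}
    user = verify_token(token)
    if user is None:
        return {"action": "reject", "reason": "identity not from trusted WAM"}
    if user not in USER_DIRECTORY:
        return {"action": "reject", "reason": "user not found in asserting-party directory"}
    # User located in the local directory: federation with the relying party can start.
    return {"action": "federate", "user": USER_DIRECTORY[user], "target": req.query.get("target")}


def follow_redirect_and_login(resp: dict, username: str, password: str, transport: str) -> dict:
    """Browser side: follow the asserting party's redirect, log in at the WAM, return the AP's decision."""
    if resp["action"] != "redirect":
        raise RuntimeError("expected a redirect to the WAM")
    target = parse_qs(resp["location"].split("?", 1)[1])["target"][0]
    return asserting_party(wam_login(username, password, target, transport))


def scenario_ap_initiated() -> dict:
    """Initiated at the asserting party: user asks the federation standalone for a federated resource."""
    first = asserting_party(Request(AP_DELEGATED_URL, {"target": RP_TARGET}))
    return follow_redirect_and_login(first, "alice", "correct horse", "cookie")


def scenario_direct_wam_login() -> dict:
    """Initiated by direct login to the WAM; identity forwarded on the query string."""
    return asserting_party(wam_login("alice", "correct horse", RP_TARGET, "query"))


def scenario_rp_initiated() -> dict:
    """Initiated at the relying party: its AuthnRequest reaches the AP, which treats it as delegated."""
    first = asserting_party(Request(AP_DELEGATED_URL, {"AuthnRequest": "constructed", "target": RP_TARGET}))
    return follow_redirect_and_login(first, "alice", "correct horse", "cookie")


def scenario_forged_identity() -> dict:
    """A cookie that names a valid user but was not minted by the WAM must be rejected."""
    return asserting_party(Request(AP_DELEGATED_URL, {"target": RP_TARGET}, {IDENTITY_COOKIE: "alice:0000"}))


def scenario_unknown_user() -> dict:
    """WAM login succeeds, but the AP cannot locate the user in its own directory."""
    return asserting_party(wam_login("mallory", "pw", RP_TARGET))
```

All three successful scenarios end in the same place: the asserting party has a WAM-issued identity, finds the user in its own directory, and returns a `federate` decision for the relying party's target. The two failure scenarios show the checks a practitioner would want at the handoff: an identity value that does not verify as the WAM's is refused before any directory lookup, and a WAM-authenticated user who is absent from the asserting party's directory cannot be federated.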