A third-party WAM system and CA SiteMinder® Federation Standalone at the asserting party communicate the login ID in a query string. The WAM system must add the following two attributes to the query string in the redirect URL:
LoginID: Specifies the value used to identify the user to the third-party WAM system.
LoginIDHash: A hash of the LoginID.
To generate the LoginIDHash value, the LoginID is prepended to a Hash Secret and the entire value is then run through a SHA-1 hashing algorithm. The Hash Secret is specified in the CA SiteMinder® Federation Standalone configuration at the asserting party.
When CA SiteMinder® Federation Standalone retrieves the credentials from the query string, it also combines these values and hashes them. If the hashes are equal, CA SiteMinder® Federation Standalone considers the login ID to be valid and continues with the federation request.
Important! The LoginID and LoginIDHash parameters are case sensitive.
The third-party WAM system must configure its federated application to construct a redirect URL that sends the user back to the CA SiteMinder® Federation Standalone Single Sign-on service. Therefore, the CA SiteMinder® Federation Standalone Administrator has to communicate the URL of the Single Sign-on service to the third party out of band.
Important! After the third-party WAM system receives an authentication request from CA SiteMinder® Federation Standalone, it must capture and resend any existing query string it receives as part of the incoming authentication request. If the incoming request carries CA SiteMinder® Federation Standalone request information in the query string, that information must be passed along unchanged.
The syntax of the query string is as follows:
?existing_query_string&LoginID=LoginID&LoginIDHash=hashed_LoginID
Example
https://johndoe3227.b.com/affwebservices/public/saml2sso?SPID=sp1&LoginID=user1&LoginIDHash=de164152ed6e8e9a7f760e47d135ecf0c98a3e4e&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
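The following Python is an added illustration of both halves of the exchange described above: the hash construction (LoginID prepended to the Hash Secret, then SHA-1, from the "To generate the LoginIDHash value" paragraph) and the query-string handling (existing parameters passed along unchanged, LoginID and LoginIDHash appended). It is not CA's code. The Hash Secret, the Single Sign-on service URL and the incoming request are constructed sample values, and the helper names (login_id_hash, verify_login_id, build_redirect_url, check_redirect) are this example's own.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed values for this example. In a real deployment the Hash Secret is
# taken from the Federation Standalone configuration at the asserting party and
# the SSO service URL is the one the administrator communicates out of band.
HASH_SECRET = "example-hash-secret"
SSO_SERVICE_URL = "https://johndoe3227.b.com/affwebservices/public/saml2sso"


def login_id_hash(login_id: str, hash_secret: str = HASH_SECRET) -> str:
    """LoginIDHash: SHA-1 over LoginID followed by the Hash Secret, as lowercase hex."""
    return hashlib.sha1((login_id + hash_secret).encode("utf-8")).hexdigest()


def verify_login_id(login_id: str, received_hash: str,
                    hash_secret: str = HASH_SECRET) -> bool:
    """Asserting-party check: recompute the hash and compare it in constant time.

    Both parameters are case sensitive, so "User1" never matches a hash of "user1".
    """
    expected = login_id_hash(login_id, hash_secret)
    return hmac.compare_digest(expected, received_hash)


def build_redirect_url(incoming_request_url: str, login_id: str,
                       hash_secret: str = HASH_SECRET) -> str:
    """WAM side: keep the incoming query string unchanged, then append LoginID/LoginIDHash."""
    existing = parse_qsl(urlsplit(incoming_request_url).query, keep_blank_values=True)
    params = existing + [
        ("LoginID", login_id),
        ("LoginIDHash", login_id_hash(login_id, hash_secret)),
    ]
    # safe=":" keeps URN-style values such as the SAML binding readable, as in the example.
    return SSO_SERVICE_URL + "?" + urlencode(params, safe=":")


def check_redirect(url: str, hash_secret: str = HASH_SECRET):
    """Asserting-party side: pull LoginID and LoginIDHash from the query string.

    Returns the validated LoginID, or None when either parameter is missing or the
    hash does not match (the federation request must not continue in that case).
    """
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    login_id = query.get("LoginID")
    received = query.get("LoginIDHash")
    if login_id is None or received is None:
        return None
    return login_id if verify_login_id(login_id, received, hash_secret) else None


if __name__ == "__main__":
    # Constructed incoming authentication request carrying Federation Standalone parameters.
    incoming = (SSO_SERVICE_URL
                + "?SPID=sp1&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact")
    redirect = build_redirect_url(incoming, "user1")
    print(redirect)
    print("validated LoginID:", check_redirect(redirect))
    print("tampered LoginID:", check_redirect(redirect.replace("LoginID=user1", "LoginID=other")))
```

The constant-time comparison and the "missing parameter means reject" path are the two places a hand-rolled check usually goes wrong; the rest follows the syntax line above exactly, with the existing query string emitted first and the two new parameters last.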
Copyright © 2013 CA. All rights reserved.