Configure a SAML 2.0 Service Provider

Service Provider Setup
CA Single Sign-On or the CA Access Gateway can act as a SAML 2.0 Service Provider. The Service Provider uses the assertions that it receives from an Identity Provider to authenticate users and then provides access to the requested federation resources. Assuming that the CA Single Sign-On Service Provider has access to a user store at its site, the Service Provider uses the CA Single Sign-On SAML 2.0 authentication scheme to authenticate users.
The SAML 2.0 authentication scheme enables cross-domain single sign-on. The Service Provider consumes an assertion from an Identity Provider, identifies the user, and establishes a CA Single Sign-On session. After a session is established, the Service Provider can authorize the user for specific resources.
The following illustration shows the major components for SAML 2.0 authentication at the Service Provider. A site can be both an Identity Provider and a Service Provider.
Graphic showing the major components required for SAML 2.0 authentication
The CA Access Gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions.
The SAML 2.0 authentication scheme is configured at the Policy Server that resides at the Service Provider site. The authentication scheme invokes the Assertion Consumer Service, a component of the Federation Web Services application that is installed on the Web Agent or CA Access Gateway at the Service Provider site. The service obtains information from the SAML authentication scheme, then uses that information to extract the necessary information from a SAML assertion.
The SAML assertion becomes the user credentials to log in to the Service Provider Policy Server. The user is authenticated and authorized, and if authorization is successful, the user is redirected to the target resource.
The Assertion Consumer Service accepts AuthnRequests that include an AssertionConsumerServiceIndex value of 0. All other values for this setting are denied.
SAML Authentication Request Process
The following illustration shows how the SAML 2.0 authentication scheme processes requests.
Graphic showing the SAML 2.0 Authentication Request Process Flow
The functional flow for authentication is as follows:
  1. A user makes a request for a Service Provider resource. This request goes to the AuthnRequest service at the Service Provider. The request is then redirected to the Identity Provider to obtain a SAML assertion.
  2. The Identity Provider returns a response to the Service Provider.
    For the HTTP-POST binding, the response contains the assertion. For the HTTP-Artifact binding, the response contains a SAML artifact.
  3. The Assertion Consumer Service at the Service Provider receives the response message and determines whether the POST or Artifact binding is being used.
    For the HTTP-Artifact binding, the Assertion Consumer Service sends the artifact to the Identity Provider to retrieve the assertion. The Identity Provider returns a response that contains the assertion. The Assertion Consumer Service passes the response that contains the assertion to the Policy Server as the user's credentials.
  4. The Policy Server invokes the SAML 2.0 authentication scheme by passing the response message with the user credentials to the scheme to be authenticated.
  5. The user disambiguation process begins.
  6. After the disambiguation phase is complete, the SAML 2.0 authentication scheme validates the credentials in the assertion. The scheme also validates the assertion for time validity and, if applicable, verifies that a trusted Identity Provider signed the assertion.
    For the POST binding, a signature is required because the assertion travels through the user's browser. If a signature is not present, authentication fails. For the Artifact binding, a signed assertion is optional because the Service Provider retrieves the assertion directly from the Identity Provider over a secure back-channel, so the browser never handles the assertion itself.
    If single logout is enabled, the SLO servlet redirects the user to a No Access URL.
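The checks that steps 3 and 6 describe (telling the POST and Artifact bindings apart, requiring a signature on the POST binding, validating the assertion's time window, and confirming that a trusted Identity Provider issued it), together with the AssertionConsumerServiceIndex rule noted above, as an added Python example. This is not CA Single Sign-On or Federation Web Services code: the entity IDs, the sample Response, the 30-second clock-skew tolerance and the treatment of a missing index attribute are assumptions, and cryptographic verification of the XML signature is left to an XML-DSig library rather than re-implemented here.

```python
"""Service-Provider-side policy checks on a SAML 2.0 Response (added example, not
CA Single Sign-On code). Entity IDs, the sample message and the clock-skew
tolerance are assumed. ds:Signature is only checked for presence; a real
Assertion Consumer Service must verify it cryptographically (e.g. with an
XML-DSig library such as signxml) before trusting any other field."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TRUSTED_IDPS = {"https://idp.example.com/saml2"}  # assumed partner entityID
SP_ENTITY_ID = "https://sp.example.com/saml2"      # assumed local entityID
CLOCK_SKEW = timedelta(seconds=30)                 # assumed tolerance
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample Response (not captured from a real Identity Provider).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
    {signature}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml2</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def sample_response(signed):
    """Return the constructed sample with or without a placeholder ds:Signature."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>') if signed else ""
    return SAMPLE.format(signature=sig)


def detect_binding(form):
    """Step 3: the ACS tells the bindings apart by which form field arrived."""
    if "SAMLart" in form:
        return "artifact"
    if "SAMLResponse" in form:
        return "post"
    raise ValueError("neither SAMLResponse nor SAMLart present")


def acs_index_ok(authn_request_xml):
    """Only AssertionConsumerServiceIndex="0" is accepted. A missing attribute is
    treated as acceptable here; that is an assumption, not stated on the page."""
    idx = ET.fromstring(authn_request_xml).get("AssertionConsumerServiceIndex")
    return idx is None or idx == "0"


def _t(s):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate_response(xml_text, binding, now=NOW):
    """Step 6 checks. Returns (True, NameID) on success or (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    a = root.find("saml:Assertion", NS)
    if a is None:
        return False, "no plaintext assertion (decrypt EncryptedAssertion first)"
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_IDPS:
        return False, f"untrusted issuer {issuer!r}"
    # A signature on the assertion or on the enclosing Response counts; POST requires one.
    signed = a.find("ds:Signature", NS) is not None or root.find("ds:Signature", NS) is not None
    if binding == "post" and not signed:
        return False, "POST binding requires a signed assertion"
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + CLOCK_SKEW < _t(nb):
        return False, "assertion not yet valid"
    if noa and now - CLOCK_SKEW >= _t(noa):
        return False, "assertion expired"
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if audiences and SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this Service Provider"
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        return False, "no NameID to disambiguate the user"
    return True, name_id
```

The NameID returned on success is what the disambiguation step (step 5) would use to look up the user in the Service Provider's user store. Note the asymmetry the page describes: the same unsigned assertion is rejected on the POST binding but accepted on the Artifact binding, because only the back-channel retrieval makes the missing signature tolerable.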
Prerequisites for a Relying Partner
For CA Single Sign-On to act as the relying partner, complete the following tasks:
  • Install the Policy Server.
  • Install one of the following components:
    • The Web Agent and the Web Agent Option Pack. The Web Agent authenticates users and establishes a session. The Option Pack provides the Federation Web Services application. Be sure to deploy the FWS application on the appropriate system in your network.
    • The CA Access Gateway, which has an embedded Web Agent and provides the Federation Web Services application on the embedded Tomcat web server.
    For more information, see the Web Agent Option Pack Guide.
  • Import the private keys and certificates that are required for the functions that verify signatures and encrypt or decrypt messages.
  • Set up an asserting partner within the federated network.
How to Configure a SAML 2.0 Authentication Scheme
Configuring a Service Provider requires the following tasks:
  1. Complete the SAML 2.0 authentication scheme prerequisites.
  2. Configure disambiguation to authenticate users.
Configure a SAML authentication scheme for each Identity Provider that is a federation partner and generates assertions. Bind each scheme to a realm. The realm consists of all the URLs of the target resources requested by users. Protect these resources with a policy.
Tips:
Optional Configuration Tasks for a Service Provider
The optional tasks for configuring CA Single Sign-On as a Service Provider are:
Navigating Legacy Federation Dialogs
The Administrative UI provides two ways to navigate to the legacy federation configuration dialogs:
  • Following a wizard to configure a new legacy federation object.
    When you create an object, a page displays with a configuration wizard. Follow the steps in the configuration wizard to create the object.
  • Selecting tabs to modify an existing legacy federation object.
    When you modify an existing object, a page displays with a series of tabs. Modify the configuration from these tabs. These tabs are the same as the steps in the configuration wizard.
Select the Authentication Scheme Type
The Service Provider uses the identity information in the assertion to authorize access to protected federated resources. A SAML authentication scheme is used for this process.
Before you can assign a SAML 2.0 authentication scheme to protect resources, configure the scheme.
Follow these steps:
  1. Review the SAML 2.0 Authentication Scheme Prerequisites.
  2. Log in to the Administrative UI.
  3. Navigate to Infrastructure, Authentication, Authentication Schemes.
    The Authentication Scheme page opens at the General settings.
  4. Name the authentication scheme.
  5. In the Authentication Scheme Type drop-down list, select SAML 2.0 Template. You can also select a protection level for this scheme.
    The contents of the Authentication Scheme dialog change to support the SAML 2.0 scheme.
  6. In the Scheme Setup section, click SAML 2.0 Configuration to define the details of the authentication scheme.
    If you are configuring the scheme for the first time, follow the configuration wizard to set up the authentication scheme.
Specify the General Information for the SAML 2.0 Auth Scheme
Identify the Service Provider and the Identity Provider in the General settings for the SAML 2.0 authentication scheme.
Follow these steps:
  1. From the main authentication scheme page, click SAML 2.0 Configuration.
    If you are modifying an existing scheme, click Modify then click SAML 2.0 Configuration.
    The detailed settings for the scheme display.
  2. In the General settings, complete the required fields.
  3. Move on to the User Disambiguation section.