CA Single Sign-On Configuration Properties
When creating or editing a CA Single Sign-On configuration, the CA Single Sign-On Configuration Properties dialog is displayed. This dialog is used to manage the CA Single Sign-On Agent configuration settings, to enable the API Gateway to communicate with a CA Single Sign-On Policy Server.
To minimize the number of calls to the Policy Server, the Gateway has several built-in caches for improved performance. The following caches can be configured in the "Cluster Settings" section of the configuration properties:
- Resource cache: Set the resourceCache.size and resourceCache.maxAge.
- Authentication cache: Set the authenticationCache.size and authenticationCache.maxAge.
- Authorization cache: Set the authorizationCache.size and authorizationCache.maxAge.
(1) Caching is enabled by default. The cache default settings are stored in the cluster properties under WS Management API do not support these caching properties. (3) If your environment has previous CA SiteMinder caching hotfixes applied, they will be superseded by the new caching mechanism.
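The three caches above are described only by their size and maxAge properties, so the following added example (not Gateway code; the names and defaults are taken from this page, the least-recently-used eviction and the clock handling are assumptions made for the example) models a cache with exactly those two knobs and shows the operational consequence a reviewer should keep in mind: a cached authorization decision keeps being honoured until maxAge expires, even if the Policy Server would now deny it, and a size of 0 disables caching entirely.

```python
import time
from collections import OrderedDict

# Defaults quoted from the cluster settings described on this page (maxAge in milliseconds).
DEFAULT_SETTINGS = {
    "resourceCache.size": 10, "resourceCache.maxAge": 300000,
    "authenticationCache.size": 10, "authenticationCache.maxAge": 3600000,
    "authorizationCache.size": 10, "authorizationCache.maxAge": 3600000,
}


class DecisionCache:
    """Bounded, time-limited cache shaped like the Gateway's <name>Cache.size / .maxAge pair.

    size == 0 means no caching (every lookup misses); max_age_ms is a lifetime in
    milliseconds.  Least-recently-used eviction is an assumption for this example.
    """

    def __init__(self, size, max_age_ms, clock=time.monotonic):
        self.size = size
        self.max_age = max_age_ms / 1000.0   # seconds, to match the clock
        self.clock = clock                   # injectable so tests can move time forward
        self._entries = OrderedDict()        # key -> (value, stored_at)

    def get(self, key):
        if self.size == 0:
            return None
        entry = self._entries.get(key)
        if entry is None:
            return None
        value, stored_at = entry
        if self.clock() - stored_at > self.max_age:
            del self._entries[key]           # expired: force a fresh Policy Server call
            return None
        self._entries.move_to_end(key)
        return value

    def put(self, key, value):
        if self.size == 0:
            return
        self._entries[key] = (value, self.clock())
        self._entries.move_to_end(key)
        while len(self._entries) > self.size:
            self._entries.popitem(last=False)  # drop the least recently used entry

    def flush(self):
        """Equivalent of closing the properties dialog with [OK]: everything is discarded."""
        self._entries.clear()

    def __len__(self):
        return len(self._entries)


def build_caches(settings):
    """Construct the resource/authentication/authorization caches from property values."""
    merged = {**DEFAULT_SETTINGS, **settings}
    return {
        name: DecisionCache(merged[f"{name}Cache.size"], merged[f"{name}Cache.maxAge"])
        for name in ("resource", "authentication", "authorization")
    }


def stale_window_demo():
    """Return (first, after_revocation, after_expiry) authorization answers for one principal.

    Uses the page's default authorizationCache.maxAge of one hour and a fake clock.
    """
    now = [0.0]
    cache = DecisionCache(size=10, max_age_ms=3600000, clock=lambda: now[0])
    policy_server = {"alice:/api/admin": True}      # constructed stand-in for the Policy Server

    def is_authorized(principal, resource):
        key = f"{principal}:{resource}"
        cached = cache.get(key)
        if cached is not None:
            return cached
        decision = policy_server.get(key, False)
        cache.put(key, decision)
        return decision

    first = is_authorized("alice", "/api/admin")    # miss: asks the Policy Server, caches True
    policy_server["alice:/api/admin"] = False       # access revoked on the Policy Server
    now[0] += 1800                                  # 30 minutes later
    after_revocation = is_authorized("alice", "/api/admin")  # hit: still the cached True
    now[0] += 1801                                  # now past maxAge
    after_expiry = is_authorized("alice", "/api/admin")      # miss: fresh False
    return first, after_revocation, after_expiry
```

The stale window is the trade-off the maxAge values encode: a smaller authorizationCache.maxAge shortens the time a revoked user keeps access at the cost of more Policy Server calls, and setting the size to 0 removes the window entirely.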
To access the properties for a CA Single Sign-On configuration:
- Run the Manage CA Single Sign-On Configurations task.
- Add or edit a CA Single Sign-On configuration. The CA Single Sign-On Configuration Properties appear.
- When adding a new CA Single Sign-On configuration, it is recommended that you click [Register] and complete the parameters in the CA Single Sign-On Registration Properties. Registration populates most of the Agent Configuration fields for you. If you do not use the Register button, you can manually enter the Agent Configuration, including the shared secret. When editing an existing CA Single Sign-On configuration, using [Register] will re-register the CA Single Sign-On Agent with the Policy Server. This may invalidate previous registrations, so use this option carefully. A safe alternative is to manually edit the fields in the CA Single Sign-On Configuration Properties. Complete the fields in the dialog box as shown below. All fields are required.
  - Address: Enter the address of the CA Single Sign-On Policy Service, either as an IP address or hostname.
  - Host Name: Enter the name of the registered host. This can be the API Gateway name or any other symbolic name used to distinguish the host.
  - Host Configuration: Enter the CA Single Sign-On Policy Server host configuration used by the agent.
  - FIPS Mode: Choose the FIPS mode supported by the CA Single Sign-On Policy Server. The available values are: COMPAT (default), MIGRATE, ONLY.
  - User Name: Enter the user name of the CA Single Sign-On administrator.
  - Password: Choose the stored password to use from the drop-down list. Only stored passwords may be specified here; you cannot type in a password. To define a stored password, click [Manage Passwords]. For more information, see Manage Stored Passwords.
- Click [OK] to register the trusted host once all the required fields are filled. Upon successful registration, the agent configuration and server settings are populated in the CA Single Sign-On Configuration Properties dialog.
- Enter or modify the remaining CA Single Sign-On properties as follows:
  - Configuration Name: Specify the CA Single Sign-On configuration name. This name will be used in the Check Protected Resource Against CA Single Sign-On assertion. This field is required.
  - Register: Click this button to enter or update the CA Single Sign-On registration parameters.
  - Agent Configuration:
    - Secret: This is the CA Single Sign-On shared secret used by the agent to establish communication with the Policy Server. This secret can be generated by clicking [Register] or you can paste it from another source. This field is required. The shared secret cannot be copied, and it is neither exported during a policy export nor imported during a policy import.
    - Address: Enter the IP address of the CA Single Sign-On agent. This field is required if the Check IP check box is selected; otherwise it may be left blank. This address is used only when the client application does not supply the IP address.
    - Check IP: Select this check box to have the CA Single Sign-On Policy Server compare the client IP against the address stored in the CA Single Sign-On SSO Token. If they do not match, an error is recorded and the assertion(s) will be considered "falsified." The CA Single Sign-On Policy Server may be configured to restrict certain IP addresses; this is enforced only if Check IP is enabled. Clear this check box to not check the client IP address against the SSO Token. Requests from a different IP address (but with a valid SSO Token) will then result in successful authentication/authorization.
    - Host Name: Enter the name of the host registered with the CA Single Sign-On Policy Server (for example, the name of the API Gateway). This field is required.
    - FIPS Mode: Choose the FIPS mode supported by the CA Single Sign-On Policy Server. The available values are: COMPAT (default), MIGRATE, ONLY. If the Policy Server does not support FIPS mode (for example, CA Single Sign-On Policy Server version 6), choose COMPAT. This field is required.
    - Cluster Threshold: Specify the percentage of servers within a cluster that must be available for Policy Server requests. When the number of available servers in a cluster falls below this percentage, failover to the next cluster occurs. This field is required. Example: If the failover percentage is "60" and a cluster has five servers, failover occurs when the number of available servers in the cluster falls below three.
    - Enable Failover: Select this check box to enable failover. In this mode, CA Single Sign-On continually uses one server until it becomes unavailable, at which time it switches to another server. Clear this check box to enable round-robin. In this mode, CA Single Sign-On dynamically distributes requests across all the servers based on the performance capabilities of each server. This setting is meaningful only if the Policy Server has more than one node.
    - Update SSO Token: Select this check box to update the SSO Token after successful authentication/authorization (provided that the "Use SSO Token from Context Variable" option was selected in the assertions). Clear this check box to not update the SSO Token after authentication/authorization.
  - Cluster Settings: In this section, you define the additional settings required in order to connect a client application to the Policy Server. You will need to define at least one set of properties. The following cluster settings are available. Note: The "<prefix>" is "server.x.y", where "x" represents the cluster sequence (since there can be more than one cluster) and "y" represents the server sequence in the cluster.
    - <prefix>.accounting.port: Server accounting port
    - <prefix>.address: Server IP address; required
    - <prefix>.authentication.port: Server authentication port
    - <prefix>.authorization.port: Server authorization port (Tip: Ports 44441 - 44443 are accepted, even when the actual authorization port number is 44443); required
    - <prefix>.connection.max: Maximum number of connections
    - <prefix>.connection.min: Number of initial connections
    - <prefix>.connection.step: Number of connections to allocate when out of connections
    - <prefix>.timeout: Connection timeout (in seconds)
    - authenticationCache.maxAge: Maximum age of entries in the Authentication Cache; default is 3600000 (milliseconds).
    - authenticationCache.size: Number of entries to cache in the Authentication Cache; default is 10, while 0 (zero) indicates no caching.
    - authorizationCache.maxAge: Maximum age of entries in the Authorization Cache; default is 3600000 (milliseconds).
    - authorizationCache.size: Number of entries to cache in the Authorization Cache; default is 10, while 0 (zero) indicates no caching.
    - resourceCache.maxAge: Maximum age of entries in the Resource Cache; default is 300000 (milliseconds).
    - resourceCache.size: Number of entries to cache in the Resource Cache; default is 10, while 0 (zero) indicates no caching.

    To add a cluster setting:
    - Click [Add].
    - Enter the Name and Value of the setting.
    - Click [OK].

    To modify a cluster setting:
    - Select the setting to edit.
    - Click [Edit].
    - Modify the Name or Value as necessary.
    - Click [OK].

    To remove a cluster setting:
    - Select the setting.
    - Click [Remove].
    - Click [Remove] to confirm.
  - Disable: Select this check box to disable the CA Single Sign-On configuration. This will make the configuration unavailable for use, while preserving all settings. Clear this check box to re-enable the configuration.
  - Security Zone: Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone". For more information about security zones, see Understanding Security Zones. This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).
  - Test: Click this button to test the CA Single Sign-On configuration. You will see a "Validation passed" message if the configuration is correct.
- Click [OK] when done. The caches are flushed each time you click [OK] to close the properties dialog, regardless of whether there are any changes to save. If you wish to close the dialog box without flushing the caches, click [Cancel] instead.
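The Check IP and Address settings in the Agent Configuration above describe a decision rule in prose. The following added example (not Gateway code; the token layout, the sample addresses and the function names are constructed for illustration) encodes that rule so the effect of each setting can be seen side by side: with Check IP selected a token presented from an address other than the one stored in it is "falsified", the configured agent Address is used only when the client supplies no IP, and with Check IP cleared the same token is accepted from any address.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AgentConfig:
    address: str      # "Address" field: used only when the client supplies no IP
    check_ip: bool    # "Check IP" check box


@dataclass(frozen=True)
class SsoToken:
    """Constructed stand-in for the SSO Token; only the fields the rule needs."""
    principal: str
    client_ip: str    # the client address the Policy Server stored in the token
    valid: bool = True


def effective_client_ip(cfg: AgentConfig, client_supplied_ip: Optional[str]) -> str:
    """Fall back to the agent Address only when the client application supplied none."""
    return client_supplied_ip if client_supplied_ip else cfg.address


def evaluate(cfg: AgentConfig, token: SsoToken,
             client_supplied_ip: Optional[str]) -> Tuple[str, str]:
    """Return ("ok" | "falsified", reason) for one SSO Token check."""
    if not token.valid:
        return "falsified", "token invalid"
    if cfg.check_ip:
        ip = effective_client_ip(cfg, client_supplied_ip)
        if ip != token.client_ip:
            # Mismatch is recorded as an error and the assertion is falsified.
            return "falsified", f"client ip {ip} does not match token ip {token.client_ip}"
    return "ok", "token accepted"


def demo() -> dict:
    """Outcomes for one constructed token under the two Check IP settings."""
    token = SsoToken(principal="alice", client_ip="203.0.113.10")   # sample, documentation range
    strict = AgentConfig(address="10.0.0.5", check_ip=True)
    lax = AgentConfig(address="10.0.0.5", check_ip=False)
    return {
        "same_ip_strict": evaluate(strict, token, "203.0.113.10")[0],
        "other_ip_strict": evaluate(strict, token, "198.51.100.7")[0],
        "other_ip_lax": evaluate(lax, token, "198.51.100.7")[0],
        "no_client_ip_strict": evaluate(strict, token, None)[0],  # agent Address is compared instead
    }
```

The last case is the one to watch when filling in the Address field: if the client application does not forward the caller's IP, the comparison is made against the agent's own address, so a token issued to a real client will not match unless the Policy Server stored that same address in it.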
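The cluster settings are entered one name/value pair at a time, which makes it easy to end up with a server that lacks a required key or a cluster whose threshold can never be met. The following added example (not Gateway code; the property names and defaults come from this page, while the parsing, validation and cluster-selection functions and the sample values are constructed for illustration) groups the flat "server.x.y.<key>" names into clusters, checks the keys the page marks as required, and applies the Cluster Threshold rule, including the page's own worked case of 60 percent of five servers. It assumes clusters fail over in sequence order, as "failover to the next cluster" suggests.

```python
import re
from collections import defaultdict

PREFIX_RE = re.compile(r"^server\.(\d+)\.(\d+)\.(.+)$")   # server.<cluster>.<server>.<key>
REQUIRED_KEYS = ("address", "authorization.port")           # marked "required" on this page
PORT_KEYS = ("accounting.port", "authentication.port", "authorization.port")


def parse_cluster_settings(settings):
    """Group flat properties into {cluster: {server: {key: value}}}; other names are ignored."""
    clusters = defaultdict(dict)
    for name, value in settings.items():
        m = PREFIX_RE.match(name)
        if not m:
            continue   # cache properties and anything else are not server entries
        cluster, server, key = int(m.group(1)), int(m.group(2)), m.group(3)
        clusters[cluster].setdefault(server, {})[key] = value
    return dict(clusters)


def validate(clusters):
    """Return a list of problems; an empty list means the settings look consistent."""
    problems = []
    if not clusters:
        problems.append("at least one server (server.1.1.*) must be defined")
    for c, servers in sorted(clusters.items()):
        for s, props in sorted(servers.items()):
            for key in REQUIRED_KEYS:
                if key not in props:
                    problems.append(f"server.{c}.{s}.{key} is required")
            for key in PORT_KEYS:
                if key in props and not (props[key].isdigit() and 1 <= int(props[key]) <= 65535):
                    problems.append(f"server.{c}.{s}.{key}: invalid port {props[key]!r}")
            mn, mx = props.get("connection.min"), props.get("connection.max")
            if mn is not None and mx is not None and int(mn) > int(mx):
                problems.append(f"server.{c}.{s}: connection.min exceeds connection.max")
    return problems


def needs_failover(threshold_percent, servers_in_cluster, servers_available):
    """Cluster Threshold rule: fail over when the available share falls below the percentage."""
    if servers_in_cluster == 0:
        return True
    # Integer comparison avoids rounding: 3 of 5 at 60% is exactly the threshold, so no failover.
    return servers_available * 100 < threshold_percent * servers_in_cluster


def select_cluster(clusters, availability, threshold_percent):
    """Return the first cluster (by sequence) that meets the threshold, or None if none does."""
    for c in sorted(clusters):
        total = len(clusters[c])
        up = sum(1 for s in clusters[c] if availability.get((c, s), False))
        if not needs_failover(threshold_percent, total, up):
            return c
    return None


# Constructed sample values; not taken from any real deployment.
SAMPLE = {
    "server.1.1.address": "10.0.0.11", "server.1.1.authorization.port": "44443",
    "server.1.1.authentication.port": "44442", "server.1.1.accounting.port": "44441",
    "server.1.2.address": "10.0.0.12", "server.1.2.authorization.port": "44443",
    "server.2.1.address": "10.0.1.11", "server.2.1.authorization.port": "44443",
    "server.2.1.connection.min": "2", "server.2.1.connection.max": "8",
    "authorizationCache.maxAge": "3600000",
}
```

Run validate() on the parsed settings before clicking [Test]: it reports the missing address or authorization port that the dialog's own "Validation passed" check would otherwise only reveal after a round trip to the Policy Server.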