Partnership Federation

Federated partnerships enable identity information to be flexible and portable. Partnership federation offers secure single sign-on and single logout across a network of trusted business partners.
Product and Configuration Overview
CA Single Sign-On partnership federation lets customers establish federated partnerships in a flexible way, together with or independent of a web access management system. Partnership federation offers an easy-to-deploy solution for standards-based federation. Using partnership federation, an organization can act as the asserting party or the relying party. The asserting party provides user authentication and assertion of identity. The relying party consumes a user identity to allow access to web resources and services.
Partnership federation supports the following profiles:
  • SAML 1.1
  • SAML 2.0
  • WS-Federation
The following flow chart highlights the general process for configuring partnership federation.
Figure: partnership federation configuration flow
Programmerless Federation
Programmerless federation is an HTTP-based approach for allowing the secure authentication, user disambiguation, inspection, and modification of SAML assertions. The advantage of programmerless federation is that applications can accomplish these tasks without having to use a language-specific SDK or other bindings.
Programmerless federation relies on HTTP/HTTPS requests and responses. These requests and responses are accessible through URLs and HTML-based protocols using web services that are an implementation of Representational State Transfer (REST) system architecture.
Any application can issue HTTP requests, read HTTP responses, and can parse XML to take advantage of the programmerless functionality.
An essential part of programmerless federation is its ability to secure the exchange of data. To secure data, federation uses an open-format cookie. The open-format cookie is a well-defined cookie format that supports strong encryption algorithms. The encrypted cookie secures the response between the federation entity and the local or remote applications. This cookie can be written in any programming language that supports the same encryption and decryption algorithms that are supported by the open-format cookie, such as Perl or Ruby.
The following partnership federation features implement programmerless federation:
  • Delegated Authentication
    Delegated authentication lets the asserting party use a third-party web access management (WAM) system to perform the authentication of any user who requests a protected federated resource. The third-party WAM performs the authentication and then sends the federated user identity back to the asserting party.
    HTTP/HTTPS requests and responses facilitate communication for provisioning.
  • Provisioning at the Relying Party
    Provisioning is the process of creating client accounts with the necessary account rights and access privileges for accessing data and applications. Partnership federation provisioning can establish a new account for a user, or can populate an existing user account with information sent in a SAML assertion.
    Remote provisioning is one of the provisioning methods. Remote provisioning uses an independent provisioning application to establish a user record. To pass assertion data, federation creates an encrypted cookie containing the data. This cookie is sent to the remote provisioning application, which is responsible for creating the user account.
    HTTP/HTTPS requests and responses facilitate communication for provisioning.
Intended Audience
This page assumes that you understand the following concepts:
  • Basic SAML and WS-Federation fundamentals
  • Federation bindings
  • Federated profiles, such as Single Sign-on (SSO), Single logout (SLO), and Single Sign Out
  • Public Key Infrastructure (PKI) fundamentals
  • Secure Socket Layer communication basics
Terminology Used for Federation Content
In addition to standard federated SAML and WS-Federation binding and profile terminology, the following terms are used:
  • Partner Entity Terms
    This guide uses the terms asserting party and relying party to name the sides of a federated partnership.
    Asserting party: the party that generates assertions. The asserting party can be any of the following entities:
    • SAML 1.x producer
    • SAML 2.0 Identity Provider (IdP)
    • WS-Federation Identity Provider (IP)
    Relying party: the party that consumes assertions for authentication purposes. The relying party can be any of the following entities:
    • SAML 1.x consumer
    • SAML 2.0 Service Provider (SP)
    • WS-Federation Resource Partner (RP)
    A site can act as both an asserting party (producer/IdP/IP) and a relying party (consumer/SP/RP).
  • Open Format Cookie
    A cookie that contains user identity information. The open-format cookie can be encrypted using FIPS or non-FIPS compatible algorithms, depending on how you generate it. You can create an open-format cookie using a CA Single Sign-On Federation SDK or you can create it manually using any programming language that supports UTF-8 encoding.
    If you require a FIPS-encrypted open-format cookie, use an SDK to create the cookie and to read the cookie. The CA Single Sign-On Federation Java SDK can encrypt the cookie using a FIPS-compliant (AES) algorithm or a non-FIPS (PBE) algorithm. The CA Single Sign-On Federation .NET SDK can encrypt the cookie using only a FIPS-compatible algorithm.
  • Unified Expression Language
    The Unified Expression Language (UEL) is a special Java expression syntax primarily for Java web applications. You can use the UEL for embedding expressions into web pages. For partnership federation, the UEL is the language you must use to define mappings between assertion attributes and application attributes at the relying party.
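As an added illustration of the open-format cookie idea described in the Programmerless Federation section and in the Open Format Cookie entry above (example code written for this page, not the CA Single Sign-On Federation SDK or its actual cookie layout): a Go writer and reader for an encrypted identity cookie that any language with the same algorithm could also produce or consume. The JSON field layout, the choice of AES-GCM and the shared 32-byte key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
)
// Identity is a constructed field layout for this example, not CA's open-format layout.
type Identity struct {
	LoginID string            `json:"loginId"`
	Attrs   map[string]string `json:"attrs,omitempty"` // attributes taken from the assertion
}
// aead builds AES-GCM (FIPS-approved AES in an authenticated mode) from the shared key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// SealCookie serialises the identity as UTF-8 JSON and encrypts it; the cookie value is
// URL-safe base64 of nonce || ciphertext || tag, readable by any language with AES-GCM.
func SealCookie(key []byte, id Identity) (string, error) {
	plaintext, err := json.Marshal(id)
	if err != nil { return "", err }
	gcm, err := aead(key)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every cookie
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return "", err }
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}
// OpenCookie reverses SealCookie; a tampered, truncated or wrong-key cookie fails the tag check.
func OpenCookie(key []byte, cookie string) (Identity, error) {
	var id Identity
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil { return id, err }
	gcm, err := aead(key)
	if err != nil || len(raw) < gcm.NonceSize() { return id, fmt.Errorf("malformed cookie") }
	plaintext, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil { return id, fmt.Errorf("cookie rejected: %w", err) }
	return id, json.Unmarshal(plaintext, &id)
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; real deployments provision a secret
	c, _ := SealCookie(key, Identity{LoginID: "jdoe", Attrs: map[string]string{"email": "jdoe@example.com"}})
	fmt.Println(OpenCookie(key, c))
}
```

Because GCM authenticates the ciphertext, the consuming application learns of any modification or key mismatch before it ever sees an identity, which is the property the encrypted open-format cookie is relied on for between the federation entity and the remote application.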
Navigating the Partnership Federation Dialogs
The Administrative UI provides configuration wizards to create and modify partnership federation objects. Follow the steps in the configuration wizard to navigate through the configuration steps for an object.