WS-Federation Entity Configuration

Most of the following settings are common to local and remote WS-Federation entities.
  • Entity ID
    Identifies the federation entity to a partner. The Entity ID is a universal identifier like a domain name. If the Entity ID represents a remote partner, this value must be unique. If the Entity ID represents a local partner, it can be reused on the same system. For example, if the Entity ID represents a local asserting party, this same ID can be used in more than one partnership.
    An Entity ID that represents a remote partner can only belong to a single active partnership.
    Value: URI (URL recommended)
    Note the following guidelines:
    • The entity ID must be a URI, but an absolute URL is recommended.
    • If the entity ID is a URL:
      • The host part of the URL must be a name rooted in the primary DNS domain of the organization.
      • The URL must not contain a port number, a query string, or a fragment identifier.
    • Do not use the ampersand (&) in the Entity ID because it is recognized as the separator between query parameters.
    • Do not specify a URN.
    • The entity ID for a remote partner must be globally unique to avoid name collisions within and across the federation.
    Examples of Valid Entity IDs
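The following is an added example (not CA Single Sign-On code, and not the product's own list of example IDs): a checker that applies the Entity ID guidelines above to a candidate value before it is entered in the Administrative UI. The primary DNS domain "example.com" and the sample IDs are constructed for the example; pass the owning organization's domain when checking a partner's ID.

```python
# Added example (not CA Single Sign-On code): checks a candidate Entity ID
# against the guidelines listed on this page. The primary DNS domain is an
# assumed value; substitute the organization's real domain.
from urllib.parse import urlsplit

PRIMARY_DOMAIN = "example.com"  # assumption: the organization's primary DNS domain


def check_entity_id(entity_id: str, primary_domain: str = PRIMARY_DOMAIN) -> list[str]:
    """Return the guideline violations found; an empty list means the ID is acceptable."""
    problems = []
    if "&" in entity_id:
        problems.append("contains an ampersand, which is read as a query-parameter separator")
    parts = urlsplit(entity_id)
    scheme = parts.scheme.lower()
    if not scheme:
        problems.append("not an absolute URI (no scheme)")
        return problems
    if scheme == "urn":
        problems.append("URNs are not permitted")
        return problems
    if scheme not in ("http", "https"):
        problems.append("an absolute http(s) URL is recommended")
        return problems
    host = parts.hostname or ""
    if not host:
        problems.append("URL has no host")
    elif not (host == primary_domain or host.endswith("." + primary_domain)):
        problems.append(f"host {host!r} is not rooted in {primary_domain!r}")
    try:
        port = parts.port
    except ValueError:
        port = -1  # a non-numeric port is still a port component; flag it
    if port is not None:
        problems.append("URL contains a port number")
    if parts.query:
        problems.append("URL contains a query string")
    if parts.fragment:
        problems.append("URL contains a fragment identifier")
    return problems
```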
  • Entity Name
    Names the entity object in the policy store. The Entity Name must be a unique value. CA Single Sign-On uses the Entity Name internally to distinguish an entity at a particular site. This value is not used externally, and the remote partner is not aware of it.
    The Entity Name can be the same value as the Entity ID, but the value is not shared with any other entity at the site.
    Value: An alphanumeric string
    Example: Partner1
  • Description
    Specifies additional information to describe the entity.
    Value: An alphanumeric string up to 1024 characters
  • Base URL
    Specifies the base location of the server that is visible to the intended users of the federation. This server is typically where CA Single Sign-On is installed. The server can also be the URL of the server that hosts federation services. The base URL enables CA Single Sign-On to generate relative URLs in other parts of the configuration, making configuration more efficient.
    You can edit the Base URL. For example, you might configure virtual hosts for the CA Single Sign-On system. One virtual host handles the Administrative UI communication. The other virtual host handles the user traffic that the embedded Apache Web Server processes. In this case, you can edit the Base URL to point only to the server and HTTP port of the Apache Web Server.
    Value: valid URL
    Note the following important guidelines for modifying this field:
    • If you modify the base URL, do not put a forward slash at the end of the base URL. A final slash results in two slashes being appended to other URLs that use this base URL.
    • For failover support, the value of this field is the host name and port of the system managing failover to the other systems. This system can be a load balancer or proxy server.
  • Disambiguation ID (local IP and RP entities)
    Set this ID only when there are multiple partnerships between the same IP and RP. The disambiguation ID is useful when multiple business units in an organization have their own relationship with a remote partner, but each unit relies on a shared federation infrastructure.
    You cannot have multiple partnerships with the same IP or RP ID. If a remote partner uses a single RP ID, CA Single Sign-On must be able to distinguish single sign-on requests. The disambiguation ID enables the system to differentiate partnerships with a unique logical path suffix for the federation service URLs, such as the SSO service.
    For example, the sales and finance divisions want partnerships with ForwardInc.com. Both partnerships use the same RP ID for ForwardInc.com. For the local entity in each partnership, add a disambiguation ID of "sales" and "finance" respectively.
    Example SSO URL:
    http://server:port/affwebservices/public/wsfeddispatcher?RPID=http://forwardinc.com
    becomes the following URLs in two different partnerships:
    http://server:port/affwebservices/public/wsfeddispatcher/sales?RPID=http://forwardinc.com
    http://server:port/affwebservices/public/wsfeddispatcher/finance?RPID=http://forwardinc.com
    Only one SSO service exists, but the suffix and the RP ID create a unique partnership lookup key.
    The existence of two partnerships also affects the Assertion Consumer URL provided by the RP. Handle the configuration of this URL in one of the following ways:
    • Use the same IP ID in both partnerships. One local IP can be bound to multiple remote RPs. For this configuration, the RP must provide two different assertion consumer URLs, so it knows which tenant the assertion is for. Example:
      https://casales.salesforce.com/public/wsfedConsumer
      https://cafinance.salesforce.com/public/wsfedConsumer
    • Use different IP IDs for each partnership. The RP can then provide the same assertion consumer URL because the IP ID distinguishes the sender of the assertion.
    Value: An alphanumeric string with no special characters.
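The following is an added example (not CA Single Sign-On code) that models the lookup described above: the disambiguation suffix on the single wsfeddispatcher path and the RPID query parameter together form the partnership key, and a second partnership with the same RP ID is rejected unless it carries a different disambiguation ID. The registry class, the partnership names and the host "idp.example.com" are constructed for the example.

```python
# Added example (not CA Single Sign-On code): derives the partnership lookup
# key (disambiguation ID, RP ID) from an SSO request to the dispatcher service.
from urllib.parse import urlsplit, parse_qs

DISPATCHER_PATH = "/affwebservices/public/wsfeddispatcher"  # service path from this page


class PartnershipRegistry:
    """Maps (disambiguation_id, rp_id) to a partnership name (constructed model)."""

    def __init__(self):
        self._table = {}

    def register(self, name, rp_id, disambiguation_id=""):
        """Add a partnership; reject a duplicate (suffix, RP ID) key."""
        key = (disambiguation_id, rp_id)
        if key in self._table:
            # Same RP ID again: the second partnership needs its own disambiguation ID.
            raise ValueError(f"duplicate partnership key {key}; set a disambiguation ID")
        self._table[key] = name

    def lookup_key(self, request_url):
        """Return (disambiguation_id, rp_id) for a dispatcher request, or None."""
        parts = urlsplit(request_url)
        if not parts.path.startswith(DISPATCHER_PATH):
            return None
        rest = parts.path[len(DISPATCHER_PATH):]
        if rest and not rest.startswith("/"):
            return None  # e.g. "/wsfeddispatcherX" is a different path
        suffix = rest.strip("/")
        if "/" in suffix:
            return None  # only one logical path segment is expected
        rp_id = parse_qs(parts.query).get("RPID", [None])[0]
        if rp_id is None:
            return None
        return (suffix, rp_id)

    def resolve(self, request_url):
        """Return the partnership name for a request, or None if no key matches."""
        key = self.lookup_key(request_url)
        return self._table.get(key) if key is not None else None
```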
  • Remote Passive Requester Service (remote IP)
    Identifies the URL of the passive requester service at the remote IP. Passive requesters are web browsers or applications that support the HTTP protocol. This service provides the security tokens that verify that the claimed requester is legitimate.
  • Sign-Out Confirm URL (local IP)
    Specifies the URL at the Identity Provider that performs sign-out.
    Default: http://ip_server:port/affwebservices/signoutconfirmurl.jsp
    ip_server:port
    Specifies the server and port number of the Identity Provider system. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.
    The signoutconfirmurl.jsp is included with the Web Agent Option Pack or SPS federation gateway. Move this page from the default directory and place it where the servlet engine for the Federation Web Services can access the page.
  • Remote Sign-out URL (remote RP)
    Specifies the URL of the remote RP sign-out service. The default URL is:
    https://rp_service:port/affwebservices/public/wsfeddispatcher
    The WSFedDispatcher Service receives all incoming WS-Federation messages and forwards the request processing to the appropriate service based on the query parameter data. Although there is a wsfedsignout service, use the wsfeddispatcher URL for the SignoutURL.
  • Remote Security Consumer Token Service URL (remote RP)
    Specifies the URL of the token service at the remote Resource Partner. This service receives security token response messages and extracts the assertion. The default location for the service is:
    https://rp_server:port/affwebservices/public/wsfeddispatcher
    rp_server:port
    Identifies the web server and port at the Resource Partner hosting the Web Agent Option Pack or SPS federation gateway. These components provide the Federation Web Services application.
    The WSFedDispatcher Service receives all incoming WS-Federation messages and forwards the request processing to the appropriate service based on the query parameter data. Although there is a wsfedsecuritytokenconsumer service, the wsfeddispatcher service is recommended for the entry in this field.
Signature Settings
The Signature Options define the signing behaviors for single sign-on. This section contains the different settings, depending on the entity.
  • Signing Private Key Alias (local IP only)
    (Optional) Specifies the alias that is associated with a specific private key in the certificate data store. By completing this field, you are indicating which private key the asserting party uses to sign assertions.
    If the key you want to use is not already in the certificate data store, you can click Import to import it before proceeding.
    Note: The private key must already be in the certificate data store before you specify its associated alias in this field.
    Value: Select from the drop-down list.
  • Verification Certificate Alias (remote IP and RP)
    (Optional) Specifies the alias that is associated with a specific certificate (public key) in the certificate data store. The alias that you provide tells the Policy Server which certificate to use to verify signed assertions.
    Select an alias from the drop-down list, or click Import to import the certificate if the one you want is not yet available.
    Note: The certificate must be in the certificate data store before you specify its associated alias.
    Value: Select from the drop-down list.
Supported NameID Formats and Attributes
The Supported Name ID Formats and Attributes section has two functions:
  • Specifies the Name ID formats that the entity supports.
    The Name Identifier names a user in a unique way in the assertion and specifies which attributes to include in the assertion. The format of the Name Identifier establishes the type of content that is used for the ID. For example, the format can be the User DN so the content can be a uid.
  • For the asserting party, you specify attributes to include in an assertion.
    Attributes added to an assertion can further identify a user and enable an application using the assertion to be customized for each user.
Supported Name ID Formats and Attributes
From the list of options, select all the formats that apply. To select all formats, select Select Name ID Formats.
For a description of each format, see the specification for the SAML or WS-Federation profile.
  • Supported Assertion Attributes
    Specifies the attributes that the producer includes in the assertion. Click Add to include an attribute in the table. The table includes the following columns:
    • Assertion Attribute
      Indicates the specific attribute in the assertion.
      Value: name of a valid assertion attribute
    • Namespace
      Designates a collection that uniquely identifies names.
      Value: Any namespace name
    • Delete
      Click the icon to remove the entry from the table.