Resource Partner--General Settings

This dialog is where you specify identity information for the Account Partner and Resource Partner.
General Settings
The General page contains the following settings:
  • Name
    Name of the Resource Partner. This name must be unique across all affiliate domains.
  • Resource Partner ID
    Specifies a URI that uniquely identifies the Resource Partner, such as rp.example.com.
  • Authentication URL
    Specifies a protected URL that federation uses to authenticate users and create a session when a protected resource is requested. If the authentication mode is set to local and a user has not logged in at the asserting party, users are sent to this URL. This URL must point to the redirect.jsp file, unless you select the Use Secure URL check box. Example: http://myserver.idpA.com/siteminderagent/redirectjsp/redirect.jsp
    myserver
    Identifies the web server with the Web Agent Option Pack or the SPS federation gateway. The redirect.jsp file is included with the Web Agent Option Pack or SPS federation gateway that is installed at the asserting party.
    Protect the Authentication URL with an access control policy. For the policy, configure an authentication scheme, realm, and rule. To add session store attributes to the assertion, enable the Persist Authentication Session Variables check box, which is a setting in the authentication scheme.
  • Active
    Indicates whether the legacy federation configuration is in use for a particular partnership. If the Policy Server is using the legacy federation configuration, confirm this check box is selected. If you have recreated a federated partnership with similar values for identity settings, such as source ID, clear this check box before activating the federated partnership.
    CA Single Sign-On cannot work with a legacy configuration and a partnership configuration that use the same identity values; otherwise, a name collision occurs.
  • Skew Time
    Specifies the number of seconds to subtract from the current time to account for Resource Partners whose clocks are not synchronized with the Account Partner.
    Enter the number of seconds as a positive integer.
  • Description
    (Optional) A brief description of the Resource Partner.
  • Account Partner ID
    Specifies a URI that uniquely identifies the Account Partner, such as ap-ca.com. This ID becomes the Issuer field in the SAML assertion.
  • Application URL
    (Optional) Protected URL for a custom web application that is used to supply user attributes to the single sign-on service. The application can be on any host in your network.
    Attributes from the web application specified in this field are placed in the SAML assertion by an Assertion Generator plug-in. Write and integrate the plug-in with CA Single Sign-On.
    The FWS application supplies the sample web applications that you can use as a basis for your web application.
    These applications are located as follows:
    http://ap_server:port/affwebservices/public/sample_application.jsp
    http://ap_server:port/affwebservices/public/unsolicited_application.jsp
    ap_server:port
    Specifies the server and port number of the system at the Account Partner. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.
  • Use Secure URL
    This setting instructs the single sign-on service to encrypt only the SMPORTALURL query parameter. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.
    If you select the Use Secure URL check box, complete the following steps:
    1. Set the Authentication URL field to the following URL: http(s)://idp_server:port/affwebservices/secure/secureredirect
    2. Protect the secureredirect web service with a policy.
    If the asserting party serves more than one relying partner, the asserting party probably authenticates different users for these different partners. As a result, for each Authentication URL that uses the secureredirect service, include this web service in a different realm for each partner.
    To associate the secureredirect service with different realms, modify the web.xml file and create different resource mappings. Do not copy the secureredirect web service to different locations on your server. Locate the web.xml file in the directory web_agent_home/affwebservices/WEB-INF, where web_agent_home is the installed location of the web agent.
  • Affiliate Domain
    Lists the affiliate domain where this entity is included.
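
The effect that the Use Secure URL setting describes, as an added example that is not part of the original documentation and is not CA Single Sign-On code: the return target travels in SMPORTALURL as an opaque, authenticated ciphertext, so a value altered in the browser is refused instead of followed. The cipher (AES-256-GCM), the key, the token layout, the host names, and all function names are assumptions made for illustration.

```javascript
// Added illustration: NOT the product's algorithm, key handling, or wire format.
const crypto = require("node:crypto");

// Constructed demo key; a real deployment would use a managed secret.
const KEY = crypto.createHash("sha256").update("constructed-demo-key").digest();

// Encrypt the return target so the browser only ever carries an opaque token.
function sealPortalUrl(target, key = KEY) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(target, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64url");
}

// Returns the original target, or null if the token was altered or forged.
function openPortalUrl(token, key = KEY) {
  try {
    const raw = Buffer.from(token, "base64url");
    if (raw.length < 28) return null; // 12-byte IV + 16-byte tag minimum
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return body.toString("utf8");
  } catch {
    return null; // authentication tag mismatch: value was modified
  }
}

// Append the sealed value to the Authentication URL before the redirect.
function buildAuthRedirect(authUrl, target) {
  const u = new URL(authUrl);
  u.searchParams.set("SMPORTALURL", sealPortalUrl(target));
  return u.toString();
}

// After authentication: recover the destination, refusing altered values.
function resolveDestination(redirectUrl) {
  const token = new URL(redirectUrl).searchParams.get("SMPORTALURL");
  return token === null ? null : openPortalUrl(token);
}
```

A null result from resolveDestination is the case to log and answer with an error page rather than a redirect.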
The General settings also include the following sections:
  • Restrictions
    Lets you configure IP address and time restrictions on the assertion generation policy for the Resource Partner.
    • Time
    • Set
      Opens the Time dialog so you can configure the availability of the Resource Partner. When you add a time restriction, the Resource Partner functions only during the period specified.
    • Clear
    • IP Addresses
    Lists restricted IP addresses that are configured for the policy for the federation resources. Specify an IP address, range of IP addresses, or a subnet mask of the web server on which a browser must be running for the user to access a Resource Partner.
    • Add
      Opens an empty Add IP Address dialog from where you can create an IP address restriction.
Resource Partner--D-Sig Verification Info
D-Sig Verification Info
Enables digital signing.
  • Disable Signature Processing
    Disables all signature processing for this Resource Partner (signing and verification of signatures).
    Signature processing is required in a production environment. Disable signature processing only for debugging purposes.
  • Signing Alias
    (Optional) Specifies the alias that is associated with a specific private key in the certificate data store. By completing this field, you are indicating which private key the Account Partner must use to sign assertions and assertion responses.
    Be sure that the private key is in the data store before you specify its associated alias in this field.
    Value:
    An alphanumeric character string.
Resource Partner--Advanced Settings
The Advanced section is where you can configure a custom-developed Assertion Generator plugin. The Assertion Generator Plugin API enables you to develop the plug-in. This task is optional.
The Assertion Generator Plugin has the following fields:
  • Java Class Name
    Specifies the fully qualified Java class name of the Assertion Generator Plugin.
  • Parameters
    Specifies a string of parameters that CA Single Sign-On passes to the specified plugin.