Symantec Access Management

  • 1.  R12 Federation setup

    Posted Apr 08, 2014 07:18 AM

    Hi,

We have a requirement to have SAML2.0 SSO with a 3rd party application. Currently, we have the SiteMinder setup at our end.

We are planning to have a Federated SSO setup in place in which our organization will be acting as IDP (Identity Provider) and the 3rd party as SP (Service Provider). As far as I know, we need to have the following setup in place to achieve SAML2.0 SSO:

1. Install the Web Agent Option Pack on the same/separate server. Deploy it on an application server, i.e. WebLogic.

2. Policy Server Option Pack is not required as we are using the SiteMinder R12 policy server.

3. The 3rd party application needs to have a SAML2.0 toolkit like ADFS or SiteMinder to consume the assertion.

Please let me know if I have the correct understanding.

I still have the questions below:

1. If we have a separate server on which we have WAOP installed and deployed on the WebLogic server, then do we need to install any web agent on that server? If yes, then what will this agent be protecting?

2. On the Policy Server, we need to create the affiliate domain to protect the 3rd party application. How are these domain settings made available to FWS deployed on WebLogic?

It would be better if someone could share a document that details a simple federation setup with an activity flow diagram and the components required.

I would appreciate your quick response on this.

    Regards,

    Vishal



  • 2.  RE: R12 Federation setup

Posted Apr 16, 2014 03:53 PM

    Hi All,

    Any input here for Vishal?

    Thanks!

    Chris



  • 3.  RE: [CA SiteMinder General Discussion] RE: R12 Federation setup
    Best Answer

    Broadcom Employee
    Posted Apr 16, 2014 05:26 PM
    Hello vishal-nord,

Answers inline below.


1. Install the Web Agent Option Pack on the same/separate server. Deploy it on an application server, i.e. WebLogic --> Yes, you could use any supported application server (review the Platform Support Matrix on the support site).

2. Policy Server Option Pack is not required as we are using the SiteMinder R12 policy server. ---> Correct

3. The 3rd party application needs to have a SAML2.0 toolkit like ADFS or SiteMinder to consume the assertion. ---> Correct

Please let me know if I have the correct understanding.

I still have the questions below:

1. If we have a separate server on which we have WAOP installed and deployed on the WebLogic server, then do we need to install any web agent on that server? If yes, then what will this agent be protecting?

---> A WebAgent is not required on the same server, but when it is on a separate server, this would be the webagent/webserver which forwards the requests to Affwebservices/FWS/WAOP on the WebLogic. Therefore you would need the webserver configured to handle that. This agent would protect the default FederationWebServices realm that gets installed when you install the SMPS (embedded PSOP or SMPS option pack). You could call this agent the Federation agent, and this agent would also protect the authentication URL (auth-url) for your SAML 2.0 IDP configuration, so that if a user does not have a pre-existing SMSESSION, FWS/WAOP can redirect to this auth-url for the login challenge and generate the SMSESSION. FWS/WAOP does not generate the SMSESSION; it only consumes or validates it, and therefore the auth-url logic is required in case the SMSESSION is not present for the user wanting to federate over.

2. On the Policy Server, we need to create the affiliate domain to protect the 3rd party application. How are these domain settings made available to FWS deployed on WebLogic?

----> Nope, as the SiteMinder IDP you do not protect the 3rd party app. You would just create the partnership in which your local side is the IDP and your partner is the SP (Partnership model, r12.5 and above). In Legacy Federation (prior to r12.5), you would create an Affiliate domain and create a Service Provider object. This object and configuration is responsible for authorizing pre-authenticated users to federate over (or for generating the assertion). Authentication for the users wanting to federate over either happens through another SiteMinder-protected resource/application, so that when they click on the Federation link the user already has the SMSESSION that FWS/WAOP can validate; OR, if the user came directly to the Federation link or URL (in the case of the SAML 2.0 samlsso service, http://fqdn:port/affwebservices/public/saml2sso), they would get redirected by FWS to the auth-url (http://fqdn:port/siteminderagent/redirectjsp/redirect.jsp) for that logic. You would need to create a realm, rule and policy for the auth-url too.



Hope this helps. Federation flow charts should be in the bookshelf; you can refer to the r12.52/latest bookshelf for that if you like, or even older versions.

    Thanks & Regards,
    ------ Manjari

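The IDP-side decision Manjari describes, modelled as an added example that is not part of this thread or of the SiteMinder product: FWS only validates an SMSESSION and never creates one, so a request to the saml2sso URL without a valid session is bounced to the protected auth-url (with the original URL as TARGET), while a request with a valid session is authorized against the SP partnership before an assertion is produced. The hostnames, session store, partnership entry and assertion shape are all constructed assumptions.

```python
# Constructed model of the Federation Web Services (FWS) decision logic.
# Hostnames, session IDs, partnership data and the assertion layout are
# assumptions made for this example, not SiteMinder's real data model.
import uuid
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

IDP_SSO_URL = "https://idp.example.com/affwebservices/public/saml2sso"
AUTH_URL = "https://idp.example.com/siteminderagent/redirectjsp/redirect.jsp"

# Partnership (legacy: Service Provider object in the affiliate domain):
# which SP may receive assertions and which users are authorized for it.
PARTNERSHIPS = {
    "sp-partner": {"audience": "https://sp.example.net/saml",
                   "allowed_groups": {"federated-users"}},
}
# Constructed stand-in for sessions the Policy Server would validate.
SESSIONS = {
    "sess-alice": {"user": "alice", "groups": {"federated-users"}},
    "sess-bob": {"user": "bob", "groups": {"staff"}},
}

def validate_smsession(cookie):
    """The Federation agent asking the Policy Server whether SMSESSION is valid."""
    return SESSIONS.get(cookie)

def build_assertion(user, audience, lifetime_s=300):
    """Minimal SAML 2.0 assertion skeleton (unsigned; signing is out of scope)."""
    now = datetime.now(timezone.utc)
    return {"id": "_" + uuid.uuid4().hex, "issuer": IDP_SSO_URL, "subject": user,
            "audience": audience, "issue_instant": now.isoformat(),
            "not_on_or_after": (now + timedelta(seconds=lifetime_s)).isoformat()}

def handle_saml2sso(sp_id, cookies):
    """FWS handling a GET to saml2sso?SPID=<sp_id> with the request cookies."""
    session = validate_smsession(cookies.get("SMSESSION"))
    if session is None:
        # No pre-existing SMSESSION: FWS cannot log the user in itself, so it
        # redirects to the WebAgent-protected auth-url, carrying the original
        # federation URL as TARGET so the user returns here after login.
        target = IDP_SSO_URL + "?" + urlencode({"SPID": sp_id})
        return {"status": 302, "location": AUTH_URL + "?" + urlencode({"TARGET": target})}
    partner = PARTNERSHIPS.get(sp_id)
    if partner is None:
        return {"status": 403, "reason": "unknown service provider"}
    if not (session["groups"] & partner["allowed_groups"]):
        # Authenticated but not authorized by the partnership: no assertion.
        return {"status": 403, "reason": "user not authorized for this partnership"}
    return {"status": 200, "assertion": build_assertion(session["user"], partner["audience"])}
```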


  • 4.  RE: [CA SiteMinder General Discussion] RE: R12 Federation setup

    Posted Apr 25, 2014 06:36 AM

    Thanks Manjari for your inputs.

    Regards,

    Vishal