In chapter 8 of the CA CloudMinder Getting Started with SSO manual, https://support.ca.com/cadocs/0/CA%20CloudMinder%20for%20Service%20Providers%201%2052-ENU/Bookshelf_Files/PDF/sso_gettin…, it mentions mapping [attributeImmutableId] to eTCustomField04 and [attributeUPN] to eTCustomField05. There is also the mapping of [ruleStringImmutableId] to %UCU04%. Is there any explanation of how these mappings were made?
(responding to this on behalf of CA Secure Cloud product team)
UPN and ImmutableID are required for federation users. The values for these attributes in the on-premise user directory must match the values in the Office 365 directory. Hence the SetUPN and SetImmutableID policies generate the values for these attributes and store them in the Provisioning Directory.
During this step CA Secure Cloud maps attributes present in the Provisioning Directory to the attributes in the user directory. As eTCustomField01 to eTCustomField03 are already mapped to other user attributes in the IM Management Console, CA Secure Cloud uses eTCustomField04 and eTCustomField05 (the available provisioning attributes) for ImmutableID and UPN.
In Office 365 Federation, the UPN is mapped to camOffice365_UPN and ImmutableID is mapped to camOffice365_ImmutableID. These attribute values are included in the assertion sent to the Relying Party during federation.
When setting up the Office 365 Connector, the [ruleStringImmutableId] is mapped to %UCU04%. This is a hard-coded value that refers to the user's Custom Field04, which is none other than ImmutableID.
Q: Why do we need to enable Persistent Session?
A: Normally persistent sessions are required where CA Secure Cloud needs the session information in the future. One example of this is Single Logout, where a persistent session helps enforce the session timeout during single logout.
Q: On top of creating STS on SPS, are there any additional procedures to perform?
A: For WSFed active profile support, you need to create a partnership with the STS with the WSFED Active Profile checkbox checked, see the documentation https://support.ca.com/cadocs/0/CA%20CloudMinder%20for%20Service%20Providers%201%2052-ENU/Bookshelf_Files/HTML/idocs/2348833.html?zoom_highlight=STS, and then deploy the STS from proxyui as described in the documentation.
Q: About the Metadata Exchange in https://support.ca.com/cadocs/0/CA%20CloudMinder%20for%20Service%20Providers%201%2052-ENU/Bookshelf_Files/HTML/idocs/wsfed-sso-to-office365.html, do we need to do anything special on SPS? Does it require Layer 7 installed and configured?
A: For WSFED-related configurations CA Secure Cloud doesn’t require Layer7 configuration. For metadata exchange you just need to enable the checkbox in the partnership; no extra configuration is needed. Passive profile metadata can be accessed through a URL, but for an active profile CA Secure Cloud has to send a SOAP request.