Symantec Access Management

  • Private Community
 View Only

  • 1.  CA Single Sign On as a Service Provider

    Posted Aug 24, 2016 02:48 PM

    I want to know how to configure CA SSO to act as a SP. Currently we are using CA SSO only for IDP and sending SAML response to SP site (3rd Party) after verifying user at our end. Now we have a resource at our network that we want to expose to 3rd party. Our vendor will send us SAML response (May be from CA SSO or other SSO vendor) after authenticating user from their LDAP user stores and we are supposed to consume that SAML response and provide access to site located at our network.

    I want to add one more thing that we don’t have any user details of 3rd party and even we don’t want it. If user is authenticated from IDP site and SAML is posted to our SP site, we just want to consume that SAML with our CA SSO and if SAML is verified then redirect user to resource site hosted at our SP network.



  • 2.  Re: CA Single Sign On as a Service Provider

    Posted Aug 24, 2016 06:42 PM

    Hi,

    Check following documentation if that help to address your question.

     

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/legacy-federation/configure-a-saml-2-0-service-provider

     

    Regards,

    Kar Meng



  • 3.  Re: CA Single Sign On as a Service Provider

    Posted Aug 25, 2016 12:08 PM

    I already checked that document. This document mainly focus on theory part and when I started working on it, I stuck because of missing practical example.

    I have one more question, can I use same CA SSO environment for IDP and SP for testing ?

    We have following components install on our environment :

    CA Policy server                             - R12.52 SP01 CR05      

    CA Secure Proxy Server                - R12.52 SP01 CR05

    CA Federation gateway                   - r12.52

    CA Directory Server                         - version R12.0 SP12 Build 7338



  • 4.  Re: CA Single Sign On as a Service Provider
    Best Answer

    Posted Aug 25, 2016 07:27 PM

    Hi Vipul,

     

    can I use same CA SSO environment for IDP and SP for testing ?

    R: For testing purpose, yes, you can use the same environment.

    My colleague Kim put out a great efforts to write out the Federation use case as below:

     

    https://communities.ca.com/people/SungHoon_Kim/blog/2016/05/29/federation-starters

    https://communities.ca.com/people/SungHoon_Kim/blog/2016/06/14/federation-starters-2

    https://communities.ca.com/people/SungHoon_Kim/blog/2016/06/15/federation-starters-3

    https://communities.ca.com/people/SungHoon_Kim/blog/2016/06/16/federation-starters-4

     

    Hope that helps.

     

    Regards,

    Kar Meng



  • 5.  Re: CA Single Sign On as a Service Provider

    Posted Aug 25, 2016 07:27 PM

    Hi Vipul,

     

    For testing, you can use SPS as IdP and another Federation Gateway as your SP.

     

    So in the Federation Partnership setup, you will SPS as both local IdP and remote IdP while have the other Federation Gateway as local SP and remote SP. Then create IdP->SP and SP->IdP partnerships accordingly.



  • 6.  Re: CA Single Sign On as a Service Provider

    Posted Aug 24, 2016 09:22 PM

    Hi Vipul,

     

    To achieve SSO with no local user, configure every user to map to a single user account, making the single user essentially an anonymous user. Hence, create a user directory with a single user record or create a user directory using the Policy server API that returns the same user record.

     

    The user identification configuration for the partnership must specify a custom user search specification that looks up a single user. For example, if the user directory is LDAP, the search specification is uid=user1.

     

    With that, the SP will consume the assertion from IdP. After successful assertion validation (check against the assertion validity and issuer ID), user will be allowed to access the resource.