CA SiteMinder Federation Security Services


CA SiteMinder Federation Security Services
Federation Endpoint Deployment Guide
r6.0 SP 5, Fourth Edition

This documentation and any related computer software help programs (hereinafter referred to as the Documentation) is for the end user's informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Product are permitted to have access to such copies. The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE. The use of any product referenced in the Documentation is governed by the end user's applicable license agreement. The manufacturer of this Documentation is CA. Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections , , and (c)(1) - (2) and DFARS Section (b)(3), as applicable, or their successors. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. Copyright 2008 CA. All rights reserved.

CA Product References

This document references the following CA products:
- CA eTrust SiteMinder
- CA eTrust SiteMinder SAML Affiliate Agent
- CA eTrust SiteMinder Policy Server Option Pack
- CA eTrust SiteMinder Web Agent Option Pack

Contact Technical Support

For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at


Contents

Chapter 1: SiteMinder Federation Endpoint Implementation (page 11)
    Using the SiteMinder Federation Endpoint
    SAML 1.x Federation Endpoint Terminology
    Abbreviations Used in this Guide
    Prerequisites for the Federation Environment
    Known Issues
        SMFE Sample Applications Not Supported by Internet Explorer
        User Store Search Limitation for SAML 1.x
        <SubjectConfirmation> Element Required in Assertion Statements
        Additional SAML 1.x Attributes Cannot Be Used by the SMFE
        Error Messages that Can Be Ignored
        SMFE Treats the SAML 2.0 Issuer and Audience as the Same Entity

Chapter 2: Deploying Federation Using the FSS Sample Application (page 19)
    Federation Sample Application Overview
    Prerequisites for Using the FSS Sample Application
    Sample Federation Network for the Sample Application
    How To Execute the Sample Application
    Modify the FederationSample.conf File
        FederationSample.conf File Settings
    Modify the SMFEConfig.conf File
        SMFEConfig.conf File Settings
    SetupFederationSample.pl Command Options
    Deploy the Sample Application with SMFE as the IdP
    Deploy the Sample Application with the SMFE as the SP
    Test SSO with the FSS Sample Application
    Test Single Logout with the FSS Sample Application
    Review SMFE Objects Generated by the FSS Sample Application

Chapter 3: Deploying Federation without the Sample Application (page 35)
    Manual Deployment Overview for SMFE-FSS Networks
    Prerequisites for a Manual SMFE Deployment
    Sample Data Used for Deployment Examples
        FSS Sample Data
        SMFE Sample Data

Chapter 4: FSS and SMFE Configuration Settings that Must Match (page 41)
    SAML 1.x Settings that Must Match
    SAML 2.0 Settings that Must Match

Chapter 5: SAML 1.x SSO with SiteMinder FSS (page 45)
    SiteMinder FSS as the SAML 1.x Producer
        Install the Policy Server and Policy Server Option Pack
        Create a SAML 1.x Affiliate Domain
        Add the SMFE to the SAML 1.x Affiliate Domain
        Install the Web Agent and Web Agent Option Pack
        Protect Federation Web Services
        Protect the Authentication URL (SAML 1.x)
        Create a Page with SAML 1.x Links to the SMFE Consumer
        Configure the Key Database to Sign POST Responses
        Protect the SAML 1.x Assertion Retrieval Service (Artifact only)
    SiteMinder FSS as the SAML 1.x Consumer
        Install the Policy Server and the Policy Server Option Pack
        Protect the Federation Web Services Application
        Install the Web Agent and Web Agent Option Pack
        Set-up the smkeydatabase for Artifact Single Sign-on
        (Optional) Configure Signing Verification for POST Profile
        Configure the SAML 1.x Authentication Schemes
        Protect the Resource with the SAML 1.x Authentication Scheme
    SAML 1.x SSO Verification

Chapter 6: SAML 1.x SSO with the SMFE (page 61)
    SMFE as the SAML 1.x Producer
        Configure the SMFE to Accept Artifact Requests
        Start the SMFE and Login to the Administrative Console
        Configure the Local Settings for the Producer
        Configure the SP Connection
        Deploy the IdP Sample Application (SAML 1.x)
    SMFE as the SAML 1.x Consumer
        Start the SMFE and Login to the Administrative Console
        Configure the Local Settings for the Consumer
        Deploy the SMFE SP Sample Application
    SAML 1.x SSO Verification

Chapter 7: SAML 1.x SSO Testing (page 87)
    Test SAML 1.x SSO with FSS as the Producer
    Test SAML 1.x SSO with the SMFE as the Producer

Chapter 8: SAML 2.0 SSO with SiteMinder FSS (page 89)
    Set-up SiteMinder FSS as the Identity Provider
        Install the Policy Server and the Policy Server Option Pack
        Create a SAML 2.0 Affiliate Domain
        Add the SMFE to SAML 2.0 Domain
        Setup the Back Channel for SAML 2.0 Artifact Binding
        Install the Web Agent and Web Agent Option Pack
        Protect Federation Web Services
        Protect the Authentication URL (SAML 2.0)
        Configure the Key Database to Sign POST Responses
        Protect the SAML 2.0 Artifact Resolution Service (Artifact only)
        Setup the SMFE as the Service Provider
    Set-up SiteMinder FSS as the Service Provider
        Install the Policy Server and the Policy Server Option Pack
        Install the Web Agent and Web Agent Option Pack
        Protect Federation Web Services
        Set-up the smkeydatabase for Artifact Single Sign-on
        (Optional) Configure Signing Verification for POST Profile
        Configure the SAML 2.0 Authentication Scheme (Artifact and POST)
        Protect the Target Resource at the SP
    SAML 2.0 SSO Testing

Chapter 9: SAML 2.0 SSO with the SMFE (page 107)
    SMFE as the Identity Provider
        Configure the SMFE to Accept Artifact Requests
        Start the SMFE and Login to the Administrative Console
        Configure the Local Settings for the IdP
        Configure the SP Connection
        Deploy the SMFE Java Sample Application
        Test Single Sign-on with the FSS Sample Application
    SMFE as the Service Provider
        Start the SMFE and Login to the Administrative Console
        Configure the Local Settings for the SP
        Set Up the IdP Connection
        Deploy the SMFE SP Sample Application
    SAML 2.0 SSO Testing

Chapter 10: SAML 2.0 Single Sign-on Testing (page 133)
    Test SAML 2.0 SSO with FSS as the Identity Provider
    Test SAML 2.0 SSO with SMFE as the Identity Provider

Chapter 11: Configure Single Logout with SiteMinder FSS (page 139)
    Configure SLO at the FSS Identity Provider
        Prerequisite for SAML 2.0 SLO
        Configure the Session Server for SLO
        Enable Persistent Sessions for the Realm with Target Resources
        Configure SLO at the FSS Identity Provider
    Configure SLO at the FSS Service Provider
        Setup the SAML 2.0 Authentication Scheme
        Configure the Session Server for SLO
        Enable SLO (POST or Artifact) at the FSS SP

Chapter 12: Configure Single Logout with the SMFE (page 145)
    Configure SLO at the SMFE Identity Provider
        Prerequisite for SLO
        Start the SMFE and Login to the Administrative Console
        Set-up the SMFE SP Connection for SLO
        Test Single Logout
    Configure SLO at the SMFE Service Provider
        Prerequisite for SLO
        Start the SMFE and Login to the Administrative Console
        Configure the IdP Connection for SLO
        Test Single Logout

Chapter 13: Single Logout Testing (page 155)
    Test Single Logout from the IdP or the SP

Chapter 14: IdP Discovery with FSS (page 157)
    FSS Identity Provider Discovery Overview
    Configure FSS for IdP Discovery Profile

Chapter 15: Identity Provider Discovery with the SMFE (page 159)
    SMFE IdP Discovery Overview
    Configure IdP Discovery at the SMFE

Chapter 16: IdP Discovery Testing (page 163)
    Test IdP Discovery from the FSS IdP
    Test IdP Discovery with the SMFE as the IdP


Chapter 1: SiteMinder Federation Endpoint Implementation

This section contains the following topics:
Using the SiteMinder Federation Endpoint (see page 11)
SAML 1.x Federation Endpoint Terminology (see page 13)
Abbreviations Used in this Guide (see page 13)
Prerequisites for the Federation Environment (see page 14)
Known Issues (see page 15)

Using the SiteMinder Federation Endpoint

This deployment guide is for administrators configuring the SiteMinder Federation Endpoint (SMFE) to operate with SiteMinder Federation Security Services (FSS) to enable the following SAML profiles:
- SAML 1.x single sign-on
- SAML 2.0 profiles, including single sign-on, single logout, and Identity Provider Discovery

The SMFE can act in either of the following roles:

SMFE as the Consumer/Service Provider -- The SMFE is configured as the SAML consumer/Service Provider while SiteMinder FSS, installed with the Policy Server and Web Agent Option Packs, is the SAML producer/Identity Provider.

The following picture illustrates these roles.

[Figure: SMFE as the Consumer/Service Provider. Domain A (SAML 1.x Producer / SAML 2.0 Identity Provider) runs the Policy Server + Option Pack and the Web Agent + Option Pack; Domain B (SAML 1.x Consumer / SAML 2.0 Service Provider) runs the Federation Endpoint in front of the target application. Single sign-on flows from Domain A to Domain B.]

SMFE as the Producer/Identity Provider -- The SMFE is the SAML producer/Identity Provider while SiteMinder FSS, installed with the Policy Server and Web Agent Option Packs, is the SAML consumer/Service Provider.

The following picture illustrates these roles.

[Figure: SMFE as the Producer/Identity Provider. Domain A (SAML 1.x Producer / SAML 2.0 Identity Provider) runs the Federation Endpoint; Domain B (SAML 1.x Consumer / SAML 2.0 Service Provider) runs the Policy Server + Option Pack and the Web Agent + Option Pack in front of the target application. Single sign-on flows from Domain A to Domain B.]

SAML 1.x Federation Endpoint Terminology

For the SAML 1.x protocol, the SiteMinder Federation Endpoint Administrative Console and its documentation use different terms from the SiteMinder Policy Server User Interface and the Federation Security Services Guide for similar concepts. The following table lists the differences in SAML 1.x terminology so that you can configure the software and use the SMFE and FSS documentation together.

SAML 1.x FSS Term               Equivalent SAML 1.x SMFE Term
Producer                        Identity Provider
Consumer                        Service Provider
Assertion Retrieval Service     Artifact Resolution Service

Abbreviations Used in this Guide

The following abbreviations are used throughout this guide.

Term                                        Abbreviation
Identity Provider                           IdP
Service Provider                            SP
SiteMinder Federation Security Services     FSS
SiteMinder Federation Endpoint              SMFE
Single Sign-on                              SSO
Single Logout                               SLO
Identity Provider Discovery                 IdP Discovery

Prerequisites for the Federation Environment

This deployment guide assumes that you have set up the following components and that they are operational.

For SiteMinder FSS, the following prerequisites must be met:
- SiteMinder is installed with the associated Policy Server and Web Agent Option Packs.
- ServletExec or a supported application server is installed for the Federation Web Services application, which is a component of the Web Agent Option Pack.
- Federation Web Services is configured as a web application and deployed with ServletExec or a supported application server.
- You have a target resource on the FSS consumer-side web server. This is the resource that will be protected by a SiteMinder policy. This applies only when Federation Security Services is deployed at a consumer/SP site.

For details on setting up FSS, see the SiteMinder Federation Security Services Guide.

For the SMFE, the following prerequisites must be met:
- A license key was obtained before installing the SMFE; the endpoint requires a license key to operate. A license key file, pingfederate.lic, should have been e-mailed to you. If it has not, contact your CA sales representative or CA Technical Support.
  Important! You need a license for each role the SMFE serves: one license if the SMFE acts as the consumer and one license if the SMFE acts as the producer.
- Your system complies with the system requirements documented in the "Installation" chapter of the SiteMinder Federation Endpoint Administrator's Manual.
- SiteMinder Federation Endpoint is installed.
- You have adjusted the run.properties file to set the mode of operation for the SMFE. The operational mode should be STANDALONE, and the default ports the SMFE uses are:
  pf.http.port=9030 (used for HTTP traffic)
  pf.https.port=9031 (used for HTTPS traffic)

- You have specified a secondary port in the run.properties file to handle SAML artifact requests. idp/soap.ssaml1 is the SMFE servlet that retrieves the assertion; you cannot use the default port of 9031 for artifact requests. For the deployment in this guide, port 8443 is the secondary port.
- You know how to start the SMFE and log in to the Administrative Console.
- You have downloaded and set up the Apache Jakarta Tomcat servlet container used by the Java sample applications in the SMFE integration kit.
- You have a target resource on the FSS consumer-side web server. This is the resource that will be protected by a SiteMinder policy. This applies only when Federation Security Services is deployed at a consumer/SP site.

For details on completing these steps, read the SiteMinder Federation Endpoint Quick Start Guide and the SiteMinder Federation Endpoint Administrator's Manual.

Known Issues

The following are known issues for this release of the SiteMinder Federation Endpoint.

SMFE Sample Applications Not Supported by Internet Explorer

The sample applications supplied by the SMFE integration kits, SpSample and IdpSample, are not supported with Internet Explorer on Windows Server 2003, XP, or Windows 2000. Firefox is the recommended browser.

Note: The SMFE Administrative Console does work with Internet Explorer.

With Internet Explorer, the URL of the application server where the sample application resides is not set following SSO or SLO transactions. Instead, the URL is set to the federation server's URL, which results in an HTTP File Not Found error. There is a Microsoft hot fix for this problem, documented at the Microsoft Support site. Another workaround is to have the web application build the URL from a fixed host name and port rather than reading them from the request object. The request object can carry the host name and port for the URL, but preferably the application should not rely on them and should create the URL from a fixed host name and port instead.

User Store Search Limitation for SAML 1.x

If you use the value of the NameIdentifier element to authenticate a user at a SAML 1.x consumer, be aware of a limitation when you use SiteMinder out of the box. Out of the box, SiteMinder acting as a SAML 1.x producer cannot customize or change the contents of the SAML NameIdentifier element in the assertion consumed by the SMFE. If SiteMinder authenticates the user against an LDAP directory, the NameIdentifier element contains the user's full DN string. If SiteMinder authenticates the user against an ODBC database, the NameIdentifier contains the user name.

At the consumer, the SMFE can search LDAP and ODBC user stores to return data from these local sources. If the searches are based on the NameIdentifier returned by SiteMinder, the LDAP case is difficult to handle because the value is a full DN rather than a single attribute value.

Note: SiteMinder can use the Assertion Generator plug-in to customize the assertion content on the producer side. If the consumer side uses any attribute other than the NameIdentifier for authentication, this limitation does not apply.

<SubjectConfirmation> Element Required in Assertion Statements

For SAML 1.0 interoperability, the SMFE requires that a <SubjectConfirmation> element be included in the <Attribute> and <Authentication> statements of the SAML assertion for the artifact and POST profiles. To satisfy this requirement, an Assertion Generator plug-in is available with SiteMinder Federation Security Services. SiteMinder, acting as the SAML 1.0 producer, requires this plug-in for producer- or consumer-initiated single sign-on.

Note: For SAML 1.x, only producer-initiated single sign-on is supported by the SMFE.

The SiteMinder FSS distribution includes a samlassertionplugin.zip archive that contains the following files:
- AssertionSAML10.jar: the jar file for the plug-in.
- AssertionSample.java: a customized version of the sample SDK code that adds the <SubjectConfirmation> element to the <Attribute> and <Authentication> statements. This sample code can be used as is or customized for any assertion generation code that you produce.

To add the <SubjectConfirmation> element to <Attribute> and <Authentication> statements
1. Copy the AssertionSAML10.jar file from the zip archive into a local directory on the system where the Policy Server and Policy Server Option Pack reside.
2. In the JVMOptions.txt file, specify the fully qualified path to the AssertionSAML10.jar file in the -Djava.class.path property. The JVMOptions.txt file is located in the policy_server_home/config/ directory.
3. Log on to the Policy Server User Interface.
4. Access the Affiliate Properties dialog for the consumer with which you are federating.
5. Select the Advanced tab in the Affiliate Properties dialog. The Assertion Customization Plug-in dialog is displayed.
6. Complete the following fields with the values shown:
   Full Java Class Name: com.netegrity.assertiongenerator.AssertionSample
   Parameter: Artifact or POST (specify the string for the profile you are using for single sign-on)
7. Click OK to save the configuration.

Additional SAML 1.x Attributes Cannot Be Used by the SMFE

If SiteMinder FSS, acting as the producer, adds SAML 1.x attributes to an assertion, the SMFE cannot use these attributes, because the SAML 1.x assertion generated by FSS adds user information in a format that the SMFE cannot interpret.
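Once the plug-in is configured, it is worth verifying the producer's output directly rather than waiting for the SMFE to reject it. The following Python script is an added example, not CA's Assertion Generator plug-in and not SMFE code: it parses a SAML 1.0 assertion and reports every <AuthenticationStatement> or <AttributeStatement> whose <Subject> lacks a <SubjectConfirmation>, and checks that the confirmation method matches the profile string you entered in the Parameter field (artifact or bearer for POST). The sample assertion it builds is constructed for this example; the issuer idp.demo, the user DN and the attribute value are made up, and the assertion with no <SubjectConfirmation> stands in for the out-of-the-box FSS output described above.

```python
"""Check a SAML 1.x assertion for the <SubjectConfirmation> elements the SMFE
requires, and for the confirmation method that matches the SSO profile.

Added example; this is not CA's Assertion Generator plug-in and not code from
the SMFE. The sample assertion is constructed here: the issuer idp.demo, the
user DN and the attribute values are made up.
"""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Confirmation methods defined by SAML 1.x for the two browser profiles.
CM_ARTIFACT = "urn:oasis:names:tc:SAML:1.0:cm:artifact"
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
PROFILE_METHOD = {"Artifact": CM_ARTIFACT, "POST": CM_BEARER}
STATEMENT_TAGS = ("AuthenticationStatement", "AttributeStatement")


def q(tag):
    """Qualify a tag name with the SAML 1.x assertion namespace."""
    return "{%s}%s" % (SAML1_NS, tag)


def check_subject_confirmation(assertion_xml, profile):
    """Return a list of problems found in the assertion for the given profile
    ("Artifact" or "POST"); an empty list means it meets the SMFE requirement."""
    expected = PROFILE_METHOD[profile]
    root = ET.fromstring(assertion_xml)
    if root.tag != q("Assertion"):
        return ["root element is %s, expected saml:Assertion" % root.tag]
    problems, seen = [], 0
    for tag in STATEMENT_TAGS:
        for stmt in root.iter(q(tag)):
            seen += 1
            subject = stmt.find(q("Subject"))
            if subject is None:
                problems.append("%s has no Subject" % tag)
                continue
            conf = subject.find(q("SubjectConfirmation"))
            if conf is None:
                problems.append("%s Subject lacks SubjectConfirmation" % tag)
                continue
            methods = [m.text.strip() for m in conf.findall(q("ConfirmationMethod")) if m.text]
            if expected not in methods:
                problems.append("%s confirmation methods %s do not include %s"
                                % (tag, methods, expected))
    if seen == 0:
        problems.append("assertion has no Authentication or Attribute statement")
    return problems


def sample_assertion(with_confirmation, method=CM_ARTIFACT):
    """Constructed SAML 1.0 assertion. with_confirmation=False mimics the
    out-of-the-box FSS output that the plug-in is meant to correct."""
    conf = ""
    if with_confirmation:
        conf = ("<SubjectConfirmation><ConfirmationMethod>%s</ConfirmationMethod>"
                "</SubjectConfirmation>" % method)
    subject = ("<Subject><NameIdentifier>uid=user1,ou=People,dc=idp,dc=demo"
               "</NameIdentifier>%s</Subject>" % conf)
    return (
        '<Assertion xmlns="%s" MajorVersion="1" MinorVersion="0" AssertionID="_a1" '
        'Issuer="idp.demo" IssueInstant="2008-01-01T00:00:00Z">'
        '<Conditions NotBefore="2008-01-01T00:00:00Z" NotOnOrAfter="2008-01-01T00:05:00Z"/>'
        '<AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
        'AuthenticationInstant="2008-01-01T00:00:00Z">%s</AuthenticationStatement>'
        '<AttributeStatement>%s<Attribute AttributeName="mail" AttributeNamespace="urn:example:attrs">'
        '<AttributeValue>user1@idp.demo</AttributeValue></Attribute></AttributeStatement>'
        '</Assertion>'
    ) % (SAML1_NS, subject, subject)


if __name__ == "__main__":
    for label, ok in (("plug-in output", True), ("out-of-the-box FSS", False)):
        print(label, check_subject_confirmation(sample_assertion(ok), "Artifact") or "OK")
```

To use it against a real producer, enable FSS trace logging so the assertion appears in FWSTrace.log, paste the <Assertion> element into check_subject_confirmation, and pass the same profile string you configured in the plug-in Parameter field.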

The FSS adds attributes as XML nodes within a single <Attribute> element of the SAML assertion. The SMFE treats this data as one set of XML, which includes the SiteMinder session timeout values, the SiteMinder Session ID, the User DN and Username, and any additional header or cookie attributes. The SMFE cannot distinguish these individual values as discrete data and instead treats them as one large block of XML.

There are two possible solutions to this issue:
- Add a custom SAML Assertion Generator plug-in to the affiliate object in the SiteMinder policy store that identifies the SMFE. This custom plug-in must rewrite the assertion in a format that the SMFE can interpret, so that the SMFE can use the attributes.
- Code specific LDAP searches using the LDAP SDK included with the SMFE to parse the XML and retrieve the desired data from a local data store.

Error Messages that Can Be Ignored

You may see the following warning messages as you use SiteMinder and the SMFE together:
- A message from smfe.sp.com:8080 indicating that a connection supporting SP-initiated SSO is not available because the browser does not recognize the single sign-on certificate. Disregard this message.
- A warning message stating that there is No Idp Connection. This message is displayed because the SMFE provides a web service that the sample application uses for SP-initiated single sign-on, which is not supported in this release.

SMFE Treats the SAML 2.0 Issuer and Audience as the Same Entity

The SMFE considers the SAML 2.0 Issuer and Audience to be the same entity within a federated network. This affects the configuration at the SiteMinder FSS Identity Provider when you add the SMFE as a Service Provider to an affiliate domain.

Note: SiteMinder FSS treats these entities separately.

You define the SMFE Service Provider in the SAML Service Provider Properties dialog of the Policy Server User Interface. The value you enter for the SP ID field on the General tab must be the same value you enter for the Audience field on the SSO tab. Additionally, these values should match the value specified in the SAML v2.0 Entity ID field in the Federation Info settings at the SMFE consumer.
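The practical consequence of the three values disagreeing is that the assertion the FSS Identity Provider issues names an Audience the SMFE does not recognise as itself. The following Python script is an added example, not SMFE code, of the check any SAML 2.0 Service Provider performs on a received assertion: the <Issuer> must be the configured IdP entity ID and the <Audience> must include the SP's own entity ID. The SAML 2.0 response it builds is constructed for this example (no signature, made-up IDs and timestamps); idp.demo and https://sp.demo/saml2 are assumed sample entity IDs, and the second test case shows what happens when the Audience field on the SSO tab was set to a value other than the SP ID.

```python
"""SP-side check of the SAML 2.0 <Issuer> and <Audience> against the entity
IDs the Service Provider is configured with.

Added example, not CA or SMFE code. The response below is constructed for this
example: unsigned, with fabricated IDs and timestamps; the entity IDs idp.demo
and https://sp.demo/saml2 are assumed sample values.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP2 = "urn:oasis:names:tc:SAML:2.0:protocol"


def q(ns, tag):
    """Qualify a tag name with a namespace for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def check_entities(response_xml, idp_entity_id, sp_entity_id):
    """Return a list of problems; empty means every assertion in the response
    names the expected IdP as Issuer and this SP's entity ID as an Audience."""
    root = ET.fromstring(response_xml)
    if root.tag == q(SAMLP2, "Response"):
        assertions = root.findall(q(SAML2, "Assertion"))
    else:
        assertions = [root]  # a bare <saml:Assertion>
    problems = []
    if not assertions:
        problems.append("response carries no assertion")
    for n, a in enumerate(assertions, 1):
        issuer = a.findtext(q(SAML2, "Issuer"), default="").strip()
        if issuer != idp_entity_id:
            problems.append("assertion %d: Issuer %r is not the configured IdP %r"
                            % (n, issuer, idp_entity_id))
        # SAML 2.0 allows several <Audience> values; any one naming us is enough.
        audiences = [x.text.strip() for x in a.iter(q(SAML2, "Audience")) if x.text]
        if not audiences:
            problems.append("assertion %d: no AudienceRestriction; refusing an "
                            "unrestricted assertion" % n)
        elif sp_entity_id not in audiences:
            problems.append("assertion %d: Audience %s does not name this SP %r"
                            % (n, audiences, sp_entity_id))
    return problems


def sample_response(audience, issuer="idp.demo"):
    """Constructed, unsigned SAML 2.0 Response with one assertion."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2008-01-01T00:00:00Z">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
        '</samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        'user1</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="2008-01-01T00:00:00Z" NotOnOrAfter="2008-01-01T00:05:00Z">'
        '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions>'
        '<saml:AuthnStatement AuthnInstant="2008-01-01T00:00:00Z"><saml:AuthnContext>'
        '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
        '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
        '</saml:Assertion></samlp:Response>'
    ) % (SAMLP2, SAML2, issuer, issuer, audience)


if __name__ == "__main__":
    sp = "https://sp.demo/saml2"
    # SP ID == Audience field == SMFE Entity ID: accepted.
    print(check_entities(sample_response(sp), "idp.demo", sp) or "OK")
    # Audience field at the FSS IdP set to something other than the SP ID: rejected.
    print(check_entities(sample_response("https://sp.demo/other"), "idp.demo", sp))
```

Signature verification and the NotBefore/NotOnOrAfter window are deliberately out of scope here; this script isolates the entity-ID agreement the page describes so a mismatch can be spotted before the rest of the profile is debugged.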

Chapter 2: Deploying Federation Using the FSS Sample Application

This section contains the following topics:
Federation Sample Application Overview (see page 19)
Prerequisites for Using the FSS Sample Application (see page 21)
Sample Federation Network for the Sample Application (see page 22)
How To Execute the Sample Application (see page 23)
Modify the FederationSample.conf File (see page 24)
Modify the SMFEConfig.conf File (see page 26)
SetupFederationSample.pl Command Options (see page 27)
Deploy the Sample Application with SMFE as the IdP (see page 28)
Deploy the Sample Application with the SMFE as the SP (see page 30)
Test SSO with the FSS Sample Application (see page 31)
Test Single Logout with the FSS Sample Application (see page 34)
Review SMFE Objects Generated by the FSS Sample Application (see page 34)

Federation Sample Application Overview

The easiest way to become familiar with the SiteMinder Federation Endpoint is to deploy the SiteMinder FSS sample application and use it to test SAML 2.0 single sign-on and single logout. After running the sample application, you can look at the objects it creates at the SiteMinder Federation Endpoint to accomplish single sign-on and logout. Finally, you can use the sample application objects as a basis for configuring your own federation environment.

Note: The FSS sample application cannot be used with SAML 1.x.

In a deployment that includes the SiteMinder Federation Endpoint (SMFE) and SiteMinder Federation Security Services (SiteMinder FSS), ideally one system is the IdP while the other acts as the SP. The FSS sample application automates all the configuration tasks you would otherwise perform manually to test SAML 2.0 single sign-on and single logout.

The sample application contains the following components:

Configuration files for creating SiteMinder policy objects and SMFE objects
- FederationSample.conf contains configuration settings that define the IdP- and SP-side SiteMinder policy objects. The information in this file is also used to create sample web pages to test single sign-on and single logout; it holds several local environment settings and one partner environment setting.
- SMFEConfig.conf contains information used to create SMFE objects, such as the SP and IdP connection settings for SMFE-to-FSS communication. The information in this file is also used to create sample web pages to test single sign-on and single logout using local environment settings.
Important! You must configure the FederationSample.conf and SMFEConfig.conf files at both the SMFE and the FSS partner for the FSS sample application to work correctly.

SetupFederationSample.pl Perl script
SetupFederationSample.pl is the Perl script that executes the FSS sample application. It creates the objects needed for the IdP and SP sites and the web pages required to initiate single sign-on and single logout between the IdP and the SP. The script relies on the information in the FederationSample.conf and SMFEConfig.conf files.
Note: By default, the script assumes an FSS-to-FSS connection.

Web pages to test single sign-on and single logout
The sample application installs web pages with HTML links that trigger SAML 2.0 single sign-on and single logout transactions between the IdP and SP. When you install the sample application at the SMFE, the directories with these HTML pages are copied to the webapps directory.

The IdP web pages are in the idpsample directory:
- index.jsp is the first web page the user accesses at the IdP for IdP-initiated single sign-on. It provides the link to the protected target resource at the sp.demo partner site, and a single logout link.
  Note: The single logout link is displayed only if FSS is the IdP and an SMSESSION cookie is in the request headers.
- SLOConfirm.jsp displays a message that the user has successfully logged out from the idp.demo and sp.demo domains.

The SP web pages are in the spsample directory:
- index.jsp is the first web page the user accesses at the SP for SP-initiated single sign-on. It provides a link to the protected target resource, reached with the user's credentials from the idp.demo partner site, and a single logout link.
  Note: The single logout link is displayed only if FSS is the IdP and an SMSESSION cookie is in the request headers.
- target.jsp is a protected page at the sp.demo partner site, located in the /spsample/protected directory. When FSS is acting as the SP, target.jsp is protected by the SAML 2.0 authentication scheme. A user sees this page when single sign-on between the IdP and SP succeeds.
- SLOConfirm.jsp displays a message that the user has successfully logged out from the idp.demo and sp.demo domains.

Note: For details about configuring the FSS sample application at an FSS system, see the SiteMinder Federation Security Services Guide.

Prerequisites for Using the FSS Sample Application

Before you run the FSS sample application, you must satisfy the following SiteMinder Federation Endpoint requirements:
- Extract the files from the SMFE archive and install and configure the SMFE system. The FSS sample application components are included in the SMFE archive and are extracted to a directory called FSS_Sample_App.
- Install and configure an Apache Tomcat server.
- Copy the SMFE sample application installed by the SMFE product to the Tomcat server. Do not confuse this with the FSS sample application.
- If the SMFE and SiteMinder FSS are installed on different machines, make sure that you have installed the FSS sample application on each machine. Do not confuse the FSS sample application with the SMFE sample application.

- Use the Perl interpreter shipped with the FSS sample application to run the sample application. The Perl interpreter is located in the following directories:
  Windows: \FSS_Sample App\Perl\Windows\bin
  Solaris: \FSS_Sample App\Perl\Solaris\bin
  Important! Ensure that the Perl binary bundled with the SiteMinder Policy Server Option Pack is the first or only such binary in the PATH, so that the bundled Perl binary is invoked rather than another Perl binary.
- (Optional) If you want to see the assertion generated by the FSS IdP after testing single sign-on, enable FSS trace logging so that the FWSTrace.log file is generated. You enable logging in the LoggerConfig.properties file, located in the web_agent_home/affwebservices/WEB-INF/classes directory.
- The user running the Perl script must have read/write permissions on the web server's document root directory.

Note: For instructions on installing and configuring the SMFE and associated components, see the SiteMinder Federation Endpoint Quick Start Guide and the SiteMinder Federation Endpoint Administrator's Manual.

Sample Federation Network for the Sample Application

The sample web sites in the SiteMinder federated network are an Identity Provider named idp.demo and a Service Provider named sp.demo. There is a business partnership between idp.demo and sp.demo.

The following illustration shows the sample federated network.

[Figure: the sample federated network. idp.demo (Domain A) and sp.demo (Domain B); one side runs the Policy Server + Option Pack and Web Agent + Option Pack, the other runs the Federation Endpoint in front of the target application, with single sign-on or single logout flowing between them.]

How To Execute the Sample Application

After all the prerequisites are completed on the one or two systems in your federation network, you can run the sample application.

To use the FSS sample application, complete the following process:
1. Modify the settings in the FederationSample.conf and SMFEConfig.conf files for your environment at both the FSS system and the SMFE system.
2. Copy the SMFE sample application to the Tomcat webapps directory. The FSS sample application is copied to the Tomcat server automatically when you run the sample application script.
3. Run the SetupFederationSample.pl script for the IdP and for the SP.
   Important! If SiteMinder FSS and the SMFE are installed on one system, you must run the SetupFederationSample.pl script twice, once for the IdP entity and once for the SP entity.
4. Test single sign-on and single logout.

Modify the FederationSample.conf File

The FederationSample.conf file holds the settings for the local environment, such as your web server port and user directory. It also contains one setting for the partner site. At the FSS site, the information in this file is used to create IdP and SP SiteMinder policy objects, such as policy domains and SAML Service Provider objects. At the SMFE site, the information in this file is used to create IdP and SP connection objects.

To modify the FederationSample.conf file at the SMFE system
1. Go to smfe_home/quickstart/fss_sample_app/federation.
2. Open the FederationSample.conf file.
3. Modify the settings in the file.
4. Save the file.

FederationSample.conf File Settings

You must configure the FederationSample.conf settings at both the FSS and SMFE sites. At the SMFE site, you must configure the following settings:
WEB_SERVER_DOC_ROOT
WEB_SERVER_PORT
PARTNER_WEB_SERVER_PORT
At the FSS site, you must configure all the settings.

The settings for the FederationSample.conf file are as follows:

USER_DIRECTORY
Name of an existing user directory object specified in the Policy Server User Interface. This directory must contain at least one user entry. If no value is specified, the sample application script reads the user directory information from the policy store, provided only one user directory is listed. If more than one user directory is listed, the script asks you to enter the user directory name in this file. There is no default value.

USER_ATTRIBUTE
The value of this attribute becomes the Name Identifier value in the SAML assertion. If no value is specified for this setting, the sample application script chooses a value based on the user directory type. Examples of attribute values include:
LDAP: uid or mail
ODBC: name or
If no value is specified, the sample application chooses one of the following defaults:
For LDAP: uid
For ODBC: name
For Active Directory: cn

AGENT_NAME
Name of the DefaultAgentName configuration setting for the Web Agent. This setting is specified in the Agent Configuration Object in the Policy Server User Interface. If no value is specified, the sample application script reads the DefaultAgentName from the policy store, provided only one Agent Configuration Object is found. If more than one Agent Configuration Object exists, the script asks you to enter the DefaultAgentName value in this file.

WEB_SERVER_DOC_ROOT
Full path to the web server's document root directory. The default value is C:\Inetpub\wwwroot, the root directory for an IIS web server. For example, if you are using a Sun Java System web server, the path would be server_root/docs.

WEB_SERVER_PORT
The web server's listening port. The default port is 80.

PARTNER_WEB_SERVER_PORT
The listening port of the web server on the opposite side of the federation connection. For example, if your site is the IdP, this is the SP's web server port. The default port is 80.

Modify the SMFEConfig.conf File

The SMFEConfig.conf file holds the settings for the local environment, such as the SMFE installation directory, the Tomcat port, and the web server port. At the SMFE, the information in this file is used to create SMFE objects, such as the SP and IdP connection settings for SMFE-to-FSS communication. At the FSS site, the information in this file is used to create Service Provider objects and SAML 2.0 authentication scheme objects in the Policy Server User Interface.

To access the SMFEConfig.conf file and modify the settings

1. Go to smfe_home/quickstart/fss_sample_app/federation.
2. Open the SMFEConfig.conf file.
3. Modify the settings in the file. At the SMFE site, you are required to complete all the settings.
4. Save the file.

SMFEConfig.conf File Settings

You must configure the SMFEConfig.conf file at both the FSS and SMFE systems. At the FSS site, you must configure the following settings:

TOMCAT_PORT
SMFE_HTTP_PORT
SMFE_HTTPS_PORT
SMFE_SECONDARY_HTTPS_PORT

At the SMFE site, you must configure all the settings.

The settings for the SMFEConfig.conf file are as follows:

SMFE_INSTALL_DIR
Full path to the directory where the SMFE is installed. The default value is C:\SiteMinder_Federation_Endpoint.

SMFE_SAMPLE_APP_DIR
Full path to the directory where the SMFE sample application is installed. The default value is C:\apache-tomcat \webapps\SpSample. If SMFE is the IdP, specify the full path to the IdPSample directory.
Important! SpSample is the sample application provided with the SMFE product, not the SiteMinder federation sample application.

TOMCAT_PORT
The Tomcat listening port. The default port is

SMFE_HTTP_PORT
The SMFE HTTP port. The default port is

SMFE_HTTPS_PORT
The SMFE HTTPS listening port. The default port is

SMFE_SECONDARY_HTTPS_PORT
The SMFE secondary HTTPS port, used for the SMFE artifact resolution service. The default port is

SetupFederationSample.pl Command Options

The SetupFederationSample.pl script executes the sample application and sets up the IdP and SP objects that enable single sign-on and single logout. This script is located on the SMFE system in the directory smfe_home/quickstart/fss_sample_app/federation.

To run the sample application script, use the following command and the associated command options. The command syntax is:

perl SetupFederationSample.pl -command_option value

You can specify several command options on one command line. Example:

perl SetupFederationSample.pl -idp SMFE -partner FSS

Important! All the command line options are case-sensitive.

The command options are:

-admin
The SiteMinder administrator name. Do not use this option when configuring an SMFE system; it is only for configuring a SiteMinder FSS system.

-password
The password of that SiteMinder administrator. Do not use this option when configuring an SMFE system; it is only for configuring a SiteMinder FSS system.

-remove
Removes all objects created by the sample application.

-idp
Creates only the IdP objects in the SMFE database. You cannot use this option and the -sp option together. If you do not specify a value for this option or the -sp option, the sample application assumes a default of FSS-to-FSS communication. The possible values are FSS or SMFE.

-sp
Creates only the SP policy objects in the SMFE database, depending on which system you are configuring. You cannot use this option and the -idp option together. The possible values are FSS or SMFE.

-partner (optional)
Indicates which application is installed at the partner site. The default is FSS. The possible values are FSS or SMFE. Do not specify SMFE for this option if you have set the -idp or -sp option to SMFE; that is, the following commands are invalid:

perl SetupFederationSample.pl -idp SMFE -partner SMFE
perl SetupFederationSample.pl -sp SMFE -partner SMFE

Deploy the Sample Application with SMFE as the IdP

We recommend installing the FSS sample application on two separate systems, one acting as the Identity Provider and the other acting as the Service Provider. The SMFE and SiteMinder FSS can each act as the Identity Provider or the Service Provider.

Note: When you run the FSS sample application, it backs up the SMFE sample application files in the \config directory and the SMFE data files in the \data directory. The back-up files are written to the same directories where the original files reside, with the extension .sampleapp.bak appended to their file names.

Before you begin, make sure that you have installed the FSS sample application on the SMFE and FSS machines in the network.

Important! If SMFE is installed on the same system as SiteMinder FSS, run the SetupFederationSample.pl script twice, once for the IdP entity and once for the SP entity.

To run the sample application with SMFE as the IdP and FSS as the SP

1. Complete all the core SiteMinder and Federation Security Services prerequisites (see page 21) on one system.
2. Complete the SMFE prerequisites (see page 21) on the partner system.
3. Make sure the user running the SetupFederationSample.pl script has read/write permissions to the web server's document root directory.
4. Modify the hosts file of each system so that it recognizes the other system with which it is communicating. On the SMFE IdP system, add the IP address of the SP system. On the FSS SP system, add the IP address of the IdP system. On Windows, the hosts file is typically located in WINDOWS\system32\drivers\etc\hosts. On Solaris/UNIX, the hosts file is commonly located in /etc/hosts.
5. (Optional) If you are using a web browser on a system that does not have the correct host mappings for the IdP and SP hosts, add these mappings to that system's hosts file.
6. Configure the settings in the FederationSample.conf file at the FSS and SMFE sites.
7. Configure the settings in the SMFEConfig.conf file (see page 26) at the FSS and SMFE sites.
8. Execute the sample application as follows:
   On the SMFE IdP system, enter the following command:
   perl SetupFederationSample.pl -idp SMFE -partner FSS
   On the FSS SP system, enter the following command:
   perl SetupFederationSample.pl -admin siteminder_administrator -password administrator_password -sp FSS -partner SMFE
9. At the SMFE IdP system, restart the SMFE service and the Tomcat server.
10. At the FSS SP system, restart the Policy Server.
11. Test single sign-on (see page 133) and single logout (see page 155).
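The option rules in the command reference above and the two commands just shown (the SMFE-as-SP procedure that follows uses the mirror-image pair) can be checked before anything is written to the policy store or the SMFE database. The following Python script is an added example, not part of the CA guide or of the sample application: it encodes the documented constraints on -idp, -sp, -partner, -admin and -password, rejects the combinations the guide calls invalid, and prints the shell-quoted command for each system. The administrator name and password it prints are placeholders.

```python
"""Plan the SetupFederationSample.pl runs for an SMFE/FSS sample deployment.

Added example, not code from the CA guide. It encodes the documented option
rules: options are case-sensitive, -idp and -sp are mutually exclusive and
take FSS or SMFE, -partner defaults to FSS, an SMFE entity cannot have an SMFE
partner, and -admin/-password are used only on SiteMinder FSS systems.
"""
import shlex

ENTITIES = ("FSS", "SMFE")
ROLES = ("idp", "sp")


def build_setup_command(role, local, partner=None, admin=None, password=None):
    """Return argv for one run of SetupFederationSample.pl.

    role     "idp" or "sp": the entity whose objects this run creates
    local    product on the system being configured, "FSS" or "SMFE"
    partner  product at the other site; the script assumes FSS when omitted
    admin, password  Policy Server administrator credentials, FSS systems only
    Raises ValueError for every combination the guide documents as invalid.
    """
    if role not in ROLES:
        raise ValueError("role must be 'idp' or 'sp'; -idp and -sp cannot be combined")
    if local not in ENTITIES:
        raise ValueError("-%s accepts only FSS or SMFE" % role)
    partner = "FSS" if partner is None else partner
    if partner not in ENTITIES:
        raise ValueError("-partner accepts only FSS or SMFE")
    if local == "SMFE" and partner == "SMFE":
        raise ValueError("-%s SMFE cannot be combined with -partner SMFE" % role)
    if local == "FSS" and not (admin and password):
        raise ValueError("an FSS system needs -admin and -password")
    if local == "SMFE" and (admin or password):
        raise ValueError("-admin and -password are for FSS systems only")

    argv = ["perl", "SetupFederationSample.pl"]
    if local == "FSS":
        argv += ["-admin", admin, "-password", password]
    return argv + ["-" + role, local, "-partner", partner]


def is_valid_combination(**kwargs):
    """True if build_setup_command accepts the options, False otherwise."""
    try:
        build_setup_command(**kwargs)
        return True
    except ValueError:
        return False


def plan_deployment(smfe_role, admin, password):
    """Commands for the two-system layouts in this chapter: SMFE takes
    smfe_role ("idp" or "sp") and SiteMinder FSS takes the other role.
    The same two commands apply when both products share one system,
    which is why the guide says to run the script twice there."""
    fss_role = "sp" if smfe_role == "idp" else "idp"
    return {
        "SMFE system": build_setup_command(smfe_role, "SMFE", partner="FSS"),
        "FSS system": build_setup_command(fss_role, "FSS", partner="SMFE",
                                          admin=admin, password=password),
    }


def render(argv):
    """Shell-quoted form of a command, safe to paste into a terminal."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    # The credentials below are placeholders, not values from the guide.
    for system, argv in plan_deployment("idp", "siteminder", "change-me").items():
        print("%s: %s" % (system, render(argv)))
```

Because SetupFederationSample.pl takes -password on the command line, the FSS-side command is visible in process listings and in shell history while it runs; run it from a session whose history is cleared afterwards.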

Deploy the Sample Application with the SMFE as the SP

We recommend installing the sample application on two separate systems, one acting as the Identity Provider and the other acting as the Service Provider. The SMFE and SiteMinder FSS can each act as the Identity Provider or the Service Provider.

Note: When you run the FSS sample application, it backs up the SMFE sample application files in the \config directory and the SMFE data files in the \data directory. The back-up files are written to the same directories where the original files reside, with the extension .sampleapp.bak appended to their file names.

Make sure that you have installed the sample application on each machine in the network.

Important! If SMFE is installed on the same system as SiteMinder FSS, run the SetupFederationSample.pl script twice, once for the IdP entity and once for the SP entity.

To run the sample application with SMFE as the SP and FSS as the IdP

1. Complete all the core SiteMinder and Federation Security Services prerequisites (see page 21) on the IdP system.
2. Complete the SMFE prerequisites (see page 21) on the SP system.
3. Make sure the user running the SetupFederationSample.pl script has read/write permissions to the web server's document root directory.
4. Modify the hosts file of each system so that it recognizes the other system with which it is communicating. On the SMFE SP system, add the IP address of the FSS IdP system. On the FSS IdP system, add the IP address of the SMFE SP system. On Windows, the hosts file is typically located in WINDOWS\system32\drivers\etc\hosts. On Solaris/UNIX, the hosts file is commonly located in /etc/hosts.
5. (Optional) If you are using a web browser on a system that does not have the correct host mappings for the IdP and SP hosts, add these mappings to that system's hosts file.
6. Configure the settings in the FederationSample.conf file at the FSS and SMFE sites.
7. Configure the settings in the SMFEConfig.conf file (see page 26) at the FSS and SMFE sites.

8. Execute the sample application as follows:
   On the SMFE SP system, enter the following command:
   perl SetupFederationSample.pl -sp SMFE -partner FSS
   On the FSS IdP system, enter the following command:
   perl SetupFederationSample.pl -admin siteminder_administrator -password administrator_password -idp FSS -partner SMFE
9. At the SMFE SP system, restart the SMFE service and restart the Tomcat server.
10. At the FSS IdP system, restart the Policy Server.
11. Test single sign-on (see page 133) and single logout (see page 155).

Test SSO with the FSS Sample Application

After running the sample application, you can test single sign-on.

To test federated single sign-on

1. Open a browser.
2. Enter the URL for the web page that has links to trigger single sign-on.
   For IdP-initiated single sign-on, access the index.jsp page at:
   For SP-initiated single sign-on, access the index.jsp page at:

[Figure: the IdP.demo home page]

[Figure: the SP.demo home page]

3. Click one of the single sign-on links. If SiteMinder FSS is the Identity Provider, a login challenge like the following is presented:

[Figure: SiteMinder FSS login challenge]

If SMFE is the Identity Provider, a login challenge like the following is presented:

[Figure: SMFE login challenge]

4. For SMFE-to-FSS communication, enter the following credentials in the login dialog:
   Username: user1
   Password: password
   Be sure that user1 exists in both the SMFE and FSS user stores.

If single sign-on is successful, you should see the following welcome page:

[Figure: the SP.demo welcome page]

Test Single Logout with the FSS Sample Application

After you have successfully tested single sign-on, you can test single logout from the SP.demo welcome page.

To test single logout

On the SP Welcome page, click the link labeled "Single Logout using HTTP Redirect binding". The following page is displayed:

[Figure: single logout confirmation page]

If you see this message, single logout is successful.

Review SMFE Objects Generated by the FSS Sample Application

The FSS sample application automatically creates objects in the SMFE database that enable federated single sign-on and single logout. After successfully signing on, log on to the SMFE Administrative Console and look at the objects set up by the sample application. Objects to look at include:

Local Settings
SP Connection settings
IdP Connection settings

Chapter 3: Deploying Federation without the Sample Application

This section contains the following topics:
Manual Deployment Overview for SMFE-FSS Networks (see page 35)
Prerequisites for a Manual SMFE Deployment (see page 35)
Sample Data Used for Deployment Examples (see page 36)

Manual Deployment Overview for SMFE-FSS Networks

You can accomplish manually what the sample application deploys automatically. The rest of this guide describes the manual deployment tasks for configuring the FSS and SMFE systems to accomplish single sign-on and single logout. Additionally, there are manual configuration steps for setting up Identity Provider Discovery, which is beyond the scope of the sample application.

Prerequisites for a Manual SMFE Deployment

This deployment assumes you have certain knowledge. For SiteMinder FSS, we assume you know how to do the following:
Install and configure the SiteMinder Policy Server and Web Agent and their associated Option Packs.
Enable a web or application server for SSL communication (needed for the artifact binding).
Work with certificates and understand certificate operation, such as how to request a certificate and have it signed by a certificate authority, and the difference between a private key and a public key.
Add users to a user store. For example, if you have a Sun ONE Directory Server, you have to know how to use the Sun ONE Server Console.
Set up an ODBC database to be enabled as a session store.

For SMFE, we assume you know how to do the following:
Install and configure the SMFE product.
Install and run a Tomcat server.
Work with certificates and understand certificate operation.

Sample Data Used for Deployment Examples

Throughout this deployment, sample entries are used to illustrate the configuration at the SMFE and FSS systems. To review the sample data, go to:
FSS Sample Data (see page 36)
SMFE Sample Data (see page 38)

FSS Sample Data

The following table shows the sample data being used by SiteMinder FSS.

SiteMinder FSS Data: Sample Value

Web Agent Name: FSS Agent
Policy store, user store, and session store: LDAP directory
User only for SAML 1.x examples: Name: lisac; Password: test
User only for SAML 2.0 examples: Name: user1; Password: password
Audience: SAML 1.x: ; SAML 2.0: sp.demo
Base URL (non-SSL) for the web server hosting Federation Web Services (producer/IdP-side web server with the Web Agent Option Pack): SAML 1.x: ; SAML 2.0:
Base URL SSL port for the web server hosting Federation Web Services (producer/IdP-side web server with the Web Agent Option Pack): SAML 1.x: ; SAML 2.0:

Assertion Consumer URL, SiteMinder FSS as consumer/SP: SAML 1.x: public/samlcc; SAML 2.0:
Certificate of Certificate Authority (CA): Certificate of CA: docca.crt; DER-encoded cert: docca.der; alias: sampleappcertca. This CA signs the server-side certificate to enable SSL.
Certificate and key for signing POST responses: sampleprivkey.pkcs12 and samplecertificate.cer
Certificate for signature verification (consumer/SP side): post-cet.crt; Issuer DN: CN=Certificate Manager,OU=IAM,O=CA.COM; Serial Number: 008D 8B6A D18C 46D8 5B
Single Sign-on Service (SAML 2.0) at FSS IdP:
Single Logout Service for SiteMinder FSS IdP (SAML 2.0):
Identity Provider Discovery Profile servlet (SAML 2.0): public/saml2ipd
Assertion Retrieval Service (SAML 1.x): assertionretriever
Artifact Resolution Service for the service at SiteMinder FSS (SAML 2.0):
Sample application for SAML Artifact (SAML 1.x examples): fss-artifact-app.html
Sample application for SAML POST (SAML 1.x examples): fss-post-app.html
Sample realm created in the Policy Server User Interface containing the sample POST application (SAML 1.x): Name: consumer-post; Agent: FSS Agent; Resource filter: /saml-samlauthprotected-post; Auth. scheme: saml-post

Sample realm created in the Policy Server User Interface containing the sample artifact application (SAML 1.x): Name: consumer-artifact; Agent: FSS Agent; Resource filter: /saml-samlauthprotected-artifact; Auth. scheme: saml-artifact
Sample realm created in the Policy Server User Interface containing the sample application (SAML 2.0): Name: SP Target Page Protection Realm; Agent: sp-webagent; Resource filter: /spsample/protected.jsp; Auth. scheme: Partner Idp.demo Auth Scheme
Target value used in the Intersite Transfer URLs (SAML 1.x): TARGET=
Target value URLs (SAML 2.0): TARGET=

SMFE Sample Data

The following table shows the sample data being used by the SMFE.

SMFE Data: Sample Value

Administrative Console URL:
Secondary port specified in run.properties for artifact requests:
SAML 1.x Source ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (NOTE: this is just a sample ID)
SAML v2 Entity ID: sp.demo
Issuer (SiteMinder is the producer):
Base URL for the web server hosting the SMFE application:
Assertion Consumer URL at the SMFE: SAML 1.x: ; SAML 2.0:
Certificate to sign POST responses: pingtest_signing_cert.p12
Certificate for signature verification (SAML 2.0 examples): post-cet.crt; Issuer DN: CN=Certificate Manager,OU=IAM,O=CA.COM; Serial Number: 008D 8B6A D18C 46D8 5B

Certificate for signature verification (SAML 1.x examples): idp-port-com-signing.cer
SLO Service (SAML 2.0): At the SP: ; At the IdP:
SLO Confirm URL (SAML 2.0): At the SP: ; At the IdP:
Endpoint for SAML 2.0 IdP Discovery functionality (IdP side): /idp/writecdc.ping
Endpoint used for IdP Discovery implementations (SP side): /sp/cdcstartsso.ping
Assertion Retrieval URL: SAML 1.x: ; SAML 2.0:
Sample SMFE Java application for SMFE as the consumer: SMFE_install_dir\quickstart\sample_app\java\SpSample
Sample SMFE Java application for SMFE as the producer: SMFE_install_dir\quickstart\sample_app\java\IdpSample
hostpf entry in the config files for the sample applications (pingfederate-sp-config.properties and pingfederate-idp-config.properties): pingfederate-idp-config.properties: ; pingfederate-sp-config.properties:


Chapter 4: FSS and SMFE Configuration Settings that Must Match

This section contains the following topics:
SAML 1.x Settings that Must Match (see page 41)
SAML 2.0 Settings that Must Match (see page 42)

SAML 1.x Settings that Must Match

The table lists the SAML 1.x values that must match between the FSS and SMFE configurations. Each entry gives the SiteMinder FSS setting first and the SMFE setting it must match second.

Affiliate Name (SAML 1.x POST); Location: SAML 1.x POST Authentication Scheme dialog
Must match: SAML v1.x Issuer/Audience; Location: Federation Info (Local Settings)

Affiliate Name (SAML 1.x Artifact); Location: Scheme Setup tab in the SAML Artifact Authentication Scheme Properties
Must match: SAML v1.x Issuer/Audience; Location: Federation Info (Local Settings)
Must match: SOAP Username; Location: Back-Channel Authentication (SP Connection > Credentials)

Audience (FSS as the Consumer); Location: SAML POST or Artifact Authentication Scheme Properties
Must match: Audience (Connection ID); Location: General Info for the SP connection

Audience (FSS as the Producer); Location: Assertions tab of the Affiliate Properties
Must match: SAML v1.x Issuer/Audience; Location: Federation Info (Local Settings)

Authentication; Location: Scheme Setup tab in the SAML Artifact Template Authentication Scheme Properties
Must match: Inbound SOAP Authentication Type; Location: Back-Channel Authentication (SP Connection > Credentials)

Password / Verify Password; Location: SAML Artifact Template Authentication Scheme Properties
Must match: Password; Location: Back-Channel Authentication (SP Connection > Credentials)

SAML 2.0 Settings that Must Match

The table lists the SAML 2.0 values that must match between the FSS and SMFE configurations. Each entry gives the SiteMinder FSS setting first and the SMFE setting it must match second.

The following three settings must match each other and the SMFE setting:
SP ID (SiteMinder as the Identity Provider); Location: General tab on the SAML Service Provider Properties dialog
Audience (SiteMinder as the Identity Provider); Location: SSO tab on the SAML Service Provider Properties dialog
SP ID (SiteMinder as the Service Provider); Location: Scheme Setup tab on the Authentication Scheme Properties dialog
Must match: SAML v2.0 Entity ID; Location: Federation Info (Local Settings)
Must match: Partner's Entity ID (Connection ID); Location: General Info for the SP connection

IdP ID (SiteMinder as the Service Provider); Location: Scheme Setup tab on the Authentication Scheme Properties dialog
Must match: SAML v2.0 Entity ID; Location: Federation Info (Local Settings)

Authentication; Location: Backchannel tab on the SAML 2.0 Auth Scheme Properties dialog (SAML 2.0 artifact only)
Must match: Inbound SOAP Authentication Type; Location: Back-Channel Authentication (SP Connection, Credentials)

SP Name; Location: Backchannel tab on the SAML 2.0 Auth Scheme Properties dialog (SAML 2.0 artifact only)
Must match: SOAP Username; Location: Back-Channel Authentication (SP Connection, Credentials)

Password and Confirm Password; Location: Backchannel tab on the SAML 2.0 Auth Scheme Properties dialog (SAML 2.0 artifact only)
Must match: Password; Location: Back-Channel Authentication (SP Connection, Credentials)

Service URL; Location: IPD tab in the Service Provider Properties dialog
Must match: the URL entered in the browser to test IdP Discovery with SMFE as the Identity Provider


Chapter 5: SAML 1.x SSO with SiteMinder FSS

This section contains the following topics:
SiteMinder FSS as the SAML 1.x Producer (see page 45)
SiteMinder FSS as the SAML 1.x Consumer (see page 51)
SAML 1.x SSO Verification (see page 59)

SiteMinder FSS as the SAML 1.x Producer

The procedures that follow describe the configuration for SiteMinder serving as a SAML 1.x producer.

Install the Policy Server and Policy Server Option Pack

To install the Policy Server and the Policy Server Option Pack, follow the instructions in the Policy Server Installation Guide and the Policy Server, Web Agent Option Pack Release Notes.

Create a SAML 1.x Affiliate Domain

You have to identify the SMFE consumer to the SiteMinder producer via the Administrative UI. Detailed step-by-step instructions for the following procedure can be found in the Federation Security Services Guide, in the section on identifying a SAML 1.x consumer to the producer.

To establish the SMFE as an affiliate

1. Create an affiliate domain.
2. Assign a user directory as a user store.
3. Accept the default SiteMinder administrator.
4. Add the SMFE to the affiliate domain.

Add the SMFE to the SAML 1.x Affiliate Domain

The SMFE, as the consumer/SP, receives assertions from the SiteMinder FSS. By adding the SMFE to an affiliate domain, you:
identify it to the SiteMinder FSS
select the SAML profile being used
specify the users who want access to the resource at the SMFE
determine how the assertion is sent across to the SMFE

Detailed instructions for the following procedure can be found in the Federation Security Services Guide. Refer to the sections about configuring consumers or Service Providers.

To add the SMFE as an affiliate

1. Access the Affiliate Properties dialog for the SMFE consumer.
2. Enter data in the following required fields as shown:
   Name: spsmfe-artifact (for the artifact profile) or spsmfe-post (for the POST profile)
   Description: SMFE Consumer
   Password and Confirm Password (SAML artifact only): federate
   Note: This password is the credential the consumer presents on the artifact back channel (it must match the SMFE Back-Channel Authentication password, see Chapter 4). The value federate is the sample used throughout this guide; use a strong, unique value in a real deployment.
   Authentication URL: redirectjsp/redirect.jsp
   Note: Protect this URL with a policy (see page 48).
3. Select the Enabled check box to activate the affiliate object.
4. Select the Users tab, and add the users who require access to the SMFE consumer. For this deployment, user1, defined in the LDAP user store, should have access.

5. Click the Assertions tab and complete the following fields as shown:
   SAML Profile: artifact or POST
   Assertion Consumer URL (SAML POST only):
   SAML Version: 1.1
   Audience: The Audience entry here is the value of the Issuer/Audience field when defining the Federation Info settings of the SMFE as the consumer.
   Validity Duration: 60 seconds
   Skew Time: 30 seconds
6. Click OK to save your changes.
7. Set up the Web Agent and Web Agent Option Pack (see page 47).

Install the Web Agent and Web Agent Option Pack

You need to install the Web Agent and the Web Agent Option Pack to set up the Federation Web Services application.

To set up Federation Web Services

1. Install a Web Agent. For instructions, see the Web Agent Installation Guide.
   Note: When SiteMinder FSS is the producer or IdP, be sure to set the Web Agent configuration parameter RequireCookies to No. This is not necessary when SiteMinder FSS is the consumer or SP.
2. Install the Web Agent Option Pack. For instructions, see the Policy Server, Web Agent Option Pack Release Notes.
3. Install ServletExec, WebLogic, or WebSphere for Federation Web Services.

4. For artifact single sign-on only, SSL-enable the web server where the Web Agent and Web Agent Option Pack are installed. For instructions, see your web server's documentation.
5. Deploy Federation Web Services on the web or application server you are using. For instructions, see the section on the Federation Web Services application in the Federation Security Services Guide.

Protect Federation Web Services

When you install the Policy Server Option Pack and import the ampolicy.smdif file, specific policies and related policy objects are automatically created for the Federation Web Services application. You must enforce protection of the Federation Web Services application as well as specify that the SMFE affiliate can access the Federation Web Services application.

To protect the Federation Web Services application
Follow the detailed instructions in the section on the Federation Web Services application in the Federation Security Services Guide.

Protect the Authentication URL (SAML 1.x)

When you add the SMFE as a consumer to the affiliate domain, you are required to set the AuthenticationURL parameter in the Affiliate Properties dialog. The file that the AuthenticationURL points to is the redirect.jsp file. This file must be protected by a SiteMinder policy so that the Web Agent presents an authentication challenge to users who request a protected consumer resource but do not have a SiteMinder session.

To create a policy to protect the Authentication URL
Follow the detailed instructions for SAML 1.x in the Federation Security Services Guide.
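The Audience, Validity Duration and Skew Time values entered on the Assertions tab above are what the consumer enforces when an assertion arrives. As an added illustration that is not code from the CA guide or from the SMFE product, the following Python function performs that consumer-side check on a SAML 1.1 assertion: it accepts the assertion only inside the NotBefore/NotOnOrAfter window widened by the skew, and only when the consumer's audience is named in the AudienceRestrictionCondition. The sample assertion is constructed for the example; its Issuer value "idp.demo" and audience "sp.demo" are assumptions taken from the sample host names, and signature verification is assumed to have already succeeded before this check runs.

```python
"""Consumer-side check of the SAML 1.1 assertion conditions that the Affiliate
Properties Assertions tab controls: Audience, Validity Duration and Skew Time.

Added example, not code from the CA guide. The sample assertion is constructed
here; the Issuer "idp.demo" and the audience "sp.demo" are assumptions.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted input use defusedxml.ElementTree

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SKEW_TIME = timedelta(seconds=30)  # the Skew Time value used in this chapter


def _tag(name):
    return "{%s}%s" % (SAML1_NS, name)


def parse_instant(value):
    """Parse a SAML dateTime such as 2009-03-04T12:00:00Z (UTC only)."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC: %r" % value)
    value = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_assertion_conditions(assertion_xml, expected_audience, now, skew=SKEW_TIME,
                               expected_issuer=None):
    """Return the list of condition violations; an empty list means accept.

    Signature verification is deliberately outside this function: verify the
    POST response signature (post-cet.crt in the sample data) first, and only
    then trust any attribute read here.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != _tag("Assertion"):
        return ["root element is %s, not a SAML 1.x Assertion" % root.tag]
    problems = []
    if expected_issuer is not None and root.get("Issuer") != expected_issuer:
        problems.append("Issuer %r is not the expected producer" % root.get("Issuer"))

    conditions = root.find(_tag("Conditions"))
    if conditions is None:
        return problems + ["assertion carries no Conditions element"]

    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        problems.append("Conditions must carry both NotBefore and NotOnOrAfter")
    else:
        # Skew Time widens the producer's validity window in both directions.
        if now < parse_instant(not_before) - skew:
            problems.append("assertion not yet valid (NotBefore %s)" % not_before)
        if now >= parse_instant(not_on_or_after) + skew:
            problems.append("assertion expired (NotOnOrAfter %s)" % not_on_or_after)

    # SAML 1.1: when an AudienceRestrictionCondition is present the consumer
    # must be named in it. This check also insists that one is present, since
    # the affiliate configured in this chapter always sets an Audience.
    audiences = [a.text.strip() for a in conditions.iter(_tag("Audience")) if a.text]
    if not audiences:
        problems.append("no AudienceRestrictionCondition in assertion")
    elif expected_audience not in audiences:
        problems.append("audience %r does not include %r" % (audiences, expected_audience))
    return problems


def check_at(assertion_xml, expected_audience, now_utc, **kwargs):
    """Convenience wrapper taking the current time as a SAML-style UTC string."""
    return check_assertion_conditions(assertion_xml, expected_audience,
                                      parse_instant(now_utc), **kwargs)


# Constructed sample: a 60-second window, matching the Validity Duration used
# in this chapter, issued by the assumed producer "idp.demo" for user1.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="constructed-example-0001"
    Issuer="idp.demo" IssueInstant="2009-03-04T12:00:00Z">
  <saml:Conditions NotBefore="2009-03-04T12:00:00Z" NotOnOrAfter="2009-03-04T12:01:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>sp.demo</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2009-03-04T12:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>user1</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for when in ("2009-03-04T12:00:30Z", "2009-03-04T12:01:29Z", "2009-03-04T12:01:30Z"):
        print(when, check_at(SAMPLE_ASSERTION, "sp.demo", when, expected_issuer="idp.demo"))
```

With the 30-second skew, an assertion whose NotOnOrAfter is 12:01:00 is still accepted at 12:01:29 and rejected from 12:01:30 on, which is the trade-off the Skew Time setting makes between clock drift between the two sites and the replay window.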

Create a Page with SAML 1.x Links to the SMFE Consumer

At the SiteMinder producer site, create pages that contain links that direct the user to the consumer site. Each link represents an intersite transfer URL. The user has to visit the intersite transfer URL, which sends a request to the producer-side Web Agent before the user is redirected to the consumer site.

To create the intersite transfer URLs

The link that the user selects at the producer must contain certain query parameters. These parameters are supported by an HTTP GET request to the producer Web Agent.

For the SAML artifact profile, the syntax for the intersite transfer URL is:
SMASSERTIONREF=QUERY&NAME=spsmfe-artifact&TARGET=

For the SAML POST profile, the syntax for the intersite transfer URL is:
SMASSERTIONREF=QUERY&NAME=spsmfe-post&TARGET= sp/acs.saml1&AUTHREQUIREMENT=2

The SMCONSUMERURL and AUTHREQUIREMENT parameters are not used by the SAML POST profile; however, if you include one of these parameters in the intersite transfer URL, you must also include the other.

Configure the Key Database to Sign POST Responses

To sign SAML POST responses, which the SAML specification requires, you have to add a private key and certificate to the SiteMinder key database, named smkeydatabase. You request keys from a Certificate Authority. The private key is added to the smkeydatabase. The public key certificate associated with the private key is sent to the endpoint receiving the assertion. The SMFE needs this public key to verify the signature on the assertion.
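Returning to the intersite transfer URLs described above: the TARGET value is itself a URL, so it has to be percent-encoded inside the query string, and because the producer redirects the user to it after authentication, the page should only ever link to targets on the consumer's own host. The following Python code is an added example, not code from the CA guide: it assembles links for the spsmfe-artifact and spsmfe-post affiliates, enforces that SMCONSUMERURL and AUTHREQUIREMENT appear together or not at all, and decodes a link back for checking. The producer servlet path in INTERSITE_BASE and the host names idp.demo and sp.demo are assumptions; the guide does not show them.

```python
"""Build and vet the SAML 1.x intersite transfer URLs for the producer-side page.

Added example, not code from the CA guide. The servlet path in INTERSITE_BASE
and the host names are assumptions standing in for values the guide does not
show; the query parameters are the ones the section above lists.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

INTERSITE_BASE = "https://idp.demo/affwebservices/public/saml1sso"  # assumed producer path
# Consumer hosts the producer page may send users to. TARGET is a redirect
# destination, so an unchecked value turns the page into an open redirect.
ALLOWED_TARGET_HOSTS = {"sp.demo"}

AFFILIATES = {"artifact": "spsmfe-artifact", "post": "spsmfe-post"}


def build_intersite_url(profile, target, consumer_url=None, auth_requirement=None,
                        base=INTERSITE_BASE):
    """Return the intersite transfer URL for the given profile.

    consumer_url and auth_requirement become SMCONSUMERURL and AUTHREQUIREMENT.
    The guide says the POST profile does not use them but that if one is
    present the other must be too; that pairing rule is enforced here.
    """
    if profile not in AFFILIATES:
        raise ValueError("profile must be 'artifact' or 'post'")
    if (consumer_url is None) != (auth_requirement is None):
        raise ValueError("SMCONSUMERURL and AUTHREQUIREMENT must be given together")
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_TARGET_HOSTS:
        raise ValueError("TARGET %r is not on an allowed consumer host" % target)

    params = [("SMASSERTIONREF", "QUERY"), ("NAME", AFFILIATES[profile]), ("TARGET", target)]
    if consumer_url is not None:
        params += [("SMCONSUMERURL", consumer_url), ("AUTHREQUIREMENT", str(auth_requirement))]
    # urlencode percent-encodes TARGET, so a '?' or '&' inside it cannot split
    # the producer's query string and smuggle in extra parameters.
    return "%s?%s" % (base, urlencode(params))


def parse_intersite_url(url):
    """Decode a link back into its parameters, the way a producer-side check
    would, rejecting duplicated or missing mandatory parameters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True, strict_parsing=True)
    for name in ("SMASSERTIONREF", "NAME", "TARGET"):
        if len(query.get(name, [])) != 1:
            raise ValueError("%s must appear exactly once" % name)
    if query["SMASSERTIONREF"][0] != "QUERY":
        raise ValueError("SMASSERTIONREF must be QUERY")
    if ("SMCONSUMERURL" in query) != ("AUTHREQUIREMENT" in query):
        raise ValueError("SMCONSUMERURL and AUTHREQUIREMENT must be given together")
    return {name: values[0] for name, values in query.items()}


def link_is_valid(*args, **kwargs):
    """True if build_intersite_url accepts the arguments, False otherwise."""
    try:
        build_intersite_url(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    link = build_intersite_url("artifact", "https://sp.demo/spsample/protected.jsp?view=1&lang=en")
    print(link)
    print(parse_intersite_url(link))
```

A link rejected by build_intersite_url should never reach the page; in particular a TARGET on any host other than the configured consumer, or a non-HTTP scheme, is refused before the URL is formed.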

To configure the smkeydatabase to sign SAML POST responses

1. Open a command window.
2. Create the smkeydatabase if it does not exist by entering one of the following commands:
   UNIX: smkeytool.sh createdb passphrase
   Windows: smkeytool.bat createdb passphrase
3. Add a private key and certificate by entering one of the following commands:
   UNIX:
   smkeytool.sh -addprivkey -alias defaultenterpriseprivatekey -keyfile "/opt/netegrity/siteminder/certs/sampleprivkey.pkcs12" -certfile "/opt/netegrity/siteminder/certs/samplecertificate.cer" passphrase
   Windows:
   smkeytool.bat -addprivkey -alias defaultenterpriseprivatekey -keyfile "c:\program files\netegrity\siteminder\certs\sampleprivkey.pkcs12" -certfile "c:\program files\netegrity\siteminder\certs\samplecertificate.cer" passphrase

   The -keyfile argument is the location of the private key, in PKCS#12 format, at the Identity Provider. For this deployment, that key is sampleprivkey.pkcs12. The -certfile argument is the location of the public key certificate, samplecertificate.cer, followed by the password associated with the private key, which is passphrase. Because the passphrase is passed on the command line it is visible in process listings and shell history while the command runs; treat the sample value as a placeholder and clear the history afterwards.

For more information about the smkeydatabase and smkeytool, see the section on using key databases in the Federation Security Services Guide.

Protect the SAML 1.x Assertion Retrieval Service (Artifact only)

The Assertion Retrieval Service resides at the SiteMinder producer. When it receives a request containing a SAML artifact, it retrieves the associated assertion from the SiteMinder Session Server.

Note: For artifact retrieval to be successful, the SiteMinder FSS that generates assertions must have its Web Agent configuration parameter RequireCookies set to No.

By default, there is a pre-configured policy that uses the Basic over SSL authentication scheme to protect the Assertion Retrieval Service. However, if you want to configure the policy for client certificate authentication instead of Basic over SSL, you need to create this policy for a different realm than the realm that uses the Basic over SSL scheme.

Generally, the administrator at the producer should create two policies to protect the Assertion Retrieval Service, one for Basic over SSL and one for client certificate authentication.

To protect the Assertion Retrieval Service using a client certificate authentication scheme

1. Create a policy at the producer that uses an X.509 client certificate authentication scheme.

2. Enable client certificate authentication at the consumer.

For detailed instructions, see the SAML 1.x instructions in the Federation Security Services Guide.

SiteMinder FSS as the SAML 1.x Consumer

The procedures that follow describe the configuration for SiteMinder as a SAML 1.x consumer.

Install the Policy Server and the Policy Server Option Pack

To install the Policy Server and the Policy Server Option Pack, follow the instructions in the Policy Server Installation Guide and the Policy Server, Web Agent Option Pack Release Notes.

Protect the Federation Web Services Application

When you install the Policy Server Option Pack and import the ampolicy.smdif file, specific policies and related policy objects are automatically created for the Federation Web Services application. You must enforce protection of the Federation Web Services application and also specify that the SMFE affiliate can access the Federation Web Services application.

To protect the Federation Web Services application

Follow the detailed instructions in the section on the Federation Web Services application in the Federation Security Services Guide.

Chapter 5: SAML 1.x SSO with SiteMinder FSS 51

Install the Web Agent and Web Agent Option Pack

You need to install the Web Agent and the Web Agent Option Pack to set up the Federation Web Services application.

To set up Federation Web Services

1. Install a Web Agent. For instructions, see the Web Agent Installation Guide.

   Note: When SiteMinder FSS is the producer or IdP, be sure to set the Web Agent configuration parameter RequireCookies to No. This is not necessary when SiteMinder FSS is the consumer or SP.

2. Install the Web Agent Option Pack. For instructions, see the Policy Server, Web Agent Option Pack Release Notes.

3. Install ServletExec, WebLogic, or WebSphere for Federation Web Services.

4. For artifact single sign-on only, SSL-enable the web server where the Web Agent and Web Agent Option Pack are installed. For instructions, see your web server's documentation.

5. Deploy Federation Web Services on the web or application server you are using. For instructions, see the section on the Federation Web Services application in the Federation Security Services Guide.

Set Up the smkeydatabase for Artifact Single Sign-on (Optional)

For the artifact binding, the SiteMinder FSS acting as the SAML 1.x consumer or SAML 2.0 Service Provider may use Basic, Basic over SSL, or client certificate authentication to protect the Artifact Resolution Service. If Basic over SSL is used, you must add the appropriate Certificate Authority's certificate to the Service Provider's smkeydatabase to establish the SSL connection between the IdP and SP. The certificate secures the back channel that the assertion is sent across. The Artifact Resolution Service needs to be protected and the back channel needs to be secure so that the Service Provider knows the SSL connection is secured by a trusted authority.

Important! If you configure Basic over SSL as the authentication method for the artifact back channel, disable POST preservation at the producer-side Web Agent. Disable POST preservation by setting the Web Agent's POST Preservation parameter to No.

A set of common root CA certificates is shipped with the default smkeydatabase; however, to use one that is not already in the key store, you must import it into the smkeydatabase.

Note: The Owner CN has to be the domain of the web server hosting the assertion retrieval service (SAML 1.x) or artifact resolution service (SAML 2.0).

Use the SiteMinder smkeytool utility to modify the smkeydatabase. For this deployment, the alias is sampleappcertca and the certificate of the CA is docca.crt.

To add a certificate to the smkeydatabase

1. Open a command window.

2. Check whether the Certificate Authority certificate is already in the database by entering:

   smkeytool -listcerts

   Look for an entry type of CertificateAuthorityEntry.

3. If the CA certificate is not present, import a new CA certificate by entering:

   smkeytool -addcert -alias <alias> -infile <cert_file> -trustcacert

   For this deployment, the command is:

   smkeytool -addcert -alias sampleappcertca -infile docca.crt -trustcacert

4. When asked if you trust the certificate, enter YES. The certificate is added to the key store.

5. Enable the Artifact Binding for SAML Authentication at the SP.

Configure Signing Verification for POST Profile

For the SAML POST profile, the assertion issuer signs the response that contains the assertion. In this case, the SMFE is the assertion issuer, and it should send the public key (samplecaroot.cer in this deployment) to the one partner consuming the assertion, or publish this public key to all its partners who may consume assertions. SiteMinder, as the consuming entity, must verify the signature. To do this, the producer's public key sent to SiteMinder must be added to the smkeydatabase file.

To set up signature verification at the SiteMinder consumer

1. Obtain a CA certificate from a certificate authority.

2. Check whether it already exists in the consuming authority database by entering:

   smkeytool.sh -listcerts

3. Open a command window.

4. Use the smkeytool utility to add the public key, that is, the certificate, to the smkeydatabase at the Policy Server. The command syntax is:

   UNIX:
   smkeytool.sh addcert -alias sp1cacert -infile /opt/ca/siteminder/certs/post-cet.crt

   Windows:
   smkeytool.bat addcert -alias sp1cacert -infile "c:\program files\ca\siteminder\certs\post-cet.crt"

For more information about using the key database, see the Federation Security Services Guide.

Configure the SAML 1.x Authentication Schemes

You can set up an authentication scheme for SAML 1.x artifact or POST bindings that protects the target federated resource at SiteMinder.

More information:

Configure the SAML 1.x POST Authentication Scheme (see page 55)
Configure the SAML 1.x Artifact Authentication Scheme (see page 57)

Configure the SAML 1.x POST Authentication Scheme

If you are using the POST profile for single sign-on, you need to configure the SAML POST template authentication scheme at the SiteMinder consumer.

To configure the SAML 1.x POST authentication scheme

1. Log in to the Policy Server User Interface.

2. Select the SAML POST Template and complete the following fields with the values shown:

   Affiliate Name: smfe-partner
   This value must match the value specified in the Federation Info dialog for the SAML 1.x Audience/Issuer setting at the SMFE producer (IdP).

   Audience

   Assertion Consumer URL

   Issuer

   Dsig Issuer DN: CN=Certificate Manager,OU=IAM,O=CA.COM
   This value comes from the public key in the smkeydatabase. (The public key is sent by the SMFE to SiteMinder, and it is associated with the private key that the SMFE used to sign the POST response.) You can read the Issuer DN by using the smkeytool utility and issuing the following command:

   Windows:
   smkeytool.bat -listcerts

   UNIX:
   smkeytool.sh -listcerts

   For more information about using the key database, see the Federation Security Services Guide.

   Serial Number: 008D 8B6A D18C 46D8 5B
   This value comes from the public key in the smkeydatabase. (The public key is sent by the SMFE to SiteMinder, and it is associated with the private key that the SMFE used to sign the POST response.) You can read the serial number by using the smkeytool utility and issuing the following command:

   Windows:
   smkeytool.bat -listcerts

   UNIX:
   smkeytool.sh -listcerts

   For more information about using the key database, see the Federation Security Services Guide.

   Search Data XPATH Field: //NameIdentifier/text()
   This value tells SiteMinder to use the first instance of the NameIdentifier element in the assertion and map it to a user store entry. Instead of looking for the NameIdentifier, you can specify an XPath query that looks for the value of the <Subject> element in the assertion and maps the value to a user store entry.

   Namespace list

   LDAP Search Specification: name=%s
   This value is the placeholder for what the XPath search generates. Single-attribute look-ups are the only look-ups permitted. You can also enter a specific value instead of a variable statement.

   SAML Version: 1.1 (by default)

   Redirect Mode: 302 No Data

   For detailed instructions and field descriptions, see the Federation Security Services Guide.

3. Click OK to save your configuration.

4. Protect a resource with this authentication scheme (see page 58).
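The following is an added illustration of what the consumer does with the POST authentication scheme fields above; it is not CA SiteMinder or SMFE code, and the assertion, issuer name, audience URL and subject are constructed sample values. It models the Affiliate Name as the expected Issuer, checks the audience and validity window, applies the //NameIdentifier/text() search (first match in document order, as the field description says), and fills the name=%s LDAP Search Specification with the value escaped per RFC 4515 so the look-up stays a single-attribute search. XML signature verification against the producer's certificate (the Dsig Issuer DN and Serial Number fields) is assumed to have already succeeded before any of this runs.

```python
"""Consumer-side checks for a SAML 1.1 POST assertion (added example, not product code).
Assumes the XML signature has already been verified with the producer's public key."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace used by SAML 1.0 and 1.1 assertions

# Constructed sample assertion; issuer, audience and subject are illustrative values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_example-1" Issuer="smfe-partner" IssueInstant="2010-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2010-01-01T11:59:00Z" NotOnOrAfter="2010-01-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://consumer.example.com/affwebservices/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2010-01-01T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# RFC 4515 escapes for values substituted into an LDAP search filter.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def parse_time(value):
    """Parse the UTC 'Z' timestamps used in SAML 1.x into timezone-aware datetimes."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Accept the assertion only if issuer, audience and validity window all check out."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")
    if root.get("Issuer") != expected_issuer:
        raise ValueError("Issuer does not match the configured affiliate")
    conditions = root.find(f"{{{SAML1_NS}}}Conditions")
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        raise ValueError("assertion lacks a usable Conditions element")
    not_before = parse_time(conditions.get("NotBefore"))
    not_on_or_after = parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in conditions.iter(f"{{{SAML1_NS}}}Audience")]
    if expected_audience not in audiences:
        raise ValueError("assertion is not addressed to this audience")
    return root


def search_data(root):
    """Equivalent of the scheme's //NameIdentifier/text(): the first NameIdentifier only."""
    node = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    if node is None or not node.text or not node.text.strip():
        raise ValueError("assertion carries no NameIdentifier")
    return node.text.strip()


def ldap_escape(value):
    """Escape filter metacharacters so the subject cannot alter the search."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_search_spec(spec, value):
    """Fill the single %s placeholder of the LDAP Search Specification (name=%s here)."""
    if spec.count("%s") != 1:
        raise ValueError("search specification must contain exactly one %s placeholder")
    return spec.replace("%s", ldap_escape(value))


def map_assertion_to_user_search(xml_text, expected_issuer, expected_audience, spec, now):
    """Validate the assertion, then produce the user-store search string for its subject."""
    root = validate_assertion(xml_text, expected_issuer, expected_audience, now)
    return ldap_search_spec(spec, search_data(root))


if __name__ == "__main__":
    print(map_assertion_to_user_search(
        SAMPLE_ASSERTION, "smfe-partner", "https://consumer.example.com/affwebservices/",
        "name=%s", parse_time("2010-01-01T12:01:00Z")))
```

The validity window, audience and issuer checks all happen before the subject is ever used for a look-up; an assertion that fails any of them is rejected rather than mapped to a user.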

Configure the SAML 1.x Artifact Authentication Scheme

If you are using the artifact profile for single sign-on, you need to configure the SAML artifact template authentication scheme at the SiteMinder consumer.

To configure the SAML 1.x artifact authentication scheme

1. Log in to the Policy Server User Interface.

2. Select the SAML Artifact Template and complete the fields with the values shown:

   Affiliate Name: smfe-partner
   This value must match the value specified in the Federation Info dialog for the SAML 1.x Audience/Issuer and SOAP Username settings at the SMFE producer.

   Password/Verify Password: federate
   This value is part of the basic credential presented to identify the SiteMinder consumer to the SMFE producer.

   Redirect Mode: 302 No Data

   Company Source ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
   This value is the SAML v1.x Source ID; this is just an example and does not reflect a real Source ID.

   SAML Version: 1.1

   Assertion Retrieval URL
   idp/soap.ssaml1 is the URI of the SMFE servlet that retrieves the assertion. Port 8443 is the secondary port defined in the run.properties file of the SMFE, because you cannot use the default SSL port of 9031 for artifact requests.

   Authentication: Basic Auth

   Audience

   Issuer

   Search Data XPATH field: //NameIdentifier/text()
   This value tells SiteMinder to use the first instance of the NameIdentifier from the assertion. You can also specify that the value comes from the <Subject> element in the assertion.

   Namespace list

   LDAP Search Specification: name=%s
   Single-attribute look-ups are the only look-ups permitted. This value is a placeholder for what the XPath search generates. You can also enter a specific value instead of a variable statement.

   For detailed instructions and field descriptions, see the Federation Security Services Guide.

3. Click OK to save the configuration.

4. Protect a resource using this authentication scheme (see page 58).

Protect the Resource with the SAML 1.x Authentication Scheme

After creating a SAML 1.x authentication scheme, you need to protect the target resource with it.

To protect the target resource

1. Create a unique realm for each SAML authentication scheme.

2. Assign the SAML authentication scheme to the realm. Create a realm that uses one of the following resource filters:

   /saml-samlauthprotected-post/
   /saml-samlauthprotected-artifact/

   Note: There is a slash (/) at the end of the resource filter.

3. Protect the resource with the appropriate artifact or POST authentication scheme.

4. Create a rule for the realm.

5. Create a policy that groups the realm and the rule together.

For instructions on each of these steps, see the Federation Security Services Guide. For details on creating a policy and all its components, see the Policy Design Guide.

SAML 1.x SSO Verification

Assuming that each side of the federation network is configured and operational, test single sign-on (see page 87). You can initiate single sign-on either with SiteMinder FSS as the producer/IdP or with the SMFE as the producer/IdP.

More information:

SAML 1.x SSO Testing (see page 87)


Chapter 6: SAML 1.x SSO with the SMFE

This section contains the following topics:

SMFE as the SAML 1.x Producer (see page 61)
SMFE as the SAML 1.x Consumer (see page 73)
SAML 1.x SSO Verification (see page 86)

SMFE as the SAML 1.x Producer

The procedures that follow show an example of setting up the SMFE as a SAML 1.x producer. This configuration relies on the following components:

SMFE adapter
SMFE agent
Sample application
Apache Tomcat (for use by the sample Java applications)

The SMFE contains an integration kit that includes:

An adapter that plugs into the Federation Endpoint server, which encrypts data into a PFToken that is then sent as a query parameter or browser cookie to the target consumer application. The standard adapters provide a generic interface for integrating with various applications, including Java- and .NET-based applications.

Agent toolkits that extract data from the PFToken and pull out the relevant user data needed by the target application to set a valid session cookie or other application-specific security context for the user.

Note: The SMFE Agent is not related to the SiteMinder Web Agent in any way.

Two sets of sample applications are included with the SMFE that allow you to use your configured Federation Endpoint to demonstrate single sign-on. One is for Java and one is for .NET. The Java Sample Applications use the Java Integration Kit 1.1 for integration with Federation Endpoint. The .NET Sample Applications use the .NET Integration Kit 1.1.

The IdP Sample Application, IdPSample, simulates the use case where users authenticate to an IdP locally to access a remote SP application.

Important! This deployment uses the Java applications.

Configure the SMFE to Accept Artifact Requests

For single sign-on using the artifact profile, you have to configure a port that will accept artifact requests. To do this you have to set an SMFE runtime parameter, located in the run.properties file.

To set up a port

1. Open the run.properties file in an editor. The file is located in:

   SMFE_install_dir/Siteminder_Federation_Endpoint/bin

2. Set the pf.secondary.https.port parameter to the port that will accept artifact requests.

3. Save the file.

In addition, when SSL client certificates are used as the authentication mechanism for the artifact back channel, the secondary listener must be configured to ask for client authentication. This is configured by setting the WantClientAuth field to true in the following file:

   SMFE_install_dir/Siteminder_Federation_Endpoint/server/default/deploy/jetty.sar/meta-inf/jboss-service.xml

Note: These changes require a server restart.

Start the SMFE and Log In to the Administrative Console

You configure SMFE features via the SMFE Administrative Console.

To start the SMFE

1. Enter the following command at the command prompt:

   Windows:
   SMFE_install_dir\Siteminder_Federation_Endpoint\bin\run.bat

   UNIX:
   SMFE_install_dir/Siteminder_Federation_Endpoint/bin/run.sh

   Note: UNIX users may have to set the executable permissions.

2. Access the Federation Endpoint Administrative Console using the fully qualified URL of the server running the SMFE.

3. Enter the default CA SiteMinder Federation Endpoint Username and Password:

   Username: Administrator
   Password: 2Federate

4. Click the Login button. The SMFE Administrative Console displays.

5. Change the Administrator password. Follow the instructions in the Federation Endpoint Quick Start Guide.

Note: To shut down the SMFE, enter Ctrl-c.

Configure the Local Settings for the Producer

Specify the Producer Role and Protocol

The Local Settings include unique federation server identifiers, the designation of your site's federation role (assertion issuer, assertion consumer, or both), and your choice of federation protocols and application integration adapters. Local settings also include system administration configuration (one-user or multi-user), notification options and setup, and shortcut links to adapter configurations and account management (when multi-user administration is enabled).

You need to indicate which role in a federation network the SMFE is fulfilling. Additionally, you need to specify the SAML protocol.

To specify the role and protocol

1. Log in to the Administrative Console and select Local Settings.

2. On the Roles and Protocols dialog, select the following options:

   Enable Identity Provider Role
   Enable SAML v1.1

3. Click Next. The Federation Info dialog appears.

4. Configure the Federation Info.

Configure the SAML 1.x Federation Info at the SMFE Producer

The SMFE Federation Info identifies your federation deployment to your partners, according to the protocol(s) you support.

To configure the Federation Info for the SMFE producer

1. Navigate to the Federation Info dialog in the Local Settings.

2. Configure the following on the Federation Info dialog:

   Base URL (optional)

   SAML v1.x Issuer/Audience: smfe-partner
   In the case of the SMFE as the producer, this is the Issuer value in the assertion.

   SAML v1.x Source ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
   This is just an example for this deployment. It is not a real ID. A Source ID is defined by the SAML specification as a 20-byte binary, hex-encoded number that identifies the producer. This ID is used by the consumer to identify an assertion issuer. Enter a number that matches the Source ID for the producer. A more typical Source ID value is b a0ea431bff69dd346aeeff83128b6f.

3. Click Next.

4. Configure the IdP Adapter (see page 110).

Configure the IdP Adapter Instance (SAML 1.x)

The IdP adapter allows the SMFE to receive a user's identity from the IdP application. If you have multiple applications, configure multiple IdP adapter instances.

To configure an IdP adapter instance

1. Go to the IdP Adapter Selection step.

2. Click Configure Adapter Instances.

3. Click Create New Adapter Instance. The Adapter Type dialog appears.

4. Complete the fields for the adapter instance with the values shown:

   Adapter Instance Name: IdPJava

   Adapter Instance ID: IdPJava

   Adapter Type: PF4 Standard Adapter v1.1

5. Click Next. The IdP Adapter dialog is displayed.

6. Complete only the following settings with the values shown:

   Transfer Method: query

   PFToken Holder Name: IdPJava

   Domain: .idp.com

   Cookie Path: /

   Password: fedendpoint
   This password is shared between the sample application and the adapter.

   Authentication Service
   This is a URL to an external application that authenticates the user. Port 8080 is the Tomcat instance where the IdpSample is deployed.

7. Click Next.

8. Specify the adapter actions.
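The Source ID described in the Federation Info step above (a 20-byte, hex-encoded producer identifier that the consumer uses to identify the assertion issuer) is the same value the SiteMinder consumer holds in its Company Source ID field for the artifact scheme. The following added example, which is not SMFE or SiteMinder code, shows how a consumer would validate a configured Source ID and read it back out of a SAML 1.x type-1 artifact (base64 of the 2-byte type code 0x0001, the 20-byte SourceID and the 20-byte AssertionHandle) before deciding which producer's Assertion Retrieval URL to contact over the back channel. The producer registry and the assertion handle are constructed values; the guide's placeholder of forty a's happens to be valid hex, so it is reused as the registered Source ID.

```python
"""Source ID validation and SAML 1.x artifact parsing (added example, not product code)."""
import base64
import binascii

SAML1_ARTIFACT_TYPE = b"\x00\x01"  # TypeCode of the SAML 1.x type-1 artifact
SOURCE_ID_LEN = 20
HANDLE_LEN = 20

# Constructed registry: the guide's placeholder Source ID mapped to the affiliate
# name used in this deployment.  A real consumer keeps one entry per producer.
PRODUCERS = {"aa" * SOURCE_ID_LEN: "smfe-partner"}


def validate_source_id(hex_value):
    """Return the 20 raw bytes of a well-formed hex Source ID; reject anything else."""
    cleaned = hex_value.strip().lower()
    if len(cleaned) != 2 * SOURCE_ID_LEN:
        raise ValueError("Source ID must be exactly 20 bytes (40 hex characters)")
    try:
        return bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("Source ID must be hex-encoded") from exc


def build_artifact(source_id_hex, handle):
    """Producer side: encode a type-1 artifact that references an assertion handle."""
    if len(handle) != HANDLE_LEN:
        raise ValueError("assertion handle must be 20 bytes")
    raw = SAML1_ARTIFACT_TYPE + validate_source_id(source_id_hex) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64):
    """Consumer side: return (source_id_hex, handle_hex), or raise on malformed input."""
    try:
        raw = base64.b64decode(artifact_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != len(SAML1_ARTIFACT_TYPE) + SOURCE_ID_LEN + HANDLE_LEN:
        raise ValueError("artifact has the wrong length for a type-1 artifact")
    if raw[:2] != SAML1_ARTIFACT_TYPE:
        raise ValueError("unsupported artifact type code")
    source_id = raw[2:2 + SOURCE_ID_LEN]
    handle = raw[2 + SOURCE_ID_LEN:]
    return source_id.hex(), handle.hex()


def producer_for_artifact(artifact_b64, producers=PRODUCERS):
    """Identify the producer whose Assertion Retrieval URL should be called.
    Artifacts from a Source ID that is not registered are refused outright."""
    source_id, _handle = parse_artifact(artifact_b64)
    if source_id not in producers:
        raise ValueError("artifact from an unregistered Source ID; not resolving")
    return producers[source_id]


if __name__ == "__main__":
    sample = build_artifact("aa" * SOURCE_ID_LEN, b"\x01" * HANDLE_LEN)  # constructed
    print(sample, parse_artifact(sample), producer_for_artifact(sample))
```

The length and type-code checks run before the Source ID is looked up, and an unknown Source ID is a hard failure; the consumer should never attempt a back-channel retrieval for a producer it has not been configured to trust.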

Specify Adapter Actions and the Extended Adapter Contract for the Producer

The Adapter Actions are activities that the IdP adapter can perform. The extended adapter contract informs the SMFE of other attributes that it is sending in the assertion.

To configure the remaining settings for the IdP Adapter instance

1. From the Adapter Actions screen, click the Generate properties link to view the adapter configuration properties.

2. Copy and save the results of the display to a separate file. For Java, the file is:

   <SMFE_home>\quickstart\sample_app\java\IdpSample\config\pfagent-idp.properties

   Important! When configuring the IdP or SP Adapter, use WordPad to edit the pfagent-idp.properties (Java application) or pf-agent-idp.config (.NET application) file for configuring the adapter actions. You will need one of these files later for use with the sample application. Also, save the file using the exact name (pfagent-idp.properties or pf-agent-idp.config). Do not save the file using .doc, .txt or any other extension.

3. Click Next. The Extended Adapter Contract dialog is displayed.

4. In the Extended Adapter Contract dialog, click Add to configure the additional attribute.

5. Add userid as an attribute.

6. Click Next until you reach the Summary dialog.

7. On the Summary dialog, verify that the information is correct and click Done. You return to the Manage Adapter Instance dialog.

8. Click Save to complete the adapter configuration.

   Important! You must save at this point or you will lose your configuration.

9. Click Next. The IdP Events dialog displays.

10. Specify the IdP Events (see page 67).

Specify SAML 1.x IdP Events

The IdP Events dialog lets you define the single logout link that the user is sent to if the single sign-on link is not in the assertion.

Important! SAML 1.1 does not support single logout; however, you are required to specify an SLO URL. This URL will be ignored by the SMFE acting as a SAML 1.1 producer.

To specify an SLO URL

1. On the SP Events screen, enter the URL where the user will be directed for single logout.

2. Click Next. The Summary screen is displayed with the completed Local Settings.

3. Save the local settings (see page 67).

Save the IdP Local Settings

The Summary screen lets you review all your local settings.

To save the local settings

1. In the Local Settings, review the summary and click Save. You return to the main menu.

2. Configure the SP connection from the SMFE to the SiteMinder FSS entity consuming assertions.

Configure the SP Connection

For the SMFE producer/IdP to issue assertions, you need to define the partner connection, which is the connection to the SiteMinder consumer/SP. This is defined as the SP connection. This assumes that the producer/IdP is initiating single sign-on.

To create an SP connection

1. Log in to the Administrative Console. The Main menu displays.

2. Under SP Connections, select Create New.

3. Define all the settings associated with an SP connection:

   Roles & Protocols
   General Info
   IdP Web SSO SAML Profiles
   Credentials
   Activation

4. Verify the Roles & Protocols.

Verify the SAML 1.x Role and Protocol for the SP Connection

The SMFE is acting as a producer. Therefore, it has to establish an SP connection, because the SMFE is connecting to a consumer.

To verify the role and protocol for the connection

1. On the Roles & Protocols dialog, ensure the following settings:

   Connection Type: SP
   Protocol: SAML v1.1

2. Click Next.

3. Configure the General Info settings (see page 69).

Configure General Info for SAML 1.x

The General Info identifies the partner consuming assertions, in this case, the SiteMinder FSS.

To specify the General Info

1. Select the General Info step.

2. Complete the fields with the values shown:

   Audience

   Base URL
   This is the base host of the web server where the Web Agent Option Pack is installed. By specifying a base URL, you can then enter relative URLs in other parts of the configuration, making configuration more efficient.

   Note: If you configure the Base URL for an artifact profile configuration, you must begin the URL with https:// because SiteMinder requires that the back-channel authentication for the artifact profile occur over a secure connection. The POST profile does not need to return to the producer, so this URL is irrelevant.

3. Leave the remaining fields blank.

4. Click Next. The Assertion Lifetime dialog is displayed.

5. Accept the default in the Assertion Lifetime dialog and click Next. The Web SSO dialog is displayed.

6. Specify the Web SSO settings (see page 69).

Configure SAML 1.x Web SSO Settings for the SP Connection

The Web SSO settings define the single sign-on profiles (artifact and POST).

To configure Web SSO for the POST or artifact profile

1. Create a new Web SSO configuration by following the instructions in the Federation Endpoint Quick Start Guide.

2. In the Identity Mapping dialog, select Standard. Standard indicates that the SMFE IdP will send the SP a known attribute value, such as the name identifier.

3. In the Attribute Contract dialog, verify that SAML_SUBJECT is the value. The Attribute Contract is where you define additional attributes to be sent to the SAML partner.

4. Click Next. The IdP Adapter Mapping dialog is displayed, where you can map attributes from the assertion to the IdP adapter and the target application.

5. Select the default IdPJava Adapter Instance, then click Next. This adapter authenticates users to the producer.

6. In the Assertion Mapping dialog, select the option "Use only the attributes available in the SSO Assertion." Click Next.

7. In the Attribute Contract Fulfillment dialog, enter the following for the SAML_SUBJECT attribute contract, then click Next:

   Source: Adapter
   Value: userid

   The Assertion Consumer URL dialog is displayed.

8. In the Assertion Consumer dialog, complete the following fields with the values shown:

   Binding: POST and/or Artifact
   Select the appropriate binding for your connection.

   Endpoint URL

9. Click Next. The Default Target URL dialog is displayed.

10. In the Default Target URL dialog, enter the fully qualified URL to the target resource at the SiteMinder consumer. In this deployment, the URLs are:

   For POST
   For Artifact

11. Skip the Signature Policy dialog and click Next. Do not check this box. The Summary dialog is displayed.

12. Review the Summary, then click Done to get back to the main SP Connection dialog.

13. Depending on the binding you are configuring, do one or both of the following:

   Specify credentials for POST responses (see page 72)
   Specify credentials for the artifact back-channel authentication (see page 71)

Specify Credentials for the SAML 1.x Artifact Back-Channel

For the artifact profile, the SMFE sends the assertion across a secure back channel to the SiteMinder partner consuming assertions. In the Credentials dialog, you specify what SiteMinder presents to the SMFE as credentials for access across the back channel.

To configure the credentials for the back channel

1. From the SP connection main menu, click Credentials. The Credentials dialog opens.

2. Click Configure Credentials.

3. Select Back-Channel Authentication. The Back-Channel dialog opens.

4. Click Configure on the right side of the dialog. The Inbound SOAP Authentication Type dialog opens.

5. Select HTTP Basic, then click Next. The Basic SOAP Authentication (Inbound) dialog is displayed.

6. Complete the following fields with the values shown:

   SOAP Username: smfe-partner
   Password: smfederate

7. The values you enter for these fields must match the values specified in the SiteMinder Policy Server User Interface for the SAML artifact authentication scheme's back-channel configuration.

8. Click Next. The Digital Signature Settings dialog is displayed.

9. Do one of the following:

   Configure credentials to sign POST responses, if necessary (see page 72).
   Click Next until you reach the Summary screen.

10. On the Summary screen, click Done. You return to the Credentials dialog.

11. Click Save.

12. Activate the SP connection.

Configure the Credentials to Sign POST Responses

For POST profile single sign-on, you have to sign the assertion response with a certificate. You can create a new certificate or import an existing certificate that will sign assertions. In this deployment, you import a certificate.

To import a certificate for signing assertions

1. Go to the Credentials step for the SP connection.

2. Click Configure Credentials.

3. Navigate to the Digital Signature Settings dialog and click Manage Certificates. The Manage Digital Signing Certificates dialog opens.

4. To import a certificate, follow the instructions in the Federation Endpoint Quick Start Guide.

5. Use the following values in the Import Certificate dialog:

   Filename: c:\smfe_install_dir\certs\pingtest_signing_cert.p12
   Password: federate

   SiteMinder places the public key of this certificate in the smkeydatabase to verify the signature.

6. Click Next.

7. Review the Summary and then click Done. You return to the Credentials step.

8. Activate the SP connection (see page 73).

Activate and Save the SP Connection

Now that you have configured an SP connection to SiteMinder, you activate this connection.

To activate the SP connection

1. From the SP Connection tab, select Activation & Summary. The Activation & Summary dialog is displayed.

2. Click the Active radio button.

3. Review the summary of the SP connection settings.

4. Click Save.

5. Deploy the sample IdP application.

Deploy the IdP Sample Application (SAML 1.x)

To test that producer- or IdP-initiated single sign-on is configured properly at the SMFE, first configure and deploy the IdpSample application located in the directory SMFE_home\quickstart\sampleapp\java\IdpSample\config.

To set up the IdP sample application

1. Configure the IdpSample Java application.

2. Deploy the application in the Tomcat server.

3. Assuming the federated partner is configured, test single sign-on using the IdP sample application.

For instructions about using the IdP sample application, see the Federation Endpoint Quick Start Guide.

SMFE as the SAML 1.x Consumer

The procedures that follow show an example of setting up the SMFE as a SAML 1.x consumer. This configuration relies on the following components:

SMFE adapter
SMFE agent
Sample application
Apache Tomcat (for use by the sample Java applications)

The procedures that follow describe the configuration for the SMFE serving as the consumer.

The SMFE contains an integration kit that includes:

An adapter that plugs into the Federation Endpoint server, which encrypts data into a PFToken that is then sent as a query parameter or browser cookie to the target consumer application. The standard adapters provide a generic interface for integrating with various applications, including Java- and .NET-based applications.

Agent toolkits that extract the data from the PFToken and pull out the relevant user data needed by the target application to set a valid session cookie or other application-specific security context for the user.

Note: The SMFE Agent is not related to the SiteMinder Web Agent.

Two sets of sample applications are included with the SMFE that allow you to use your configured Federation Endpoint to demonstrate single sign-on processing. One is for Java and one is for .NET. The Java Sample Applications use the Java Integration Kit 1.1 for integration with Federation Endpoint. The .NET Sample Applications use the .NET Integration Kit 1.1.

The SP Sample Application, SPSample, simulates the use case where users authenticate with a local application through a remote IdP.

Start the SMFE and Log In to the Administrative Console

You configure SMFE features via the SMFE Administrative Console.

To start the SMFE

1. Enter the following command at the command prompt:

   Windows:
   SMFE_install_dir\Siteminder_Federation_Endpoint\bin\run.bat

   UNIX:
   SMFE_install_dir/Siteminder_Federation_Endpoint/bin/run.sh

   Note: UNIX users may have to set the executable permissions.

2. Access the Federation Endpoint Administrative Console using the fully qualified URL of the server running the SMFE.

3. Enter the default CA SiteMinder Federation Endpoint username and password:
   Username: Administrator
   Password: 2Federate
4. Click the Login button. The SMFE Administrative Console displays.
5. Change the Administrator password. Follow the instructions in the Federation Endpoint Quick Start Guide.

Note: To shut down the SMFE, enter Ctrl-c.

Configure the Local Settings for the Consumer

Specify the Consumer Role and Protocol

The Local Settings include unique federation server identifiers, the designation of your site's federation role (SP, IdP, or both), and your choice of federation protocols and application integration adapters. Local settings also include system administration configuration (one-user or multi-user), notification options and setup, and shortcut links to adapter configurations and account management (when multi-user administration is enabled).

You need to indicate which role in the federation network the SMFE is fulfilling. Additionally, you need to specify the SAML protocol.

To indicate the role and protocol

1. Log in to the Administrative Console and select Local Settings.
2. On the Roles and Protocols dialog, select the Enable Service Provider (SP) Role option and then select the Enable SAML v1.1 protocol option.
3. Click Next. The Federation Info dialog appears.

4. Configure the settings on the Federation Info dialog using the values shown:
   Base URL (optional): This URL is where SMFE is installed.
   SAML v1.x Issuer/Audience: When the SMFE acts as the consumer, this is the audience value in the assertion.
5. Configure the SP Adapter Instance (see page 76).

Configure the SP Adapter Instance

Configure an SP adapter instance to define the communication between the SMFE generating assertions and the SiteMinder system with the target resources. The SP adapter allows the SMFE to supply the information needed by the target application to set a valid session cookie or other application-specific security context for the user.

Note: This deployment uses the adapter that works with the SMFE Java Integration Kit.

To configure an SP adapter instance

1. Log on to the Administrative Console.
2. From the Main dialog, select Local Settings.
3. Select the SP Adapter Selection.
4. Click Configure Adapter Instances. The Manage Adapter Instances dialog displays.
5. Select Create New Adapter Instance. The Adapter Type dialog opens. Complete the fields for the adapter instance with the values shown:
   Adapter Instance Name: SPJava
   Adapter Instance ID: SPJava
   Adapter Type: PF4 Standard Adapter v

6. Click Next. The SP Adapter Instance displays.
7. Click the SP Adapter Instance option.
8. Complete only the following settings with the values shown:
   Transfer Method: query
   Domain: .sp.com
   PFToken Holder Name: SPJava
   Cookie Path: /
   Password: fedendpoint (this is a password shared between the target system and the SMFE)
   Authentication Service: This is the URL where the user is sent for a single sign-on event. Port 8080 is the Tomcat instance where the SpSample application is deployed.
9. Specify the SP adapter actions.

Specify the SP Adapter Actions and Extended Adapter Contract

The Adapter Actions are functions that the SP adapter can perform. The Extended Adapter Contract informs the SMFE about other attributes included in the assertion from the producer.

To configure the remaining settings for the SP Adapter Instance

1. Go to the Adapter Actions screen and click the Generate properties link to view the adapter configuration properties.
2. Copy and save the results of the display to a separate file. For Java the file is pfagent-sp.properties.
   Important! When configuring the SP Adapter, use WordPad to edit pfagent-sp.properties (Java application) or pf-agent-sp.config (.NET application) for configuring the Adapter Actions. You will need one of these files later for use with the sample application. Also, save the file with the exact name (pfagent-sp.properties or pf-agent-sp.config). Do not save the file using .doc, .txt or any other extension.
3. Click Next.
4. On the Extended Adapter Contract dialog, configure an additional attribute of userid for the adapter. Click Next. The Summary screen is displayed.
5. On the Summary screen, verify that the information is correct and click Done. You return to the Manage Adapter Instances dialog.
6. Click Save to complete the adapter configuration.
   Important! Remember to save at this point or you will lose your configuration.
7. On the SP Adapter Selection dialog, click Next. The SP Events dialog displays.
8. Configure SP Events.

Configure SP Events (SAML 1.x)

The SP Events dialog lets you define the single sign-on link, that is, the target URL that the user is sent to if the single sign-on link is not in the assertion.

To set up the SP Events

1. On the SP Events screen, enter the URL where the user will be redirected when single sign-on has succeeded. Because you are using the sample application, SpSample, the link is:
   Important! If the RelayState parameter is supplied in the assertion sent by SiteMinder, the SMFE uses it to determine the target application, overriding the value you enter for the URL.
2. Click Next. The Summary screen is displayed with the completed local settings.
3. Save the local SP settings for the SP connection.

Save the Local SP Settings

The Summary screen lets you review all your local settings.

To save the local settings

1. From the Summary dialog in the Local Settings tab, click Save. You return to the main menu.
2. Set up the IdP connection to SiteMinder.

Set Up the IdP Connection

Configure the connection between the SMFE consuming assertions and the SiteMinder system issuing assertions. This is referred to as the IdP Connection.

For the SMFE to receive assertions, you need to define the partner connection, which in this case is the connection to the SiteMinder FSS that is issuing assertions. In the SMFE user interface, this means you define an IdP connection between the SMFE and SiteMinder FSS. With a single license key, you are restricted to creating a single connection to SiteMinder FSS.

Note: This procedure assumes that the IdP is initiating single sign-on.

To create an IdP Connection

1. Log in to the Administrative Console. The Main menu displays.
2. Under IdP Connections, select Create New.

3. Define all the settings associated with an IdP Connection:
   - Role & Protocol
   - General Info
   - IdP Web SSO
   - SAML Profiles
   - Credentials
   - Activation
4. Verify the Role & Protocol.

Verify the SAML 1.x Role and Protocol for the IdP Connection

The SMFE is consuming assertions, so the connection type must be an IdP connection, that is, a connection to the partner issuing assertions.

To verify the role and protocol for the connection

1. On the Roles & Protocols dialog, enter the following settings:
   Connection Type: IdP
   Protocol: SAML v
2. Click Next. The General Info tab is displayed.
3. Specify the General Info.

Configure SAML 1.x General Info

The General Info defines the Producer, in this case SiteMinder.

Note: Remember that for SAML 1.x, the SMFE user interface refers to the Producer as the IdP.

To specify the General Info

1. Enter values for the following fields, as shown:
   Issuer (Connection ID): This value is the AssertionIssuerID of the entity issuing assertions, which is the value of AssertionIssuerID specified in the SiteMinder producer's AMAssertionGenerator.properties file. This file is located at policy_server_home/config/properties.
   Base URL (optional): This URL is where the Web Agent Option Pack is installed. The base URL makes configuration of producer endpoints more efficient: by specifying a base URL, you can then enter relative URLs in other parts of the configuration. In this example, this is the base host of the web server where the Web Agent Option Pack is installed.
   Note: If you configure the Base URL for an artifact profile configuration, you must begin the URL with https:// because the artifact profile requires a secure connection. The POST profile does not need to return to the producer, so this URL is irrelevant for it.
2. You can leave the other fields blank.
3. Click Next. The SAML Profiles dialog is displayed.
4. Ignore the SAML Profiles dialog and click Next. The Web SSO dialog is displayed.
5. Configure the Web SSO settings.

Configure the Web SSO Settings

The Web SSO settings define the single sign-on profiles (artifact and POST).

To configure Web SSO for the SAML 1.x IdP Connection

1. Create a new Web SSO configuration for the IdP connection by following the instructions in the Federation Endpoint Quick Start Guide.
2. In the Identity Mapping dialog, select Account Mapping and click Next. The Attribute Contract tab is displayed.
3. Accept the default attribute SAML_SUBJECT and click Next.
4. In the Adapter Mapping & User Lookup dialog, use the default SPJava adapter instance and identify a user to the application based on attributes sent in an assertion. Map an adapter instance for each target application on your system.
   a. In the Adapter Instance tab, use the SPJava adapter instance, then click Next. This adapter enables the SMFE to extract data from incoming assertions.
   b. In the Adapter Data Store tab, select the radio button for "Use only the attributes available in the SSO Assertion", then click Next.
   c. In the Attribute Contract Fulfillment tab, configure the following values for the userid adapter contract:
      Source: Assertion
      Value: SAML_SUBJECT
5. Click Next to display the Summary.
6. Review the Summary and click Done. You return to the Adapter Mapping & User Lookup tab.
7. Click Next until you reach the Allowable SAML Bindings tab.
   Note: Skip the SSO Service URL dialog. This is only for SP-initiated SSO, which is not supported for the SAML 1.x release of the product.
8. In the Allowable SAML Bindings settings, select POST, Artifact or both, as appropriate, to specify the profile used for communication. Click Next. The Artifact Resolution Location step displays.

9. In the Artifact Resolution Location, complete the following fields with the values shown:
   Artifact Resolution Endpoint: ver
   This is the SAML 1.x Assertion Retriever Service at the FSS IdP. Enter a relative URI if you configured a Base URL.
   Note: You can only define one endpoint for SAML 1.x.
   Source ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
10. Click Next to skip the Signature Policy and Encryption Policy dialog. The Summary is the final tab.
11. Review the Summary, then click Done to return to the main IdP Connection dialog.
12. Depending on the SAML profiles you are configuring, do one or both of the following:
    - Configure the authentication for the artifact back-channel.
    - Configure the Credentials for POST signature verification.

Configure Back Channel Authentication for SAML 1.x Artifact SSO

Using the artifact profile for SSO, the assertion is sent from the producer back to the consumer across a secure back channel. You need to determine the authentication method required for back-channel communication.

To configure the artifact back channel for the IdP Connection

1. Navigate to the Credentials tab.
2. In the Back-Channel Authentication tab, click Configure on the right of the dialog. The Outbound SOAP Authentication Type dialog displays.
3. Select HTTP Basic and deselect all other options. Click Next. The Basic SOAP Authentication (Outbound) dialog is displayed.
4. Complete the fields with the values shown, then click Next:
   Username: spsmfe-artifact
   The value you specify for the username should be the same value as the name of the Service Provider object configured at the FSS IdP.

   Password: smfederate
   Confirm Password: smfederate
   The Summary page is displayed.
5. Review the summary, then click Done. You return to the Back-Channel Authentication tab.
6. Click Next until you reach the Signature Verification Certificate step.
7. Configure the certificate used to verify signed POST responses.

Configure Credentials for SAML 1.x Signature Verification

In the Digital Signature settings for the IdP Connection, configure the certificate that enables the SMFE to verify the signed assertions generated by POST single sign-on. For more information on importing certificates, see the Federation Endpoint Quick Start Guide.

To set up signature verification at the SMFE

1. From the Credentials dialog, select Signature Verification Certificate.
2. Click Manage Certificates.
3. In the Manage Digital Verification Certificates dialog, click Import.
4. In the Import Certification dialog, click Browse and select the certificate of the key/certificate pair used in the smkeydatabase for digitally signing the assertion. For this deployment, select the certificate named idp-port-comsigning.cer.
   You are importing the public key sent from SiteMinder FSS, the assertion issuer, for signature verification. The public key is associated with the private key that FSS used to sign the assertion response. This is the certificate that was exported from SiteMinder's smkeydatabase.
   Important! When SiteMinder is the entity issuing assertions, do not require that the assertions be digitally signed when configuring the SMFE to consume assertions. SiteMinder only supports signing of the entire response and not the assertion in the response.
   The certificate information is displayed in the certificate summary page.
5. Click Next. The Signature Verification Certificate dialog is displayed.

6. In the Signature Verification Certificate dialog, select the imported certificate under the primary certificate. Click Next to view the summary.
   Note: You can also specify a primary and a secondary certificate to ensure that a certificate is always valid. If the primary expires, the secondary is used.
7. In the Summary page, the certificates are listed.
8. Click Done to return to the main Credentials page.
9. Activate the IdP connection.

Activate and Save the IdP Connection

Now that you have configured an IdP connection that defines SiteMinder, activate this connection.

To activate the IdP connection

1. Select the Activation & Summary step. The Activation & Summary dialog is displayed.
2. Click the Active radio button.
3. Review the summary of the IdP connection settings.
4. Click Save.
5. Deploy the SP sample application.

Deploy the SMFE SP Sample Application

To test that consumer- or SP-initiated single sign-on is configured properly at the SMFE, first configure and deploy the SpSample application. The SpSample application is located in the directory SMFE_home\quickstart\sampleapp\java\SpSample\config.

Before you can verify that single sign-on works

1. Configure the SpSample Java application.
2. Deploy the application in the Tomcat server.
3. Assuming the federated partner is configured, test single sign-on using the SP sample application. For instructions, see the Federation Endpoint Quick Start Guide.
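As an added example (not CA code) of the checks the consumer side performs in this deployment: the type-1 artifact's Source ID against the IdP connection's Source ID, where the XML signature sits (SiteMinder FSS signs the Response, not the Assertion), the Audience and Issuer against the local settings, and the SAML_SUBJECT to userid mapping from the Attribute Contract Fulfillment. The response, artifact, audience URL and issuer below are constructed; the cryptographic verification of the signature with the imported certificate is outside this snippet.

```python
"""SAML 1.x consumer-side checks (added example, not CA code)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Consumer-side settings as entered in the SMFE (constructed values).
EXPECTED_AUDIENCE = "http://www.sp.com/smfe"   # SAML v1.x Issuer/Audience
EXPECTED_ISSUER = "idp.demo"                   # AssertionIssuerID at FSS
CONFIGURED_SOURCE_ID = "aa" * 20               # the 40-hex-char Source ID


def parse_artifact(artifact_b64):
    """Split a SAML 1.x type 0x0001 artifact into (source_id_hex, handle).

    Layout: 2-byte type code, 20-byte SourceID, 20-byte AssertionHandle."""
    raw = base64.b64decode(artifact_b64)
    if len(raw) != 42 or raw[:2] != b"\x00\x01":
        raise ValueError("not a SAML 1.x type 1 artifact")
    return raw[2:22].hex(), raw[22:]


def artifact_from_known_source(artifact_b64, configured_source_id):
    """True when the artifact's SourceID matches the IdP connection's Source ID."""
    source_id, _handle = parse_artifact(artifact_b64)
    return source_id == configured_source_id.lower()


def signature_location(response):
    """Where ds:Signature appears as a direct child: response, assertion, both or none."""
    on_response = response.find("ds:Signature", NS) is not None
    assertion = response.find("saml:Assertion", NS)
    on_assertion = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return {(True, True): "both", (True, False): "response",
            (False, True): "assertion", (False, False): "none"}[(on_response, on_assertion)]


def check_response(xml_text, expected_audience=EXPECTED_AUDIENCE,
                   expected_issuer=EXPECTED_ISSUER):
    """Run the consumer checks; return (userid or None, list of problems)."""
    problems = []
    response = ET.fromstring(xml_text)
    where = signature_location(response)
    if where not in ("response", "both"):
        problems.append(f"response is not signed (signature: {where})")
    assertion = response.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no Assertion in Response"]
    if assertion.get("Issuer") != expected_issuer:
        problems.append(f"unexpected Issuer {assertion.get('Issuer')!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not include {expected_audience!r}")
    subject = assertion.find(
        "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if subject is None or not (subject.text or "").strip():
        problems.append("no SAML_SUBJECT (NameIdentifier) to map to userid")
        return None, problems
    # Attribute Contract Fulfillment: userid <- SAML_SUBJECT
    userid = subject.text.strip()
    return (userid if not problems else None), problems


# Constructed sample: a Response signed at the Response level, as FSS does.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ResponseID="_r1" MajorVersion="1" MinorVersion="1">
  <ds:Signature><ds:SignatureValue>Q29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_a1" Issuer="idp.demo" MajorVersion="1" MinorVersion="1">
    <saml:Conditions>
      <saml:AudienceRestrictionCondition>
        <saml:Audience>http://www.sp.com/smfe</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>lisac</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed artifact: type 0x0001, SourceID of 20 x 0xAA, 20-byte handle.
SAMPLE_ARTIFACT = base64.b64encode(b"\x00\x01" + b"\xaa" * 20 + b"\x01" * 20).decode()

if __name__ == "__main__":
    print(artifact_from_known_source(SAMPLE_ARTIFACT, CONFIGURED_SOURCE_ID))
    print(check_response(SAMPLE_RESPONSE))
```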

SAML 1.x SSO Verification

Assuming that each side of the federation network is configured and operational, test single sign-on (see page 87). You can initiate single sign-on either with SiteMinder FSS as the producer/IdP or with the SMFE as the producer/IdP.

More information: SAML 1.x SSO Testing (see page 87)

Chapter 7: SAML 1.x SSO Testing

This section contains the following topics:
Test SAML 1.x SSO with FSS as the Producer (see page 87)
Test SAML 1.x SSO with the SMFE as the Producer (see page 87)

Test SAML 1.x SSO with FSS as the Producer

After setting up the SAML 1.x producer and consumer, you can test single sign-on.

Note: The FSS sample application cannot be used to test SAML 1.x single sign-on. The FSS sample application is only for SAML 2.0.

To test single sign-on initiated by the SiteMinder FSS

1. Open the sample page you configured with the intersite transfer URL link to the SMFE.
2. Click the appropriate single sign-on link.
3. When prompted for credentials, enter the following:
   Username: lisac
   Password: test
   If single sign-on is successful, you should see the Service Provider Main Page of the SP application.
   Note: Ignore any warning messages about SP connections.

Test SAML 1.x SSO with the SMFE as the Producer

To test single sign-on initiated by the SMFE

1. Start the SMFE.
2. Start Tomcat.
3. Open the IdP sample application. For instructions, see the Federation Endpoint Quick Start Guide.

4. Log in with the following credentials:
   Username: lisac
   Password: test
   You are presented with the IdP Main Page.
5. Click the Signon button. If single sign-on is successful, you should see the protected page, spfekt.html, that resides at the SiteMinder site.

Chapter 8: SAML 2.0 SSO with SiteMinder FSS

This section contains the following topics:
Set-up SiteMinder FSS as the Identity Provider (see page 89)
Set-up SiteMinder FSS as the Service Provider (see page 96)
SAML 2.0 SSO Testing (see page 105)

Set-up SiteMinder FSS as the Identity Provider

The procedures that follow describe the configuration for SiteMinder FSS as a SAML 2.0 Identity Provider.

Install the Policy Server and the Policy Server Option Pack

To install the Policy Server and the Policy Server Option Pack, follow the instructions in the Policy Server Installation Guide and the Policy Server, Web Agent Option Pack Release Notes.

Create a SAML 2.0 Affiliate Domain

You have to identify the SMFE Service Provider to the FSS Identity Provider. Detailed step-by-step instructions for the following procedure can be found in the Federation Security Services Guide, in the section on identifying a SAML 2.0 Service Provider to the Identity Provider.

To establish the SMFE as an affiliate

1. Create an affiliate domain.
2. Assign a user directory as a user store.
3. Accept the default SiteMinder administrator.
4. Add the SMFE to the domain.

Add the SMFE to the SAML 2.0 Domain

The SMFE, as the consumer/SP, receives assertions from the SiteMinder FSS. By adding the SMFE to an affiliate domain, you:

- identify it to the SiteMinder FSS
- select the SAML profile being used
- specify the users who want access to the resource at the SMFE
- determine how the assertion is sent across to the SMFE

Detailed instructions for the following procedure can be found in the Federation Security Services Guide. Refer to the sections about configuring consumers or Service Providers.

To add the SMFE as a Service Provider

1. From the affiliate domain, create a SAML Service Provider. The SAML Service Provider Properties dialog opens.
2. Enter data in the following required fields as shown:
   Name: sp.demo
   Description: SMFE Service Provider
   Authentication URL:
   Note: Protect this URL with a policy.
3. Select the Enabled check box to activate the Service Provider object.
4. Select the Users tab, and add the users who require access to the SMFE SP. For this example, user1, defined in the LDAP user store, should have access.
5. Select the Name IDs tab and complete the following fields with the values shown:
   Name ID Format: Unspecified
   Name ID Type: User Attribute
   Attribute Name: uid

6. Select the General tab and complete the following fields with the values shown:
   SP ID: sp.demo
   IdP ID: idp.demo
   SAML Version: 2.0
   Skew Time:
7. Select the SSO tab and complete the following fields with the values shown:
   Audience: sp.demo
   The Audience entry here must match the SAML v2.0 Entity ID or the Base URL in the Federation Info dialog of the SMFE Service Provider's local settings. In this deployment, it matches the SAML v2 Entity ID.
   Assertion Consumer Service (POST only):
   Bindings: HTTP-Artifact and HTTP-POST
   NOTE: If you select HTTP-Artifact, go back to the General tab and configure the backchannel.
   Authentication Level: 5 (default)
   Validity Duration: 60 (default)
   AuthnContext Class Ref.: urn:oasis:names:tc:saml:2.0:ac:classes:password (default)
8. Click OK to save your changes.
9. Do one of the following:
   - Configure the backchannel for artifact SSO.
   - Install the Web Agent and Web Agent Option Pack.
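The General and SSO tab values above (SP ID and Audience sp.demo, IdP ID idp.demo, Validity Duration 60, the password AuthnContext class, Name ID from the uid attribute, Skew Time) are what a Service Provider enforces when it receives the assertion; the following is an added example of those checks, not CA code. The page does not give the Skew Time value, so SKEW_SECONDS is an assumption, and the assertion is constructed.

```python
"""SP-side validation of a SAML 2.0 assertion (added example, not CA code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ID = "sp.demo"            # SP ID; also the Audience on the SSO tab
IDP_ID = "idp.demo"          # IdP ID: the expected saml:Issuer
VALIDITY_SECONDS = 60        # Validity Duration 60 (default)
SKEW_SECONDS = 30            # assumption: the page does not give the Skew Time value
PASSWORD_CLASS = "urn:oasis:names:tc:saml:2.0:ac:classes:password"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def build_sample_assertion(issue_instant, audience=SP_ID, issuer=IDP_ID):
    """Constructed assertion valid from issue_instant for VALIDITY_SECONDS."""
    issued = parse_instant(issue_instant)
    not_on_or_after = (issued + timedelta(seconds=VALIDITY_SECONDS)).strftime(TIME_FMT)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="{issue_instant}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{UNSPECIFIED_FORMAT}">user1</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="{issue_instant}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{issue_instant}">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{PASSWORD_CLASS}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def validate_assertion(xml_text, now_utc, skew_seconds=SKEW_SECONDS):
    """Return (uid, problems); uid is None when any check fails."""
    problems = []
    now = parse_instant(now_utc)
    skew = timedelta(seconds=skew_seconds)
    a = ET.fromstring(xml_text)

    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ID:
        problems.append(f"Issuer {issuer!r} is not the IdP ID {IDP_ID!r}")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        # Skew Time widens the validity window on both ends, since the
        # clocks at the IdP and SP are not assumed to agree exactly.
        if now < parse_instant(cond.get("NotBefore")) - skew:
            problems.append("assertion not yet valid (NotBefore)")
        if now >= parse_instant(cond.get("NotOnOrAfter")) + skew:
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ID not in audiences:
            problems.append(f"Audience {audiences} does not include {SP_ID!r}")

    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                     namespaces=NS)
    if ctx != PASSWORD_CLASS:
        problems.append(f"AuthnContextClassRef {ctx!r} is not the password class")

    # Name ID Type "User Attribute" with Attribute Name uid: the NameID is the uid to look up.
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID to look up the user by uid")
        return None, problems
    return (name_id.text.strip() if not problems else None), problems


SAMPLE_ISSUE_INSTANT = "2024-01-01T12:00:00Z"
SAMPLE_ASSERTION = build_sample_assertion(SAMPLE_ISSUE_INSTANT)

if __name__ == "__main__":
    for now in ("2024-01-01T12:00:30Z", "2024-01-01T12:01:20Z", "2024-01-01T12:01:30Z"):
        print(now, validate_assertion(SAMPLE_ASSERTION, now))
```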

More information: Setup the Back Channel for SAML 2.0 Artifact Binding (see page 92)

Setup the Back Channel for SAML 2.0 Artifact Binding

If you use the HTTP-Artifact binding for SAML 2.0 single sign-on, the IdP sends the assertion across a secure back channel to the Service Provider. You need to configure a password for the Service Provider to be granted access across the back channel to the Artifact Resolution Service, which resolves the artifact and retrieves the assertion.

Note: The password is only relevant if you use Basic or Basic over SSL as the authentication method across the back channel; however, you must configure a password regardless of which authentication method you plan to use.

To set a password for the backchannel

1. From the SAML Service Provider Properties dialog, select the General tab.
2. Click Configure Backchannel Authentication. This button is active if you have selected HTTP-Artifact as an SSO binding on the SSO tab.
3. Complete the following fields as shown:
   Password: password
   Confirm Password: password
4. Click OK.
5. Install the Web Agent and Web Agent Option Pack.

Install the Web Agent and Web Agent Option Pack

You need to install the Web Agent and the Web Agent Option Pack to set up the Federation Web Services application.

To set up Federation Web Services

1. Install a Web Agent. For instructions, see the Web Agent Installation Guide.
   Note: When SiteMinder FSS is the producer or IdP, be sure to set the Web Agent configuration parameter RequireCookies to No. This is not necessary when SiteMinder FSS is the consumer or SP.

2. Install the Web Agent Option Pack. For instructions, see the Policy Server, Web Agent Option Pack Release Notes.
3. Install ServletExec, WebLogic, or WebSphere for Federation Web Services.
4. For artifact single sign-on only, SSL-enable the web server where the Web Agent and Web Agent Option Pack are installed. For instructions, see your web server's documentation.
5. Deploy Federation Web Services on the web or application server you are using. For instructions, see the section on the Federation Web Services application in the Federation Security Services Guide.

Protect Federation Web Services

When you install the Policy Server Option Pack and import the ampolicy.smdif file, specific policies and related policy objects are automatically created for the Federation Web Services application. You must enforce protection of the Federation Web Services application as well as specify that the SMFE affiliate can access the Federation Web Services application.

To protect the Federation Web Services application

Follow the detailed instructions in the section on the Federation Web Services application in the Federation Security Services Guide.

Protect the Authentication URL (SAML 2.0)

You must protect the Authentication URL with a SiteMinder policy. Protecting the Authentication URL ensures that a user requesting a protected federated resource is presented with an authentication challenge if they do not have a SiteMinder session at the IdP.

To protect the Authentication URL at the Identity Provider

1. From the Domains tab, create a policy domain called Authentication URL Protection Domain.
2. Add the IdP LDAP user directory in the User Directories tab.

3. From the Authentication URL Protection domain, create a persistent realm with the following field entries:
   Name: Authentication URL Protection Realm
   Agent: Using the lookup button, select FSS web agent. This is the Web Agent protecting the server with the Web Agent Option Pack.
   Resource Filter: /siteminderagent/redirectjsp/redirect.jsp
   Accept the defaults for the other settings.
   Session tab: Select Persistent Session
4. From the Authentication URL Protection Realm, create a rule under the realm with the following field entries:
   Name: Authentication URL Protection Rule
   Realm: Authentication URL Protection Realm
   Resource: *
   Web Agent actions: Get
   Accept the defaults for the other settings.
5. From the Authentication URL Protection domain, create a policy with the following entries:
   Name: Authentication URL Protection Policy
   Users tab: Add user1 from the IdP LDAP user directory
   Rules tab: Add Authentication URL Protection Rule

You now have a policy that protects the Authentication URL at the Identity Provider.

Configure the Key Database to Sign POST Responses

To sign SAML POST responses, which is required by the SAML specification, you have to add a private key and certificate to the SiteMinder key database, named smkeydatabase. You request keys from a Certificate Authority. The private key is added to the smkeydatabase. The public key associated with the private key is sent to the endpoint receiving the assertion. The SMFE needs to have this public key to verify the signature used to sign the assertion.

To configure the smkeydatabase to sign SAML POST responses

1. Open a command window.
2. Create the smkeydatabase if it does not exist by entering one of the following commands:
   UNIX: smkeytool.sh createdb passphrase
   Windows: smkeytool.bat createdb passphrase
3. Add a private key and certificate by entering one of the following commands:
   UNIX: smkeytool.sh -addprivkey -alias defaultenterpriseprivatekey -keyfile "opt/netegrity/siteminder/certs/sampleprivkey.pkcs12" -certfile "opt/netegrity/siteminder/certs/samplecertificate.cer" passphrase
   Windows: smkeytool.bat -addprivkey -alias defaultenterpriseprivatekey -keyfile "c:\program files\netegrity\siteminder\certs\sampleprivkey.pkcs12" -certfile "c:\program files\netegrity\siteminder\certs\samplecertificate.cer" passphrase
   The first part of this command is the location of the private key, in PKCS#12 format, at the Identity Provider. For this deployment, that key is sampleprivkey.pkcs12. The second part of the command is the location of the public key certificate, which is samplecertificate.cer, followed by the password associated with the private key, which is passphrase.

For more information about the smkeydatabase and smkeytool, see the section on using key databases in the Federation Security Services Guide.

Protect the SAML 2.0 Artifact Resolution Service (Artifact only)

For SAML 2.0 HTTP-Artifact SSO, the Artifact Resolution Service retrieves the assertion stored in the SiteMinder session server at the Identity Provider so it can be sent to the Service Provider. This service needs to be protected with a SiteMinder policy so that assertions are retrieved only by authorized users.

Note: For artifact resolution to be successful, the SiteMinder FSS site generating assertions must have its Web Agent configuration parameter RequireCookies set to No.

By default, there is a pre-configured policy that uses the Basic over SSL authentication scheme to protect the Artifact Resolution Service. When you configure a policy that uses the client certificate authentication scheme to protect this service, this policy must be created for a different realm than the realm that uses the Basic over SSL scheme. Generally, the administrator at the Identity Provider should create two policies for the Artifact Resolution Service: one that protects it with Basic over SSL and one that protects it with client certificate authentication.

To protect the Artifact Resolution Service with a client certificate authentication scheme

1. Create a policy at the Identity Provider that uses an X.509 client certificate authentication scheme.
2. Enable client certificate authentication at the consumer.

For detailed instructions, see the SAML 2.0 instructions in the Federation Security Services Guide.

Setup the SMFE as the Service Provider

Now that SiteMinder FSS is configured as an Identity Provider, configure the SMFE as a Service Provider.

More information: SMFE as the Service Provider (see page 120)

Set-up SiteMinder FSS as the Service Provider

The procedures that follow describe the configuration for SiteMinder FSS as the SAML 2.0 Service Provider.

Install the Policy Server and the Policy Server Option Pack

To install the Policy Server and the Policy Server Option Pack, follow the instructions in the Policy Server Installation Guide and the Policy Server, Web Agent Option Pack Release Notes.

Install the Web Agent and Web Agent Option Pack

You need to install the Web Agent and the Web Agent Option Pack to set up the Federation Web Services application.

To set up Federation Web Services

1. Install a Web Agent. For instructions, see the Web Agent Installation Guide.
   Note: When SiteMinder FSS is the producer or IdP, be sure to set the Web Agent configuration parameter RequireCookies to No. This is not necessary when SiteMinder FSS is the consumer or SP.
2. Install the Web Agent Option Pack. For instructions, see the Policy Server, Web Agent Option Pack Release Notes.
3. Install ServletExec, WebLogic, or WebSphere for Federation Web Services.
4. For artifact single sign-on only, SSL-enable the web server where the Web Agent and Web Agent Option Pack are installed. For instructions, see your web server's documentation.
5. Deploy Federation Web Services on the web or application server you are using. For instructions, see the section on the Federation Web Services application in the Federation Security Services Guide.

Protect Federation Web Services

When you install the Policy Server Option Pack and import the ampolicy.smdif file, specific policies and related policy objects are automatically created for the Federation Web Services application. You must enforce protection of the Federation Web Services application as well as specify that the SMFE affiliate can access the Federation Web Services application.

To protect the Federation Web Services application

Follow the detailed instructions in the section on the Federation Web Services application in the Federation Security Services Guide.

Set-up the smkeydatabase for Artifact Single Sign-on (Optional)

For the artifact binding, SiteMinder FSS as the 1.x consumer or 2.0 Service Provider may use Basic, Basic over SSL, or client certificate authentication for the Artifact Resolution Service. If Basic over SSL is used, you must add the appropriate Certificate Authority's certificate to the Service Provider's smkeydatabase to establish the SSL connection between the IdP and SP. The certificate secures the back channel that the assertion is sent across. The Artifact Resolution Service needs to be protected and the back channel needs to be secure so that the Service Provider knows the SSL connection is secured by a trusted authority.

Important! If you configure Basic over SSL as the authentication method for the artifact back channel, disable POST preservation at the producer-side Web Agent. Disable POST preservation by setting the Web Agent's POST Preservation parameter to No.

A set of common root CA certificates is shipped with the default smkeydatabase; however, to use one that is not already in the key store, you must import it into the smkeydatabase.

Note: The Owner CN has to be the domain of the web server hosting the assertion retrieval service (SAML 1.x) or artifact resolution service (SAML 2.0).

Use the SiteMinder smkeytool utility to modify the smkeydatabase. For this deployment, the alias is sampleappcertca and the certificate of the CA is docca.crt.

To add a certificate to the smkeydatabase

1. Open a command window.
2. Check whether the Certificate Authority certificate is already in the database by entering:
   smkeytool -listcerts
   Look for an entry type of CertificateAuthorityEntry.
3. If the CA certificate is not present, import a new CA certificate by entering:
   smkeytool -addcert -alias <alias> -infile <cert_file> -trustcacert
   For this deployment, the command is:
   smkeytool -addcert -alias sampleappcertca -infile docca.crt -trustcacert

4. When asked whether you trust the certificate, enter YES. The certificate is added to the key store.
5. Enable the Artifact Binding for SAML Authentication at the SP.

Configure Signing Verification for POST Profile

For the SAML POST profile, the assertion issuer signs the response that contains the assertion. In this deployment the SMFE is the assertion issuer; it must send its signing certificate (the public key, samplecaroot.cer in this deployment) to the one partner consuming the assertion, or publish it to all partners that may consume its assertions. SiteMinder, as the consuming entity, must verify the signature. To do this, the producer's certificate sent to SiteMinder must be added to the smkeydatabase.

To set up signature verification at the SiteMinder consumer
1. Obtain the CA certificate from the certificate authority.
2. Open a command window.
3. Check whether the certificate already exists in the consumer's key database by entering:
   UNIX: smkeytool.sh -listcerts
   Windows: smkeytool.bat -listcerts
4. If it is not present, use the smkeytool utility to add the certificate to the smkeydatabase at the Policy Server. The command syntax is:
   UNIX: smkeytool.sh -addcert -alias sp1cacert -infile /opt/ca/siteminder/certs/post-cet.crt
   Windows: smkeytool.bat -addcert -alias sp1cacert -infile "c:\program files\ca\siteminder\certs\post-cet.crt"
For more information about using the key database, see the Federation Security Services Guide.

Configure the SAML 2.0 Authentication Scheme (Artifact and POST)

For POST or artifact SSO to work, configure the SAML 2.0 authentication scheme at the Service Provider.

To configure a SAML 2.0 authentication scheme
1. Log into the Policy Server User Interface.
2. From the menu bar, select Edit, System Configuration, Create Authentication Scheme. The Authentication Scheme Properties dialog box opens.
3. In the Authentication Scheme Type drop-down list, select SAML 2.0 Template. The contents of the SiteMinder Authentication Scheme dialog box change for the SAML 2.0 scheme.
4. Complete the following fields:
   Name: Partner IdP.demo Auth Scheme
   Protection Level: 5
   SP ID: sp.demo
   IdP ID: idp.demo
   This value must match the value specified for the SAML v2.0 Entity ID field in the Federation Info at the SMFE IdP.
   SAML Version: 2.0
   Skew Time:

   Issuer DN: CN=Certificate Manager, OU=IAM,O=CA.COM
   Serial Number: 008D 8B6A D18C 46D8 5B
   Both values come from the certificate (public key) in the smkeydatabase. The SMFE sends this certificate to SiteMinder; it is associated with the private key the SMFE uses to sign the POST response. The value you enter for Issuer DN must match the issuer DN of that certificate. Read the Issuer DN and serial number with the smkeytool utility:
   Windows: smkeytool.bat -listcerts
   UNIX: smkeytool.sh -listcerts
   We recommend that you list the certificates (smkeytool -lc) and view the DN before entering the value, so that it matches exactly. For more information about using the key database, see the Federation Security Services Guide.

   By default, signature processing is enabled. It is required by the SAML 2.0 specification and must stay enabled in a production environment. For debugging your initial federation setup only, you can temporarily disable all signature processing for the Service Provider (both signing and verification of signatures) by checking the Disable Signature Processing option.
   Important! If you disable signature processing, you are disabling a mandatory security function: the Service Provider will accept responses whose signature it has not verified. Re-enable it before the deployment goes into production.
5. Click Additional Configuration to continue configuration. The SAML 2.0 Auth Scheme Properties dialog opens.
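The Issuer DN and Serial Number fields above are read from the SMFE's signing certificate. The following Python is an added example, not part of this guide or of smkeytool, that walks a DER-encoded certificate and renders those two fields in the form the guide shows: the DN in RFC 2253 order (CN first, as Java-based tools print it) and the serial in four-digit hex groups, keeping the leading 00 byte that DER adds to an INTEGER whose high bit is set. The certificate bytes are a constructed fixture assembled inside the block (a TBSCertificate prefix with no key and no signature), not a real CA certificate; the OID table covers only CN, O and OU; all function names are this example's own. On the real certificate use smkeytool -listcerts as the guide says; this code shows where the values come from.

```python
# Added example (not from the guide): read the Issuer DN and serial number that the
# SAML 2.0 authentication scheme asks for, directly from a DER-encoded certificate.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def der(tag, body):
    """DER-encode one TLV. Used only to build the constructed fixture below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; handles short and long length forms."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def children(body):
    """Split a constructed value into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def name_to_string(name_body):
    """Render an X.501 Name in RFC 2253 order (last RDN first), which puts the CN first."""
    rdns = []
    for _, rdn in children(name_body):                  # RDN = SET OF AttributeTypeAndValue
        parts = []
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            parts.append("%s=%s" % (OID_NAMES.get(oid, oid.hex()), value.decode()))
        rdns.append("+".join(parts))
    return ", ".join(reversed(rdns))


def cert_identity(cert_der):
    """Return the serial (hex, leading 00 kept), issuer DN and subject DN of a certificate."""
    _, cert, _ = read_tlv(cert_der, 0)                   # Certificate ::= SEQUENCE
    _, tbs = children(cert)[0]                           # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    (_, serial), _sig_alg, (_, issuer), _validity, (_, subject) = fields[:5]
    return {"serial": serial.hex().upper(),
            "issuer": name_to_string(issuer),
            "subject": name_to_string(subject)}


def grouped_serial(hex_serial, group=4):
    """Four-hex-digit groups, the form the guide shows in the Serial Number field."""
    return " ".join(hex_serial[i:i + group] for i in range(0, len(hex_serial), group))


def _name(*rdns):
    """Build a Name from (attribute, value) pairs given in ASN.1 order (O, OU, CN)."""
    oids = {v: k for k, v in OID_NAMES.items()}
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oids[a]) + der(0x0C, v.encode()))) for a, v in rdns))


# Constructed fixture carrying the guide's issuer DN and serial number. It is not a valid
# certificate (no public key, no signature); only the fields read above are present.
SAMPLE_CERT = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02"))                                                 # version v3
    + der(0x02, bytes.fromhex("008d8b6ad18c46d85b"))                              # serialNumber
    + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    + _name(("O", "CA.COM"), ("OU", "IAM"), ("CN", "Certificate Manager"))        # issuer
    + der(0x30, der(0x17, b"090101000000Z") + der(0x17, b"190101000000Z"))        # validity
    + _name(("CN", "idp.demo"))))                                                 # subject


if __name__ == "__main__":
    info = cert_identity(SAMPLE_CERT)
    print("Issuer DN:    ", info["issuer"])
    print("Serial Number:", grouped_serial(info["serial"]))
    print("Owner CN:     ", info["subject"])
```

The subject DN is returned as well because the note in the smkeydatabase section requires the certificate's Owner CN to be the domain of the web server hosting the artifact resolution service; compare it against the host in the Resolution Service URL before trusting the back channel.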

Specifying Users for SAML 2.0 SSO

As part of the SAML 2.0 authentication scheme configuration, users must be located in the local user directory. The SAML 2.0 authentication scheme first determines a LoginID from the assertion. The LoginID is a SiteMinder-specific term that identifies the user. By default, the LoginID is extracted from the NameID value in the assertion. After the authentication scheme determines the LoginID, it is passed back to the Policy Server to locate the user in the user store. For example, if you configure an LDAP user store to search for users based on the uid attribute, the Policy Server searches for the user by uid. Because of this default behavior, no configuration is required on the Users tab.

Select Bindings for SAML 2.0 SSO

Configure the SSO profiles supported by the authentication scheme.

To configure the SSO profiles
1. From the SAML 2.0 Authentication Scheme dialog, click Additional Configuration. The SAML Auth Scheme Properties dialog opens.
2. Select the SSO tab.
3. Complete the following fields with the values shown:
   Redirect Mode: 302 Cookie Data
   SSO Service: the SSO service at the SMFE
   Audience: idp.demo
   This is the value defined for the SAML v2 Entity ID in the Federation Info dialog of the SMFE IdP's local settings.
   Target:
4. Check the HTTP-Artifact and HTTP-Post bindings.

5. Enter the resolution service for the artifact binding:
   Resolution Service: the artifact resolution service at the SMFE
6. Ensure that the Enforce Single Use Policy box is checked, so that an assertion presented a second time is rejected.
7. Click Apply to save your changes.
8. Configure the backchannel (see page 103) for the artifact binding.
For detailed instructions and field descriptions for SAML 2.0 authentication schemes, see the Federation Security Services Guide.

Configure the Backchannel for Artifact SSO

For artifact single sign-on, the assertion is sent across a secure back channel. Configure the following settings for that back channel.

To configure the backchannel
1. From the SAML 2.0 Authentication Scheme dialog, click Additional Configuration. The SAML Auth Scheme Properties dialog opens.
2. Select the Backchannel tab.
3. Complete the following fields with the values shown:
   Authentication: Basic Auth
   SP Name: sp.demo
   Password: password
   Confirm Password: password
   These are the credentials SiteMinder presents to the SMFE's artifact resolution service; they must match the inbound SOAP authentication values configured for the SP connection at the SMFE.
4. Click OK to save your changes.
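The SSO tab settings above (IdP ID, Audience, Skew Time, Enforce Single Use Policy) are the checks the Service Provider applies to every assertion before it looks up the LoginID. The following Python is an added example, written for this page and not code from the guide or from SiteMinder, that applies those checks to a SAML 2.0 assertion and returns the LoginID (the NameID) or the reason for rejection. The assertion is a constructed sample embedded in the block; the XML signature, which the Policy Server verifies before any of these checks, is not covered; Skew Time is not shown in the guide, so the 30-second value is an assumption; the Audience value is whatever the scheme's Audience field holds (idp.demo in this guide). Class and function names are this example's own.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the SAML 2.0 authentication scheme configured in this guide.
# Skew Time is not shown in the guide; 30 seconds is an assumption for this example.
SCHEME = {
    "idp_id": "idp.demo",        # IdP ID: must equal the assertion's Issuer
    "audience": "idp.demo",      # Audience field on the SSO tab
    "skew_seconds": 30,          # Skew Time (assumed)
    "enforce_single_use": True,  # Enforce Single Use Policy
}

# Constructed sample assertion (not an SMFE-issued message; unsigned, because the
# signature check happens before the checks below and is out of scope here).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2009-05-01T12:00:00Z">
  <saml:Issuer>idp.demo</saml:Issuer>
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-05-01T11:59:00Z" NotOnOrAfter="2009-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>idp.demo</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_time(value):
    """SAML dateTime in UTC ('...Z') to an aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


class AssertionValidator:
    """Applies the scheme's Issuer, validity window (with skew), Audience and single-use checks."""

    def __init__(self, scheme):
        self.scheme = scheme
        self.seen_ids = set()   # single-use store; a real SP shares this across Policy Servers

    def validate(self, xml_text, now):
        """Return (login_id, None) when the assertion is acceptable, else (None, reason)."""
        root = ET.fromstring(xml_text)
        if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
            return None, "not a SAML 2.0 Assertion"
        issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
        if issuer != self.scheme["idp_id"]:
            return None, "issuer %r is not the configured IdP" % issuer

        conditions = root.find("saml:Conditions", namespaces=SAML_NS)
        if conditions is None:
            return None, "missing Conditions"
        # Skew widens the window in both directions to absorb IdP/SP clock drift.
        skew = dt.timedelta(seconds=self.scheme["skew_seconds"])
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_time(not_before):
            return None, "assertion not yet valid"
        if not_on_or_after and now - skew >= parse_time(not_on_or_after):
            return None, "assertion expired"
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if self.scheme["audience"] not in audiences:
            return None, "audience %r not accepted" % audiences

        # Enforce Single Use Policy: the same assertion ID is never accepted twice.
        assertion_id = root.get("ID")
        if self.scheme["enforce_single_use"]:
            if assertion_id in self.seen_ids:
                return None, "assertion %s already used" % assertion_id
            self.seen_ids.add(assertion_id)

        # Default LoginID extraction: the NameID, which the Policy Server then looks up in the user store.
        login_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
        if not login_id:
            return None, "missing NameID"
        return login_id, None
```

The second presentation of the same assertion ID is refused even while the validity window is still open, which is what the single-use policy buys you against a replayed POST; an ID cache that is per-process, as here, only works if every Policy Server that can receive the assertion shares it.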

Protect the Target Resource at the SP

After configuring a SAML 2.0 authentication scheme, use this scheme in a policy that protects the target resource at the Service Provider.

To protect the target resource
1. From the System tab of the Policy Server User Interface, create a policy domain called Domain for IdP.demo Visitors.
2. Define a Web Agent. In this deployment, the Agent is sp-webagent. This is the Agent protecting the server on which the Web Agent Option Pack is installed.
3. Associate sp-webagent with the Domain for IdP.demo Visitors domain so that it protects the realm in this domain.
4. Add the user directory that holds user1.
5. To the policy domain, add a persistent realm with the following components, then click OK to save it.
   Name: SP Target Page Protection Realm
   Agent: sp-webagent
   Resource Filter: the path to the target resource at the Service Provider web server. For this deployment, the resource filter is /spsample/protected.jsp
   Authentication Scheme: Partner IdP.demo Auth Scheme
   Default Resource Protection: Protected
6. To the realm, add a rule with the following components, then click OK to save it.
   Name: SP Target Page Protection Rule
   Realm: SP Target Page Protection Realm

   Resource: *
   Web Agent Actions: Get
   Accept the defaults for all other fields.
7. Add a policy with the following components, then click OK to save it.
   Name: SP Target Page Protection Policy
   Users: add user1 so this user has access to the target
   Rules: add the SP Target Page Protection Rule
   The target resource is now protected by SiteMinder.
8. Exit the Policy Server User Interface.
9. Use HTML pages to test the federation set-up.
The protection policy for the target resource is complete.

SAML 2.0 SSO Testing

Assuming that each side of the federation network is configured and operational, test single sign-on (see page 133). You can initiate single sign-on from either the IdP or the SP.

More information:
SAML 2.0 Single Sign-on Testing (see page 133)


Chapter 9: SAML 2.0 SSO with the SMFE

This section contains the following topics:
SMFE as the Identity Provider (see page 107)
Deploy the SMFE Java Sample Application (see page 119)
Test Single Sign-on with the FSS Sample Application (see page 119)
SMFE as the Service Provider (see page 120)

SMFE as the Identity Provider

The procedures that follow show an example of setting up the SMFE as a SAML 2.0 Identity Provider. This configuration relies on the following components:
- SMFE adapter
- SMFE agent
- Sample application
- Apache Tomcat (for use by the sample Java applications)

The SMFE contains an integration kit that includes:
- An adapter that plugs into the Federation Endpoint server and encrypts data into a PFToken, which is then sent as a query parameter or browser cookie to the target consumer application. The standard adapters provide a generic interface for integrating with various applications, including Java- and .NET-based applications.
- Agent toolkits that extract data from the PFToken and pull out the relevant user data the target application needs to set a valid session cookie or other application-specific security context for the user.

Note: The SMFE Agent is not related to the SiteMinder Web Agent in any way.

Two sets of sample applications are included with the SMFE that let you use your configured Federation Endpoint to demonstrate single sign-on: one for Java and one for .NET. The Java Sample Applications use the Java Integration Kit 1.1 for integration with Federation Endpoint; the .NET Sample Applications use the .NET Integration Kit 1.1. The IdP Sample Application, IdPSample, simulates the use case where users authenticate locally to an IdP to access a remote SP application.

Important! This deployment uses the Java applications.

Configure the SMFE to Accept Artifact Requests

For single sign-on using the artifact profile, you must configure a port that accepts artifact requests. To do this, set an SMFE runtime parameter in the run.properties file.

To set up a port
1. Open the run.properties file in an editor. The file is located in:
   SMFE_install_dir/Siteminder_Federation_Endpoint/bin
2. Set the pf.secondary.https.port parameter to the port that will accept artifact requests.
3. Save the file.

In addition, when SSL client certificates are used as the authentication mechanism for the artifact back channel, the secondary listener must be configured to ask for client authentication. To do this, set the WantClientAuth field to true in the following file:
SMFE_install_dir/Siteminder_Federation_Endpoint/server/default/deploy/jetty.sar/meta-inf/jboss-service.xml

Note: These changes require a server restart.

Start the SMFE and Login to the Administrative Console

You configure SMFE features via the SMFE Administrative Console.

To start the SMFE
1. Enter the following command at the command prompt:
   Windows: SMFE_install_dir\Siteminder_Federation_Endpoint\bin\run.bat
   UNIX: SMFE_install_dir/Siteminder_Federation_Endpoint/bin/run.sh
   Note: UNIX users may have to set the executable permissions on run.sh.
2. Access the Federation Endpoint Administrative Console at its console URL, which is based on the fully qualified URL of the server running the SMFE.

3. Enter the default CA SiteMinder Federation Endpoint username and password:
   Username: Administrator
   Password: 2Federate
4. Click the Login button. The SMFE Administrative Console displays.
5. Change the Administrator password. Follow the instructions in the Federation Endpoint Quick Start Guide. The default password is published in this documentation, so do not leave it in place on any server that is reachable from a network.
Note: To shut down the SMFE, enter Ctrl-c.

Configure the Local Settings for the IdP

The Local Settings include unique federation server identifiers, the designation of your site's federation role (assertion issuer, assertion consumer, or both), and your choice of federation protocols and application integration adapters. Local settings also include system administration configuration (one-user or multi-user), notification options and setup, and shortcut links to adapter configurations and account management (when multi-user administration is enabled).

Specify the IdP Role and Protocol

You must indicate which role the SMFE fulfills in the federation network and specify the SAML protocol.

To specify the role and protocol
1. Log in to the Administrative Console and select Local Settings.
2. On the Roles and Protocols dialog, check the following options:
   Enable Identity Provider Role
   Enable SAML v2.0 protocol
3. Click Next. The Federation Info dialog appears.
4. Configure the Federation Info settings.

Specify the Federation Info Settings

In the Federation Info settings, you identify the SAML 2.0 entity.
1. In the Federation Info dialog, complete the following fields as shown:
   Base URL: (optional)
   SAML v2.0 Entity ID: idp.demo
   When the SMFE is the IdP, this is the Issuer value in the assertion.
2. Click Next.
3. Configure the IdP Adapter Instance.

Configure the IdP Adapter Instance

The IdP adapter allows the SMFE to receive a user's identity from the IdP application. If you have multiple applications, configure multiple IdP adapter instances.

To configure an IdP adapter instance
1. Go to the IdP Adapter Selection step.
2. Click Configure Adapter Instances.
3. Click Create New Adapter Instance. The Adapter Type dialog appears.
4. Complete the fields for the adapter instance with the values shown:
   Adapter Instance Name: SampleAppIDPAdapter
   Adapter Instance ID: SampleAppIDPAdapter
   Adapter Type: PF4 Standard Adapter v1.1
5. Click Next. The IdP Adapter dialog is displayed.

6. Complete only the following settings with the values shown:
   Transfer Method: query
   PFToken Holder Name: SampleIDPPFToken
   Domain: .idp.demo
   Cookie Path: /
   Password: password
   This password is shared between the sample application and the adapter.
   Authentication Service: the URL of the external application that authenticates the user. Port 9090 is the Tomcat instance where the SMFE IdpSample application is deployed.
7. Click Next.
8. Specify the adapter actions.

Specify the Adapter Actions and the Extended Adapter Contract for the IdP

The Adapter Actions are activities that the IdP adapter can perform. The Extended Adapter Contract informs the SMFE of other attributes that it sends in the assertion.

To configure the remaining settings for the IdP Adapter Instance
1. From the Adapter Actions screen, click the Generate properties link to view the adapter configuration properties.
2. Copy and save the results of the display to a separate file. For Java, the file is:
   SMFE_home\quickstart\sample_app\java\IdpSample\config\pfagent-idp.properties
   Important! When configuring the IdP Adapter, use WordPad to edit pfagent-idp.properties (Java application) or pf-agent-idp.config (.NET application) for the adapter actions. You will need one of these files later with the sample application. Save the file using the exact name (pfagent-idp.properties or pf-agent-idp.config); do not save it with a .doc, .txt or any other extension.

3. Click Next. The Extended Adapter Contract dialog is displayed.
4. In the Extended Adapter Contract dialog, click Add to configure the additional attribute.
5. Add userid as an attribute.
6. Click Next until you reach the Summary dialog.
7. On the Summary dialog, verify that the information is correct and click Done. You return to the Manage Adapter Instances dialog.
8. Click Save to complete the adapter configuration.
   Important! You must save at this point or you will lose your configuration.
9. On the IdP Adapter Selection step, click Next. The IdP Events dialog displays.
10. Specify the IdP Events (see page 112).

Designate IdP Events (SAML 2.0)

The IdP Events dialog lets you define the single logout link that the user is sent to if no such link is carried in the assertion.

To set an SLO URL
1. On the IdP Events screen, enter the URL to which the user is directed for single logout.
2. Click Next. The Summary screen is displayed with the completed Local Settings.
3. Save the IdP local settings.

Save the IdP Local Settings

The Summary screen lets you review all your local settings.

To save the local settings
1. In the Local Settings, review the summary and click Save. You return to the main menu.
2. Configure the SP connection from the SMFE to the SiteMinder FSS entity consuming assertions.

Configure the SP Connection

For the SMFE producer/IdP to issue assertions, you must define the partner connection, that is, the connection to the SiteMinder consumer/SP. This is the SP connection. This assumes that the producer/IdP initiates single sign-on.

To create an SP Connection
1. Log in to the Administrative Console. The Main menu displays.
2. Under SP Connections, select Create New.
3. Define all the settings associated with an SP Connection:
   Roles & Protocols
   General Info
   IdP Web SSO SAML Profiles
   Credentials
   Activation
4. Verify the Roles & Protocols.

Verify the SAML 2.0 Role and Protocol for the SP Connection

The SMFE is acting as an Identity Provider and therefore has to establish a connection to a Service Provider.

To verify the role and protocol for the connection
1. On the Role & Protocol dialog, ensure the following settings:
   Connection Type: SP
   Protocol: SAML v2.0
2. Click Next.
3. Configure the General Info settings.

Configure General Info for the SAML 2.0 SP Connection

The General Info identifies the partner consuming assertions, in this case SiteMinder FSS.

To specify the General Info
1. From the SP Connection tab, select General Info.
2. Complete the fields with the values shown:
   Partner's Entity ID (Connection ID): sp.demo
   Base URL: the base host of the SMFE web server. By specifying a base URL, you can enter relative URLs elsewhere in the configuration, which makes configuration more efficient. If you configure the Base URL for an artifact profile configuration, the URL must begin with https:// because SiteMinder requires that the back-channel authentication for the artifact profile occur over a secure connection. The POST profile does not need to return to the producer, so for POST this URL is irrelevant. The exception is the FSS sample application, which does not require that the URL begin with https://.
3. Leave the remaining fields blank.
4. Click Next. The Assertion Lifetime dialog is displayed.
5. Specify the SAML 2.0 Assertion Lifetime.

Set the SAML 2.0 Assertion Lifetime

The assertion lifetime is the validity period of the assertion. Allowing time before and after issue accounts for clock differences between the IdP and SP; the window should be no wider than that, because it is also the period during which a captured assertion remains usable at the SP.

To specify an assertion lifetime
1. From the SP Connection tab, select the Assertion Lifetime dialog.
2. Complete the following fields with the values shown:
   Minutes before: 500
   Minutes after:

3. Click Next.
4. Select the SAML 2.0 profiles.

Choose the SAML 2.0 Profiles for the SP Connection

The SAML Profiles dialog is where you select the profiles you use to communicate with a federated partner. When the SMFE is the Identity Provider, configure this information for the SP connection.

To select SAML 2.0 SSO profiles
1. From the SP Connection tab, select the SAML Profiles step.
2. Check IdP-Initiated SSO and SP-Initiated SSO.
3. Click Next.
4. Complete the Web SSO configuration.

Configure the SAML 2.0 Web SSO Settings for the SP Connection

The Web SSO settings define the single sign-on bindings (artifact and POST).

To configure Web SSO for the POST or artifact binding
1. From the SP Connection tab, select Web SSO Settings.
2. Click Configure Web SSO. The Web SSO steps are displayed.
3. In the Identity Mapping step, select Standard, then click Next. The Attribute Contract dialog is displayed.
4. In the Attribute Contract dialog, verify that SAML_SUBJECT is the value and click Next. The Attribute Contract is where you define additional attributes to be sent to the SAML partner.
5. In the IdP Adapter Mapping step, you map attributes between the IdP adapter and the assertion sent to the target application.
   a. For the Adapter Instance, select SampleAppIDPAdapter, then click Next. This adapter authenticates users to the IdP.
   b. In the Adapter Data Store step, select the radio button for "Use only the attributes available in the SSO Assertion." Click Next.

   c. In the Attribute Contract Fulfillment step, complete the following fields with the values shown:
      Source: Adapter
      The Source value is Adapter because the SMFE as the IdP generates the assertion from the data the adapter supplies.
      Value: userid
6. Click Next to review the Summary.
7. After reviewing the Summary, click Done. You return to the IdP Adapter Mapping dialog.
8. Click Next.
9. In the Assertion Consumer Service URL step, complete the following fields as shown, then click Next:
   Index: 1
   Binding: POST or Artifact
   Endpoint URL: the assertion consumer service URL at the SP
10. If you are using the artifact binding, go to the Artifact Resolver Locations step and complete the Index and URL fields.
11. Click Next until you reach the Summary dialog. You can skip the Signature Policy and Encryption Policy steps.
12. Review the Summary, then click Done. You return to the main SP Connection dialog.
13. Complete one or both of the following, depending on the bindings you are configuring:
   credentials for POST responses
   credentials for the artifact back-channel authentication

Configure Credentials for the SAML 2.0 Artifact Back-Channel

For the artifact profile, the SMFE sends the assertion across a secure back channel to the SiteMinder partner consuming assertions. In the Credentials dialog, you specify what SiteMinder must present to the SMFE as credentials for access across the back channel.

To configure the credentials for the back channel
1. From the SP connection main menu, click Credentials. The Credentials dialog opens.
2. Click Configure Credentials.
3. Select Back-Channel Authentication. The Back-Channel Authentication dialog opens.
4. Click Configure on the right side of the dialog. The Inbound SOAP Authentication Type dialog opens.
5. Select HTTP Basic, then click Next. The Basic SOAP Authentication (Inbound) dialog is displayed.
6. Complete the following fields with the values shown:
   SOAP Username: sp.demo
   Password: password
   The values you enter for these fields must match the SP Name and Password specified in the SiteMinder Policy Server User Interface for the SAML 2.0 authentication scheme's back channel configuration. Contact the SiteMinder administrator for these values; the value password is a placeholder for this deployment only.
7. After entering these values, click Next.
8. Do one of the following:
   Configure credentials to sign POST responses (see page 118)
   Click Next until you reach the Summary dialog
9. On the Summary screen, click Done. You return to the Credentials dialog.
10. Click Save.
11. Activate the SP connection.
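The Backchannel tab at the SiteMinder SP and the Inbound SOAP Authentication settings above describe the two ends of one exchange: the SP decodes the artifact it received, checks that it was issued by the configured IdP, and sends a SOAP ArtifactResolve with HTTP Basic credentials over SSL to the SMFE's resolution service. The following Python is an added example written for this page, not code from the guide, from SiteMinder or from the SMFE, that performs the SP side of that exchange up to the point of sending. The artifact layout and the SHA-1 SourceID derivation come from the SAML 2.0 Bindings specification's artifact format; the sp.demo/password credentials and the idp.demo and sp.demo entity IDs are the guide's; the resolution service URL and the CA file name docca.crt are assumptions, and no network request is made. Function names are this example's own.

```python
import base64
import hashlib
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Values from this guide (Backchannel tab at the SP / Inbound SOAP auth at the SMFE).
IDP_ENTITY_ID = "idp.demo"
SP_ENTITY_ID = "sp.demo"
SP_NAME, SP_PASSWORD = "sp.demo", "password"
# Assumed: the guide does not print the resolution service URL or the CA file path.
RESOLUTION_SERVICE = "https://smfe.idp.demo:9031/idp/ARS.ssaml2"
CA_FILE = "docca.crt"

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_ARTIFACT_TYPE = b"\x00\x04"   # SAML 2.0 artifact type code


def source_id(entity_id):
    """SourceID is the SHA-1 of the issuing entity ID (SAML 2.0 Bindings, artifact format)."""
    return hashlib.sha1(entity_id.encode()).digest()


def make_artifact(issuer_entity_id, endpoint_index, handle=None):
    """TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20), base64-encoded."""
    handle = os.urandom(20) if handle is None else handle
    raw = SAML_ARTIFACT_TYPE + endpoint_index.to_bytes(2, "big") + source_id(issuer_entity_id) + handle
    return base64.b64encode(raw).decode()


def parse_artifact(artifact, expected_issuer):
    """Decode an artifact and check it was issued by the configured IdP; returns (endpoint_index, handle)."""
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or raw[:2] != SAML_ARTIFACT_TYPE:
        raise ValueError("unsupported artifact type or length")
    if raw[4:24] != source_id(expected_issuer):
        raise ValueError("artifact SourceID does not match the configured IdP")
    return int.from_bytes(raw[2:4], "big"), raw[24:]


def artifact_resolve_body(artifact, request_id, issue_instant):
    """SOAP envelope carrying the samlp:ArtifactResolve that the SP sends over the back channel."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<samlp:ArtifactResolve xmlns:samlp="%s" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%s" Version="2.0" IssueInstant="%s">'
        '<saml:Issuer>%s</saml:Issuer><samlp:Artifact>%s</samlp:Artifact>'
        '</samlp:ArtifactResolve></soap:Body></soap:Envelope>'
        % (SAMLP_NS, escape(request_id), escape(issue_instant), escape(SP_ENTITY_ID), escape(artifact))
    )


def artifact_from_resolve(body):
    """What the SMFE resolution service does first: pull the artifact out of the ArtifactResolve."""
    return ET.fromstring(body).findtext(".//{%s}Artifact" % SAMLP_NS)


def backchannel_request(url, body):
    """Build the POST with the HTTP Basic credentials from the Backchannel tab (not sent here)."""
    token = base64.b64encode(("%s:%s" % (SP_NAME, SP_PASSWORD)).encode()).decode()
    return urllib.request.Request(url, data=body.encode(), method="POST", headers={
        "Authorization": "Basic " + token,
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": '""',
    })


def backchannel_ssl_context(cafile):
    """Trust only the CA imported into the smkeydatabase and check the server name against the URL host."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    art = make_artifact(IDP_ENTITY_ID, 1)
    idx, handle = parse_artifact(art, IDP_ENTITY_ID)
    req = backchannel_request(RESOLUTION_SERVICE, artifact_resolve_body(art, "_req1", "2009-05-01T12:00:00Z"))
    # urllib.request.urlopen(req, context=backchannel_ssl_context(CA_FILE)) would send it.
    print(idx, handle.hex(), req.get_header("Authorization"))
```

Basic credentials are only as private as the channel, which is why the guide insists on https:// for the artifact configuration: the context built here rejects any server certificate not chaining to the imported CA and any certificate whose name does not match the resolution service host, the same requirement the smkeydatabase section states for the Owner CN. The ArtifactResponse that comes back carries the assertion, which is then subject to the same issuer, audience, lifetime and single-use checks as a POST-profile assertion.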

Configure Credentials to Sign SAML 2.0 POST Responses

For POST profile single sign-on, you must sign the assertion response with a certificate. You can create a new certificate or import an existing one to sign assertions. In this deployment, you import a certificate.

To import a certificate for signing assertions
1. Go to the Credentials step for the SP connection.
2. Click Configure Credentials.
3. Navigate to the Digital Signature Settings dialog and click Manage Certificates. The Manage Digital Signing Certificates dialog opens.
4. Import a certificate according to the instructions in the Federation Endpoint Quick Start Guide.
5. Use the following values in the Import Certificate dialog:
   Filename: c:\smfe_install_dir\certs\pingtest_signing_cert.p12
   Password: federate
   SiteMinder places the public key (certificate) from this file in its smkeydatabase to verify the signature; the private key in the .p12 file stays on the SMFE.
6. After completing the import of the certificate, review the Summary and click Done. You return to the Credentials step.
7. Activate the SP connection.

Activate and Save the SP Connection

Now that you have configured an SP connection to SiteMinder, activate the connection.

To activate the SP connection
1. From the SP Connection tab, select Activation & Summary. The Activation & Summary dialog is displayed.
2. Click the Active radio button.
3. Review the summary of the SP connection settings.

4. Click Save.
5. Deploy the sample IdP application.

Deploy the SMFE Java Sample Application

To test that producer- or IdP-initiated single sign-on is configured properly at the SMFE, first configure and deploy the IdpSample application located in the directory SMFE_home\quickstart\sampleapp\java\IdpSample\config.

To set up the IdP sample application
1. Configure the IdpSample Java application.
2. Deploy the application in the Tomcat server.
3. Assuming the federated partner is configured, test single sign-on using the IdP sample application.
For instructions about using the IdP sample application, see the Federation Endpoint Quick Start Guide.

Test Single Sign-on with the FSS Sample Application

You have completed a manual configuration; however, if you previously ran the FSS sample application script, SetupFederationSample.pl, you can use the web pages included with the FSS sample application to test SAML 2.0 IdP-initiated single sign-on. If you did not run the FSS sample application, you will have to use your own web pages to test single sign-on.

To prepare for the test
Be sure that the web pages you are using to test single sign-on are copied to your web server's document root directory. Then test single sign-on (see page 133).

SMFE as the Service Provider

The procedures that follow show an example of setting up the SMFE as a SAML 2.0 Service Provider. This configuration relies on the following components:
- SMFE adapter
- SMFE agent
- Sample application
- Apache Tomcat (for use by the sample Java applications)

The SMFE contains an integration kit that includes:
- An adapter that plugs into the Federation Endpoint server and encrypts data into a PFToken, which is then sent as a query parameter or browser cookie to the target consumer application. The standard adapters provide a generic interface for integrating with various applications, including Java- and .NET-based applications.
- Agent toolkits that extract the data from the PFToken and pull out the relevant user data the target application needs to set a valid session cookie or other application-specific security context for the user.

Note: The SMFE Agent is not related to the SiteMinder Web Agent.

In addition to the SiteMinder sample application, two sets of SMFE sample applications are available that let you use your configured Federation Endpoint to demonstrate single sign-on processing: one for Java and one for .NET. The Java Sample Applications use the Java Integration Kit 1.1 for integration with Federation Endpoint; the .NET Sample Applications use the .NET Integration Kit 1.1. The SMFE Sample Application, SPSample, simulates the use case where users authenticate with a local application through a remote IdP.

Important! The manual steps to set up single sign-on and single logout use the SiteMinder sample application.

Start the SMFE and Login to the Administrative Console

You configure SMFE features via the SMFE Administrative Console.

To start the SMFE
1. Enter the following command at the command prompt:
   Windows: SMFE_install_dir\Siteminder_Federation_Endpoint\bin\run.bat
   UNIX: SMFE_install_dir/Siteminder_Federation_Endpoint/bin/run.sh
   Note: UNIX users may have to set the executable permissions on run.sh.
2. Access the Federation Endpoint Administrative Console at its console URL, which is based on the fully qualified URL of the server running the SMFE.
3. Enter the default CA SiteMinder Federation Endpoint username and password:
   Username: Administrator
   Password: 2Federate
4. Click the Login button. The SMFE Administrative Console displays.
5. Change the Administrator password. Follow the instructions in the Federation Endpoint Quick Start Guide.
Note: To shut down the SMFE, enter Ctrl-c.

Configure the Local Settings for the SP

The Local Settings include unique federation server identifiers, the designation of your site's federation role (SP, IdP, or both), and your choice of federation protocols and application integration adapters. Local settings also include system administration configuration (one-user or multi-user), notification options and setup, and shortcut links to adapter configurations and account management (when multi-user administration is enabled).

Specify the SAML 2.0 Entity ID

You must provide a unique identifier for the SMFE acting as the SAML 2.0 Service Provider so that you can communicate with your federated part
ner.

To specify an entity ID
1. From the main menu, go to the My Server section and select Local Settings. The Local Settings configuration steps are displayed.
2. Navigate to the Federation Info step.
3. Complete the following fields as shown:
   Base URL: the base URL makes configuration of other URLs for your system more efficient. By specifying a base URL, you can enter relative URLs elsewhere in the configuration.
   Note: If you configure the Base URL for an artifact profile configuration, the URL must begin with https:// because the artifact profile requires a secure connection. The POST profile does not need to return to the IdP, so for POST this URL is irrelevant.
   SAML v2.0 Entity ID: sp.demo
4. Click Next to navigate to the SP Adapter Selection.

Configure the SP Adapter Instance (SAML 2.0)

Configure an SP adapter instance to define the communication between the SMFE and the system with the target resources. The SP adapter allows the SMFE to supply the information the target application needs to set a valid session cookie or other application-specific security context for the user.

Note: This deployment uses the adapter that works with the SMFE Java Integration Kit.

To configure an SP adapter instance
1. Log on to the Administrative Console.
2. From the Main dialog, select Local Settings.
3. Select the SP Adapter Selection.
4. Click Configure Adapter Instances. The Manage Adapter Instances dialog displays.

5. Select Create New Adapter Instance. The Adapter Type dialog opens. Complete the fields for the adapter instance with the values shown:

   Adapter Instance Name: SampleAppSPAdapter
   Adapter Instance ID: SampleAppSPAdapter
   Adapter Type: PF4 Standard Adapter v1.1

6. Click Next. The SP Adapter Instance displays.

7. Click on the SP Adapter Instance option.

8. Complete only the following settings with the values shown:

   Transfer Method: query
   Domain: .sp.demo
   PFToken Holder Name: SampleSPPFToken
   Cookie Path: /
   Password: password
      This is a password between the target system and the SMFE.
   Authentication Service:
      This is the URL where the user is sent for a single sign-on event. Port 9090 is the Tomcat instance where the SMFE SpSample application is deployed.

9. Specify the SP adapter actions.

Set Up the SP Adapter Actions and Extended Adapter Contract (SAML 2.0)

The Adapter Actions are functions that the SP adapter can perform. The Extended Adapter Contract informs the SMFE about other attributes included in the assertion from the producer.

To configure the remaining settings for the SP Adapter Instance

1. Go to the Adapter Actions screen and click the Generate properties link to view the adapter configuration properties.

2. Copy and save the results of the display to a separate file. For Java the file is:

   Important! When configuring the SP Adapter, use WordPad to edit the pfagent-sp.properties (Java application) or pf-agent-sp.config (.NET application) for configuring the Adapter Actions. You will need one of these files later for use with the Sample Application. Also, save the file with the exact name (pfagent-sp.properties or pf-agent-sp.config). Do not save the file using .doc, .txt or any other extension.

3. Click Next.

4. On the Extended Adapter Contract dialog, configure an additional attribute of userid for the adapter. Click Next. The Summary screen is displayed.

5. On the Summary screen, verify that the information is correct and click Done. You return to the Manage Adapter Instances dialog.

6. Click Save to complete the adapter configuration. You return to the main Local Settings dialog.

   Important! Remember to save at this point or you will lose your configuration.

7. Click Next. The SP Events dialog displays.

8. Configure SP Events.

Configure SP Events (SAML 2.0)

The SP Events dialog lets you define the single sign-on link, that is, the target URL that the user is sent to if the single sign-on link is not in the assertion.

To set up the SP Events

On the SP Events screen, enter the URL where the user will be redirected when single sign-on has succeeded. The link is:

   Important! If the RelayState parameter is supplied in the assertion sent by SiteMinder, the SMFE uses it to determine the target application, overriding the value you enter for the URL.

1. Click Next. The Summary screen is displayed with the completed local settings.

2. Save the local SP settings for the SP connection.

Save the Local SP Settings

The Summary screen lets you review all your local settings.

To save the local settings

1. From the Summary dialog in the Local Settings tab, click Save. You return to the main menu.

2. Set up the IdP connection to SiteMinder. This is the connection between the SMFE consuming assertions and the SiteMinder system issuing assertions, referred to as the IdP Connection.

Set Up the IdP Connection

For the SMFE to receive assertions, you need to define the partner connection, which in this case is the connection to SiteMinder FSS that is issuing assertions. In the SMFE user interface, this means you define an IdP connection between the SMFE and SiteMinder FSS. With a single license key, you are restricted to creating a single connection to SiteMinder FSS.

Note: This procedure assumes that the IdP is initiating single sign-on.

To create an IdP Connection

1. Log in to the Administrative Console. The Main menu displays.

2. Under the IdP Connections, select Create New.

3. Define all the settings associated with an IdP Connection:

   Role & Protocol
   General Info
   IdP Web SSO
   SAML Profiles
   Credentials
   Activation

4. Verify the Role & Protocol.

Verify the SAML 2.0 Role and Protocol for the IdP Connection

The SMFE is consuming assertions, so the connection type must be an IdP connection, that is, a connection to the partner issuing assertions.

To verify the role and protocol for the connection

1. On the Role & Protocol dialog, enter the following settings:

   Connection Type: IdP
   Protocol: SAML v2.0

2. Click Next.

3. Configure the General Info settings.

Specify the SAML 2.0 General Info

The General Info defines the Identity Provider, in this case, SiteMinder FSS.

To specify the General Info

1. Enter values for the following, as shown:

   Partner's Entity ID (Connection ID): idp.demo
      This value is the AssertionIssuerID of the entity that issues assertions. The AssertionIssuerID is specified in the SiteMinder IdP's AMAssertionGenerator.properties file. This file is located at policy_server_home/config/properties.
      Note: The AssertionIssuerID cannot be used for the Partner's Entity ID if it is already in use for another IdP connection, even if the other connection is inactive. If a SAML 1.x connection exists for this field, it must be deleted before a SAML 2.0 connection for the same entity ID can be created.

   Base URL (optional)
      This URL is where the Web Agent Option Pack is installed. The base URL makes configuration of endpoints more efficient. By specifying a base URL, you can then enter relative URLs in other parts of the configuration. In this example, this is the base host of the web server where the Web Agent Option Pack is installed.
      Note: If you configure the Base URL for an artifact profile configuration, you must begin the URL with because the artifact profile requires a secure connection. The POST profile does not need to return to the producer, so this URL is irrelevant.

2. You can leave the other fields blank.

3. Click Next. The SAML Profiles dialog is displayed.

4. Choose the SAML 2.0 profiles.

Choose the SAML 2.0 Profiles for the IdP Connection

The SAML Profiles dialog is where you select the bindings that you use to communicate with a federated partner. When the SMFE is the Service Provider, configure this information for the IdP connection.

To select SAML 2.0 SSO bindings

1. From the IdP Connection tab, select the SAML Profiles step.

2. Check IdP-Initiated SSO and SP-Initiated SSO.

3. Click Next.

4. Complete the Web SSO Configuration for the IdP Connection.

Configure SAML 2.0 Web SSO Settings for the IdP Connection

The Web SSO settings define the single sign-on profiles (artifact and POST).

To configure Web SSO for POST or Artifact Profile

1. From the Web SSO settings, click Configure Web SSO.

2. In the Identity Mapping step, select Account Mapping.

3. In the Attribute Contract dialog, verify that SAML_SUBJECT is the value and click Next. The Attribute Contract is where you define additional attributes to be sent to the SAML partner.

4. In the Adapter Mapping & User Lookup dialog, click on Map New Adapter Instance. You can map attributes from the assertion to the IdP adapter and the target application. Complete the following fields with the values shown:

   Adapter Instance: SampleAppSPAdapter
      This adapter authenticates users to the producer.
   Adapter Data Store: Use only the attributes available in the SSO Assertion
   Attribute Contract Fulfillment: Source=Assertion, Value=SAML_SUBJECT

5. Click Next to review the Summary for the Adapter, then click Done to save the changes. You are taken back to the Adapter Mapping tab.

6. Click Next. The SSO Service URLs tab is displayed. The SSO Service URL configuration applies only to SP-initiated SSO.

7. In the SSO Service URL dialog, complete the following fields with the values shown:

   Binding: Redirect
   Endpoint URL:

8. Click Next. The Allowable SAML Bindings dialog is displayed.

9. In the Allowable SAML Bindings tab, select all three bindings (Artifact, POST, Redirect), then click Next.

10. Skip the Artifact Lifetime step. The Artifact Resolver Locations dialog displays.

11. In the Artifact Resolver Locations dialog, complete the following fields with the values shown:

   Index: 0
   URL:

   Note: You can enter a relative URI if you have configured a Base URL.

12. Click Next until you reach the Summary dialog. Skip the Signature Policy and Encryption Policy steps. The Summary dialog is displayed.

13. Review the Summary, then click Done. You return to the main IdP Connection dialog.

14. Complete one or both of the following steps, depending on the bindings you are configuring:

   credentials for the artifact back-channel authentication (see page 129)
   credentials for SAML 2.0 signature verification (see page 130)

Set Up the Artifact Back Channel for the IdP Connection

To configure the artifact back channel for the IdP Connection

1. In the Back-Channel Authentication page, click Configure to the right of the option "Send to your partner: Artifact Resolution Requests". The Outbound SOAP Authentication Type dialog displays.

2. Select HTTP Basic and deselect all other options. Click Next. The Basic SOAP Authentication (Outbound) dialog is displayed.

3. Complete the fields with the values shown, then click Next:

   Username: sp.demo
      The value you specify for the username should be the same value as the name of the Service Provider object configured at the FSS IdP.
   Password: password
   Confirm Password: password

   The Summary page is displayed.

4. Review the summary, then click Done. You return to the Back Channel configuration.

5. Click Next until you reach the Signature Verification step.

Specify Credentials for SAML 2.0 Signature Verification

In the Digital Signature settings for the IdP Connection, configure the certificate that enables the SMFE to verify signed assertions generated by POST single sign-on. For more information on importing certificates, see the Federation Endpoint Quick Start Guide.

To set up signature verification at the SMFE

1. From the Credentials dialog, select Signature Verification Certificate.

2. Click Manage Certificates.

3. In the Manage Digital Verification Certificates dialog, click Import.

4. In the Import Certification dialog, click Browse and select the certificate of the key/certificate pair used in the smkeydatabase for digitally signing the assertion. For this deployment, select the certificate named idp-port-com-signing.cer. You are importing the public key sent from SiteMinder, the assertion issuer, for signature verification. The public key is associated with the private key that signed the assertion. This is the certificate that was exported from SiteMinder's smkeydatabase. The certificate information is displayed in the certificate summary page.

   Important! When SiteMinder is the entity issuing assertions, do not require that the assertions be digitally signed when configuring the SMFE to consume assertions. SiteMinder only supports signing of the entire response and not the assertion in the response.

5. Click Next. The Signature Verification Certificate dialog is displayed.

6. In the Signature Verification Certificate dialog, select the imported certificate under the primary certificate. Click Next to view the summary.

   Note: You can also specify a primary and secondary certificate to ensure that a certificate is always valid. If the primary expires, then the secondary is used.

7. In the Summary page, the back-channel authentication and the digital signing verification certificates are listed.

8. Click Done to return to the main Credentials page.

9. Activate the IdP connection.
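As an added illustration that is not part of this guide, the following Python script checks an inbound SAML 2.0 Response against the values configured above: the Response and Assertion Issuer must equal the Partner's Entity ID (idp.demo), the Audience must contain the local SAML v2.0 Entity ID (sp.demo), and the script reports whether the ds:Signature sits on the Response or on the Assertion, which matters because SiteMinder signs only the entire response. The sample Response and its placeholder signature value are constructed, and the script performs no cryptographic verification; it is a structural pre-flight check only.

```python
"""Structural pre-flight check of a SAML 2.0 Response arriving at the SMFE SP.

Added example, not part of the CA deployment guide. It does not verify the XML
signature cryptographically; it checks the fields the guide tells you to line
up (Issuer = Partner's Entity ID, Audience = local Entity ID, Status = Success)
and where the ds:Signature element sits, since SiteMinder signs the whole
Response rather than the Assertion inside it.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values taken from the guide's example configuration.
PARTNER_ENTITY_ID = "idp.demo"   # Partner's Entity ID on the IdP Connection
LOCAL_ENTITY_ID = "sp.demo"      # SAML v2.0 Entity ID in Local Settings

# Constructed sample: a Response signed at the Response level, as SiteMinder
# FSS produces. The signature content is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Issuer>idp.demo</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>idp.demo</saml:Issuer>
    <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>sp.demo</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def check_response(xml_text, partner_id=PARTNER_ENTITY_ID, local_id=LOCAL_ENTITY_ID):
    """Return a dict of findings; findings['problems'] is empty when all checks pass."""
    root = ET.fromstring(xml_text)
    problems = []
    findings = {"problems": problems}

    # 1. Response Issuer must equal the Partner's Entity ID of the IdP Connection.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    findings["issuer"] = issuer
    if issuer != partner_id:
        problems.append(f"Response Issuer {issuer!r} != configured partner {partner_id!r}")

    # 2. Signature location: SiteMinder signs the Response, not the Assertion.
    assertions = root.findall("saml:Assertion", NS)
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = any(a.find("ds:Signature", NS) is not None for a in assertions)
    findings["response_signed"] = response_signed
    findings["assertion_signed"] = assertion_signed
    if not response_signed and not assertion_signed:
        problems.append("no ds:Signature at Response or Assertion level")
    elif assertion_signed and not response_signed:
        findings["note"] = "assertion-level signature only; SiteMinder FSS does not produce this"

    # 3. Each Assertion's Issuer and Audience must match the two entity IDs.
    for assertion in assertions:
        a_issuer = assertion.findtext("saml:Issuer", namespaces=NS)
        if a_issuer != partner_id:
            problems.append(f"Assertion Issuer {a_issuer!r} != {partner_id!r}")
        audiences = [e.text for e in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        findings["audiences"] = audiences
        if local_id not in audiences:
            problems.append(f"Audience {audiences} does not include local entity {local_id!r}")

    # 4. Status must be Success before any of the above is worth acting on.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    findings["status"] = status.get("Value") if status is not None else None
    if findings["status"] != SUCCESS:
        problems.append(f"StatusCode {findings['status']!r} is not Success")
    return findings


if __name__ == "__main__":
    for key, value in check_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```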

Activate and Save the IdP Connection

Now that you have configured an IdP connection that defines SiteMinder, you activate this connection.

To activate the IdP connection

1. Select the Activation & Summary step. The Activation & Summary dialog is displayed.

2. Click the Active radio button.

3. Review the summary of the IdP connection settings.

4. Click Save.

5. Deploy the SP sample application.

Deploy the SMFE SP Sample Application

To test that consumer (SP) single sign-on is configured properly at the SMFE, first configure and deploy the SpSample application. The SpSample application is located in the directory SMFE_home\quickstart\sampleapp\java\SpSample\config.

Before you can verify that single sign-on works

1. Configure the SpSample Java application.

2. Deploy the application in the Tomcat server.

3. Assuming the federated partner is configured, test single sign-on using the SP sample application. For instructions, see the Federation Endpoint Quick Start Guide.

SAML 2.0 SSO Testing

Assuming that each side of the federation network is configured and operational, test single sign-on (see page 133). You can initiate single sign-on from either the IdP or the SP.

More information:
SAML 2.0 Single Sign-on Testing (see page 133)


Chapter 10: SAML 2.0 Single Sign-on Testing

This section contains the following topics:

Test SAML 2.0 SSO with FSS as the Identity Provider (see page 133)
Test SAML 2.0 SSO with SMFE as the Identity Provider (see page 136)

Test SAML 2.0 SSO with FSS as the Identity Provider

To test single sign-on, you can use the web pages included with the SiteMinder sample application, provided that you have previously run the FSS sample application. If you do not run the FSS sample application, you have to use your own web pages.

The FSS sample application pages are located in the following folders:

   policy_server_home/samples/federation/content/idpsample
   policy_server_home/samples/federation/content/spsample

Important! If you have run the sample application, the idpsample and spsample folders are automatically copied into your web server's document root directory.

Using Your Own HTML Pages

If you choose to use your own HTML pages to test single sign-on instead of the web pages provided by the SiteMinder sample application, the HTML pages must contain the appropriate links. For IdP-initiated SSO, be sure your pages include the following:

   For artifact SSO, include the following intersite transfer URL:
   ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

   For POST SSO, include the following intersite transfer URL:

Note: The SPID value in the intersite transfer URL must match the SP ID value specified by the SAML Service Provider Properties configured at the FSS IdP. The SP ID field is on the General tab of the SAML Service Provider Properties dialog.

Chapter 10: SAML 2.0 Single Sign-on Testing 133

To test federated single sign-on

1. Open up a browser.

2. Enter the URL for the web page that has links to trigger single sign-on.

   For IdP-initiated single sign-on, access the index.jsp page at:

   For SP-initiated single sign-on, access the index.jsp page at:

   [Figure: the IdP.demo home page]

   [Figure: the SP.demo home page]

3. Click on one of the single sign-on links. A login challenge is presented.

   [Figure: login challenge]

4. For SMFE-to-FSS communication, enter the following credentials in the login dialog:

   Username: user1
   Password: password

   Be sure that user1 exists in the SMFE and FSS user stores.

If single sign-on is successful, you should see the welcome page.

   [Figure: welcome page]

To see the assertion generated by SiteMinder, go to the FWSTrace.log file, located in the directory web_agent_home/log.

Test SAML 2.0 SSO with SMFE as the Identity Provider

To test single sign-on at the SMFE site, you can use the web pages included with the SiteMinder sample application, provided you have previously run the FSS sample application. If you do not run the FSS sample application, you have to use your own web pages.

The FSS sample application web pages are located in the following directories:

   policy_server_home/samples/federation/content/idpsample
   policy_server_home/samples/federation/content/spsample

Important! If you have run the sample application, the idpsample and spsample folders are automatically copied into your web server's document root directory.

If you choose to use your own HTML page to test SP-initiated single sign-on, it must contain a hard-coded link to the AuthnRequest service for SiteMinder FSS, which in this case is the SP. For this deployment, the link for POST binding is:

The AuthnRequest Service redirects the user to the Identity Provider specified in the link to retrieve the user's authentication context. After the Identity Provider authenticates the user and establishes a session, it directs the user back to the target resource at the Service Provider.

Note: The ProviderID in the AuthnRequest link must match the IdP ID field value specified by the SAML authentication scheme at the SP. The IdP ID field is located on the Scheme Setup tab of the Authentication Scheme Properties dialog.

To test SAML 2.0 SSO with the SMFE as the Identity Provider

1. Start the SMFE.

2. Start the Tomcat server.

3. Open a browser.

4. Enter the URL for the web page that has links to trigger single sign-on.

   For IdP-initiated single sign-on, access the index.jsp page at:

   For SP-initiated single sign-on, access the index.jsp page at:

   [Figure: the IdP.demo home page]

   [Figure: the SP.demo home page]

5. Click on one of the single sign-on links. A login challenge is presented.

   [Figure: login challenge]

6. For SMFE-to-FSS communication, enter the following credentials in the login dialog:

   Username: user1
   Password: password

   Be sure that user1 exists in the SMFE and FSS user stores.

If single sign-on is successful, you should see the welcome page.

   [Figure: welcome page]


CA Nimsoft Monitor. Probe Guide for DHCP Server Response Monitoring. dhcp_response v3.2 series CA Nimsoft Monitor Probe Guide for DHCP Server Response Monitoring dhcp_response v3.2 series Legal Notices This online help system (the "System") is for your informational purposes only and is subject

More information

OneClick. Installation Guide. Document 5142

OneClick. Installation Guide. Document 5142 OneClick Installation Guide Document 5142 Notice This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to as the "Product")

More information

CA ARCserve Backup for Windows

CA ARCserve Backup for Windows CA ARCserve Backup for Windows Release Summary r12 SP1 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational

More information

CA Workload Automation Agent for Oracle E-Business Suite

CA Workload Automation Agent for Oracle E-Business Suite CA Workload Automation Agent for Oracle E-Business Suite Implementation Guide r11.3, Second Edition This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter

More information

CA Identity Governance

CA Identity Governance CA Identity Governance Configuration Guide 12.6.02a This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

SPECTRUM. Multicast Manager User Guide (5132) r9.0

SPECTRUM. Multicast Manager User Guide (5132) r9.0 SPECTRUM Multicast Manager User Guide (5132) r9.0 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational

More information

CA ehealth. Setting Up Service Availability 2.0. r6.1

CA ehealth. Setting Up Service Availability 2.0. r6.1 CA ehealth Setting Up Service Availability 2.0 r6.1 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational

More information

CA Nimsoft Monitor. Probe Guide for iseries Job Monitoring. jobs v1.3 series

CA Nimsoft Monitor. Probe Guide for iseries Job Monitoring. jobs v1.3 series CA Nimsoft Monitor Probe Guide for iseries Job Monitoring jobs v1.3 series Contact CA Contact CA Support For your convenience, CA Technologies provides one site where you can access the information that

More information

CA DLP. NBA Release Notes. Release 14.0

CA DLP. NBA Release Notes. Release 14.0 CA DLP NBA Release Notes Release 14.0 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is for your informational

More information

CA ARCserve Replication and High Availability for Windows

CA ARCserve Replication and High Availability for Windows CA ARCserve Replication and High Availability for Windows Virtualized Server Environments Operation Guide r15 This documentation and any related computer software help programs (hereinafter referred to

More information

CA Cloud Service Delivery Platform

CA Cloud Service Delivery Platform CA Cloud Service Delivery Platform Service Problems and Faults Release 1.1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as

More information

CA Spectrum. Remote Operations Suite User Guide. Release 9.3

CA Spectrum. Remote Operations Suite User Guide. Release 9.3 CA Spectrum Remote Operations Suite User Guide Release 9.3 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Oracle Utilities Opower Solution Extension Partner SSO

Oracle Utilities Opower Solution Extension Partner SSO Oracle Utilities Opower Solution Extension Partner SSO Integration Guide E84763-01 Last Updated: Friday, January 05, 2018 Oracle Utilities Opower Solution Extension Partner SSO Integration Guide Copyright

More information

CA Agile Vision and CA Product Vision. Integration Guide

CA Agile Vision and CA Product Vision. Integration Guide CA Agile Vision and CA Product Vision Integration Guide Spring 2012 This documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

CA ARCserve Replication and High Availability

CA ARCserve Replication and High Availability CA ARCserve Replication and High Availability Virtualized Server Environments Operation Guide for Windows r16 This Documentation, which includes embedded help systems and electronically distributed materials,

More information

CA SiteMinder Federation Standalone

CA SiteMinder Federation Standalone CA SiteMinder Federation Standalone Federation Standalone Release Notes r12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred

More information

CA ARCserve Backup for Windows

CA ARCserve Backup for Windows CA ARCserve Backup for Windows Release Summary r12.5 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational

More information

CA ERwin Data Modeler

CA ERwin Data Modeler CA ERwin Data Modeler Installation Guide Version 9.0.0 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation )

More information

Condition Correlation

Condition Correlation Condition Correlation User Guide Document 5175 Notice This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to as the "Product")

More information

Connector for CA Unicenter Service Desk & CA Software Change Manager for Distributed Product Guide. Service Pack

Connector for CA Unicenter Service Desk & CA Software Change Manager for Distributed Product Guide. Service Pack Connector for CA Unicenter Service Desk & CA Software Change Manager for Distributed Product Guide Service Pack 02.0.1 This Documentation, which includes embedded help systems and electronically distributed

More information

CA Performance Center

CA Performance Center CA Performance Center CA Report Information Base API Guide 2.4.1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

CA Identity Manager. User Console Design Guide. r12.5 SP8

CA Identity Manager. User Console Design Guide. r12.5 SP8 CA Identity Manager User Console Design Guide r12.5 SP8 This documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

CA Automation Point. Release Notes. Release 11.5

CA Automation Point. Release Notes. Release 11.5 CA Automation Point Release Notes Release 11.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is for

More information

CA Automation Suite for Clouds Base Configuration

CA Automation Suite for Clouds Base Configuration CA Automation Suite for Clouds Base Configuration Release Notes Release 01.7 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to

More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Task Flow, page 5 Reconfigure OpenAM SSO to SAML SSO Following an Upgrade, page 9 SAML SSO Deployment Interactions and Restrictions, page 9 Prerequisites NTP

More information

CA Unified Infrastructure Management Unified Management Portal

CA Unified Infrastructure Management Unified Management Portal CA Unified Infrastructure Management Unified Management Portal Release Notes 8.0 Documentation Changes Document Version Date Changes 1.0 September 2014 Initial version for UMP 8.0. Copyright Notice This

More information

CA Output Management Web Viewer

CA Output Management Web Viewer CA Output Management Web Viewer User Guide Release 12.1.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

CA Unified Infrastructure Management

CA Unified Infrastructure Management CA Unified Infrastructure Management clariion Release Notes All series Copyright Notice This online help system (the "System") is for your informational purposes only and is subject to change or withdrawal

More information

ehealth Administration Overview Guide

ehealth Administration Overview Guide ehealth Administration Overview Guide MN-EHADMOV-001 October 2006 This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to as

More information

CA VM:Secure for z/vm

CA VM:Secure for z/vm CA VM:Secure for z/vm Release Notes Release 3.1, Second Edition 7/20/2014 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as

More information

Identity Provider for SAP Single Sign-On and SAP Identity Management

Identity Provider for SAP Single Sign-On and SAP Identity Management Implementation Guide Document Version: 1.0 2017-05-15 PUBLIC Identity Provider for SAP Single Sign-On and SAP Identity Management Content 1....4 1.1 What is SAML 2.0.... 5 SSO with SAML 2.0.... 6 SLO with

More information

CA Spectrum. Policy Manager User Guide. Release 9.4

CA Spectrum. Policy Manager User Guide. Release 9.4 CA Spectrum Policy Manager User Guide Release 9.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is for

More information

CoreBlox Integration Kit. Version 2.2. User Guide

CoreBlox Integration Kit. Version 2.2. User Guide CoreBlox Integration Kit Version 2.2 User Guide 2015 Ping Identity Corporation. All rights reserved. PingFederate CoreBlox Integration Kit User Guide Version 2.2 November, 2015 Ping Identity Corporation

More information

CA Output Management Web Viewer

CA Output Management Web Viewer CA Output Management Web Viewer Administration Guide Release 12.1.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

SPECTRUM Control Panel

SPECTRUM Control Panel SPECTRUM Control Panel User Guide Document 5029 Notice This documentation (the "Documentation") and related computer software program (the "Software") (hereinafter collectively referred to as the "Product")

More information

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM) IBM InfoSphere Information Server IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM) Installation and Configuration Guide Copyright International

More information

CA Nimsoft Monitor Snap

CA Nimsoft Monitor Snap CA Nimsoft Monitor Snap Configuration Guide for Network Connectivity Monitoring net_connect v2.9 series Legal Notices This online help system (the "System") is for your informational purposes only and

More information

pvs Release Notes All series

pvs Release Notes All series pvs Release Notes All series CA Nimsoft Monitor Copyright Notice This online help system (the "System") is for your informational purposes only and is subject to change or withdrawal by CA at any time.

More information

CA ERwin Data Modeler

CA ERwin Data Modeler CA ERwin Data Modeler Installation Guide Release 9.6.0 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation ),

More information

Novell Access Manager

Novell Access Manager Setup Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP3 February 02, 2011 www.novell.com Novell Access Manager 3.1 SP3 Setup Guide Legal Notices Novell, Inc., makes no representations or warranties

More information

CA SiteMinder Web Services Security

CA SiteMinder Web Services Security CA SiteMinder Web Services Security Policy Configuration Guide 12.52 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

CA SiteMinder Web Services Security

CA SiteMinder Web Services Security CA SiteMinder Web Services Security Upgrade Guide 12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Quick Connection Guide

Quick Connection Guide WebEx Connector Version 1.0.1 Quick Connection Guide 2014 Ping Identity Corporation. All rights reserved. PingFederate WebEx Connector Quick Connection Guide Version 1.0.1 March, 2014 Ping Identity Corporation

More information

CA SiteMinder. Agent for SharePoint Release Notes

CA SiteMinder. Agent for SharePoint Release Notes CA SiteMinder Agent for SharePoint Release Notes 12.52 SP1 for SharePoint 2010 and 2013 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred

More information

CA Data Protection. De-duplication Filter for Symantec Enterprise Vault Configuration Guide. Release 15.0

CA Data Protection. De-duplication Filter for Symantec Enterprise Vault Configuration Guide. Release 15.0 CA Data Protection De-duplication Filter for Symantec Enterprise Vault Configuration Guide Release 15.0 This Documentation, which includes embedded help systems and electronically distributed materials

More information

CA Mediation Manager. Installation Guide. Release 2.1.4

CA Mediation Manager. Installation Guide. Release 2.1.4 CA Mediation Manager Installation Guide Release 2.1.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation )

More information

CA Mediation Manager and CA Mediation Manager for Infrastructure Management

CA Mediation Manager and CA Mediation Manager for Infrastructure Management CA Mediation Manager and CA Mediation Manager for Infrastructure Management Installation Guide CA Mediation Manager Release 2.2.3 / CA Mediation Manager for Infrastructure Management 2.0, Release 2.2.3

More information

Oracle Access Manager Oracle FLEXCUBE Universal Banking Release [May] [2017]

Oracle Access Manager Oracle FLEXCUBE Universal Banking Release [May] [2017] Oracle Access Manager Oracle FLEXCUBE Universal Banking Release 12.4.0.0.0 [May] [2017] Table of Contents 1. INTRODUCTION... 1-1 2. BACKGROUND AND PREREQUISITES... 2-1 2.1 PRE-REQUISITES... 2-1 2.1.1 Software

More information

Version 7.x. Quick-Start Guide

Version 7.x. Quick-Start Guide Version 7.x Quick-Start Guide 2005-2013 Ping Identity Corporation. All rights reserved. PingFederate Quick-Start Guide Version 7.x September, 2013 Ping Identity Corporation 1001 17th Street, Suite 100

More information

Oracle Access Manager Integration Oracle FLEXCUBE Payments Release [Feb] [2018]

Oracle Access Manager Integration Oracle FLEXCUBE Payments Release [Feb] [2018] Oracle Access Manager Integration Oracle FLEXCUBE Payments Release 14.0.0.0.0 [Feb] [2018] Table of Contents Oracle Access Manager Integration 1. PREFACE... 1-1 1.1 INTRODUCTION... 1-1 1.2 AUDIENCE...

More information

CA etrust SiteMinder. Policy Server Installation Guide. r6.0 SP5. Second Edition

CA etrust SiteMinder. Policy Server Installation Guide. r6.0 SP5. Second Edition CA etrust SiteMinder Policy Server Installation Guide r6.0 SP5 Second Edition This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the

More information

Connector for Microsoft SharePoint Product Guide - On Premise. Version

Connector for Microsoft SharePoint Product Guide - On Premise. Version Connector for Microsoft SharePoint Product Guide - On Premise Version 03.0.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to

More information