Fedlet Service Provider and CA Siteminder Identity Provider
Has anyone used Fedlet as their service provider and CA Siteminder as their identity provider? Our client is using CA Siteminder Federation Security services and we need to configure our end to be a service provider that can accept SAMLv2 assertions with attribute mapping. Is the IDP iniatiated SSO possible with this setting?
I was only able to make Fedlet work with an OpenSSO identity provid开发者_运维百科er, but not with the CA Siteminder. The client only gave the idp and sp ID to use, their metadata, protocol and binding standard and nothing else. I gave them our Assertion consumer service URL (I got from the sp.xml on our Fedlet conf) and the relay state url where we will redirect the user upon successful login on their side.
Or do you recommend a different technology to use as a service provider for the CA siteminder IDP?
Please advise.
The Fedlet is pretty bare bones and was designed by Sun (now Oracle) to work with OpenSSO as the IDP. While it is probably compliant to some degree, I would imagine that it may not be a full implementation of SAML 2.0 SP-Lite but a sub-set of that.
I'd check out PingFederate from PingIdentity if you are looking for a more robust option. We have dozens of SPs who are integrating with CA SM FSS as the IDP (and vice versa) using SAML 1.x and 2.0. It has a very light footprint, can support a multitude of development languages/platforms and can be setup and in Production extremely quickly.
HTH - IanB
If you already have a SiteMinder installation setup then SMFSS is the fastest, easiest and most robust solution, IMHO but then I support it. I am able get new customers up and running in less than a day for SAML 2.0 POC when they already have a working SiteMinder architecture in place and there are no known issues with OpenSSO. If you have a particular issue you should give a fiddler trace with HTTPS decryption enabled and logs so we can assist. Also, the R12 SP3 or SM6 SMFSS docs have the chapter on what settings need to match, the setting up the IDP and SP for SAML 2.0 chapters which are step by step as long as you have the settings for the matching values chapter which is the second to last chapter and chapter number changes depending on version of the docs.
You can also do Authorization on the SP side using the Attribute Authority we provide if your SP implements the Attribute Query SAML specification. In other words, if there was no attribute authority then you would need to store attributes on the SP side for use later. With that being said, if you used an SMFSS (SiteMinder Federation Security Services) SP you could use the Session Store on the SP side and store the assertions attributes there at authentication time. Let me know if you have any more questions on this. The thing I like about SMFSS is you really get a good idea of what your doing and can become quite proficient where a lot of other products seem to use a lot of the MetaData to add stuff into their UI's which IMHO results in people not really understanding the federation that they are setting up and administering.
I am wondering if IanB is my old co-worker Ian Barnett of Ping? If so hello!!!
Crissy Krueger Stone
SiteMinder Support est. 5/1/2000
精彩评论