Integrating CA SiteMinder and Arcot A-OK Using CA Federation Manager
Tech Brief: Integrating CA SiteMinder and Arcot A-OK using CA Federation Manager
A Step-by-Step Configuration Guide
January 2011
Tommy Cheng, Taneja Vikas
CA Security Customer Solutions Unit

Copyright ©2011 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document "as is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages.

Contents
- Overview: Integrating CA SiteMinder and Arcot A-OK using CA Federation Manager
- CA SiteMinder
- Arcot A-OK
- Arcot A-OK Federation Worksheet
- CA Federation Manager: Standalone Option
- CA Federation Manager: Add-on to CA SiteMinder
- Appendix A. Troubleshooting

Overview: Integrating CA SiteMinder and Arcot A-OK using CA Federation Manager

Application developers and IT security people are becoming increasingly aware of the value of using standards-based identity federation to achieve single sign-on to SaaS applications and to the Cloud. Standards-based identity federation can increase security, enabling an organization to identify and authenticate a user once and then use that identity information across multiple systems, including external partner websites, portals and web services. Federated Single Sign-on offers significant benefits, including:

- Cost Reduction – IT organizations are looking to control IT costs and gain efficiencies. Federated Single Sign-on targets areas that traditionally require lots of manual processes, including user account management, password management, entitlements management, and access management, and these areas are therefore a focus of cost control efforts.
- Easier Regulatory Compliance – Expanding regulatory requirements and the increasing rate of compromise of personal information via various types of security breaches have led organizations to place a greater emphasis on data security, and on the people, process, and technology that make it up.

This document gives examples of how CA Federation Manager is configured to consume the SAML 2.0 security token delivered by Arcot A-OK and bring the strong authentication service that Arcot is known for to further enhance the CA Identity Federation solution. This integration is based on CA Federation Manager 12 and on Arcot A-OK (2.10 or later).

CA SiteMinder

CA SiteMinder is enterprise level web access management software which allows organizations to manage their web users and help control their access to applications. When CA SiteMinder is integrated with Arcot A-OK, SiteMinder is able to use the strong authentication that Arcot A-OK provides as one of its authentication methods. CA Federation Manager enables this integration by establishing a standards-based SAML 2.0 federation between these two applications.

Arcot A-OK

Arcot A-OK is a versatile authentication service that can quickly and easily upgrade the security of any authentication process. It delivers the strong authentication you need without having to install and manage your own authentication infrastructure. Arcot hosts all the components necessary to deliver on-demand strong authentication in a SAS 70 audited, PCI DSS-compliant data center, eliminating the need to install, manage, or maintain any hardware or software on local servers. In this case, Arcot A-OK provides the strong authentication service with single sign-on capability to deliver the SAML 2.0 security token to Web Applications that are supported by CA Federation Manager. The security token service delivered by A-OK is SAML 2.0 standards-based and further extends this capability into Internet Web Applications that are capable of consuming a SAML 2.0 security token. The key features of A-OK include:

- Choose the authentication method that suits the application and user group – A-OK offers multiple hardware and software authentication methods to choose from, to avoid vendor lock-in.
- Increase security while protecting the user login experience – Legitimate users log in with their familiar username/password and are given access quickly and transparently.
- Uniquely block man-in-the-browser and man-in-the-middle attacks – Helps keep users safe and prevents alteration or hijacking of data in sessions.
- Block fraud before it hurts you – Assess high-risk transactions in real time. You can block fraud as it is happening rather than waiting to investigate it afterwards.
- Reduce management costs – By authenticating all your users with a centralized server architecture, you can reduce costs and increase span of control.
- Flexible, easy to use, deploy and manage – Provide multifactor authentication across multiple platforms without the cost or inconvenience of hardware.
- Meet regulatory and compliance requirements while keeping costs under control – Because A-OK is hosted in Arcot's SAS 70 audited, PCI DSS-compliant hosting data center, you get a proven, secure and reliable service that is immediately available for your use.

Arcot A-OK Federation Worksheet

Before we describe the steps required to integrate CA SiteMinder and Arcot A-OK using CA Federation Manager, we first highlight the CA Federation Manager deployment options. We then take a look at the Arcot A-OK environments and the Identity Provider Federation services they offer. Using the information gathered, we present a pre-populated Arcot A-OK Federation Worksheet that contains the configuration information used for the interoperability tests actually performed. This paper then shows the steps needed to consume the SAML 2.0 authentication response generated by the Arcot A-OK authentication services and to sign on to a Web Application front-ended with either CA Federation Manager deployment option, first the 'stand-alone' option and then the add-on to CA SiteMinder option.

CA FEDERATION MANAGER DEPLOYMENT OPTIONS

CA Federation Manager offers two deployment options to augment Web Applications with the ability to consume standards-based SAML 2.0 security tokens:

- A Stand-alone option – this option does not require that CA SiteMinder, or any other CA software product, be installed. It may be deployed in either stand-alone gateway or proxy mode. A connector to CA SiteMinder is provided to easily integrate CA Federation Manager with CA SiteMinder if desired.
- An Add-on to CA SiteMinder option – where federation capabilities are added to an existing SiteMinder implementation. This deployment option was formerly known as CA SiteMinder Federation Security Services (CA FSS), also sometimes called the Web Agent Option Package (WAOP).

ARCOT A-OK IDENTITY PROVIDER FEDERATION SERVICES

In order to meet your specific needs, Arcot A-OK provides multiple environments to help you develop and ultimately deploy the final solution into production. As of this writing, there are four sets of A-OK environments: Proof-Of-Concept, Preview, Production-Replica, and Production. In this document, we focus on the aokpoc.arcot.com environment, which is set up as a Proof-Of-Concept environment for customers who are interested in, but have not yet officially signed, a service agreement with Arcot.

When you start working with Arcot A-OK, you will be working with A-OK supporting staff on your specific need; use the Arcot A-OK Federation Worksheet that follows as a guide. You will need to provide the following:

- Your Assertion Consumer Service URL. Using CA Federation Manager, your Assertion Consumer Service URL is in the format of <SP Server Base URL>/affwebservices/public/saml2assertionconsumer. For example, if your server name is www.sp.demo and the https protocol has been enabled on the standard 443 port, then it is https://www.sp.demo:443/affwebservices/public/saml2assertionconsumer or its equivalent, https://www.sp.demo/affwebservices/public/saml2assertionconsumer.
- Whether you need the IdP Initiated SAML 2 SSO Service. (This is an optional service that you need to request. It is not available by default.) When using CA Federation Manager as a SAML 2.0 Service Provider there is generally no need to use the IdP Initiated SAML 2 SSO Service provided by Arcot A-OK. If you do need it, you will also receive the IdP initiated template URL, in which you need to replace the StartURL parameter with your own value. You will receive something similar to the following URL: https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=spinterop&StartURL=https://aokpoc.arcot.com/sampleapps/spinterop

After you have started working with Arcot A-OK, Arcot A-OK supporting staff will provide you with the Arcot A-OK integration information, including an administrator ID and password and an administration URL such as https://aokpoc.arcot.com/arcotadmin/. This is where you log in using the ID and password to create A-OK users, enable credentials, and perform other administrative tasks.

ARCOT A-OK FEDERATION WORKSHEET

To complete the configuration, we developed the following worksheet to capture the most relevant information required for a successful integration. The following pre-populated example, taken from our interoperability testing, is meant to quickly show you what may be required of you. Each item lists its description, the value used in our testing, and comments.

SP Server Base URL
  Description: The protocol, machine name, and port number of your SAML 2.0 SP Server.
  Value: https://www.sp.demo
  Comments: Both http and https are supported. In a production environment, it is strongly suggested that you use https.

Assertion Consumer Service URL
  Description: The Assertion Consumer Service URL that consumes a SAML 2.0 Assertion sent by Arcot A-OK. For CA Federation Manager, this URL is in the format of <<SP Server Base URL>>/affwebservices/public/saml2assertionconsumer.
  Value: https://www.sp.demo/affwebservices/public/saml2assertionconsumer

Assertion Verification Certificate
  Description: The certificate file that contains the public key used to verify the Arcot A-OK signature on the SAML 2.0 Assertion. This certificate needs to be imported into the Federation Manager keystore.
  Value: aokpreview.cer
  Comments: A-OK Support provides this information. The certificate file must contain the public key to verify the SAML 2.0 Assertion signed by Arcot A-OK.

A-OK Base URL
  Description: The A-OK Base URL that is used to form the other A-OK service URLs.
  Value: https://aokpoc.arcot.com
  Comments: This URL is A-OK environment specific. There are four different Base URLs, one for each of the four A-OK environments.

appId
  Description: Application Id, provided by A-OK.
  Value: spinterop
  Comments: This parameter, together with the appType parameter, is used by A-OK to uniquely identify the Service Provider (SP) application.

appType
  Value: 4
  Comments: Always use value '4' (SAML type application).

RelayState
  Description: A landing page after a user is authenticated with Arcot A-OK.
  Value: (Not Used)

StartURL
  Description: URL to which A-OK will redirect the user at the end of different flows.
  Value: http://www.sp.demo
  Comments: (optional) This URL is passed back to the calling application after authentication. This is also the URL to which A-OK will redirect the user when a session timeout occurs. This is not the target application landing page.

Target
  Description: The default landing page after authentication.
  Value: http://www.sp.demo/testsaml2/
  Comments: A customizable landing page. This value is configured as the Target Page in CA Federation Manager. This needs to be a URL in the same cookie domain as the CA Federation Manager SP Server.

IDP ID
  Description: SAML 2.0 IdP Entity ID.
  Value: https://aok.arcot.com
  Comments: The IdP ID used by Arcot A-OK. It is the Issuer in the SAML 2.0 Assertion and is always set to https://aok.arcot.com.

RelayState overrides Target
  Description: A single sign-on configuration usually has a preconfigured target page. In some cases, the administrator or a user may want to redirect the user to a different page. The RelayState allows the system to go directly to the chosen page.
  Value: Yes
  Comments: This is usually allowed, unless there is a very restrictive rule that requires the user to always land at the default Target page. When the override is allowed, it makes deep links possible. Implementing a deep link requires other, more advanced custom configurations.

A-OK SSO Service URL
  Description: The A-OK SAML 2.0 SSO Service URL. It uses the format <<A-OK Base URL>>/capps/auth_entry_point.htm?appType=<<appType>>&appId=<<appId>>&StartURL=<<StartURL>>.
  Value: https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=spinterop&StartURL=https://www.sp.demo

IDP Initiated SSO URL
  Description: IdP Initiated SSO is also known as unsolicited SSO, as it is a request started from the IdP without the SP requesting it.
  Value: https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=spinterop&StartURL=https://www.sp.demo
  Comments: With CA Federation Manager as the SP, this is usually not needed.

CA Federation Manager: Standalone Option

NOTE: CA Federation Manager, the stand-alone option, is available to CA SiteMinder Federation Security Services customers with current maintenance at no additional charge.

To offer federation service using CA Federation Manager (the stand-alone deployment option) as a SAML 2.0 SP, use the Arcot A-OK Federation Worksheet as a guide. From the worksheet, the most relevant items are:

- Assertion Verification Certificate
- IDP ID
- A-OK SSO Service URL
- Assertion Consumer URL
- SP Server Base URL

ASSERTION VERIFICATION CERTIFICATE

When Arcot A-OK sends a SAML assertion to CA Federation Manager, Arcot A-OK signs the SAML assertion using a certificate to confirm its integrity. This certificate (the Assertion Verification Certificate) is sent to you by A-OK Support. When you receive this certificate, use the Import New button on the "Certs and Keys" tab to import it into CA Federation Manager and give it an alias name.

REMOTE SAML 2 IDP ENTITY

After the Assertion Verification Certificate has been imported into Federation Manager, use the following information from the A-OK Federation Worksheet to create a Remote SAML 2 IdP Entity for A-OK:

- IDP ID -> Entity ID
- A-OK SSO Service URL -> Remote SSO Service URL, using the HTTP-Redirect Binding, e.g. https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=spinterop&StartURL=https://www.sp.demo
- Assertion Verification Certificate alias -> Verification Certificate Alias

The Name ID is simply "Unspecified".

LOCAL SAML 2.0 SP ENTITY

With the Remote IdP Entity defined, you now need to use the following information from the A-OK Federation Worksheet to create a Local SP Entity for the CA Federation Manager server itself:

- Assertion Consumer URL -> Entity ID
- SP Server Base URL -> Base URL

The Name ID Format is "Unspecified". In the following Confirm screen, note that the Entity ID is identical to the Assertion Consumer Service URL.

SAML 2.0 SP->IDP PARTNERSHIP

With the Local SP and Remote IdP defined, you can now configure and activate a SAML 2 IdP->SP Partnership.

1. Choose the Local SP and Remote IdP defined earlier, set an appropriate Skew Time and select an appropriate User Directory.
2. Select "Use Name ID" to pick up the Name ID value generated by A-OK and set "Map Identity Attribute to User Directories" appropriately. In this case, we are mapping the "Name ID" to the Name field of an ODBC User Directory.
3. Check "HTTP-Post" and leave the rest as the default settings.
4. Leave the default setting, as Federation Manager picks up the correct Verification Certificate Alias from the Remote IdP Entity.
5. Set the appropriate "Redirect Mode" and the default landing page "Target", with "Relay state overrides target" checked. You may also want to change other settings according to your own needs.
6. Save and activate this newly created Federation Partnership.
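The partnership above leaves "Relay state overrides target" checked, which lets a RelayState parameter replace the default Target page, and the worksheet notes that the landing page has to be in the same cookie domain as the CA Federation Manager SP server. The following Python is an added example, not code from the tech brief, CA or Arcot: it resolves the landing page the way that setting describes, but only honours a RelayState override that points back into the SP's cookie domain, so the override cannot be used to send a freshly authenticated user to an arbitrary site. The function names and the rule that derives the cookie domain sp.demo from the SP Server Base URL host www.sp.demo are assumptions; substitute the cookie domain actually configured on your agent.

```python
"""Resolve the post-authentication landing page as the "Relay state overrides
target" setting describes, accepting only a RelayState inside the SP's cookie
domain.  Added example; helper names and the sp.demo cookie-domain rule are
assumptions, not part of CA Federation Manager."""
from typing import Optional
from urllib.parse import urlsplit


def is_in_cookie_domain(candidate: str, cookie_domain: str) -> bool:
    """True only for an absolute http(s) URL whose host is cookie_domain itself
    or a host under it (www.sp.demo for cookie domain sp.demo)."""
    # Reject whitespace, control characters and backslashes before parsing:
    # browsers and urlsplit() disagree on how those are interpreted.
    if "\\" in candidate or any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return False
    try:
        parts = urlsplit(candidate)
        # .hostname drops userinfo and the port, so "https://www.sp.demo@evil.example/"
        # yields evil.example and fails the suffix test below.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:          # malformed IPv6 literal and similar parse errors
        return False
    # Scheme-relative ("//evil.example/") and javascript: URLs fail here.
    if parts.scheme not in ("http", "https"):
        return False
    domain = cookie_domain.lower().strip(".")
    if not host or not domain:
        return False
    return host == domain or host.endswith("." + domain)


def resolve_landing_page(target: str, relay_state: Optional[str],
                         override_allowed: bool, cookie_domain: str) -> str:
    """Return the page the user is sent to after the assertion is consumed.

    target           the default Target page configured in the partnership
    relay_state      the RelayState that arrived with the response, if any
    override_allowed the "Relay state overrides target" checkbox
    """
    if override_allowed and relay_state and is_in_cookie_domain(relay_state, cookie_domain):
        return relay_state
    return target


def cookie_domain_of(sp_base_url: str) -> str:
    """Assumed rule: drop the first label of the SP host (www.sp.demo -> sp.demo)."""
    host = urlsplit(sp_base_url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host


if __name__ == "__main__":
    domain = cookie_domain_of("https://www.sp.demo")     # worksheet SP Server Base URL
    target = "http://www.sp.demo/testsaml2/"              # worksheet Target
    for relay in ("https://www.sp.demo/reports/", "https://www.sp.demo@evil.example/",
                  "//evil.example/", "https://www.sp.demo.evil.example/"):
        print(relay, "->", resolve_landing_page(target, relay, True, domain))
```

A rejected RelayState falls back to the configured Target rather than raising an error, which matches the worksheet's intent that Target is the safe default landing page; log the rejected value if you want to see who is sending out-of-domain RelayState values.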
EXERCISE THE FEDERATION SERVICE

Once the configurations are done and enabled on both Arcot A-OK and CA Federation Manager, you can open a Web Browser to test the federation service.

- SP-Initiated: When a user visits a URL such as https://www.sp.demo/affwebservices/public/saml2authnrequest?ProviderID=https://aok.arcot.com, the CA Federation Manager server will automatically invoke the Federation Service if an existing session does not exist. The SP-Initiated URL supports the RelayState parameter too, with the same syntax as the IdP-Initiated URL.
- IdP-Initiated: Accessing a URL such as https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=cainterop&StartURL=https://interop.ca.com&RelayState=https://interop.ca.com/headers.asp also works. Here the RelayState parameter is optional and provides an alternative landing page.

A-OK LOGOUT

If your Web application needs to implement a way to log out of the A-OK session, the following URL can be used: <<A-OK Base URL>>/capps/logout.htm?lourl=<<LogoutLandingPage>>. Here the LogoutLandingPage tends to be a URL that logs the user out of the Web Application that CA Federation Manager helps to support.

CA Federation Manager: Add-on to CA SiteMinder (formerly CA SiteMinder Federation Security Services)

LICENSING NOTE: If you already have CA SiteMinder implemented at your organization, you must have a CA Federation Manager (or CA SiteMinder Federation Security Services) license and software to use the federation features. If you already have CA SiteMinder Federation Security Services, now branded as CA Federation Manager, these instructions will help you set up single sign-on.

ARCOT A-OK FEDERATION WORKSHEET

To complete the configuration, use the Arcot A-OK Federation Worksheet as a guide. From the worksheet, the most relevant items are the following:

- Assertion Verification Certificate
- IDP ID
- A-OK SSO Service URL
- Assertion Consumer URL

ASSERTION VERIFICATION CERTIFICATE

When Arcot A-OK sends a SAML assertion to CA Federation Manager, Arcot A-OK signs the SAML assertion using a certificate to confirm its integrity. This certificate (the Assertion Verification Certificate) is sent to you by A-OK Support. When you receive this certificate, use the smkeytool command on the Policy Server to import it into the key store:

    smkeytool -addCert -alias aok -infile aokpreview.cer

Once this is imported successfully, you can use the following smkeytool command to list the certificate you just imported. Later, you will be able to copy the output of this command and paste it into the other screens you need to configure:

    C:\>smkeytool -listCerts -alias aok
    Alias Name: aok
    Type: CertificateEntry
    Subject: CN=aok.arcot.com,OU=ArcotSecureHosting,O=Arcot Systems Inc.,C=US
    Issuer: CN=aok.arcot.com,OU=ArcotSecureHosting,O=Arcot Systems Inc.,C=US
    Serial Number: 47B09D9A
    Valid from: Mon Feb 11 14:10:18 EST 2008 until: Sat Feb 09 14:10:18 EST 2013
    *****************************************************************************
    Number of entries listed: 1

SAML 2.0 AUTHENTICATION SCHEME

On the SiteMinder Add-on, a SAML 2.0 Authentication Scheme is the equivalent of an SP->IdP partnership object on the stand-alone deployment option. The spdemoaok scheme below is an example, using the information from our A-OK Federation Worksheet:

- Assertion Consumer URL -> SP ID
- IDP ID -> IdP ID
- Assertion Verification Certificate -> Issuer DN and Serial Number (taken from the output of the smkeytool -listCerts command)

Click on "Additional Configuration" to continue.

Scheme Setup screen: pick an appropriate Skew Time to adjust for possible system clock differences between the SiteMinder Add-on system and the A-OK system.

Users tab: set the appropriate Search Specification based on the choice of your User Directory. In this example, we are mapping the Name ID in the SAML Assertion to the Name field of an ODBC User Directory.

SSO tab: the A-OK SSO Service URL from the A-OK Federation Worksheet goes into the SSO Service field. HTTP-Post in the Bindings group is also checked. The Target field is set to a test landing page and "Relay State Overrides Target" is checked. In this case, "302 Cookie Data" is the Redirect Mode.

Use the default settings for the remaining tabs.

DOMAIN, REALM, POLICIES, AND OTHERS

Just as with any other SiteMinder Authentication Scheme, you need to have the appropriate SiteMinder security policies configured before this Authentication Scheme is actually used.

EXERCISE THE FEDERATION SERVICE

Once the configurations are done and enabled on both Arcot A-OK and CA Federation Manager, you can open a Web Browser to test the federation service.

- SP-Initiated: When a user visits a URL such as https://www.sp.demo/affwebservices/public/saml2authnrequest?ProviderID=https://aok.arcot.com, the CA Federation Manager server will automatically invoke the Federation Service if an existing session does not exist. The SP-Initiated URL supports the RelayState parameter too, with the same syntax as the IdP-Initiated URL.
- IdP-Initiated: Accessing a URL such as https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=cainterop&StartURL=https://interop.ca.com&RelayState=https://interop.ca.com/headers.asp also works. Here the RelayState parameter is optional and provides an alternative landing page.

A-OK LOGOUT

If your SiteMinder-protected Web application needs to implement a way to log out of the A-OK session, the following URL can be used: <<A-OK Base URL>>/capps/logout.htm?lourl=<<LogoutLandingPage>>. The LogoutLandingPage is likely to be a URL that involves the SiteMinder logoff URI.

Appendix A. Troubleshooting

NOTBEFORE ATTRIBUTE

By default, A-OK sets the NotBefore attribute on the SubjectConfirmationData tag. CA Federation Manager does not allow this attribute to be set. This is configurable in Arcot A-OK.

INRESPONSETO ATTRIBUTE

By default, A-OK only sets InResponseTo on the SubjectConfirmationData tag but not on the samlp:Response tag. CA Federation Manager requires it to be set on both. This is configurable in Arcot A-OK. Please keep in mind that InResponseTo is only used with SP Initiated SSO. IdP Initiated SSO does not use it at all, as there is no value to set for this attribute.

SIGNATURE ON RESPONSE INSTEAD OF SIGNATURE ON ASSERTION

By default, A-OK sets the Signature on the Response. CA Federation Manager needs it on the Assertion. This is configurable in Arcot A-OK.
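Appendix A lists three places where the A-OK defaults differ from what CA Federation Manager accepts. The following Python is an added example, not code from the tech brief, CA or Arcot: it parses a SAML 2.0 Response and reports which of the three differences are present, so an administrator can confirm from a captured response which A-OK settings still need changing instead of guessing from a failed sign-on. The sample responses are constructed for the example, the Signature elements in them are placeholders, and the function checks only where the attributes and the Signature sit; it does not verify the signature itself. The NotBefore rule is also what the SAML 2.0 Web Browser SSO profile requires for bearer subject confirmations.

```python
"""Structural check of a SAML 2.0 Response against the three Appendix A items:
NotBefore on SubjectConfirmationData, InResponseTo on Response and
SubjectConfirmationData, and Signature placement.  Added example; it does not
verify the XML signature and uses a constructed sample, not real A-OK output."""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SCD_PATH = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"


def check_response(xml_text: str, sp_initiated: bool = True) -> List[str]:
    """Return the findings that would have to be fixed on the A-OK side;
    an empty list means the response has the shape CA Federation Manager expects."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["document root is not a samlp:Response"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain saml:Assertion in the Response"]
    findings = []
    scds = assertion.findall(SCD_PATH, NS)

    # 1. NotBefore on SubjectConfirmationData is rejected by CA Federation Manager.
    if any("NotBefore" in scd.attrib for scd in scds):
        findings.append("NotBefore set on SubjectConfirmationData; CA Federation Manager does not allow it")

    # 2. For SP-initiated SSO, InResponseTo must be on both the Response and the
    #    SubjectConfirmationData, and both must name the same AuthnRequest.
    if sp_initiated:
        resp_irt = root.get("InResponseTo")
        scd_irts = [scd.get("InResponseTo") for scd in scds]
        if resp_irt is None:
            findings.append("InResponseTo missing on samlp:Response")
        if not scds or None in scd_irts:
            findings.append("InResponseTo missing on SubjectConfirmationData")
        elif resp_irt is not None and any(v != resp_irt for v in scd_irts):
            findings.append("InResponseTo on Response and SubjectConfirmationData differ")

    # 3. The Signature must be inside the Assertion, not only on the outer Response.
    if assertion.find("ds:Signature", NS) is None:
        where = "Response" if root.find("ds:Signature", NS) is not None else "neither element"
        findings.append("Signature is on the %s; CA Federation Manager needs it on the Assertion" % where)
    return findings


SIG = "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
ACS = "https://www.sp.demo/affwebservices/public/saml2assertionconsumer"   # worksheet value


def build_response(notbefore: bool, irt_on_response: bool, sign_assertion: bool) -> str:
    """Constructed sample Response; the Signature element is a placeholder, not a real signature."""
    ns_p, ns_a, ns_d = NS["samlp"], NS["saml"], NS["ds"]
    resp_irt = ' InResponseTo="_req1"' if irt_on_response else ""
    nb = ' NotBefore="2011-01-20T09:59:00Z"' if notbefore else ""
    sig_resp = "" if sign_assertion else SIG
    sig_assert = SIG if sign_assertion else ""
    return f"""<samlp:Response xmlns:samlp="{ns_p}" xmlns:saml="{ns_a}" xmlns:ds="{ns_d}"
    ID="_resp1" Version="2.0" IssueInstant="2011-01-20T10:00:00Z" Destination="{ACS}"{resp_irt}>
  <saml:Issuer>https://aok.arcot.com</saml:Issuer>{sig_resp}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-01-20T10:00:00Z">
    <saml:Issuer>https://aok.arcot.com</saml:Issuer>{sig_assert}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"{nb}
            NotOnOrAfter="2011-01-20T10:05:00Z" Recipient="{ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, sample in (("A-OK defaults", build_response(True, False, False)),
                          ("corrected", build_response(False, True, True))):
        print(label, "->", check_response(sample) or ["OK"])
```

Running the file shows three findings for the A-OK default shape and none for the corrected one; pass sp_initiated=False for an IdP-initiated response, where Appendix A says InResponseTo is not used at all.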