
TECH BRIEF: INTEGRATING CA SITEMINDER AND ARCOT A-OK USING CA FEDERATION MANAGER

Integrating CA SiteMinder and Arcot A-OK using CA Federation Manager

A Step-by-Step Configuration Guide

JANUARY 2011

Tommy Cheng Taneja Vikas

Contents
Overview: Integrating CA SiteMinder and Arcot A-OK using CA Federation Manager ... 3
    CA SiteMinder ... 3
    Arcot A-OK ... 3
    Arcot A-OK Federation Worksheet ... 4
CA Federation Manager: Standalone Option ... 7
CA Federation Manager: Add-on to CA SiteMinder ... 14
APPENDIX A. TROUBLESHOOTING ... 19

CA Security Customer Solutions Unit
Copyright 2011 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages.


Overview: Integrating CA SiteMinder and Arcot A-OK using CA Federation Manager

Application developers and IT security people are becoming increasingly aware of the value of using standards-based identity federation to achieve single sign-on to SaaS applications and to the Cloud. This document gives examples of how CA Federation Manager is configured to consume the SAML 2.0 security token delivered by Arcot A-OK, bringing the strong authentication service that Arcot is known for to the CA Identity Federation solution. Federated Single Sign-on offers significant benefits, including:

Cost Reduction - IT organizations are looking to control IT costs and gain efficiencies. Federated Single Sign-on targets areas that traditionally require many manual processes, including user account management, entitlements management, password management, and access management, and these areas are therefore a focus of cost control efforts.

Easier Regulatory Compliance - Expanding regulatory requirements and the increasing rate of compromise of personal information via various types of security breaches have led organizations to place a greater emphasis on data security, and on the people, process, and technology that make it up. Standards-based identity federation can increase security, enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites.

In this case, Arcot A-OK provides the strong authentication service with single sign-on capability to deliver the SAML 2.0 security token to Web Applications that are supported by CA Federation Manager.

CA SiteMinder
CA SiteMinder is enterprise-level web access management software that allows organizations to manage their web users and helps control their access to applications, portals and web services. When CA SiteMinder is integrated with Arcot A-OK, SiteMinder is able to use the strong authentication that Arcot A-OK provides as one of its authentication methods. CA Federation Manager enables this integration by establishing a standards-based SAML 2.0 federation between these two applications. This integration is based on CA Federation Manager 12.1.

Arcot A-OK
Arcot A-OK is a versatile authentication service that can quickly and easily upgrade the security of any authentication process. It delivers the strong authentication you need without having to install and manage your own authentication infrastructure. Arcot hosts all the components necessary to deliver on-demand strong authentication in a SAS 70 audited, PCI DSS-compliant data center, eliminating the need to install, manage, or maintain any hardware or software on local servers. This integration is based on Arcot A-OK (2.10 or later). The security token service delivered by A-OK is SAML 2.0 standards-based and further extends this capability to Internet Web Applications that are capable of consuming a SAML 2.0 security token. The key features of A-OK include:


Choose the authentication method that suits the application and user group - A-OK offers multiple hardware and software authentication methods to choose from, to avoid vendor lock-in.

Flexible, easy to use, deploy and manage - Provide multifactor authentication across multiple platforms without the cost or inconvenience of hardware.

Uniquely block man-in-the-browser and man-in-the-middle attacks - Helps keep users safe and prevents alteration or hijacking of data in sessions.

Reduce management costs - By authenticating all your users with a centralized server architecture, you can reduce costs and increase span-of-control.

Increase security while protecting the user login experience - Legitimate users log in with their familiar username/password and are given access quickly and transparently.

Block fraud before it hurts you - Assess high-risk transactions in real time. You can block fraud as it is happening rather than waiting to investigate it afterwards.

Meet regulatory and compliance requirements while keeping costs under control - Because A-OK is hosted in Arcot's SAS 70 audited, PCI DSS-compliant hosting data center, you get a proven, secure and reliable service that is immediately available for your use.

Arcot A-OK Federation Worksheet
Before we describe the steps required to integrate CA SiteMinder and Arcot A-OK using CA Federation Manager, we first highlight the CA Federation Manager deployment options. We then take a look at the Arcot A-OK environments and the Identity Provider Federation services they offer. Using the information gathered, we present a pre-populated Arcot A-OK Federation Worksheet that contains the configuration information used for the interoperability tests actually performed.

CA FEDERATION MANAGER DEPLOYMENT OPTIONS
CA Federation Manager offers two deployment options to augment Web Applications with the ability to consume a standards-based SAML 2.0 security token.

A Stand-alone option - this option does not require that CA SiteMinder, or any other CA software product, be installed. This option may be deployed in either stand-alone gateway or proxy mode. A connector to CA SiteMinder is provided to easily integrate CA Federation Manager with CA SiteMinder if desired.

An Add-on to CA SiteMinder option - where federation capabilities are added to an existing SiteMinder implementation. This deployment option was formerly known as CA SiteMinder Federation Security Services (CA FSS), also sometimes called the Web Agent Option Package (WAOP).

This paper shows the steps needed to consume the SAML 2.0 authentication response generated by Arcot A-OK authentication services and to sign on to a Web Application front ended with either CA Federation deployment option; first the stand-alone option and then the add-on to CA SiteMinder option.


ARCOT A-OK IDENTITY PROVIDER FEDERATION SERVICES
In order to meet your specific needs, Arcot A-OK provides multiple environments to help you develop and ultimately deploy the final solution into production. After you have started working with Arcot A-OK, you will be working with A-OK support staff on your specific needs. As of this writing, there are four sets of A-OK environments: Proof-Of-Concept, Preview, Production-Replica, and Production. In this document, we focus on the aokpoc.arcot.com environment, which is set up as a Proof-Of-Concept environment for customers who are interested in, but have not yet officially signed, a service agreement with Arcot. When you start working with A-OK support staff, you will need to provide the following:

Your Assertion Consumer Service URL - Using CA Federation Manager, your Assertion Consumer Service URL is in the format <SP Server Base URL>/affwebservices/public/saml2assertionconsumer. For example, if your server name is www.sp.demo and the https protocol has been enabled on the standard port 443, then it is https://www.sp.demo:443/affwebservices/public/saml2assertionconsumer or its equivalent https://www.sp.demo/affwebservices/public/saml2assertionconsumer.

Whether you need the IdP Initiated SAML 2 SSO Service. (This is an optional service that you need to request. It is not available by default.)

When using CA Federation Manager as a SAML 2.0 Service Provider there is generally no need to use the IdP Initiated SAML 2 SSO Service provided by Arcot A-OK. Arcot A-OK support staff will provide you with the Arcot A-OK integration information, including an administrator ID and password. You will receive something similar to the following URL:
https://aokpoc.arcot.com/arcotadmin/

This is where you log in using the ID and password to create AOK users, enable credentials, and perform other administrative tasks. If you do need the IdP Initiated SAML 2 SSO Service, you will also receive the IdP initiated template URL where you need to replace the StartURL parameter with your own value, for example,
https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=spinterop&StartURL=https://aokpoc.arcot.com/sampleapps/spinterop

ARCOT A-OK FEDERATION WORKSHEET
To complete the configuration, use the Arcot A-OK Federation Worksheet that follows as a guide. From the worksheet, the most relevant items are:
Assertion Verification Certificate
IDP ID
A-OK SSO Service URL
Assertion Consumer URL
SP Server Base URL

During our interoperability testing, we developed the following worksheet to capture the most relevant information required for a successful integration. The following pre-populated example is meant to quickly show you what may be required of you:


Arcot A-OK Federation Worksheet

Item: SP Server Base URL
Description: The protocol, machine name, and port number of your SAML 2.0 SP Server.
Value: https://www.sp.demo
Comments: Both http and https are supported. In a production environment, it is strongly suggested that you use https.

Item: Assertion Consumer Service URL
Description: The Assertion Consumer Service URL that consumes a SAML 2.0 Assertion sent by Arcot A-OK.
Value: https://www.sp.demo/affwebservices/public/saml2assertionconsumer
Comments: For CA Federation Manager, this URL is in the format <<SP Server Base URL>>/affwebservices/public/saml2assertionconsumer.

Item: Assertion Verification Certificate
Description: The certificate file must contain the public key to verify the SAML 2.0 Assertion signed by Arcot A-OK.
Value: The aokpreview.arcot.co.in.cer file.
Comments: This certificate needs to be imported into the Federation Manager keystore. It contains the public key that is used to verify the Arcot A-OK signature on the SAML 2.0 documents.

Item: A-OK Base URL
Description: The A-OK Base URL that is used to form other A-OK service URLs.
Value: https://aokpoc.arcot.com
Comments: This URL is A-OK environment specific. There are four different Base URLs, one for each of the four A-OK environments. A-OK Support provides this information.

Item: appId
Description: The Application Id is provided by A-OK. This parameter, together with the appType parameter, is used by A-OK to uniquely identify the Service Provider (SP) application.
Value: spinterop

Item: appType
Description: Always use the value '4' (SAML type application).
Value: 4

Item: RelayState
Description: (optional) This URL is passed back to the calling application after authentication.
Value: (Not Used)
Comments: A landing page after a user is authenticated with Arcot A-OK. This value is configured as the Target Page in CA Federation Manager.

Item: StartURL
Description: URL to which A-OK will redirect the user at the end of different flows. This is also the URL to which A-OK will redirect the user when a session timeout occurs.
Value: http://www.sp.demo
Comments: A customizable landing page. This is not the target application landing page.

Item: IDP ID
Description: SAML 2.0 IdP Entity ID.
Value: https://aok.arcot.com
Comments: The IdP ID used by Arcot A-OK. It is the Issuer in the SAML 2.0 Assertion and is always set to https://aok.arcot.com.

Item: A-OK SSO Service URL
Description: The A-OK SAML 2.0 SSO Service URL.
Value: https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=spinterop&StartURL=https://www.sp.demo
Comments: The A-OK SSO Service URL uses the format <<A-OK Base URL>>/capps/auth_entry_point.htm?appType=<<appType>>&appId=<<appId>>&StartURL=<<StartURL>>.

Item: Target
Description: The default landing page after authentication.
Value: http://www.sp.demo/testsaml2/
Comments: This needs to be a URL in the same cookie domain as the CA Federation Manager SP Server.

Item: RelayState overrides Target
Description: A single sign-on configuration usually has a preconfigured target page. In some cases, the administrator or a user may want to redirect the user to a different page. The RelayState allows the system to go directly to the chosen page.
Value: Yes
Comments: This is usually allowed, unless there is a very restricted rule that requires the user to always land at the default Target page. When the override is allowed, it makes deep links possible. Implementing a deep link requires other, more advanced custom configurations.

Item: IDP Initiated SSO URL
Description: The IdP Initiated SSO is also known as unsolicited SSO, as it is a request started from the IdP without the SP requesting it.
Value: https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=spinterop&StartURL=https://www.sp.demo
Comments: With CA Federation Manager as the SP, this is usually not needed.

CA Federation Manager: Standalone Option

NOTE: CA Federation Manager, the stand-alone option, is available to CA SiteMinder Federation Security Services customers with current maintenance at no additional charge.

ASSERTION VERIFICATION CERTIFICATE
When Arcot A-OK sends a SAML assertion to CA Federation Manager, Arcot A-OK signs the SAML assertion using a certificate to confirm its integrity. This certificate (the Assertion Verification Certificate) is sent to you by A-OK Support. When you receive this certificate, use the Import New button on the Certs and Keys tab to import it into CA Federation Manager and give it an alias name.

REMOTE SAML 2 IDP ENTITY
After the Assertion Verification Certificate has been imported into Federation Manager, use the following information from the A-OK Federation Worksheet to create a Remote SAML 2 IdP Entity for A-OK:
IDP ID -> Entity ID
A-OK SSO Service URL -> Remote SSO Service URL using HTTP-Redirect Binding, e.g. https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=spinterop&StartURL=https://www.sp.demo
Assertion Verification Certificate alias -> Verification Certificate Alias
The Name ID is simply Unspecified.

LOCAL SAML 2.0 SP ENTITY
To offer federation service using CA Federation Manager (the stand-alone deployment option) as a SAML 2.0 SP, you now need to use the following information from the A-OK Federation Worksheet to create a Local SP Entity for the CA Federation Manager server itself:
Assertion Consumer URL -> Entity ID
SP Server Base URL -> Base URL
The Name ID Format is Unspecified.

In the following Confirm screen, note that the Entity ID is identical to the Assertion Consumer Service URL.


SAML 2.0 SP->IDP PARTNERSHIP

1. With the Local SP and Remote IdP defined, you can now configure and activate a SAML2 IDP->SP Partnership. Choose the Local SP and Remote IdP defined earlier, set an appropriate Skew Time and select an appropriate User Directory.

2. Select Use Name ID to pick up the Name ID value generated by A-OK and set Map Identity Attribute to User Directories appropriately. In this case, we are mapping the Name ID to the Name field of an ODBC User Directory.

3. Check HTTP-Post and leave the rest as the default settings.

4. Leave the default setting, as Federation Manager picks up the correct Verification Certificate Alias from the Remote IdP Entity.

5. Set the appropriate Redirect Mode and the default landing page Target, with Relay state overrides target checked. You may also want to change other settings according to your own needs.

6. Save and activate this newly created Federation Partnership.

EXERCISE THE FEDERATION SERVICE
Once the configurations are done and enabled on both Arcot A-OK and CA Federation Manager, you can open a Web Browser to test the federation service.

SP-Initiated: When a user visits a URL such as https://www.sp.demo/affwebservices/public/saml2authnrequest?ProviderID=https://aok.arcot.com, if a session does not already exist, the CA Federation Manager server will automatically invoke the Federation Service.

IDP-Initiated: Accessing a URL such as https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=cainterop&StartURL=https://interop.ca.com&RelayState=https://interop.ca.com/headers.asp also works. Here the RelayState parameter is optional and provides an alternative landing page. The SP-Initiated URL supports the same RelayState syntax too.


A-OK LOGOUT
If your Web application needs to implement a way to log out of the A-OK session, the following URL can be used:
<<A-OK Base URL>>/capps/logout.htm?lourl=<<LogoutLandingPage>>

Here the LogoutLandingPage tends to be a URL that is used to log out of the Web Application that CA Federation Manager helps to support.

CA Federation Manager: Add-on to CA SiteMinder (formerly CA SiteMinder Federation Security Services)

LICENSING NOTE: If you already have CA SiteMinder implemented at your organization, you must have a CA Federation Manager (or CA SiteMinder Federated Security Services) license and software to use the federation features. If you already have CA SiteMinder Federation Security Services, now branded as CA Federation Manager, these instructions will help you set up single sign-on.

ARCOT A-OK FEDERATION WORKSHEET
To complete the configuration, use the Arcot A-OK Federation Worksheet as a guide. From the worksheet, the most relevant items are the following:
Assertion Verification Certificate
IDP ID
A-OK SSO Service URL
Assertion Consumer URL

ASSERTION VERIFICATION CERTIFICATE
When Arcot A-OK sends a SAML assertion to CA Federation Manager, Arcot A-OK signs the SAML assertion using a certificate to confirm its integrity. This certificate (the Assertion Verification Certificate) is sent to you by A-OK Support. When you receive this certificate, use the smkeytool command on the Policy Server to import it into the key store (the certificate file is passed with the -infile option):
smkeytool -addCert -alias aok -infile aokpreview.arcot.co.in.cer

Once this is imported successfully, you can use the following smkeytool command to list the certificate you just imported. Later, you will be able to copy the output of this command and paste it into the other screens you need to configure:


C:\>smkeytool -listCerts -alias aok
Alias Name: aok
Type: CertificateEntry
Subject: CN=aok.arcot.com,OU=ArcotSecureHosting,O=Arcot Systems Inc.,C=US
Issuer: CN=aok.arcot.com,OU=ArcotSecureHosting,O=Arcot Systems Inc.,C=US
Serial Number: 47B09D9A
Valid from: Mon Feb 11 14:10:18 EST 2008 until: Sat Feb 09 14:10:18 EST 2013
*****************************************************************************
Number of entries listed: 1


SAML 2.0 AUTHENTICATION SCHEME
To configure the SiteMinder Add-on, a SAML 2.0 Authentication Scheme is the equivalent of an SP->IdP partnership object in the stand-alone option deployment. The spdemoaok scheme below is an example. On the Scheme Setup screen, pick an appropriate Skew Time to allow for possible system clock differences between the SiteMinder Add-on system and the A-OK system, and use the information from our A-OK Federation Worksheet:
Assertion Consumer URL -> SP ID
IDP ID -> IdP ID
Assertion Verification Certificate -> Issuer DN and Serial Number (taken from the output of the smkeytool -listCerts command)

Click on Additional Configuration to continue.


Users tab: set the appropriate Search Specification based on the choice of your User Directory. In this example, we are mapping the Name ID in the SAML Assertion to the Name field of an ODBC User Directory.


SSO tab: The A-OK SSO Service URL from the A-OK Federation Worksheet goes to the SSO Service. In this case, 302 Cookie Data is the Redirect Mode. The Target field is set to a test landing page and Relay State Overrides Target is checked. The HTTP-Post in the Bindings group is also checked.

Use the default settings for the remaining tabs.

POLICIES, DOMAIN, REALM, AND OTHERS
Just as with any other SiteMinder Authentication Scheme, you need to have the appropriate SiteMinder security policies configured before this Authentication Scheme is actually used.

EXERCISE THE FEDERATION SERVICE
Once the configurations are done and enabled on both Arcot A-OK and CA Federation Manager, you can open a Web Browser to test the federation service.

SP-Initiated: When a user visits a URL such as https://www.sp.demo/affwebservices/public/saml2authnrequest?ProviderID=https://aok.arcot.com, if a session does not already exist, the CA Federation Manager server will automatically invoke the Federation Service.

IDP-Initiated: Accessing a URL such as https://aokpoc.arcot.com/capps/auth_entry_point.htm?appType=4&appId=cainterop&StartURL=https://interop.ca.com&RelayState=https://interop.ca.com/headers.asp also works. Here the RelayState parameter is optional and provides an alternative landing page. The SP-Initiated URL supports the same RelayState syntax too.


A-OK LOGOUT
If your SiteMinder-protected Web application needs to implement a way to log out of the A-OK session, the following URL can be used:
<<A-OK Base URL>>/capps/logout.htm?lourl=<<LogoutLandingPage>>

The LogoutLandingPage is likely to be a URL that involves the SiteMinder logoff URI.

Appendix A. Troubleshooting
NOTBEFORE ATTRIBUTE
By default, A-OK sets the NotBefore attribute on the SubjectConfirmationData tag. CA Federation Manager does not allow this attribute to be set. This is configurable in Arcot A-OK.

INRESPONSETO ATTRIBUTE
By default, A-OK only sets InResponseTo on the SubjectConfirmationData tag but not on the samlp:Response tag. CA Federation Manager requires it to be set on both. This is configurable in Arcot A-OK. Please keep in mind that InResponseTo is only used with SP Initiated SSO. IdP Initiated SSO does not use it at all, as there is no value to set for this attribute.

SIGNATURE ON RESPONSE INSTEAD OF SIGNATURE ON ASSERTION
By default, A-OK sets the Signature on the Response. CA Federation Manager needs it on the Assertion. This is configurable in Arcot A-OK.
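The three Appendix A items are all about where attributes and elements sit in the SAML response, so they can be checked mechanically before a failed login has to be diagnosed from Federation Manager logs. The Python script below, an added example and not CA or Arcot code, lints a SAML 2.0 Response for exactly those three conditions, and additionally compares the Assertion Issuer with the worksheet's IDP ID and the SubjectConfirmationData Recipient with the Assertion Consumer Service URL. It checks element placement only and does not verify the XML signature itself (Federation Manager does that with the imported Assertion Verification Certificate). The sample responses are constructed for illustration, not captured A-OK messages; the function names and the request ID `_req1` are this example's own.

```python
"""Lint a SAML 2.0 Response for the A-OK defaults that Appendix A says CA
Federation Manager rejects: NotBefore on SubjectConfirmationData,
InResponseTo missing from samlp:Response, and the Signature on the Response
instead of on the Assertion. Also checks Issuer against the worksheet IDP ID
and Recipient against the Assertion Consumer Service URL.

Added example for this guide; not CA or Arcot code. Placement checks only:
the signature value is not verified here. Sample responses are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
IDP_ID = "https://aok.arcot.com"                                   # worksheet IDP ID
ACS_URL = "https://www.sp.demo/affwebservices/public/saml2assertionconsumer"


def lint_response(xml_text, sp_initiated=True):
    """Return the list of problems found; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no saml:Assertion"]
    findings = []

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != IDP_ID:
        findings.append("Assertion Issuer %r is not the A-OK IDP ID %s" % (issuer, IDP_ID))

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("Assertion has no SubjectConfirmationData")
    else:
        # Appendix A: A-OK sets NotBefore here by default; Federation Manager rejects it
        if "NotBefore" in scd.attrib:
            findings.append("NotBefore is set on SubjectConfirmationData (not allowed by Federation Manager)")
        if scd.get("Recipient") not in (None, ACS_URL):
            findings.append("Recipient %s is not the Assertion Consumer Service URL" % scd.get("Recipient"))

    # Appendix A: InResponseTo must be on both samlp:Response and SubjectConfirmationData,
    # but only for SP-initiated SSO; IdP-initiated (unsolicited) SSO has no request ID
    if sp_initiated:
        resp_irt = root.get("InResponseTo")
        scd_irt = scd.get("InResponseTo") if scd is not None else None
        if not resp_irt:
            findings.append("InResponseTo missing from samlp:Response")
        if not scd_irt:
            findings.append("InResponseTo missing from SubjectConfirmationData")
        if resp_irt and scd_irt and resp_irt != scd_irt:
            findings.append("InResponseTo differs between Response and SubjectConfirmationData")

    # Appendix A: the signature must be on the Assertion, not only on the Response
    if assertion.find("ds:Signature", NS) is None:
        where = "on the Response" if root.find("ds:Signature", NS) is not None else "absent"
        findings.append("Signature is %s but not on the Assertion" % where)
    return findings


def sample_response(fixed):
    """Constructed sample: A-OK's three defaults when fixed=False, the
    Federation-Manager-compatible form when fixed=True. The Signature
    element is a placeholder, since only its placement is inspected."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo/><ds:SignatureValue>c29tZQ==</ds:SignatureValue></ds:Signature>')
    resp_irt = ' InResponseTo="_req1"' if fixed else ""
    scd_nb = "" if fixed else ' NotBefore="2011-01-20T10:00:00Z"'
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"'
        ' IssueInstant="2011-01-20T10:00:00Z" Destination="' + ACS_URL + '"' + resp_irt + '>'
        '<saml:Issuer>' + IDP_ID + '</saml:Issuer>' + ("" if fixed else sig) +
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-01-20T10:00:00Z">'
        '<saml:Issuer>' + IDP_ID + '</saml:Issuer>' + (sig if fixed else "") +
        '<saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData InResponseTo="_req1"' + scd_nb +
        ' NotOnOrAfter="2011-01-20T10:05:00Z" Recipient="' + ACS_URL + '"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    for label, fixed in (("A-OK defaults", False), ("after reconfiguration", True)):
        print(label + ":", lint_response(sample_response(fixed)) or ["OK"])
```

Run against a response captured from a browser trace (the HTTP-POST binding carries it base64-encoded in the SAMLResponse form field), the three Appendix A findings appear for an unreconfigured A-OK environment and disappear once A-OK Support has changed the settings; pass sp_initiated=False when checking an IdP-initiated flow so the InResponseTo checks are skipped.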
