One way to get started with partnership federation is by configuring a partnership. This chapter describes how to set up a basic SAML 2.0 federation partnership: single sign-on using the SAML 2.0 POST profile.
By starting with a basic configuration, you can complete the least number of steps to see how partnership federation works.
The chapter also describes how to configure additional features, such as digital signing and single logout, that reflect a real production environment. You can also add the Artifact binding to the configuration.
The sample network used in this chapter presupposes that CA Single Sign-On is installed at both sites in the partnership. However, you can have CA Single Sign-On at one site and a different SAML-compliant product at the other site and still engage in a partnership.
With CA Single Sign-On at both sites, you have to understand the perspective from which you are configuring a partnership. A complete partnership consists of one partnership definition at each site, one for each direction of communication from that site. For example, if the local site is the Identity Provider (IdP), you configure the local IdP-to-remote SP partnership. This configuration is one partnership definition. To complete the partnership, you configure the reciprocal local SP-to-remote IdP partnership at the local SP.
The partnership definition always distinguishes the local and remote entities. The local entity is the entity at the site from which you are configuring partnership federation. This environment is not necessarily the same system on which CA Single Sign-On is installed, but it is in the same domain. The remote entity is the entity at a partner that resides in a different domain from the one where you are configuring partnership federation.
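To make the local/remote distinction concrete, the following is an added example, not CA Single Sign-On code: written from the local SP's perspective, it checks that a SAML 2.0 POST-profile Response delivered in the SAMLResponse form field is consistent with the local SP-to-remote IdP partnership definition (Issuer is the remote IdP, Destination is the local Assertion Consumer Service URL, Audience is the local SP, assertion not expired). The entity IDs, URLs and sample Response are constructed, and `check_post_response` and `saml_time` are hypothetical helpers; XML signature verification is assumed to run before this check.

```python
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Hypothetical local SP-to-remote IdP partnership definition; all values are constructed.
PARTNERSHIP = {
    "local_entity_id": "https://sp.example.test/sp",     # local entity: this SP
    "remote_entity_id": "https://idp.example.test/idp",  # remote entity: the partner IdP
    "acs_url": "https://sp.example.test/saml2/acs",      # where the IdP's POST is delivered
}

# Constructed SAML Response, as the IdP would deliver it in the SAMLResponse form field.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="{PARTNERSHIP['acs_url']}">
  <saml:Issuer>{PARTNERSHIP['remote_entity_id']}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{PARTNERSHIP['remote_entity_id']}</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{PARTNERSHIP['local_entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

def saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")  # SAML UTC timestamp, naive datetime

def check_post_response(saml_response_b64, partnership, now_utc):
    """Return mismatches between a POST-profile Response and the partnership definition (empty list = consistent)."""
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # Destination must be this SP's Assertion Consumer Service URL.
    if root.get("Destination") != partnership["acs_url"]:
        problems.append("Destination is not the local ACS URL")
    # Issuer must be the remote IdP named in this partnership definition.
    issuer = root.findtext(SAML + "Issuer")
    if issuer != partnership["remote_entity_id"]:
        problems.append(f"Issuer {issuer!r} is not the remote IdP")
    assertion = root.find(SAML + "Assertion")
    if assertion is None:
        return problems + ["no Assertion in Response"]
    # Audience must name the local SP, and the assertion must still be within its validity window.
    if partnership["local_entity_id"] not in [a.text for a in assertion.iter(SAML + "Audience")]:
        problems.append("local SP entity ID missing from AudienceRestriction")
    cond = assertion.find(SAML + "Conditions")
    if cond is None or saml_time(now_utc) >= saml_time(cond.get("NotOnOrAfter")):
        problems.append("assertion has no Conditions or has expired")
    return problems
```

Swapping the roles (a local IdP-to-remote SP definition) inverts which entity ID is expected as Issuer and which as Audience, which is why each direction needs its own definition.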
The following process shows the steps for creating the basic partnership when CA Single Sign-On is at both sites:
The initial partnership that you are creating represents the following sample network. The URLs in the procedures and sample network are examples and do not resolve to any real site.
The following figure shows the sample partnership with CA Single Sign-On at both partners.
To use partnership federation, the following components are required:
This simple partnership deployment example assumes that these components are installed and working.