Configuring Layer7 SiteMinder as an Identity Provider

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu Application Service.

This topic describes how to set up Layer7 SiteMinder as your identity provider by configuring SAML integration in both Ops Manager and Layer7 SiteMinder.


To set up Layer7 SiteMinder as your identity provider through SAML integration:

  1. Set up SAML in Single Sign‑On
  2. Create an Entity
  3. Configure the Entity
  4. Import the Metadata
  5. Create a Partnership
  6. Configure the Partnership
  7. Add Federation Users
  8. Configure the Assertion
  9. Configure the SSO and SLO Authentication
  10. Configure the Signature and Encryption

Set up SAML in Single Sign‑On

Follow the steps in Configure SAML Settings.

Create an Entity

To create an entity:

  1. Sign in as a Layer7 SiteMinder admin.

  2. Click the Federation tab.

  3. Click the Entities link.

  4. Click Create Entity.

  5. Select Local for Entity Location.

  6. Select SAML2 IDP for New Entity Type.

  7. Click Next.

Configure the Entity

To configure the entity in the Entities section:

  1. Enter an Entity ID.

  2. Enter an Entity Name.

  3. Enter a Description.

  4. Enter the URL for your Layer7 SiteMinder as the Base URL.

  5. Select or import a Signing Private Key Alias.

  6. Select a Name ID format.

  7. Click Next.

  8. Confirm the Entity Details and click Finish.

Import the Metadata

To import the metadata you downloaded earlier in the Configure SAML Settings procedure:

  1. Click the Federation tab.

  2. Click the Entities link.

  3. Click Import Metadata.

  4. Click Browse and select the downloaded metadata for Metadata file.

  5. Select Remote Entity for Import As.

  6. Select Create New for Operation.

  7. Click Next.

  8. In the Select Entity Defined in Metadata File section, fill in the Entity Name field and then click Next.

  9. In the Select Key Entries to Import section, fill in the Alias field and then click Next.

  10. Click Finish.

Create a Partnership

To create a partnership:

  1. Click the Federation tab.

  2. Click Create Partnership and select SAML2 IDP -> SP.

Configure the Partnership

To configure the partnership in the Configure Partnership section:

  1. Enter a Partnership Name.

  2. Enter a Description.

  3. Select a previously created local entity for Local IDP.

  4. Select a previously created remote entity for Remote SP.

  5. Enter a Skew Time.

  6. Add any User Directories.

  7. Click Next.

Add Federation Users

To add federation users:

  1. Add the users you want to include in the partnership.

  2. Click Next.

Configure the Assertion

To configure the assertion:

  1. Select a Name ID Format.

  2. Select User Attribute as the Name ID Type.

  3. Enter mail as the Value.

  4. (Optional) Under Assertion Attributes, specify any app or group attributes that you want to map to users in the ID token. The value for sending a user’s groups is FMATTR:SM_USERGROUPS.

  5. Click Next.

Configure the SSO and SLO Authentication

To configure SSO and SLO authentication in the SSO and SLO section:

  1. Enter the Authentication URL.

  2. Select HTTP-Post for SSO Binding.

  3. Select Both IDP and SP initiated for Transactions Allowed.

  4. Click Next.

Configure the Signature and Encryption

To configure the signature and encryption in the Signature and Encryption section:

  1. Select your key alias for Signing Private Key Alias.

  2. Select your certificate alias for Verification Certificate Alias.

  3. Click Next.

  4. Click Finish.

  5. Click the Action dropdown and select Activate.

  6. Click the Action dropdown and select Export Metadata to obtain the metadata needed for the Configuring a Single Sign-On Service Provider procedure.