Configuring CA as an Identity Provider


This topic explains how to configure single sign-on (SSO) between CA and Pivotal Cloud Foundry (PCF).

Partnership creation between CA and PCF involves the following steps:

  1. Installing and configuring the prerequisites

  2. Configuring CA Single Sign-On as an Identity Provider

  3. Configuring the Service Provider


Prerequisites

  • CA Single Sign-On v12.52 installation
  • User store and session store configuration
  • A certificate signed by a Certificate Authority
  • Protect Identity Provider URL with CA SSO by creating the following objects:
    • Authentication scheme
    • Domain
    • Realm
    • Rules and policy
  • PCF environment at https://console.YOUR-SYSTEM-DOMAIN

    Note: Replace YOUR-SYSTEM-DOMAIN with the name of your PCF installation.

Configuring CA as the SAML 2.0 Identity Provider on PCF

  1. Download the service provider metadata.

    1. Navigate to https://login.YOUR-SYSTEM-DOMAIN/saml/metadata and log in to CA SSO.
    2. Navigate to Federation.
    3. Select Partnership Federation.
    4. In the Actions menu, select Export Metadata.
    5. Save the exported metadata in an XML file.
  2. Follow the steps in Configuring Authentication and Enterprise SSO for Elastic Runtime to set the identity provider metadata on PCF.

  3. Paste the contents of the XML file into the Identity Provider Metadata field.

  4. Click Save.

  5. Click Review Pending Changes, then Apply Changes.

Configuring PCF as the SAML 2.0 Service Provider on CA Single Sign-On

Configure Identity Provider and Service Provider Entities

  1. Navigate to https://login.YOUR-SYSTEM-DOMAIN/ and log in to CA SSO.

  2. Navigate to Federation.

  3. Click Partnership Federation.

  4. Click Entity.

  5. Click Create Entity.

  6. To create a local entity, use the values below:

    • Entity Location: Local
    • Entity Type: SAML2 IDP
    • Entity ID: Enter an ID for your local identity provider. For example,
    • Entity Name: Create a name for your local identity provider.
    • Base URL: Enter the fully-qualified domain name of the host that serves CA SSO Federation Web Services.
    • Signing Private Key Alias: Select the private key alias or import a private key.
    • Signed Authentication Requests Required: Select No.
    • Supported NameID format: Enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified to select both email address and unspecified as supported NameID formats.
  7. To create a remote entity, click the Import Metadata button and do the following:

    1. Download the service provider metadata from https://login.YOUR-SYSTEM-DOMAIN/saml/metadata and save it to an XML file.
    2. Browse and select the saved XML Metadata you downloaded in the previous step.
    3. Provide a name for the Remote Service Provider Entity.
    4. Provide an alias for the Signing Certificate imported from the metadata.

      Note: PCF signs the outgoing SAML authentication requests.

    5. Click Save.

Configure Partnership Between CA SSO and PCF

  1. Navigate to https://login.YOUR-SYSTEM-DOMAIN/ and log in to CA SSO.

  2. Navigate to Federation.

  3. Click Partnership Federation.

  4. Click Create Partnership.

  5. To configure the partnership, use the values below to fill in the fields:

    • Add Partnership Name: Enter a name for your partnership.
    • (optional) Description: Enter a relevant description for your partnership.
    • Local IDP ID: Enter the Entity ID of the local identity provider you created in the Configure Identity Provider and Service Provider Entities section.
    • Remote SP ID: Enter the Remote SP ID you created in the Configure Identity Provider and Service Provider Entities section.
    • Base URL: This field will be pre-populated.
    • Skew Time: Enter any skew time required by your environment.
    • User Directories and Search Order: Select the required directories in the required search order.
  6. Click Next.

  7. On the Federation Users page, accept the default values.

  8. Click Next.

  9. To complete the Name ID Format section:

    1. Select Email Address from the Name ID Format dropdown.
    2. Select User Attribute from the Name ID Type dropdown.

      Note: PCF does not support processing SAML Assertion Attributes at this time. You can skip filling out the Assertion Attributes fields.

  10. Click Next.

  11. To complete the SSO and SLO section:

    1. Enter the Authentication URL that you protected with CA SSO as part of the prerequisites.
    2. For SSO Binding, click HTTP-POST.
    3. In the Audience field, enter http://login.YOUR-SYSTEM-DOMAIN.

      Note: The Audience field requires http:// instead of https://. This is only a naming convention within the schema and does not determine connection security.

    4. Select Both IDP and SP Initiated from the Transactions Allowed dropdown.
    5. The Assertion Consumer Service URL field will be pre-populated using information from the service provider entity.
  12. Click Next.

  13. To complete the Configure Signature and Encryption section:

    1. In the Signing Private Key Alias dropdown, verify that the correct Private Key Alias is selected.
    2. Verify that the correct Verification Certificate Alias is selected in the Verification Certificate Alias dropdown. This should be the alias of the certificate that was created when you imported the Remote Service Provider Entity.
    3. Select Sign Both from the Post Signature Options dropdown.

      Note: PCF does not support encryption options at this time.

    4. Click Finish.
  14. To activate the partnership, expand the Action dropdown for your partnership and click Activate.
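
A pre-import check of the service provider metadata against the values entered in the entity and partnership steps above (Audience, HTTP-POST binding, Email Address NameID, verification certificate). This is an added example, not part of the CA or PCF documentation; `review_sp_metadata`, the sample XML, and the assumption that the Audience equals the metadata entityID are illustrative.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata; the certificate and ACS path are placeholders.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://login.example.test">
 <md:SPSSODescriptor AuthnRequestsSigned="true"
     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>{EMAIL}</md:NameIDFormat>
  <md:AssertionConsumerService index="0" Binding="{POST}"
      Location="https://login.example.test/saml/acs-placeholder"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def review_sp_metadata(xml_text, system_domain):
    """Return a list of mismatches between SP metadata and the partnership values."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["metadata contains a DTD or entity declaration; do not import it"]
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor: this is not service provider metadata"]
    problems = []
    # Assumption: the Audience entered in the partnership equals the SP entityID.
    if root.get("entityID") != f"http://login.{system_domain}":
        problems.append("entityID does not match the Audience value")
    # The Verification Certificate Alias needs a signing certificate to point at.
    signing = [kd for kd in sp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing")
               and kd.find(".//ds:X509Certificate", NS) is not None]
    if sp.get("AuthnRequestsSigned") == "true" and not signing:
        problems.append("requests are signed but no signing certificate is published")
    # SSO Binding is HTTP-POST, so a POST ACS on the login host over TLS must exist.
    acs = [urlsplit(a.get("Location", ""))
           for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == POST]
    if not any(u.scheme == "https" and u.hostname == f"login.{system_domain}" for u in acs):
        problems.append("no HTTPS HTTP-POST AssertionConsumerService on the login host")
    formats = [(f.text or "").strip() for f in sp.findall("md:NameIDFormat", NS)]
    if formats and EMAIL not in formats:
        problems.append("SP does not list the emailAddress NameID format")
    return problems
```

An empty list means the metadata agrees with the partnership settings; any entry is something to resolve before activating the partnership.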