Configuring CA as an Identity Provider

This topic explains how to configure single sign-on (SSO) between CA and Pivotal Platform.

Overview

Creating a partnership between CA SSO and Pivotal Platform involves the following steps:

  1. Installing and configuring the prerequisites. For more information, see Prerequisites.

  2. Configuring CA SSO as an identity provider (IDP). For more information, see Configure CA as the SAML Identity Provider for Pivotal Platform.

  3. Configuring the service provider (SP). For more information, see Configure Pivotal Platform as the SAML Service Provider for CA Single Sign-On.

Prerequisites

To configure SSO between CA SSO and Pivotal Platform, you must have:

  • An installation of CA SSO v12.52 or later.

  • A configured user store and session store.

  • A certificate signed by a certificate authority (CA). Note that CA here means a certificate authority, not CA Technologies.

  • An IDP URL protected by CA SSO. To protect the URL, create the following in CA SSO:

    • Authentication scheme
    • Domain
    • Realm
    • Rules and policy
  • A Pivotal Platform environment at https://console.SYSTEM-DOMAIN, where SYSTEM-DOMAIN is the system domain of your Pivotal Platform installation.

Configuring CA as the SAML Identity Provider for Pivotal Platform

To configure CA SSO as the SAML IDP for Pivotal Platform:

  1. Export the IDP metadata from CA SSO:

    1. Navigate to https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Pivotal Platform installation.
    2. Log in to CA SSO.
    3. Navigate to Federation.
    4. Select Partnership Federation.
    5. In the Actions menu, select Export Metadata.
    6. Save the exported IDP metadata as an XML file.
  2. Follow the procedure in Configure PAS as a Service Provider for SAML in Configuring Authentication and Enterprise SSO for PAS to set the IDP metadata on Pivotal Platform.

  3. Paste the contents of the XML file into the Provider metadata field.

  4. Click Save.

  5. Return to the Ops Manager Installation Dashboard.

  6. Click Review Pending Changes.

  7. Click Apply Changes.

Configuring Pivotal Platform as the SAML Service Provider for CA Single Sign-On

This section explains how to configure Pivotal Platform as the SAML SP for CA SSO.

Configure Identity Provider and Service Provider Entities

To configure IDP and SP entities in CA SSO:

  1. Navigate to https://login.SYSTEM-DOMAIN/, where SYSTEM-DOMAIN is the system domain of your Pivotal Platform installation.

  2. Log in to CA SSO.

  3. Navigate to Federation.

  4. Click Partnership Federation.

  5. Click Entity.

  6. Click Create Entity.

  7. To create a local entity, configure the fields with the following values:

    • Entity Location: Local
    • Entity Type: SAML2 IDP
    • Entity ID: Enter an ID for your local identity provider. For example, https://ca-technologies.xxx.com. This value becomes the Issuer of the assertions CA SSO sends to Pivotal Platform.
    • Entity Name: Enter a name for your local identity provider.
    • Base URL: Enter the fully-qualified domain name of the host that serves CA SSO Federation Web Services.
    • Signing Private Key Alias: Select the alias of an existing private key, or import a private key.
    • Signed Authentication Requests Required: Select No.
    • Supported NameID format: Enter both urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified so that the email address and unspecified NameID formats are both supported.
  8. To create a remote entity:

    1. Click Import Metadata.
    2. Download the SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Pivotal Platform installation.
    3. Save the SP metadata to an XML file.
    4. Browse to and select the XML file you saved in the previous step.
    5. Provide a name for the Remote Service Provider Entity.
    6. Provide an alias for the signing certificate imported from the metadata.

      Note: Pivotal Platform signs its outgoing SAML authentication requests. CA SSO uses the certificate imported here to verify those signatures, so the alias you choose is the one you select later as the Verification Certificate Alias.

    7. Click Save.

Configure Partnership Between CA SSO and Pivotal Platform

To configure a partnership between CA SSO and Pivotal Platform:

  1. Navigate to https://login.SYSTEM-DOMAIN/, where SYSTEM-DOMAIN is the system domain of your Pivotal Platform installation.

  2. Log in to CA SSO.

  3. Navigate to Federation.

  4. Click Partnership Federation.

  5. Click Create Partnership.

  6. To configure the partnership, configure the fields with the following values:

    • Add Partnership Name: Enter a name for your partnership.
    • (Optional) Description: Enter a relevant description for your partnership.
    • Local IDP ID: Select the local IDP entity you created in Configure Identity Provider and Service Provider Entities.
    • Remote SP ID: Select the remote SP entity you created in Configure Identity Provider and Service Provider Entities.
    • Base URL: This field is pre-populated.
    • Skew Time: Enter the clock skew your environment requires. This is the tolerance CA SSO and Pivotal Platform allow for clock differences when checking assertion validity times; keep it as small as your clock synchronization permits.
    • User Directories and Search Order: Select the required directories in the required search order.
  7. Click Next.

  8. On the Federation Users page, accept the default values.

  9. Click Next.

  10. To complete the Name ID Format section:

    1. Select Email Address from the Name ID Format dropdown.
    2. Select User Attribute from the Name ID Type dropdown.

      Note: Pivotal Platform does not support processing SAML Assertion Attributes at this time. You can skip filling out the Assertion Attributes fields.

  11. Click Next.

  12. To complete the SSO and SLO section:

    1. In the Authentication URL field, enter the IDP URL that you protected with CA SSO in Prerequisites.
    2. For SSO Binding, select HTTP-POST.
    3. In the Audience field, enter http://login.SYSTEM-DOMAIN, where SYSTEM-DOMAIN is the system domain of your Pivotal Platform installation.

      Note: The Audience field requires http:// instead of https://. The audience is the SP entity ID, which Pivotal Platform compares as an exact string against the entityID in its own SP metadata. It is an identifier, not a URL that either side connects to, so the http:// scheme does not affect transport security; the SAML messages themselves still travel over the HTTPS endpoints in the metadata.

    4. Select Both IDP and SP Initiated from the Transactions Allowed dropdown.
    5. The Assertion Consumer Service URL field is pre-populated from the SP entity metadata.
  13. Click Next.

  14. To complete the Configure Signature and Encryption section:

    1. In the Signing Private Key Alias dropdown, verify that the correct private key alias is selected. This is the key CA SSO uses to sign the assertions it sends to Pivotal Platform.
    2. In the Verification Certificate Alias dropdown, verify that the correct verification certificate alias is selected. This must be the alias you assigned to the signing certificate when you imported the remote SP entity in Configure Identity Provider and Service Provider Entities.
    3. Select Sign Both from the Post Signature Options dropdown, so that CA SSO signs both the SAML response and the assertion it contains.

      Note: Pivotal Platform does not support encryption options at this time.

    4. Click Finish.
  15. To activate the partnership, expand the Action dropdown for your partnership and click Activate.
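Before activating the partnership, it is worth checking mechanically that the two metadata documents agree with the values entered above: that the Audience equals the SP entityID exactly, that the IDP offers an HTTP-POST SSO endpoint, that the SP publishes the signing certificate CA SSO will use as its verification certificate, and that both sides list the emailAddress NameID format. The following Python script is an added example and is not part of the original page, of CA SSO or of Pivotal Platform tooling. It parses a constructed SP and IDP metadata pair (hypothetical hosts login.sys.example.com and ca-sso.example.com; the certificate bodies are placeholder bytes rather than real X.509 DER) and reports any mismatch. In practice you would feed it the XML you downloaded from https://login.SYSTEM-DOMAIN/saml/metadata and the XML you exported from CA SSO.

```python
"""Cross-check SAML SP metadata against IDP metadata before activating a partnership."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample documents (hypothetical hosts). The "certificates" are placeholder bytes,
# not real X.509 DER, so the fingerprints only demonstrate the comparison technique.
_SP_CERT = base64.b64encode(b"constructed SP signing certificate").decode()
_IDP_CERT = base64.b64encode(b"constructed CA SSO signing certificate").decode()

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://login.sys.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_SP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FMT}</md:NameIDFormat>
    <md:NameIDFormat>{UNSPEC_FMT}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0" isDefault="true"
      Location="https://login.sys.example.com/saml/SSO/alias/login.sys.example.com"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://ca-sso.example.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FMT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://ca-sso.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _signing_fingerprints(role):
    """SHA-256 fingerprints of the DER bytes of every signing certificate under a role descriptor."""
    out = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            out.append(hashlib.sha256(der).hexdigest())
    return out


def parse_metadata(xml_text):
    """Extract the fields the partnership depends on from SP or IDP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    role = sp if sp is not None else idp
    if role is None:
        raise ValueError("metadata has neither SPSSODescriptor nor IDPSSODescriptor")
    info = {"entity_id": root.get("entityID"), "role": "sp" if sp is not None else "idp"}
    info["nameid_formats"] = [e.text.strip() for e in role.findall("md:NameIDFormat", NS)]
    info["signing_fingerprints"] = _signing_fingerprints(role)
    info["authn_requests_signed"] = role.get("AuthnRequestsSigned", "false").lower() == "true"
    endpoint_tag = "md:AssertionConsumerService" if info["role"] == "sp" else "md:SingleSignOnService"
    info["endpoints"] = [(e.get("Binding"), e.get("Location")) for e in role.findall(endpoint_tag, NS)]
    return info


def check_partnership(sp, idp, audience):
    """Return a list of findings; an empty list means the entered values line up with the metadata."""
    findings = []
    if audience != sp["entity_id"]:  # exact string match: scheme and trailing slash both matter
        findings.append(f"Audience {audience!r} must equal the SP entityID {sp['entity_id']!r} exactly")
    if HTTP_POST not in [b for b, _ in idp["endpoints"]]:
        findings.append("IDP metadata has no HTTP-POST SingleSignOnService, but SSO Binding is HTTP-POST")
    acs = [loc for b, loc in sp["endpoints"] if b == HTTP_POST]
    if not acs:
        findings.append("SP metadata has no HTTP-POST AssertionConsumerService")
    for loc in acs:
        if urlparse(loc).scheme != "https":
            findings.append(f"ACS URL {loc} is not https; assertions would be posted in the clear")
    if not idp["signing_fingerprints"]:
        findings.append("IDP metadata carries no signing certificate; the SP cannot verify Sign Both")
    if sp["authn_requests_signed"] and not sp["signing_fingerprints"]:
        findings.append("SP signs AuthnRequests but publishes no certificate to import as verification alias")
    if EMAIL_FMT not in sp["nameid_formats"] or EMAIL_FMT not in idp["nameid_formats"]:
        findings.append("Both sides must list the emailAddress NameID format for the Email Address setting")
    return findings


if __name__ == "__main__":
    sp_info, idp_info = parse_metadata(SP_METADATA), parse_metadata(IDP_METADATA)
    print("SP signing cert fingerprint(s):", sp_info["signing_fingerprints"])
    for problem in check_partnership(sp_info, idp_info, "http://login.sys.example.com") or ["OK"]:
        print(problem)
```

The fingerprint printed for the SP signing certificate is the value to compare against the certificate stored under the verification certificate alias in CA SSO; a mismatch there means CA SSO will reject the signed authentication requests from Pivotal Platform. Running the check with `https://login.sys.example.com` as the audience reproduces the mistake the Audience note warns about.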