This paper shows how to configure identity federation between CA
SiteMinder and Microsoft SharePoint 2010, using the CA Federation
Manager Add-on for SiteMinder. Two scenarios are presented. The
first is an intra-organizational scenario that is useful where
SiteMinder, the user accounts, and SharePoint are all maintained
within the enterprise. The second is a traditional identity
federation scenario where the user accounts are maintained outside
of the enterprise hosting SharePoint. A federated identity
environment features the following advantages:
· Helps control Information Technology (IT) costs and gain
efficiencies. Federation targets the areas that depend on many manual
processes, such as user account management and access management;
these manual processes are where the cost control is focused.
· Enables compliance with expanding regulatory requirements. A
standards-based identity federation can increase security of
websites and portals and enable an organization to identify and
authenticate a user only once. The organization can then use that
identity information to access multiple systems which can include
websites of external partners and various portals.
While both scenarios create a federated identity environment,
the techniques and methodology used in the two lab scenarios
differ. The two lab scenarios are:
1. Lab scenario 1 - Intra-organization scenario. In this lab scenario, SiteMinder is the Trusted
Identity Provider for SharePoint and authenticates users to one or
more user directories maintained within the organization. Once
authenticated, these users (which may be employees, partners or
customers) can access SharePoint as well as other applications
protected by SiteMinder. This lab scenario uses the CA Federation
Manager Add-on to SiteMinder (a.k.a., SiteMinder Federation
Security Services) to generate a WS-Federation 1.0 token that is in
turn read by SharePoint 2010.
2. Lab scenario 2 - Cross-organization, traditional Federation scenario. In this lab scenario,
SiteMinder is deployed at the external partner organization, along
with the CA Federation Manager Add-on, and Microsoft AD FS 2.0 is
deployed within the enterprise where SharePoint is hosted.
SiteMinder authenticates the partners to the partner organization's
user directory and generates a SAML 2.0 token. AD FS 2.0, which
acts as a security token service, translates the SAML 2.0 token
into a WS-Federation token for use with SharePoint. In this lab
scenario, we also configure SharePoint's native claims-based
Windows provider to illustrate how employees within the enterprise
could access SharePoint alongside partners who use the federated
approach. (The claims-based Windows provider is listed alongside
the other Identity Providers configured in AD FS 2.0; in the lab it
is identified as ADFSMachine.CompanyA.com.)
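The trust boundary in lab scenario 2 is the point where the security token service accepts the partner's SAML 2.0 token and turns it into claims for SharePoint. The following Python model of that step is an added example, not code from the paper, from SiteMinder or from AD FS 2.0: it shows the checks an STS performs before trusting an inbound assertion (issuer, validity window, audience) and how only explicitly mapped attributes become outgoing claims. The issuer URL, STS audience, claim-mapping rules and the sample assertion are all constructed for this illustration; signature verification, which a real STS must also perform, is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trust settings the STS would hold; every value here is constructed for the example.
TRUSTED_ISSUERS = {"https://sm.partner.example/affwebservices/public/saml2sso"}
STS_AUDIENCE = "https://adfs.companya.example/adfs/services/trust"
CLAIM_MAP = {  # inbound SAML attribute name -> claim type passed on to SharePoint
    "mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "memberOf": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}

def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_and_map(assertion_xml, now):
    """Reject the assertion on any failed trust check; otherwise return the outgoing claims.
    Signature verification (mandatory in a real STS) is out of scope for this model."""
    a = ET.fromstring(assertion_xml)
    issuer = a.findtext("saml:Issuer", namespaces=SAML)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer: %s" % issuer)
    cond = a.find("saml:Conditions", SAML)
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = {e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", SAML)}
    if STS_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to this STS")
    claims = []
    for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", SAML):
        claim_type = CLAIM_MAP.get(attr.get("Name"))
        if claim_type is None:
            continue  # attributes without a mapping rule are dropped, never forwarded
        for v in attr.iterfind("saml:AttributeValue", SAML):
            claims.append((claim_type, v.text))
    return claims

# Constructed sample assertion, shaped like one the partner's IdP would issue in scenario 2.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sm.partner.example/affwebservices/public/saml2sso</saml:Issuer>
  <saml:Conditions NotBefore="2012-03-01T10:00:00Z" NotOnOrAfter="2012-03-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://adfs.companya.example/adfs/services/trust</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@partner.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>PartnerReaders</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeID"><saml:AttributeValue>4711</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(validate_and_map(SAMPLE, _utc("2012-03-01T10:02:00Z")))
```

Run as-is, the unmapped employeeID attribute is discarded while the mail and memberOf values surface as the e-mail and role claims SharePoint would see.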