Windows Azure Platform >
ACS integration with SiteMinder

Answered ACS integration with SiteMinder

  • Tuesday, December 06, 2011 4:24 PM
     
     
    Sign In to Vote
    0

    I am using CA SiteMinder as local IDP to generate SAML 2.0 Federation tokens. I cannot find any reference to support for SiteMinder integration wi a th ACS. Here is my scenario:

    - User authenticates against SiteMinder locally and requests access to Azure based application

    - SiteMinder creates a SAML 2.0 assertion with user claims information in the "attributes option" section

    - ACS receives SAML assertion and maps input claims to output cliams and directs user to requested relying party

    My problem is I cannot find any support for configuring  SAML based partner  (i-e; SiteMinder) in ACS, only WS-Fed based partner.

    Is the above integration possible? if so, how do I configure a SAML 2.0 IDP in ACS?

    Thanks

     

All Replies

  • Wednesday, December 07, 2011 9:57 AM
    Moderator
     
     
    Sign In to Vote
    0

    Hi,

    I am not familiar with SiteMinder. But you may have some misunderstanding between WS-Federation and SAML. WS-Federation is a protocol (similar to OAuth). SAML is a kind of token (similar to SWT). A protocol is used to send the token. Ideally, you use WS-Federation to send SAML tokens, and ACS supports WS-Federation as custom identity providers. You mentioned SiteMinder already supports SAML. So the next thing to check is if it uses WS-Federation or another protocol to send the SAML token. If it uses WS-Federation, it will be fine. Otherwise it’s not supported by ACS.

     

    Best Regards,

    Ming Xu.

    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework
     
  • Wednesday, December 07, 2011 3:20 PM
     
     
    Sign In to Vote
    0

    Mr. Xu,

    Thank you for your comment. I do understand the difference between a protocol and a token. SAML however is used both as a token (as in SAML Assertion) and a protocol. I see that ACS supports SAML as input cliams token as well as output claims token, but not as a protocol. Which makes it very hard for me to integrate with with SiteMider.

    Does anyone know if SAML (Protocol) support for IDP is forthcoming in ACS?

    Regards,


    Ssoomor

     
  • Thursday, December 08, 2011 8:52 AM
     
     
    Sign In to Vote
    0

    Hi Ssoomor,

    Siteminder is supported in ACS. Find the following Eugenio's blog for more details on integration:

    http://blogs.msdn.com/b/eugeniop/archive/2010/07/01/identity-federation-interoperability-wif-adfs-ca-siteminder.aspx

    Thanks,

    Seetha

    (Pls. mark this as answered if this reply answered your query)

     
  • Thursday, December 08, 2011 8:58 AM
     
     
    Sign In to Vote
    1

    This doc is about SiteMinder/ADFS integration. ADFS2 supports SAML2p - so yes this works.

    ACS does not support SAML2p.

    Dominick Baier | thinktecture | http://www.leastprivilege.com
     
  • Thursday, December 08, 2011 3:01 PM
     
     
    Sign In to Vote
    0

    That is correct, the document refers to SiteMinder + ADFS integration, which is supported. SiteMinder federation services support SAML and WS-Federaion, so it can integrate with ADFS. The issue of integration with ACS is that it only supports Metadata exchange for WS-Fed and does not support SAML (Protocol) whereas SiteMinder supports SAML metadata exchage, and while it does support WS-Fed partnerships, it does not provide a mechnism for Metadata Exchange for it (so it has to be manually configured). Since you cannot manually configure a WS-Fed partnership in ACS, there is an incompatability between the two systems.

    Regards,

    Ssoomro

     
  • Friday, December 09, 2011 4:22 AM
     
     Answered
    Sign In to Vote
    0

    oh yah... Why don't you write Custom STS on top of SiteMinder and use it to integrate with ACS? You can even use ADFSV2 instead of Custom STS, through which it can integrate with ACS.

    Regards,

    Seetha

     
  • Friday, February 10, 2012 7:40 AM
     
     
    Sign In to Vote
    0

    Hi,

     AFAIK In ACS it is not possible.

    However, MSFT last year released an update for supporting SAML protocol in WIF.

    So theoretically you could configure Siteminder to interact directly with the application deployed on Azure than through ACS using SAML protocol.

    Here is the link which speaks of SAML support in WIF.

    http://blogs.msdn.com/b/card/archive/2011/05/16/announcing-the-wif-extension-for-saml-2-0-protocol-community-technology-preview.aspx

    Cheers,

    Kanduri


     
  • Friday, February 10, 2012 7:45 AM
     
     
    Sign In to Vote
    0

    Well, Generating metadata is definitely a non trivial task, but it is not so complex either.

    ACS does not need signed metadata either. so it is just an XMLwith....

    1. URL to post the WS-fed request

    2. Cert used by SM

    3. Claims

    Hope this helps...

    Cheers,

    Kanduri


     
  • Saturday, April 06, 2013 2:30 PM
     
     
    Sign In to Vote
    0

    I found SAML Protocol(Preview Feature) is now supported on ACS in msdn documentation, is it possible now please check the link

    http://msdn.microsoft.com/en-us/library/windowsazure/jj899563.aspx

    If yes then how can ACS integration with SiteMinder?