[Answered] ACS integration with SiteMinder

  • Tuesday, 06 December 2011 16:24

    I am using CA SiteMinder as a local IDP to generate SAML 2.0 Federation tokens. I cannot find any reference to support for SiteMinder integration with ACS. Here is my scenario:

    - User authenticates against SiteMinder locally and requests access to an Azure-based application

    - SiteMinder creates a SAML 2.0 assertion with user claims information in the "attributes option" section

    - ACS receives the SAML assertion, maps input claims to output claims and directs the user to the requested relying party

    My problem is I cannot find any support for configuring a SAML-based partner (i.e., SiteMinder) in ACS, only a WS-Fed based partner.

    Is the above integration possible? If so, how do I configure a SAML 2.0 IDP in ACS?

    Thanks

All replies

  • Wednesday, 07 December 2011 9:57
    Moderator

    Hi,

    I am not familiar with SiteMinder. But you may have some misunderstanding between WS-Federation and SAML. WS-Federation is a protocol (similar to OAuth). SAML is a kind of token (similar to SWT). A protocol is used to send the token. Ideally, you use WS-Federation to send SAML tokens, and ACS supports WS-Federation for custom identity providers. You mentioned SiteMinder already supports SAML. So the next thing to check is whether it uses WS-Federation or another protocol to send the SAML token. If it uses WS-Federation, it will be fine. Otherwise it's not supported by ACS.

     

    Best Regards,

    Ming Xu.


    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework
  • Wednesday, 07 December 2011 15:20

    Mr. Xu,

    Thank you for your comment. I do understand the difference between a protocol and a token. SAML, however, is used both as a token (as in SAML Assertion) and as a protocol. I see that ACS supports SAML as an input claims token as well as an output claims token, but not as a protocol, which makes it very hard for me to integrate with SiteMinder.

    Does anyone know if SAML (Protocol) support for IDP is forthcoming in ACS?

    Regards,


    Ssoomor

  • Thursday, 08 December 2011 8:52

    Hi Ssoomor,

    SiteMinder is supported in ACS. See the following blog post by Eugenio for more details on the integration:

    http://blogs.msdn.com/b/eugeniop/archive/2010/07/01/identity-federation-interoperability-wif-adfs-ca-siteminder.aspx

    Thanks,

    Seetha

    (Please mark this as answered if this reply answered your query)

  • Thursday, 08 December 2011 8:58

    This doc is about SiteMinder/ADFS integration. ADFS 2 supports SAML2p, so yes, this works.

    ACS does not support SAML2p.


    Dominick Baier | thinktecture | http://www.leastprivilege.com
  • Thursday, 08 December 2011 15:01

    That is correct, the document refers to SiteMinder + ADFS integration, which is supported. SiteMinder federation services support SAML and WS-Federation, so it can integrate with ADFS. The issue with integration with ACS is that ACS only supports metadata exchange for WS-Fed and does not support SAML (protocol), whereas SiteMinder supports SAML metadata exchange, and while it does support WS-Fed partnerships, it does not provide a mechanism for metadata exchange for them (so they have to be manually configured). Since you cannot manually configure a WS-Fed partnership in ACS, there is an incompatibility between the two systems.

    Regards,

    Ssoomro

  • Friday, 09 December 2011 4:22
     Answered

    Oh yeah... Why don't you write a custom STS on top of SiteMinder and use it to integrate with ACS? You can even use ADFS v2 instead of a custom STS, through which it can integrate with ACS.

    Regards,

    Seetha

  • Friday, 10 February 2012 7:40

    Hi,

    AFAIK, in ACS it is not possible.

    However, MSFT released an update last year adding support for the SAML protocol in WIF.

    So theoretically you could configure SiteMinder to interact directly with the application deployed on Azure using the SAML protocol, rather than going through ACS.

    Here is the link that talks about SAML support in WIF:

    http://blogs.msdn.com/b/card/archive/2011/05/16/announcing-the-wif-extension-for-saml-2-0-protocol-community-technology-preview.aspx

    Cheers,

    Kanduri


  • Friday, 10 February 2012 7:45

    Well, generating metadata is definitely a non-trivial task, but it is not so complex either.

    ACS does not need signed metadata either, so it is just an XML document with:

    1. The URL to post the WS-Fed request to

    2. The certificate used by SM

    3. The claims

    Hope this helps...

    Cheers,

    Kanduri
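The three items Kanduri lists above are exactly what an unsigned WS-Federation 1.2 metadata document carries: a `PassiveRequestorEndpoint` (the sign-in URL), a `KeyDescriptor use="signing"` holding the token-signing certificate, and `ClaimTypesOffered`. The following Python script is an added example for this thread, not code from SiteMinder, ACS or anyone in the discussion; it builds such a document and parses it back the way an importer would. The entity ID, sign-in URL, claim URIs and the certificate body are constructed placeholders and must be replaced with the real identity provider's values.

```python
"""Build and read back an unsigned WS-Federation 1.2 metadata document.

Added example for the ACS/SiteMinder thread; not SiteMinder, ACS or
Microsoft code. Every concrete value below (entity ID, sign-in URL,
certificate, claim URIs) is a constructed placeholder.
"""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
AUTH = "http://docs.oasis-open.org/wsfed/authorization/200706"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSA = "http://www.w3.org/2005/08/addressing"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

for _prefix, _uri in (("", MD), ("fed", FED), ("auth", AUTH),
                      ("ds", DS), ("wsa", WSA), ("xsi", XSI)):
    ET.register_namespace(_prefix, _uri)


def pem_to_base64(pem):
    """Metadata carries the bare base64 DER certificate, without PEM armour."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    base64.b64decode(body, validate=True)  # reject a damaged paste early
    return body


def build_wsfed_metadata(entity_id, passive_endpoint, signing_cert_pem, claims):
    """Return the metadata XML a federation provider such as ACS imports.

    claims: iterable of (claim URI, display name) pairs the IdP will issue.
    """
    if not passive_endpoint.lower().startswith("https://"):
        raise ValueError("WS-Fed passive requestor endpoint must be https")
    root = ET.Element("{%s}EntityDescriptor" % MD, entityID=entity_id)
    role = ET.SubElement(root, "{%s}RoleDescriptor" % MD, {
        "{%s}type" % XSI: "fed:SecurityTokenServiceType",
        "protocolSupportEnumeration": FED,
    })
    # 1. the certificate the IdP signs tokens with (not its TLS certificate)
    kd = ET.SubElement(role, "{%s}KeyDescriptor" % MD, use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, "{%s}KeyInfo" % DS), "{%s}X509Data" % DS)
    ET.SubElement(x509, "{%s}X509Certificate" % DS).text = pem_to_base64(signing_cert_pem)
    # 2. the claims offered, which show up as input-claim choices in the rules
    offered = ET.SubElement(role, "{%s}ClaimTypesOffered" % FED)
    for uri, name in claims:
        ct = ET.SubElement(offered, "{%s}ClaimType" % AUTH, Uri=uri, Optional="true")
        ET.SubElement(ct, "{%s}DisplayName" % AUTH).text = name
    # 3. the URL the browser is redirected to with the wsignin1.0 request
    pre = ET.SubElement(role, "{%s}PassiveRequestorEndpoint" % FED)
    epr = ET.SubElement(pre, "{%s}EndpointReference" % WSA)
    ET.SubElement(epr, "{%s}Address" % WSA).text = passive_endpoint
    return ET.tostring(root, encoding="unicode")


def read_wsfed_metadata(xml_text):
    """Parse metadata back into the settings an importer would pick up."""
    root = ET.fromstring(xml_text)
    role = root.find("{%s}RoleDescriptor" % MD)
    certs = [c.text
             for kd in role.iterfind("{%s}KeyDescriptor" % MD)
             if kd.get("use") == "signing"
             for c in kd.iter("{%s}X509Certificate" % DS)]
    if len(certs) != 1:
        raise ValueError("expected exactly one signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "endpoint": role.findtext(".//{%s}Address" % WSA),
        "signing_cert": certs[0],
        "claims": [c.get("Uri") for c in role.iter("{%s}ClaimType" % AUTH)],
    }


# Constructed placeholder: base64 of a marker string, NOT a real X.509 cert.
PLACEHOLDER_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder: not a real X.509 certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_CLAIMS = [  # standard claim URIs; the set offered is an assumption
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "Name"),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "E-Mail Address"),
    ("http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role", "Role"),
]


def sample_metadata():
    """Metadata for an assumed IdP at idp.example.test (placeholder host)."""
    return build_wsfed_metadata("https://idp.example.test/siteminder",
                                "https://idp.example.test/wsfed/signin",
                                PLACEHOLDER_CERT_PEM, SAMPLE_CLAIMS)


if __name__ == "__main__":
    print(sample_metadata())
```

Save the output as a file and import it as the custom identity provider's metadata. Two things to check before doing so: the certificate in the `KeyDescriptor` must be the one the IdP actually signs tokens with (a different certificate means every token is rejected as unsigned or mis-signed), and the `Address` must be the WS-Fed passive sign-in URL the IdP answers `wsignin1.0` requests on, over HTTPS. The `read_wsfed_metadata` function is there to round-trip the file and confirm those two values before uploading it.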


  • Saturday, 06 April 2013 14:30

    I found that SAML Protocol (Preview Feature) is now supported on ACS in the MSDN documentation. Is it possible now? Please check the link:

    http://msdn.microsoft.com/en-us/library/windowsazure/jj899563.aspx

    If yes, then how can ACS integrate with SiteMinder?