This paper shows how to configure identity federation between CA SiteMinder and Microsoft SharePoint 2010, using the CA Federation Manager Add-on for SiteMinder. Two scenarios are presented. The first is an intra-organizational scenario that is useful where SiteMinder, the user accounts, and SharePoint are all maintained within the enterprise. The second is a traditional identity federation scenario where the user accounts are maintained outside of the enterprise hosting SharePoint. A federated identity environment features the following advantages:
· Helps control Information Technology (IT) costs and gain efficiencies. Federation targets areas that require many manual processes, such as user account management and access management; these manual processes are the focus of cost control.
· Enables compliance with expanding regulatory requirements. A standards-based identity federation can increase security of websites and portals and enable an organization to identify and authenticate a user only once. The organization can then use that identity information to access multiple systems which can include websites of external partners and various portals.
While both scenarios create a federated identity environment, the techniques and methodology used in the two lab scenarios differ. The two lab scenarios are:
1. Lab scenario 1 - Intra-organization scenario. In this lab scenario, SiteMinder is the Trusted Identity Provider for SharePoint and authenticates users to one or more user directories maintained within the organization. Once authenticated, these users (which may be employees, partners or customers) can access SharePoint as well as other applications protected by SiteMinder. This lab scenario uses the CA Federation Manager Add-on to SiteMinder (a.k.a., SiteMinder Federation Security Services) to generate a WS-Federation 1.0 token that is in turn read by SharePoint 2010.
2. Lab scenario 2 - Cross-organization, traditional federation scenario. In this lab scenario, SiteMinder is deployed at the external partner organization, along with the CA Federation Manager Add-on, and Microsoft AD FS 2.0 is deployed within the enterprise where SharePoint is hosted. SiteMinder authenticates the partners against the partner organization's user directory and generates a SAML 2.0 token. AD FS 2.0, which acts as a security token service, translates the SAML 2.0 token into a WS-Federation token for use with SharePoint. In this lab scenario, we also configure SharePoint's native claims-based Windows provider to illustrate how employees within the enterprise could access SharePoint alongside partners who use the federated approach. (The claims-based Windows provider is listed along with the other Identity Providers configured in AD FS 2.0; in the lab it is identified as ADFSMachine.CompanyA.com.)
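The trust boundary in both scenarios sits at the token consumer: SharePoint (scenario 1) or AD FS 2.0 (scenario 2) must refuse any token that was not issued by the configured trusted provider, is not addressed to it, or is outside its validity window, and only then map the token's attributes to claims. The following Python example is added here to show those relying-party checks on a SAML 2.0 assertion and the attribute-to-claim translation that AD FS performs; it is not code from the paper, from CA, or from Microsoft. The issuer and audience URIs, attribute names and the sample assertion are constructed for the example (the claim type URIs for name identifier, e-mail address and group are Microsoft's standard ones). XML-Signature verification of the assertion is required in a real deployment and is assumed to have been done with an XML-DSig library before this function runs; it is not implemented here.

```python
"""Relying-party validation of a SAML 2.0 assertion and translation to claims.

Added example, not the paper's or the products' own code. Issuer/audience URIs,
attribute names and the sample assertion are constructed. Signature
verification is assumed to have happened before validate_and_translate() is
called; never trust an unsigned or unverified assertion.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trust configuration of the enterprise-side token service (hypothetical values).
TRUSTED_ISSUERS = {"https://siteminder.partner.example/federation"}  # partner IdP entity ID
EXPECTED_AUDIENCE = "urn:federation:sharepoint:companya"              # this relying party's ID
CLOCK_SKEW = dt.timedelta(minutes=5)                                 # tolerated clock drift

# AD FS-style claim mapping: SAML attribute name -> claim type the relying party expects.
CLAIM_MAP = {
    "mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
}
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Constructed sample assertion (no signature element; see module docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://siteminder.partner.example/federation</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:federation:sharepoint:companya</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@partner.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Partners</saml:AttributeValue>
      <saml:AttributeValue>Readers</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeId"><saml:AttributeValue>4711</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """Parse the UTC timestamp format used in SAML conditions."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_and_translate(assertion_xml, now):
    """Check issuer, validity window and audience, then map attributes to claims.

    Returns {claim_type: [values]} on success; raises ValueError on any failed
    check so the caller refuses to issue a WS-Federation token for the user.
    """
    root = ET.fromstring(assertion_xml)

    # 1. Only the configured identity provider may vouch for users.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer: %r" % issuer)

    # 2. Enforce the validity window; NotOnOrAfter is exclusive per the SAML spec.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if now + CLOCK_SKEW < _parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - CLOCK_SKEW >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")

    # 3. A token minted for another relying party must not be accepted here.
    audiences = {a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to this relying party")

    # 4. Translate subject and mapped attributes into claims; unmapped attributes
    #    are dropped rather than passed through to the relying party.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    claims = {NAMEID_CLAIM: [name_id]}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        claim_type = CLAIM_MAP.get(attr.get("Name"))
        if claim_type is None:
            continue
        claims[claim_type] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return claims


if __name__ == "__main__":
    when = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)
    for claim_type, values in validate_and_translate(SAMPLE_ASSERTION, when).items():
        print(claim_type, values)
```

The order of the checks matters less than the fact that every one of them runs before any claim is emitted: a token service that maps attributes first and validates afterwards has already leaked trust decisions into its claim pipeline. The unmapped `employeeId` attribute in the sample is deliberately discarded, which is the same allow-list behaviour an AD FS claim rule set gives you when no pass-through rule exists for an attribute.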