AroraS
Yes CA SSO can perform the same functions as "PingFederate Federation Hub" to a good degree. I love they way PING markets this as a marquee feature.
Federation hub use cases
Bridging an IdP to an SP
Bridging an IdP to multiple SPs
Bridging multiple IdPs to an SP
Bridging multiple IdPs to multiple SPs
Circling back to CA SSO. The same instance of CA SSO can act as an IdP and also as an SP using two different Partnerships.
Partnership-A : CA SSO is SP and Application-Y is IdP. Create "SP -> IdP Partnership".
Partnership-B : CA SSO is IdP and Application-X is SP. Create "IdP -> SP Partnership".
* * * Assuming both Partnership use the same Identity Store.
Here is where the magic happens, within Partnership-A, in the TARGET field, define the "IdP Initiated URL for Partnership-B" i.e. https://FQDN/affwebservices/public/saml2sso?SPID=X.
Here is how the flow would work for the use case "We need to perform SSO initiated from application Y to the application X over a web connection".
- Application-Y will send a SAML Assertion to CA SSO (acting as SP). This will invoke Partnership-A.
- CA SSO (acting as SP) will consume the SAML Assertion, authenticate the user, generate a SMSession, Persist Attributes from SAML Assertion into Session Store (using Persist Authentication Session Variables feature).
- CA SSO (acting as SP), will then issue a 302 redirect to the URL defined in TARGET within Partnership-A.
- TARGET URL is https://FQDN/affwebservices/public/saml2sso?SPID=X.
- This will trigger Partnership-B (CA SSO acting as IdP).
- Since user is already authenticated and has a SMSession, Partnership-B (assuming has the same UD / IdentityStore as Partnership-A) will read attributes from Session Store "and/or" user directory. Inject that into a SAML Assertion. Then POST to Application-X.
The only thing that I think that PINGFederate Federation hub does unique which CA SSO does not do is this statement below. |
---|
IMPORTANTPingFederate includes the Entity ID of the original identity provider (Authenticating Authority) in SAML 2.0 assertions so that the service provider can determine the original issuer of the assertions. This is especially important when bridging multiple identity providers to one service provider—the service provider should take the information about the original issuer into consideration before granting access to protected resources |
However like I mentioned, if the use case is SSO it is possible.
Regards
Hubert