Two kinds of users: employees of customer (user1) and external users (user2).
When user1 or user2 browses to the “Customer Portal” (CP), CP will redirect them to ADFS. ADFS will find out (Home Realm Discovery) whether this is an internal user (user1) or an external user (user2).
- Internal users (user1) are authenticated by ADFS using (on-premise Customer internal) Active Directory.
- External users (user2) are redirected by ADFS to CA SSO (formerly called SiteMinder). CA SSO presents a login page to user2 where he must enter his credentials, CA SSO will look up the user in the userstore (LDAP). If found and the credentials are correct, user2 is authenticated.
When CA SSO authenticates an external user (user2) it will return a valid (SAML) token to ADFS. ADFS accepts this token and in turn provides an valid (SAML) token to CP. When ADFS authenticates an internal user (user1) it will return a valid (SAML) token to CP as well.
- How can this be achieved?
- Should this be done by defining a partnership federation?
There must be a kind of trust relation created between CA SSO and ADFS.
Within CA SSO you can create the following partnership relations:
SAML2 IDP ->SP;
SAML2 SP ->IDP;
SAML1.1 Producer -> Consumer
SAML1.1 Consumer -> Producer
WSFED IP -> RP
WSFED RP -> IP
OAUTH Client -> Authz Server;
Which of the above is the correct partnership?
In case of user2 CA SSO is the identity provider (IdP), so is ADFS the service provider?
- Within SSO 12.8 we also have OpenID Connect. Can this be used for the use case above.