Here are instructions for configuring single sign-on (SSO) between Ops Manager and CA Identity and Access Management.

Creating a partnership between CA and Ops Manager involves the following steps:

  1. Installing and configuring the prerequisites. For more information, see Prerequisites.

  2. Configuring CA SSO as an identity provider (IDP). For more information, see Configure CA as the SAML identity provider for Ops Manager.

  3. Configuring the service provider (SP). For more information, see Configure Ops Manager as the SAML service provider for CA single sign-on.

Prerequisites

To configure SSO between CA and Ops Manager, you must have:

  • An installation of CA SSO v12.52 or later.

  • Configured user store and session store.

  • A signed certificate by a certificate authority (CA).

  • A protected IDP URL with CA SSO by creating:

    • Authentication scheme
    • Domain
    • Realm
    • Rules and policy

  • An Ops Manager environment at https://console.SYSTEM-DOMAIN, where SYSTEM-DOMAIN is the system domain of your Ops Manager installation.

Configuring CA as the SAML identity provider for Ops Manager

To configure CA SSO as the SAML IDP for Ops Manager:

  1. Download the SP metadata.

    1. Go to https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Ops Manager installation.
    2. Log in to CA SSO.
    3. Go to Federation.
    4. Select Partnership Federation
    5. In the Actions menu, select Export Metadata.
    6. Save the exported metadata in an XML file.

  2. Follow the procedure in Configure TAS for VMs as a Service Provider for SAML in Configuring Authentication and Enterprise SSO for TAS for VMs to set the IDP metadata on Ops Manager.

  3. Paste the contents of the XML file into the Provider metadata field.

  4. Click Save.

  5. Return to the Ops Manager Installation Dashboard.

  6. Click Review Pending Changes.

  7. Click Apply Changes.

Configuring Ops Manager as the SAML service provider for CA Single sign-on

This section explains how to configure Ops Manager as the SAML SP for CA SSO.

Configure identity provider and service provider entities

To configure IDP and SP entities in CA SSO:

  1. Go to https://login.SYSTEM-DOMAIN/, where SYSTEM-DOMAIN is the system domain of your Ops Manager installation.

  2. Log in to CA SSO.

  3. Go to Federation.

  4. Click Partnership Federation.

  5. Click Entity.

  6. Click Create Entity.

  7. To create a local entity, configure the fields with the following values:

    • Entity Location: Local
    • Entity Type: SAML2 IDP
    • Entity ID: Enter an ID for your local identity provider. For example, https://ca-technologies.xxx.com.
    • Entity Name: Create a name for your local identity provider.
    • Base URL: Enter the fully-qualified domain name for the host service CA SSO Federation Web Services.
    • Signing Private Key Alias: Select the private key alias or import a private key.
    • Signed Authentication Requests Required: Select No.
    • Supported NameID format: Enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified to select both email address and unspecified as supported NameID formats.

  8. To create a remote entity:

    1. Click Import Metadata.
    2. Download the SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Ops Manager installation.
    3. Save the SP metadata to an XML file.
    4. Browse and select the saved XML metadata you downloaded in the previous step.
    5. Provide a name for the Remote Service Provider Entity.
    6. Provide an alias for the Signing Certificate imported from the metadata.

      Ops Manager signs the outgoing SAML authentication requests.

    7. Click Save.

Configure partnership between CA SSO and Ops Manager

To configure a partnership between CA SSO and Ops Manager:

  1. Go to https://login.SYSTEM-DOMAIN/, where SYSTEM-DOMAIN is the system domain of your Ops Manager installation.

  2. Log in to CA SSO.

  3. Go to Federation.

  4. Click Partnership Federation.

  5. Click Create Partnership.

  6. To configure the partnership, configure the fields with the following values:

    • Add Partnership Name: Enter a name for your partnership.
    • (Optional) Description: Enter a relevant description for your partnership.
    • Local IPD ID: Enter the Local Service Provider ID you created in Configure Identity Provider and Service Provider Entities.
    • Remote SP ID: Enter the Remote SP ID you created in Configure Identity Provider and Service Provider Entities.
    • Base URL: This field will be pre-populated.
    • Skew Time: Enter any skew time required by your environment.
    • User Directories and Search Order: Select the required directories in the required search order.

  7. Click Next.

  8. On the Federation Users page, accept the default values.

  9. Click Next.

  10. To complete the Name ID Format section:

    1. Select Email Address from the Name ID Format dropdown.
    2. Select User Attribute from the Name ID Type dropdown.

      Ops Manager does not support processing SAML Assertion Attributes at this time. You can skip filling out the Assertion Attributes fields.

  11. Click Next.

  12. To complete the SSO and SLO section:

    1. Enter the Authentication URL that is protected by CA SSO under prerequisites.
    2. For SSO Binding, click HTTP-POST.
    3. In the Audience field, enter http://login.SYSTEM-DOMAIN, where SYSTEM-DOMAIN is the system domain of your Ops Manager installation.

      span class="note__title">ImportantThe Audience field requires http:// instead of https://. This is only a naming convention within the schema and does not determine connection security.

    4. Select Both IDP and SP Initiated from the Transactions Allowed dropdown.
    5. The Assertion Consumer Service URL field is be pre-populated using information from the SP entity.

  13. Click Next.

  14. To complete the Configure Signature and Encryption section:

    1. In the Signing Private Key Alias dropdown, verify that the correct Private Key Alias is selected.
    2. Verify that the correct Verification Certificate Alias is selected in the Verification Certificate Analysis dropdown. This alias should be the same certificate created when you imported the remote SP entity ID in Remote Service Provider Entity ID.
    3. Select Sign Both from the Post Signature Options dropdown.

      NoteOps Manager does not support encryption options at this time.

    4. Click Finish.

  15. To activate the partnership, expand the Action dropdown for your partnership and click Activate.

check-circle-line exclamation-circle-line close-line
Scroll to top icon