CA SSO SAML Configuration

This guide provides instructions to configure SAML trust between HYPR-SP and CA Single Sign-On (CA SSO). CA SSO will be configured as a federation IdP for HYPR-SP.

Prerequisites

  • Access to CA SSO administrative console.
  • Access to HYPR Control Center (Vault).
  • HYPR-SP installed and HYPR-SP service running. Ensure HYPR-SP SAML metadata is available in a web browser with the following URL:
    https://<your_server>/hyprsp/metadata
  • CA SSO local SAML2 IDP Entity configured.

Assumptions

These instructions assume you have CA SSO Policy Server and CA Secure Proxy Server (CA Access Gateway) installed and federation/SAML configured.

CA SSO Configuration

Configure HYPR-SP as Remote Entity

In a web browser open the following URL for your HYPR server and download the HYPR-SP metadata file:
https://<your_server>/hyprsp/metadata

Name the file hyprSP_metadata.xml.

Log into the CA SSO administration console and navigate to:
Federation > Entities. Click "Import Metadata".

Click "Browse" and select hyprSP_metadata.xml from the previous step.

14561456

For "Import As", select "Remote Entity".
For "Operation", select "Create New".
Click Next.

On the "Choose Entity" screen, enter an Entity Name, for example HYPR-SP.
Click Next.

22162216

On the "Import Certificates" screen, enter the certificate alias information.
Click Next.

20482048

Review the "Confirm" screen and click Finish.

14861486

The new HYPR-SP will show up in the Federation Entity List.

10541054

Update Certificate and Private Key List

Navigate to:
Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys and click Get Updates.

This will update the certificate list. Ensure that the HYPR-SP signing certificate is listed.

12891289

Create a new Federation Partnership

Navigate to:
Federation > Partnership Federation > Partnerships
Click "Create Partnership" and select "SAML2 IDP -> SP"

516516

In Step 1 (Configure Partnership), enter values as shown below.

FieldDescription
Partnership NameProvide a name for this federation partnership.
Local IDPSelect CA SSO local IDP Entity.
Remote SPSelect HYPR-SP created in the previous step.
Skew Time (Seconds)Keep default.
User Directories and Search orderSelect user directory that contains user accounts.
11901190

Click Next.

In Step 2 (Federation Users), select federated user accounts.
Click Next.

26862686

In Step 3 (Assertion Configuration), configure per your environment.
Click Next.

26902690

In Step 4 (SSO and SLO), provide values per your environment.
Click Next.

27022702

In Step 5 (Signature and Encryption), select IdP signing private key and SP signing certificate.
Click Next.

10091009

Review Step 6 (Confirm).
Click Finish.

Activate the Partnership
Activate the new federation partnership.

10461046 10501050

Export SAML IDP Metadata
From the "Federation Partnership List", select Action and select Export Metadata to download CA SSO IdP metadata file.

SCP (transfer) CA SSO IdP metadata file to HYPR server and place it in directory /opt/hypr.

10451045

HYPR Configuration

Log into the HYPR Control Center Vault admin console and navigate to samlSPConfigs settings.
Edit the following values.
Restart HYPR-SP service.

12481248

Test Device Registration

In a web browser, enter the HYPR-SP URL. It should be in the following format:
https://<hyper_server>/hyprsp

Click the link "Get Started" to start SP initiated SAML authentication flow to CA SSO.

Once CA SSO performs a successful user authentication, it will respond back with a valid SAML token. This SAML token is consumed by HYPR-SP to create a user session and display the User Device Registration Portal to the user.

Next, follow instructions for device registration.