CA SSO SAML Configuration

This guide provides instructions to configure SAML trust between HYPR-SP and CA Single Sign-On (CA SSO). CA SSO will be configured as a federation IdP for HYPR-SP.

Prerequisites

  • Access to CA SSO administrative console.
  • Access to HYPR Control Center (Vault).
  • HYPR-SP installed and HYPR-SP service running. Ensure HYPR-SP SAML metadata is available in a web browser with the following URL:
    https://<your_server>/hyprsp/metadata
  • CA SSO local SAML2 IDP Entity configured.

Assumptions

These instructions assume you have CA SSO Policy Server and CA Secure Proxy Server (CA Access Gateway) installed and federation/SAML configured.

CA SSO Configuration

Configure HYPR-SP as Remote Entity

In a web browser open the following URL for your HYPR server and download the HYPR-SP metadata file:
https://<your_server>/hyprsp/metadata

Name the file hyprSP_metadata.xml.

Log into the CA SSO administration console and navigate to:
Federation > Entities. Click "Import Metadata".

Click "Browse" and select hyprSP_metadata.xml from the previous step.

For "Import As", select "Remote Entity".
For "Operation", select "Create New".
Click Next.

On the "Choose Entity" screen, enter an Entity Name, for example HYPR-SP.
Click Next.

On the "Import Certificates" screen, enter the certificate alias information.
Click Next.

Review the "Confirm" screen and click Finish.

The new HYPR-SP will show up in the Federation Entity List.

Update Certificate and Private Key List

Navigate to:
Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys and click Get Updates.

This will update the certificate list. Ensure that the HYPR-SP signing certificate is listed.

Create a new Federation Partnership

Navigate to:
Federation > Partnership Federation > Partnerships
Click "Create Partnership" and select "SAML2 IDP -> SP"

In Step 1 (Configure Partnership), enter values as shown below.

Field

Description

Partnership Name

Provide a name for this federation partnership.

Local IDP

Select CA SSO local IDP Entity.

Remote SP

Select HYPR-SP created in the previous step.

Skew Time (Seconds)

Keep default.

User Directories and Search order

Select user directory that contains user accounts.

Click Next.

In Step 2 (Federation Users), select federated user accounts.
Click Next.

In Step 3 (Assertion Configuration), configure per your environment.
Click Next.

In Step 4 (SSO and SLO), provide values per your environment.
Click Next.

In Step 5 (Signature and Encryption), select IdP signing private key and SP signing certificate.
Click Next.

Review Step 6 (Confirm).
Click Finish.

Activate the Partnership
Activate the new federation partnership.

Export SAML IDP Metadata
From the "Federation Partnership List", select Action and select Export Metadata to download CA SSO IdP metadata file.

SCP (transfer) CA SSO IdP metadata file to HYPR server and place it in directory /opt/hypr.

HYPR Configuration

Log into the HYPR Control Center Vault admin console and navigate to samlSPConfigs settings.
Edit the following values.
Restart HYPR-SP service.

Test Device Registration

In a web browser, enter the HYPR-SP URL. It should be in the following format:
https://<hyper_server>/hyprsp

Click the link "Get Started" to start SP initiated SAML authentication flow to CA SSO.

Once CA SSO performs a successful user authentication, it will respond back with a valid SAML token. This SAML token is consumed by HYPR-SP to create a user session and display the User Device Registration Portal to the user.

Next, follow instructions for device registration.