CA Agile Central customers with a SAML 2.0-compliant Identity Provider (IdP) can configure their CA Agile Central subscription so that users log in to CA Agile Central through Single Sign-On (SSO). The key to secure Internet SSO is the web browser. The browser interacts with the customer's SAML 2.0-compliant Identity Provider, which validates the user credentials and creates the SAML assertion; the browser then delivers that assertion to CA Agile Central.
This service is only available for customers with active product subscriptions. Free, Sandbox, and Trial subscriptions are not eligible for this service. SSO for CA Agile Central On-Premises subscriptions is available as an LDAP (not SSO) solution. Contact CA Agile Central Support for details.
The name portion of the CA Agile Central login ID (<username>@<domain>) must be identical to the login ID that the Identity Management System uses. If these login IDs are different, SSO will not work for that user, and you will need to update the CA Agile Central login IDs to match.
- If you have Identity Management usernames in the format of “peter,” many IdP systems will allow concatenation of the @company.com portion. This enables the IdP usernames to match the “peter@company.com” format.
Your identity provider must synchronize its clock to a reliable time source; otherwise the tokens it generates will be invalid and SSO will fail.
In order to set up SSO, your company must have a SAML 2.0-compliant Identity Management System (such as CA SiteMinder, Ping Connect, Oracle Access Manager (COREid), or Tivoli Access Manager), and a technical person (often an IT administrator) who runs it. Your Identity Management System administrator must be able to log in and configure your Identity Management system. For testing purposes, you will likely want to provide this individual with temporary access to CA Agile Central. If you don't have an Identity Management System set up, consider CA SiteMinder. Additionally, Ping Identity or Symplified are both CA Agile Central partners with expertise in implementing SSO.
You must work with CA Agile Central technical support to enable SSO for your subscription.
Follow these steps:
- Contact Support to open a new case. CA Agile Central Support will work with your Identity Management System administrator.
- CA Agile Central Support sends the CA Agile Central Service Provider metadata.xml file to you. This includes information such as our SSO server, which protocols we support, and our public signing key. The metadata.xml format is part of the SAML 2.0 standard.
- Configure an Identity Provider (IdP) to CA Agile Central Service Provider connection within your software using the CA Agile Central metadata.xml file as an input value.
- Ensure that your Identity Provider (IdP) is set to allow SP-initiated SSO sessions.
- Export the IdP metadata.xml file with your public key certificate embedded. This file will include your own information such as your SSO server, protocols supported, and your public key.
- Your SAML_SUBJECT must be in the form of your CA Agile Central ID, for example <customername>@<domain>. CA Agile Central cannot modify this for you. For testing purposes, you may have your CA Agile Central subscription administrator add your IT administrator to your CA Agile Central subscription.
- If the mapping cannot be met, CA Agile Central user IDs must be changed to match the format presented by the SAML_SUBJECT before this will work.
- Securely transfer this file to CA Agile Central Support using the Support link inside the CA Agile Central product. This can also take place over email if both sides support SSL.
- CA Agile Central Support delivers this file to CA Agile Central Operations. CA Agile Central Operations will set up our SSO software for this particular connection. We will also ensure that the correct subscription ID is mapped to the connection and that SSO is enabled for that subscription.
- Verify that you can log in through your IdP endpoint.
- Provide your users with the redirect URL you get from CA Agile Central Support to log in to CA Agile Central through SSO.
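Two of the requirements above decide whether an SSO login succeeds once the trust is configured: the IdP clock must be accurate enough that the assertion's validity window contains the moment the service provider receives it, and the SAML_SUBJECT must match the CA Agile Central login ID. The following is an added example, not code from CA Agile Central or from the page, showing how a relying party evaluates both on a constructed assertion. The issuer, audience, subject and timestamps are made up; the 60-second skew tolerance, the `company.com` domain used for the username concatenation, and all function names are assumptions of this example.

```python
"""Relying-party checks on an inbound SAML 2.0 assertion: validity window with
clock skew (why the IdP clock matters) and NameID-to-login-ID matching."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the issuer, audience and subject are made up
# and do not belong to CA Agile Central or any real IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>peter</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:30Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'; fromisoformat()
    on older Pythons rejects 'Z', so rewrite it to an explicit offset."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def parse_assertion(xml_text):
    """Pull out the subject, the validity window and the audiences."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", SAML_NS)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if conditions is None or name_id is None or not name_id.text:
        raise ValueError("assertion lacks Conditions or Subject/NameID")
    return {
        "subject": name_id.text.strip(),
        "not_before": parse_saml_time(conditions.get("NotBefore")),
        "not_on_or_after": parse_saml_time(conditions.get("NotOnOrAfter")),
        "audiences": [a.text.strip() for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)],
    }


def within_validity_window(not_before, not_on_or_after, now, skew_seconds=60):
    """NotBefore is inclusive and NotOnOrAfter exclusive; the skew is the only
    tolerance for an IdP clock that drifts from the service provider's."""
    skew = timedelta(seconds=skew_seconds)
    return (not_before - skew) <= now < (not_on_or_after + skew)


def normalize_subject(subject, default_domain):
    """'peter' -> 'peter@company.com': the concatenation an IdP can apply so a
    bare username matches the CA Agile Central login ID format."""
    return subject if "@" in subject else f"{subject}@{default_domain}"


def evaluate_assertion(xml_text, now_iso, expected_login_id, expected_audience,
                       default_domain, skew_seconds=60):
    """Return each check separately so a failed login can be attributed to clock
    drift, a subject mismatch or a wrong audience instead of a generic error."""
    assertion = parse_assertion(xml_text)
    now = parse_saml_time(now_iso)
    subject = normalize_subject(assertion["subject"], default_domain)
    return {
        "subject": subject,
        "time_ok": within_validity_window(
            assertion["not_before"], assertion["not_on_or_after"], now, skew_seconds),
        "subject_ok": subject.casefold() == expected_login_id.casefold(),
        "audience_ok": expected_audience in assertion["audiences"],
    }


if __name__ == "__main__":
    print(evaluate_assertion(SAMPLE_ASSERTION, "2024-05-01T12:01:00Z",
                             "peter@company.com", "https://sp.example.com/saml",
                             "company.com"))
```

Run with a receive time a few minutes after `NotOnOrAfter` and `time_ok` turns false, which is exactly what an IdP whose clock runs slow produces on every login; a subject in a different domain fails `subject_ok`, the symptom of the login-ID mismatch described above.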
Set up Active Directory Federation Services SSO
Follow these steps:
- Open your Active Directory Federation Services 2.0 management application.
- Expand Trust Relationships in the left menu, and select Relying Party Trusts.
- From the Actions menu, select Add Relying Party Trust.
- Select Start to begin the Wizard.
- Select the Import data about the relying party from a file option.
- Locate the CA Agile Central metadata.xml file on your system and select Open, then select Next on the Wizard screen.
- Enter your Display name and select Next.
- Select your organization's Authorization rules. Typically, most environments will use the Permit all users option.
- Select Next, then select Close.
- Ensure the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option is selected, then select Close.
- In the Edit Claim Rules window, select Add Rule.
- Select a Claim rule template and select Next.
- Add a Claim rule name, select the desired , and modify the attributes.
- Select Finish.
- Select Close.
Securely Transfer Your Metadata.xml File to CA Agile Central Support
Using the support case you opened with CA Agile Central, send your metadata.xml file to them so they can finish the process. Once this is completed, CA Agile Central Support will confirm your SSO URL and ensure that you are able to log in properly. The provided SSO metadata for Agile Central contains an encryption certificate and a signing certificate.
Follow these steps:
- Export your metadata.xml file from your browser and attach it to your support case so that CA Agile Central's Operations team can finalize the SSO setup. You can download the ADFS metadata from https://<server>/FederationMetadata/2007-06/FederationMetadata.xml, where <server> is your server name or IP address.
- Verify that you are not sending encrypted SAML assertions. If you are, remove or disable the encryption certificate from the ADFS server.
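Before sending either metadata file, it is worth reading what it actually advertises: which certificates are published for signing and which for encryption, and where the endpoints point. The following is an added example, not code from CA Agile Central, ADFS or the page; it inspects a constructed SAML 2.0 metadata document and reports on those points. The entity ID, URLs and certificate text are placeholders, and the observation that an IdP importing an SP encryption certificate will typically begin encrypting assertions to it is this example's explanation of why the check above exists, not a statement from the page.

```python
"""Inspect SAML 2.0 metadata (IdP or SP role) for published key uses, endpoints
and the settings that matter when setting up a relying party trust."""
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata with one signing and one encryption certificate, as the
# page describes. Entity ID, URLs and certificate contents are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

ROLE_TAGS = ("IDPSSODescriptor", "SPSSODescriptor")
ENDPOINT_TAGS = ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService")


def inspect_metadata(xml_text):
    """Summarize each role: key uses, signing expectation and endpoints."""
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "roles": {}}
    for role_tag in ROLE_TAGS:
        role = root.find(f"md:{role_tag}", MD_NS)
        if role is None:
            continue
        key_uses = []
        for key in role.findall("md:KeyDescriptor", MD_NS):
            use = key.get("use")
            # A KeyDescriptor without 'use' is valid for both signing and encryption.
            key_uses.extend([use] if use else ["signing", "encryption"])
        endpoints = []
        for tag in ENDPOINT_TAGS:
            for ep in role.findall(f"md:{tag}", MD_NS):
                binding = ep.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
                endpoints.append((tag, binding, ep.get("Location")))
        report["roles"][role_tag] = {
            "key_uses": sorted(set(key_uses)),
            "wants_assertions_signed": role.get("WantAssertionsSigned") == "true",
            "endpoints": endpoints,
        }
    return report


def publishes_encryption_key(report, role_tag="SPSSODescriptor"):
    """True when the role advertises an encryption certificate. An IdP such as
    ADFS that imports SP metadata with one will typically encrypt assertions to it."""
    return "encryption" in report["roles"].get(role_tag, {}).get("key_uses", [])


def findings(report):
    """Plain-language observations for whoever is configuring the trust."""
    notes = []
    for role_tag, role in report["roles"].items():
        if "signing" not in role["key_uses"]:
            notes.append(f"{role_tag}: no signing key published; signatures cannot be verified")
        if role_tag == "SPSSODescriptor" and "encryption" in role["key_uses"]:
            notes.append("SPSSODescriptor: encryption key published; confirm the IdP is not "
                         "sending encrypted assertions if the SP does not expect them")
        for tag, _binding, location in role["endpoints"]:
            if location and not location.lower().startswith("https://"):
                notes.append(f"{role_tag}/{tag}: {location} is not HTTPS")
    return notes


if __name__ == "__main__":
    summary = inspect_metadata(SAMPLE_SP_METADATA)
    print(summary)
    for note in findings(summary):
        print("-", note)
```

Point `inspect_metadata` at the SP metadata you received and at your own exported ADFS FederationMetadata.xml; the `findings` list tells you whether an encryption key is in play and whether every endpoint is served over HTTPS, which is what to confirm before the file is handed to support.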
Frequently Asked Questions