CA Agile Central On-Demand customers with a SAML 2.0-compliant Identity Provider (IdP) can configure their CA Agile Central
to log in to CA Agile Central through Single Sign-On (SSO). The key to secure Internet SSO is the web browser. The browser interacts with the
's SAML 2.0-compliant Identity Provider, validates the user credentials, creates the SAML assertion, and sends the assertion to CA Agile Central.
How It Works
- First, access CA Agile Central using the URL that your Identity Provider created during the setup process, and log in to your Identity Management System.
- Your browser is provided with a SAML token.
- The SAML token is sent to CA Agile Central's Ping Federate Server.
- If you are a valid CA Agile Central user for the selected subscription, an authenticated token is sent back to your web browser.
- The browser sends the authenticated token to CA Agile Central where it is accepted and you are allowed into the corresponding subscription.
In order to set up SSO, your company must have a SAML 2.0-compliant Identity Management System (such as CA SiteMinder, Ping Connect, Oracle Access Manager (COREid), or Tivoli Access Manager), and a technical person (often an IT administrator) who runs it. Your Identity Management System administrator must be able to log in and configure your Identity Management system. For testing purposes, you will likely want to provide this individual with temporary access to CA Agile Central.
If you don't have an Identity Management System set up, consider CA SiteMinder. Additionally, Ping Identity or Symplified are both CA Agile Central partners with expertise in implementing SSO.
- Contact Support to open a new case. CA Agile Central Support will work with your Identity Management System administrator.
- CA Agile Central Support sends the CA Agile Central Service Provider metadata.xml file to you. This includes information such as our SSO server, which protocols we support and our public signing key. This metadata.xml is part of the SAML 2.0 standard.
- Configure an Identity Provider (IdP) to CA Agile Central Service Provider connection within your software using the CA Agile Central metadata.xml file as an input value.
- Ensure that your Identity Provider (IdP) is set to allow SP-initiated SSO sessions.
- Export the IdP metadata.xml file with your public key certificate embedded. This file will include your own information such as your SSO server, protocols supported, and your public key.
- Your SAML_SUBJECT must be in the form of your CA Agile Central ID, for example <customername>@<domain>. CA Agile Central cannot modify this for you. For testing purposes, you may have your CA Agile Central subscription administrator add your IT administrator to your CA Agile Central subscription.
- If the mapping cannot be met, CA Agile Central user IDs must be changed to match the format presented by the SAML_SUBJECT before this will work.
- Securely transfer this file to CA Agile Central Support from the Support link from inside the CA Agile Central product. This can also take place over email if both sides support SSL.
- CA Agile Central Support delivers this file to CA Agile Central Operations. CA Agile Central Operations will set up our SSO software for this particular connection. We will also ensure that the correct subscription ID is mapped to the connection and that SSO is enabled for that subscription.
- Verify that you can log in through your IdP endpoint.
- Provide your users with the re-direct URL for your users to log in to CA Agile Central through SSO.
Set up Active Directory Federation Services (ADFS) SSO
- Open your AD FS 2.0 management application.
- Expand Trust Relationships in the left menu, and select Relying Party Trusts.
- From the Actions menu, select Add Relying Party Trust.
- Select Start to begin the Wizard.
- Select the Import data about the relying party from a file option.
- Locate the CA Agile Central metadata.xml file on your system and select Open, then select Next on the Wizard screen.
- Enter your Display name and select Next.
- Select your organization's Authorization rules. Typically, most environments will use the Permit all users option.
- Select Next, then select Close.
- Ensure the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
is selected, then select Close.
- In the Edit Claim Rules window, select Add Rule.
- Select a Claim rule template and select Next.
- Add a Claim rule name, select the
desired, and modify the attributes.
*In this example, the Active Directory attribute and map LDAP properties for the outgoing claim. The LDAP attribute is email address. The outgoing claim type is set to Name ID (Depending on your company's IdP configuration, you may need to select another option besides Name ID).
- Select Finish.
- Select Close.
- You can now export your metadata.xml file from your browser to provide to CA Agile Central Support through your case regarding setup of the SSO instance, so that CA Agile Central's Operations team can implement this to finalize the setup. You can save the ADFS metadata with the URL https://<server>/FederationMetadata/2007-06/FederationMetadata.xml, where <server> is your server name or IP address. Once this is completed, CA Agile Central Support will confirm your SSO URL and ensure that you are able to login properly.
Frequently Asked Questions
- Who holds the public key certificates (is there a third-party clearing house like Ping Identity) or is CA Agile Central providing the certificate server?
For on-demand users, CA Agile Central has a Ping Federate server installed, which holds a copy of the public key for your Identity Management System. This allows us to validate tokens without storing any private certificates. If you have more than one subscription ID, you will need to create a different Service Provider connection for each CA Agile Central subscription ID you would like to authenticate with SSO.
- Can we provide our own certificate servers?
Yes, you can use any SAML-2.0 compliant Identity Management System behind your firewall to communicate with our Ping Federate server. You need to provide this certificate in the format requested above.
- This is for
. Are you doing authorization, too, or do you plan
No, we have no plans to do authorization.
- What are some of the challenges we need to be aware of?
SSO requires some configuration time on both sides. The Identity Management System is typically managed by your IT Department, a group that CA Agile Central does not always work with. It may take some time to identify the contact in your IT group who can create the new Service Provider connection and public key XML metadata file that CA Agile Central will need to enable SSO. Please be sure to identify this individual before setting up any calls with CA Agile Central Support.
- Is there a best practice for adoption, for example start with a small group and scale, or just turn it on and go?
For existing customers, there is a hybrid mode that allows both SSO and CA Agile Central authentication. We recommend using this mode while setting it up, and only switching to SSO-only authentication after all users have been able to log in using SSO. Remember, if you do switch to SSO-only authentication, users will only be able to log in to CA Agile Central from behind your corporate firewall. If you want users to be able to log in to CA Agile Central when at home (or from any web location that is not behind your firewall), you should set up your CA Agile Central connection for hybrid mode.
- What happens if a user forgets their password?
The answer depends on what kind of SSO the subscription has been configured for:
- Subscriptions using SSO only mode will have to reset with their internal IT team, since CA Agile Central doesn't have access to that password repository.
- Subscriptions using SSO hybrid mode can either reset their CA Agile Central password, (SSO token still won't work) or reset their SSO password internally (CA Agile Central password still won't work).
- Today users get password expiration notification emails warning that their password will expire soon. Will those be eliminated when we switch to SSO only with exceptions mode?
Yes, these will be eliminated for anyone not on the exception list.
- After switching to SSO only with exceptions mode, can an SSO-only user get to the password change in the profile page, or will that section no longer be displayed?
This will no longer display on the profile page.
- What would happen if an SSO-only user goes to the CA Agile Central login page and selects Forgot my password?
The CA Agile Central system will send them a link with the SSO information for your subscription.
- Can we use integrations and apps?
Currently, integrations do not support SAML-based authentication. It is possible to write an integration that can acquire a SAML token from an Identity Provider, but no one has done this yet. Customers who are using integrations or the Web Services API will most likely want to use SSO with exceptions mode or an API key. Use of the Web Services API through custom CA Agile Central applications in the browser is supported, since they can get a cookie as part of the login process.
- How long does it take to get it working?
Once you identify the proper contact in your IT Department, it takes a few days to get SSO running.
- Is CA Agile Central's SSO available for all CA Agile Central editions and is there an extra cost?
SSO is included with Unlimited Edition subscriptions at no extra cost. If you are using Enterprise Edition, contact your CA Agile Central account manager to discuss upgrading to Unlimited Edition.
- Can we test this on Sandbox?
SSO is not available on sandbox.rallydev.com. It can safely be tested in hybrid mode on production without interfering with other users in your subscription.
- If I disable a user's SSO account, are they immediately logged out of CA Agile Central?
No. If they were logged into CA Agile Central when their SSO account was disabled, they will still be able to access CA Agile Central until they log out or until their session times out and they are forced to re-authenticate.
- How do I export a metadata file from ADFS?
In general, the ADFS metadata is here: https://<server>/FederationMetadata/2007-06/FederationMetadata.xml, where <server> is your server name or IP address. You can save the file.
- If I don't use an identity provider (IdP), can I still enable SSO?
Maybe. Please reach out to your account representative and ask to engage our Technical Services team to begin the discovery process.
- What does an example metadata file look like?
<md:EntityDescriptor entityID="sso.rallydev.com" cacheDuration="PT1440M" ID="OIvWOHILu615UWA1jGGTkq6SvQa" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:AssertionConsumerService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rallydev.com/sp/ACS.saml2" index="0"/>
<md:Company>CA Agile Central Software Development Corp.</md:Company>