Set Up Single Sign-On (SSO)

CA Agile Central customers with a SAML 2.0-compliant Identity Provider (IdP) can configure their CA Agile Central subscription so that users log in to CA Agile Central through Single Sign-On (SSO). The key to secure Internet SSO is the web browser. The browser interacts with the user's SAML 2.0-compliant Identity Provider, which validates the user credentials, creates the SAML assertion, and sends the assertion to CA Agile Central.

This service is only available for customers with active product subscriptions. Free, Sandbox, and Trial subscriptions are not eligible for this service. SSO for CA Agile Central On-Premises subscriptions is available as an LDAP (not SSO) solution. Contact CA Agile Central Support for details.

Note: Neither the CA Agile Central work item connectors nor the CA Agile Central SCM connectors support this feature; however, these connectors could be used in SSO Exception Mode (see the SSO with exceptions section on the Use Advanced Security and Administration page).


  • The name portion of the CA Agile Central login ID ([email protected]) must be identical to the login ID that the Identity Management System uses. If these login IDs are different, SSO will not work for that user, and you will need to update the CA Agile Central login IDs to match.

    • If you have Identity Management usernames in the format of “peter,” many IdP systems will allow concatenation of the portion. This enables the IdP usernames to match the “[email protected]” format.
  • Your identity provider must synchronize its clock to a reliable time source; otherwise the tokens it generates will be invalid and SSO will fail.

  • In order to set up SSO, your company must have a SAML 2.0-compliant Identity Management System (such as CA SiteMinder, Ping Connect, Oracle Access Manager (COREid), or Tivoli Access Manager), and a technical person (often an IT administrator) who runs it. Your Identity Management System administrator must be able to log in and configure your Identity Management system. For testing purposes, you will likely want to provide this individual with temporary access to CA Agile Central. If you don't have an Identity Management System set up, consider CA SiteMinder. Additionally, Ping Identity or Symplified are both CA Agile Central partners with expertise in implementing SSO.
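
A pre-flight check for the login ID and clock prerequisites above, run against a sample assertion from your IdP. This is an added example, not CA Agile Central or IdP vendor code; the function names, the constructed assertion, the login ID peter@example.com and the skew tolerance are assumptions, and the time check is the generic SAML 2.0 Conditions rule rather than a documented CA Agile Central setting.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def preflight(assertion_xml, login_ids, now, skew=timedelta(0)):
    """Return the reasons a service provider would reject this assertion."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id not in login_ids:
        folded = {i.lower() for i in login_ids}
        hint = " (differs only by case)" if name_id.lower() in folded else ""
        problems.append(f"NameID {name_id!r} matches no login ID{hint}")
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_ts(nb):
            problems.append("not yet valid: IdP clock is ahead of the SP clock")
        if noa and now - skew >= parse_ts(noa):
            problems.append("expired: IdP clock is behind, or delivery was slow")
    return problems

def sample_assertion(name_id, idp_now, lifetime=timedelta(minutes=5)):
    # Constructed, unsigned assertion fragment for illustration only.
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{idp_now.strftime(fmt)}" '
        f'NotOnOrAfter="{(idp_now + lifetime).strftime(fmt)}"/>'
        '</saml:Assertion>')

if __name__ == "__main__":
    true_now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    ids = {"peter@example.com"}                 # constructed login ID
    fast_idp = true_now + timedelta(minutes=8)  # IdP clock running 8 minutes fast
    xml = sample_assertion("peter", fast_idp)   # bare username, no domain part
    for reason in preflight(xml, ids, true_now, skew=timedelta(minutes=1)):
        print(reason)
```

Run it with the NameID and timestamps copied from a test assertion and the login IDs exported from your subscription; an empty result means neither prerequisite is the cause of a failed login.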


You must work with CA Agile Central technical support to enable SSO for your subscription.

Follow these steps:
  1. Contact Support to open a new case. CA Agile Central Support will work with your Identity Management System administrator.
  2. CA Agile Central Support sends the CA Agile Central Service Provider metadata.xml file to you. This includes information such as our SSO server, which protocols we support and our public signing key. This metadata.xml is part of the SAML 2.0 standard.
  3. Configure an Identity Provider (IdP) to CA Agile Central Service Provider connection within your software using the CA Agile Central metadata.xml file as an input value.
  4. Ensure that your Identity Provider (IdP) is set to allow SP-initiated SSO sessions.
  5. Export the IdP metadata.xml file with your public key certificate embedded. This file will include your own information such as your SSO server, protocols supported, and your public key.
    • Your SAML_SUBJECT must be in the form of your CA Agile Central ID, for example <customername>@<domain>. CA Agile Central cannot modify this for you. For testing purposes, you may have your CA Agile Central subscription administrator add your IT administrator to your CA Agile Central subscription.
    • If the mapping cannot be met, CA Agile Central user IDs must be changed to match the format presented by the SAML_SUBJECT before this will work.
  6. Securely transfer this file to CA Agile Central Support using the Support link inside the CA Agile Central product. This can also take place over email if both sides support SSL.
  7. CA Agile Central Support delivers this file to CA Agile Central Operations. CA Agile Central Operations will set up our SSO software for this particular connection. We will also ensure that the correct subscription ID is mapped to the connection and that SSO is enabled for that subscription.
  8. Verify that you can log in through your IdP endpoint.
  9. Provide your users with the redirect URL you get from CA Agile Central Support to log in to CA Agile Central through SSO.

Set up Active Directory Federation Services SSO

Follow these steps:
  1. Open your Active Directory Federation Services 2.0 management application.
  2. Expand Trust Relationships in the left menu, and select Relying Party Trusts.
  3. From the Actions menu, select Add Relying Party Trust.
  4. Select Start to begin the Wizard.
  5. Select the Import data about the relying party from a file option.
  6. Locate the CA Agile Central metadata.xml file on your system and select Open, then select Next on the Wizard screen.
  7. Enter your Display name and select Next.
  8. Select your organization's Authorization rules. Typically, most environments will use the Permit all users option.
  9. Select Next, then select Close.
  10. Ensure the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes field is selected, then select Close.
  11. In the Edit Claim Rules window, select Add Rule.
  12. Select a Claim rule template and select Next.
  13. Add a Claim rule name, select the attribute desired, and modify the attributes.
  14. Select Finish.
  15. Select Close.

Securely Transfer Your Metadata.xml File to CA Agile Central Support

Using the support case you opened with CA Agile Central, send your metadata.xml file to them so they can finish the process. Once this is completed, CA Agile Central Support will confirm your SSO URL and ensure that you are able to log in properly. The provided SSO metadata for Agile Central contains an encryption certificate and a signing certificate.

Follow these steps:
  1. Export your metadata.xml file from your browser and provide it to CA Agile Central Support through your SSO setup case, so that CA Agile Central's Operations team can finalize the setup. You can save the ADFS metadata from the URL https://<server>/FederationMetadata/2007-06/FederationMetadata.xml, where <server> is your server name or IP address.

  2. Verify that you are not sending encrypted SAML assertions. If you are sending encrypted SAML assertions, remove or disable the encryption certificate from the ADFS server.
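
Before a metadata.xml file changes hands, it helps to summarize what it declares: endpoints, which keys are marked for signing or encryption, and a SHA-256 fingerprint of each certificate that both sides can compare over the support case. The following is an added example, not CA Agile Central or ADFS code; the function names, the sp.example.test URLs and the placeholder certificate bytes are constructed assumptions.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENDPOINTS = {"IDPSSODescriptor": "SingleSignOnService", "SPSSODescriptor": "AssertionConsumerService"}

def summarize_metadata(xml_text):
    """Summarize endpoints and key fingerprints declared in a metadata.xml."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    report = {"entity_id": root.get("entityID"), "endpoints": [], "keys": [], "warnings": []}
    for role, endpoint in ENDPOINTS.items():
        for desc in root.findall("md:" + role, NS):
            for ep in desc.findall("md:" + endpoint, NS):
                loc = ep.get("Location", "")
                report["endpoints"].append((role, ep.get("Binding"), loc))
                if not loc.lower().startswith("https://"):
                    report["warnings"].append("endpoint is not HTTPS: " + loc)
            for kd in desc.findall("md:KeyDescriptor", NS):
                # A KeyDescriptor without "use" applies to signing and encryption.
                use = kd.get("use", "signing+encryption")
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    der = base64.b64decode("".join((cert.text or "").split()))
                    report["keys"].append((role, use, hashlib.sha256(der).hexdigest()))
                if "encryption" in use:
                    report["warnings"].append(role + " publishes an encryption key")
    if not any("signing" in use for _, use, _ in report["keys"]):
        report["warnings"].append("no signing certificate found")
    return report

def key_descriptor(use, der):  # der: constructed placeholder bytes, not a real certificate
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

SAMPLE_SP = (  # constructed SP metadata: one signing key, one encryption key
    '<md:EntityDescriptor entityID="https://sp.example.test/saml"'
    f' xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + key_descriptor("signing", b"constructed-signing-cert")
    + key_descriptor("encryption", b"constructed-encryption-cert")
    + '<md:AssertionConsumerService index="0" Location="https://sp.example.test/acs"'
    ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>')
```

The encryption-key warning marks the entries to review for step 2; the fingerprints let both sides confirm they hold the same certificate when the file travels by email.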

Frequently Asked Questions

  • Will users be logged out automatically?
    Disabling a user in your IdP system will not immediately end their session in CA Agile Central. A logged-in user will continue to have access until they log out of CA Agile Central, their session times out, or a subscription administrator disables the account in CA Agile Central.

  • Who holds the public key certificates? Is there a third-party clearing house like Ping Identity, or is CA Agile Central providing the certificate server?
    For on-demand users, CA Agile Central has a PingFederate server installed, which holds a copy of the public key for your Identity Management System. This allows us to validate tokens without storing any private certificates. If you have more than one subscription ID, you will need to create a different Service Provider connection for each CA Agile Central subscription ID you would like to authenticate with SSO.

  • Can we provide our own certificate servers?
    Yes, you can use any SAML-2.0 compliant Identity Management System behind your firewall to communicate with our PingFederate server. You need to provide this certificate in the format requested above.

  • This is for authentication. Are you doing authorization, too, or do you plan to do so?
    No, we have no plans to do authorization.

  • What are some of the challenges we need to be aware of?
    SSO requires some configuration time on both sides. The Identity Management System is typically managed by your IT Department, a group that CA Agile Central does not always work with. It may take some time to identify the contact in your IT group who can create the new Service Provider connection and public key XML metadata file that CA Agile Central will need to enable SSO. Please be sure to identify this individual before setting up any calls with CA Agile Central Support.

  • Is there a best practice for adoption, for example start with a small group and scale, or just turn it on and go?
    For existing customers, there is a hybrid mode that allows both SSO and CA Agile Central authentication. We recommend using this mode while setting it up, and only switching to SSO-only authentication after all users have been able to log in using SSO. Remember, if you do switch to SSO-only authentication, users will only be able to log in to CA Agile Central from behind your corporate firewall. If you want users to be able to log in to CA Agile Central when at home (or from any web location that is not behind your firewall), you should set up your CA Agile Central connection for hybrid mode.

  • What happens if a user forgets their password?
    The answer depends on what kind of SSO the subscription has been configured for:
    • Subscriptions using SSO only mode will have to reset with their internal IT team, since CA Agile Central doesn't have access to that password repository.
    • Subscriptions using SSO hybrid mode can either reset their CA Agile Central password (SSO token still won't work) or reset their SSO password internally (CA Agile Central password still won't work).

    • Today users get password expiration notification emails warning that their password will expire soon. Will those be eliminated when we switch to SSO only with exceptions mode?
      Yes, these will be eliminated for anyone not on the exception list.

    • After switching to SSO only with exceptions mode, can an SSO-only user get to the password change in the profile page, or will that section no longer be displayed?
      This will no longer display on the profile page.

    • What would happen if an SSO-only user goes to the CA Agile Central login page and selects Forgot my password?
      The CA Agile Central system will send them a link with the SSO information for your subscription.
  • Can we use integrations and apps?
    Currently, integrations do not support SAML-based authentication. It is possible to write an integration that can acquire a SAML token from an Identity Provider, but no one has done this yet. Customers who are using integrations or the Web Services API will most likely want to use SSO with exceptions mode or an API key. Use of the Web Services API through custom CA Agile Central applications in the browser is supported, since they can get a cookie as part of the login process.

  • How long does it take to get it working?
    Once you identify the proper contact in your IT Department, it takes a few days to get SSO running.

  • Is CA Agile Central's SSO available for all CA Agile Central editions and is there an extra cost?
    SSO is included with Unlimited Edition subscriptions at no extra cost.

  • Can we test this on Sandbox?
    SSO is not available on Sandbox. It can safely be tested in hybrid mode on production without interfering with other users in your subscription.

  • If I disable a user's SSO account, are they immediately logged out of CA Agile Central?
    No. If they were logged into CA Agile Central when their SSO account was disabled, they will still be able to access CA Agile Central until they log out or until their session times out and they are forced to re-authenticate.

  • How do I export a metadata file from ADFS?
    In general, the ADFS metadata is here: https://<server>/FederationMetadata/2007-06/FederationMetadata.xml, where <server> is your server name or IP address. You can save the file.

  • What does an example metadata file look like?
    <md:EntityDescriptor entityID="" cacheDuration="PT1440M" ID="OIvWOHILu615UWA1jGGTkq6SvQa" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <ds:Signature xmlns:ds="">
        <ds:CanonicalizationMethod Algorithm=""/>
        <ds:SignatureMethod Algorithm=""/>
        <ds:Reference URI="#OIvWOHILu615UWA1jGGTkq6SvQa">
          <ds:Transform Algorithm=""/>
          <ds:Transform Algorithm=""/>
          <ds:DigestMethod Algorithm=""/>
        </ds:Reference>
      </ds:Signature>
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:AssertionConsumerService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="0"/>
      </md:SPSSODescriptor>
      <md:ContactPerson contactType="administrative">
        <md:Company>CA Agile Central Software Development Corp.</md:Company>
        <md:EmailAddress>[email protected]</md:EmailAddress>
      </md:ContactPerson>
    </md:EntityDescriptor>

