Integrate CSA with a Single Sign-On Solution

While CSA provides a Single Sign-On solution using CA SiteMinder, there are a variety of scenarios where you may need to perform the integration with CSA using another Single Sign-On solution. For example, you may be using:

  • An implementation where you need to authenticate with a Single Sign-On vendor other than CA SiteMinder.

  • A different deployment architecture than what is provided by CSA.

  • A different version of CA SiteMinder than what is supported by CSA.

  • An entirely different architecture than that which is supported.

In such cases it makes sense to create a custom Single Sign-On solution so that you can extend the provided implementation to your own.

For the Cloud Service Management Console and for the Marketplace Portal, Single Sign-On cannot be enabled at the same time as CAC.

Verify the CSA Provider Organization's LDAP Server Configuration

You should verify that an LDAP user can log into the Cloud Service Management Console and the Marketplace Portal, which should already be configured. By performing this verification, you can be confident that any login issues that occur after integration have nothing to do with this particular configuration.

If there are any login issues, then update or configure the LDAP server for both the provider organization and the consumer organization from the Cloud Service Management Console, which is the interface from which you perform all administration tasks for both the Cloud Service Management Console and the Marketplace Portal.

Note: You must configure the CSA Provider organization to use the same LDAP server used by the custom SSO Server. If you do not configure this access point, no one will be able to access the Cloud Service Management Console.

To configure or update the provider organization's LDAP server:

  1. Launch the Cloud Service Management Console by typing the following URL in a supported web browser: https://<csahostname>:8444/csa where <csahostname> is the fully‑qualified domain name of the system on which the Cloud Service Management Console resides.

    Launch the Cloud Service Management Console using an IPv6 address by typing the following URL in a supported web browser: https://<ipv6_address>:8444/csa/login

  2. Log in to the Cloud Service Management Console as a CSA Administrator.

  3. Click the Administration tile.

  4. In the left-navigation frame, select the provider organization.

  5. From the provider organization's navigation frame, select LDAP.

  6. Update the LDAP server information.

  7. Click Save.

Verify the CSA Consumer Organization's LDAP Server Configuration

Note: The same LDAP server must be used by the CSA Provider organization, CSA consumer organization and custom SSO Server.

To configure or update the consumer organization's LDAP server:

  1. Launch the Cloud Service Management Console by typing the following URL in a supported web browser: https://<csahostname>:8444/csa where <csahostname> is the fully‑qualified domain name of the system on which the Cloud Service Management Console resides.

    Launch the Cloud Service Management Console using an IPv6 address by typing the following URL in a supported web browser: https://<ipv6_address>:8444/csa/login

  2. Log in to the Cloud Service Management Console as the CSA Administrator.

  3. Click the Administration tile.

  4. In the left-navigation frame, select a consumer organization.

  5. From the consumer organization's navigation frame, select LDAP.

  6. Update the LDAP server information.

  7. Click Save.

  8. Repeat these steps for every consumer organization configured in CSA.

Only the /csa and /mpp contexts are supported (this is required by the SSO proxy setup).

Configure the Custom SSO Server to Work with CSA

To configure your custom SSO server to work with CSA, follow the instructions provided with your SSO application.

Stop CSA

See Stop CSA for instructions.

Configure the Cloud Service Management Console

To configure the Cloud Service Management Console:

  1. Update the applicationContext-security.xml file as appropriate for your custom SSO solution (based on the Spring Security Framework documentation).

  2. Update the csa.properties file by uncommenting the string enableSSO=true and setting the value of csa.subscriber.portal.url to {<protocol>}://{<host>}/mpp/org/{<orgName>}.

Configure the Marketplace Portal

To configure the Marketplace Portal:

  1. Change proxy in the mpp.json file to the IP address of the proxy to be used by SSO. See the Configure Proxy Mapping section for details.

  2. Update the applicationContext-security.xml file as appropriate for your custom SSO solution (based on the Spring Security Framework documentation).

  3. Update the applicationContext.xml file as appropriate for your custom SSO solution (based on the Spring Security Framework documentation).

Configure Proxy Mapping

To configure proxy mapping:

  1. Map the /csa proxy to the CSA deployment.

    Caution: Use only /csa as the alias. Using another alias may cause CSA to fail.
    For example, when configuring the alias in an Apache proxy server, set the following:
    ProxyPass /csa/ https://<csahostname>:8444/csa/
    ProxyPassReverse /csa/ https://<csahostname>:8444/csa/

  2. Map the /idm-service proxy to the Identity Management component deployment.

  3. Map the /mpp proxy to the Marketplace Portal deployment.
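A check for the three mappings above, as an added example that is not part of the CSA documentation: it reads an Apache configuration in the two-argument ProxyPass form shown in step 1 and reports a missing alias, a missing ProxyPassReverse, or a CSA context published under a different alias. It assumes each backend is deployed under a context path equal to its alias, as the /csa example shows; the function name, host names and sample configuration are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Aliases the procedure maps; assumed to equal the backend context paths,
# as the page's /csa example shows.
REQUIRED = ("/csa", "/idm-service", "/mpp")

# Two-argument ProxyPass / ProxyPassReverse lines; commented lines are skipped.
DIRECTIVE = re.compile(
    r"^[ \t]*(ProxyPassReverse|ProxyPass)[ \t]+(\S+)[ \t]+(\S+)", re.I | re.M)

# Constructed sample: /csa as on the page, the portal published under the
# wrong alias, /idm-service left commented out. Host names are placeholders.
SAMPLE_CONF = """\
ProxyPass /csa/ https://csa.example.test:8444/csa/
ProxyPassReverse /csa/ https://csa.example.test:8444/csa/
# ProxyPass /idm-service/ https://csa.example.test/idm-service/
ProxyPass /portal/ https://csa.example.test/mpp/
ProxyPassReverse /portal/ https://csa.example.test/mpp/
"""

def lint_proxy_map(conf):
    """Return a list of findings; an empty list means the mapping is complete."""
    seen = {"proxypass": set(), "proxypassreverse": set()}
    findings = []
    for name, alias, target in DIRECTIVE.findall(conf):
        alias = "/" + alias.strip("/")
        context = "/" + urlsplit(target).path.strip("/")
        seen[name.lower()].add(alias)
        # A CSA context reachable only under some other alias is the
        # misconfiguration the Caution in step 1 warns about.
        if context in REQUIRED and alias != context:
            msg = f"{context} is published as {alias}; use {context} as the alias"
            if msg not in findings:
                findings.append(msg)
    for alias in REQUIRED:
        if alias not in seen["proxypass"]:
            findings.append(f"{alias}: no ProxyPass mapping")
        elif alias not in seen["proxypassreverse"]:
            findings.append(f"{alias}: ProxyPass without ProxyPassReverse")
    return findings

if __name__ == "__main__":
    for finding in lint_proxy_map(SAMPLE_CONF):
        print(finding)
```

Mappings declared inside <Location> blocks use a one-argument form and are not covered by this check.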

Start CSA

See Start CSA for instructions.

Verify the Single Sign-On Integration

You should verify that the Single Sign-On integration works by logging into both the Cloud Service Management Console and the Marketplace Portal using the newly-integrated Single Sign-On solution.