Federation Changed Features

 
sm1252sp1
Enhancement in AuthnRequest for CA Single Sign-On 12.52 SP1 CR06
 
The following elements are added in AuthnRequest as part of CA Single Sign-On 12.52 SP1 CR06:
  • Issuer Format
  • AttributeConsumingServiceIndex
Issuer Format
In an SP to IdP partnership for SAML 2.0, the
SSO and SLO
dialog now includes a new field,
Issuer Format
, that specifies the IdP to identify itself in the assertion using the format selected for the Issuer. A CA Single Sign-On SP assumes that the IdP uses the entity identifier format by default when it returns the assertion.
A CA Single Sign-on IdP only supports the entity identifier format; if the SP sends any other format in the authentication request, a CA Single Sign-On IdP returns a 500 error. Either do not select a format or select only
Entity Identifier
.
The URI for this format is:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
IssuerFormat.png
AttributeConsumingServiceIndex
The CA Single Sign-on SP now supports the use of
AttributeConsumingServiceIndex
as a query parameter in the authentication request. This parameter specifies the index of an user attribute group that the SP-side application requires from the Identity Provider. The SP-side application might need specific user attributes, for example, email and phone number. If the SSO-initiating URL to the AuthnRequest service includes the AttributeConsumingServiceIndex query parameter, this parameter is sent as part of the authentication request to the remote IdP. The attribute groups are part of an XML metadata file that is shared with the remote entity in a communication separate from the SSO transaction. You have to manually add the attribute groups to the metadata.xml file.
This parameter enables the SP to request specific user attributes from the IdP. This query parameter is optional.
Example:
http://wa.cons.com/affwebservices/public/saml2authnrequest?ProviderID=idp&AttributeConsumingServiceIndex=3
CAPKI Upgrade for Federation
Federation is upgraded to use CAPKI 4.3.4 to fix the following OpenSSL vulnerabilities:
  • CVE-2014-0224: An SSL/TLS MITM vulnerability exists in OpenSSL 0.9.8y and earlier. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. A Man-in-the-middle (MITM) attack can exploit this vulnerability where the attacker can decrypt and modify traffic from the attacked client and server.
  • CVE-2014-0221: DTLS recursion flaw exists in OpenSSL 0.9.8y and earlier. By sending an invalid DTLS handshake to an OpenSSL DTLS client, the code can be made to recurse, eventually crashing in a DoS attack.
  • CVE-2014-3470: Anonymous ECDH denial of service flaw exists in OpenSSL 0.9.8y and earlier. OpenSSL TLS clients enabling anonymous ECDH cipher suites are subject to a denial of service attack.
  • CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack".
For more information about the vulnerabilities, see the OpenSSL documentation.