SSO and SLO Dialog (SAML 2.0 IdP)

The SSO and SLO step lets you configure single sign-on and single logout operation.
Authentication (SAML 2.0 IdP)
The Authentication section lets you specify how users authenticate during single sign-on transactions. Designate the method for authenticating a user who does not have a user session.
This section displays the following settings:
  • Authentication Mode
    Indicates whether a user session is established by authenticating a user locally or delegating authentication to a remote third-party access management system.
    Default: Local
    Options: Select one of the following options and configure any additional fields for that option:
    • Local—The federation system is handling user authentication. 
      If you select Local for the Authentication Mode field, enter a URL in the Authentication URL field. The URL typically points to a redirect.jsp file; however, if you select the Use Secure URL check box, the URL must point to the secureredirect web service.
      Authentication URL
      Specifies a protected URL that federation uses to authenticate users and create a session when a protected resource is requested. If the authentication mode is set to Local and a user has not logged in at the asserting party, the user is sent to this URL. This URL must point to the redirect.jsp file, unless you select the Use Secure URL check box.
      Use one of the following paths to the redirectjsp folder as the resource filter. The CA Web Agent Option Pack and the CA Access Gateway use this resource filter.
      • Direct path:
         /affwebservices/redirectjsp/
      • Virtual path:
        Path to the server where the redirectjsp folder exists. A common virtual path is /siteminderagent/redirectjsp, which is set up when you configure the Web Agent with the Web Agent Option Pack or the Access Gateway. The virtual path points to the following virtual directory:
        • Web Agent: web_agent_home/affwebservices/redirectjsp
        • CA Access Gateway: access_gateway_home/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp
      Examples:
      http://myserver.idpA.com/affwebservices/redirectjsp/redirect.jsp
      http://myserver.idpA.com/siteminderagent/redirectjsp/redirect.jsp
      myserver identifies the web server with the Web Agent Option Pack or the CA Access Gateway installed at the asserting party. The redirectjsp application is included with these products.
      Protect the Authentication URL with an access control policy. For the policy, configure an authentication scheme, realm, and rule. To add session store attributes to the assertion, enable the Persist Authentication Session Variables check box, which is a setting in the authentication scheme.
      Use Secure URL
      This setting instructs the single sign-on service to encrypt only the SMPORTALURL query parameter. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.
      If you select the Use Secure URL check box, complete the following steps:
      1. Set the Authentication URL field to the following URL: http(s)://idp_server:port/affwebservices/secure/secureredirect
      2. Protect the secureredirect web service with a policy.
      If the asserting party serves more than one relying partner, the asserting party probably authenticates different users for these different partners. As a result, for each Authentication URL that uses the secureredirect service, include this web service in a different realm for each partner.
      To associate the secureredirect service with different realms, modify the web.xml file and create different resource mappings. Do not copy the secureredirect web service to different locations on your server. Locate the web.xml file in the directory web_agent_home/affwebservices/WEB-INF, where web_agent_home is the installed location of the web agent.
    • Delegated—A third-party web access management (WAM) system is handling user authentication. Complete the additional fields. Learn more about delegated authentication.
    • Credential Selector—Users are presented with a credential selector page that lists multiple Identity Providers. The Identity Providers can be social media, WS-Federation, SAML, or OAuth partners. Users select the appropriate Identity Provider, and that provider authenticates the user. The list of acceptable identity providers is defined in an Authentication Method Group. The user must already be registered with the external partner that they select.
      If you select Credential Selector, complete the following fields:
      Authentication Base URL
      Defines the hostname of the CA Access Gateway server on which the credential handling service is installed. Enter the value in the following format: https://sps_hostname or http://sps_hostname
      Authentication Method Groups
      Specifies the authentication method group of identity providers that is displayed to users for authentication when the partnership is invoked.
  • Delegated Authentication Type (Delegated Mode only)
    Specifies whether the third-party authentication is accomplished by passing an open-format cookie or a query string with the user login ID and other information. This field is displayed only if Delegated is chosen as the Authentication Mode.
    Options: Query String, Open-format Cookie
    • Query string - To use a query string, the third party builds a redirect string and adds a query parameter named LoginIDHash to this string. The LoginIDHash parameter is a combination of the login ID of the user and a shared secret. These two values are combined and then processed through a hashing algorithm.
      Do not use the query string method in a production environment. The query string redirection method is only for a testing environment as a proof of concept.
      The query string option does not produce a FIPS-compliant partnership.
    • Open-format cookie - To use the open-format cookie, the third-party system can use a CA SiteMinder® Federation Java or .NET SDK to create the cookie. Alternatively, use a programming language to create the cookie manually. The third party redirects the browser to your federation system, which retrieves the user ID from the cookie.
  • Delegated Authentication URL (Delegated Mode only)
    Specifies the URL of the third-party web access management system that handles user authentication. If a user initiates a request at the local system, the user is redirected to the web access management system for authentication. After successful authentication, the user is redirected back to the local system.
    This URL is not relevant if a user initiates a request at the web access management system first.
    Value:
    A valid URL beginning with http:// or https://
  • Track Delegated Authentication Status
    Tracks whether delegated authentication is successful. If delegated authentication fails, this setting determines the behavior of the federation system. By default, this check box is selected. If a user does not provide credentials when accessing a protected resource configured for delegated authentication, delegated authentication fails. If that user tries accessing the resource again in the same browser session, the browser displays a 404 error. Also, the federation system writes an error message to the affwebservices.log and the FWSTrace.log files. The error message indicates that the credentials for delegated authentication are missing. The federation system does not redirect the user back to the delegated authentication URL to provide credentials.
    To have the federation system redirect the user back to the delegated authentication URL in the same browser session, clear this check box. By disabling tracking, a user can try accessing the resource again in the same browser session without receiving a 404 error. Instead, the federation system redirects the browser to the delegated authentication URL. The user is prompted again for credentials.
  • Query String Parameters for Delegated Authentication
    If you select Query String, for the Delegated Authentication Type field, complete these additional settings:
    • Hash Secret
      Determines the shared secret that is appended to the user login ID to create the LoginIDHash query parameter. This setting is only relevant when you select the query string option as the delegated authentication type.
    • Confirm Hash Secret
      Verifies the hash secret. Enter the value of the hash secret again.
  • Open-format Cookie Parameters for Delegated Authentication
    If you select the open-format cookie, the user is redirected to the third-party application by an HTTP 302 redirect. The third-party WAM system authenticates the user and shares the user credentials with CA SSO at the asserting party in an open-format cookie.
    If you select the open-format cookie option for delegated authentication, the following additional fields are displayed:
    Open-format Cookie Name
    Specifies the name of the cookie.
    Encryption Transformation
    Indicates the encryption transformation that must be used to decrypt the open-format cookie. Use the same value that the third-party WAM system used to encrypt the open-format cookie.
    Encryption Password
    Indicates the password that is used to decrypt the cookie. Use the same value that the third-party WAM system used to encrypt the open-format cookie.
    Confirm Password
    Confirms the encryption password entry.
    Enable HMAC
    Indicates that the software generates a Hash Message Authentication Code (HMAC) using the encryption password provided in this dialog.
    Message authentication codes (MACs) can verify the integrity of information that is sent between two parties. The two parties share a secret key for calculation and verification of the message authentication values. A Hash Message Authentication Code (HMAC) is a MAC mechanism that is based on cryptographic hash functions.
    If you select the Enable HMAC checkbox, the system generates an HMAC value for its open-format cookie. The software prepends the HMAC value to the open-format cookie value then encrypts the entire string. The system places the encrypted string in the open-format cookie, which is then passed to the target application.
    Cookie Skew Time (Seconds)
    Specifies the number of seconds subtracted from the current system time to account for the difference in the system clocks. The difference is between your federation system and the third-party application handling delegated authentication. The software applies the skew time to the generation and consumption of the open-format cookie.
    Value: a number of seconds.
    Override Authentication Class with Open Format Cookie Value
    Select this check box to override the configured authentication class URI with the URI sent by a remote third-party access management system and included in the assertion to the SP.
  • Authentication Class
    Specifies the URI provided in the AuthnContextClassRef element in the assertion, which describes how a federated user is authenticated. If the user is going to authenticate locally, accept the default URI for Password. If the user is authenticated by a remote third-party access management system, edit this field to reflect the authentication method.
    Default: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    Local authentication mode value: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    Delegated authentication mode value: a valid URI for the AuthnContextClassRef element, as defined in the SAML specification.
  • Configure AuthnContext
    Defines the method the Identity Provider uses to determine the authentication context that it places in the assertion. Options include:
    • Use Predefined Authentication Class
      Instructs the Identity Provider to use a hard-coded authentication class URI in the assertion. This URI is the value specified in the Authentication Class field. If you select this option, configure the following field:
      Authentication Class
      Specifies the URI provided in the AuthnContextClassRef element in the assertion, which describes how a federated user is authenticated. Accept the default URI for Password.
      Default: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    • Automatically Detect Authentication Class
      Instructs the Identity Provider to map the AuthnContext class to the protection level for the session, based on a configured authentication context template. If you select this option, configure the Authentication Context Template field. This setting identifies the template that the Identity Provider uses to map the authentication context to the associated protection level for a given user session. Select Create Template to create a template instead of choosing an existing one.
  • IgnoreRequestedAuthnContext
    Instructs the Identity Provider to disregard the <RequestedAuthnContext> element in the authentication request it receives from the Service Provider. The Identity Provider then determines the authentication context using a pre-defined authentication class or an authentication context template.
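The following added example (not CA Single Sign-On code) shows the decision the Authentication Class, Configure AuthnContext and IgnoreRequestedAuthnContext settings above describe: the IdP picks an AuthnContextClassRef either from a hard-coded class or from a template that maps the session's protection level to a class, then either ignores or honours the SP's <RequestedAuthnContext>. The template mapping, the protection-level numbers, the strength ordering and the two sample AuthnRequests are constructed for illustration; the Comparison semantics ("exact" is the SAML 2.0 default, "minimum" means at least as strong) are from the SAML 2.0 core specification.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Added illustration of the AuthnContext decision. The TEMPLATE mapping, protection levels,
# STRENGTH ordering and sample requests are assumptions, not CA Single Sign-On's own format.

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"

# Stand-in for an "Authentication Context Template": protection level -> class URI (assumed).
TEMPLATE: Dict[int, str] = {5: PASSWORD, 10: PPT, 15: TLS_CLIENT}
# Ordering used for Comparison="minimum": later entries are stronger (assumed).
STRENGTH: List[str] = [PASSWORD, PPT, TLS_CLIENT]

# Constructed SP requests: one asks for at least PasswordProtectedTransport, one for exactly Password.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

EXACT_PASSWORD_REQUEST = SAMPLE_AUTHN_REQUEST.replace('Comparison="minimum"', 'Comparison="exact"') \
    .replace("PasswordProtectedTransport", "Password")

NO_CONTEXT_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>"""


def requested_context(authn_request_xml: str) -> Tuple[Optional[str], List[str]]:
    """Return (Comparison, [class URIs]) from <RequestedAuthnContext>, or (None, []) if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")   # SAML 2.0 core: default is "exact"
    classes = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, classes


def choose_authn_class(session_level: int, authn_request_xml: str, *,
                       predefined: Optional[str] = None,
                       ignore_requested: bool = False) -> str:
    """Pick the AuthnContextClassRef to place in the assertion.

    predefined set   -> 'Use Predefined Authentication Class' (hard-coded URI)
    predefined None  -> 'Automatically Detect Authentication Class' via TEMPLATE
    ignore_requested -> the IgnoreRequestedAuthnContext check box
    Raises ValueError when the SP's request cannot be satisfied by this session (step-up needed).
    """
    if predefined is not None:
        actual = predefined
    else:
        eligible = [lvl for lvl in TEMPLATE if lvl <= session_level]
        if not eligible:
            raise ValueError(f"no template entry at or below protection level {session_level}")
        actual = TEMPLATE[max(eligible)]

    if ignore_requested:
        return actual

    comparison, wanted = requested_context(authn_request_xml)
    if comparison is None:
        return actual
    if comparison == "exact":
        if actual not in wanted:
            raise ValueError(f"SP requires exactly one of {wanted}; session has {actual}")
    elif comparison == "minimum":
        unranked = [c for c in wanted if c not in STRENGTH]
        if unranked or actual not in STRENGTH:
            raise ValueError(f"cannot rank classes {unranked or [actual]} for a minimum comparison")
        if STRENGTH.index(actual) < min(STRENGTH.index(c) for c in wanted):
            raise ValueError(f"SP requires at least one of {wanted}; session has {actual}")
    else:
        raise ValueError(f"Comparison={comparison!r} is not handled in this example")
    return actual
```

The ValueError cases are the situations in which an IdP must either send the user back to the Authentication URL for a stronger authentication or return a failure response to the SP; returning a weaker class than the SP asked for silently is what IgnoreRequestedAuthnContext makes possible, so enable it only for partners whose access decisions do not depend on the class.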
  • Idle Timeout (Hours:Minutes)
    Determines the amount of time that an authorized user session can remain inactive before the federation system terminates the session. If you are concerned about users leaving their workstations after accessing a protected resource, set the idle timeout to a short period. If the session times out, users must reauthenticate before accessing the resources again.
    This setting is enabled by default. To specify no session idle timeout, clear the check box.
    Default: 1 hour
    • Hours
      Specifies the number of hours for the idle timeout period.
    • Minutes
      Specifies the number of minutes for the idle timeout period.
  • Maximum Timeout (Hours:Minutes)
    Determines the maximum amount of time a user session can be active before the federation system challenges the user to reauthenticate.
    This setting is enabled by default. To specify no maximum session length, clear the check box.
    Default: 2 hours
    • Hours
      Specifies the number of hours for the maximum session length.
    • Minutes
      Specifies the number of minutes for the maximum session length.
  • Update session for ForceAuthn
    Select this check box to update the assertion with the current session start time, and max and idle timeouts. This check box is valid when credentials are requested by the SP and the authentication request includes a forced authentication query parameter.
    This setting is unchecked by default. The original session start time and timeouts are used when generating the assertion.
  • Enable Enhanced Session Assurance
    Select this check box to protect the resources that are specified in the realm (of the Policy domain model) or the component (of the application model). You can also protect the authentication requests of certain federation partnerships. The session assurance end point collects the DeviceDNA™ from the user and validates the session. This feature requires session assurance end points.
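The Open-format Cookie Parameters above (Encryption Password, Enable HMAC, Cookie Skew Time) describe a MAC-then-encrypt cookie that the third-party WAM system builds and the federation system consumes. The following added example, which is not the CA SiteMinder Federation SDK or any CA Single Sign-On code, walks both sides of that exchange. The payload layout (uid and iat query-string pairs), the PBKDF2 key derivation from the shared password, the HMAC-SHA256 counter-mode stand-in for the configured encryption transformation, the symmetric skew window, and the password and skew values are all assumptions made so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed illustration, not the CA SiteMinder Federation SDK. The payload layout, the
# PBKDF2 key derivation, the HMAC-SHA256 counter-mode "encryption transformation" and the
# skew semantics are assumptions; a real deployment uses the cipher suite configured in
# the dialog and the SDK's own cookie format.

SHARED_PASSWORD = "correct horse battery staple"   # Encryption Password (assumed value)
SKEW_SECONDS = 30                                   # Cookie Skew Time (assumed value)
SALT_LEN = 16
MAC_LEN = 32                                        # HMAC-SHA256 digest length


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent MAC and cipher keys from the shared password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 used as a PRF in counter mode. The same call decrypts."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_cookie(login_id: str, now: Optional[int] = None) -> str:
    """Third-party WAM side. The HMAC is computed over the payload, prepended to it, and the
    whole string is then encrypted: the order the Enable HMAC description gives."""
    issued = int(time.time()) if now is None else now
    payload = urlencode({"uid": login_id, "iat": issued}).encode()
    salt = os.urandom(SALT_LEN)
    mac_key, enc_key = derive_keys(SHARED_PASSWORD, salt)
    tag = hmac.new(mac_key, payload, hashlib.sha256).digest()
    return (salt + keystream_xor(enc_key, salt, tag + payload)).hex()


def consume_cookie(cookie: str, now: Optional[int] = None) -> str:
    """Federation side: decrypt, verify the HMAC in constant time, then apply the skew window.
    Returns the login ID or raises ValueError with the reason the cookie was refused."""
    current = int(time.time()) if now is None else now
    raw = bytes.fromhex(cookie)
    salt, ciphertext = raw[:SALT_LEN], raw[SALT_LEN:]
    mac_key, enc_key = derive_keys(SHARED_PASSWORD, salt)
    plain = keystream_xor(enc_key, salt, ciphertext)
    tag, payload = plain[:MAC_LEN], plain[MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, payload, hashlib.sha256).digest()):
        raise ValueError("HMAC mismatch: cookie was altered or the Encryption Password differs")
    fields = parse_qs(payload.decode(errors="replace"))
    issued = int(fields["iat"][0])
    # Skew handling (assumed semantics): the issue time must lie within SKEW_SECONDS of our clock.
    if abs(current - issued) > SKEW_SECONDS:
        raise ValueError(f"cookie issued at {issued} is outside the {SKEW_SECONDS}s skew window at {current}")
    return fields["uid"][0]


def try_consume(cookie: str, now: int) -> Optional[str]:
    """Convenience wrapper: the login ID on success, None when the cookie is refused."""
    try:
        return consume_cookie(cookie, now)
    except ValueError:
        return None
```

Two points the dialog text does not spell out: the HMAC must be checked before any field of the cookie is trusted, and the skew window is the only thing bounding the cookie's lifetime, so a captured cookie can be replayed for that long. Keep the skew small, set the cookie with Secure and HttpOnly, and make sure the same password is never shared with more than one partner.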
SSO (SAML 2.0 IdP)
The SSO section lets you configure single sign-on (SSO). This section displays the following settings:
  • Authentication Request Binding
    Specifies the types of bindings the IdP allows when it receives an authentication request from the SP.
    Options: HTTP-Redirect, HTTP-POST
  • SSO Binding
    Determines which single sign-on profile is used for processing requests. You can select all bindings; the local entity determines the sequence in which the bindings are tried.
    Options: HTTP-Artifact, HTTP-POST, Enhanced Client and Proxy
    Guidelines for this setting:
    • If you select Artifact binding, select an artifact encoding (URL or FORM). The encoding defines how the artifact comes back to the relying party. If you select the URL option, the artifact is sent back as a query parameter in a URL. If you select FORM, the artifact is posted as form data. For artifact binding, the assertion is sent over a secure back channel. Therefore, configure the settings in the Back Channel section.
    • When you select an SSO binding, configure at least one Assertion Consumer Service with a matching binding.
    • Choose the ECP profile if the entities in the partnership are communicating indirectly through an enhanced client. An enhanced client can be a browser or other user agent, or an enhanced proxy, such as a wireless proxy for a wireless device.
    If you select Enhanced Client and Proxy Profile, you need an Assertion Consumer Service with the PAOS binding.
  • Artifact Protection Type
    Defines how the back channel is protected for HTTP-Artifact single sign-on. The legacy option indicates that CA Single Sign-On protects the back channel. The partnership option indicates that the federation component within CA Single Sign-On protects the back channel.
    If you recreate your eTrust SiteMinder FSS configuration in the partnership federation model, you can use your original method of protecting the back channel. The legacy option lets the configuration use the existing URL for the Assertion Retrieval Service (SAML 1.x) or Artifact Resolution Service (SAML 2.0). By selecting legacy, CA Single Sign-On accepts the request and you do not have to modify the URL. If the artifact service URL is from the legacy configuration but only the partnership option is selected for this setting, CA Single Sign-On rejects the request.
    With the legacy option, be sure to enforce the policy that protects the artifact service. This policy is a component of the Federation Web Services. CA Single Sign-On creates policies for Federation Web Services automatically, but you are required to enforce the protection of these policies and to indicate which partnership is permitted access to the service that retrieves artifacts.
    Options: Legacy, Partnership
  • Artifact Encoding
    Specifies how the artifact is encoded when sent to the relying party for HTTP-artifact single sign-on.
    Options: URL, Form
    If you select URL, the artifact is added to a URL-encoded query string. If you select Form, the artifact is added to a hidden form control in a form.
  • Audience
    Specifies the URL of the audience. The audience URL identifies the location of a document that describes the terms and conditions of the business agreement between the asserting and relying parties. The administrator at the asserting party determines the audience. This value must match the Audience value specified at the relying party.
    Value: a URL. The audience value cannot exceed 1024 characters and is case-sensitive.
    Example: http://www.ca.com/fedserver
  • Accept ACS URL in the Authnrequest
    Lets the system accept and process the Assertion Consumer Service URL in the incoming authentication request from the relying party. Select this check box to validate that the URL is present and well formed and that it matches an Assertion Consumer Service URL in the partner metadata. An assertion is never sent to a URL that is not in the metadata.
  • Transactions Allowed
    Indicates which partner can initiate single sign-on. Controlling which partner initiates single sign-on lets you manage federation calls. If you select the SP-initiated-only value, an SP can require a specific authentication context in the assertion before permitting access to a resource.
  • SSO Validity Duration (Seconds)
    Specifies the number of seconds for which a generated assertion is valid. For single sign-on, the SSO Validity Duration and Skew Time instruct the Policy Server how to calculate the total time that the single sign-on request is valid. In a test environment, you can increase the Validity Duration above the default of 60 if the following message is in the trace log:
    Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237) - current time (Fri Sep 09 17:28:33 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2005)
    Value: a positive integer
    Default: 60
  • Recommended SP Session Duration
    Specifies the length of time that the session at the SP is active.
    In the <AuthnStatement> of the assertion, the Policy Server calculates the SessionNotOnOrAfter attribute using the formula current_time + validity_duration + skew_time. Because the validity duration defaults to only 60 seconds, an SP that sets its session timeout to this value gets a session that is too brief. You can solve this problem by increasing the SSO validity duration or by changing how the SessionNotOnOrAfter value is calculated, using the following options.
    Options:
    • Use Assertion Validity
      Calculates the SessionNotOnOrAfter value that is based on the SSO Validity Duration setting.
    • Customize Assertion Session Duration
      Select one of the following options:
      Omit – Instructs the IdP not to include the SessionNotOnOrAfter parameter in the assertion.
      IDP Session – Calculates the SessionNotOnOrAfter value based on the IdP session timeout. The timeout is configured in the IdP realm for the authentication URL. Using this option can synchronize the IdP and SP session timeout values.
      Custom – Sets the timeout to a customized value in hours and minutes.
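The following added example (not CA Single Sign-On code) carries the SessionNotOnOrAfter arithmetic above through each of the Recommended SP Session Duration options and shows the check on the SP side that produces the "current time is after SessionNotOnOrAfter" rejection quoted under SSO Validity Duration. The 60-second validity duration is the dialog default; the 30-second skew, the two-hour IdP realm timeout and the rendered <AuthnStatement> fragment are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added worked example of the SessionNotOnOrAfter calculation. SSO_VALIDITY_SECONDS mirrors
# the dialog default; SKEW_SECONDS and IDP_REALM_MAX_TIMEOUT are assumed values.

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SSO_VALIDITY_SECONDS = 60                    # SSO Validity Duration default
SKEW_SECONDS = 30                            # assumed Skew Time
IDP_REALM_MAX_TIMEOUT = timedelta(hours=2)   # assumed Maximum Timeout of the IdP realm


def _iso(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def session_not_on_or_after(now: datetime, mode: str,
                            custom: Optional[timedelta] = None) -> Optional[datetime]:
    """Value for SessionNotOnOrAfter under each option; None means the attribute is omitted.

    mode: 'validity'    -> Use Assertion Validity: current_time + validity_duration + skew_time
          'omit'        -> Customize: Omit
          'idp_session' -> Customize: IDP Session
          'custom'      -> Customize: Custom (hours and minutes given as `custom`)
    """
    if mode == "validity":
        return now + timedelta(seconds=SSO_VALIDITY_SECONDS + SKEW_SECONDS)
    if mode == "omit":
        return None
    if mode == "idp_session":
        return now + IDP_REALM_MAX_TIMEOUT
    if mode == "custom":
        if custom is None:
            raise ValueError("custom mode needs a timedelta")
        return now + custom
    raise ValueError(f"unknown mode {mode!r}")


def authn_statement(now: datetime, mode: str, custom: Optional[timedelta] = None) -> str:
    """Render the <AuthnStatement> the IdP would place in the assertion (constructed fragment)."""
    stmt = ET.Element(f"{{{SAML_NS}}}AuthnStatement")
    stmt.set("AuthnInstant", _iso(now))
    sna = session_not_on_or_after(now, mode, custom)
    if sna is not None:
        stmt.set("SessionNotOnOrAfter", _iso(sna))
    return ET.tostring(stmt, encoding="unicode")


def sp_accepts(authn_statement_xml: str, sp_now: datetime) -> bool:
    """The consumer-side check: reject once the current time is at or after SessionNotOnOrAfter.
    An omitted attribute places no limit, which is why Omit hands timeout control to the SP."""
    stmt = ET.fromstring(authn_statement_xml)
    sna = stmt.get("SessionNotOnOrAfter")
    if sna is None:
        return True
    limit = datetime.strptime(sna, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sp_now < limit
```

With the defaults, an SP that derives its session length from SessionNotOnOrAfter gets a 90-second session; selecting IDP Session or Custom is what aligns the two sides, and Omit is the right choice only when the SP is trusted to enforce its own timeouts.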
  • Enable Negative Authentication Response
    Specifies that the Service Provider receives notification when a user authentication request fails.
  • Enable User Consent
    To enhance user privacy, you can require that a user consent to have the asserting party share identity information with the SP. If you select the Enable User Consent check box, the asserting party prompts the user for consent and passes the consent value in the assertion.
    If this check box is enabled, the following two fields are displayed:
    • User Consent Service URL
      Specifies the URL for the User Consent service at the asserting party. The default is http://idp_site:8999/affwebservices/public/saml2userconsent
    • User Consent Post Form
      Names the custom auto-POST HTML form for user consent. Enter only the name of the form, not the path to the form. The user can configure the HTML form that the asserting party provides to the user for getting consent. This form can be customized to suit your business needs.
      The physical page must reside in the directory %NETE_WA_ROOT%\customization, where %NETE_WA_ROOT% is the location of the Web Agent Option Pack. If the Web Agent and Web Agent Option Pack are installed on the same system, they are installed in the same directory, for example, webagent\customization.
  • Minimum Authentication Level
    Specifies the minimum level at which the user must have authenticated to gain access to a realm. If the user has authenticated at this level or higher, the Identity Provider generates an assertion for the user. If the user is not authenticated at this level or higher, they are redirected to the Authentication URL to authenticate at this level.
  • Custom Post Form
    Names the custom auto-POST HTML form for HTTP-POST single sign-on. Enter only the name of the form, not the path to the form. The Policy Server provides a form named defaultpostform.html. A customized auto-POST enables the Policy Server to send SAML information to the consumer. The physical page must reside in the directory %NETE_WA_ROOT%\customization, where %NETE_WA_ROOT% is the location of the Web Agent Option Pack. If the Web Agent and Web Agent Option Pack are installed on the same system, they are installed in the same directory, for example, webagent\customization.
  • Validation Period
    To see this check box, enable the Session Server using the Policy Server Management Console.
    Determines the maximum period between the agent calls to the Policy Server for validating a session. The session validation calls inform the Policy Server that a user is still active and confirm that the user session is still valid. To specify the validation period, enter values in the Hours, Minutes, and Seconds fields. If you are configuring the system to provide a Windows user security context, set this value high, for example, 15-30 minutes. 
    The session validation period must be less than the specified Idle Timeout value.
  • Set OneTimeUseCondition
    Instructs the SP to use the assertion immediately and not retain it for future use. The assertion is intended only for one-time use. The OneTimeUse condition is useful because the information in an assertion can change or expire, and the condition ensures that the SP acts on up-to-date information. Instead of reusing the assertion, the SP must request a new assertion from the IdP.
  • Assertion Consumer URLs
    This section lets you assign index values for Assertion Consumer Service URLs. Assigning index numbers enables different Assertion Consumer Service entries to be used for different protocol bindings. The relying party simply includes the index number for the appropriate URL in the AuthnRequest it sends to the asserting party.
    The table in this section contains the following fields:
    • Index
      Specifies the index number for the URL of an Assertion Consumer Service at the relying party.
      Default: 0
      Value: a unique integer from 0 through 65535
    • Binding
      Specifies the single sign-on binding you are using for the Assertion Consumer Service.
      An unsolicited request can initiate single sign-on at the asserting party. If the link that triggers the request includes the ProtocolBinding query parameter, the binding specified in this query parameter overrides the value for this field.
      Default: HTTP-POST
      Options: HTTP-Artifact, HTTP-POST, PAOS
    • URL
      Specifies the URL of the Assertion Consumer Service at the relying party.
      Default (CA Single Sign-On as SP): http://sp_server:port/affwebservices/public/saml2assertionconsumer
    • Default
      (Optional) Indicates that the selected URL serves as the default entry. Select the check box next to the entry you want to use as the default.
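The Assertion Consumer URLs table and the Accept ACS URL in the Authnrequest setting together decide where an assertion is delivered, which is the one place a malformed or hostile AuthnRequest could redirect a signed assertion to a host the partner never registered. The following added example (not CA Single Sign-On code) resolves the target from the three ways an SP can name it, by index, by URL plus ProtocolBinding, or by the default entry, and refuses anything that is not an exact match against the configured table. The table contents, the SP hostname and the sample requests are constructed; the rule that AssertionConsumerServiceIndex excludes AssertionConsumerServiceURL and ProtocolBinding is from SAML 2.0 core.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Added example, not CA Single Sign-On code. ACS_TABLE stands in for the Assertion Consumer
# URLs table in the dialog; the SP hostname and AuthnRequests are constructed.

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
SP_ACS = "https://sp.example.com/affwebservices/public/saml2assertionconsumer"

# index -> (binding, URL, default flag)
ACS_TABLE: Dict[int, Tuple[str, str, bool]] = {
    0: (POST, SP_ACS, True),
    1: (ARTIFACT, SP_ACS, False),
}
ACCEPT_ACS_URL_IN_REQUEST = True   # the 'Accept ACS URL in the Authnrequest' check box


def resolve_acs(authn_request_xml: str) -> Tuple[str, str]:
    """Return (binding, url) the assertion must be sent to, or raise ValueError.

    A URL named by the SP is honoured only on an exact string match against the table, so a
    request can never steer an assertion to a host or path the partner did not register."""
    req = ET.fromstring(authn_request_xml)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    idx = req.get("AssertionConsumerServiceIndex")
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")

    if idx is not None:
        if url is not None or binding is not None:
            raise ValueError("AssertionConsumerServiceIndex cannot be combined with URL/ProtocolBinding")
        entry = ACS_TABLE.get(int(idx))
        if entry is None:
            raise ValueError(f"no Assertion Consumer Service with index {idx}")
        return entry[0], entry[1]

    if url is not None:
        if not ACCEPT_ACS_URL_IN_REQUEST:
            raise ValueError("AssertionConsumerServiceURL in the request is not accepted by configuration")
        # Exact match only: no prefix, suffix or host-only comparison, so
        # https://sp.example.com.attacker.net/... or a changed path is refused.
        matches = [(b, u) for (b, u, _) in ACS_TABLE.values()
                   if u == url and (binding is None or b == binding)]
        if not matches:
            raise ValueError(f"AssertionConsumerServiceURL {url!r} with binding {binding!r} is not configured")
        return matches[0]

    # Neither index nor URL: use the table, preferring the entry flagged as default.
    candidates = sorted(((b, u, d) for (b, u, d) in ACS_TABLE.values()
                         if binding is None or b == binding), key=lambda e: not e[2])
    if not candidates:
        raise ValueError(f"no Assertion Consumer Service with binding {binding!r}")
    return candidates[0][0], candidates[0][1]


def sample_request(**attrs: str) -> str:
    """Constructed minimal AuthnRequest carrying only the ACS-selection attributes."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z"{extra}/>')
```

The exact-match rule is the practical meaning of "it is in the metadata": anything looser (matching on host only, or on a URL prefix) turns the IdP into a relay that hands a valid assertion to whoever controls a lookalike host.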
SLO (SAML 2.0 IdP)
The SLO section lets you configure single logout (SLO). This section displays the following settings:
  • SLO Binding
    Specifies whether the single logout profile is enabled at the asserting party and which binding is in use. HTTP-Redirect binding sends SLO messages using HTTP GET requests. SOAP binding does not rely on HTTP after the initial request and sends messages across a back channel.
    Options: HTTP-Redirect, HTTP-POST, SOAP
  • SLO Confirm URL
    Specifies the URL where the user is redirected when the single logout process is complete. Typically, the Confirm URL points to a location at the site that initiated single logout. If SLO is initiated at your site, the system uses this URL. The URL resource must be a local resource that is accessible to your site, not a resource in a federated partner domain. For example, if the local domain is acme.com and your partner is example.com, then the SLO Confirm URL must be in acme.com.
    Value: a valid URL
  • SLO Validity Duration (Seconds)
    Specifies the number of seconds for which a SLO request is valid.
    Default: 60 seconds
    Value: a positive integer
  • Relay state overrides SLO Confirm URL (HTTP-Redirect only)
    Replaces the URL in the SLO Confirm URL field with the value of the Relay State query parameter included with the single logout request. This check box gives you more control over the single logout confirmation target. The Relay State query parameter lets you dynamically define the confirmation URL for SLO requests.
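Letting RelayState choose the confirmation target makes the single logout endpoint a redirect whose destination an arbitrary party can supply, so the locality rule stated under SLO Confirm URL (the target must be in your own domain, not a partner's) has to be enforced on that value. The following added check is not CA Single Sign-On's own validation; the acme.com domain and the configured confirm URL are assumed values. It accepts only absolute http(s) URLs whose host is the local domain or a subdomain of it and refuses the usual open-redirect shapes.

```python
from typing import Optional
from urllib.parse import urlsplit

# Added check for the SLO confirmation target. LOCAL_DOMAIN and SLO_CONFIRM_URL are assumed;
# this is illustration, not CA Single Sign-On's own RelayState handling.

LOCAL_DOMAIN = "acme.com"
SLO_CONFIRM_URL = "https://www.acme.com/logout/done.html"


def is_local_url(url: str, local_domain: str = LOCAL_DOMAIN) -> bool:
    """True only for absolute http(s) URLs whose host is local_domain or a subdomain of it.

    Refuses scheme-relative '//evil.net', lookalikes such as 'www.acme.com.evil.net',
    userinfo tricks such as 'https://www.acme.com@evil.net', backslash hosts that browsers
    reinterpret, and non-http schemes such as javascript:."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or "\\" in url:
        return False
    host = parts.hostname   # lowercased; userinfo and port are stripped
    if not host or parts.username is not None or parts.password is not None:
        return False
    return host == local_domain or host.endswith("." + local_domain)


def slo_confirm_target(relay_state: Optional[str], override_enabled: bool) -> str:
    """Where to send the browser after SLO, applying 'Relay state overrides SLO Confirm URL'.
    A RelayState that fails the locality check falls back to the configured confirm URL."""
    if override_enabled and relay_state and is_local_url(relay_state):
        return relay_state
    return SLO_CONFIRM_URL
```

The same concern applies to any other user-controlled return target the federation flow carries; the Use Secure URL option in the Authentication section exists for exactly this reason with SMPORTALURL.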
  • Reuse Session Index
    Indicates whether CA Single Sign-On sends the same session index in the assertion for the same partner in a single browser session. A user can federate multiple times with the same partner using the same browser window. Selecting this option instructs the IdP to send the same session index in each assertion. If you disable this option, CA Single Sign-On generates a new session index every time single sign-on occurs.
    You can enable this option to help ensure single logout with third-party partners that do not honor the session index passed in newer assertions.
    This setting is relevant only if single logout is enabled.
  • SLO Service URLs
    Lists the available SLO service URLs. The table includes the following entries:
    • Select
      Indicates that this value is the entry for the SLO Service URL.
    • Binding
      Indicates the binding for the SLO connection.
      Options: HTTP-Redirect, SOAP
    • Location URL
      Specifies the URL of the single logout service at the remote partner where the single logout request is sent.
      Value: a valid URL
      If your federation system is at the remote SP, use the following URLs:
      HTTP-Redirect binding: http://sp_host:port/affwebservices/public/saml2slo
      HTTP-POST binding: http://sp_host:port/affwebservices/public/saml2slo
      SOAP binding: http://sp_host:port/affwebservices/public/saml2slosoap
      If a third-party federation product is at the SP, use the URL appropriate for that product.
  • Response Location URL
    (Optional) Specifies the URL of the single logout service for the entity. The Response Location URL is used in a configuration where there is one service for single logout requests and one service for single logout responses. By default, if only the Location URL is provided, it is used for the request and the response.
    Value: a valid URL
Manage Name ID Service
This section describes the fields for configuring the Manage Name ID Service.
  • MNI Binding: SOAP
    Enable the Manage Name ID service. SOAP is the only supported binding. If you select this option, the User Lookup for Attribute and Name ID Services section appears. Specify a user directory search specification in the Custom field. The value you enter lets the Policy Server know how to locate the user record in the user directory.  Enter a search string appropriate for the directory type, such as:
    LDAP: uid=%s
    ODBC: name=%s
  • Encrypt Name ID
    Encrypts the Name ID in messages that are sent.
  • Require Encrypted Name ID
    Requires an encrypted name ID in received messages
  • Sign Request
    Signs the ManageNameID request message.
  • Require Signed Request
    Requires a signed ManageNameID request message.
  • Sign Response
    Signs the ManageNameId response message.
  • Require Signed Response
    Requires a signed ManageNameID response message.
  • Delete Name ID
    Clears the user directory attribute holding the user NameID for this partnership. Select either Delete Name ID or Enable Notification to make the feature functional.
  • SOAP Timeout (seconds)
    Specifies the number of seconds to wait until the request times out.
    Default: 60
  • Retry Count
    Specifies the number of times to retry a request.
    Default: 3
  • Retry Boundary (minutes)
    Specifies the number of minutes to wait before attempting a retry on message failure.
    Default: 15
  • (Optional) Enable Notification
    Instructs the
    CA Single Sign-On
     federation entity to notify the customer application when a user is terminated. The NameID service sends the notification in the background after a NameID termination succeeds. Enable notifications if the customer who owns the requested application wants to control the removal of the user from the user directory.
  • Notification URL
    Specifies the URL of the remote IdP or SP to which the local federated entity sends the notification that the NameID for a federated user is terminated.
  • Notify TimeOut (Seconds)
    Specifies the number of seconds to wait until the notification request times out.
  • Notification Auth Type
    Specifies whether the customer application requires credentials on the termination notification. If you select Basic, the notification service makes a call-out in the background to the Notification URL, and the customer application can verify that
    CA Single Sign-On
     federation is allowed to make this call-out. If you select Basic, also specify values for the Notify Username and NotifyPassword settings. These values serve as credentials when a call-out is sent across the notification channel.
    Options
    : NoAuth, Basic
  • Notify Username
    Specifies a user name for the Notification Service. This name is part of the credentials for the customer application to verify the entity communicating across the notification URL. 
  • NotifyPassword
    Specifies a password for the Notification Service. This password is part of the credentials for the customer application to verify the entity communicating across the notification URL. A customer application supplies this authentication to ensure that a valid client is sending the notification.
  • Notify Confirm Password
    Confirms the NotifyPassword value.
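The following is an added example, not CA Single Sign-On code, showing what the settings above mean on the wire: a ManageNameID request carrying samlp:Terminate, the matching response, and a receiver that applies Require Signed Request, Delete Name ID and Enable Notification. Element and attribute names follow the SAML 2.0 protocol schema; the function names, the in-memory directory and the notify callback are assumptions.

```python
# Added example, not CA Single Sign-On code: a minimal ManageNameID (MNI)
# exchange as carried over the SOAP binding, wired to the Delete Name ID,
# Enable Notification and Require Signed Request settings. Element and
# attribute names follow the SAML 2.0 protocol schema; function names, the
# in-memory "directory" and the notify callback are assumptions.
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_terminate_request(issuer, name_id, destination):
    """ManageNameIDRequest with <samlp:Terminate/>: 'stop federating this NameID'."""
    root = ET.Element(f"{{{SAMLP}}}ManageNameIDRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "Destination": destination})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {"Format": PERSISTENT}).text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}Terminate")
    return ET.tostring(root, encoding="unicode")


def build_response(in_response_to, status_code, issuer):
    """ManageNameIDResponse; InResponseTo ties it to the request ID."""
    root = ET.Element(f"{{{SAMLP}}}ManageNameIDResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "InResponseTo": in_response_to})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    return ET.tostring(root, encoding="unicode")


def handle_mni_request(xml_text, directory, local_issuer, *, require_signed,
                       delete_name_id, notify=None):
    """Receiving side. directory maps user id -> record dict whose 'fedNameID'
    attribute holds the NameID issued for this partnership. notify, when set,
    is called with the NameID after a successful termination (Enable Notification).
    Returns (status code, response XML). Parse real untrusted input with defusedxml."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}ManageNameIDRequest":
        raise ValueError("not a ManageNameIDRequest")
    request_id = root.get("ID", "")
    # Require Signed Request: presence of ds:Signature is only the first gate. A
    # real endpoint must also verify the signature against the partner's
    # certificate (e.g. with xmlsec); that verification is not shown here.
    if require_signed and root.find(f"{{{DSIG}}}Signature") is None:
        return REQUEST_DENIED, build_response(request_id, REQUEST_DENIED, local_issuer)
    name_id = root.findtext(f"{{{SAML}}}NameID")
    terminate = root.find(f"{{{SAMLP}}}Terminate") is not None
    user = next((u for u in directory.values() if u.get("fedNameID") == name_id), None)
    if not terminate or user is None:
        return REQUEST_DENIED, build_response(request_id, REQUEST_DENIED, local_issuer)
    # With neither setting enabled the request succeeds but nothing changes,
    # which is why the page says one of the two must be selected.
    if delete_name_id:
        user["fedNameID"] = None      # Delete Name ID: clear the attribute
    if notify is not None:
        notify(name_id)               # Enable Notification: background call-out
    return SUCCESS, build_response(request_id, SUCCESS, local_issuer)
```

The receiver looks the user up by the NameID attribute rather than trusting anything else in the message, and an unknown NameID or a request without Terminate is answered with RequestDenied rather than silently succeeding.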
Back Channel (SAML 2.0 IdP)
The Back Channel section is where you configure the authentication method across the back channel. The back channel has different purposes depending on the following criteria:
  • HTTP-Artifact single sign-on is configured.
  • Single logout using the SOAP binding is configured.
  • Your federation system is the Identity Provider or Service Provider.
  • Communication is over an incoming or outgoing channel.
The Back Channel section displays the following settings:
  • Incoming Configuration/Outgoing Configuration
    Configure an incoming or outgoing back channel as required by the selected bindings. Each direction has only one configuration: if two services share the channel, they share that configuration. For example, the incoming channel of a local IdP serves both HTTP-Artifact SSO (the Artifact Resolution Service) and SLO over SOAP, so both services use the same back channel authentication settings.
  • Authentication Method
    Specifies the authentication method that protects the back channel.
    Default:
    NoAuth
    Options:
    Basic, Client Cert, NoAuth
    Basic
    Indicates that a Basic authentication scheme is protecting the communication across the back channel.
    Note:
    If SSL is enabled for the back channel connection, you can still select Basic authentication.
    If you select Basic authentication, configure the following additional settings:
    • Back channel user name
      (Basic authentication, outgoing channel only.) Specifies the user name that the local entity presents on the outgoing channel when using Basic authentication. Enter the name of the partnership as it is configured at the remote partner. For example, at a remote IdP, a partnership named Partners1 is defined between CompanyA (IdP) and CompanyB (SP). At CompanyB, the local SP, the value you enter is Partners1, which associates this user name with the matching partnership at the IdP.
    • Password
      Specifies the password for the back channel user name. This password is relevant only if you use Basic or Basic over SSL as the authentication method across the back channel.
      The two partners agree on this password out of band.
    • Confirm Password
      Reconfirms the password entry.
    • Back Channel Timeout (seconds)
      (Outgoing channel only) Specifies the maximum amount of time the system waits for a response after sending a back channel request to the Artifact Resolution Service. Specify an interval in seconds.
      Default:
      300 seconds
      Value:
      positive integer
  • Client Cert
    Indicates that an X.509 client certificate authentication scheme protects the communication to the Artifact Resolution Service across the back channel.
    Client cert authentication requires the use of SSL for all endpoint URLs. Endpoint URLs locate the various SAML services on a server, such as the Artifact Resolution Service. The SSL requirement means that the URL to the service must begin with https://.
    To implement Client Cert authentication, the SP sends its certificate to the asserting party before any transaction occurs, and the asserting party stores the certificate in its database. Both partners must have the certificate that enabled the SSL connection in their respective databases, or Client Cert authentication does not work.
    During the authentication process, the relying party presents its certificate to the asserting party. The asserting party compares the received certificate with the one in its database. Only if they match does the asserting party let the relying party access the Artifact Resolution Service.
    If you select Client Cert authentication, configure the following additional settings:
    • Client Certificate Alias
      Specifies the alias that is associated with a client certificate in the key database. Select the alias from the drop-down list.
    • Back Channel Timeout (seconds)
      (Outgoing channel only). Specifies the maximum amount of time
      CA Single Sign-On
      waits for a response after sending a back channel request to the Artifact Resolution Service. Specify an interval in seconds.
      Default:
      300 seconds
      Value:
      positive integer
  • NoAuth
    Indicates that the relying party is not required to supply credentials. The back channel and the Artifact Resolution Service are not authenticated. You can still enable SSL with this option: the back channel traffic is then encrypted, but no credentials are exchanged between the parties.
    Select NoAuth for testing purposes, not for production, except when your federation system is configured for SSL-enabled failover and sits behind a proxy server that holds the server certificate and performs the authentication. In that case, all IdP->SP partnerships use NoAuth as the authentication type.
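The following is an added example, not CA Single Sign-On code, of how an IdP-side back channel endpoint (Artifact Resolution Service, SLO over SOAP) can apply the three authentication methods described above. The partnership table, request model and function names are assumptions. The points worth taking from it: the Issuer in the SOAP body only selects which credentials to expect and is not itself trusted, credential comparisons are constant-time, Client Cert is bound to SSL, and NoAuth is refused unless the deployment explicitly allows it.

```python
# Added example, not CA Single Sign-On code: an IdP-side back channel
# authentication check for the Basic, Client Cert and NoAuth methods.
# Partnership table, request model and function names are assumptions.
import base64
import binascii
import hashlib
import hmac

# Constructed sample: partnerships keyed by the remote SP's entityID. For Basic,
# the user name is the partnership name and the password was agreed out of band.
# For Client Cert, the SP certificate held in the key database is represented
# here by the SHA-256 fingerprint of its DER encoding.
PARTNERSHIPS = {
    "https://sp1.example.com/saml": {"name": "Partners1", "method": "Basic",
                                     "password": "correct horse battery staple"},
    "https://sp2.example.com/saml": {"name": "Partners2", "method": "ClientCert",
                                     "cert_sha256": hashlib.sha256(b"DER bytes of SP2 cert").hexdigest()},
    "https://sp3.example.com/saml": {"name": "Partners3", "method": "NoAuth"},
}


def make_basic_header(user, password):
    """Authorization header value the outgoing side of the channel would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(header):
    """Return (user, password) from an HTTP Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def _ct_equal(a, b):
    """Constant-time string comparison so a wrong password fails in the same time."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def authenticate_back_channel(issuer, url, headers, client_cert_der=None,
                              allow_noauth=False, require_tls_for_basic=True):
    """True if the incoming back channel request may reach the service.
    issuer: entityID from the SOAP body's <saml:Issuer> (untrusted, used only to
    pick the partnership); url: endpoint URL that was hit; headers: request
    headers; client_cert_der: peer certificate handed up by the TLS layer."""
    cfg = PARTNERSHIPS.get(issuer)
    if cfg is None:
        return False
    is_tls = url.lower().startswith("https://")
    method = cfg["method"]
    if method == "Basic":
        # The product allows Basic without SSL; this example refuses that by
        # default because the password would cross the network in the clear.
        if require_tls_for_basic and not is_tls:
            return False
        creds = parse_basic_header(headers.get("Authorization"))
        if creds is None:
            return False
        user_ok = _ct_equal(creds[0], cfg["name"])
        pw_ok = _ct_equal(creds[1], cfg["password"])
        return user_ok and pw_ok
    if method == "ClientCert":
        # Client cert authentication requires SSL on the endpoint, and the
        # presented certificate must match the one stored for this partnership.
        if not is_tls or client_cert_der is None:
            return False
        fingerprint = hashlib.sha256(client_cert_der).hexdigest()
        return hmac.compare_digest(fingerprint, cfg["cert_sha256"])
    if method == "NoAuth":
        # Only for test deployments, or when a fronting proxy authenticates the peer.
        return allow_noauth
    return False
```

A request that carries credentials of the wrong kind for its partnership (for example, a Basic header on a Client Cert partnership) is rejected rather than accepted on the weaker method.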
Attribute Service at the IdP
You can configure an Identity Provider to act as an Attribute Authority. The Authority can respond to an attribute query from a SAML requester. The requester can then authorize a user based on the retrieved attributes.
The Attribute Service section contains the following fields for attribute query support:
  • Enable
    Lets the Identity Provider act as an Attribute Authority. As an Attribute Authority, the system can respond to a query message from a SAML requester. If you select this option, the User Lookup for Attribute and Name ID Services section appears. Specify a user directory search specification in the Custom field. The value you enter tells the Policy Server how to locate the user record in the user directory. Enter a search string appropriate for the directory type, such as:
    LDAP:
     uid=%s
    ODBC:
     name=%s
  • Require Signed Attribute Query
    Indicates that the Attribute Authority requires a digitally signed attribute query from the SAML Requester.
  • Enable Proxied Query
    Indicates that a third-party IdP responds to the attribute query. The proxied query feature is for a deployment where a third party is acting as the IdP and the Attribute Authority. The local Policy Server system that you are configuring has two roles when implementing a proxied query. The system acts as the SP and Attribute Requester relative to the third-party IdP. The local system also acts as an IdP and Attribute Authority relative to the SP that owns the requested application.
    A proxied query occurs when the following conditions are met:
    • The attribute is not found in the user directory or session store of the local system.
    • The user is initially authenticated by the third-party IdP.
    The Policy Server queries the third-party IdP. If the IdP finds the attribute, it returns a query response. The Policy Server adds the attributes from the response to the session store. The system then returns the response with the attributes to the SP who owns the application. This SP is the original attribute requester.
    The URL of the attribute service at the third-party IdP is configured in the partnership where the local system acts as the SP.
  • Validity Duration Seconds
    Specifies the number of seconds for which the attribute assertion is valid.
  • Signing Options
    Designates the signing requirements for attribute assertions and responses.
    • Sign Assertion
      Instructs the Attribute Authority to sign only the attribute assertion. The SAML response is not signed.
    • Sign Response
      Instructs the Attribute Authority to sign only the SAML response.
    • Sign Both
      Instructs the Attribute Authority to sign the attribute assertion and the SAML response.
    • Sign Neither
      Instructs the Attribute Authority not to sign the attribute assertion nor the SAML response.
  • User Lookup
    Defines search specifications for user directory name spaces. The Attribute Authority uses the search specification to locate the user locally. The search specification must include the NameID of the subject from the attribute query to locate the user.
    Enter a search specification in the field for the namespace type you are using.
    At least one search specification is required.
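The User Lookup search specification (uid=%s for LDAP, name=%s for ODBC) is used both by the Manage Name ID service and by the Attribute Service above, and in both cases the %s is filled from a value taken off the wire: the NameID of the subject in the incoming message. The following is an added example, not CA Single Sign-On code, and the page does not say how the product itself performs the substitution; it shows a safe substitution next to the unsafe one, using RFC 4515 escaping for LDAP and a bound parameter for SQL. The helper names, the users table and the sample records are assumptions.

```python
# Added example, not CA Single Sign-On code: filling the User Lookup search
# specification with a subject NameID taken from an incoming message. RFC 4515
# escaping for LDAP filters, a bound parameter for SQL; helper names, the
# table layout and the sample records are assumptions.
import sqlite3

_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_ldap_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def naive_ldap_filter(spec, subject):
    """Plain substitution: a NameID such as 'jdoe)(uid=*' rewrites the filter."""
    return "(" + spec.replace("%s", subject) + ")"


def ldap_filter(spec, subject):
    """Same spec, subject escaped, so the NameID can only ever match literally."""
    if spec.count("%s") != 1:
        raise ValueError("search spec must contain exactly one %s")
    return "(" + spec.replace("%s", escape_ldap_value(subject)) + ")"


def odbc_query(spec, subject, table="users"):
    """For ODBC keep the column name from the spec and bind the subject as a
    parameter instead of splicing it into the SQL text."""
    column, _, placeholder = spec.partition("=")
    if placeholder != "%s" or not column.isidentifier():
        raise ValueError("ODBC spec must look like <column>=%s")
    return f"SELECT name, mail FROM {table} WHERE {column} = ?", (subject,)


def lookup_user_odbc(spec, subject):
    """Run the query against a constructed in-memory table and return the single
    matching record, or None. More than one match is an error: the lookup must
    identify exactly one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, mail TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jdoe", "jdoe@example.com"), ("asmith", "asmith@example.com")])
    sql, params = odbc_query(spec, subject)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    if len(rows) > 1:
        raise LookupError("search spec matched more than one user")
    return rows[0] if rows else None
```

With the naive form, a subject of jdoe)(uid=* turns uid=%s into two filter terms and the lookup stops identifying one user; with the escaped form the same subject is a literal string that matches nobody, which is the correct outcome for a NameID that does not exist.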
IDP Discovery (SAML 2.0 IdP)
The IDP Discovery section lets you configure the Identity Provider Discovery profile. This profile enables the relying party to determine which asserting party a principal is using.
This section displays the following settings:
  • Enable IDP Discovery
    Enables or disables the Identity Provider Discovery profile.
  • Service URL
    Specifies the URL of the Identity Provider Discovery Profile servlet at the local entity.
  • Common Domain
    Specifies the domain of the common domain cookie where the Identity Provider Discovery Service stores information about the asserting party. This domain must be a parent domain of the host in the Service URL.
    Value:
    a valid cookie domain
  • Enable Persistent Cookie
    Indicates that the cookie must be persistent.
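The following is an added example, not CA Single Sign-On code, of the common domain cookie behind the settings above. The cookie name (_saml_idp) and value layout (space-separated base64 entityIDs, most recently used last) come from the SAML 2.0 Profiles specification, section 4.3, and the parent-domain rule is the one stated for the Common Domain field. The helper names, the Secure attribute, the percent-encoding of spaces for transport and the one-year lifetime for the persistent variant are this example's own choices.

```python
# Added example, not CA Single Sign-On code: the IdP Discovery common domain
# cookie. Cookie name and value layout per SAML 2.0 Profiles section 4.3; the
# parent-domain check is the Common Domain rule from the page. Helper names,
# Secure attribute, space encoding and the persistent lifetime are assumptions.
import base64
import binascii
from urllib.parse import urlsplit

COOKIE_NAME = "_saml_idp"


def is_parent_domain(common_domain, service_url):
    """Common Domain must be a parent domain of (or equal to) the Service URL host."""
    host = (urlsplit(service_url).hostname or "").lower()
    domain = common_domain.lstrip(".").lower()
    return bool(host) and bool(domain) and (host == domain or host.endswith("." + domain))


def read_idp_list(cookie_value):
    """Decode the cookie into entityIDs, oldest first; [-1] is the last IdP used.
    Malformed tokens are dropped rather than trusted."""
    ids = []
    for token in (cookie_value or "").split(" "):
        if not token:
            continue
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return ids


def append_idp(cookie_value, entity_id, max_entries=10):
    """New cookie value after the asserting party entity_id was used: it moves to
    the end, an earlier copy is removed, and the list is capped."""
    ids = [i for i in read_idp_list(cookie_value) if i != entity_id] + [entity_id]
    ids = ids[-max_entries:]
    return " ".join(base64.b64encode(i.encode("utf-8")).decode("ascii") for i in ids)


def set_cookie_header(cookie_value, common_domain, persistent):
    """Set-Cookie header value. Spaces are percent-encoded for transport (this
    example's choice); Secure keeps the cookie off plain HTTP; Enable Persistent
    Cookie adds a lifetime, otherwise it is a session cookie."""
    parts = [f"{COOKIE_NAME}={cookie_value.replace(' ', '%20')}",
             f"Domain={common_domain}", "Path=/", "Secure"]
    if persistent:
        parts.append("Max-Age=31536000")
    return "; ".join(parts)
```

The relying party reads the list and takes the last entry as the IdP to send the user to; the check in is_parent_domain is what keeps a Service URL on one host from writing a cookie scoped to an unrelated domain.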
Status Redirect URL (SAML 2.0 IdP)
The Status Redirect URL section lets you determine how a browser redirects a user when HTTP 500, 400, 405, and 403 errors occur.
Select the redirect options that you want enabled then enter an associated URL.
The options are:
  • Enable Server Error Redirect
    Server Error Redirect URL:
    Specifies the URL where the browser redirects the user when an HTTP 500 Server error occurs. A user can encounter a 500 error because an unexpected condition prevents the web server from fulfilling the client request. If this type of error occurs, the user is sent to the specified URL for further processing.
    Example:
    http://www.redirectmachine.com/error_pages/server_error.html
  • Enable Invalid Request Redirect
    Invalid Request Redirect URL
    : Specifies the URL where the browser redirects the user when an HTTP 400 Bad Request or a 405 Method Not Allowed error occurs. A user can encounter a 400 error because a request is malformed. A user can also get a 405 error because the web server does not allow a particular method or action to be performed. If these types of errors occur, the user is sent to the specified URL for further processing.
    Example: http://www.redirectmachine.com/error_pages/invalidreq_error.html
  • Enable Unauthorized Access Redirect
    Unauthorized Access Redirect URL:
    Specifies the URL where the user is redirected when an HTTP 403 Forbidden error occurs. This error occurs because the user is not authorized for a federated transaction. A 403 error can also occur because the URL in a request points to the wrong target, such as a directory instead of a file.
    Example
    : http://www.redirectmachine.com/error_pages/unauthorized_error.htm
  • 302 No Data (default)
    Redirects the user by an HTTP 302 redirect with a session cookie, but no other data.
  • HTTP Post
    Redirects the user using HTTP-POST protocol.