SSO and SLO Dialog (SAML 2.0 IdP)
The SSO and SLO step lets you configure single sign-on and single logout operation.
Authentication (SAML 2.0 IdP)
The Authentication section lets you specify how users authenticate during single sign-on transactions. Designate the method for authenticating a user who does not have a user session.
This section displays the following settings:
- Authentication Mode: Indicates whether a user session is established by authenticating a user locally or by delegating authentication to a remote third-party access management system. Default: Local. Options: Select one of the following options and configure any additional fields for that option:
- Local: The federation system handles user authentication. If you select Local for the Authentication Mode field, enter a URL in the Authentication URL field. The URL typically points to a redirect.jsp file; however, if you select the Use Secure URL check box, the URL must point to the secureredirect web service.
  - Authentication URL: Specifies a protected URL that federation uses to authenticate users and create a session when a protected resource is requested. If the authentication mode is set to Local and a user has not logged in at the asserting party, users are sent to this URL. This URL must point to the redirect.jsp file, unless you select the Use Secure URL check box. Examples: http://myserver.idpA.com/affwebservices/redirectjsp/redirect.jsp or http://myserver.idpA.com/siteminderagent/redirectjsp/redirect.jsp, where myserver identifies the web server with the Web Agent Option Pack or the CA Access Gateway installed at the asserting party. The redirectjsp application is included with these products. Protect the Authentication URL with an access control policy. For the policy, configure an authentication scheme, realm, and rule. To add session store attributes to the assertion, enable the Persist Authentication Session Variables check box, which is a setting in the authentication scheme. Use one of the following paths to the redirectjsp folder as the resource filter. The CA Web Agent Option Pack and the CA Access Gateway use this resource filter.
    - Direct path: /affwebservices/redirectjsp/
    - Virtual path: Path to the server where the redirectjsp folder exists. A common virtual path is /siteminderagent/redirectjsp, which is set up when you configure the Web Agent with the Web Agent Option Pack or the Access Gateway. The virtual path points to the following virtual directory:
      - Web Agent: web_agent_home/affwebservices/redirectjsp
      - CA Access Gateway: access_gateway_home/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp
  - Use Secure URL: This setting instructs the single sign-on service to encrypt only the SMPORTALURL query parameter. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter. If you select the Use Secure URL check box, complete the following steps:
    1. Set the Authentication URL field to the following URL: http(s)://idp_server:port/affwebservices/secure/secureredirect
    2. Protect the secureredirect web service with a policy.
    If the asserting party serves more than one relying partner, the asserting party probably authenticates different users for these different partners. As a result, for each Authentication URL that uses the secureredirect service, include this web service in a different realm for each partner. To associate the secureredirect service with different realms, modify the web.xml file and create different resource mappings. Do not copy the secureredirect web service to different locations on your server. The web.xml file is in the directory web_agent_home/affwebservices/WEB-INF, where web_agent_home is the installed location of the web agent.
- Delegated: A third-party web access management (WAM) system handles user authentication. Complete the additional fields. Learn more about delegated authentication.
- Credential Selector: Users are presented with a credential selector page that lists multiple Identity Providers. The Identity Providers can be social media, WS-Federation, SAML, or OAuth partners. Users select the appropriate Identity Provider, and that provider authenticates the user. The list of acceptable Identity Providers is defined in an Authentication Method Group. The user must already be registered with these external partners. If you select Credential Selector, complete the following fields:
  - Authentication Base URL: Defines the hostname of the CA Access Gateway server on which the credential handling service is installed. Enter the value in the following format: https://sps_hostname or http://sps_hostname
  - Authentication Method Groups: Specifies the authentication method group of Identity Providers that is displayed to users for authentication when the partnership is invoked.
- Delegated Authentication Type (Delegated Mode only): Specifies whether the third-party authentication is accomplished by passing an open-format cookie or a query string with the user login ID and other information. This field is displayed only if Delegated is chosen as the Authentication Mode. Options: Query String, Open-format Cookie
  - Query String: To use a query string, the third party builds a redirect string and adds a query parameter named LoginIDHash to this string. The LoginIDHash parameter is a combination of the login ID of the user and a shared secret. These two values are combined and then processed through a hashing algorithm. Do not use the query string method in a production environment. The query string redirection method is only for a testing environment as a proof of concept. The query string option does not produce a FIPS-compliant partnership.
  - Open-format Cookie: To use the open-format cookie, the third-party system can use a CA SiteMinder® Federation Java or .NET SDK to create the cookie. Alternatively, use a programming language to create the cookie manually. The third party redirects the browser to your federation system, which retrieves the user ID from the cookie.
- Delegated Authentication URL (Delegated Mode only): Specifies the URL of the third-party web access management system that handles user authentication. If a user initiates a request at the local system, the user is redirected to the web access management system for authentication. After successful authentication, the user is redirected back to the local system. This URL is not relevant if a user initiates a request at the web access management system first. Value: A valid URL beginning with http:// or https://
- Track Delegated Authentication Status: Tracks whether delegated authentication is successful. If delegated authentication fails, this setting determines the behavior of the federation system. By default, this check box is selected. If a user does not provide credentials when accessing a protected resource configured for delegated authentication, delegated authentication fails. If that user tries accessing the resource again in the same browser session, the browser displays a 404 error. Also, the federation system writes an error message to the affwebservices.log and FWSTrace.log files. The error message indicates that the credentials for delegated authentication are missing. The federation system does not redirect the user back to the delegated authentication URL to provide credentials. To have the federation system redirect the user back to the delegated authentication URL in the same browser session, clear this check box. With tracking disabled, a user can try accessing the resource again in the same browser session without receiving a 404 error. Instead, the federation system redirects the browser to the delegated authentication URL, and the user is prompted again for credentials.
- Query String Parameters for Delegated Authentication: If you select Query String for the Delegated Authentication Type field, complete these additional settings:
  - Hash Secret: Determines the shared secret that is appended to the user login ID to create the LoginIDHash query parameter. This setting is only relevant when you select the query string option as the delegated authentication type.
  - Confirm Hash Secret: Verifies the hash secret. Enter the value of the hash secret again.
- Open-format Cookie Parameters for Delegated Authentication: If you select the open-format cookie, the user is redirected to the third-party application by an HTTP 302 redirect. The third-party WAM system authenticates the user and shares the user credentials with CA SSO at the asserting party in an open-format cookie. If you select the open-format cookie option for delegated authentication, the following additional fields are displayed:
  - Open-format Cookie Name: Specifies the name of the cookie.
  - Encryption Transformation: Indicates the encryption transformation that must be used to decrypt the open-format cookie. Use the same value that the third-party WAM system used to encrypt the open-format cookie.
  - Encryption Password: Indicates the password that is used to decrypt the cookie. Use the same value that the third-party WAM system used to encrypt the open-format cookie.
  - Confirm Password: Confirms the encryption password entry.
  - Enable HMAC: Indicates that the software generates a Hash Message Authentication Code (HMAC) using the encryption password provided in this dialog. Message authentication codes (MACs) verify the integrity of information that is sent between two parties. The two parties share a secret key for calculation and verification of the message authentication values. An HMAC is a MAC mechanism that is based on cryptographic hash functions. If you select the Enable HMAC check box, the system generates an HMAC value for its open-format cookie. The software prepends the HMAC value to the open-format cookie value and then encrypts the entire string. The system places the encrypted string in the open-format cookie, which is then passed to the target application.
  - Cookie Skew Time (Seconds): Specifies the number of seconds subtracted from the current system time to account for the difference between the system clocks of your federation system and the third-party application handling delegated authentication. The software applies the skew time to the generation and consumption of the open-format cookie. Value: Enter a value in seconds.
  - Override Authentication Class with Open Format Cookie Value: Select this check box to override the configured authentication class URI with the URI sent by a remote third-party access management system; the overriding URI is included in the assertion to the SP.
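The following Python is an added example, not CA SSO code or the SDK's cookie format. It shows the construction described for Enable HMAC (HMAC over the cookie value, HMAC prepended, whole string encrypted) from the consuming side, together with the timestamp tolerance that Cookie Skew Time provides for. The cookie layout, the derivation of separate MAC and cipher keys from the one Encryption Password, the stand-in stream cipher that plays the part of the Encryption Transformation, and the way skew is applied are all assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

MAC_LEN = 32            # HMAC-SHA256 digest length in bytes
SALT_LEN = 16
NONCE_LEN = 16
PBKDF2_ROUNDS = 50_000  # modest so the example runs quickly; raise it in real use


def _derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive separate MAC and cipher keys from the single Encryption Password.
    Assumption of this example: the product's real key derivation is not documented here."""
    pw = password.encode("utf-8")
    k_mac = hashlib.pbkdf2_hmac("sha256", pw, salt + b"mac", PBKDF2_ROUNDS)
    k_enc = hashlib.pbkdf2_hmac("sha256", pw, salt + b"enc", PBKDF2_ROUNDS)
    return k_mac, k_enc


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) so the example needs only the
    standard library. It plays the part of the configured Encryption Transformation;
    the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_cookie(login_id: str, issued_at: int, password: str,
                salt: bytes, nonce: bytes) -> str:
    """Producer side (the third-party WAM): HMAC over the cookie value, HMAC prepended
    to the value, then the whole string encrypted. The value layout is assumed."""
    payload = f"{login_id}|{issued_at}".encode("utf-8")
    k_mac, k_enc = _derive_keys(password, salt)
    mac = hmac.new(k_mac, payload, hashlib.sha256).digest()
    sealed = _keystream_xor(k_enc, nonce, mac + payload)
    return base64.urlsafe_b64encode(salt + nonce + sealed).decode("ascii")


def open_cookie(cookie: str, password: str, now: int, skew: int,
                max_age: int = 300) -> Tuple[Optional[str], str]:
    """Consumer side (the federation system). Returns (login_id, "ok") or (None, reason)."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except ValueError:
        return None, "malformed"
    if len(raw) < SALT_LEN + NONCE_LEN + MAC_LEN:
        return None, "malformed"
    salt = raw[:SALT_LEN]
    nonce = raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    sealed = raw[SALT_LEN + NONCE_LEN:]
    k_mac, k_enc = _derive_keys(password, salt)
    plain = _keystream_xor(k_enc, nonce, sealed)
    mac, payload = plain[:MAC_LEN], plain[MAC_LEN:]
    expected = hmac.new(k_mac, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        # Covers tampering, a wrong password and a mismatched transformation alike.
        return None, "hmac mismatch"
    login_id, _, ts = payload.decode("utf-8", errors="replace").partition("|")
    if not ts.isdigit():
        return None, "malformed"
    issued_at = int(ts)
    # Skew handling (assumed for this example): tolerate the producer's clock being up to
    # `skew` seconds off in either direction, then enforce a bounded cookie lifetime.
    if issued_at > now + skew:
        return None, "issued in the future"
    if issued_at + max_age < now - skew:
        return None, "expired"
    return login_id, "ok"


def tamper_last_byte(cookie: str) -> str:
    """Flip one bit of the ciphertext to show that the HMAC catches modification."""
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values; a real producer draws salt and nonce from os.urandom.
    c = seal_cookie("alice", 1000, "dialog-password", b"\x01" * SALT_LEN, b"\x02" * NONCE_LEN)
    print(open_cookie(c, "dialog-password", now=1100, skew=30))
    print(open_cookie(tamper_last_byte(c), "dialog-password", now=1100, skew=30))
```

Because the HMAC sits inside the encrypted string, the consumer must decrypt before it can verify; any mismatch (a tampered byte, a different password, or a different transformation on the two sides) surfaces as the same "hmac mismatch" result, which is the symptom to look for when the two systems' cookie settings drift apart.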
- Authentication Class: Specifies the URI provided in the AuthnContextClassRef element of the assertion, which describes how a federated user is authenticated. If the user authenticates locally, accept the default URI for Password. If the user is authenticated by a remote third-party access management system, edit this field to reflect the authentication method. Default: urn:oasis:names:tc:SAML:2.0:ac:classes:Password. Local authentication mode value: urn:oasis:names:tc:SAML:2.0:ac:classes:Password. Delegated authentication mode value: Any valid URI for the AuthnContextClassRef element, as defined in the SAML specification.
- Configure AuthnContext: Defines the method the Identity Provider uses to determine the authentication context that it places in the assertion. Options include:
  - Use Predefined Authentication Class: Instructs the Identity Provider to use a hard-coded authentication class URI in the assertion. This URI is the value specified in the Authentication Class field. If you select this option, configure the following field: Authentication Class: Specifies the URI provided in the AuthnContextClassRef element of the assertion, which describes how a federated user is authenticated. Accept the default URI for Password. Default: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  - Automatically Detect Authentication Class: Instructs the Identity Provider to map the AuthnContext class to the protection level for the session, based on a configured authentication context template. If you select this option, configure the Authentication Context Template field. This setting identifies the template that the Identity Provider uses to map the authentication context to the associated protection level for a given user session. Select Create Template to create a template instead of choosing an existing one.
  - Ignore RequestedAuthnContext: Instructs the Identity Provider to disregard the <RequestedAuthnContext> element in the authentication request it receives from the Service Provider. The Identity Provider determines the authentication context using a predefined authentication class or an authentication context template.
- Idle Timeout (Hours:Minutes): Determines the amount of time that an authorized user session can remain inactive before the federation system terminates the session. If you are concerned about users leaving their workstations after accessing a protected resource, set the idle timeout to a short period. If the session times out, users must reauthenticate before accessing the resources again. This setting is enabled by default. To specify no session idle timeout, clear the check box. Default: 1 hour
  - Hours: Specifies the number of hours for the idle timeout period.
  - Minutes: Specifies the number of minutes for the idle timeout period.
- Maximum Timeout (Hours:Minutes): Determines the maximum amount of time a user session can be active before the federation system challenges the user to reauthenticate. This setting is enabled by default. To specify no maximum session length, clear the check box. Default: 2 hours
  - Hours: Specifies the number of hours for the maximum session length.
  - Minutes: Specifies the number of minutes for the maximum session length.
- Update session for ForceAuthn: Select this check box to update the assertion with the current session start time and the maximum and idle timeouts. This check box applies when credentials are requested by the SP and the authentication request includes a forced authentication query parameter. This setting is unchecked by default; the original session start time and timeouts are then used when generating the assertion.
- Enable Enhanced Session Assurance: Select this check box to protect the resources that are specified in the realm (of the policy domain model) or the component (of the application model). You can also protect the authentication requests of certain federation partnerships. The session assurance endpoint collects the DeviceDNA™ from the user and validates the session. This feature requires session assurance endpoints.
SSO (SAML 2.0 IdP)
The SSO section lets you configure single sign-on (SSO). This section displays the following settings:
- Authentication Request Binding: Specifies the types of bindings the IdP allows when it receives an authentication request from the SP. Options: HTTP-Redirect, HTTP-POST
- SSO Binding: Determines which single sign-on profile is used for processing requests. You can select all bindings; the local entity determines the sequence in which the bindings are tried. Options: HTTP-Artifact, HTTP-POST, Enhanced Client and Proxy. Guidelines for this setting:
- If you select Artifact binding, select an artifact encoding (URL or FORM). The encoding defines how the artifact comes back to the relying party. If you select the URL option, the artifact is sent back as a query parameter in a URL. If you select FORM, the artifact is posted as form data. For artifact binding, the assertion is sent over a secure back channel. Therefore, configure the settings in the Back Channel section.
- When you select an SSO binding, configure at least one Assertion Consumer Service with a matching binding.
- Choose the ECP profile if the entities in the partnership are communicating indirectly through an enhanced client. An enhanced client can be a browser or other user agent, or an enhanced proxy, such as a wireless proxy for a wireless device.
- Artifact Protection Type: Defines how the back channel is protected for HTTP-Artifact single sign-on. The legacy option indicates that CA Single Sign-On protects the back channel. The partnership option indicates that the federation component within CA Single Sign-On protects the back channel. If you recreate your eTrust SiteMinder FSS configuration in the partnership federation model, you can use your original method of protecting the back channel. The legacy option lets the configuration use the existing URL for the Assertion Retrieval Service (SAML 1.x) or Artifact Resolution Service (SAML 2.0). By selecting the legacy option, CA Single Sign-On accepts the request and you do not have to modify the URL. If the artifact service URL is from the legacy configuration but only the partnership option is selected for this setting, CA Single Sign-On rejects the request. With the legacy option, be sure to enforce the policy that protects the artifact service. This policy is a component of the Federation Web Services. CA Single Sign-On creates policies for Federation Web Services automatically, but you are required to enforce the protection of these policies. You are required to indicate which partnership is permitted access to the service that retrieves artifacts. Options: Legacy, Partnership
- Artifact Encoding: Specifies how the artifact is encoded when sent to the relying party for HTTP-Artifact single sign-on. Options: URL, Form. If you select URL, the artifact is added to a URL-encoded query string. If you select Form, the artifact is added to a hidden form control in a form.
- Audience: Specifies the URL of the audience. The audience URL identifies the location of a document that describes the terms and conditions of the business agreement between the asserting and relying parties. The administrator at the asserting party determines the audience. This value must match the Audience value specified at the relying party. Value: a URL. The audience value cannot exceed 1024 characters and is case-sensitive. Example: http://www.ca.com/fedserver
- Accept ACS URL in the AuthnRequest: Lets the system accept and process the Assertion Consumer Service URL in the incoming authentication request from the relying party. Select this check box to validate that the URL is present, valid, and listed in the metadata.
- Transactions Allowed: Indicates which partner can initiate single sign-on. Controlling which partner initiates single sign-on lets you manage federation calls. With the SP initiated only value, an SP can require a specific authentication context in the returned assertion before permitting access to a resource.
- SSO Validity Duration (Seconds): Specifies the number of seconds for which a generated assertion is valid. For single sign-on, the SSO Validity Duration and Skew Time instruct the Policy Server how to calculate the total time that the single sign-on request is valid. In a test environment, you can increase the Validity Duration above 60, the default, if the following message is in the trace log: Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237) - current time (Fri Sep 09 17:28:33 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2005). Value: Enter a positive integer. Default: 60
- Recommended SP Session Duration: Specifies how long the session at the SP is active. In the <AuthnStatement> of the assertion, the Policy Server calculates the SessionNotOnOrAfter attribute using the formula current_time + validity_duration + skew_time. When an SP attempts to set its session timeout to this value, the session is too brief. You can solve this problem by using the value of the SSO validity duration or by manipulating the SessionNotOnOrAfter value. Options:
  - Use Assertion Validity: Calculates the SessionNotOnOrAfter value based on the SSO Validity Duration setting.
  - Customize Assertion Session Duration: Select one of the following options:
    - Omit: Instructs the IdP not to include the SessionNotOnOrAfter parameter in the assertion.
    - IDP Session: Calculates the SessionNotOnOrAfter value based on the IdP session timeout, which is configured in the IdP realm for the authentication URL. Using this option can synchronize the IdP and SP session timeout values.
    - Custom: Sets the timeout to a customized value in hours and minutes.
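The following Python is an added example, not Policy Server code. It carries the SessionNotOnOrAfter formula given above (current_time + validity_duration + skew_time) through the timestamps quoted in the trace-log message, shows why the SP rejects the assertion at the default 60-second validity and accepts it once the validity or skew is raised, and enumerates what each Recommended SP Session Duration option places in the attribute. The helper names, the EDT clock, and the treatment of the Custom value as a number of seconds are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

DEFAULT_VALIDITY = 60   # SSO Validity Duration default, in seconds

# Constructed clock for the sample: the EDT timestamps quoted in the trace-log message.
_EDT = timezone(timedelta(hours=-4), "EDT")


def sample_time(hour: int, minute: int, second: int) -> datetime:
    """A timestamp on Fri Sep 09 2005 (EDT), the day of the quoted log line."""
    return datetime(2005, 9, 9, hour, minute, second, tzinfo=_EDT)


def fmt_time(t: datetime) -> str:
    """Render a timestamp the way the quoted trace-log message does."""
    return t.strftime("%a %b %d %H:%M:%S %Z %Y")


def session_not_on_or_after(current_time: datetime, validity_duration: int,
                            skew_time: int) -> datetime:
    """The formula stated for the <AuthnStatement>: current_time + validity_duration + skew_time."""
    return current_time + timedelta(seconds=validity_duration + skew_time)


def sp_session_not_on_or_after(option: str, current_time: datetime,
                               validity_duration: int = DEFAULT_VALIDITY, skew_time: int = 0,
                               idp_session_timeout: Optional[int] = None,
                               custom_seconds: Optional[int] = None) -> Optional[datetime]:
    """What SessionNotOnOrAfter carries for each Recommended SP Session Duration choice.
    None means the attribute is omitted from the assertion."""
    if option == "Use Assertion Validity":
        return session_not_on_or_after(current_time, validity_duration, skew_time)
    if option == "Omit":
        return None
    if option == "IDP Session":
        if idp_session_timeout is None:
            raise ValueError("IDP Session needs the IdP realm session timeout (seconds)")
        return current_time + timedelta(seconds=idp_session_timeout)
    if option == "Custom":
        if custom_seconds is None:
            raise ValueError("Custom needs the configured hours:minutes, given here in seconds")
        return current_time + timedelta(seconds=custom_seconds)
    raise ValueError(f"unknown option: {option!r}")


def check_assertion(assertion_id: str, sp_now: datetime,
                    not_on_or_after: Optional[datetime]) -> Tuple[bool, str]:
    """SP-side validity check. SAML NotOnOrAfter is exclusive, so the instant itself
    is already too late (hence >=). The message mirrors the trace-log line above."""
    if not_on_or_after is not None and sp_now >= not_on_or_after:
        return False, (f"Assertion rejected ({assertion_id}) - current time ({fmt_time(sp_now)}) "
                       f"is after SessionNotOnOrAfter time ({fmt_time(not_on_or_after)})")
    return True, "accepted"


if __name__ == "__main__":
    issued = sample_time(17, 27, 20)      # IdP generates the assertion
    sp_clock = sample_time(17, 28, 33)    # SP clock when the assertion arrives
    for validity in (DEFAULT_VALIDITY, 120):
        limit = session_not_on_or_after(issued, validity, skew_time=0)
        print(validity, check_assertion("_b6717b8c00a5c32838208078738c05ce6237", sp_clock, limit))
```

With the assertion generated at 17:27:20 and a 60-second validity, SessionNotOnOrAfter is 17:28:20, so an SP whose clock reads 17:28:33 produces exactly the rejection quoted above; raising the validity to 120 seconds (or adding 30 seconds of skew) moves the limit past the SP's clock and the assertion is accepted. Outside a test environment, a 13-second gap like this one is usually a clock synchronization problem to fix rather than a reason to widen the validity window.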
- Enable Negative Authentication Response: Specifies that the Service Provider receives notification when a user authentication request fails.
- Enable User Consent: To enhance user privacy, you can require that a user consent to the asserting party sharing identity information with the SP. If you select the Enable User Consent check box, the asserting party prompts the user for consent and passes the consent value in the assertion. If this check box is enabled, the following two fields are displayed:
  - User Consent Service URL: Specifies the URL for the User Consent service at the asserting party. The default is http://idp_site:8999/affwebservices/public/saml2userconsent
  - User Consent Post Form: Names the custom auto-POST HTML form for user consent. Enter only the name of the form, not the path to the form. You can customize the HTML form that the asserting party presents to the user to obtain consent, to suit your business needs. The physical page must reside in the directory %NETE_WA_ROOT%\customization, where %NETE_WA_ROOT% is the location of the Web Agent Option Pack. If the Web Agent and Web Agent Option Pack are installed on the same system, they are installed in the same directory, for example, webagent\customization.
- Minimum Authentication Level: Specifies the minimum level at which the user must have authenticated to gain access to a realm. If the user has authenticated at this level or higher, the Identity Provider generates an assertion for the user. If not, the user is redirected to the Authentication URL to authenticate at this level.
- Custom Post Form: Names the custom auto-POST HTML form for HTTP-POST single sign-on. Enter only the name of the form, not the path to the form. The Policy Server provides a form named defaultpostform.html. A customized auto-POST form enables the Policy Server to send SAML information to the consumer. The physical page must reside in the directory %NETE_WA_ROOT%\customization, where %NETE_WA_ROOT% is the location of the Web Agent Option Pack. If the Web Agent and Web Agent Option Pack are installed on the same system, they are installed in the same directory, for example, webagent\customization.
- Validation Period: To see this check box, enable the Session Server using the Policy Server Management Console. Determines the maximum period between agent calls to the Policy Server to validate a session. The session validation calls inform the Policy Server that a user is still active and confirm that the user session is still valid. To specify the validation period, enter values in the Hours, Minutes, and Seconds fields. If you are configuring the system to provide a Windows user security context, set this value high, for example, 15-30 minutes. The session validation period must be less than the specified Idle Timeout value.
- Set OneTimeUse Condition: Instructs the SP to use the assertion immediately and not retain it for future use. The assertion is intended only for one-time use. The OneTimeUse condition is useful because the information in an assertion can change or expire, and the SP should use an assertion with up-to-date information. Instead of reusing the assertion, the SP must request a new assertion from the IdP.
- Assertion Consumer URLs: This section lets you assign index values to Assertion Consumer Service URLs. Assigning index numbers enables different Assertion Consumer Service entries to be used for different protocol bindings. The relying party simply includes the index number of the appropriate URL in the AuthnRequest it sends to the asserting party. The table in this section contains the following fields:
  - Index: Specifies the index number for the URL of an Assertion Consumer Service at the relying party. Default: 0. Value: Unique integer from 0 through 65535
  - Binding: Specifies the single sign-on binding you are using for the Assertion Consumer Service. An unsolicited request can initiate single sign-on at the asserting party. If the link that triggers the request includes the ProtocolBinding query parameter, the binding specified in this query parameter overrides the value for this field. Default: HTTP-POST. Options: HTTP-Artifact, HTTP-POST, PAOS
  - URL: Specifies the URL of the Assertion Consumer Service at the relying party. Default (CA Single Sign-On as SP): http://sp_server:port/affwebservices/public/saml2assertionconsumer
  - Default: (Optional) Indicates that the selected URL serves as the default entry. Select the check box next to the entry you want to use as the default.
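The following Python is an added example, not Policy Server code. It models the Assertion Consumer URLs table above and the way the IdP side picks an entry for an incoming request: by AssertionConsumerServiceIndex, by an AssertionConsumerServiceURL that is only honoured when the Accept ACS URL in the AuthnRequest check box is set and the URL is registered, by a ProtocolBinding override on an unsolicited link, or by the Default entry. The precedence among these selectors, the sample hostnames and the PAOS path are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AcsEntry:
    index: int        # unique per table, 0 through 65535
    binding: str      # "HTTP-Artifact", "HTTP-POST" or "PAOS"
    url: str
    default: bool = False


# Constructed sample table for one SP partner (hostname and PAOS path are assumptions).
SAMPLE_ACS_TABLE: List[AcsEntry] = [
    AcsEntry(0, "HTTP-POST",
             "https://sp.example.com/affwebservices/public/saml2assertionconsumer", default=True),
    AcsEntry(1, "HTTP-Artifact",
             "https://sp.example.com/affwebservices/public/saml2assertionconsumer"),
    AcsEntry(2, "PAOS", "https://sp.example.com/acs/paos"),
]


def resolve_acs(table: List[AcsEntry], *, acs_index: Optional[int] = None,
                acs_url: Optional[str] = None, protocol_binding: Optional[str] = None,
                accept_acs_url: bool = False) -> Tuple[Optional[AcsEntry], str]:
    """Pick the Assertion Consumer Service for one request.

    acs_index        AssertionConsumerServiceIndex from the AuthnRequest
    acs_url          AssertionConsumerServiceURL from the AuthnRequest
    protocol_binding ProtocolBinding (AuthnRequest attribute or unsolicited-link query parameter)
    accept_acs_url   the "Accept ACS URL in the AuthnRequest" check box
    The precedence (index, then URL, then ProtocolBinding, then default) is an assumption
    of this example. Returns (entry, reason); entry is None when the request is refused."""
    if len({e.index for e in table}) != len(table):
        raise ValueError("Index values in the ACS table must be unique")

    if acs_index is not None:
        for e in table:
            if e.index == acs_index:
                return e, "selected by AssertionConsumerServiceIndex"
        return None, f"no ACS entry with index {acs_index}"

    if acs_url is not None:
        if not accept_acs_url:
            return None, "ACS URL in AuthnRequest is not accepted (check box cleared)"
        # Exact comparison against the registered metadata only: no prefix or substring
        # matching, otherwise a crafted URL could steer the assertion off the registered host.
        for e in table:
            if e.url == acs_url and (protocol_binding is None or e.binding == protocol_binding):
                return e, "ACS URL matches registered metadata"
        return None, "ACS URL is not in the registered metadata for this partner"

    if protocol_binding is not None:
        # Unsolicited link with a ProtocolBinding query parameter overrides the default binding.
        for e in table:
            if e.binding == protocol_binding:
                return e, "binding chosen by ProtocolBinding"
        return None, f"no ACS entry for binding {protocol_binding}"

    for e in table:
        if e.default:
            return e, "default entry"
    return None, "no default ACS entry configured"


if __name__ == "__main__":
    registered = SAMPLE_ACS_TABLE[0].url
    print(resolve_acs(SAMPLE_ACS_TABLE, acs_index=1))
    print(resolve_acs(SAMPLE_ACS_TABLE, acs_url=registered))                        # refused
    print(resolve_acs(SAMPLE_ACS_TABLE, acs_url=registered, accept_acs_url=True))   # index 0
    print(resolve_acs(SAMPLE_ACS_TABLE, acs_url="https://other.example.net/acs", accept_acs_url=True))
```

The point of the exact-match check is that the assertion is only ever delivered to a location the partner registered in metadata; a request that names any other URL is refused rather than served, which is what the Accept ACS URL check box's "present, valid, and in the metadata" validation amounts to.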
SLO (SAML 2.0 IdP)
The SLO section lets you configure single logout (SLO). This section displays the following settings:
- SLO Binding: Specifies whether the single logout profile is enabled at the asserting party and which binding is in use. The HTTP-Redirect binding sends SLO messages using HTTP GET requests. The SOAP binding does not rely on HTTP after the initial request and sends messages across a back channel. Options: HTTP-Redirect, HTTP-POST, SOAP
- SLO Confirm URL: Specifies the URL to which the user is redirected when the single logout process is complete. Typically, the Confirm URL points to a location at the site that initiated single logout. If SLO is initiated at your site, the system uses this URL. The URL resource must be a local resource that is accessible to your site, not a resource in a federated partner domain. For example, if the local domain is acme.com and your partner is example.com, then the SLO Confirm URL must be in acme.com. Value: valid URL
- SLO Validity Duration (Seconds): Specifies the number of seconds for which an SLO request is valid. Default: 60 seconds. Value: a positive integer
- Relay state overrides SLO Confirm URL (HTTP-Redirect only): Replaces the URL in the SLO Confirm URL field with the value of the Relay State query parameter included with the single logout request. This check box gives you more control over the single logout confirmation target. The Relay State query parameter lets you dynamically define the confirmation URL for SLO requests.
- Reuse Session Index: Indicates whether CA Single Sign-On sends the same session index in the assertion for the same partner in a single browser session. A user can federate multiple times with the same partner using the same browser window. Selecting this option instructs the IdP to send the same session index in each assertion. If you disable this option, CA Single Sign-On generates a new session index every time single sign-on occurs. You can enable this option to help ensure single logout with third-party partners that do not honor the session index passed in newer assertions. This setting is relevant only if single logout is enabled.
- SLO Service URLs: Lists the available SLO service URLs. The table includes the following entries:
  - Select: Indicates that this value is the entry for the SLO Service URL.
  - Binding: Indicates the binding for the SLO connection. Options: HTTP-Redirect, SOAP
  - Location URL: Specifies the URL of the single logout service at the remote partner to which the single logout request is sent. Value: valid URL. If your federation system is at the remote SP, use the following URLs: HTTP-Redirect binding: http://sp_host:port/affwebservices/public/saml2slo; HTTP-POST binding: http://sp_host:port/affwebservices/public/saml2slo; SOAP binding: http://sp_host:port/affwebservices/public/saml2slosoap. If a third-party federation product is at the SP, use the URL appropriate for that product.
  - Response Location URL: (Optional) Specifies the URL of the single logout response service for the entity. The Response Location URL is used in a configuration where there is one service for single logout requests and another for single logout responses. By default, if only the Location URL is provided, it is used for both the request and the response. Value: valid URL
Manage Name ID Service
This section describes the fields for configuring the Manage Name ID Service.
- MNI Binding: SOAP: Enables the Manage Name ID service. SOAP is the only supported binding. If you select this option, the User Lookup for Attribute and Name ID Services section appears. Specify a user directory search specification in the Custom field. The value you enter lets the Policy Server know how to locate the user record in the user directory. Enter a search string appropriate for the directory type, such as LDAP: uid=%s or ODBC: name=%s
- Encrypt Name ID: Encrypts the name ID.
- Require Encrypted Name ID: Requires an encrypted name ID in received messages.
- Sign Request: Signs the ManageNameID request message.
- Require Signed Request: Requires a signed ManageNameID request message.
- Sign Response: Signs the ManageNameID response message.
- Require Signed Response: Requires a signed ManageNameID response message.
- Delete Name ID: Clears the user directory attribute holding the user NameID for this partnership. Select either Delete Name ID or Enable Notification to make the feature functional.
- SOAP Timeout (seconds): Specifies the number of seconds to wait until the request times out. Default: 60
- Retry Count: Specifies the number of times to retry a request. Default: 3
- Retry Boundary (minutes): Specifies the number of minutes to wait before attempting a retry after a message failure. Default: 15
- Enable Notification: (Optional) Instructs the CA Single Sign-On federation entity to notify the customer application when a user is terminated. A notification tells the NameID service in the background when a NameID termination succeeds. Enable notifications if the customer who owns the requested application wants to control the removal of a user from the user directory.
  - Notification URL: Specifies the URL of the remote IdP or SP to which the local federated entity sends the notification that the NameID for a federated user is terminated.
  - Notify TimeOut (Seconds): Specifies the number of seconds to wait until the notification request times out.
  - Notification Auth Type: Specifies whether the customer requires credentials when a termination notification is sent. If you select Basic, the notification service makes a call-out in the background across the Notification URL. The customer application can authenticate that CA Single Sign-On federation is allowed to make this call-out. If you select Basic, specify values for the Notify Username and NotifyPassword settings. These values serve as credentials when a call-out is sent across the notification channel. Options: NoAuth, Basic
  - Notify Username: Specifies a user name for the Notification Service. This name is part of the credentials the customer application uses to verify the entity communicating across the notification URL.
  - NotifyPassword: Specifies a password for the Notification Service. This password is part of the credentials the customer application uses to verify the entity communicating across the notification URL. The customer application checks these credentials to ensure that a valid client is sending the notification.
  - Notify Confirm Password: Confirms the NotifyPassword value.
Back Channel (SAML 2.0 IdP)
The Back Channel section is where you configure the authentication method across the back channel. The back channel has different purposes depending on the following criteria:
- HTTP-Artifact single sign-on is configured.
- Single logout using the SOAP binding is configured.
- Your federation system is the Identity Provider or Service Provider.
- Communication is over an incoming or outgoing channel.
The Back Channel section displays the following settings:
- Incoming Configuration/Outgoing Configuration: Configure an incoming or outgoing back channel as required by the selected bindings. The back channel has only one configuration. If two services use the same channel, these two services use the same back channel configuration. For example, the incoming channel for a local IdP supports HTTP-Artifact SSO and SLO over SOAP. These two services must use the same back channel configuration.
- Authentication Method: Specifies the authentication method that protects the back channel. Default: NoAuth. Options: Basic, Client Cert, NoAuth.
  - Basic: Indicates that a Basic authentication scheme protects the communication across the back channel. Note: If SSL is enabled for the back channel connection, you can still select Basic authentication. If you select Basic authentication, configure the following additional settings:
    - Back channel user name (Basic auth, outgoing channel only): Specifies the user name of the SP when using Basic authentication across the back channel. Enter the name of the partnership that is configured at the remote IdP. For example, at the remote IdP, a partnership named Partners1 is defined between CompanyA (IdP) and CompanyB (SP). At CompanyB, the local SP, the value you enter is Partners1, which associates this user name with the corresponding partnership at the IdP.
    - Password: Specifies the password for the back channel user name. This password is only relevant if you use Basic or Basic over SSL as the authentication method across the back channel. The two partners agree on this password.
    - Confirm Password: Reconfirms the password entry.
    - Back Channel Timeout (seconds) (Outgoing channel only): Specifies the maximum amount of time the system waits for a response after sending a back channel request to the Artifact Resolution Service. Specify an interval in seconds. Default: 300 seconds. Value: positive integer.
  - Client Cert: Indicates that an X.509 client certificate authentication scheme protects the communication to the Artifact Resolution Service across the back channel. Client Cert authentication requires the use of SSL for all endpoint URLs. Endpoint URLs locate the various SAML services on a server, such as the Artifact Resolution Service. The SSL requirement means that the URL to the service must begin with https://. To implement Client Cert authentication, the SP sends a certificate to the asserting party before any transaction occurs. The asserting party stores the certificate in its database. Both partners must have the certificate that enabled the SSL connection in their respective databases, or Client Cert authentication does not work. During the authentication process, the relying party sends its certificate to the asserting party. The asserting party compares the received certificate with the certificate in its database to verify that they match. If there is a match, the asserting party lets the relying party access the Artifact Resolution Service. If you select Client Cert authentication, configure the following additional setting:
    - Client Certificate Alias: Specifies the alias that is associated with a client certificate in the key database. Select the alias from the drop-down list.
    - Back Channel Timeout (seconds) (Outgoing channel only): Specifies the maximum amount of time CA Single Sign-On waits for a response after sending a back channel request to the Artifact Resolution Service. Specify an interval in seconds. Default: 300 seconds. Value: positive integer.
  - NoAuth: Indicates that the relying party is not required to supply credentials. The back channel and Artifact Resolution Service are not secured. You can still enable SSL with this option; the back channel traffic is then encrypted, but no credentials are exchanged between the parties. Select NoAuth for testing purposes, but not for production, except when your federation system is configured for SSL-enabled failover and sits behind a proxy server. The proxy server handles the authentication when it has the server certificate. In this case, all IdP->SP partnerships use NoAuth as the authentication type.
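The constraints above (https for Client Cert, a partnership name and agreed password for Basic on the outgoing channel, NoAuth only outside production or behind an SSL proxy, a positive timeout) can be checked before a partnership goes live. The following is an added example, not CA's code: the dictionary keys, the `direction` field and the `ssl_failover_behind_proxy` flag are assumptions chosen for illustration.

```python
"""Added example (not CA's code): sanity-check a SAML 2.0 back channel
configuration against the rules described in the Back Channel section.
Field names and the ssl_failover_behind_proxy flag are assumptions."""
from urllib.parse import urlparse


def check_back_channel(cfg: dict, production: bool = True) -> list[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    method = cfg.get("auth_method", "NoAuth")
    if method not in ("Basic", "Client Cert", "NoAuth"):
        return [f"unknown authentication method: {method!r}"]

    # Client Cert requires SSL on every endpoint URL; for the other methods SSL is
    # optional, so a plain http:// endpoint is only reported as unprotected traffic.
    for url in cfg.get("endpoint_urls", []):
        if urlparse(url).scheme != "https":
            if method == "Client Cert":
                findings.append(f"Client Cert requires an https endpoint: {url}")
            else:
                findings.append(f"back channel endpoint is not SSL-protected: {url}")

    if method == "Basic":
        # Outgoing channel: the user name is the partnership name defined at the remote IdP.
        if cfg.get("direction") == "outgoing" and not cfg.get("user_name"):
            findings.append("Basic auth on the outgoing channel needs the partnership name as user name")
        if not cfg.get("password"):
            findings.append("Basic auth needs the password agreed with the partner")
        elif cfg.get("password") != cfg.get("confirm_password"):
            findings.append("Password and Confirm Password do not match")
    elif method == "Client Cert" and not cfg.get("client_cert_alias"):
        findings.append("Client Cert auth needs a Client Certificate Alias from the key database")
    elif method == "NoAuth" and production and not cfg.get("ssl_failover_behind_proxy", False):
        findings.append("NoAuth is for testing only, unless an SSL-enabled proxy in front authenticates the channel")

    # Outgoing channel only: the Artifact Resolution Service timeout must be a positive integer.
    if cfg.get("direction") == "outgoing":
        timeout = cfg.get("timeout_seconds", 300)  # 300 is the documented default
        if not isinstance(timeout, int) or timeout <= 0:
            findings.append(f"Back Channel Timeout must be a positive integer, got {timeout!r}")
    return findings
```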
Attribute Service at the IdP
You can configure an Identity Provider to act as an Attribute Authority. The Authority can respond to an attribute query from a SAML requester. The requester can then authorize a user based on the retrieved attributes.
The Attribute Service section contains the following fields for attribute query support:
- Enable: Lets the Identity Provider act as an Attribute Authority. As an Attribute Authority, the system can respond to a query message from a SAML requester. If you select this option, the User Lookup for Attribute and Name ID Services section appears. Specify a user directory search specification in the Custom field. The value you enter lets the Policy Server know how to locate the user record in the user directory. Enter a search string appropriate for the directory type, for example: LDAP: uid=%s; ODBC: name=%s.
- Require Signed Attribute Query: Indicates that the Attribute Authority requires a digitally signed attribute query from the SAML Requester.
- Enable Proxied Query: Indicates that a third-party IdP responds to the attribute query. The proxied query feature is for a deployment where a third party is acting as the IdP and the Attribute Authority. The local Policy Server system that you are configuring has two roles when implementing a proxied query. The system acts as the SP and Attribute Requester relative to the third-party IdP. The local system also acts as an IdP and Attribute Authority relative to the SP that owns the requested application. A proxied query occurs when the following conditions are met:
  - The attribute is not found in the user directory or session store of the local system.
  - The user was initially authenticated by the third-party IdP.
  The Policy Server queries the third-party IdP. If the IdP finds the attribute, it returns a query response. The Policy Server adds the attributes from the response to the session store. The system then returns the response with the attributes to the SP that owns the application. This SP is the original attribute requester. The URL for the attribute service at the IdP is configured at the SP partnership.
- Validity Duration Seconds: Specifies the number of seconds that the assertion is valid.
- Signing Options: Designates the signing requirements for attribute assertions and responses.
  - Sign Assertion: Instructs the Attribute Authority to sign only the attribute assertion. The SAML response is not signed.
  - Sign Response: Instructs the Attribute Authority to sign only the SAML response.
  - Sign Both: Instructs the Attribute Authority to sign both the attribute assertion and the SAML response.
  - Sign Neither: Instructs the Attribute Authority to sign neither the attribute assertion nor the SAML response.
- User Lookup: Defines search specifications for user directory namespaces. The Attribute Authority uses the search specification to locate the user locally. The search specification must include the NameID of the subject from the attribute query to locate the user. Enter a search specification in the field for the namespace type you are using. At least one search specification is required.
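The proxied query decision described under Enable Proxied Query (local directory first, then session store, then the third-party IdP only for users that IdP authenticated, with the answer cached in the session store) is modelled below. This is an added example with in-memory stands-ins for the stores, not the Policy Server's code; the store layouts and the `third_party` callback are assumptions.

```python
"""Added example (not CA's code): the proxied attribute query lookup order
described in the Attribute Service section, modelled over in-memory stores.
Store shapes and the third_party callback are assumptions for illustration."""
from typing import Callable, Optional, Tuple

# Constructed sample data standing in for the local user directory and session store.
USER_DIRECTORY = {"alice": {"mail": "alice@example.com"}}
SESSION_STORE = {
    "alice": {"authenticated_by": "third-party-idp", "attrs": {}},
    "bob": {"authenticated_by": "local", "attrs": {}},
}
# Constructed data held by the third-party IdP acting as Attribute Authority.
THIRD_PARTY_ATTRS = {"alice": {"department": "finance"}}


def third_party_lookup(name_id: str, attr: str) -> Optional[str]:
    """Stand-in for the attribute query sent to the third-party IdP."""
    return THIRD_PARTY_ATTRS.get(name_id, {}).get(attr)


def resolve_attribute(name_id: str, attr: str, proxied_query_enabled: bool,
                      third_party: Callable[[str, str], Optional[str]] = third_party_lookup
                      ) -> Tuple[Optional[str], str]:
    """Return (value, source) for the requested attribute of the subject name_id."""
    value = USER_DIRECTORY.get(name_id, {}).get(attr)
    if value is not None:
        return value, "directory"
    session = SESSION_STORE.get(name_id)
    if session is None:
        return None, "no session"
    if attr in session["attrs"]:
        return session["attrs"][attr], "session store"
    # Both conditions for a proxied query: not found locally, and the user was
    # initially authenticated by the third-party IdP. Otherwise stop here.
    if not proxied_query_enabled or session["authenticated_by"] != "third-party-idp":
        return None, "not found"
    value = third_party(name_id, attr)
    if value is None:
        return None, "third-party IdP: not found"
    # Attributes from the query response are added to the session store,
    # so later queries for the same attribute are answered locally.
    session["attrs"][attr] = value
    return value, "third-party IdP"
```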
IDP Discovery (SAML 2.0 IdP)
The IDP Discovery section lets you configure the Identity Provider Discovery profile. This profile enables the relying party to determine which asserting party a principal is using.
This section displays the following settings:
- Enable IDP Discovery: Enables or disables the Identity Provider Discovery profile.
- Service URL: Specifies the URL of the Identity Provider Discovery Profile servlet at the local entity.
- Common Domain: Specifies the domain of the common domain cookie where the Identity Provider Discovery Service stores information about the asserting party. This domain must be a parent domain of the host in the Service URL. Value: a valid cookie domain.
- Enable Persistent Cookie: Indicates that the cookie must be persistent.
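The Common Domain rule above (a parent domain of the Service URL host) and the contents of the common domain cookie can both be checked offline. The following is an added example, not CA's code; the cookie layout (name `_saml_idp`, a space-separated list of base64-encoded IdP entity IDs with the most recently used last) comes from the OASIS SAML 2.0 Identity Provider Discovery profile, not from this page, and the entity IDs used are constructed.

```python
"""Added example (not CA's code): validate the Common Domain setting against the
Service URL host, and build the common domain cookie value as the SAML 2.0
IdP Discovery profile defines it (space-separated base64 entity IDs, newest last)."""
import base64
from urllib.parse import urlparse

COOKIE_NAME = "_saml_idp"  # cookie name fixed by the IdP Discovery profile


def is_valid_common_domain(service_url: str, common_domain: str) -> bool:
    """True if common_domain is the Service URL host or one of its parent domains."""
    host = (urlparse(service_url).hostname or "").lower()
    domain = common_domain.lower().lstrip(".")
    if not host or not domain:
        return False
    # Require at least two labels so the cookie cannot be scoped to a bare TLD.
    if "." not in domain:
        return False
    return host == domain or host.endswith("." + domain)


def update_common_domain_cookie(existing_value: str, idp_entity_id: str) -> str:
    """Append the IdP entity ID; if already listed, move it to the end (most recent)."""
    encoded = base64.b64encode(idp_entity_id.encode("utf-8")).decode("ascii")
    ids = [v for v in existing_value.split(" ") if v] if existing_value else []
    ids = [v for v in ids if v != encoded]
    ids.append(encoded)
    return " ".join(ids)


def last_used_idp(cookie_value: str) -> str:
    """Decode the most recently used IdP entity ID, or '' if the cookie is empty."""
    if not cookie_value:
        return ""
    return base64.b64decode(cookie_value.split(" ")[-1]).decode("utf-8")
```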
Status Redirect URL (SAML 2.0 IdP)
The Status Redirect URL section lets you determine how a browser redirects a user when HTTP 500, 400, and 405 errors occur.
Select the redirect options that you want enabled then enter an associated URL.
The options are:
- Enable Server Error Redirect / Server Error Redirect URL: Specifies the URL where the browser redirects the user when an HTTP 500 Server Error occurs. A user can encounter a 500 error because an unexpected condition prevents the web server from fulfilling the client request. If this type of error occurs, the user is sent to the specified URL for further processing. Example: http://www.redirectmachine.com/error_pages/server_error.html
- Enable Invalid Request Redirect / Invalid Request Redirect URL: Specifies the URL where the browser redirects the user when an HTTP 400 Bad Request or a 405 Method Not Allowed error occurs. A user can encounter a 400 error because a request is malformed. A user can also get a 405 error because the web server does not allow a particular method or action to be performed. If these types of errors occur, the user is sent to the specified URL for further processing. Example: http://www.redirectmachine.com/error_pages/invalidreq_error.html
- Enable Unauthorized Access Redirect / Unauthorized Access Redirect URL: Specifies the URL where the user is redirected when an HTTP 403 Forbidden error occurs. This error occurs because the user is not authorized for a federated transaction. A 403 error can also occur because the URL in a request points to the wrong target, such as a directory instead of a file. Example: http://www.redirectmachine.com/error_pages/unauthorized_error.htm
- 302 No Data (default): Redirects the user by an HTTP 302 redirect with a session cookie, but no other data.
- HTTP Post: Redirects the user using the HTTP-POST protocol.