SAML 2.0 - Authentication Scheme - Advanced Settings

The Advanced dialog is where you specify advanced configuration for the Message Extension Consumer API. In addition, this dialog is where you configure optional redirect URLs for assertion processing errors during authentication.
The dialog contains the following settings:
Message Consumer Plugin
  • Full Java Class Name
    (Optional) Specifies the fully qualified Java class name of a class that implements a Message Consumer Plug-in interface for the authentication scheme.
  • Parameter
    If you enter a value for the Full Java Class Name field, the API passes the parameter string in this field to the specified plugin.
Status Redirect URLs and Modes
Assertion-based authentication can fail at the site that consumes assertions for various reasons. If authentication does fail, Federation Security Services provides functionality to direct the user to different applications (URLs) for further processing. For example, when user disambiguation fails, CA Single Sign-on can redirect the user to a provisioning system. The provisioning system can create a user account that is based on the information found in the SAML assertion.
Note: Error redirection happens only when the system can parse the request successfully and get the information necessary to identify the asserting and relying partners.
The following options redirect the user to a configured URL based on the condition that caused the failure.
  • User Not Found URL
    (Optional) Identifies the URL where CA Single Sign-on redirects the user when the user is not found. This status applies when the single sign-on message does not have a LoginID, or the user directory does not contain the LoginID.
  • Invalid SSO Message URL
    (Optional) Identifies the URL where CA Single Sign-on redirects the user for one of the following conditions:
    • The single sign-on message is invalid based on rules that are listed in the SAML schemas.
    • The consumer requires an encrypted assertion but the single sign-on message does not contain an encrypted assertion.
  • Unaccepted User Credential (SSO Message) URL
    (Optional) Identifies the redirect URL for all error conditions other than when a user is not found or the single sign-on message is invalid. The assertion is valid, but CA Single Sign-on does not accept the message for certain reasons, such as:
    • XML digital signature validation fails.
    • XML decryption operation fails.
    • XML validation of conditions fails, such as an expired message or an audience mismatch.
    • None of the assertions in the SSO message contain an authentication statement.
  • Mode
    Specifies the method by which CA Single Sign-on redirects the user to the redirect URL. The options are:
    • 302 No Data (default)
      Redirects the user with an HTTP 302 redirect with a session cookie but no other data.
    • HTTP Post
      Redirects the user using the HTTP POST protocol.
Proxy
  • Server
    Specifies the protocol and authority parts of the URL for a proxy server or for a web server that sits in front of the operating environment where the Web Agent Option Pack is located. The Server value ensures that the SAML response is routed to the correct destination.
    The syntax for the Server value is protocol:authority, where:
    • protocol is "http:" or "https:"
    • authority is "//host.domain.com" or "//host.domain.com:port"
    Example: http://myproxy.ca.com
    CA Single Sign-on also uses the Server value to validate URLs in XML messages, for example the Destination attribute in a SAML 2.0 message.
    Configure the Server setting in the following situations:
    • A proxy server sits between the client and the operating environment in which Federation Web Services run. Federation Web Services are installed with the Web Agent Option Pack.
    • The CA Single Sign-on CA Access Gateway is in your environment, even if the CA Access Gateway is a federation gateway.
    • Any web server that sits in front of the operating environment in which the Web Agent Option Pack is installed.
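As an added example (not CA Single Sign-on code), the following Python parses a Server value in the protocol:authority syntax described above and uses it to check the Destination attribute of a SAML 2.0 Response, which is the kind of URL validation the text says the Server value is used for. The sample Response, its ID and the /acs endpoint path are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple
from urllib.parse import urlsplit

# Accepts exactly the documented syntax: "http:" or "https:" followed by
# "//host.domain.com" or "//host.domain.com:port".
SERVER_RE = re.compile(r"^(https?):(//[A-Za-z0-9.-]+(?::\d{1,5})?)$")

def parse_server_value(value: str) -> Tuple[str, str]:
    """Split a Server value such as "https://myproxy.ca.com:8443" into
    (protocol, authority), where authority is "host[:port]" without the "//".
    Raises ValueError when the value does not follow protocol:authority."""
    m = SERVER_RE.match(value.strip())
    if not m:
        raise ValueError(f"Server value is not protocol:authority: {value!r}")
    return m.group(1), m.group(2)[2:]

def destination_matches_server(destination: str, server_value: str) -> bool:
    """True when the URL's scheme and host[:port] equal the configured Server
    value. Host comparison is case-insensitive; the port must match literally."""
    protocol, authority = parse_server_value(server_value)
    parts = urlsplit(destination)
    return parts.scheme.lower() == protocol and parts.netloc.lower() == authority.lower()

def check_response_destination(response_xml: str, server_value: str) -> bool:
    """Reject a SAML 2.0 Response whose Destination attribute is missing or does
    not point at the configured proxy / front-end server."""
    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    if destination is None:
        return False
    return destination_matches_server(destination, server_value)

# Constructed sample Response; the ID and the /acs endpoint path are made up.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://MyProxy.ca.com/acs"/>'
)

if __name__ == "__main__":
    print(check_response_destination(SAMPLE_RESPONSE, "https://myproxy.ca.com"))  # True
    print(check_response_destination(SAMPLE_RESPONSE, "http://myproxy.ca.com"))   # False
```

A Response whose Destination names a different scheme, host or port than the configured Server value is rejected, as is one with no Destination at all.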