Affiliate Assertions
- SAML Profile: Specifies the SAML profile for sending an assertion. The options are:
  - Artifact: The artifact is a 42-byte hex encoded ID that references an assertion stored in the session server on the producer-side Policy Server. An artifact lets a consumer retrieve an assertion document from a producer.
  - POST: The POST profile embeds a SAML response with the assertion in an HTML form. The browser posts the form at the destination consumer site. SAML POST profile is only supported for SAML version 1.1.
- SAML Version: Specifies the version of the SAML protocol in use. The choices are SAML 1.0 and 1.1. SAML artifact can support either version. SAML POST can only support SAML 1.1.
- Assertion Consumer URL (Required for SAML POST binding, optional for SAML Artifact binding): Specifies the destination site URL to which the browser must send the assertion. The default URL varies depending on the SAML binding and whether CA Single Sign-On or the SAML Affiliate Agent is at the consumer site.
  - SAML 1.x: If CA Single Sign-On is the affiliate at the consumer site, the URL is typically the SAML credential collector. The credential collector is a component of the Federation Web Services application at the consumer. The URL is: https://consumer_server:port/affwebservices/public/samlcc
  - SAML 1.0: Set this field to the SSLInterceptorURL that is specified for the SAML Affiliate Agent Configuration. Example: https://consumer_server:port/affagent/affiliatesite/test1.htm

  consumer_server:port identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.

  For SAML 1.x artifact binding, the value of the Assertion Consumer URL field takes precedence over the value of the SMCONSUMERURL query parameter. The query parameter is part of the intersite transfer URL that a user selects to initiate single sign-on.
- Audience (Optional): Defines the URL of the document that describes the terms and conditions of the agreement between the producer and the consumer. This value is included in the assertion that is passed to the consumer and can be used for validation purposes. Also, the consumer can parse the actual audience document to obtain relevant information. If the SAML Affiliate Agent is the consumer, the audience value must match the Assertion Audience value in the AffiliateConfig.xml file. The AffiliateConfig.xml file is the configuration file for the SAML Affiliate Agent. For any other SAML consumer, the entered value must match the Audience field that is configured for the SAML authentication scheme.
- Validity Duration: Defines the amount of time, in seconds, that the assertion is valid. If the consumer does not receive the assertion during the assertion validity interval, the consumer considers the assertion invalid.
- Skew Time: Defines the difference, in seconds, between the system clock time of the producer and the system clock time of the consumer. The skew time is added to the validity duration. Times are relative to GMT.
- Sign Assertion: Enables the producer to sign the assertion with its private key. The signature adds security to the assertion response being passed across a secure back-channel.
- Signing Alias (Optional): Specifies the alias that is associated with a specific private key in the CA Single Sign-On key database. By completing this field, you are indicating which private key the producer uses to sign assertions or assertion responses.
  Note: Be sure that the private key is in the key database before you specify its associated alias in this field.
  Limits: an alphanumeric character string
- Allow Notification: Provides event notification services only for a site where the SAML Affiliate Agent is the consumer. If the SAML Affiliate Agent is the consumer, this setting enables a CA Single Sign-On producer to receive event notifications about which affiliate resources a user accessed.
The following sections are also part of the assertions settings:
- Enables the sharing of session information between the producer and the consumer.
- Configures consumer attributes, which pass user attributes, DN attributes, or static data from the Policy Server to the consumer in an assertion.
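
The Audience, Validity Duration, and Skew Time settings above determine what a consumer sees in the assertion's Conditions element. The following Python code is an added example, not code from CA Single Sign-On or this documentation, showing how a consumer could enforce those values on a SAML 1.1 assertion. The sample assertion is constructed, and the function names, the example hosts, and the choice of NotBefore equal to the issue time are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML instants are expressed in UTC (GMT)

def build_sample(issued, validity_s, skew_s, audience):
    """Constructed sample assertion: window end = issue time + validity + skew."""
    end = issued + timedelta(seconds=validity_s + skew_s)
    start_s, end_s = issued.strftime(FMT), end.strftime(FMT)  # NotBefore = issue time (assumption)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
        'MajorVersion="1" MinorVersion="1" AssertionID="_constructed" '
        f'Issuer="producer.example" IssueInstant="{start_s}">'
        f'<saml:Conditions NotBefore="{start_s}" NotOnOrAfter="{end_s}">'
        '<saml:AudienceRestrictionCondition>'
        f'<saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestrictionCondition>'
        '</saml:Conditions></saml:Assertion>'
    )

def _instant(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def check_conditions(xml_text, expected_audience, now):
    """Return (accepted, reason). Fails closed when the validity window is absent."""
    # Signature verification is out of scope here and must succeed before this check.
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    if cond is None or not {"NotBefore", "NotOnOrAfter"} <= set(cond.attrib):
        return False, "missing validity window"
    if now < _instant(cond.attrib["NotBefore"]):
        return False, "not yet valid"
    if now >= _instant(cond.attrib["NotOnOrAfter"]):
        return False, "expired"
    # Exact string comparison: the audience must match the configured value character for character.
    audiences = [a.text.strip() for a in cond.findall(".//saml:Audience", NS) if a.text]
    if expected_audience is not None and expected_audience not in audiences:
        return False, "audience mismatch"
    return True, "ok"
```

With a validity duration of 60 seconds and a skew time of 30 seconds, an assertion received 75 seconds after issue is still accepted, while one received at 90 seconds is rejected.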