SAML 2.0 Authentication Scheme--SSO Settings
The SSO settings are where you configure how single sign-on (SSO) is handled at the Service Provider.
The SSO section of the page includes the following settings:
- Redirect Mode: Specifies the method by which the Service Provider redirects the user to the target resource. If you select 302 No Data or 302 Cookie Data, no other configuration is required. If you select Server Redirect or Persist Attributes, additional configuration is required.
  - 302 No Data (default): The user is redirected by using an HTTP 302 redirect with a session cookie, but no other data.
  - 302 Cookie Data: The user is redirected by using an HTTP 302 redirect with a session cookie and additional cookie data, which CA Single Sign-On has configured for the Service Provider at the Identity Provider.
  - Server Redirect: Enables header and cookie attribute information received in the assertion to be passed to the custom target application. The SAML 2.0 Assertion Consumer Service or WS-Federation Security Token Consumer Service collects the user credentials, then transfers the user to the target application URL using server-side redirects. Server-side redirects are part of the Java Servlet specification, and all standards-compliant servlet containers support them. To use this mode, meet the following requirements:
    - The URL you specify for this mode must be relative to the context of the servlet that is consuming the assertion, which is typically /affwebservices/public/. The root of the context is the root of the Federation Web Services application, typically /affwebservices/. All target application files must be in the application root directory. This directory is one of the following:
      - Web Agent: web_agent_home\webagent\affwebservices
      - CA Access Gateway: sps_home\secure-proxy\Tomcat\webapps\affwebservices
    - Define realms, rules, and policies to protect target resources. Define the realms with at least the value /affwebservices/ in the resource filter.
    - Install a custom Java or JSP application on the server that is serving the Federation Web Services application. Federation Web Services is installed with the Web Agent Option Pack or CA Access Gateway. Java servlet technology allows applications to pass information between two resource requests using the setAttribute method of the ServletRequest interface. The service that consumes assertions sends the user attributes to the target application before redirecting the user to the target. The service sends the attributes by creating a java.util.HashMap object. The request attribute that contains the HashMap of SAML attributes is "Netegrity.AttributeInfo". The service that consumes assertions passes two other java.lang.String attributes to the custom application:
      - Netegrity.smSessionID: the CA Single Sign-On session ID
      - Netegrity.userDN: the CA Single Sign-On user DN
      The custom target application reads these objects from the HTTP request and uses the data found in the HashMap object.
  - Persist Attributes: The user is redirected by using an HTTP 302 redirect with a session cookie, but no other data. Additionally, this mode instructs the Policy Server to store attributes that are extracted from an assertion in the session store so they can be supplied as HTTP header variables. For additional configuration, see the instructions for using SAML attributes as HTTP headers. To see this option, enable the session store using the CA Single Sign-On Policy Server Management Console. If you select Persist Attributes and the assertion contains attributes that are left blank, a value of NULL is written to the session store. This value acts as a placeholder for the empty attribute and is passed to any application using the attribute.
- SSO Service: Specifies the URI of the Single Sign-On service at an Identity Provider. This URI is the location to which the AuthnRequest service redirects an AuthnRequest message, which contains the Service Provider ID. The default URL is http://idp_host:port/affwebservices/public/saml2sso
- Audience: Specifies the audience for the SAML assertion. The Audience is a URL that identifies the location of a document that describes the terms and conditions of the business agreement between the Identity Provider and the Service Provider. The administrator at the Identity Provider site determines the audience, which matches the audience configured for the Service Provider. The audience value cannot exceed 1K and is case-sensitive. For example: http://www.ca.com/SampleAudience
- Target (Optional): Specifies the target resource URI at the destination Service Provider site. The Service Provider does not have to use the default target; the link that initiates single sign-on can contain a query parameter that specifies the target.
- Allow IdP to Create New User Identifier: If the Service Provider sends an AuthnRequest message to the Identity Provider to get an assertion, selecting this check box sets the AllowCreate attribute in the AuthnRequest message to true. The AllowCreate attribute instructs the Identity Provider to generate a new value for the NameID; the AllowCreate feature itself is enabled at the Identity Provider. The new NameID value is included in the assertion.
- Enhanced Client and Proxy Profile: Enables processing of requests using the SAML 2.0 Enhanced Client and Proxy (ECP) Profile.
- Sign Auth Requests: Instructs the Policy Server at the Service Provider to sign the AuthnRequest after it is generated. This check box is required if the Identity Provider requires signed AuthnRequests. The AuthnRequest Service redirects the signed AuthnRequest to the single sign-on service URL.
- Relay State Overrides Target (Optional): Replaces the value specified in the Target field with the value of the Relay State query parameter for SP-initiated or IdP-initiated single sign-on. This check box gives you more control over the target, because the Relay State query parameter lets you define the target dynamically.
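The Server Redirect mode described above hands the assertion data to the custom target application as servlet request attributes. The following servlet is an added example, not code shipped with CA Single Sign-On, of how such a target application reads them; the deployment path /affwebservices/public/target, the attribute name "email", and rendering HashMap values through toString() are assumptions, since the page does not document the value types.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical target application for the Server Redirect mode, deployed inside
// the affwebservices web application (for example as /affwebservices/public/target)
// so the Assertion Consumer Service can reach it with a server-side redirect.
public class SamlTargetServlet extends HttpServlet {

    // Request attribute names the assertion consumer sets, as documented above.
    static final String ATTR_INFO = "Netegrity.AttributeInfo";
    static final String ATTR_SESSION = "Netegrity.smSessionID";
    static final String ATTR_USERDN = "Netegrity.userDN";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The SAML attributes arrive as a java.util.HashMap. If it is absent the
        // request did not pass through the assertion consumer (for example a
        // browser opening the URL directly), so refuse to serve anything.
        Object raw = req.getAttribute(ATTR_INFO);
        if (!(raw instanceof Map)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no federation context");
            return;
        }
        Map<?, ?> attrs = (Map<?, ?>) raw;
        String sessionId = text(req.getAttribute(ATTR_SESSION));
        String userDn = text(req.getAttribute(ATTR_USERDN));
        // "email" is an assumed attribute name; use whatever the IdP includes.
        String email = text(attrs.get("email"));

        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().printf("<p>Session %s for %s (%s)</p>%n",
                escape(sessionId), escape(userDn), escape(email));
    }

    // Renders a request or HashMap value as text, tolerating absence (assumes toString()).
    static String text(Object v) {
        return v == null ? "" : String.valueOf(v);
    }

    // Assertion attributes are data from another party; never echo them unescaped.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```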
SAML 2.0 Auth Scheme--Bindings--Artifact
If the Service Provider supports the artifact binding, configure the settings in this section. For SAML 2.0 artifact single sign-on, the settings include:
- Artifact: Defines the HTTP-Artifact profile configuration.
  - HTTP Artifact: Enables the artifact binding. When enabled, the following associated controls are activated.
  - Sign ArtifactResolve: Indicates that the artifact resolve message requires signing. This request retrieves the original SAML message from the Service Provider. If you select this check box, the Identity Provider is configured to require a signed artifact resolve message. Digital signature processing is enabled to sign the artifact resolve message.
  - Override system generated IdP Source ID: Allows you to specify an IdP Source ID in the associated field. The default is a SHA-1 hash of the IdP ID. Values must be a 40-digit hexadecimal number.
  - Require Signed ArtifactResponse: Indicates that the Service Provider accepts only a signed artifact response. If you select this check box, the Identity Provider is configured to sign the artifact response. Digital signature processing is enabled to process the signed response.
  - Index: Enabled when you select the HTTP-Artifact check box, this field assigns an AssertionConsumerServiceIndex parameter for the artifact binding. If you have multiple endpoints in a federated network, assign an index for the Assertion Consumer Service. The index value tells the Identity Provider where to send the response. Enter an integer in the range 0 through 65535.
  - Resolution Service: Specifies the URL of the Artifact Resolution Service at the Identity Provider. The default URL is http://host:port/affwebservices/saml2artifactresolution
  - Source ID: Defines the source ID of the Identity Provider. The SAML specification defines a source ID as a 20-byte binary, hex-encoded number that identifies the party issuing the assertion. The Service Provider uses this ID to identify an assertion issuer. The value of the Source ID is generated automatically from the IdP ID value, which is located in the General settings of the authentication scheme. When you select the option Override system generated IdP Source ID, enter the value that the Identity Provider supplies to you in an out-of-band communication.
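As an added example, not part of the product or this documentation, the following helper derives the default Source ID the way this page describes it (a hex-encoded SHA-1 hash of the IdP ID) and checks that an override value supplied by the Identity Provider is a 40-digit hexadecimal number before it is entered in the console. The UTF-8 encoding of the IdP ID and the sample IdP ID are assumptions; compare the derived value with the one the console displays before relying on it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.regex.Pattern;

// Added helper: derives the default Source ID (SHA-1 of the IdP ID, 40 hex digits)
// and validates an override value supplied out of band by the Identity Provider.
public final class SourceId {

    // A source ID is 20 bytes, so exactly 40 hex digits and nothing else.
    private static final Pattern HEX40 = Pattern.compile("^[0-9a-fA-F]{40}$");

    // Default value: SHA-1 over the IdP ID. Encoding the ID as UTF-8 is an assumption.
    static String defaultFor(String idpId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1")
                    .digest(idpId.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(40);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 unavailable", e); // mandatory in every JRE
        }
    }

    // Rejects whitespace, a "0x" prefix, odd length or non-hex characters up front,
    // so a mistyped override is caught before artifact resolution starts failing.
    static boolean isValidOverride(String candidate) {
        return candidate != null && HEX40.matcher(candidate).matches();
    }

    public static void main(String[] args) {
        String idpId = "https://idp.example.com/saml2"; // constructed sample IdP ID
        String derived = defaultFor(idpId);
        System.out.println("default source ID: " + derived);
        System.out.println("derived value valid: " + isValidOverride(derived));
        System.out.println("0x-prefixed value valid: "
                + isValidOverride("0x" + derived.substring(2)));
    }
}
```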
SAML 2.0 Auth Scheme--Bindings--POST
If the Service Provider supports the POST binding, configure the settings in this section. For SAML 2.0 POST, the settings include:
- Post
  - HTTP Post: Indicates that the POST binding is enabled for the Identity Provider.
  - Enforce Single Use Policy: Enforces the single use policy, preventing SAML 2.0 assertions from being reused at a Service Provider to establish a second session.
  - Index: Enabled when you select the HTTP-Post check box, this field assigns an AssertionConsumerServiceIndex parameter for the POST binding. If you have multiple endpoints in a federated network, assign an index for the Assertion Consumer Service. The index value tells the Identity Provider where to send the response. Enter an integer in the range 0 through 65535.