WS-Federation Auth Scheme--SAML Profiles
The page contains the following fields:
- Redirect Mode: Indicates the method by which the Resource Partner redirects the user to the target resource. If you select 302 No Data or 302 Cookie Data, no other configuration is required. If you select Server Redirect or Persist Attributes, additional configuration is required.
  - 302 No Data (default): Indicates that an HTTP 302 redirect sends the user to the target with a session cookie, but no other data.
  - 302 Cookie Data: Indicates that an HTTP 302 redirect sends the user to the target with a session cookie and additional cookie data for the Resource Partner.
  - Server Redirect: Enables header and cookie attribute information received in the assertion to be passed to the custom target application. The SAML 2.0 Assertion Consumer Service or the WS-Federation Security Token Consumer Service collects the user credentials and then transfers the user to the target application URL using a server-side redirect. Server-side redirects are part of the Java Servlet specification, and all standards-compliant servlet containers support them. To use this mode, meet the following requirements:
    - The URL you specify for this mode must be relative to the context of the servlet that consumes the assertion, which is typically /affwebservices/public/. The root of the context is the root of the Federation Web Services application, typically /affwebservices/. All target application files must be in the application root directory, which is one of the following:
      - Web Agent: web_agent_home\webagent\affwebservices
      - CA Access Gateway: sps_home\secure-proxy\Tomcat\webapps\affwebservices
    - Define realms, rules, and policies to protect the target resources. Define the realms with at least the value /affwebservices/ in the resource filter.
    - Install a custom Java or JSP application on the server that serves the Federation Web Services application. Federation Web Services is installed with the Web Agent Option Pack or CA Access Gateway.
      Java servlet technology lets applications pass information between two resource requests using the setAttribute method of the ServletRequest interface. The service that consumes assertions sends the user attributes to the target application before redirecting the user to the target. It sends the attributes by creating a java.util.HashMap object; the request attribute that contains the HashMap of SAML attributes is named Netegrity.AttributeInfo. The consuming service also passes two java.lang.String attributes to the custom application:
      - Netegrity.smSessionID: the CA Single Sign-On session ID
      - Netegrity.userDN: the CA Single Sign-On user DN
      The custom target application reads these objects from the HTTP request and uses the data found in the HashMap.
  - Persist Attributes: Indicates that an HTTP 302 redirect sends the user to the target with a session cookie, but no other data. Additionally, this mode instructs the Policy Server to store attributes that are extracted from an assertion in the session store so they can be supplied as HTTP header variables. For additional configuration, see the instructions for using SAML attributes as HTTP headers. If you select Persist Attributes and the assertion contains attributes that are left blank, a value of NULL is written to the session store. This value acts as a placeholder for the empty attribute and is passed to any application that uses the attribute.
- Target: Specifies the target resource URI at the Service Provider destination site.
- Enforce Single Use Policy: Enforces a single-use policy. Selecting this option prevents assertions from being reused at a Resource Partner to establish a second session.
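To show what the Server Redirect contract looks like from the target application's side, here is an added example servlet; it is not code from this documentation or from the Federation Web Services product. The class name is hypothetical, the request attribute names are the ones documented above, and the value type of the HashMap entries is an assumption of this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical custom target for Server Redirect mode. The consumer service
// forwards to it server-side, so the values below arrive as request attributes
// set by that service, not as headers or cookies the browser could supply.
public class ServerRedirectTarget extends HttpServlet {
    // Request attribute names as documented for the assertion consumer service.
    static final String ATTR_INFO = "Netegrity.AttributeInfo";
    static final String ATTR_SESSION_ID = "Netegrity.smSessionID";
    static final String ATTR_USER_DN = "Netegrity.userDN";
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String sessionId = (String) req.getAttribute(ATTR_SESSION_ID);
        String userDn = (String) req.getAttribute(ATTR_USER_DN);
        Object info = req.getAttribute(ATTR_INFO);

        // A request that did not pass through the consumer service (for example a
        // direct hit on this URL) carries none of these attributes; refuse it
        // rather than rendering a page with null identity data.
        if (sessionId == null || userDn == null || !(info instanceof Map)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "reachable only through the assertion consumer service");
            return;
        }

        // The entry value type is not documented here, so the map is treated as
        // opaque (assumption) and only the string form of each value is used.
        Map<?, ?> attributes = (Map<?, ?>) info;
        resp.setContentType("text/plain;charset=UTF-8"); // plain text: nothing to inject into
        PrintWriter out = resp.getWriter();
        out.println("authenticated as: " + userDn);
        for (Map.Entry<?, ?> e : attributes.entrySet()) {
            out.println(e.getKey() + " = " + String.valueOf(e.getValue()));
        }
    }
    // The server-side forward keeps the original HTTP method, and the consumer
    // service is normally reached by a form POST, so POST must land here too.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

The servlet still needs the realm, rule and policy protection described above; the attribute check only guards against requests that bypassed the forward.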
The Signout section lets you configure how the Resource Partner responds to a signout request.
The settings in this section are:
- Enable Signout: Enables WS-Federation signout.
- SignoutURL: Specifies the URL of the signout servlet at the Account Partner. The default URL is the recommended entry:
  https://<ap_service:port>/affwebservices/public/wsfeddispatcher
  The WSFedDispatcher service receives all incoming WS-Federation messages and forwards the request processing to the appropriate service based on the query parameter data. Although there is a wsfedsignout service, use the wsfeddispatcher URL for the SignoutURL.
The User Disambiguation section defines how to obtain user information from an assertion in an incoming <RequestSecurityTokenResponse> message.
The tab includes the following fields and controls:
- Xpath Query: Specifies an XPath query. The XPath query tells the authentication scheme where in the assertion to locate a specific entry, which then serves as the user login ID. The value that the query obtains becomes part of the search specification used to look up a user store entry. The default XPath query, used when none is configured, is:
  /Assertion/Subject/NameID/text()
  XPath queries must not contain namespace prefixes. The following is an invalid XPath query:
  /saml:Response/saml:Assertion/saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier/text()
  The valid XPath query is:
  //Response/Assertion/AuthenticationStatement/Subject/NameIdentifier/text()
  Example: To obtain the attribute "FirstName" from the assertion for authentication, the XPath query is:
  /Assertion/AttributeStatement/Attribute[@Name="FirstName"]/AttributeValue/text()
- User Lookup: Displays the namespace types for which you can enter a search specification to locate a user record in a user directory. Use the Custom field for a namespace that is not listed. Enter a search specification for the user store type you are using. The search specification combines a user store attribute with the value that the XPath query identifies; the authentication scheme uses the search specification to locate a user record in the user store. Use %s to represent the login ID value. For example, if the login ID is user1 and you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is compared against a record in the user directory to find the correct record for authentication. You can also specify filters with multiple %s variables. For example:
  |(uid=%s)(email=%[email protected])|(abcAliasName=%s)(cn=%s)
  The results would be:
  |(uid=user1)([email protected])|(abcAliasName=user1)(cn=user1)
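The user disambiguation flow above (a prefix-free XPath query selects the login ID, then every %s in the search specification is replaced by it), as an added example that is not part of this documentation or of the product's code. It strips the saml: prefixes the way a prefix-free query requires and then builds the filter string; the class name, the constructed sample assertion and the RFC 4515 escaping step are assumptions of this example, not documented product behaviour.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class AssertionUserLookup {
    // Constructed sample assertion using the common "saml:" prefix.
    static final String SAMPLE_ASSERTION =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
      + "<saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>"
      + "<saml:AttributeStatement><saml:Attribute Name=\"FirstName\">"
      + "<saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>"
      + "</saml:AttributeStatement></saml:Assertion>";

    // Parse with namespace awareness off and strip element-name prefixes, so that a
    // prefix-free query such as /Assertion/Subject/NameID/text() matches the tree.
    static Document parsePrefixFree(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(false);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        NodeList all = doc.getElementsByTagName("*");
        Node[] elements = new Node[all.getLength()]; // snapshot of the live list before renaming
        for (int i = 0; i < elements.length; i++) elements[i] = all.item(i);
        for (Node e : elements) {
            int colon = e.getNodeName().indexOf(':');
            if (colon >= 0) doc.renameNode(e, null, e.getNodeName().substring(colon + 1));
        }
        return doc;
    }

    // The value the XPath query selects from the assertion becomes the login ID.
    static String loginId(String xml, String xpathQuery) throws Exception {
        return XPathFactory.newInstance().newXPath().evaluate(xpathQuery, parsePrefixFree(xml));
    }

    // Added safeguard: escape RFC 4515 filter metacharacters in the assertion-supplied
    // value before it is substituted, so the value cannot change the filter's structure.
    static String escapeFilterValue(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }

    // Replace every %s in the search specification with the escaped login ID.
    static String searchSpec(String template, String id) {
        return template.replace("%s", escapeFilterValue(id));
    }

    public static void main(String[] args) throws Exception {
        String id = loginId(SAMPLE_ASSERTION, "/Assertion/Subject/NameID/text()");
        System.out.println(searchSpec("|(uid=%s)(cn=%s)", id));
        System.out.println(loginId(SAMPLE_ASSERTION,
            "/Assertion/AttributeStatement/Attribute[@Name=\"FirstName\"]/AttributeValue/text()"));
    }
}
```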