SAML 2.0 Remote IdP Entity Configuration

The Configure Entity step contains the configuration details of a federation entity.
Configure SAML 2.0 Remote IdP Entity
The Configure SAML 2.0 Remote IdP Entity section is where you identify the entity. The following fields are not self-explanatory:
  • Entity ID
    Identifies the federation entity to a partner. The Entity ID is a universal identifier like a domain name. If the Entity ID represents a remote partner, this value must be unique. If the Entity ID represents a local partner, it can be reused on the same system. For example, if the Entity ID represents a local asserting party, this same ID can be used in more than one partnership. An Entity ID that represents a remote partner can only belong to a single active partnership.
    Value:
    URI (URL recommended)
    Note the following guidelines:
    • The entity ID must be a URI, but an absolute URL is recommended.
    • If the entity ID is a URL:
      • The host part of the URL must be a name rooted in the organization's primary DNS domain.
      • The URL must not contain a port number, a query string, or a fragment identifier.
    • Do not use the ampersand (&) in the Entity ID because it is recognized as the start of a separate query parameter.
    • Do not specify a URN.
    • The entity ID for a remote partner must be globally unique to avoid name collisions within and across the federation.
    Examples of valid Entity IDs:
    • CompanyA:portal1
    • http://idp_name.forwardinc.com/idp
    • https://idp_name.example.edu/sp
    Examples of invalid Entity IDs:
    • http://idp.ca.com/affwebservices/public/saml2sso?SPID=http://toto.tiit.fr?key=toto&test=1
    • http://idp.ca.com/affwebservices/public/saml2sso?SPID=http://toto.tiit.fr?key=toto (This URL can work, but we do not advise you to use this syntax.)
  • Entity Name
    Names the entity object in the policy store. The Entity Name must be a unique value. Federation uses the Entity Name internally to distinguish an entity at a particular site. This value is not used externally and the remote partner is not aware of this value.
    Note:
    The Entity Name can be the same value as the Entity ID, but the value is never shared with any other entity at the site.
    Value:
    An alphanumeric string
    Example:
    Partner1
  • Description
    Specifies additional information to describe the entity.
    Value:
    Alphanumeric string up to 1024 characters.
  • Base URL
    Specifies the base location of the server that is visible to the intended users of the federation. This server is typically the server where CA Single Sign-On is installed. However, the server can be the URL of the server that hosts federation services, such as the Single Sign-on service. The base URL enables CA Single Sign-On to generate relative URLs in other parts of the configuration, making configuration more efficient.
    You can edit the Base URL. For example, you can configure virtual hosts for the CA Single Sign-On system. One virtual host handles the UI communication. The other virtual host handles the user traffic that the embedded Apache Web Server processes. You can edit the Base URL to point only to the server and HTTP port of the Apache Web Server.
    Value:
    valid URL
    Example:
    https://fedserver.ca.com:5555
    Note the following important guidelines for modifying this field:
    • If you modify the base URL, do not put a forward slash at the end of the base URL. A final slash results in two slashes being appended to other URLs that use this base URL.
    • If you are using more than one CA Single Sign-On system for failover support, set this field to the host name and port of the system managing failover to the other systems. This system can be a load balancer or proxy server.
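The Entity ID guidelines and the Base URL trailing-slash rule are easy to check mechanically before a partnership is saved. The following is an added example, not code from CA Single Sign-On; the function names and the `org_domain` parameter (the organization's primary DNS domain) are assumptions made for this illustration, and the rules it encodes are exactly the ones listed above. `naive_join` is included only to show the double slash that a trailing slash on the Base URL produces; `generate_url` builds the service URL the way the guideline intends.

```python
"""Entity ID and Base URL guideline checks.

Added example, not part of CA Single Sign-On. The function names and the
org_domain parameter are assumptions made for this illustration; the rules
encoded are the ones listed for the Entity ID and Base URL fields above.
"""
from typing import List, Optional
from urllib.parse import urlsplit


def validate_entity_id(entity_id: str, org_domain: Optional[str] = None) -> List[str]:
    """Return the guideline violations for an Entity ID (an empty list means it is acceptable).

    org_domain is the organization's primary DNS domain; when given, a URL-style
    Entity ID must have a host rooted in it.
    """
    problems: List[str] = []
    if "&" in entity_id:
        problems.append("contains '&', which is read as the start of another query parameter")
    parts = urlsplit(entity_id)
    if not parts.scheme:
        problems.append("not a URI: no scheme")
        return problems
    if parts.scheme == "urn":
        problems.append("URNs are not allowed")
    if parts.scheme in ("http", "https"):
        # URL-style Entity ID: rooted host, and no port, query string or fragment.
        host = parts.hostname or ""
        if not host:
            problems.append("URL has no host")
        elif org_domain and host != org_domain and not host.endswith("." + org_domain):
            problems.append(f"host {host!r} is not rooted in {org_domain!r}")
        try:
            has_port = parts.port is not None
        except ValueError:  # a non-numeric port is still a port
            has_port = True
        if has_port:
            problems.append("URL must not contain a port number")
        if parts.query:
            problems.append("URL must not contain a query string")
        if parts.fragment:
            problems.append("URL must not contain a fragment identifier")
    return problems


def check_base_url(base_url: str) -> List[str]:
    """Return the guideline violations for a Base URL value."""
    problems: List[str] = []
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("Base URL must be an absolute http(s) URL")
    if base_url.endswith("/"):
        problems.append("trailing slash: generated URLs would contain '//'")
    return problems


def naive_join(base_url: str, relative_path: str) -> str:
    """Plain concatenation: shows the double slash a trailing slash produces."""
    return base_url + relative_path


def generate_url(base_url: str, relative_path: str) -> str:
    """Build a service URL from the Base URL with exactly one separating slash."""
    return base_url.rstrip("/") + "/" + relative_path.lstrip("/")


if __name__ == "__main__":
    for candidate in ("http://idp_name.forwardinc.com/idp",
                      "http://idp.ca.com/affwebservices/public/saml2sso?SPID=http://toto.tiit.fr?key=toto&test=1"):
        print(candidate, "->", validate_entity_id(candidate, org_domain="ca.com") or "OK")
    print(generate_url("https://fedserver.ca.com:5555/", "/affwebservices/public/saml2sso"))
```

Run against the page's own examples, the three valid Entity IDs produce no findings, the first invalid one is flagged twice (the ampersand and the query string) and the second once (the query string). A trailing slash on the Base URL is reported by `check_base_url` and visibly produces `:5555//affwebservices` in `naive_join`.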
  • Remote SSO Service URLs
    Identifies the single sign-on service at this remote IdP. Click Add Row to add an entry to the table.
    Define at least one SSO service.
    The table includes the following columns:
    • Binding
      Specifies the binding that is used for single sign-on by this entity.
      Default:
      HTTP-Redirect
      Options:
      HTTP-Redirect, SOAP
    • URL
      Identifies the URL for the single sign-on service at the IdP.
      Value:
      a valid URL
      Example, if CA Single Sign-On is the producer:
      http://federation_server:8054/affwebservices/public/saml2sso
    • Delete
      Removes the entry from the table.
  • Remote SOAP Artifact Resolution URLs
    (Required only for HTTP-Artifact) Identifies the Artifact Resolution Service at the remote IdP.
    The URL entries include the following settings:
    • Index
      Specifies an index number that identifies the URL of the Artifact Resolution Service at the IdP. The index determines the order in which Artifact Resolution Service URLs are tried when more than one is defined.
      Default:
      0
      Value:
      unique integer from 0 through 99999.
    • URL
      Specifies the URL for the Artifact Resolution Service. If SSL is enabled for this service, the URL must start with https://.
  • Remote SLO Service URLs
    (Optional) Identifies the single logout service at the remote IdP. The table includes the following columns:
    • Binding
      Specifies the binding for SLO by this entity.
      Default:
      HTTP-Redirect
      Options:
      HTTP-Redirect, SOAP
    • Location URL
      Specifies the URL of the single logout service at this remote IdP.
      • The URL is http://server:port/affwebservices/public/saml2slo, where server:port is the server where CA Single Sign-On is installed.
      • For third-party vendors, the URL represents the service handling single logout responses.
    • Response Location URL
      (Optional) Specifies the URL of the single logout service at this remote IdP. A Response Location URL is useful for a configuration where there is one service for single logout requests and one service for single logout responses.
      • For CA Single Sign-On, this value is always the same as the SLO Location URL: http://server:port/affwebservices/public/saml2slo, where server:port is the server where CA Single Sign-On is installed.
      • For third-party vendors, the URL represents the service handling single logout responses.
  • Manage Name ID Service URLs
    (Optional) Identifies the manage name ID service at the remote IdP. Click Add Row to add an entry to the table.
    The table includes the following columns:
    • Binding
      Specifies the binding that is used for the manage name ID service by this entity.
      Default:
      SOAP
      Options:
      HTTP-Redirect, HTTP-POST (read, but unused)
    • Location URL
      Specifies the URL of the Manage Name ID service at this remote IdP.
      For CA Single Sign-On, this value is http://sp_server:port/affwebservices/public/saml2nidsoap, where sp_server:port specifies the server and port number at the SP that is hosting CA Single Sign-On.
    • Response Location URL
      (Optional) Specifies a Response Location URL, which is useful when there is one service for requests and one service for responses. This setting does not apply for the SOAP binding.
      For CA Single Sign-On, this value is always the same as the Location URL: http://stmndr_server:port/affwebservices/public/saml2nidsoap, where stmndr_server:port is the server at the SP where CA Single Sign-On is installed.
  • Remote Attribute Service URLs
    (Optional) Lists the URLs of various Attribute Services at this IdP. Enter the URL of the attribute service that can support attribute queries from an SP. You can add multiple entries by adding rows to the table.
    Example:
    http://host.forwardinc.com/affwebservices/public/saml2attrsvc
Signature and Encryption Options
The Signature and Encryption Options section lets you define the signing and encryption behaviors for federated transactions. The section contains the following fields:
  • Verification Certificate Alias
    (Optional) Specifies the alias that is associated with a specific certificate in the certificate data store. The alias that you provide instructs the Policy Server which certificate to use to verify signed assertions and SLO requests.
    Select an alias from the pull-down list. If the certificate is not in the certificate data store, click Import to import a certificate.
    The certificate must be in the certificate data store before you specify its associated alias in this field.
    Value:
    A selection from the drop-down list
  • Secondary Verification Certificate Alias
    (Optional) Specifies a second verification certificate alias for a certificate in the certificate data store. If signature verification of a request or response fails using the configured verification certificate alias, the local SP uses this secondary certificate alias. The remote IdP sends the verification certificate to the SP before any transaction occurs, using metadata or some other means. Specifying a secondary alias is useful if an IdP rolls over its signing certificate. A rollover can occur for any reason, such as when a certificate expires, a private key is compromised, or the private key size changes. If the certificate is not already in the certificate data store, click Import to import it.
    Value:
    Selection from the drop-down list.
  • Signed Authentication Requests Required
    Indicates that AuthnRequest messages must be signed; otherwise the IdP does not accept them.
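The primary-then-secondary order described for the Secondary Verification Certificate Alias is the whole point of that field: the secondary alias is consulted only when the primary check fails, which is what lets an SP ride out an IdP signing-certificate rollover. The block below is an added example, not CA Single Sign-On code. The alias store is constructed, and HMAC stands in for the public-key check a real SP performs on an XML Signature so that the example runs offline; the fallback order and the audit message that exposes which alias matched are what it demonstrates.

```python
"""Verification-certificate fallback for IdP signing-certificate rollover.

Added example, not CA Single Sign-On code. It models the behaviour described
above: the primary alias is tried first and the secondary alias only when the
primary check fails. The alias store is constructed, and HMAC stands in for the
public-key signature check a real SP performs on an XML Signature, so that the
example runs offline; the fallback order is what the example demonstrates.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed certificate data store: alias -> key material. With real
# certificates this would hold the IdP's public keys (stand-in: HMAC keys).
CERT_STORE: Dict[str, bytes] = {
    "idp-signing-2023": b"constructed-key-material-2023",
    "idp-signing-2024": b"constructed-key-material-2024",
}


def sign_as_idp(alias: str, message: bytes) -> bytes:
    """Stand-in for the IdP signing a message with the key behind `alias`."""
    return hmac.new(CERT_STORE[alias], message, hashlib.sha256).digest()


def check_with_alias(alias: str, message: bytes, signature: bytes) -> bool:
    """Stand-in for verifying `signature` with the certificate stored under `alias`."""
    expected = hmac.new(CERT_STORE[alias], message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def verify_signature(message: bytes, signature: bytes,
                     primary_alias: str,
                     secondary_alias: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Return (verified, alias_used).

    The secondary alias is consulted only after the primary check fails, so a
    successful result naming the secondary alias is the signal that the IdP has
    rolled over and the primary alias should be updated.
    """
    if check_with_alias(primary_alias, message, signature):
        return True, primary_alias
    if secondary_alias is not None and check_with_alias(secondary_alias, message, signature):
        return True, secondary_alias
    return False, None


def audit_line(verified: bool, alias_used: Optional[str], primary_alias: str) -> str:
    """Audit message a practitioner would want for each verification result."""
    if not verified:
        return "REJECT: signature matched neither the primary nor the secondary alias"
    if alias_used == primary_alias:
        return f"OK: verified with primary alias {alias_used}"
    return f"OK (rollover): verified with secondary alias {alias_used}; promote it to primary"


if __name__ == "__main__":
    msg = b'<samlp:Response ID="_constructed">...</samlp:Response>'
    for alias in CERT_STORE:
        ok, used = verify_signature(msg, sign_as_idp(alias, msg),
                                    primary_alias="idp-signing-2023",
                                    secondary_alias="idp-signing-2024")
        print(audit_line(ok, used, "idp-signing-2023"))
```

Two operational points follow from the code: a message that verifies only under the secondary alias should be logged distinctly, because it is the first evidence that the IdP has rolled over and that the primary alias now points at a retired certificate; and a message that verifies under neither alias is rejected outright, since the fallback never widens what is trusted beyond the two aliases the administrator imported.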
Supported Name ID Formats and Attributes (SAML 2.0)
The Supported Name ID Formats and Attributes section allows you to specify the Name ID formats that the entity supports. Additionally, for an Identity Provider it indicates the attributes to add to an assertion.
The Name Identifier names a user in a unique way in the assertion and specifies which attributes to include in the assertion. The format of the Name Identifier establishes the type of content that is used for the ID. For example, the format can be the User DN, in which case the content can be a uid.
Attributes added to an assertion can further identify a user and enable an application using the assertion to be customized for each user.
  • Supported Name ID Formats
    Lists all the Name ID formats that the entity supports. Select all the formats that apply.
    For a description of each format, see the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 specification.
  • Supported Assertion Attributes (local and remote IdP)
    Specifies the attributes that the asserting party includes in the assertion. The table includes the following columns:
    • Assertion Attribute
      Indicates the specific user directory attribute that is included in the assertion.
      Value:
      Name of a valid user directory attribute
    • Supported Format
      Designates the format of the attribute.
      Options:
      Unspecified, Basic, URI
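What this section configures becomes concrete when an assertion arrives: the NameID element carries a Format URI that must be one of the selected Supported Name ID Formats, and each Attribute element carries a NameFormat URI corresponding to Unspecified, Basic or URI. The following added example (not CA Single Sign-On code) parses a constructed, unsigned assertion fragment and reports where it departs from such a configuration; the sample assertion, the attribute names and the `check_assertion` function are constructed for this illustration, while the format URIs are the ones the SAML 2.0 specification defines.

```python
"""Checking an assertion's Name ID format and attribute formats against the
configured Supported Name ID Formats and Supported Assertion Attributes.

Added example, not CA Single Sign-On code. The sample assertion, the attribute
names and the check_assertion function are constructed for this illustration;
the format URIs are the ones defined by the SAML 2.0 specification.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Name ID formats from the SAML 2.0 Core specification (a subset).
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# The three attribute format options listed above, mapped to their SAML NameFormat URIs.
ATTR_FORMATS: Dict[str, str] = {
    "Unspecified": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    "Basic": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "URI": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
}

# Constructed assertion fragment (unsigned, for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://idp_name.forwardinc.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@forwardinc.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>jdoe@forwardinc.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str, supported_nameid_formats: Set[str],
                    expected_attributes: Dict[str, str]) -> List[str]:
    """Compare an assertion with the SP's configuration.

    supported_nameid_formats: the Name ID format URIs selected under Supported Name ID Formats.
    expected_attributes: assertion attribute name -> configured Supported Format label.
    Returns the findings; an empty list means the assertion matches the configuration.
    """
    findings: List[str] = []
    # In production run this only on an assertion whose signature has already been verified.
    root = ET.fromstring(xml_text)

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("assertion carries no NameID")
    else:
        fmt = name_id.get("Format", NAMEID_UNSPECIFIED)  # treat a missing Format as unspecified
        if fmt not in supported_nameid_formats:
            findings.append(f"unsupported NameID format: {fmt}")

    seen: Dict[str, str] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        fmt = attr.get("NameFormat", ATTR_FORMATS["Unspecified"])  # NameFormat defaults to unspecified
        seen[name] = fmt
        if fmt not in ATTR_FORMATS.values():
            findings.append(f"attribute {name!r} has unknown NameFormat {fmt}")

    for name, label in expected_attributes.items():
        if name not in seen:
            findings.append(f"expected attribute {name!r} missing")
        elif seen[name] != ATTR_FORMATS[label]:
            findings.append(f"attribute {name!r}: format {seen[name]} does not match configured {label}")
    return findings


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, {NAMEID_EMAIL, NAMEID_PERSISTENT},
                          {"mail": "Basic", "urn:example:role": "URI"}) or "assertion matches configuration")
```

The check is deliberately strict in one direction only: a NameID format the SP did not select is reported, as is an attribute whose NameFormat differs from the configured Supported Format, but extra attributes the IdP chooses to include are tolerated, since the table above lists what the asserting party adds rather than what the relying party is allowed to receive. Parsing with the standard library is fine for a constructed sample; for input that has not yet been signature-checked, use a hardened XML parser.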