SAML 2.0 Remote SP Entity Configuration
casso126
The Configure Entity step contains the configuration details of a federation entity.
Configure SAML 2.0 Remote SP Entity
The Configure SAML 2.0 Remote SP Entity section lets you identify the entity.
- Entity ID: Identifies the federation entity to a partner. The Entity ID is a universal identifier like a domain name. If the Entity ID represents a remote partner, this value must be unique. If the Entity ID represents a local partner, it can be reused on the same system. For example, if the Entity ID represents a local IdP, this same ID can be used in more than one IdP-to-SP partnership. An Entity ID that represents a remote partner can only belong to a single active partnership.
  Value: URI (URL recommended)
  Note the following guidelines:
  - The entity ID must be a URI, but an absolute URL is recommended.
  - If the entity ID is a URL:
    - The host part of the URL must be a name rooted in the organization's primary DNS domain.
    - The URL must not contain a port number, a query string, or a fragment identifier.
    - Do not use the ampersand (&) in the Entity ID because it is recognized as a separate query parameter.
  - Do not specify a URN.
  - The entity ID for a remote partner must be globally unique to avoid name collisions within and across the federation.
  Examples of Valid Entity IDs:
  - CompanyA:portal1
  - http://idp_name.forwardinc.com/idp
  - https://idp_name.example.edu/sp
  Examples of Invalid Entity IDs:
  - http://idp.ca.com/affwebservices/public/saml2sso?SPID=http://toto.tiit.fr?key=toto&test=1
  - http://idp.ca.com/affwebservices/public/saml2sso?SPID=http://toto.tiit.fr?key=toto (This URL can work, but we do not advise you to use this syntax.)
- Entity Name: Names the entity object in the database. The Entity Name must be a unique value. The system uses the Entity Name internally to distinguish an entity at a particular site. This value is not used externally, and the remote partner is not aware of it. The Entity Name can be the same value as the Entity ID, but the value is never shared with any other entity at the site.
  Value: An alphanumeric string
  Example: Partner1
- Description: Specifies additional information to describe the entity.
  Value: An alphanumeric string up to 1024 characters.
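As an added illustration (not CA's own validation code), the following Python checks a proposed Entity ID against the guidelines listed above and returns every violation it finds; the organization's primary DNS domain (example.edu) is an assumed input, and the values from the valid and invalid examples are the natural inputs to try.

```python
from urllib.parse import urlsplit

# Assumed value: the organization's primary DNS domain that the host of a
# URL-form Entity ID must be rooted in.
ORG_DOMAIN = "example.edu"


def check_entity_id(entity_id, org_domain=ORG_DOMAIN):
    """Return the guideline violations for a proposed Entity ID (empty list = passes).

    The rules are the ones listed on this page; this is not CA's own validator.
    """
    problems = []
    if not entity_id or any(c.isspace() for c in entity_id):
        return ["Entity ID must be a non-empty URI without whitespace"]
    if entity_id.lower().startswith("urn:"):
        problems.append("URNs are not allowed; use an absolute URL")
    if "&" in entity_id:
        problems.append("ampersand (&) is parsed as a query parameter separator")
    parts = urlsplit(entity_id)
    if parts.scheme in ("http", "https"):
        host = parts.hostname or ""
        if not (host == org_domain or host.endswith("." + org_domain)):
            problems.append(f"host {host!r} is not rooted in {org_domain}")
        try:
            has_port = parts.port is not None
        except ValueError:  # a non-numeric port is still a port
            has_port = True
        if has_port:
            problems.append("URL must not contain a port number")
        if parts.query:
            problems.append("URL must not contain a query string")
        if parts.fragment:
            problems.append("URL must not contain a fragment identifier")
    elif not parts.scheme:
        # No scheme at all: the value cannot be a URI.
        problems.append("value is not a URI (no scheme)")
    # Any other absolute URI (for example CompanyA:portal1) is accepted,
    # although an absolute URL is recommended.
    return problems
```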
Assertion Consumer Service URLs
The Assertion Consumer Service URLs section specifies the service at this remote SP that consumes assertions. Click Add Row to add an entry to the table.
Be sure to define at least one Assertion Consumer Service entry.
The table includes the following columns:
- Index: Specifies the index number that is associated with the URL of the Assertion Consumer Service.
  Default: 0
  Value: Unique integer from 0 through 99999.
- Binding: Specifies the binding that this endpoint uses for single sign-on. The IdP can initiate single sign-on with an unsolicited request. If the request includes the ProtocolBinding query parameter, the binding specified in the query parameter overrides the value that is selected for this field.
  Options: HTTP-Artifact, HTTP-POST, SOAP
- URL: Specifies the URL for the Assertion Consumer Service. If SSL is enabled for the service, the URL must start with https://.
- Default: Indicates that the selected Assertion Consumer Service entry serves as the default URL for consuming assertions. Only one entry can be set as the default.
SLO Service URLs
(Optional) In this section, identify the single logout service at this remote SP. Click Add Row to add an entry to the table.
The table includes the following columns:
- Binding: Specifies the binding that is used for SLO by this entity.
  Default: HTTP-Redirect
  Options: HTTP-Redirect, SOAP
- Location URL: Specifies the URL of the single logout service at this remote SP.
  - For CA Single Sign-On, this value is: http://sp_server:port/affwebservices/public/saml2slo
    sp_server:port specifies the server and port number at the SP that is hosting CA Single Sign-On.
  - For third-party vendors, the URL represents the single logout service.
- Response Location URL: (Optional) Specifies the URL of the single logout service at this remote SP. A Response Location URL is useful when there is one service for single logout requests and one service for single logout responses.
  - For CA Single Sign-On, this value is always the same as the SLO Location URL: http://sp_server:port/affwebservices/public/saml2slo
    sp_server:port is the server at the SP where CA Single Sign-On is installed.
  - For third-party vendors, the URL represents the service handling single logout responses.
Manage Name ID Service URLs
(Optional) Identifies the manage name ID service at the remote SP. Click Add Row to add an entry to the table.
The table includes the following columns:
- Binding: Specifies the binding that is used for the manage name ID service by this entity.
  Default: SOAP
  Options: HTTP-Redirect, HTTP-POST (read, but unused)
- Location URL: Specifies the URL of the Manage Name ID service at this remote SP.
  - For CA Single Sign-On, this value is: http://sp_server:port/affwebservices/public/saml2nidsoap
    sp_server:port specifies the server and port number at the SP that is hosting CA Single Sign-On.
- Response Location URL: (Optional) Specifies a Response Location URL, which is useful when there is one service for requests and one service for responses. Does not apply to the SOAP binding.
  - For CA Single Sign-On, this value is always the same as the Location URL: http://sp_server:port/affwebservices/public/saml2nidsoap
    sp_server:port is the server at the SP where CA Single Sign-On is installed.
Signature and Encryption Options
The Signature and Encryption Options define the signing and encryption behaviors for federated transactions. This section contains the following settings:
- Verification Certificate Alias: (Optional) Specifies the alias that is associated with a specific certificate in the certificate data store. The alias that you provide tells the Policy Server which certificate to use to verify signed assertions and SLO requests. Select an alias from the pull-down list. If the certificate is not available, click Import to import it. The certificate must be in the certificate data store before you specify its associated alias in this field.
  Value: Selection from the drop-down list
- Secondary Verification Certificate Alias: (Optional) Specifies a second verification certificate alias in the certificate data store. If signature verification of requests or responses fails using the verification certificate alias, the IdP uses this secondary verification alias to verify the signature. The remote SP sends the verification certificate to the IdP before any transaction occurs, using metadata or some other means. Specifying a secondary alias is useful when an SP rolls over its signing certificate. A rollover can occur for any reason, such as when a certificate expires, a private key is compromised, or the private key size changes. If the certificate is not already in the certificate data store, click Import to import one.
  Value: Selection from the drop-down list
- Encryption Certificate Alias: (Optional) Specifies the alias that is associated with a specific certificate in the certificate data store. By completing this field, you indicate which certificate the remote SP supplies to the IdP; the IdP uses this certificate for encryption, and the SP performs decryption with its private key. Select an alias from the pull-down list, or click Import to import a certificate if the desired key is not available. The certificate must be in the certificate data store before you specify its associated alias in this field.
  Value: Selection from the drop-down list
- Sign Authentication Requests: Indicates that AuthnRequest messages that the SP sends require a signature. Signing the request secures trust between the two sides of the partnership.
Supported Name ID Formats
The Supported Name ID Formats section allows you to specify the Name ID formats that the entity supports.
The Name Identifier names a user in a unique way in the assertion and specifies which attributes to include in the assertion. The format of the Name Identifier establishes the type of content that is used for the ID. For example, the format can be the User DN, in which case the content can be a uid.
- Supported Name ID Formats: Lists all the Name ID formats that the entity supports. Select all the formats that apply. For a description of each format, see the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 specification.
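The remote SP usually supplies the values for the Assertion Consumer Service, SLO Service, Manage Name ID Service, verification certificate, Sign Authentication Requests and Supported Name ID Formats sections above through its SAML metadata. As an added example, not code from the product or its documentation, the following Python reads a constructed SP metadata document and extracts those fields, applying the page's two Assertion Consumer Service checks (at least one entry, only one default). The sample metadata, endpoint URLs and certificate placeholder are constructed.

```python
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Constructed sample SP metadata (not from a real deployment); the certificate
# element holds a placeholder, not a real X.509 value.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD[1:-1]}" entityID="https://sp.example.edu/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BINDINGS}HTTP-Redirect" Location="https://sp.example.edu/slo"
        ResponseLocation="https://sp.example.edu/slo/response"/>
    <md:ManageNameIDService Binding="{BINDINGS}SOAP" Location="https://sp.example.edu/mni"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{BINDINGS}HTTP-POST"
        Location="https://sp.example.edu/acs"/>
    <md:AssertionConsumerService index="1" Binding="{BINDINGS}HTTP-Artifact"
        Location="https://sp.example.edu/acs/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def endpoint(el):
    """Binding / Location URL / Response Location URL columns for one endpoint row."""
    b = el.get("Binding", "")
    return {"binding": b[len(BINDINGS):] if b.startswith(BINDINGS) else b,  # e.g. HTTP-POST
            "location": el.get("Location"), "response_location": el.get("ResponseLocation")}

def parse_sp_metadata(xml_text):
    """Extract the Remote SP fields this page describes and apply its basic checks."""
    root = ET.fromstring(xml_text)
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [{"index": int(e.get("index")), "default": e.get("isDefault") == "true", **endpoint(e)}
           for e in sp.findall(MD + "AssertionConsumerService")]
    if not acs:
        raise ValueError("define at least one Assertion Consumer Service entry")
    if sum(a["default"] for a in acs) > 1:
        raise ValueError("only one Assertion Consumer Service entry can be the default")
    # A KeyDescriptor with no use attribute is valid for both signing and encryption.
    signing = [k for k in sp.findall(MD + "KeyDescriptor") if k.get("use") in (None, "signing")]
    return {
        "entity_id": root.get("entityID"),
        "sign_authn_requests": sp.get("AuthnRequestsSigned") == "true",
        "acs": sorted(acs, key=lambda a: a["index"]),
        "slo": [endpoint(e) for e in sp.findall(MD + "SingleLogoutService")],
        "manage_name_id": [endpoint(e) for e in sp.findall(MD + "ManageNameIDService")],
        "name_id_formats": [e.text.strip() for e in sp.findall(MD + "NameIDFormat")],
        "verification_cert_count": len(signing),
    }
```

The returned dictionary maps one-to-one onto the UI fields: each ACS row gives Index, Binding, URL and Default, each SLO or Manage Name ID row gives Binding, Location URL and Response Location URL, and verification_cert_count tells you how many signing certificates need to be imported into the certificate data store before their aliases can be selected.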