Affiliate General Settings

The following fields and controls are on the General page for SAML 1.x affiliates:
  • Name
    Defines the name of the consumer. This name must be unique across all affiliate domains.
  • Description
    Defines a brief description of the consumer.
  • Password
    Defines the password that a consumer uses to identify itself to the producer site so it can retrieve an assertion.
  • Confirm Password
    Confirms the password entered in the Password field.
  • Active
    Indicates whether the legacy federation configuration is in use for a particular partnership. If the Policy Server is using the legacy federation configuration, confirm this check box is selected. If you have recreated a federated partnership with similar values for identity settings, such as source ID, clear this check box before activating the federated partnership. CA Single Sign-On cannot work with a legacy and partnership configuration that use the same identity values, or a name collision occurs.
  • Use Secure URL
    This setting instructs the single sign-on service to encrypt only the SMPORTALURL query parameter. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.
    If you select the Use Secure URL check box, complete the following steps:
    1. Set the Authentication URL field to the following URL: http(s)://idp_server:port/affwebservices/secure/secureredirect
    2. Protect the secureredirect web service with a policy.
    If the asserting party serves more than one relying partner, the asserting party probably authenticates different users for these different partners. As a result, for each Authentication URL that uses the secureredirect service, include this web service in a different realm for each partner.
    To associate the secureredirect service with different realms, modify the web.xml file and create different resource mappings. Do not copy the secureredirect web service to different locations on your server. Locate the web.xml file in the directory web_agent_home/affwebservices/WEB-INF, where web_agent_home is the installed location of the web agent.
  • Authentication URL
    Specifies a protected URL that federation uses to authenticate users and create a session when a protected resource is requested. If the authentication mode is set to local and a user has not logged in at the asserting party, users are sent to this URL. This URL must point to the redirect.jsp file, unless you select the Use Secure URL check box.
    Example: http://myserver.idpA.com/siteminderagent/redirectjsp/redirect.jsp
    myserver identifies the web server with the Web Agent Option Pack or the SPS federation gateway. The redirect.jsp file is included with the Web Agent Option Pack or SPS federation gateway that is installed at the asserting party.
    Protect the Authentication URL with an access control policy. For the policy, configure an authentication scheme, realm, and rule. To add session store attributes to the assertion, enable the Persist Authentication Session Variables check box, which is a setting in the authentication scheme.
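The protection that an encrypted SMPORTALURL gives the Authentication URL redirect, shown as an added example that is not CA's code: a keyed HMAC tag stands in for the product's encryption (an assumption made here so the check runs with the standard library), and the names build_auth_url, resolve_redirect, rewrite_portal_url and SECRET_KEY are hypothetical.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs, urlunparse

# Constructed demo key; a real deployment keeps the key inside the federation
# components that build and consume the redirect (hypothetical name).
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _tag(value: str, key: bytes) -> str:
    """Integrity tag over the SMPORTALURL value (stand-in for encryption)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def build_auth_url(auth_url: str, smportalurl: str, key: bytes = SECRET_KEY) -> str:
    """Append SMPORTALURL plus its tag to the Authentication URL before redirecting."""
    query = urlencode({"SMPORTALURL": smportalurl, "SMPORTALSIG": _tag(smportalurl, key)})
    parts = urlparse(auth_url)
    sep = "&" if parts.query else ""
    return urlunparse(parts._replace(query=parts.query + sep + query))


def resolve_redirect(url: str, key: bytes = SECRET_KEY):
    """Return the post-authentication destination only if SMPORTALURL is intact.

    A missing or mismatching tag means the value was altered in transit, so the
    service refuses to redirect (returns None) instead of sending the user on.
    """
    qs = parse_qs(urlparse(url).query)
    target = qs.get("SMPORTALURL", [None])[0]
    sig = qs.get("SMPORTALSIG", [None])[0]
    if target is None or sig is None:
        return None
    if not hmac.compare_digest(sig, _tag(target, key)):
        return None
    return target


def rewrite_portal_url(url: str, new_target: str) -> str:
    """Test helper: change SMPORTALURL while leaving the old tag in place,
    which is exactly the modification the secure URL is meant to detect."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    qs["SMPORTALURL"] = [new_target]
    return urlunparse(parts._replace(query=urlencode(qs, doseq=True)))
```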
The following sections are also part of the general page:
  • Restrictions
    Lets you configure IP address and time restrictions on the assertion generation policy for the Service Provider.
    • Time
      • Set
        Opens the Time dialog so you can configure the availability of the Resource Partner. When you add a time restriction, the Service Provider functions only during the period specified.
      • Clear
    • IP Addresses
    Lists restricted IP addresses that are configured for the policy for the Service Provider resources. You can specify an IP address, range of IP addresses, or a subnet mask of the web server. A browser must be running on this server for the user to access a Service Provider.
    • Add
      Opens an empty Add IP Address dialog from where you can create an IP address restriction.
  • Advanced
    Configures a plug-in to customize the content of the assertion. Provides an option to set a one-time use condition for the assertion.
    • Assertion Customization Plug-in
      The following parameters let you customize the content of the assertion:
      • Full Java Class Name
        Defines the Java class name of the plug-in that the Assertion Generator invokes at run time. The plug-in class can parse and modify the assertion, and then return the result to the Assertion Generator for final processing.
        Only one plug-in is allowed for each consumer. For example: com.mycompany.assertiongenerator.AssertionSample
      • Parameters
        (Optional) Defines a string of parameters that gets passed to the plug-in as a parameter at run time. The string can contain any value; there is no specific syntax to follow.
      • Additional Assertion Configuration
        The following setting applies a condition to the use of the assertion at the SP.
        • Set DoNotCache Condition
          Instructs the IdP to add the <DoNotCacheCondition> element within the <Conditions> element of an assertion. This condition tells the SP that is receiving the assertion to use the assertion immediately and not retain it for future use. The <DoNotCacheCondition> element is useful because information in an assertion can change or expire. Instead of reusing the assertion, the SP must request a new assertion from the IdP.
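Where the DoNotCacheCondition element sits in a SAML 1.x assertion and how a relying party should honour it, as an added example that is not CA's code: build_assertion, sp_may_cache and sp_consume are hypothetical names, and the AssertionID value is a constructed placeholder.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML_NS)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def q(tag: str) -> str:
    """Qualify a tag with the SAML 1.x assertion namespace."""
    return "{%s}%s" % (SAML_NS, tag)


def build_assertion(issuer: str, name_id: str, lifetime_s: int, do_not_cache: bool) -> str:
    """Minimal SAML 1.1 assertion; do_not_cache mirrors 'Set DoNotCache Condition'."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    assertion = ET.Element(q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "constructed-assertion-id",  # placeholder, not a real unique ID
        "Issuer": issuer, "IssueInstant": now.strftime(TIME_FMT)})
    conds = ET.SubElement(assertion, q("Conditions"), {
        "NotBefore": now.strftime(TIME_FMT),
        "NotOnOrAfter": (now + timedelta(seconds=lifetime_s)).strftime(TIME_FMT)})
    if do_not_cache:
        # The IdP-side setting adds this empty element inside <Conditions>.
        ET.SubElement(conds, q("DoNotCacheCondition"))
    stmt = ET.SubElement(assertion, q("AuthenticationStatement"), {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": now.strftime(TIME_FMT)})
    subject = ET.SubElement(stmt, q("Subject"))
    ET.SubElement(subject, q("NameIdentifier")).text = name_id
    return ET.tostring(assertion, encoding="unicode")


def sp_may_cache(assertion_xml: str) -> bool:
    """SP-side rule: an assertion carrying DoNotCacheCondition is single-use."""
    conds = ET.fromstring(assertion_xml).find(q("Conditions"))
    if conds is None:
        return True
    return conds.find(q("DoNotCacheCondition")) is None


def sp_consume(assertion_xml: str, cache: dict) -> bool:
    """Use the assertion now; keep it for reuse only when caching is allowed.
    Returns True when the assertion was retained in the cache."""
    if not sp_may_cache(assertion_xml):
        return False  # must request a fresh assertion from the IdP next time
    cache[ET.fromstring(assertion_xml).get("AssertionID")] = assertion_xml
    return True
```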