SAML 1.1 Local Producer Entity Dialog
Contents
casso127
HID_local-saml1-producer-entity
Contents
Configure SAML 1.1 Local Producer Entity
The Configure Local SAML 1.1 Producer Entity section lets you identify the entity. The settings include:
- casso127Entity IDIdentifies the federation entity to a partner. The Entity ID is a universal identifier like a domain name. If the Entity ID represents aremote partner,this value must be unique. If the Entity ID represents alocal partner,it can be reused on the same system. For example, if the Entity ID represents a local asserting party, this same ID can be used in more than one partnership.An Entity ID that represents a remote partner can only belong to a single active partnership.Value:URI (URL recommended)Note the following guidelines:
- The entity ID must be a URI, but an absolute URL is recommended.
- If the entity ID is a URL:
- The host part of the URL must be a name rooted in the organization's primary DNS domain.
- The URL must not contain a port number, a query string, or a fragment identifier.
- Do not use the ampersand (&) in the Entity ID because it is recognized as a separate query parameter.
- Do not specify a URN.
- The entity ID for a remote partner be globally unique to avoid name collisions within and across the federation.
Examples of Valid Entity IDsExamples of Invalid Entity IDs:- http://idp.ca.com/affwebservices/public/saml2sso?SPID=http://toto.tiit.fr?key=toto(This URL can work, but we do not advise you use this syntax)
Entity NameNames the entity object for in the policy store. The Entity Name must be a unique value.CA Single Sign-Onuses the Entity Name internally to distinguish an entity at a particular site. This value is not used externally and the remote partner is not aware of this value.Note:The Entity Name can be the same value as the Entity ID, but the value is not shared with any other entity at the site.Value:An alphanumeric stringExample:Partner1DescriptionSpecifies additional information to describe the entity.Value:An alphanumeric string up to 1024 charactersSource ID(SAML 1.1 HTTP-Artifact only) Specifies a unique ID in the SAML artifact that identifies the producer. The consumer uses this ID to identify an assertion issuer.The SAML specification defines a source ID as a 20-byte binary, hex-encoded number that identifies the producer. The Source ID value you specify must be the 40-byte Hex representation of that value.We recommend that you specify the SHA1 hash of the Entity ID as the Source ID value. If you do not enter a value for this parameter, the product uses this value by default.Default:SHA1 hash of the Entity IDBase URLSpecifies the base location of the server that is visible to the intended users of the federation. This server is typically whereCA Single Sign-Onis installed. The server can also be the URL of the server that hosts federation services. The base URL enablesCA Single Sign-Onto generate relative URLs in other parts of the configuration, making configuration more efficient.You can edit the Base URL. For example, you can possibly configure virtual hosts for theCA Single Sign-Onsystem. One virtual host handles the Administrative UI communication. The other virtual host handles the user traffic that the embedded Apache Web Server processed. In this case, you can edit the Base URL to point only to the server and HTTP port of the Apache Web Server.Value:valid URLExample:https://fedserver.ca.com:5555Note the following important guidelines for modifying this field:- If you modify the base URL, do not put a forward slash at the end of the base URL. A final slash results in two slashes being appended to other URLs that use this base URL.
- For failover support, the value of this field is the host name and port of the system managing failover to the other systems. This system can be a load balancer or proxy server.
Default Signature Options (SAML 1.1 Local Producer)
The Default Signature section defines the signing behavior for federated communication. The section contains the following setting:
- Signing Private Key Alias(Optional) Specifies the alias that is associated with a specific private key in the certificate data store. By completing this field, you are indicating which private key the asserting party uses to sign assertions, assertion responses, and requests.If the key you want to use is not already in the certificate data store, you can click Import to import it before proceeding.Note:The private key is already stored in the certificate data store before you specify its associated alias in this field.Value:selection from the drop-down list
Supported Name ID Formats and Attributes
casso127
The Supported Name ID Formats and Attributes section has two functions:
- Specifies the Name ID formats that the entity supports.The Name Identifier names a user in a unique way in the assertion and specifies which attributes to include in the assertion. The format of the Name Identifier establishes the type of content that is used for the ID. For example, the format can be the User DN so the content can be a uid.
- For the asserting party, you specify attributes to include in an assertion.Attributes added to an assertion can further identify a user and enable an application using the assertion to be customized for each user.
Supported Name ID Formats and Attributes
From the list of options, select all the formats that apply. To select all formats, select Select Name ID Formats.
For a description of each format, see the specification for the SAML or WS-Federation profile.
- Supported Assertion AttributesSpecifies the attributes that the producer includes in the assertion. Click Add to include an attribute in the table. The table includes the following columns:
- Assertion AttributeIndicates the specific attribute in the assertion.Value:name of a valid assertion attribute
- NamespaceDesignates a collection that uniquely identifies names.Value:Any namespace name
- DeleteClick the icon and the entry is removed from the table.