Single Sign-on Dialog (OAuth)

The Single Sign-On step lets you configure single sign-on operation.
  • Client Authentication ID (OAuth 2.0)
    Defines the client ID that the authorization server generates when the client application registers successfully.
  • Client Secret and Confirm Client Secret (OAuth 2.0)
    Indicates the secret associated with the client ID. Update the value of this setting with the secret associated with the client ID. The authorization server provides this value when the application is successfully registered.
  • Consumer Key (OAuth 1.0a)
    Defines the consumer key that the authorization server generates when the client application registers successfully.
  • Consumer Secret and Confirm Consumer Secret (OAuth 1.0a)
    Defines the secret value of the consumer key.
  • Authorization Service URL
    Provides the authorization server endpoint URL for this provider. This URL must generate an authorization token after successful authentication of a user.
    For example, the authorization URL for Google is https://accounts.google.com/o/oauth2/auth.
  • Support Authorization Header (OAuth 2.0)
    Specifies whether an authorization server must verify the authorization header for the client credentials. If you select this option, the system sends the client credentials in the Authorization header. If you do not select this option, the system sends the client credentials in the request body as the client ID and client secret parameters.
    OAuth 2.0 recommends that you do not send the client credentials in the request body unless you cannot directly use a password-based HTTP authentication scheme.
  • Remote Server Timeout
    Defines the maximum time that an OAuth client must wait for a response from an OAuth authorization server.
  • Access Token Service URL
    Provides the access token endpoint URL. A user can obtain an access token by exchanging the authorization code together with the application configuration details.
    For example, the access token URL for Google is https://accounts.google.com/o/oauth2/token.
  • Validate Access Token Type (OAuth 2.0)
    Specifies whether the type of the access token that the OAuth authorization server sends must be validated against the supported access token types.
  • Access Token Query Parameter
    Identifies the access token that the identity provider sends for the access token request.
  • Supported Access Token Types (OAuth 2.0)
    Specifies the access token types that are supported. You can add the supported access token types by using the Add Row option.
    If an authorization server does not report the token type that it uses, OAuth recommends that you do not configure the supported access token type value for the authorization server.
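    The two settings above, Support Authorization Header and Validate Access Token Type with Supported Access Token Types, are shown in the following added example, which is not CA Single Sign-On code. It builds the access token request both ways (credentials in the Authorization header or in the request body) and checks the reported token_type only when a supported list is configured; the client ID, secret, code and redirect URI are constructed sample values.

```python
# Added example (not CA Single Sign-On's own code). Shows how the
# "Support Authorization Header" setting changes where client credentials
# go in the token request, and how "Validate Access Token Type" checks the
# token_type the authorization server reports.
import base64
import json
from urllib.parse import quote, urlencode

ACCESS_TOKEN_URL = "https://accounts.google.com/o/oauth2/token"  # from the page


def build_token_request(client_id, client_secret, code, redirect_uri,
                        support_authorization_header=True):
    """Return (headers, body) for an authorization-code exchange.

    support_authorization_header=True puts the credentials in an HTTP Basic
    Authorization header (the form RFC 6749 prefers); False puts client_id
    and client_secret in the form-encoded request body instead.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if support_authorization_header:
        # RFC 6749 2.3.1: form-urlencode id and secret, then base64 "id:secret"
        cred = f"{quote(client_id)}:{quote(client_secret)}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    return headers, urlencode(params)


def validate_token_response(raw_json, supported_types=("Bearer",), validate=True):
    """Parse a token response and return the access token.

    token_type is enforced only when validation is on and a supported list is
    configured; leave the list empty for servers that do not report a type,
    as the page advises. token_type is case-insensitive (RFC 6749 5.1).
    """
    resp = json.loads(raw_json)
    if "access_token" not in resp:
        raise ValueError("no access_token in response")
    if validate and supported_types:
        ttype = resp.get("token_type")
        if ttype is None:
            raise ValueError("server did not report token_type")
        if ttype.lower() not in {t.lower() for t in supported_types}:
            raise ValueError(f"unsupported token_type {ttype!r}")
    return resp["access_token"]
```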
  • Authz Server Offset (Seconds) (OAuth 1.0a)
    Defines the time to offset your local machine time to synchronize with the time of an authorization server.
  • Protection Level
    Allows single sign-on for authentication schemes of equal or lower protection levels within the same policy domain. Additional authentication is required to access resources protected by schemes with a higher protection level.
    Value: 1 through 1000.
    Authentication schemes have a default protection level that you can change. Use high protection levels for critical resources and lower-level schemes for commonly accessible resources.
  • Enable Synchronous Auditing
    Indicates that CA Single Sign-On must log Policy Server and Web Agent actions before it allows access to resources. CA Single Sign-On does not allow access to the realm resources until after the activity has been recorded in the audit logs.
  • Use Persistent Session
    (Optional) Specifies that user sessions are tracked and saved in the session store and in cookies. The Policy Server has access to this information for use in authentication decisions.
    Select this check box to enable persistent sessions. Selecting this check box is required for the single logout and single use policies features.
    To see this check box, enable the Session Server using the CA Single Sign-On Policy Server Management Console.
  • Validation Period
    Determines the maximum period between the agent calls to the Policy Server for validating a session. The session validation calls inform the Policy Server that a user is still active and confirm that the user session is still valid.
    To specify the validation period, enter values in the Hours, Minutes, and Seconds fields. If you are configuring the system to provide a Windows user security context, set this value high, for example, 15-30 minutes. If active sessions are fewer than the Agent maximum user session cache value, the Agent does not have to revalidate a session.
    The session validation period must be less than the specified Idle Timeout value.
    To see this setting, enable the Session Server using the Policy Server Management Console.