SAML 2.0 Authentication Scheme--SSO Settings

The SSO settings are where you configure how single sign-on (SSO) is handled at the Service Provider.
The SSO section of the page includes the following settings:
  • Redirect Mode
    Specifies the method by which the Service Provider redirects the user to the target resource. If you select 302 No Data or 302 Cookie Data, no other configuration is required. If you select Server Redirect or PersistAttributes, additional configuration is required.
    • 302 No Data (default)
      User is redirected by using an HTTP 302 redirect with a session cookie, but no other data.
    • 302 Cookie Data
      User is redirected by using an HTTP 302 redirect with a session cookie and additional cookie data, which CA Single Sign-On has configured for the Service Provider at the Identity Provider.
    • Server Redirect
      Enables header and cookie attribute information received in the assertion to be passed to the custom target application. The SAML 2.0 Assertion Consumer Service or WS-Federation Security Token Consumer Service collects the user credentials, then transfers the user to the target application URL using server-side redirects. Server-side redirects are part of the Java Servlet specification, and all standards-compliant servlet containers support them.
      To use this mode, follow these requirements:
      • The URL you specify for this mode must be relative to the context of the servlet that is consuming the assertion, which is typically /affwebservices/public/. The root of the context is the root of the Federation Web Services application, typically /affwebservices/.
        All target application files must be in the application root directory. This directory is either:
        —Web Agent: web_agent_home\webagent\affwebservices
        —CA Access Gateway: sps_home\secure-proxy\Tomcat\webapps\affwebservices
      • Define realms, rules, and policies to protect target resources. You define the realms with at least the value /affwebservices/ in the resource filter.
      • Install a custom Java or JSP application on the server that is serving the Federation Web Services application. Federation Web Services is installed with the Web Agent Option Pack or CA Access Gateway.
        Java servlet technology allows applications to pass information between two resource requests using the setAttribute method of the ServletRequest interface.
        The service that consumes assertions sends the user attribute to the target application before redirecting the user to the target. The service sends the attributes by creating a java.util.HashMap object. The attribute that contains the HashMap of SAML attributes is “Netegrity.AttributeInfo.”
        The service that consumes assertions passes two other java.lang.String attributes to the custom application:
        —The Netegrity.smSessionID attribute represents the CA Single Sign-On session ID.
        —The Netegrity.userDN attribute represents the CA Single Sign-On user DN.
        The custom target application reads these objects from the HTTP request and uses the data found in the hashmap objects.
    • Persist Attributes
      The user is redirected by using an HTTP 302 redirect with a session cookie, but no other data. Additionally, this mode instructs the Policy Server to store attributes that are extracted from an assertion in the session store so they can be supplied as HTTP header variables. For additional configuration, see the instructions for using SAML attributes as HTTP headers.
      To see this option, enable the session store using the CA Single Sign-On Policy Server Management Console.
      If you select Persist Attributes and the assertion contains attributes that are left blank, a value of NULL is written to the session store. This value acts as a placeholder for the empty attribute. The value is passed to any application using the attribute.
  • SSO Service
    Specifies the URI of the Single Sign-On service at an Identity Provider. This URI is the location where the AuthnRequest service redirects an AuthnRequest message, which contains the Service Provider ID. The default URL is:
    http://idp_host:port/affwebservices/public/saml2sso
  • Audience
    Specifies the audience for the SAML assertion. The Audience is a URL that identifies the location of a document that describes the terms and conditions of the business agreement between the Identity Provider and the Service Provider. The administrator at the Identity Provider site determines the audience, which matches the audience for the Service Provider.
    The audience value does not exceed 1K and is case-sensitive. For example:
    http://www.ca.com/SampleAudience
  • Target
    (Optional) Specifies the target resource URI at the destination Service Provider site.
    The Service Provider does not have to use the default target. The link that initiates single sign-on can contain a query parameter that specifies the target.
  • Allow IdP to Create New User Identifier
    If the Service Provider sends an AuthnRequest message to the Identity Provider to get an assertion, checking this box sets the AllowCreate attribute in the AuthnRequest message to true. The AllowCreate attribute instructs the Identity Provider to generate a new value for the NameID. The AllowCreate feature is enabled at the Identity Provider. This new value for the NameID is included in the assertion.
  • Enhanced Client and Proxy Profile
    Enables processing of requests using the SAML 2.0 Enhanced Client and Proxy (ECP) Profile.
  • Sign Auth Requests
    Instructs the Policy Server at the Service Provider to sign the AuthnRequest after it is generated. This check box is required if the Identity Provider requires signed AuthnRequests. The AuthnRequest Service redirects the signed AuthnRequest to the single sign-on service URL.
  • Relay State Overrides Target
    (Optional) Replaces the value specified in the Target field with the value of the Relay State query parameter for SP-initiated or IdP-initiated single sign-on. This check box gives you more control over the target because using the Relay State query parameter lets you dynamically define the target.
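A minimal custom target application for the Server Redirect mode described above, added here as an example (it is not code from this page or from CA Single Sign-On). It reads the three request attributes the assertion consumer sets; the class name, the response text, and the use of the javax.servlet API are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Custom target application for Server Redirect mode (added example; the class
// name and response text are hypothetical). It is deployed inside the Federation
// Web Services application so the Assertion Consumer Service can forward to it
// server-side; the URL configured in the auth scheme is relative to that servlet
// context (typically /affwebservices/public/).
public class FederationTargetServlet extends HttpServlet {

    // Request attribute names the assertion consumer sets before forwarding.
    static final String ATTR_INFO = "Netegrity.AttributeInfo";
    static final String ATTR_SESSION_ID = "Netegrity.smSessionID";
    static final String ATTR_USER_DN = "Netegrity.userDN";

    // service() covers both GET (artifact binding) and POST (POST binding),
    // since a server-side forward keeps the original request method.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Object info = req.getAttribute(ATTR_INFO);
        Object sessionId = req.getAttribute(ATTR_SESSION_ID);
        Object userDn = req.getAttribute(ATTR_USER_DN);

        // Request attributes live only for the duration of the forward; a browser
        // requesting this URL directly carries none of them, so refuse such a
        // request instead of treating it as a completed federation hand-off.
        if (!(info instanceof Map) || !(sessionId instanceof String)
                || !(userDn instanceof String)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Map<?, ?> samlAttrs = (Map<?, ?>) info;
        // The session ID is the SSO session token: keep it server-side (here only
        // its presence is logged) and never write it into the response.
        log("federation hand-off for " + userDn + " with session ID present");
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Authenticated user DN: " + userDn);
        for (Map.Entry<?, ?> e : samlAttrs.entrySet()) {
            // A blank assertion attribute may arrive as null; show that explicitly.
            out.println(e.getKey() + " = " + (e.getValue() == null ? "<empty>" : e.getValue()));
        }
    }
}
```

Map the servlet to a URL under the Federation Web Services context and protect that URL with the realm, rule, and policy described above; the forwarded request still passes through the Web Agent's authorization.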
Bindings
The bindings section is where you configure the Artifact and POST single sign-on bindings that you want the Service Provider to support.
SAML 2.0 Auth Scheme--Bindings--Artifact
If the Service Provider supports the artifact binding, configure the settings in this section. For SAML 2.0 artifact single sign-on, the settings include:
  • Artifact
    Defines the HTTP-Artifact profile configuration.
    • HTTP Artifact
      Enables the artifact binding (when enabled, the following associated controls are activated).
  • Sign ArtifactResolve
    Indicates that the artifact resolve message requires signing. The request retrieves the original SAML message from the Service Provider.
    If you select this check box, the Identity Provider is configured to require a signed artifact resolve message.
    Digital signature processing is enabled to sign the artifact resolve message.
  • Override system generated IdP Source ID
    Allows you to specify an IdP Source ID in the associated field. The default is a SHA-1 hash of the IdP ID. Values must be a 40-digit hexadecimal number.
  • Require Signed ArtifactResponse
    Indicates that the Service Provider only accepts a signed artifact response.
    If you select this check box, the Identity Provider is configured to sign the artifact response.
    Digital signature processing is enabled to process the signed response.
  • Index
    Enabled upon selecting the HTTP-Artifact check box, this field assigns an AssertionConsumerServiceIndex parameter for the artifact binding. If you have multiple endpoints in a federated network, assign an index for the Assertion Consumer Service. The index value tells the Identity Provider where to send the response. Enter an integer in the range of 0-65535.
  • Resolution Service
    Specifies the URL of the Artifact Resolution Service at the Identity Provider. The default URL is:
    http://host:port/affwebservices/saml2artifactresolution
  • Source ID
    Defines the source ID of the Identity Provider.
    The SAML specification defines a source ID as a 20-byte binary, hex-encoded number that identifies the party issuing the assertion. The Service Provider uses this ID to identify an assertion issuer.
    The value of the Source ID is automatically generated based on the IdP ID value, which is located in the General settings of the authentication scheme. When you select the option Override system generated IdP Source ID, enter a value the Identity Provider supplies to you in an out-of-band communication.
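An added example (not code from this page or from CA Single Sign-On) that derives a Source ID the way the text describes, validates an override value, and goes one step beyond the page by showing how a Service Provider uses the Source ID carried inside a received artifact to identify the issuing Identity Provider. The artifact layout used is the type 0x0004 format from the SAML 2.0 Bindings specification; the UTF-8 encoding of the IdP ID and the sample IdP IDs are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not CA code): derives a Source ID as the page describes (SHA-1 of
// the IdP ID, 20 bytes as 40 hex digits), validates an override, and shows how the
// SP matches the Source ID inside a SAML 2.0 type 0x0004 artifact (layout from the
// SAML 2.0 Bindings spec) to an IdP. UTF-8 encoding and sample IdP IDs are assumed.
public final class SourceId {
    static byte[] sha1(String s) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
    }
    static String hex(byte[] b, int from, int to) {
        StringBuilder sb = new StringBuilder();
        for (int i = from; i < to; i++) sb.append(String.format("%02x", b[i]));
        return sb.toString();
    }
    // Default Source ID: SHA-1 of the IdP ID from the scheme's General settings.
    public static String fromIdpId(String idpId) throws Exception {
        return hex(sha1(idpId), 0, 20);
    }
    // An override entered in the auth scheme must be exactly 40 hex digits.
    public static boolean isValidOverride(String v) {
        return v != null && v.matches("[0-9A-Fa-f]{40}");
    }
    // Type 0x0004 artifact: TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20).
    public static String sourceIdFromArtifact(String base64Artifact) {
        byte[] a = Base64.getDecoder().decode(base64Artifact);
        if (a.length != 44 || a[0] != 0 || a[1] != 4)
            throw new IllegalArgumentException("not a SAML 2.0 type 0x0004 artifact");
        return hex(a, 4, 24);
    }

    public static void main(String[] args) throws Exception {
        // Constructed IdP IDs, indexed by derived Source ID as the SP would hold them.
        Map<String, String> idpBySourceId = new HashMap<>();
        for (String idp : new String[] {"https://idp-a.example/saml2", "https://idp-b.example/saml2"})
            idpBySourceId.put(fromIdpId(idp), idp);
        // Constructed artifact from idp-a: endpoint index 0, fixed message handle.
        byte[] art = new byte[44];
        art[1] = 4;
        System.arraycopy(sha1("https://idp-a.example/saml2"), 0, art, 4, 20);
        Arrays.fill(art, 24, 44, (byte) 0x5a);
        String received = Base64.getEncoder().encodeToString(art);
        System.out.println("artifact issued by: " + idpBySourceId.get(sourceIdFromArtifact(received)));
        System.out.println("override valid: " + isValidOverride("0123456789abcdef0123456789abcdef01234567"));
    }
}
```

If you override the system-generated value, the Identity Provider must embed that same 20-byte Source ID in the artifacts it issues, otherwise the lookup above finds no issuer and the artifact cannot be resolved.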
SAML 2.0 Auth Scheme--Bindings--POST
If the Service Provider supports the POST binding, configure the settings in this section. For SAML 2.0 POST, the settings include:
  • Post
    • HTTP Post
      Indicates that the POST binding is enabled for the Identity Provider.
    • Enforce Single Use Policy
      Enforces the single use policy, preventing SAML 2.0 assertions from being reused at a Service Provider to establish a second session.
    • Index
      Enabled upon selecting the HTTP-Post check box, this field assigns an AssertionConsumerServiceIndex parameter for the POST binding. If you have multiple endpoints in a federated network, assign an index for the Assertion Consumer Service. The index value tells the Identity Provider where to send the response.
      Value: 0 through 65535