SAML Service Provider--General Settings

The settings on this dialog box identify the Service Provider for which the Identity Provider generates assertions.
General Settings
The General settings let you specify general information about the Service Provider.
The settings on this tab are as follows:
  • Name
    Names the Service Provider. This name is unique across all affiliate domains.
  • SP ID
    Specifies a URI that uniquely identifies the Service Provider, such as sp.example.com.
  • Authentication URL
    Specifies a protected URL that federation uses to authenticate users and create a session when a protected resource is requested. If the authentication mode is set to local and a user has not logged in at the asserting party, users are sent to this URL. This URL must point to the redirect.jsp file, unless you select the Use Secure URL check box.
    Example: http://myserver.idpA.com/siteminderagent/redirectjsp/redirect.jsp
    myserver identifies the web server with the Web Agent Option Pack or the SPS federation gateway. The redirect.jsp file is included with the Web Agent Option Pack or SPS federation gateway that is installed at the asserting party.
    Protect the Authentication URL with an access control policy. For the policy, configure an authentication scheme, realm, and rule. To add session store attributes to the assertion, enable the Persist Authentication Session Variables check box, which is a setting in the authentication scheme.
  • Active
    Indicates whether the legacy federation configuration is in use for a particular partnership. If the Policy Server is using the legacy federation configuration, confirm this check box is selected. If you have recreated a federated partnership with similar values for identity settings, such as source ID, clear this check box before activating the federated partnership. CA Single Sign-On cannot work with a legacy and partnership configuration that use the same identity values, or a name collision occurs.
  • Enabled
    Enables the Policy Server and Federation Web Services to support authentication of Service Provider resources.
  • Skew Time
    Specifies the number of seconds (as a positive integer) added to and subtracted from the current clock time. This adjustment accounts for Service Providers with clocks that are not synchronized with the Identity Provider. The skew time and the Validity Duration determine how the Policy Server calculates the total time that an assertion is valid.
    To determine the assertion validity, the skew time is subtracted from the assertion generation time (IssueInstant) to get the NotBefore time. The skew time is then added to the validity duration and the IssueInstant to get the NotOnOrAfter time. The following equations illustrate how the skew time is used:
    • NotBefore = IssueInstant - Skew Time
    • NotOnOrAfter = Validity Duration + Skew Time + IssueInstant
    Times are relative to GMT.
  • SAML Version
    Specifies the SAML version (disabled; the value defaults to 2.0, indicating that assertions sent to this SP ID must be compliant with SAML version 2.0).
  • Description
    Optionally, a brief description of the Service Provider.
  • IdP ID
    Specifies a URI that uniquely identifies the Identity Provider, such as idp.ca.com. This URI value becomes the value of the Issuer field in the assertion.
  • Application URL
    (Optional) Identifies the protected URL for a custom web application that is used to supply user attributes to the Single Sign-on service. The application can be on any host in your network.
    Attributes from the web application specified in this field are made available to the Assertion Generator and then placed in the SAML assertion by an Assertion Generator plug-in. You create the plug-in and integrate it with CA Single Sign-On.
    The Federation Web Services application supplies sample web applications that you can use as a basis for your web application. They are:
    http://idp_server:port/affwebservices/public/sample_application.jsp
    http://idp_server:port/affwebservices/public/unsolicited_application.jsp
    idp_server:port identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.
  • Use Secure URL
    This setting instructs the single sign-on service to encrypt only the SMPORTALURL query parameter. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.
    If you select the Use Secure URL check box, complete the following steps:
    1. Set the Authentication URL field to the following URL: http(s)://idp_server:port/affwebservices/secure/secureredirect
    2. Protect the secureredirect web service with a policy.
    If the asserting party serves more than one relying partner, the asserting party probably authenticates different users for these different partners. As a result, for each Authentication URL that uses the secureredirect service, include this web service in a different realm for each partner.
    To associate the secureredirect service with different realms, modify the web.xml file and create different resource mappings. Do not copy the secureredirect web service to different locations on your server. The web.xml file is located in the directory web_agent_home/affwebservices/WEB-INF, where web_agent_home is the installed location of the web agent.
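The Skew Time equations above, worked through in code. This is an added example, not CA Single Sign-On product code: it computes the NotBefore and NotOnOrAfter values from a constructed IssueInstant, validity duration, and skew, and then applies the SAML 2.0 Conditions check (NotBefore inclusive, NotOnOrAfter exclusive) as a relying party would, so you can see how much Service Provider clock drift a given skew tolerates. All function names and sample values are this example's own.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Added example (not CA Single Sign-On product code): applies the two Skew Time
# equations from the page. Durations are seconds; every time is UTC (GMT).


def assertion_window(issue_instant: datetime, validity_duration: int,
                     skew_time: int) -> Tuple[datetime, datetime]:
    """Return (NotBefore, NotOnOrAfter) for an assertion issued at issue_instant.

    NotBefore    = IssueInstant - Skew Time
    NotOnOrAfter = Validity Duration + Skew Time + IssueInstant
    """
    if skew_time < 0 or validity_duration <= 0:
        raise ValueError("skew time must be >= 0 and validity duration > 0")
    if issue_instant.tzinfo is None or issue_instant.utcoffset() != timedelta(0):
        raise ValueError("IssueInstant must be expressed in UTC")
    skew = timedelta(seconds=skew_time)
    not_before = issue_instant - skew
    not_on_or_after = issue_instant + timedelta(seconds=validity_duration) + skew
    return not_before, not_on_or_after


def saml_timestamp(t: datetime) -> str:
    """Format a UTC datetime the way it appears in a SAML Conditions element."""
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def accepted_by_sp(sp_clock: datetime, not_before: datetime,
                   not_on_or_after: datetime) -> bool:
    """SAML 2.0 Conditions check as the relying party performs it:
    NotBefore is inclusive, NotOnOrAfter is exclusive."""
    return not_before <= sp_clock < not_on_or_after


def drift_tolerance(validity_duration: int, skew_time: int) -> Tuple[int, int]:
    """Largest SP clock drift (seconds behind, seconds ahead of the IdP) at which
    an assertion checked at the instant of issue is still accepted."""
    # Behind: the SP clock may lag by up to skew_time and still be >= NotBefore.
    # Ahead: the SP clock must stay strictly below NotOnOrAfter.
    return skew_time, validity_duration + skew_time - 1


def sample_scenario() -> Dict[str, object]:
    """Constructed scenario: assertion issued at noon UTC, 60 s validity, 30 s skew,
    checked against SP clocks that lag the IdP by 20 s and by 31 s."""
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    nb, na = assertion_window(issued, validity_duration=60, skew_time=30)
    return {
        "NotBefore": saml_timestamp(nb),
        "NotOnOrAfter": saml_timestamp(na),
        "sp_20s_behind": accepted_by_sp(issued - timedelta(seconds=20), nb, na),
        "sp_31s_behind": accepted_by_sp(issued - timedelta(seconds=31), nb, na),
    }


if __name__ == "__main__":
    for key, value in sample_scenario().items():
        print(f"{key:14} {value}")
    print("drift tolerated (behind, ahead):", drift_tolerance(60, 30))
```

Note that the skew widens the window on both ends: raising it to absorb badly synchronized partner clocks also lengthens the period during which a captured assertion is accepted, so keep it to the smallest value that covers the observed drift.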
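To show why the Use Secure URL setting protects the SMPORTALURL parameter, here is an added illustration that is not the product's secureredirect implementation. The page says the service encrypts the parameter; this stand-in binds the post-authentication destination to an HMAC tag instead, which is enough to demonstrate the property at stake: a value that travels through the user's browser cannot be altered without the asserting party detecting it on return. The key, the host names, and the function names are constructed for the example; only the /affwebservices/secure/secureredirect path and the SMPORTALURL parameter name come from the page.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Added illustration, not CA Single Sign-On code. The product encrypts
# SMPORTALURL; this example uses an HMAC tag to show the tamper-detection
# property. The key is a constructed demo value.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def protect_target(target: str, key: bytes = DEMO_KEY) -> str:
    """Bind the destination URL to a tag only the asserting party can produce."""
    body = base64.urlsafe_b64encode(target.encode("utf-8")).decode("ascii")
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def unprotect_target(token: str, key: bytes = DEMO_KEY) -> str:
    """Recover the destination, raising ValueError if the token was altered."""
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        raise ValueError("malformed SMPORTALURL token") from None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("SMPORTALURL token failed integrity check")
    return base64.urlsafe_b64decode(body.encode("ascii")).decode("utf-8")


def build_auth_redirect(auth_url: str, target: str) -> str:
    """Compose the redirect to the Authentication URL with a protected SMPORTALURL."""
    return f"{auth_url}?{urlencode({'SMPORTALURL': protect_target(target)})}"


def resolve_redirect(auth_redirect: str) -> str:
    """What the authentication endpoint does after login: verify the token and
    return the destination it is allowed to send the browser to."""
    params = parse_qs(urlsplit(auth_redirect).query)
    tokens = params.get("SMPORTALURL", [])
    if len(tokens) != 1:
        raise ValueError("exactly one SMPORTALURL parameter expected")
    return unprotect_target(tokens[0])


def detects_modified_target(auth_redirect: str, new_target: str) -> bool:
    """Test helper: keep the original tag but replace the destination, then report
    whether the endpoint refuses the modified redirect."""
    base, _ = auth_redirect.split("?", 1)
    original_token = parse_qs(urlsplit(auth_redirect).query)["SMPORTALURL"][0]
    _, tag = original_token.rsplit(".", 1)
    forged_body = base64.urlsafe_b64encode(new_target.encode("utf-8")).decode("ascii")
    modified = f"{base}?{urlencode({'SMPORTALURL': f'{forged_body}.{tag}'})}"
    try:
        resolve_redirect(modified)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed host names; the path is the secureredirect service from the page.
    auth = "https://idp.example.test/affwebservices/secure/secureredirect"
    redirect = build_auth_redirect(auth, "https://app.example.test/portal")
    print(redirect)
    print("resolved:", resolve_redirect(redirect))
    print("modification detected:",
          detects_modified_target(redirect, "https://other.example.test/"))
```

Without such protection the parameter behaves as an open redirect from a trusted login host, which is exactly the abuse the page describes; with it, any change to the destination fails verification and the user is never forwarded.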
The General settings also include the following sections:
  • Restrictions
    Lets you configure IP address and time restrictions on the assertion generation policy for the Service Provider.
    • Time
      • Set
        Opens the Time dialog so you can configure the availability of the Resource Partner. When you add a time restriction, the Service Provider functions only during the period specified.
      • Clear
    • IP Addresses
      Lists restricted IP addresses that are configured for the policy for the Service Provider resources. You can specify an IP address, a range of IP addresses, or a subnet mask of the web server on which the user's browser runs to access a Service Provider.
      • Add
        Opens an empty Add IP Address dialog from where you can create an IP address restriction.
  • Advanced
    The Advanced section lets you configure the following features:
    • Assertion Generator Plugin
      Identifies a custom-developed Assertion Generator plug-in that is developed using the Assertion Generator Plugin API. The Assertion Generator Plugin is an optional feature.
    • Proxy
      Identifies the proxy server between the client and the system where Federation Web Services is running, if applicable.
    • Specifies custom redirect URLs for HTTP status errors. CA Single Sign-On can redirect the user to a custom error page for further action. Custom URLs are optional.
SAML Service Provider--Advanced Settings

Assertion Generator Plugin Settings

The Assertion Generator Plugin area includes the following settings:
  • Full Java Class Name
    Specifies the fully qualified Java class name of the Assertion Generator Plugin.
  • Parameters
    If a value is entered in the Full Java Class Name field, specifies a string of parameters CA Single Sign-On passes to the specified plugin.
  • Proxy Server
    When your network has a proxy server between the client and the eTrust SiteMinder FSS operating environment, specify the scheme and authority portions of the URL, such as protocol:authority. The scheme is http: or https: and the authority is // or //. For example, http://example.ca.com.
    Federation Web Services is available on a system where the Web Agent Option Pack or the SPS federation gateway resides.
SAML Service Provider--Advanced SSO Configuration
The Advanced SSO Configuration section lets you configure the following features:
  • The requested authentication context.
  • One-time use of the assertion.
  • Redirect URLs for error handling.
  • Use of the SessionNotOnOrAfter attribute in a SAML assertion.
This dialog includes the following settings:
  • Ignore Requested AuthnContext
    Determines how a transaction proceeds if the SP includes the element <RequestedAuthnContext> in an AuthnRequest message when requesting an assertion.
    The term authentication context describes how a user authenticates at an IdP. This element is a request from the SP stating its requirements for the AuthnContext statement that the IdP must return in the assertion response.
    If the check box is selected, it tells the IdP to disregard the <RequestedAuthnContext> element in the AuthnRequest message it receives from the SP. Legacy federation does not support the use of the <RequestedAuthnContext> element in an AuthnRequest, but selecting this check box prevents the transaction from failing.
    If this check box is not selected (the default) and the incoming AuthnRequest has the <RequestedAuthnContext> element in it, the transaction fails.
  • Set OneTimeUse Condition
    Instructs the SP to use the assertion immediately and not retain it for future use. The assertion is intended only for one-time use. The OneTimeUse condition is useful because the information in an assertion can change or expire, and the condition ensures that the SP uses an assertion with up-to-date information. Instead of reusing the assertion, the SP must request a new assertion from the IdP.
  • Enable Server Error URL
    Enables a server error redirect.
    • Server Error Redirect URL
      Specifies the URL where the user is redirected when an HTTP 500 Server error occurs. A user can encounter a 500 error because an unexpected condition prevents the web server from fulfilling the client request. If this type of error occurs, the user is sent to the specified URL for further processing.
      Example: http://www.redirectmachine.com/error_pages/server_error.html
  • Enable Invalid Request URL
    Enables an invalid request error redirect.
    • Invalid Request Redirect URL
      Specifies the URL where the user is redirected when an HTTP 400 Bad Request or a 405 Method Not Allowed error occurs. A user can encounter a 400 error because a request is malformed. The user can encounter a 405 error because the web server does not allow a particular method or action to be performed. If these types of errors occur, the user is sent to the specified URL for further processing.
      Example: http://www.redirectmachine.com/error_pages/invalidreq_error.html
  • Enable Unauthorized Access URL
    Enables an unauthorized access error redirect.
    • Unauthorized Access Redirect URL
      Specifies the URL where the user is redirected when an HTTP 403 Forbidden error occurs. A user can encounter a 403 error because the URL in a request is pointing to the wrong target, such as a directory instead of a file. If this error occurs, the user is sent to the specified URL for further processing.
      Example: http://www.redirectmachine.com/error_pages/unauthorized_error.html

Mode Fields

For each URL, you can select a mode by which the browser redirects the user.
  • 302 No Data
    Redirects the user using an HTTP 302 redirect. CA Single Sign-On directs the user with a session cookie. CA Single Sign-On appends no additional information to the redirect URL.
  • HTTP POST
    Redirects the user using the HTTP POST protocol. When the user is redirected to the custom error page URL, the following data, if available, is appended to the redirect URL and then posted to the custom error page:
    • TARGET
    • AUTHREASON
    • CONSUMERURL
    • SAMLRESPONSE
    • IDPID
    • SPID
    • PROTOCOLBINDING

SP Session Validity Duration

Determines the use of the SessionNotOnOrAfter attribute in an assertion. Set this value to determine whether the IdP adds the SessionNotOnOrAfter attribute to a SAML assertion.
This configuration setting is available only at the CA Single Sign-On IdP. CA Single Sign-On instructs the IdP what value it sets for the SessionNotOnOrAfter parameter in the assertion. The setting does not set any timeout value at the SP.
If CA Single Sign-On is acting as an SP, it ignores the SessionNotOnOrAfter value. Instead, a CA Single Sign-On SP sets session timeouts that are based on the realm timeout. The realm timeout corresponds to the configured SAML authentication scheme that protects the target resource.

Options:

  • Use Assertion Validity
    Calculates the SessionNotOnOrAfter value based on the assertion validity duration.
  • Omit
    Instructs the IdP not to include the SessionNotOnOrAfter parameter in the assertion.
  • IDP Session
    Calculates the SessionNotOnOrAfter value based on the IdP session timeout. The timeout is configured in the IdP realm for the authentication URL. Using this option can synchronize the IdP and SP session timeout values.
  • Custom
    Lets you specify a custom value for the SessionNotOnOrAfter parameter in the assertion. If you select this option, enter a time in the Custom Assertion Session Duration field.

Custom Assertion Session Duration (Minutes)

Specifies the amount of time (in minutes) set for the SessionNotOnOrAfter parameter in the assertion. If the attribute is in the assertion, this setting determines the duration of the session between the user and the IdP. Designate any amount of time that suits your environment.
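The four SP Session Validity Duration options and the Custom Assertion Session Duration field, worked through as an added example that is not product code. The page names the input each option uses but not the arithmetic, so this example assumes each option yields IssueInstant plus the chosen duration, and it renders the resulting AuthnStatement element so the Omit case (attribute absent) is visible next to the others. The sample durations and the function names are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Added example, not CA Single Sign-On code. Assumption: every option that emits
# the attribute sets it to IssueInstant plus the relevant duration.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

OPTIONS = ("Use Assertion Validity", "Omit", "IDP Session", "Custom")


def session_not_on_or_after(option: str, issue_instant: datetime, *,
                            assertion_validity_seconds: Optional[int] = None,
                            idp_session_timeout_seconds: Optional[int] = None,
                            custom_minutes: Optional[int] = None) -> Optional[datetime]:
    """Return the SessionNotOnOrAfter value for the chosen option, or None for Omit."""
    if option == "Omit":
        return None
    if option == "Use Assertion Validity":
        if not assertion_validity_seconds or assertion_validity_seconds <= 0:
            raise ValueError("assertion validity duration required")
        return issue_instant + timedelta(seconds=assertion_validity_seconds)
    if option == "IDP Session":
        if not idp_session_timeout_seconds or idp_session_timeout_seconds <= 0:
            raise ValueError("IdP realm session timeout required")
        return issue_instant + timedelta(seconds=idp_session_timeout_seconds)
    if option == "Custom":
        # Custom Assertion Session Duration is entered in minutes on the dialog.
        if not custom_minutes or custom_minutes <= 0:
            raise ValueError("Custom Assertion Session Duration (minutes) required")
        return issue_instant + timedelta(minutes=custom_minutes)
    raise ValueError(f"unknown option {option!r}; expected one of {OPTIONS}")


def saml_timestamp(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def authn_statement(issue_instant: datetime, expiry: Optional[datetime]) -> str:
    """Serialize the AuthnStatement the IdP would emit; the attribute is omitted
    entirely when expiry is None."""
    element = ET.Element(f"{{{SAML_NS}}}AuthnStatement")
    element.set("AuthnInstant", saml_timestamp(issue_instant))
    if expiry is not None:
        element.set("SessionNotOnOrAfter", saml_timestamp(expiry))
    return ET.tostring(element, encoding="unicode")


def sample_statements() -> Dict[str, str]:
    """Constructed inputs: issued at noon UTC, 90 s assertion validity,
    3600 s IdP realm timeout, 30 minute custom duration."""
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    inputs = dict(assertion_validity_seconds=90,
                  idp_session_timeout_seconds=3600,
                  custom_minutes=30)
    return {opt: authn_statement(issued, session_not_on_or_after(opt, issued, **inputs))
            for opt in OPTIONS}


if __name__ == "__main__":
    for option, xml in sample_statements().items():
        print(f"{option:22} {xml}")
```

Because a CA Single Sign-On SP ignores the attribute and applies its realm timeout instead, the value only matters to relying parties that honour SessionNotOnOrAfter; for those, IDP Session keeps both sides' session lifetimes aligned, which is the synchronization the page mentions.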