Resource Partner SAML Profiles

The SAML Profiles dialog is where you configure single sign-on (SSO) and signout between the Account Partner and the Resource Partner.
The single sign-on settings are:
  • Authentication Method
    Indicates how the user authenticated at the Account Partner. Select an authentication method from the drop-down list. The Account Partner includes the authentication method in the assertion in the form of a URI string.
    The value that you select for this field must correspond to the authentication scheme that protects the authentication URL. You specify the authentication URL in the General settings for this Account Partner. For example, if the authentication URL is protected by an X.509 certificate authentication scheme, select SSL/TLS Certificate for this field.
    The authentication method that you select must also be appropriate for the authentication level you configure on this page. For example, you select the X509 Client Cert and Basic template for the authentication scheme that protects the authentication URL. The default protection level for this template is 15. However, the default authentication method for the Resource Partner SSO configuration is Password. If you keep Password as the authentication method, the Account Partner adds the following URI to the assertion:
    urn:oasis:names:tc:SAML:1.0:am:classes:password
  • Security Token Consumer Service
    Specifies the URL of the service at the Resource Partner that receives security token response messages and extracts the assertion. The default location for the CA Single Sign-On service is:
    https://rp_server:port/affwebservices/public/wsfeddispatcher
    rp_server:port
    Identifies the web server and port at the Resource Partner hosting the Web Agent Option Pack or CA Access Gateway. These components provide the Federation Web Services application.
    The WSFedDispatcher Service receives all incoming WS-Federation messages and forwards the request processing to the appropriate service based on the query parameter data. Although there is a wsfedsecuritytokenconsumer service, the wsfeddispatcher service is recommended for the entry in this field.
  • Validity Duration Second(s)
    Specifies a number of seconds (a positive integer) for which an assertion is valid. The default is 60 seconds.
    In a test environment, if the following message is in the Policy Server trace log, increase the validity duration above 60.
    Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237)  - current time (Fri Sep 09 17:28:33
    EDT 2011) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2006)
  • Authentication Level [0-1000]
    Specifies the minimum level at which the user must authenticate to gain access to a CA Single Sign-On realm.
    When a user requests a federated resource, they must have a CA Single Sign-On session. If the user does not have a session, CA Single Sign-On redirects the user to the Authentication URL to establish one. The user might already have a session whose protection level is less than the authentication level specified on this dialog. In this case, CA Single Sign-On redirects the user to the Authentication URL to reestablish a session.
    The authentication scheme protecting the authentication URL is configured with a particular protection level. That protection level must be equal to or greater than the level in the Authentication Level field on this page. If the user has authenticated at this level, the Account Partner generates an assertion for the user. If the protection level for the authentication URL is less than the level in the Authentication Level field, CA Single Sign-On does not generate an assertion.
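As an added example (not CA Single Sign-On code or documentation), the following Python models the Authentication Method and Authentication Level rules described above for one Resource Partner SSO configuration. The X509 template and its default protection level 15 are from this page; the plain Basic scheme and its level 5 are assumed values for illustration.

```python
"""Added example (not CA Single Sign-On code): models the Authentication Method
and Authentication Level rules of a Resource Partner SSO configuration."""
from dataclasses import dataclass
from typing import List, Optional

# Schemes that may protect the Authentication URL, with protection levels. The
# X509 template and its default level 15 are from the page; the plain Basic
# scheme and its level 5 are assumed values for illustration.
SCHEME_PROTECTION_LEVEL = {"X509 Client Cert and Basic": 15, "Basic": 5}
# SSO Authentication Method that corresponds to each scheme (the page pairs an
# X.509 certificate scheme with "SSL/TLS Certificate").
SCHEME_EXPECTED_METHOD = {"X509 Client Cert and Basic": "SSL/TLS Certificate",
                          "Basic": "Password"}

@dataclass
class RpSsoConfig:
    auth_scheme: str   # scheme protecting the Authentication URL (General settings)
    auth_method: str   # Authentication Method field on this dialog
    auth_level: int    # Authentication Level [0-1000] field on this dialog

def config_warnings(cfg: RpSsoConfig) -> List[str]:
    """Mismatches between this dialog and the scheme on the Authentication URL."""
    warnings = []
    if not 0 <= cfg.auth_level <= 1000:
        warnings.append("Authentication Level must be between 0 and 1000")
    expected = SCHEME_EXPECTED_METHOD[cfg.auth_scheme]
    if cfg.auth_method != expected:
        warnings.append(f"Authentication Method {cfg.auth_method!r} does not match "
                        f"scheme {cfg.auth_scheme!r}; expected {expected!r}")
    if SCHEME_PROTECTION_LEVEL[cfg.auth_scheme] < cfg.auth_level:
        warnings.append("Authentication URL protection level is below the "
                        "Authentication Level; no assertion will ever be generated")
    return warnings

def process_request(cfg: RpSsoConfig, session_level: Optional[int]) -> List[str]:
    """Steps taken for a federated request; session_level is the protection
    level of the user's current session, or None when there is no session."""
    steps = []
    if session_level is None or session_level < cfg.auth_level:
        steps.append("redirect to Authentication URL")
        # Re-authenticating yields a session at the scheme's protection level.
        session_level = SCHEME_PROTECTION_LEVEL[cfg.auth_scheme]
    steps.append("assertion generated" if session_level >= cfg.auth_level
                 else "no assertion generated")
    return steps
```

The first warning reproduces the mismatch the page describes: the X509 template left paired with the default Password method.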
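As a further added example (not CA Single Sign-On code), the following Python scans Policy Server trace output for the "Assertion rejected" message quoted under Validity Duration and works out by how many seconds the validity window was missed. The sample trace lines are constructed, and the sizing rule is an assumption rather than product guidance.

```python
"""Added example (not CA Single Sign-On code): find 'Assertion rejected'
messages in Policy Server trace output and size the Validity Duration."""
import re
from datetime import datetime

# Message format quoted on this page; whitespace is normalised first, so a
# message wrapped across two trace lines still matches.
REJECT_RE = re.compile(
    r"Assertion rejected \((?P<aid>[^)]+)\) - current time \((?P<now>[^)]+)\)"
    r" is after SessionNotOnOrAfter time \((?P<exp>[^)]+)\)"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_ts(text: str) -> datetime:
    """Parse 'Fri Sep 09 17:28:33 EDT 2011'. The zone abbreviation is dropped
    because strptime only understands the local zone; both timestamps in one
    message carry the same zone, so their difference is unaffected."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), TS_FMT)

def shortfalls(lines):
    """(assertion id, seconds past SessionNotOnOrAfter) for each rejection."""
    text = re.sub(r"\s+", " ", "\n".join(lines))
    return [(m["aid"], int((parse_ts(m["now"]) - parse_ts(m["exp"])).total_seconds()))
            for m in REJECT_RE.finditer(text)]

def recommended_validity(lines, current: int = 60, margin: int = 5) -> int:
    """Sizing rule (an assumption, not product guidance): keep the current value
    unless rejections were seen, then add the worst shortfall plus a margin.
    A shortfall of minutes or more usually means the partners' clocks disagree,
    which a longer window only papers over."""
    late = [s for _, s in shortfalls(lines)]
    return current if not late else current + max(late) + margin

# Constructed sample trace lines in the format quoted on this page; the
# rejection is wrapped over two lines the way the page shows it.
SAMPLE_TRACE = [
    "Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237)  - current time (Fri Sep 09 17:28:33",
    "EDT 2011) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2011)",
    "Some unrelated trace line",
]
```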
The Signout section lets you enable the WS-Federation signout feature. Signout terminates all sessions for a particular user at each Resource Partner where the user has a session.
The signout settings are:
  • Enable Signout
    Enables the WS-Federation signout feature for the Resource Partner.
  • Signout Cleanup URL
    Specifies a URL at the Resource Partner where the browser is redirected to terminate the user session.
    After the user session is removed at the Account Partner and all Resource Partner sites, Federation Web Services redirects the user to the signout cleanup URL. If the signout is initiated at the Resource Partner, the logout confirmation page must be an unprotected resource at the Resource Partner. If signout is initiated at an Account Partner site, the logout confirmation page must be an unprotected resource at the Account Partner site.
  • Signout Confirm URL
    Specifies the URL at the Account Provider where CA Single Sign-On sends the signout message. This URL is also where Resource Provider cleanup locations are sent as post data to the SignoutConfirm JSP page. The default URL is:
    http://ap_server:port/affwebservices/public/signoutconfirmurl.jsp
    ap_server:port
    Specifies the server and port number of the system at the Account Partner. The system hosts the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.
    The signoutconfirmurl.jsp is included with the Web Agent Option Pack or SPS federation gateway. You can move this page from the default directory; if you do, put it in a location where the servlet engine for the Federation Web Services can access the page.