SAML Service Provider--SSO Settings
The SSO section is where you configure single sign-on (SSO) for the partnership. The fields are:
- Audience: Specifies the URI of the audience element the IdP puts in the assertion. This value is compared with the audience specified for the authentication scheme at the Service Provider. Example: sp.ca.com.
- AuthnContext Class Ref: Defines the URI provided in the AuthnContextClassRef element in the assertion. This element describes how the Service Provider authenticates the requesting user. Specify a legitimate value that is based on the SAML specification and that is appropriate for the authentication level specified on this page. We recommend that you accept the default value urn:oasis:names:tc:SAML:2.0:ac:classes:Password. You can configure a custom element in the Advanced section of the Attributes settings.
- Allow Creation of New User Identifier: Permits the Identity Provider to create a NameID value and include it in the assertion. This setting is meaningful only under the following conditions:
  - The AuthnRequest message from the Service Provider does not include a NameID.
  - The AllowCreate attribute in the AuthnRequest message is set to true.
- Assertion Consumer Service: Specifies the URL of the service that receives assertions at the Service Provider. The default for SiteMinder is: http://<sp_server:port>/affwebservices/public/saml2assertionconsumer
  sp_server:port identifies the web server and port hosting the Web Agent Option Pack or Access Gateway.
  This field is disabled if indexed endpoints are defined. In that case, you can only edit this URL by modifying an indexed entry in the Assertion Consumer Service dialog. Select the ellipsis button to open the Assertion Consumer Services dialog. From this dialog, you can do the following tasks:
  - Add an indexed Assertion Consumer Service entry. You can add multiple entries; there is no limit.
  - Edit an existing indexed Assertion Consumer Service entry.
  - Remove an existing indexed Assertion Consumer Service entry.
- Authentication Level: Specifies the minimum level at which the user must have authenticated to gain access to a SiteMinder realm. If the user has authenticated at this level or higher, the Identity Provider generates an assertion for the user. If the user has not authenticated at this level or higher, the user is redirected to the Authentication URL to authenticate at this level.
- Validity Duration Second(s): Specifies the number of seconds (a positive integer) for which a generated assertion is valid. In a test environment, increase the Validity Duration value above the default of 60 if you see the following message in the Policy Server trace log:
  Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237) - current time (Fri Sep 09 17:28:33 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2005)
  This property applies only to SSO messages. The setting is not the same as the Validity Duration field for SLO.
- Enhanced Client and Proxy Profile: Activates support for the SAML 2.0 Enhanced Client and Proxy (ECP) Profile. This profile is used if the SP and IdP are not communicating directly.
- Artifact Bindings: If you select HTTP-Artifact, configure the back channel settings in the Attributes settings.
- Post Bindings
  - HTTP-Post: Indicates that the POST binding is supported at the Service Provider for single sign-on.
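To show how the Audience, AuthnContext Class Ref and Validity Duration settings above are enforced when an assertion is consumed, here is an added Python example (not SiteMinder code): it builds a constructed SAML 2.0 assertion whose SessionNotOnOrAfter is IssueInstant plus the validity duration, then applies the relying-party checks, reproducing the timing condition behind the "Assertion rejected" trace-log message. The assertion layout, the timeline and the use of sp.ca.com as the configured audience are constructed for illustration, and the timing check is simplified (no clock-skew tolerance).

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime in UTC; all datetimes here are naive UTC

def build_assertion(audience, issue_instant, validity_seconds, authn_ctx=PASSWORD_CTX):
    """Constructed IdP-side assertion (not SiteMinder output): NotOnOrAfter and
    SessionNotOnOrAfter are IssueInstant plus the Validity Duration setting."""
    issued = issue_instant.strftime(TIME_FMT)
    not_after = (issue_instant + timedelta(seconds=validity_seconds)).strftime(TIME_FMT)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-example-id"
    Version="2.0" IssueInstant="{issued}">
  <saml:Conditions NotBefore="{issued}" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{issued}" SessionNotOnOrAfter="{not_after}">
    <saml:AuthnContext><saml:AuthnContextClassRef>{authn_ctx}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def check_assertion(xml_text, expected_audience, now, expected_ctx=PASSWORD_CTX):
    """SP-side checks for the Audience, AuthnContext Class Ref and Validity Duration
    fields. Returns the list of rejection reasons; an empty list means accepted."""
    root = ET.fromstring(xml_text)
    reasons = []
    audiences = [a.text for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:  # must match the audience configured at the SP
        reasons.append(f"audience {audiences} does not include {expected_audience}")
    ctx = root.findtext(".//saml:AuthnContextClassRef", namespaces=NS)
    if ctx != expected_ctx:  # must be the class the SP's authentication level expects
        reasons.append(f"AuthnContextClassRef {ctx} is not {expected_ctx}")
    stmt = root.find("saml:AuthnStatement", NS)
    not_after = datetime.strptime(stmt.get("SessionNotOnOrAfter"), TIME_FMT)
    if now >= not_after:  # the condition behind the "Assertion rejected" trace-log line
        reasons.append(f"current time {now.strftime(TIME_FMT)} is after "
                       f"SessionNotOnOrAfter time {not_after.strftime(TIME_FMT)}")
    return reasons

def demo(validity_seconds, audience="sp.ca.com", authn_ctx=PASSWORD_CTX):
    """Constructed timeline mirroring the log message above: issued at 21:27:20Z,
    consumed 73 seconds later, so the 60-second default window has already passed."""
    issued = datetime(2005, 9, 9, 21, 27, 20)
    consumed = datetime(2005, 9, 9, 21, 28, 33)
    assertion = build_assertion(audience, issued, validity_seconds, authn_ctx)
    return check_assertion(assertion, "sp.ca.com", consumed)  # SP configured for sp.ca.com
```

demo(60) returns the SessionNotOnOrAfter rejection reason for the 73-second gap, while demo(120) returns an empty list, which is why the page advises raising the value in a test environment.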
SAML Service Provider--Assertion Consumer Services Settings
The Assertion Consumer Services page is where you configure an indexed Assertion Consumer Service entry. The table on this page lists all the configured assertion consumer services.
Click Add to configure a new service. The Add Assertion consumer service page opens.
The Add Assertion Consumer Service page contains the following fields:
- Index: Specifies the index number for the URL. Limits: a unique integer from 0 through 65535.
- Binding: Specifies the binding for single sign-on for this endpoint. Select HTTP-Artifact or HTTP-POST. An unsolicited request can initiate single sign-on at the Identity Provider. If the unsolicited request includes the ProtocolBinding query parameter, the binding in that query parameter overrides the value that you selected for this field.
- Assertion Consumer Service URL: Specifies the URL for the Assertion Consumer Service. The value is a URI that begins with http:// or https://.