Create the VIP Authentication Hub scheme
Complete these steps to create the VIP Authentication Hub scheme.
- In the SiteMinder Administrative UI, navigate to Infrastructure > Authentication > Authentication Schemes.
- Click Create Authentication Scheme, select Create a new object of type Authentication Scheme, and click OK.
- Enter a Name and Description for the authentication scheme.
- Select Protection Level, and define an additional measure of flexibility in access control (a level from 1 through 1000).
- Select VIP Authentication Hub Template from the Authentication Scheme Type drop-down list.
- Select the VIP Authentication Hub Provider that you created earlier from the Provider drop-down list. See Configure the VIP Authentication Hub Provider.
- The Authentication Hub provider configuration retrieves all the applications that are configured for SiteMinder in VIP Manager and displays them in the Applications drop-down list. Select the application that was created for SiteMinder in VIP.
- Select Use Relative Target to specify whether a relative path name must be used for the Target or resource that the VIP authentication scheme protects. Select this option if multiple hosts with different domains are protecting the same resource. During runtime, Access Gateway determines the Access Gateway Redirect URL and Access Gateway State Redirect URL for each host using the relative hostname in an authentication request. If SSL offloading is used before Access Gateway, use the HttpsPorts ACO parameter to ensure that Access Gateway redirects using HTTPS URLs. To define your HTTPS ports, set the value of the HttpsPorts ACO parameter to the port numbers that use SSL. Use commas to separate multiple port numbers. For example, 80,7002. If a server is behind an HTTPS accelerator (that converts HTTPS to HTTP), the requests are treated as SSL connections by your browser but Access Gateway still serves them on HTTP, so add the appropriate port to the HttpsPorts ACO parameter. This feature works only for resources that reside on Access Gateway.
- Select the redirect URL that VIP uses to send the authorization code to SiteMinder from the Access Gateway Redirect URL drop-down list. This drop-down lists all the redirect URLs that are configured with the selected application. The Access Gateway State Redirect URL value is displayed based on the selected redirect URL.
- Select the alias of the public certificate obtained from VIP in the Verification Certificate Alias drop-down list. This list displays all the public certificates that are available in SiteMinder. Select the certificate added in Import certificates into SiteMinder.
- (Optional) If you uploaded an ID Token Encryption Key Pair in Import certificates into SiteMinder, select the alias of the ID Token Encryption private key in the Decryption Private Key Alias drop-down list. Select the ID Token Encryption Key Pair added in Import certificates into SiteMinder.
- (Optional) In ID Token Claim Lookup, define the user attribute lookup in JWT claims that must be used for validating the received ID Token. You can specify either user_loginid or any other claim that contains information on the authenticated user. If this parameter is not specified, the user_loginid claim that is present in the received ID Token is used for validation.
- (Optional) In Skew Time, define the number of seconds subtracted from the current time to account for the difference between the SiteMinder host machine and the VIP Service system times.
- Select the ACR value for the authentication flows in ACR. Only one value is displayed or supported.
- Click Select to view the ACR value and its corresponding obligations that are configured in the authentication policy rules of the selected application.
- Select the ACR value and click OK.
The ACR table displays the selected ACR. The ACR is sent in the ID Token Hint. As password-based authentication schemes such as HTML Forms are already supported, SiteMinder does not support password-based authentication factors in Authentication Hub.
- (Optional) To save the authentication context data that is retrieved in the ID Token in the session store for later use in authentication decisions, select the Persist Authentication Session Variables option.
- (Optional) To ignore SSL certificate validation during backchannel communication, select the Disable SSL Certificate Validation in Authorization Code Flow option.
- To ignore the signature validation of the ID Token that is generated by Authentication Hub, select Disable Identity Token Signature Validation.
- Click Save.
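Several of the settings above (Verification Certificate Alias, Skew Time, ID Token Claim Lookup, ACR, and Disable Identity Token Signature Validation) control how the ID Token returned by Authentication Hub is checked before a session is created. The following Python example is added here to illustrate that validation as a relying party performs it; it is not SiteMinder or VIP code. It signs a constructed token with HS256 and a shared demo key instead of the asymmetric signature that the real scheme verifies against the certificate alias, and the `iat` tolerance and the enforcement of an `acr` claim are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the signing key. The real scheme verifies an
# asymmetric signature against the certificate selected under
# "Verification Certificate Alias"; HS256 keeps this example dependency-free.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 ID Token for the example (not VIP's issuer code)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class IdTokenError(Exception):
    """Raised when the ID Token fails a validation check."""


def validate_id_token(
    token: str,
    key: bytes = DEMO_KEY,
    *,
    skew_seconds: int = 0,
    claim_lookup: str = "user_loginid",
    expected_acr: Optional[str] = None,
    verify_signature: bool = True,
    now: Optional[int] = None,
) -> dict:
    """Validate an ID Token according to the scheme settings.

    skew_seconds     "Skew Time": seconds subtracted from the current time
                     before the expiry comparison.
    claim_lookup     "ID Token Claim Lookup": claim identifying the user
                     (default user_loginid).
    expected_acr     the ACR chosen for the scheme; enforced when given
                     (assumed claim name "acr").
    verify_signature False models "Disable Identity Token Signature
                     Validation": the signature is not checked at all.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts

    if verify_signature:
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise IdTokenError("signature verification failed")

    claims = json.loads(_b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    # Skew Time is subtracted from the current time, so a token that expired
    # up to skew_seconds ago is still accepted.
    if claims.get("exp") is None or claims["exp"] <= current - skew_seconds:
        raise IdTokenError("token expired")
    # Assumption: the same tolerance is applied in the other direction for iat.
    if claims.get("iat", 0) > current + skew_seconds:
        raise IdTokenError("token issued in the future")

    if expected_acr is not None and claims.get("acr") != expected_acr:
        raise IdTokenError(f"acr {claims.get('acr')!r} != {expected_acr!r}")

    user = claims.get(claim_lookup)
    if not user:
        raise IdTokenError(f"claim {claim_lookup!r} missing from ID Token")
    return {"user": user, "claims": claims}


def outcome(token: str, **kwargs) -> str:
    """Summarise a validation attempt as one string (useful for audit logs)."""
    try:
        return "accepted:" + validate_id_token(token, **kwargs)["user"]
    except IdTokenError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    token = make_id_token({"user_loginid": "alice", "acr": "urn:demo:acr",
                           "iat": now, "exp": now + 300})
    print(outcome(token, now=now, expected_acr="urn:demo:acr"))
```

Running `outcome` with `verify_signature=False` against a token signed with the wrong key shows what Disable Identity Token Signature Validation gives up: the token is accepted solely on the strength of its claims, so any party able to reach the redirect URL could assert an arbitrary user_loginid. Skew Time should likewise be kept to the smallest value that covers the real clock difference, since every second of skew extends the window in which an expired token is still honoured.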
Next: