Create the VIP Authentication Hub scheme

Complete these steps to create the VIP Authentication Hub scheme.
  1. In the SiteMinder Administrative UI, navigate to Infrastructure > Authentication > Authentication Schemes.
  2. Click Create Authentication Scheme, select Create a new object of type Authentication Scheme, and click OK.
  3. Enter a Name and Description for the authentication scheme.
  4. Select Protection Level, and define an additional measure of flexibility in access control (a level from 1 through 1000).
  5. Select VIP Authentication Hub Template from the Authentication Scheme Type drop-down list.
  6. Select the VIP Authentication Hub Provider that you created earlier from the Provider drop-down list. See Configure the VIP Authentication Hub Provider.
  7. The Authentication Hub provider configuration retrieves all the applications that are configured for SiteMinder in VIP Manager and displays them in the Applications drop-down list. Select the application that was created for SiteMinder in VIP.
  8. Select Use Relative Target to specify whether a relative path name must be used for the Target or resource that the VIP authentication scheme protects. Select this option if multiple hosts with different domains are protecting the same resource. During runtime, Access Gateway determines the Access Gateway Redirect URL and the Access Gateway State Redirect URL for each host using the relative hostname in an authentication request. If SSL offloading is used before Access Gateway, use the HttpsPorts ACO parameter to ensure that Access Gateway redirects using HTTPS URLs.
     To define your HTTPS ports, set the value of the HttpsPorts ACO parameter to the port numbers that use SSL. Use commas to separate multiple port numbers. For example, 80,7002.
     If a server is behind an HTTPS accelerator (which converts HTTPS to HTTP), the browser treats the requests as SSL connections, but Access Gateway still serves them on HTTP; add the appropriate port to the HttpsPorts ACO parameter so that redirects use HTTPS URLs.
     This feature works only for resources that reside on Access Gateway.
  9. Select the redirect URL that VIP uses to send the authorization code to SiteMinder from the Access Gateway Redirect URL drop-down list. This drop-down lists all the redirect URLs that are configured for the selected application.
     The Access Gateway State Redirect URL value is displayed based on the selected redirect URL.
  10. Select the alias of the public certificate obtained from VIP in the Verification Certificate Alias drop-down list. This list displays all the public certificates that are available in SiteMinder. Select the certificate added in Import certificates into SiteMinder.
  11. (Optional) If you uploaded an ID Token Encryption Key Pair in Import certificates into SiteMinder, select the alias of the ID Token Encryption private key in the Decryption Private Key Alias drop-down list. Select the ID Token Encryption Key Pair added in Import certificates into SiteMinder.
  12. (Optional) In ID Token Claim Lookup, define the user attribute lookup in the JWT claims that must be used for validating the received ID Token. You can specify either user_loginid or any other claim that contains information about the authenticated user. If this parameter is not specified, the user_loginid claim present in the received ID Token is used for validation.
  13. (Optional) In Skew Time, define the number of seconds subtracted from the current time to account for the difference between the SiteMinder host machine and the VIP Service system times.
  14. Select the ACR value for the authentication flows in ACR. Only one value is displayed or supported.
     1. Click Select to view the ACR value and its corresponding obligations that are configured in the authentication policy rules of the selected application.
     2. Select the ACR value and click OK.
     The ACR table displays the selected ACR. The ACR is sent in the ID Token Hint.
     As password-based authentication schemes such as HTML Forms are already supported, SiteMinder does not support password-based authentication factors in Authentication Hub.
  15. (Optional) To save the authentication context data that is retrieved from the ID Token in the session store for later use in authentication decisions, select the Persist Authentication Session Variables option.
  16. (Optional) To ignore SSL certificate validation during backchannel communication, select the Disable SSL Certificate Validation in Authorization Code Flow option.
  17. To ignore the signature validation of the ID Token that is generated by Authentication Hub, select Disable Identity Token Signature Validation.
  18. Click Save.
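The Use Relative Target and HttpsPorts behaviour in step 8 can be hard to picture from the prose alone. The following is an added example, not SiteMinder or Access Gateway code: it parses an HttpsPorts-style value such as 80,7002 and builds a per-host redirect URL from a relative target, choosing https when the request arrived over TLS or when the listening port is declared as an SSL port (the accelerator case). The helper names, the request shape (host, port, path) and the sample hosts are assumptions constructed for the example.

```python
"""Added example (not SiteMinder/Access Gateway code): per-host redirect URL
construction with a relative target and an HttpsPorts-style port list.

Assumptions (not from the page): the helper names, the (host, port, path)
request shape, and the sample hostnames used below.
"""
from __future__ import annotations

from urllib.parse import urlunsplit


def parse_https_ports(value: str) -> frozenset[int]:
    """Parse a comma-separated port list such as "80,7002" into a set of ints.

    Whitespace around entries is ignored and empty entries are skipped; any
    non-numeric or out-of-range entry is rejected rather than silently dropped.
    """
    ports: set[int] = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit():
            raise ValueError(f"invalid HttpsPorts entry: {item!r}")
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"HttpsPorts entry out of range: {port}")
        ports.add(port)
    return frozenset(ports)


def build_redirect_url(host: str, port: int, relative_target: str,
                       https_ports: frozenset[int], tls_on_wire: bool) -> str:
    """Build the absolute redirect URL for one requesting host.

    The scheme is https when the connection itself used TLS, or when the
    listening port is declared in HttpsPorts (an HTTPS accelerator terminated
    TLS in front of the gateway, so the gateway only sees plain HTTP).
    Otherwise the redirect stays http. The default port for the scheme is
    omitted from the authority so URLs compare cleanly.
    """
    if not relative_target.startswith("/"):
        raise ValueError("relative target must be a path starting with '/'")
    scheme = "https" if (tls_on_wire or port in https_ports) else "http"
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return urlunsplit((scheme, netloc, relative_target, "", ""))


def redirect_urls_per_host(requests: list[tuple[str, int, bool]],
                           relative_target: str, https_ports_value: str) -> dict[str, str]:
    """Compute the redirect URL for each host that protects the same relative
    target. `requests` is a constructed list of (host, port, tls_on_wire)."""
    https_ports = parse_https_ports(https_ports_value)
    return {host: build_redirect_url(host, port, relative_target, https_ports, tls)
            for host, port, tls in requests}


if __name__ == "__main__":
    # Constructed sample: three hosts protecting the same relative target.
    sample = [("app.example.com", 7002, False),   # behind an accelerator
              ("intranet.example.net", 8080, False),  # plain HTTP, not listed
              ("portal.example.org", 443, True)]   # TLS terminated on the gateway
    for host, url in redirect_urls_per_host(sample, "/siteminder/redirect", "80,7002").items():
        print(f"{host:24} -> {url}")
```

Without port 7002 in HttpsPorts, the first host would be redirected to an http:// URL even though the browser's connection was HTTPS, which is the mismatch the HttpsPorts parameter exists to prevent.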
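Steps 10, 12, 13 and 17 together describe what SiteMinder checks on the received ID Token: its signature, its time window adjusted by Skew Time, and the claim named in ID Token Claim Lookup (user_loginid by default). The following added example, which is not SiteMinder code, walks through those checks on a constructed token. It uses an HMAC-SHA256 signature from the standard library as a stand-in for the certificate-based signature SiteMinder verifies, so the minting helper, the key and the sample claims are all assumptions; the verify_signature flag mirrors the effect of the Disable Identity Token Signature Validation option.

```python
"""Added example (not SiteMinder code): ID Token checks corresponding to the
Verification Certificate, ID Token Claim Lookup, Skew Time and signature
validation settings.

Assumptions (not from the page): HS256 (HMAC) stands in for the certificate
signature; mint_token, the key and the claim values are constructed here.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json


class TokenError(Exception):
    """Raised when the ID Token fails any validation step."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Constructed issuer side: build a compact JWS signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (f"{_b64url_encode(json.dumps(header).encode())}."
                     f"{_b64url_encode(json.dumps(claims).encode())}")
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, *, now: int, skew_time: int = 0,
                      claim_lookup: str = "user_loginid",
                      verify_signature: bool = True) -> str:
    """Validate the token and return the value of the lookup claim.

    - verify_signature=False models the Disable Identity Token Signature
      Validation option: the payload is then trusted as received, so anyone
      able to reach the redirect URL could present a forged identity.
    - skew_time is the number of seconds of clock difference tolerated; the
      page describes it as subtracted from the current time, and this example
      applies the same allowance to both the exp and iat bounds.
    - claim_lookup names the claim carrying the user identity (default
      user_loginid, as on the page).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    if verify_signature:
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            raise TokenError("signature verification failed")
    claims = json.loads(_b64url_decode(parts[1]))
    if "exp" not in claims or "iat" not in claims:
        raise TokenError("exp and iat claims are required")
    if now - skew_time >= claims["exp"]:
        raise TokenError("token expired")
    if claims["iat"] > now + skew_time:
        raise TokenError("token issued in the future")
    subject = claims.get(claim_lookup)
    if not subject:
        raise TokenError(f"claim {claim_lookup!r} missing from ID Token")
    return subject


def tamper_payload(token: str, new_claims: dict) -> str:
    """Constructed helper: swap the payload but keep the original signature,
    which is exactly what signature validation is meant to catch."""
    header, _, sig = token.split(".")
    return f"{header}.{_b64url_encode(json.dumps(new_claims).encode())}.{sig}"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # constructed, not a real secret
    NOW = 1_700_000_000                     # constructed "current time"
    tok = mint_token({"iat": NOW - 10, "exp": NOW + 300,
                      "user_loginid": "alice", "email": "alice@example.com"}, KEY)
    print(validate_id_token(tok, KEY, now=NOW))                        # alice
    print(validate_id_token(tok, KEY, now=NOW, claim_lookup="email"))  # alice@example.com
```

The tampered-token path in the test shows the practical meaning of step 17: with signature validation disabled, the forged user_loginid is accepted, which is why that option should stay off outside of troubleshooting.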
Next: