Federation Manager Guide › Federation Partnerships › Single Sign-on Configuration (Asserting Party)

Single Sign-on Configuration (Asserting Party)

When you configure single sign-on at the asserting party, you specify how the asserting party delivers an assertion to a relying party.

Only one single sign-on session is persisted in a browser. The session information is stored in the FEDSESSION cookie. If you access another partnership in the same browser, the FEDSESSION cookie is not valid, unless the underlying user directory is the same as the previously accessed partnership during the same browser session.

The FEDSESSION cookie uses the following timeout settings:

• Idle Timeout: 600 seconds (10 minutes)
• Max Timeout: 900 seconds (15 minutes)

You cannot change these timeout settings in UI.

To configure single sign-on at the asserting party

1. Begin at the appropriate step in the Partnership wizard.

   SAML 1.1

   Single Sign-On

   SAML 2.0

   SSO and SLO

   Note: Click Help for a description of fields, controls, and their respective requirements.

2. Select an option for the Authentication Mode in the Authentication group box.

   Authentication Mode

   Select Local or Delegated

   • Click Local if Federation Manager is handling user authentication.
   • Click Delegated if a third-party web access management (WAM) system is handling user authentication.

3. Select the Authentication Type for the authentication mode you chose. The options change depending on whether you are using local or delegated authentication.

   Local Authentication Type (Local Mode only)

   Select Basic or Form based

   If you are using Federation Manager that is localized for Japanese or French users, select Forms based authentication scheme. Basic authentication is not supported for localized users.

   For forms authentication, sample log-in forms are available for Japanese and French. The forms are in the directory federation_mgr_home/secure-proxy/proxy-engine/examples in the folders formsja (Japanese) and formsfr (French).

   To use the localized forms

   1. Navigate to federation_mgr_home/secure-proxy/proxy-engine/examples.
   2. Make a backup copy of the forms folder.
   3. Rename the folder for your language (formsja for Japanese or formsfr for French) to forms.

   Delegated Authentication Type

   Select Legacy Cookie, Query String, Open-format Cookie

   Note: The open format cookie is the only FIPS-compatible option for delegated authentication.

4. For Delegated Authentication only, configure the required parameters for the type of delegated authentication you chose.

   Legacy Cookie

   If user identity information is being passed from the third-party WAM in a cookie, configure the Delegated Authentication URL. This URL redirects the request to the WAM system if the user comes to Federation Manager first. The URL does not apply when the user visits the WAM first.

   Query String

   If user identity information is being passed from the third-party WAM in a query string, configure the following settings:

   • Delegated Authentication URL

     This URL redirects the request to the WAM system when the user comes to Federation Manager first. The URL does not apply when user goes to the WAM first.

   • Hash Secret
   • Confirm Hash Secret

   Open-format Cookie

   If user identity information is being passed from the third-party WAM in a FIPS-encrypted cookie, configure the Delegated Authentication URL. The open format cookie is the only FIPS-compatible option for delegated authentication. This URL redirects the request to the WAM system if the user comes to Federation Manager first. The URL does not apply when user goes to the WAM first.

   Note: If you select Legacy Cookie or Open-format Cookie as the Delegated Authentication Type, configure the required global cookie settings. Locate the deployment settings by navigating to Infrastructure, Deployment Settings.

5. Complete the Authentication Class field by entering a URI for the user authentication method you want to use. This URI is placed in the AuthnContextClassRef element in the assertion to describe how a user is authenticated.

   Guidelines:

   • If the user is going to authenticate locally, accept the default URI for Password.
   • If the user is going to authenticate at a remote third party, edit this field to reflect the authentication method.
6. Complete the required fields in the SSO group box to configure how single sign-on operates:

   Be aware of the following guidelines:

   • If you select Artifact binding, select an artifact encoding (URL or FORM). The encoding defines how the artifact comes back to the relying party. If you select the URL option, the artifact is sent back as a query parameter in a URL. If you select FORM, the artifact is posted as form data.
   • You can select both bindings for SAML 2.0—the local entity determines the sequence in which the bindings are tried.

     Note: For artifact binding, the assertion is sent over a secure back channel. Therefore, configure the settings in the Back Channel group box.

   • When you select an SSO binding, configure at least one Assertion Consumer Service with a matching binding. If you select Enhanced Client and Proxy Profile, you need an Assertion Consumer Service service with the PAOS binding.
   • The SSO Validity Duration and the Skew Time determine when the assertion is valid. Read the information about assertion validity to understand how these settings work together.
7. Specify the URL for the Assertion Consumer Service. This service is the service at the relying party that processes received assertions.

Any values defined during the creation or import of the remote relying party are already filled in.

This procedure completes SSO configuration for the asserting party.

More information:

Back Channel Authentication for Artifact SSO

Assertion Validity for Single Sign-on

Enhanced Client or Proxy Profile (ECP)

Delegated Authentication for Federation Users