Artifact single sign-on requires the relying party to send an artifact to the asserting party to retrieve the assertion. The asserting party uses the artifact to retrieve the correct assertion and returns the assertion to the relying party over a back channel.
You can require an entity to authenticate to access the back channel. The back channel can also be secured using SSL, though SSL is not required.
Securing the back channel using SSL involves:
SSL is not required for Basic authentication, but you can use Basic over SSL. SSL is required for Client Cert authentication.
Configuring separate channels is supported only for SAML 2.0. The back channel configuration for SAML 1.1 artifact single sign-on uses a single configuration for each partnership. Federation Manager uses the correct direction automatically (incoming for a local producer and outgoing for a local consumer).
Select which direction to configure for SAML 2.0 single sign-on based on the entity you are configuring.
Note: You can configure an incoming and outgoing back channel; however, a channel can have only one configuration. If two services use the same channel, these two services use the same back channel configuration. For example, if the incoming channel for a local asserting party supports HTTP-Artifact SSO and SLO over SOAP, these two services must use the same back channel configuration.
The options for back channel authentication are:
Basic: Indicates that a Basic authentication scheme is protecting the back channel.
Note: Basic authentication can be selected when SSL is enabled for the back channel; however, Basic authentication can also be used without SSL.
Client Cert: Indicates that SSL with an X.509 client certificate protects the asserting party back channel. For more information, see Certificates to Secure the Artifact Back Channel.
If you select Client Cert as the authentication method, all endpoint URLs have to use SSL communication. This means that the URLs must begin with https://. Endpoint URLs locate the various SAML services on a server.
No Auth: Indicates that the relying party is not required to supply credentials. The back channel and Artifact Resolution Service are not secured. You can still enable SSL with this option; the back channel traffic is then encrypted, but no credentials are exchanged between the parties.
Use the NoAuth option for testing purposes but not for production, unless Federation Manager is configured for SSL-enabled failover and sits behind a proxy server. When client certificate authentication protects the back channel, the proxy server handles the authentication because it has the server certificate. In this case, all IdP->SP partnerships use NoAuth as the authentication type.
Important! The authentication method for the incoming back channel must match the authentication method for the outgoing back channel on the other side of the partnership. Agreeing on the choice of authentication method is handled out of band.
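The rules above (Client Cert needs SSL and https:// endpoints, NoAuth is for testing unless behind an SSL-enabled failover proxy, both sides of a partnership must agree on the method) can be checked mechanically before a partnership goes live. The following is an added example, not Federation Manager code; the BackChannel model, its field names and the constructed example URLs are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

AUTH_METHODS = ("Basic", "ClientCert", "NoAuth")  # the three options described above

Finding = Tuple[str, str]  # (severity, message); severity is "error" or "warning"


@dataclass
class BackChannel:
    """One direction of an artifact back channel (hypothetical model, not a product API)."""
    auth_method: str                  # one of AUTH_METHODS
    ssl_enabled: bool                 # SSL on the back channel
    endpoint_urls: List[str]          # endpoint URLs that locate the SAML services
    production: bool = True           # False for a test deployment
    behind_ssl_failover_proxy: bool = False  # the NoAuth exception described above


def check_channel(ch: BackChannel) -> List[Finding]:
    """Apply the per-channel rules from the text to one back channel."""
    findings: List[Finding] = []
    if ch.auth_method not in AUTH_METHODS:
        return [("error", f"unknown authentication method {ch.auth_method!r}")]
    if ch.auth_method == "ClientCert":
        # Client Cert requires SSL, and every endpoint URL must begin with https://.
        if not ch.ssl_enabled:
            findings.append(("error", "Client Cert requires SSL on the back channel"))
        for url in ch.endpoint_urls:
            if not url.lower().startswith("https://"):
                findings.append(("error", f"Client Cert requires an https:// endpoint: {url}"))
    elif ch.auth_method == "NoAuth" and ch.production and not ch.behind_ssl_failover_proxy:
        findings.append(("error", "NoAuth is for testing, not production, unless behind an SSL failover proxy"))
    if not ch.ssl_enabled and ch.auth_method != "ClientCert":
        # Permitted by the product, but worth flagging: Basic credentials would travel in clear text.
        detail = "credentials travel in clear text" if ch.auth_method == "Basic" else "traffic is not encrypted"
        findings.append(("warning", f"SSL disabled: {detail}"))
    return findings


def check_partnership(local: BackChannel, partner: BackChannel) -> List[Finding]:
    """Check both sides; the method agreed out of band must be the same on each side."""
    findings = check_channel(local) + check_channel(partner)
    if local.auth_method != partner.auth_method:
        findings.append(("error", "authentication methods differ between the two sides of the partnership"))
    return findings


def errors(findings: List[Finding]) -> List[str]:
    """Only the findings that make the configuration invalid."""
    return [msg for sev, msg in findings if sev == "error"]
```

Warnings are informational (the product allows those settings); errors correspond to combinations the text says are not permitted.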
To configure back channel authentication
The Authentication Method field becomes active.
Note: Click Help for a description of fields, controls, and their respective requirements.
If you select No Auth as the authentication method, no additional steps are required.
The client certificate authentication method requires an X.509 client certificate to establish a connection. The relying party must have the key/certificate pair or client certificate authentication fails. Verify that the client certificate exists in the certificate data store at the asserting party. When the relying party sends the request for the assertion, the client certificate serves as the relying party credentials to access the retrieval service.
After entering values for all the necessary fields, the back channel configuration is complete. Enable SSL on each side of the connection for added security.
Copyright © 2012 CA. All rights reserved.