|
|
|
To implement single sign-on using the artifact binding, the relying party sends a request for an assertion to Federation Manager at the asserting party. The assertion request goes to the Assertion Retrieval Service (SAML 1.1) or the Artifact Resolution Service (SAML 2.0). The retrieval service takes the artifact supplied by the relying party and uses it to retrieve the assertion. Federation Manager sends the response back to the relying party over a back channel, which is a secured connection between the asserting and relying party. In contrast, web browser communication occurs over the front channel.
You can secure the back channel and the retrieval service from unauthorized access using one of the following authentication methods:
For any of these authentication methods, the relying party back channel must be configured so it can communicate with the Assertion Retrieval Service (SAML 1.1) or the Artifact Resolution Service (SAML 2.0) in a secure manner.
The following considerations might be useful when choosing an authentication method for the artifact back channel:
A set of common root and intermediate CA certificates are shipped with the default key database. To use a server certificate signed by a CA that is not already in the key store, you must import the CA certificate into the database as a trusted CA certificate.
| Copyright © 2010 CA. All rights reserved. | Email CA about this topic |