A third-party WAM system and Federation Manager at the asserting party communicate the login ID in a query string. The WAM system must add the following two attributes to the query string in the redirect URL:
LoginID: Specifies the value used to identify the user to the third-party WAM system.
LoginIDHash: A hash of the LoginID, computed as described below.
To generate the LoginIDHash value, the LoginID is prepended to a Hash Secret and the entire value is then run through a SHA-1 hashing algorithm. The Hash Secret is specified in the Federation Manager configuration at the asserting party.
When Federation Manager retrieves the credentials from the query string, it combines the received LoginID with its configured Hash Secret in the same way and hashes the result. If the computed hash equals the received LoginIDHash, Federation Manager considers the login ID to be valid and continues with the federation request; otherwise the request is rejected.
Important! The LoginID and LoginIDHash parameters are case sensitive.
The third-party WAM system must configure its federated application to construct a redirect URL that sends the user back to the Federation Manager Single Sign-on service. Therefore, the Federation Manager administrator has to communicate the URL of the Single Sign-on service (and the Hash Secret) to the third party out of band.
Important! After the third-party WAM system receives an authentication request from Federation Manager, it must capture any query string on that incoming request and resend it unchanged in the redirect URL, because that query string carries Federation Manager request information (for example, the SPID and ProtocolBinding parameters in the example below).
The syntax of the query string is as follows:
?existing_query_string&LoginID=LoginID&LoginIDHash=hashed_LoginID
Example
https://johndoe3227.b.com/affwebservices/public/saml2sso?SPID=sp1&LoginID=user1&LoginIDHash=de164152ed6e8e9a7f760e47d135ecf0c98a3e4e&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
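The following Python example is added here to show both halves of the exchange described above; it is not code from CA Federation Manager or from any WAM product. The WAM side appends LoginID and LoginIDHash to the Single Sign-on URL while leaving the existing query string unchanged, and the asserting-party side recomputes SHA-1(LoginID + Hash Secret) and compares it to the received value. The Hash Secret, the SSO URL and the function names are assumptions for illustration; the real secret comes from the Federation Manager configuration, so the hash in the page's example cannot be reproduced here.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample secret for illustration only. In a deployment this is the
# Hash Secret configured in Federation Manager at the asserting party and shared
# with the WAM system out of band.
HASH_SECRET = "example-hash-secret"


def login_id_hash(login_id: str, hash_secret: str = HASH_SECRET) -> str:
    """LoginIDHash as the page describes it: LoginID prepended to the Hash
    Secret, the whole string run through SHA-1, returned as lowercase hex."""
    return hashlib.sha1((login_id + hash_secret).encode("utf-8")).hexdigest()


def build_redirect_url(sso_url: str, login_id: str,
                       hash_secret: str = HASH_SECRET) -> str:
    """WAM side: add LoginID and LoginIDHash to the Federation Manager SSO URL.

    Any query string already present on sso_url (the Federation Manager request
    information received with the incoming authentication request) is kept
    exactly as it was; the two new parameters are appended after it.
    """
    parts = urlsplit(sso_url)
    extra = urlencode({
        "LoginID": login_id,
        "LoginIDHash": login_id_hash(login_id, hash_secret),
    })
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def verify_redirect_url(url: str, hash_secret: str = HASH_SECRET):
    """Asserting-party side: recompute the hash from the received LoginID and
    the configured Hash Secret. Returns the LoginID if the hashes match,
    otherwise None (the request must not proceed).

    Parameter names and values are treated case-sensitively, matching the
    page's note: 'loginid=' or an uppercase hex digest will not verify.
    """
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    login_id = params.get("LoginID")
    received = params.get("LoginIDHash")
    if login_id is None or received is None:
        return None
    expected = login_id_hash(login_id, hash_secret)
    # Constant-time comparison so a mismatch position does not leak via timing.
    if not hmac.compare_digest(expected, received):
        return None
    return login_id


if __name__ == "__main__":
    # SSO URL and incoming query string taken from the page's example; the
    # secret is the constructed one above.
    sso = "https://johndoe3227.b.com/affwebservices/public/saml2sso?SPID=sp1"
    redirect = build_redirect_url(sso, "user1")
    print(redirect)
    print("verified as:", verify_redirect_url(redirect))
    print("tampered:", verify_redirect_url(redirect.replace("LoginID=user1", "LoginID=admin")))
```

Note that the verifier only confirms that whoever built the URL knew the Hash Secret; it does not bind the hash to the rest of the query string, so the SPID and ProtocolBinding parameters are carried along unchanged but are not covered by LoginIDHash. Keep the secret out of URLs, logs and client-side code, and use the same case in the hex digest on both sides.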
Copyright © 2010 CA. All rights reserved.