|
|
|
To implement single sign-on using the artifact binding, the consuming authority sends a request for an assertion to SOA Security Manager at the asserting party. The assertion request goes to the Assertion Retrieval Service (SAML 1.1) or the Artifact Resolution Service (SAML 2.0). The retrieval service takes the artifact supplied by the consuming authority and uses it to retrieve the assertion. SOA Security Manager sends the response back to the consuming authority over a back channel, which is a secured connection between the asserting and consuming authority. In contrast, web browser communication occurs over the front channel.
You can secure the back channel and the retrieval service from unauthorized access using one of the following authentication methods:
For any of these authentication methods, the consuming authority back channel must be configured so it can communicate with the Assertion Retrieval Service (SAML 1.1) or the Artifact Resolution Service (SAML 2.0) in a secure manner.
The following considerations might be useful when choosing an authentication method for the artifact back channel:
A set of common root and intermediate CA certificates are shipped with the default key database. To use a server certificate signed by a CA that is not already in the key store, you must import the CA certificate into the database as a trusted CA certificate.
Federation uses an SSL-client when processing back channel requests. You can configure the IdP Web server to use SSL versions TLSV1_1 and TSLV1_2 with the following ciphers:
These ciphers are supported in both FIPS and non-FIPS mode. The determination whether to use SHA256 is made on the SP server side. Federation has no configuration for selecting the alogorithm. Administrators must verify that the IdP server is configured appropriately.
| Copyright © 2011 CA. All rights reserved. | Email CA Technologies about this topic |