
How the SAML Session Ticket Response is Used

The SAML Session Ticket response provides the data that the SOA Agent uses to create an assertion. The only authentication scheme that can evaluate the assertion is the SAML Session Ticket authentication scheme.

When an XML assertion document arrives at a web service protected by the SAML Session Ticket authentication scheme, the SOA Agent does the following:

Then, if the Agent does not have the session ticket in its cache, the Policy Server validates the client with the session ticket from the assertion. If the Agent does have the session ticket in its cache, the Policy Server is not invoked.

Note: The web service that returns the assertion is not protected by the SAML Session Ticket authentication scheme. Only subsequent services in the single sign-on environment require this authentication scheme.

The following illustration shows the response process.

SAML Session Ticket Assertion Response

  1. Client sends a request.
  2. SOA Agent passes the credentials to the Policy Server. Authentication is handled by any CA SiteMinder-supported authentication scheme.
  3. After the client is authenticated, the client is authorized. The policy that authorizes the client has a SAML response configured with it, which generates a session ticket and, optionally, a public key.
  4. SOA Agent generates the assertion and delivers it to the web service.