For SAML 2.0, you can configure SiteMinder to encrypt an entire assertion, the NameID, or other attributes. If you enable encryption, the asserting party uses the certificate (public key) the relying party sends to encrypt data. Before any transaction, the relying party sends the certificate to the asserting party in an out-of-band exchange. The relying party uses the private key/certificate pair to decrypt the data.
Note: SAML 1.1 does not support encryption of assertion data.
The Policy Server uses SSL connections in the following ways:
You can enable SSL for the SAML HTTP-Artifact back channel or for general federated communication. Establishing the SSL connection requires the relying party to associate the CA certificate with the signed SSL server certificate.
The SSL server certificate secures the SSL connection. The CA certificate verifies that the SSL server certificate is trusted.
You enable an SSL connection to protect the forms credential collector file at the relying party. Import the SSL server certificate from the relying party website into the certificate data store. The server certificate secures the SSL connection.
You can enable SSL connections for resolving web services variables.
Note: SSL server certificates are stored on the web server where they are installed. SSL server certificates are not stored in the certificate data store.
To implement single sign-on using the artifact binding, the relying party sends a request for an assertion to SiteMinder at the asserting party. The assertion request goes to the Assertion Retrieval Service (SAML 1.1) or the Artifact Resolution Service (SAML 2.0). The retrieval service takes the artifact supplied by the relying party and uses it to retrieve the assertion. SiteMinder sends the response back to the relying party over a back channel. The back channel is a secured connection between the asserting and relying parties. In contrast, web browser communication occurs over the front channel.
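As an added example (not SiteMinder's code and not from the original page), the following Python shows the relying party's side of the artifact exchange described above: it decodes a SAML 2.0 type 0x0004 artifact, checks that its SourceID matches a configured asserting party, and only then selects that partner's Artifact Resolution Service for the back-channel request. The artifact layout follows the SAML 2.0 Bindings specification; the entity IDs and resolver URLs are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# SAML 2.0 artifact, type 0x0004 (SAML 2.0 Bindings spec, section 3.6.4):
#   TypeCode (2 bytes) | EndpointIndex (2 bytes) | SourceID (20 bytes) | MessageHandle (20 bytes)
# SourceID is the SHA-1 digest of the asserting party's entity ID; MessageHandle is a
# random value the asserting party uses to look up the assertion it stored.
ARTIFACT_TYPE = 0x0004
ARTIFACT_LEN = 44

@dataclass(frozen=True)
class Artifact:
    type_code: int
    endpoint_index: int
    source_id: bytes
    message_handle: bytes

def source_id_for(entity_id: str) -> bytes:
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def build_artifact(entity_id: str, endpoint_index: int = 0, handle: Optional[bytes] = None) -> str:
    """Encode an artifact the way an asserting party would issue it (used here to build test input)."""
    handle = handle if handle is not None else os.urandom(20)
    raw = (ARTIFACT_TYPE.to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
           + source_id_for(entity_id) + handle)
    return base64.b64encode(raw).decode("ascii")

def parse_artifact(encoded: str) -> Artifact:
    """Decode and structurally validate an artifact received on the front channel."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must be {ARTIFACT_LEN} bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != ARTIFACT_TYPE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return Artifact(type_code, int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])

def resolver_for(encoded: str, trusted_partners: Dict[str, str]) -> str:
    """Return the Artifact Resolution Service URL of the configured partner whose SourceID matches.

    The relying party must only open the back channel to an asserting party it is
    configured to trust; an artifact whose SourceID matches no partner is rejected.
    """
    art = parse_artifact(encoded)
    for entity_id, resolver_url in trusted_partners.items():
        if hmac.compare_digest(source_id_for(entity_id), art.source_id):
            return resolver_url
    raise ValueError("artifact SourceID does not match any configured asserting party")
```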
Secure the back channel and the retrieval service from unauthorized access using one of the following authentication methods:
If you use X.509 client certificate as the authentication method, the relying party must provide a client certificate as its credential. This credential lets the relying party gain access to the service at the asserting party that retrieves the assertion.
Consider the following items when choosing an authentication method:
A default set of common root and intermediate CA certificates is shipped with the certificate data store. To use another server certificate signed by a CA, import the CA certificate into the store as a trusted CA certificate.
Federation uses an SSL client when processing back channel requests. You can configure the web server at the asserting party to use SSL versions TLSV1_1 and TLSV1_2 with the following ciphers:
These ciphers are supported in both FIPS and non-FIPS mode. Whether SHA256 is used is determined on the SP server side. Federation has no configuration option for selecting the algorithm. Administrators must verify that the server at the asserting party is configured appropriately.
Copyright © 2012 CA Technologies.
All rights reserved.