Federation Guides › Legacy Federation Guide › Configure as a SAML 1.x Consumer › Configure SAML 1.x Artifact Authentication

Configure SAML 1.x Artifact Authentication

Before you can assign a SAML artifact authentication scheme to a realm, configure the scheme.

Follow these steps:

1. Navigate to Infrastructure, Authentication, Authentication Schemes.
2. Click Create an authentication scheme.
3. Select Create a new object of type Authentication Scheme.

   The Authentication Scheme page opens.

4. Enter a name for the authentication scheme.
5. From the Authentication Scheme Type drop-down list, select SAML Artifact Template.

   The contents of the Authentication Scheme dialog change to support the SAML artifact scheme.

6. Configure the scheme setup.

   Click Help for descriptions of settings.

   Important! The Affiliate Name, Password, and Verify Password fields must match other values in your federation network. For details, go to Configuration Settings that Must Use the Same Values.

7. (Optional) Specify the target resource in the Default Target URL field. This field is in the Additional Configuration section of the page. The target is the protected federated resource at the consumer.

   The consumer does not have to use the default target. The link that initiates single sign-on contains a query parameter that specifies the target.

   Alternatively, specify the target resource using the value of the TARGET query parameter in the authentication response URL. To enable this option, select the checkbox Query Parameter TARGET Overrides Default Target URL.

8. (Optional) Configure features, such as the Message Consumer API and redirect URLs for authentication errors in the Additional Configuration section.
9. Click OK to save the scheme.

The SAML 1.x Artifact authentication scheme is now configured.

More information:

Back Channel Configuration for HTTP-Artifact SSO

Back Channel Configuration for HTTP-Artifact SSO

For the SAML artifact profile, the asserting party sends the assertion to the consumer over a back channel. Protect the back channel with an authentication scheme. You can use a basic or client certificate authentication scheme to secure the back channel.

• Basic authentication

  If you use basic authentication and CA SiteMinder® is at both partners, the Affiliate Name at each site is the name of the consumer. If the asserting party is not CA SiteMinder®, the asserting party administrator must provide you with the name they are using to identify your site. Specify the supplied name as the Affiliate Name in your authentication scheme configuration.

• Client certificate authentication

  If you use client certificate authentication for the back channel, the affiliate name in the Administrative UI must be the alias of the client certificate. Additionally, the CN of the certificate subject must also match the affiliate name. Matching the affiliate name, alias and CN is required.

The Policy Server supports client certificate authentication over the backchannel using non-FIPS 140 encrypted certificates, even when the Policy Server is operating in FIPS-only mode. However, for a strictly FIPS-only installation, use certificates only encrypted with FIPS 140-compatible algorithms.

The client certificate is stored in the certificate data store.