Previous Topic: Request Processing with a Proxy Server at the SPNext Topic: How To Protect Resources with a SAML 2.0 Authentication Scheme


Enable Client Certificate Authentication for the Back Channel (optional)

This procedure is only for single sign-on with the artifact binding.

The Assertion Consumer Service collects information from an authentication scheme to retrieve an assertion from the Identity Provider. The scheme tells the Assertion Consumer Service what type of credentials to provide to the Identity Provider to retrieve the assertion. After the assertion is retrieved, the Identity Provider sends the assertion across a secure back channel to the Service Provider. You can use client certificate authentication to secure the back-channel.

Certificate authentication for the back-channel is optional; you can use Basic authentication instead.

To use client certificate authentication for the back channel:

  1. Add a client certificate to the certificate data store.
  2. Select client certificate authentication for the back channel. This scheme indicates that a certificate acts as credentials for the Service Provider.

    You can use non-FIPS 140 encrypted certificates to secure the back channel even if the Policy Server is operating in FIPS-only mode. However, for a strictly FIPS-only installation, use only certificates encrypted with FIPS 140-compatible algorithms.

The administrator at the asserting-side Policy Server must have configured a policy to protect the Assertion Retrieval Service. The realm for this policy must use an X.509 client certificate authentication scheme.

More information:

Configure the Authentication Scheme that Protects the Artifact Service

Add a Client Certificate to the Certificate Data Store

You must have a private key/certificate pair from a Certificate Authority. Add a private key/certificate pair to the certificate data store using the Administrative UI. Skip this step if the key/certificate pair is already in the data store. For instructions, see the Policy Server Configuration Guide.

When you import the key/certificate pair, the alias you assign must be the same value as the Name field in the authentication scheme settings. Additionally, the CN attribute of the Subject in the certificate must also match the Name field. For example, the Name is CompanyA. Therefore, the alias must be Company A, and the CN value for the Subject must read CN=CompanyA, OU=Development, O=CA, L=Islandia, ST=NY, C=US.

Important! The Name field in the authentication scheme must match the name that is assigned to the Service Provider object at the Identity Provider. If CA SiteMinder® is the Identity Provider, the Name in the authentication scheme must match the Name field in the General settings of the object.

Configure the Client Certificate Option for the Back Channel

If you enable client certificate authentication for the back channel, the certificate serves as your credential.

To present a client certificate as a credential

  1. Navigate to the SAML 2.0 authentication scheme.
  2. Select SAML 2.0 Configuration, SSO.

    The SSO page displays.

  3. Select HTTP-Artifact in the Bindings section.
  4. Click OK.
  5. Move to the Encryption & Signing page.
  6. In the Backchannel section, select Client Cert for the Authentication field.
  7. Fill in a value for the SP Name.
  8. Click OK.