For the HTTP-Artifact profile, the assertion retrieval service (SAML 1.x) and the artifact resolution service (SAML 2.0) retrieve the assertion at the asserting party. When these services send an assertion response to the relying party, they do so over a secure back channel. We strongly recommend that you protect these services and the communication across the back channel against unauthorized access.
Note: WS-Federation does not support the HTTP-Artifact profile.
To protect these services, specify an authentication scheme for the realm that contains the service at the asserting party. The authentication scheme dictates the type of credentials that the consuming service at the relying party must provide to access the relevant service across the back channel.
You can select one of the following authentication schemes:
For HTTP-Artifact single sign-on, the asserting party sends the assertion across a secure back channel to the relying party. For basic authentication, configure a password to access the service that resolves the artifact and retrieves the assertion. The service then sends the assertion across the back channel to the relying party.
You can use Basic authentication when SSL is enabled; however, SSL is not required.
Note: The password is only relevant if you use Basic or Basic over SSL as the authentication method across the back channel.
Follow these steps for the SAML 1.x Assertion Retrieval Service:
Follow these steps for the SAML 2.0 Artifact Resolution Service:
You can protect the assertion retrieval service (SAML 1.x) or the artifact resolution service (SAML 2.0) with a Basic over SSL authentication scheme. At the asserting party, a set of default policies to protect the service is already configured when you install the Policy Server.
The only configuration that is required is to enable SSL at each partner. No other configuration is required at the asserting or relying party. At the relying party, you can use one of the default root Certificate Authorities (CAs) in the certificate data store to establish an SSL connection. To use your own root CA instead of a default CA, import the CA certificate into the data store.
If you use Basic over SSL authentication scheme, all endpoint URLs have to use SSL communication. This means that the URLs must begin with https://. Endpoint URLs locate the various SAML services on a server, such as single sign-on, single logout, the Assertion Consumer Service, Artifact Resolution Service (SAML 2.0), and the Assertion Retrieval Service (SAML 1.x).
You can protect the Assertion Retrieval Service (SAML 1.x) and the Artifact Resolution Service (SAML 2.0) with a client certificate authentication scheme. If the asserting party is configured to require client certificate authentication, the relying party makes a connection back to the asserting party and attempts to present a client certificate.
To use a client certificate authentication scheme:
If you use Client Cert authentication, all endpoint URLs have to use SSL communication. Therefore, URLs must begin with https://. Endpoint URLs locate the various SAML services on a server, such as single sign-on, single logout, the Assertion Consumer Service, Artifact Resolution Service (SAML 2.0), and the Assertion Retrieval Service (SAML 1.x).
You cannot use client certificate authentication with the following web servers running ServletExec:
Create the policy at the asserting party to protect the service from which the asserting party retrieves the assertion.
Follow these steps:
In the user record, enter the same value that is specified in the Name field of the affiliate general settings in the Administrative UI. For example, if Company A is the value of the Name field for the affiliate, the user directory entry is:
uid=CompanyA, ou=Development,o=CA
The Policy Server maps the subject DN value of the affiliate client certificate to this directory entry.
Map the Attribute Name to the user directory entry for the affiliate. The attribute represents the subject DN entry in the certificate for the affiliate. For example, you select CN as the Attribute Name, and this value represents the affiliate named cn=CompanyA,ou=Development,o=partner.
Navigate to Infrastructure, Directory, Certificate Mappings for the mapping settings.
Create a realm with the following values:
Name: any_name
Example: cert assertion retrieval
Agent: FederationWebServicesAgentGroup
Resource Filter: /affwebservices/certassertionretriever (SAML 1.x)
/affwebservices/saml2certartifactresolution (SAML 2.0)
Authentication Scheme: Client certificate authentication scheme created in the previous step.
Create a rule with the following values:
Name: any_name
Example: cert assertion retrieval rule
Resource: *
Actions: GET, POST, PUT
The assertion retrieval service uses the HTTP header that the following response sets to verify that the affiliate is the site retrieving the assertion.
Create a response with the following values:
Name: any_name
Attribute: WebAgent-HTTP-Header-Variable
Attribute Kind: User Attribute
Variable Name: consumer_name
Attribute Name: Enter the user directory attribute that contains the affiliate name value.
Example: uid=CompanyA.
Based on these entries, the Web Agent returns a response named HTTP_CONSUMER_NAME.
Create a policy with the following values:
Name: any_name
Users: Add the users from the user directory created previously in this procedure.
Rules: rule_created_earlier_in_this_procedure
Responses: response_created_earlier_in_this_procedure
The policy to protect the artifact resolution service is complete.
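The following is an added, simplified model of the certificate mapping and header check described in this procedure; it is not Policy Server or Web Agent code. It assumes a constructed one-entry user directory, maps the CN of the affiliate's client certificate subject DN to the uid of that entry (as the certificate mapping does), emits the HTTP_CONSUMER_NAME header the response produces, and shows how the retrieval service can compare that header against the affiliate the artifact was issued to.

```python
import re
from typing import Dict, Optional

# Constructed affiliate user directory, modelled on the entry in the
# procedure: uid=CompanyA, ou=Development, o=CA (hypothetical data).
USER_DIRECTORY = {
    "uid=CompanyA,ou=Development,o=CA": {"uid": "CompanyA", "ou": "Development"},
}


def parse_subject_dn(subject_dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style subject DN into {ATTR: value}.

    Attribute types are upper-cased and stray spaces around separators are
    dropped, so 'cn=CompanyA, ou=Development' and 'CN=CompanyA,OU=Development'
    map the same way. An escaped comma (backslash-comma) inside a value is kept.
    """
    parts = re.split(r"(?<!\\),", subject_dn)
    result: Dict[str, str] = {}
    for part in parts:
        attr, _, value = part.strip().partition("=")
        result[attr.strip().upper()] = value.strip().replace("\\,", ",")
    return result


def map_certificate_to_user(subject_dn: str, attribute_name: str = "CN") -> Optional[str]:
    """Model the certificate mapping: the selected subject attribute (CN here)
    must equal the uid of an affiliate entry in the user directory."""
    affiliate = parse_subject_dn(subject_dn).get(attribute_name.upper())
    if affiliate is None:
        return None
    for dn, attrs in USER_DIRECTORY.items():
        if attrs.get("uid") == affiliate:
            return dn
    return None  # unknown affiliate: no directory entry, access denied


def consumer_name_header(user_dn: str) -> Dict[str, str]:
    """Model the response: the consumer_name WebAgent-HTTP-Header-Variable
    becomes HTTP_CONSUMER_NAME carrying the affiliate's uid."""
    return {"HTTP_CONSUMER_NAME": USER_DIRECTORY[user_dn]["uid"]}


def retrieval_allowed(headers: Dict[str, str], expected_affiliate: str) -> bool:
    """Model the service-side check: the header the Web Agent set must name
    the affiliate the artifact was issued to."""
    return headers.get("HTTP_CONSUMER_NAME") == expected_affiliate
```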
At the relying party, the administrator has to enable client certificate authentication across the back channel that connects to the relevant assertion service:
SAML 1.x: Enable client certificate authentication for the Assertion Retrieval Service
SAML 2.0: Enable client certificate authentication for the Artifact Resolution Service
At the Identity Provider, the Web Agent Option Pack can be installed on a WebLogic 9.2.x application server. For basic authentication across the back channel to work with this server, modify the WebLogic config.xml file.
In the WebLogic config.xml file for the application domain, set the <enforce-valid-basic-auth-credentials> element within the <security-configuration> element as follows:
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
Copyright © 2015 CA Technologies.
All rights reserved.