This section contains the following topics:
Relying Party Interaction with Applications
Redirecting a User to the Target Application
Using HTTP Headers to Pass Assertion Data (SAML only)
Mapping Assertion Attributes to Application Attributes (SAML only)
User Provisioning at the Relying Party
Failed Authentication Handling Using Redirect URLs (Relying Party)
The Application Integration step of the partnership wizard is applicable only at the relying party. This step lets you define various aspects of federated operation for resolving user identities and directing users to the target application.
The features that you can configure in the Application Integration step are:
The Target Application section in the Application Integration step lets you define how a user gets redirected to the target application. The redirection method that you select depends on the type of data you want to pass with the user to the target application.
Follow these steps:
If the relying party receives an assertion with multiple attribute values, the Policy Server passes all values to the target application in the cookie.
The target application must use the same language as the SDK that creates the cookie. If you are using the CA SiteMinder Federation Java SDK, the application must be in Java. If you are using the .NET SDK, the application must support .NET.
Learn more about using HTTP Headers as the redirect mode and how to protect the headers.
Click Help for a description of the fields.
If a proxy sits in front of the server with the target resource, enter the URL for the proxy host. The proxy handles all federation requests locally. The proxy host can be any system that sits in front of the target server. The proxy host can also be CA SiteMinder® itself, provided it is being accessed directly from the Internet. Ultimately, when operating with a proxy, the URL you specify as the target must go through CA SiteMinder®. For example, if the base URL is fed.demo.com and the back-end server resource is mytarget/target.jsp, the value for this field is http://fed.demo.com:5555/mytarget/target.jsp.
For SAML 2.0, you can leave this field blank if you override it with the RelayState query parameter. The RelayState query parameter can part of the URL that triggers single sign-on. To enable this override, select the Relay state overrides target check box.
Setting up redirection to the target is complete.
For a SAML entity, the Policy Server can use HTTP headers to pass identity attributes from an assertion to a back-end application. A backend application can be a target application for single sign-on or a user provisioning application. The system passes these headers in an encrypted cookie.
The headers have the same name as the assertion attributes. For example, if the assertion attribute is "address", the application looks for the HTTP header "ADDRESS".
Assertion attributes are case-sensitive, but HTTP headers are not. The Policy Server cannot pass the same attributes that differ only by case sensitivity and then map them to HTTP headers. For example, the system cannot pass "address" and "Address" as headers at the same time. In general, do not use the attributes with the same names that are only different because of case sensitivity or format.
The following additional values are passed as headers:
Protecting HTTP Headers
If an unauthorized user knows the name of an assertion attribute, that user can set this name as a header in a browser. With the header set, the malicious user can gain access to the target application. The target application sees an expected header value and grants access to the resource without CA SiteMinder® consuming an assertion.
Setting a value for the FedHeaderPrefix protects against the following scenario:
CA SiteMinder® can pass assertion data using HTTP headers.
Follow these steps:
LoadPlugin="path\SAMLDataPlugin.dll"
LoadPlugin="path/SAMLDataPlugin.so"
The fedheaderprefix setting specifies a global prefix that CA SiteMinder® adds to HTTP headers. Setting a prefix protects HTTP headers against manipulation by an unauthorized user before the CA SiteMinder® consumes an assertion. As a result, only legitimate headers get passed to the target application. Read more about protecting HTTP headers.
HTTP headers are now configured to pass attribute data.
Copyright © 2015 CA Technologies.
All rights reserved.
|
|