To initiate single sign-on, the user can begin at the Identity Provider or the Service Provider. Configure links at each site or as part of applications to trigger single sign-on operation.
If a user visits the Identity Provider before going to the Service Provider, the Identity Provider must generate an unsolicited response. To initiate an unsolicited response, create a hard-coded link that generates an HTTP Get request that includes a query parameter with the Service Provider ID. The Identity Provider generates an assertion response for this ID. The Federation Web Service application and the Assertion Generator must accept the GET request.
A user clicks the link you establish to initiate the unsolicited response.
To specify the use of artifact or POST profile in the unsolicited response, the syntax for the unsolicited response link is:
http://idp_server:port/affwebservices/public/saml2sso?SPID=SP_ID& ProtocolBinding=URI_for_binding
Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.
Service Provider ID value. The entity ID is case-sensitive. Enter it exactly as it appears in the Administrative UI.
Identifies the URI of the POST or Artifact binding for the ProtocolBinding element. The SAML 2.0 specification defines this URI.
Also specify the binding in the SAML Service Provider properties for the unsolicited response to work.
Note the following information:
An unsolicited response that initiates single sign-on from the Policy Server IdP can include the following query parameters:
(Required) Specifies the ID of the Service Provider where the Identity Provider sends the unsolicited response. The entity ID is case-sensitive. Enter it exactly as it appears in the Administrative UI.
Specifies the ProtocolBinding element in the unsolicited response. This element specifies the protocol used when sending the assertion response to the Service Provider. If the Service Provider is not configured to support the specified protocol binding, the request fails.
Using the ProtocolBinding parameter is required only if the artifact and POST bindings are enabled in the Service Provider properties. If both profiles are enabled, use the query parameter only to use artifact binding.
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
You do not need to set this parameter for HTTP-POST single sign-on.
Note: Do not HTTP-encode the query parameters.
Example: Unsolicited Response with ProtocolBinding
This link redirects the user to the Single Sign-on service. In this link is the Service Provider identity. The SPID query parameter indicates the identity. Additionally, the bindings query parameter indicates that the artifact binding is in use. After the user clicks this hard-coded link, they are redirected to the local Single Sign-on service.
http://idp-ca:82/affwebservices/public/saml2sso?SPID=http%3A%2F%2Ffedsrv.acme.com %2Fsmidp2for90&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
If you do not use the ProtocolBinding query parameter, the following conditions apply:
Example: Unsolicited Response without ProtocolBinding
This link redirects the user to the Single Sign-on service. Included in this link is the Service Provider identity. The SPID query parameter indicates the identity. No ProtocolBinding query parameter exists. After the user clicks this hard-coded link, they are redirected to the local Single Sign-on service.
http://fedsrv.fedsite.com:82/affwebservices/public/saml2sso?SPID= http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
Specifies the target at the Service Provider. Use the RelayState query parameter to indicate the target destination; however, this method is optional. There can be a configuration mechanism at the Service Provider to indicate the target.
URL-encode the RelayState value.
Example
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID= http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90& RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp
A user can visit the Service Provider first and then go to an Identity Provider. Therefore, create an HTML page at the Service Provider containing hard-coded links to its AuthnRequest service. The links in the HTML page redirect the user to the Identity Provider for authentication. The links also indicate what is in the AuthnRequest.
The hard-coded link that the user selects must contain specific query parameters. These parameters are part of the HTTP GET request to the AuthnRequest service at the Service Provider.
Note: The page with these hard-coded links has to reside in an unprotected realm.
To specify the use of artifact or profile binding for the transaction, the syntax for the link is:
http://SP_server:port/affwebservices/public/saml2authnrequest? ProviderID=IdP_ID&ProtocolBinding=URI_of_binding
sp_server:port
Specifies the server and port number at the Service Provider hosting the Web Agent Option Pack or the SPS federation gateway.
IdP_ID
Specifies the identity that is assigned to the Identity Provider. The entity ID is case-sensitive. Enter it exactly as it appears in the Administrative UI.
URI_of_binding
Identifies the URI of the POST or Artifact binding for the ProtocolBinding element. The SAML 2.0 Specification defines this URI.
For the request to work, enable a binding for the SAML authentication scheme.
Note the following information:
A CA SiteMinder® Service Provider can use query parameters in the links to the AuthnRequest Service. The allowable query parameters are:
ID of the Identity Provider where the AuthnRequest Service sends the AuthnRequest message. The entity ID is case-sensitive. Enter it exactly as it appears in the Administrative UI.
Specifies the ProtocolBinding element in the AuthnRequest message. This element specifies the protocol that the Identity Provider uses to return the SAML response. If the specified Identity Provider is not configured to support the specified protocol binding, the request fails.
If you use this parameter in the AuthnRequest, you cannot include the AssertionConsumerServiceIndex parameter also. They are mutually exclusive.
Required Use of the ProtocolBinding Query Parameter
The artifact and POST binding can be enabled for an authentication scheme. If you want to use only the artifact binding, the ProtocolBinding parameter is required.
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
You do not need to set this parameter for HTTP-POST single sign-on.
Example: AuthnRequest Link with ProtocolBinding
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID= http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&ProtocolBinding=urn:oasis: names:tc:SAML:2.0:bindings:HTTP-Artifact
A user clicks the link at the Service Provider. The Federation Web Services application requests an AuthnRequest message from the local Policy Server.
Optional Use of ProtocolBinding
When you do not use the ProtocolBinding query parameter, the following conditions apply:
Note: Do not HTTP-encode the query parameters.
Example: AuthnRequest Link without ProtocolBinding
This sample link goes to the AuthnRequest service. The link specifies the Identity Provider in the ProviderID query parameter.
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID= http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
A user clicks the link at the Service Provider. The Federation Web Services application requests for an AuthnRequest message from the local Policy Server.
Indicates whether the SP forces the Identity Provider to authenticate a user even if there is an existing security context for that user.
Note: A user can try to reauthenticate with different credentials than the existing session. The IdP then compares the userDN and the user directory OID for the current and existing sessions. If the sessions are not for the same user, the IdP returns a SAML 2.0 response. The response indicates that the authentication has failed.
Example
http://www.sp.demo:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&ForceAuthn=yes
Specifies the target at the Service Provider. You can use the RelayState query parameter to indicate the target destination, but this method is optional. Instead, you can specify the target configured in the SAML 2.0 authentication scheme. The authentication scheme also has an option to override the target with the RelayState query parameter.
URL-encode the RelayState value.
Example
http://www.spdemo.com:81/affwebservices/public/saml2authnrequest? ProviderID=idp.demo&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp
Determines whether the Identity Provider can interact with a user. If this query parameter is set to true, the Identity Provider must not interact with the user. Additionally, the IsPassive parameter is included with the AuthnRequest sent to the Identity Provider. If this query parameter is set to false, the Identity Provider can interact with the user.
Example
http://www.spdemo.com:81/affwebservices/public/saml2authnrequest? ProviderID=idp.demo&RelayState=http%3A%2F%2Fwww.spdemo.com% 2Fapps%2Fapp.jsp&IsPassive=true
Specifies the index of the endpoint acting as the assertion consumer. The index tells the Identity Provider where to send the assertion response.
If you use this parameter in the AuthnRequest, you cannot include the ProtocolBinding parameter also. They are mutually exclusive.
If a Service Provider initiates single sign-on, that Service Provider can include a ForceAuthn or IsPassive query parameter in the AuthnRequest message. When a Service Provider includes these two query parameters in the AuthnRequest message, a CA SiteMinder® Identity Provider handles these query parameters as follows:
ForceAuthn Handling
When a Service Provider includes ForceAuthn=True in the AuthnRequest, a CA SiteMinder® Identity Provider takes the following actions:
A user can try to reauthenticate with different credentials than the original session. The CA SiteMinder® IdP compares the userDN and the user directory OID for the current and existing sessions. If the sessions are not for the same user, it returns a SAML 2.0 response. The response indicates that the authentication has failed.
IsPassive Handling
When a Service Provider includes IsPassive in the AuthnRequest and the IdP cannot honor it, one of the following SAML responses is sent back to the Service Provider:
Copyright © 2014 CA.
All rights reserved.
|
|