Before you can assign a SAML artifact authentication scheme to a realm, configure the scheme.
Follow these steps:
The Authentication Scheme page opens.
The contents of the Authentication Scheme dialog change to support the SAML artifact scheme.
Click Help for descriptions of settings.
Important! The Affiliate Name, Password, and Verify Password fields must match other values in your federation network. For details, go to Configuration Settings that Must Use the Same Values.
The consumer does not have to use the default target. The link that initiates single sign-on contains a query parameter that specifies the target.
Alternatively, specify the target resource using the value of the TARGET query parameter in the authentication response URL. To enable this option, select the checkbox Query Parameter TARGET Overrides Default Target URL.
The SAML 1.x Artifact authentication scheme is now configured.
For the SAML artifact profile, the asserting party sends the assertion to the consumer over a back channel. Protect the back channel with an authentication scheme. You can use a basic or client certificate authentication scheme to secure the back channel.
If you use basic authentication and CA SiteMinder® is at both partners, the Affiliate Name at each site is the name of the consumer. If the asserting party is not CA SiteMinder®, the asserting party administrator must provide you with the name they are using to identify your site. Specify the supplied name as the Affiliate Name in your authentication scheme configuration.
If you use client certificate authentication for the back channel, the affiliate name in the Administrative UI must be the alias of the client certificate. Additionally, the CN of the certificate subject must also match the affiliate name. Matching the affiliate name, alias and CN is required.
The Policy Server supports client certificate authentication over the backchannel using non-FIPS 140 encrypted certificates, even when the Policy Server is operating in FIPS-only mode. However, for a strictly FIPS-only installation, use certificates only encrypted with FIPS 140-compatible algorithms.
The client certificate is stored in the certificate data store.
Copyright © 2014 CA.
All rights reserved.
|
|