Configure SAML 2.0 Affiliations
A SAML affiliation is a group of SAML entities that share a name identifier for a single principal.
Service Providers and Identity Providers can belong to an affiliation. However, a single entity can belong to only one affiliation. Service Providers share the Name ID definition across the affiliation. Identity Providers share the user disambiguation properties across the affiliation.
Affiliations reduce the configuration that is required at each Service Provider. Additionally, using one name ID for a principal saves storage space at the Identity Provider.
Affiliations offer the following functions:
Note: Configuring affiliations is optional.
In a single sign-on use case, the Service Provider sends a request for an assertion to an Identity Provider. The AuthnRequest contains an attribute that specifies an affiliation identifier.
When the Identity Provider receives the request, it takes the following actions:
Upon receiving the assertion, authentication takes place at the Service Provider.
When a Service Provider generates a logout request, it verifies whether the Identity Provider is a member of an affiliation. The Service Provider includes an attribute in the request, which it sets to the affiliation ID. The Identity Provider receives the request and verifies that the Service Provider belongs to the affiliation identified in the attribute.
The Identity Provider obtains the affiliation Name ID from the session store. When the Identity Provider issues logout request messages to all session participants, it includes the affiliation Name ID for the members of the affiliation.
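The single sign-on and single logout flows above both hinge on one check at the Identity Provider: the request names an affiliation, and the requesting Service Provider must actually be a member of it. The following is an added example, not CA SiteMinder code. The page does not name the attribute that carries the affiliation ID; in SAML 2.0 Core it is `SPNameQualifier`, on `NameIDPolicy` in an AuthnRequest and on `NameID` in a LogoutRequest, and the example uses that. The affiliation registry, entity IDs and XML messages are all constructed sample data.

```python
"""Validate the affiliation reference carried in SAML 2.0 requests.

Added example (not CA SiteMinder code). The affiliation ID travels in the
SPNameQualifier attribute: on NameIDPolicy in an AuthnRequest and on NameID
in a LogoutRequest. The Identity Provider must confirm that the Issuer of
the request is a registered member of the affiliation it names.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed affiliation registry: affiliation ID -> member SP entity IDs.
# A single entity may belong to only one affiliation.
AFFILIATIONS = {
    "https://affiliation.example.org/retail": {
        "https://sp1.example.com",
        "https://sp2.example.com",
    },
}


def affiliation_reference(request_xml: str):
    """Return (issuer, affiliation_id) from an AuthnRequest or LogoutRequest.

    affiliation_id is None when the request carries no SPNameQualifier.
    Raises ValueError for anything that is not one of those two messages.
    """
    root = ET.fromstring(request_xml.strip())
    issuer_el = root.find("saml:Issuer", NS)
    if issuer_el is None or not (issuer_el.text or "").strip():
        raise ValueError("request has no Issuer")
    issuer = issuer_el.text.strip()

    if root.tag == f"{{{SAMLP}}}AuthnRequest":
        target = root.find("samlp:NameIDPolicy", NS)
    elif root.tag == f"{{{SAMLP}}}LogoutRequest":
        target = root.find("saml:NameID", NS)
    else:
        raise ValueError(f"unsupported message type {root.tag}")

    qualifier = None if target is None else target.get("SPNameQualifier")
    return issuer, qualifier


def check_affiliation(request_xml: str, registry=AFFILIATIONS) -> str:
    """Apply the Identity Provider's membership check.

    Returns one of:
      "no-affiliation"      - request did not reference an affiliation
      "member"              - issuer is a registered member of the affiliation
      "unknown-affiliation" - affiliation ID is not configured (reject)
      "not-a-member"        - issuer is outside the affiliation (reject)
    """
    issuer, affiliation_id = affiliation_reference(request_xml)
    if affiliation_id is None:
        return "no-affiliation"
    members = registry.get(affiliation_id)
    if members is None:
        return "unknown-affiliation"
    return "member" if issuer in members else "not-a-member"


# Constructed sample messages (IDs and timestamps are placeholders).
AUTHN_REQUEST = f"""
<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://sp1.example.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="https://affiliation.example.org/retail" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# A logout request from an entity that is not in the affiliation it names.
LOGOUT_REQUEST_OUTSIDER = f"""
<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req2" Version="2.0" IssueInstant="2014-01-01T00:10:00Z">
  <saml:Issuer>https://other-sp.example.net</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="https://affiliation.example.org/retail">a1b2c3</saml:NameID>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    print(check_affiliation(AUTHN_REQUEST))            # member
    print(check_affiliation(LOGOUT_REQUEST_OUTSIDER))  # not-a-member
```

The check runs after signature validation of the message, which is out of scope here; the point is that a logout request naming an affiliation is only honoured for the members of that affiliation, so an entity outside it cannot trigger logout of the shared affiliation Name ID.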
A SAML affiliation lets you add a SAML entity to a group so it can share a name identifier for a single principal. You can configure affiliations at either partner in a federated network.
For an Identity Provider, assign a name ID associated with an affiliation. The shared Name ID properties apply to all the Service Providers that belong to the affiliation.
For the Service Provider, the affiliation provides the user disambiguation process for authentication. When the Service Provider receives an assertion, it extracts the user identity information from the assertion. Based on the user disambiguation settings, the Service Provider compares the identity information against a local user directory to find the proper user record.
Follow these steps:
The Create SAML Affiliation page appears.
A list of the Service Providers that are members of the affiliation is displayed in the SAML Service Providers Associations section of the affiliation dialog. This list of Service Providers is read-only. To edit this list, modify the Service Provider object.
A list of the SAML 2.0 authentication schemes that use an affiliation for user disambiguation is displayed in the SAML Authentication Scheme Associations section. This list of authentication schemes is read-only. To edit this list, modify the particular scheme.
For the Identity Provider, the affiliation provides the Name ID in an assertion. Additionally, the Identity Provider includes an affiliation ID in the assertion. Select an affiliation when you configure a Service Provider object.
At runtime, the Identity Provider uses the Name ID for the affiliation and disregards the Name ID configuration that is defined for the Service Provider object.
Follow these steps:
The affiliation must already be configured to be in the list.
For the Service Provider, an affiliation determines user information. Select an affiliation when you configure an authentication scheme at the Service Provider.
At runtime, the Service Provider relies on the user configuration from the affiliation. It disregards the user configuration in the authentication scheme.
Follow these steps:
The affiliation must already be configured to be in the list.
Copyright © 2014 CA.
All rights reserved.