You configure the WS-Federation single sign-on binding for authentication in the SSO section of the SAML Profiles page. In this section, you can also enforce a single-use assertion policy, which prevents a valid assertion from being replayed.
Part of the single sign-on configuration is defining the Redirect Mode setting. The Redirect Mode specifies how the Policy Server sends assertion attributes, if available, to the target application. You can send assertion attributes as HTTP headers or HTTP cookies.
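How a single-use assertion policy is commonly enforced on the receiving side, as an added example that is not part of the original documentation and not the Policy Server's own code: each assertion ID is remembered until the assertion expires, so a second presentation is rejected. The class name, the in-memory store, and the sample IDs and timestamps are assumptions made for illustration.

```python
import threading
import time


class SingleUseAssertionCache:
    """Accepts each assertion ID once within its validity window (hypothetical helper)."""

    def __init__(self, clock=time.time, skew_seconds=60):
        self._clock = clock
        self._skew = skew_seconds   # tolerated clock skew between partners
        self._seen = {}             # assertion_id -> expiry (epoch seconds)
        self._lock = threading.Lock()

    def accept(self, assertion_id, not_on_or_after):
        """Return (True, 'accepted') on first use, else (False, reason).

        not_on_or_after must come from the signed assertion, so a replayed
        copy always carries the same expiry as the original.
        """
        now = self._clock()
        expiry = not_on_or_after + self._skew
        if now >= expiry:
            return False, "expired"
        with self._lock:
            # Drop IDs whose window has passed. They cannot be replayed any
            # more, because the expiry check above already rejects them.
            for old_id in [k for k, exp in self._seen.items() if exp <= now]:
                del self._seen[old_id]
            if assertion_id in self._seen:
                return False, "replayed"
            self._seen[assertion_id] = expiry
            return True, "accepted"


def demo():
    """Constructed scenario: the same assertion is presented three times."""
    t = [1000.0]  # fake clock so the run is deterministic
    cache = SingleUseAssertionCache(clock=lambda: t[0], skew_seconds=0)
    results = [cache.accept("_constructed-id-1", 1300.0)]       # first use
    t[0] = 1100.0
    results.append(cache.accept("_constructed-id-1", 1300.0))   # replay in window
    t[0] = 1400.0
    results.append(cache.accept("_constructed-id-1", 1300.0))   # after expiry
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

In a deployment with more than one receiving node, the seen-ID store has to be shared between nodes; a per-process dictionary only detects replays that land on the same node.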
The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:
To configure WS-Federation single sign-on
The SAML Profiles dialog opens.
Click Help for the field descriptions.
Sign-out is the simultaneous termination of all user sessions for the browser that initiated the sign-out. Closing all user sessions prevents unauthorized users from gaining access to resources at the Resource Partner.
Sign-out does not necessarily end all sessions for a user. For example, a user with two browsers open can have two independent sessions. Only the session for the browser that initiates the sign-out is terminated at all federated sites for that session. The session in the other browser is still active.
The Policy Server performs sign-out using a signoutconfirmurl.jsp. This page resides on the Identity Provider system. An Identity Provider initiates a sign-out request on behalf of a user. The JSP sends the sign-out request to each site where the user signed on during a given browser session. The user is then signed out.
A user can initiate a sign-out request only at an Identity Provider. The request is triggered by clicking a link that points to the appropriate servlet. The sign-out confirmation page must be an unprotected resource at the Identity Provider site.
Note: The Policy Server only supports the WS-Federation Passive Request profile for sign-out.
To configure WS-Federation sign-out
The SAML Profiles dialog opens.
Copyright © 2014 CA.
All rights reserved.