When you configure an authentication scheme, you define a way for the authentication scheme to look up a user in the local user store. After the correct user is located, the system generates a session for that user. Locating the user in the user store is the process of disambiguation. How the Policy Server disambiguates a user depends on the configuration of the authentication scheme.
For successful disambiguation, the authentication scheme first determines a LoginID from the assertion. The LoginID is a CA SiteMinder®-specific term that identifies the user. By default, the LoginID is extracted from the Name ID in the assertion. You can also obtain the LoginID using an Xpath query.
After the authentication scheme determines the LoginID, the Policy Server checks if a search specification is configured for the authentication scheme. If no search specification is defined for the authentication scheme, the LoginID is passed to the Policy Server. The Policy Server uses the LoginID together with the user store search specification to locate the user. For example, the LoginID value is Username and the LDAP search specification is set to the uid attribute. The Policy Server uses the uid value (Username=uid) to locate the user.
If you configure a search specification for the authentication scheme, the LoginID is not passed to the Policy Server. Instead, the search specification is used to locate a user.
You can configure user disambiguation in one of two ways:
If you choose to disambiguate locally, there are two steps in the process:
Note: The use of Xpath and a search specification are optional.
You can find the LoginID in two ways:
To use an Xpath query to determine the LoginID
Xpath queries must not contain namespace prefixes. The following example is an invalid Xpath query:
/saml:Response/saml:Assertion/saml:AuthenticationStatement/ saml:Subject/saml:NameIdentifier/text()
The valid Xpath query is:
//Response/Assertion/AuthenticationStatement/Subject/ NameIdentifier/text()
After you obtain the LoginID, you can configure a user lookup to locate the user in place of the default behavior, where the LoginID is passed to the Policy Server.
To locate a user with a search specification
For example, the LoginID has a value of user1. If you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is verified against the user store to find the correct record for authentication.
A group of Service Providers can form an affiliation. Grouping Service Providers establishes an association across the federated network, such that a relationship with one member of an affiliation establishes a relationship with all members of the affiliation.
All Service Providers in an affiliation share the name identifier for a single principal. If one Identity Provider authenticates a user and assigns that user an ID, all members of the affiliation use that same name ID. The single name ID reduces the configuration that is required at each Service Provider. Additionally, using one name ID for a principal saves storage space at the Identity Provider.
You can use the optional Xpath query and search specification for user disambiguation. These options are defined as part of the affiliation itself and not part of the authentication scheme.
Note: Define an affiliation first before using it in an authentication scheme configuration.
To select an affiliation
Copyright © 2014 CA.
All rights reserved.
|
|