Previous Topic: Select Users for Which Assertions are GeneratedNext Topic: Grant Access to the Service for Assertion Retrieval (Artifact SSO)


Configure a SAML 1.x Assertion

At the producer site, determine how to deliver SAML assertions to a consumer. The assertion identifies the user to the consumer.

An assertion is an XML document that contains the following information:

For complete information about SAML assertions, refer to the SAML specification at the OASIS website.

To configure a SAML 1.x assertion

  1. Navigate to the Assertions settings.
  2. Complete the fields in the Assertion page.

    Note: Click Help for a description of fields, controls, and their respective requirements.

    Note:

  3. Click Finish to save your selections.

The Assertions page also contains the following optional sections:

Attributes

Lets you include attributes in the assertion.

More Information:

A Security Issue Regarding SAML 1.x Assertions

A Security Issue Regarding SAML 1.x Assertions

The SAML Assertion Generator creates an assertion that is based on a session for a user that has been authenticated at any authentication scheme protection level. You can control which users a producer generates assertions. You cannot control the protection level at which they are authenticated.

You can have resources that require a particular protection level. Your resources can be secured at different protection levels. Verify that when users authenticate they do so with the desired protection level.

Assertion Validity for Single Sign-on

For single sign-on, the values of the Skew Time and the Validity Duration determine how CA SiteMinder® calculates the total time that an assertion is valid. CA SiteMinder® applies the skew time to the generation and consumption of assertions.

Note: In this description, the asserting party is the SAML 1.x Producer, SAML 2.0 Identity Provider, or WS-Federation Account Partner. The relying party is the SAML 1.x Consumer, the SAML 2.0 Service Provider, or the WS-Federation Resource Partner.

In the assertion document, the NotBefore and NotOnOrAfter values represent the beginning and end of the validity interval.

At the asserting party, CA SiteMinder® sets the assertion validity. The validity interval is the system time when the assertion is generated. CA SiteMinder® sets the IssueInstant value in the assertion using this time then subtracts the skew time value from the IssueInstant value. The resulting time is the NotBefore value.

NotBefore=IssueInstant - Skew Time

To determine the end of the validity interval, CA SiteMinder® adds the Validity Duration value and the skew time to the IssueInstant value. The resulting time becomes the NotOnOrAfter value.

NotOnOrAfter=Validity Duration + Skew Time + IssueInstant

Times are relative to GMT.

For example, an assertion is generated at the asserting party at 1:00 GMT. The skew time is 30 seconds and the validity duration is 60 seconds, making the assertion validity interval between 12:59:30 GMT and 1:01:30 GMT. This interval begins 30 seconds before the time the assertion was generated and ends 90 seconds afterward.

At the relying party, CA SiteMinder® performs the same calculations as it does at the asserting party to determine if the assertion it receives is valid.

Calculating Assertion Validity with CA SiteMinder® at Both Sides of the Partnership

If CA SiteMinder® is at both sides of a partnership, the assertion validity is the sum of the validity duration plus two times the skew time. The equation is:

Assertion Validity = 2 x Skew Time (asserting party) + Validity Duration+ 2 x Skew Time (relying party)

The initial part of the equation (2 x Skew Time + Validity Duration) represents the beginning and end of the validity window at the asserting party. The second part of the equation (2 x Skew Time) represents the skew time of the system clock at the relying party. You multiply by 2 because you are accounting for the NotBefore and the NotOnOrAfter ends of the validity window.

Note: For legacy federation, the Validity Duration is only set at the asserting party.

Example

Asserting Party

The values at the asserting party are as follows:

IssueInstant=5:00PM

Validity Duration=60 seconds

Skew Time = 60 seconds

NotBefore = 4:59PM

NotOnOrAfter=5:02PM

Relying Party

The relying party uses the NotBefore and NotOnOrAfter values from the assertion and applies its skew time to those values. This formula is how the relying party calculates new NotBefore and NotOnOrAfter values.

Skew Time = 180 seconds (3 minutes)

NotBefore = 4:56PM

NotOnOrAfter=5:05PM

Based on these values, the calculation for the total assertion validity window is:

120 seconds (2x60) + 60 seconds + 360 seconds (2x180) = 540 seconds (9 minutes).

Configure an Assertion for One-time Use

In compliance with the SAML 1.x specification, CA SiteMinder® can enforce the one time use of an assertion. By generating an assertion for one-time use, the relying party knows not to retain the assertion for future transactions. Reusing an assertion beyond its validity results in authentication decisions using out-of-date identity information.

To configure an assertion for one time use

  1. Navigate to the General settings for an Affiliate object.
  2. In the Advanced section, select the Set DoNotCache Condition.
  3. Click Submit.