This procedure is only for single sign-on with the artifact binding.
The Assertion Consumer Service collects information from an authentication scheme to retrieve an assertion from the Identity Provider. The scheme tells the Assertion Consumer Service what type of credentials to provide to the Identity Provider to retrieve the assertion. After the assertion is retrieved, the Identity Provider sends the assertion across a secure back channel to the Service Provider. You can use client certificate authentication to secure the back-channel.
Certificate authentication for the back-channel is optional; you can use Basic authentication instead.
To use client certificate authentication for the back channel:
You can use non-FIPS 140 encrypted certificates to secure the back channel even if the Policy Server is operating in FIPS-only mode. However, for a strictly FIPS-only installation, use only certificates encrypted with FIPS 140-compatible algorithms.
Note: The administrator at the asserting-side Policy Server must have configured a policy to protect the Assertion Retrieval Service. The realm for this policy must use an X.509 client certificate authentication scheme.
You must have a private key/certificate pair from a Certificate Authority. Add a private key/certificate pair to the certificate data store using the Administrative UI. Skip this step if the key/certificate pair is already in the data store. For instructions, see the Policy Server Configuration Guide.
When you import the key/certificate pair, the alias you assign must be the same value as the Name field in the authentication scheme settings. Additionally, the CN attribute of the Subject in the certificate must also match the Name field. For example, if the Name is CompanyA, the alias must be CompanyA, and the CN value for the Subject must read CN=CompanyA, OU=Development, O=CA, L=Islandia, ST=NY, C=US.
Important! The Name field in the authentication scheme must match the name that is assigned to the Service Provider object at the Identity Provider. If CA SiteMinder® is the Identity Provider, the Name in the authentication scheme must match the Name field in the General settings of the object.
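The following is an added example, not CA SiteMinder code: a small pre-deployment check that the three values the preceding notes require to agree (the authentication scheme Name, the certificate data store alias, and the certificate Subject CN) actually match. The function names and the sample Subject DN are constructed for this illustration; the DN parser handles backslash-escaped commas so a value such as "Acme\, Inc" is not split in two.

```python
import re

# Constructed sample matching the document's example; not taken from any real certificate.
SUBJECT_DN = "CN=CompanyA, OU=Development, O=CA, L=Islandia, ST=NY, C=US"


def parse_dn(dn):
    """Split an RFC 4514-style DN string into (attribute, value) pairs.
    Commas escaped with a backslash are treated as part of the value."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.strip().partition('=')
        pairs.append((attr.strip().upper(), value.replace('\\,', ',').strip()))
    return pairs


def subject_cn(dn):
    """Return the first CN attribute of the Subject, or None if absent."""
    cns = [value for attr, value in parse_dn(dn) if attr == 'CN']
    return cns[0] if cns else None


def check_back_channel_names(scheme_name, key_alias, subject_dn):
    """Return a list of mismatches between the authentication scheme Name,
    the key/certificate alias in the data store, and the certificate's
    Subject CN. An empty list means the three values are consistent."""
    problems = []
    if key_alias != scheme_name:
        problems.append(f"alias {key_alias!r} != scheme Name {scheme_name!r}")
    cn = subject_cn(subject_dn)
    if cn is None:
        problems.append("certificate Subject has no CN attribute")
    elif cn != scheme_name:
        problems.append(f"Subject CN {cn!r} != scheme Name {scheme_name!r}")
    return problems


if __name__ == '__main__':
    # Consistent configuration: no problems reported.
    print(check_back_channel_names('CompanyA', 'CompanyA', SUBJECT_DN))
    # Alias typed with a space: reported as a mismatch before the back channel fails at runtime.
    print(check_back_channel_names('CompanyA', 'Company A', SUBJECT_DN))
```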
If you enable client certificate authentication for the back channel, the certificate serves as your credential.
To present a client certificate as a credential
The SSO page displays.
Copyright © 2013 CA.
All rights reserved.