Enable Client Certificate Authentication for the Back Channel (optional)

If you are using HTTP-Artifact single sign-on, you can select client certificate authentication to protect the Assertion Retrieval Service at the producer. This service retrieves the assertion and sends it to the consumer.

Note: Client certificate authentication is optional; you can also use Basic authentication.

The SAML credential collector invokes the SAML artifact authentication scheme and uses the information it collects from that scheme to retrieve the SAML assertion from the Producer. You must specify the authentication method for the realm that contains the Assertion Retrieval Service; from that setting, the SAML credential collector determines what type of credentials to present when retrieving the assertion.

If the Assertion Retrieval Service is protected with a client certificate authentication scheme, complete these configuration tasks:

  1. Add a client certificate to the certificate data store.
  2. Select the client certificate option for back channel authentication. The certificate is the required credential.

Note: The administrator at the asserting-side Policy Server must have configured a policy to protect the Assertion Retrieval Service. The realm for this policy must use an X.509 client certificate authentication scheme.

Add a Client Certificate to the Certificate Data Store

You must have a private key/certificate pair from a Certificate Authority. Add a private key/certificate pair to the certificate data store using the Administrative UI. Skip this step if the key/certificate pair is already in the data store. For instructions, see the Policy Server Configuration Guide.

When you import the key/certificate pair, the alias you assign must be the same value as the Affiliate Name field in the authentication scheme settings. Additionally, the CN attribute of the Subject in the certificate must match the Affiliate Name field. For example, if the Affiliate Name is CompanyA, the alias must be CompanyA, and the CN value for the Subject must read CN=CompanyA, OU=Development, O=CA, L=Islandia, ST=NY, C=US.

Important! The Affiliate Name field in the authentication scheme must match the name that is assigned to the affiliate object at the Producer. If CA SiteMinder® is the Producer, the Affiliate Name in the authentication scheme must match the Name field in the General settings of the affiliate object.
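The naming rules above (the data-store alias and the certificate Subject CN must both equal the Affiliate Name) are easy to get wrong when certificates are issued by a separate team, so the following pre-deployment check is added here as an example; it is not CA SiteMinder code or part of this guide. It assumes an exact, case-sensitive comparison (the page does not say how the values are compared) and parses the Subject as an RFC 4514 DN string; the function names `parse_dn`, `subject_cn` and `check_back_channel_naming` are hypothetical.

```python
from __future__ import annotations
from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 style DN ("CN=a, OU=b, ...") into (type, value) pairs.

    Handles backslash-escaped separators (e.g. "O=CA\\, Inc.") and '+' between
    the parts of a multi-valued RDN. Attribute types are upper-cased.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # previous char was '\': keep this one literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":            # unescaped separator ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if rdn.strip():
            attr_type, _, value = rdn.partition("=")   # split at the first '='
            pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the first CN attribute of the Subject, or None if there is none."""
    cns = [v for t, v in parse_dn(subject_dn) if t == "CN"]
    return cns[0] if cns else None


def check_back_channel_naming(affiliate_name: str, alias: str, subject_dn: str) -> List[str]:
    """Return the list of mismatches; an empty list means the three values agree."""
    problems = []
    if alias != affiliate_name:
        problems.append(f"alias {alias!r} != Affiliate Name {affiliate_name!r}")
    cn = subject_cn(subject_dn)
    if cn is None:
        problems.append("certificate Subject has no CN attribute")
    elif cn != affiliate_name:
        problems.append(f"Subject CN {cn!r} != Affiliate Name {affiliate_name!r}")
    return problems


if __name__ == "__main__":
    # Constructed values, taken from the example Subject in the text above.
    dn = "CN=CompanyA, OU=Development, O=CA, L=Islandia, ST=NY, C=US"
    print(check_back_channel_naming("CompanyA", "CompanyA", dn))    # []
    print(check_back_channel_naming("CompanyA", "Company A", dn))   # alias mismatch
```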

Select the Client Cert Option for Back Channel Authentication

For the Consumer to present a certificate as credentials when trying to access the Assertion Retrieval Service at the Producer, select the client certificate option.

To select the client certificate option

  1. Go to the Scheme Setup section of the SAML Artifact Authentication scheme dialog.
  2. Select Client Cert for the Authentication field.