A CA SiteMinder® Identity Provider supports the user consent feature for SAML 2.0. User consent requires that the Identity Provider asks the user to grant permission before it sends an assertion to a partner. If you enable user consent at the Identity Provider, CA SiteMinder® prompts the user for consent. The Identity Provider passes the consent value in an assertion.
The consent validity period is 5 minutes. When the Identity Provider redirects the user to the consent page, the user has 5 minutes to grant consent and be redirected back to the Identity Provider. The Identity Provider then generates the assertion and sends it to the Service Provider. These tasks must be complete in the 5-minute time period. If the time expires before the Identity Provider generates an assertion, it does not pass on the user identity.
Consent applies only to a single assertion. After the Identity Provider generates an assertion, it deletes all record of consent being granted. The same user can return to an Identity Provider before the 5-minute validity period expires, but the Identity Provider still prompts the user for consent.
Note: The validity period is not configurable.
Example
User1 logs in and authenticates at MyWorkPlace.com at 2:00PM. MyWorkPlace is acting as an Identity Provider. At 2:03PM, the user selects a link to the partner company that runs travel specials for employees. User1 is redirected to a form that asks for consent before sending User1 to ExampleTravel.com. User1 takes a phone call before completing the consent form. The time is now 2:10PM. MyWorkPlace does not generate an assertion because the validity period has expired.
If User1 grants consent promptly and is redirected back to the Identity Provider by 2:05PM, the Identity Provider generates an assertion. Only 2 minutes pass between consent and assertion generation, so the validity period is still active.
Configuring user consent requires that you:
The Identity Provider sends the custom form to the user to get consent.
If the Identity Provider includes a user consent attribute in the assertion response, only the following URI is used:
urn:oasis:names:tc:SAML:2.0:consent:obtained
User consent is also configurable at the Service Provider. A Service Provider can require the Identity Provider to pass the user consent value in the assertion response.
CA SiteMinder® ships with a consent to federate form named ca_defaultconsentform.html. The Identity Provider sends the custom form to the user to get consent. The default consent form is in the directory %NETE_WA_ROOT%\customization. %NETE_WA_ROOT% is the location of the Web Agent Option Pack.
You can write a custom form instead of using the default consent form and specifying the form in the Administrative UI.
Follow these steps:
Represents the SP ID configured in the partnership
Represents the IDP ID configured in the partnership.
NETE_WA_ROOT is the system environment variable. %NETE_WA_ROOT% is the location of the Web Agent Option Pack. If the Web Agent and Web Agent Option Pack are installed on the same system, they are installed in the same directory, for example, webagent\customization.
Note: The User Consent Service URL is specified by default. You cannot change this value.
|
Copyright © 2013 CA.
All rights reserved.
|
|