

Back Channel Authentication for Artifact SSO

Artifact single sign-on requires the relying party to send an artifact to the asserting party to retrieve the assertion. The asserting party uses the artifact to retrieve the correct assertion and returns the assertion to the relying party over a back channel.

You can require an entity to authenticate to access the back channel. The back channel can also be secured using SSL, though SSL is not required.

Securing the back channel involves:

  1. Enabling SSL.

    SSL is not required for Basic authentication, but you can use Basic over SSL; without SSL, the Basic credentials (a base64-encoded username and password) cross the back channel in cleartext. SSL is required for Client Cert authentication, because the certificate is presented during the SSL handshake.

  2. Configuring an incoming or outgoing back channel for the SAML 2.0 communication exchange. The direction you configure depends on the role of the local entity.

    Configuring separate channels is supported only for SAML 2.0. The back channel configuration for SAML 1.1 artifact single sign-on uses a single configuration for each partnership. CA SiteMinder® uses the correct direction automatically (incoming for a local producer and outgoing for a local consumer).

    Select which direction to configure for SAML 2.0 single sign-on based on the entity you are configuring.

    Note: You can configure an incoming and outgoing back channel; however, a channel can have only one configuration. If two services use the same channel, these two services use the same back channel configuration. For example, if the incoming channel for a local asserting party supports HTTP-Artifact SSO and SLO over SOAP, these two services must use the same back channel configuration.

  3. Choosing the type of authentication for the relying party to gain access across the protected back channel. The authentication method applies per channel (incoming or outgoing).

    The options for back channel authentication include Basic (with or without SSL) and Client Cert (over SSL). The Administrative UI help describes these options in detail.

    Important! The authentication method for the incoming back channel must match the authentication method for the outgoing back channel on the other side of the partnership. Agreeing on the choice of authentication method is handled in an out-of-band communication.
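The rules above (the channel direction follows the local role, Client Cert needs SSL, Basic without SSL exposes the password, and the method on one side must match the partner's opposite channel) can be checked before the partnership goes live. The following is an added example, not CA SiteMinder code or part of the original page: it validates a channel configuration, builds the SAML 2.0 ArtifactResolve message that crosses the back channel inside a SOAP 1.1 envelope, and prepares the HTTP request with either Basic or Client Cert authentication. The artifact value, the artifact resolution service URL, the credentials and the certificate paths are all constructed placeholders, and the SOAPAction value is the one commonly used for the SAML SOAP binding.

```python
"""Back-channel checks for SAML 2.0 HTTP-Artifact SSO (added example, not SiteMinder code)."""
import base64
import datetime
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def channel_direction(local_role):
    """Map the local entity's role to the back channel it configures.

    The asserting party (producer) answers artifact resolution requests on its
    incoming channel; the relying party (consumer) sends them on its outgoing channel.
    """
    role = local_role.lower()
    if role in ("asserting party", "producer", "idp"):
        return "incoming"
    if role in ("relying party", "consumer", "sp"):
        return "outgoing"
    raise ValueError(f"unknown role: {local_role}")


def check_back_channel(local_role, auth_method, ssl_enabled, partner_auth_method):
    """Return (severity, message) findings for one channel configuration.

    Client Cert requires SSL; Basic works without SSL but then sends a reusable
    password in cleartext; the method must match the partner's opposite channel.
    """
    findings = []
    direction = channel_direction(local_role)
    other = "outgoing" if direction == "incoming" else "incoming"
    if auth_method == "Client Cert" and not ssl_enabled:
        findings.append(("error", f"{direction} channel: Client Cert authentication requires SSL"))
    if auth_method == "Basic" and not ssl_enabled:
        findings.append(("warning", f"{direction} channel: Basic credentials travel in cleartext without SSL"))
    if auth_method != partner_auth_method:
        findings.append(("error", f"{direction} channel uses {auth_method} but the partner's "
                                  f"{other} channel uses {partner_auth_method}"))
    return findings


def build_artifact_resolve(artifact, issuer, request_id=None, issue_instant=None):
    """Build the SOAP envelope carrying a samlp:ArtifactResolve for one artifact."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    resolve = ET.SubElement(body, f"{{{SAMLP_NS}}}ArtifactResolve",
                            {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(resolve, f"{{{SAML_NS}}}Issuer").text = issuer
    ET.SubElement(resolve, f"{{{SAMLP_NS}}}Artifact").text = artifact
    return ET.tostring(envelope, encoding="unicode")


def build_back_channel_request(url, envelope_xml, auth_method, username=None, password=None,
                               client_cert=None, client_key=None, ca_file=None):
    """Return (urllib Request, SSLContext or None) ready to POST the envelope.

    Basic adds an Authorization header; Client Cert loads the relying party's
    certificate and key into the TLS context so the asserting party can verify
    it during the handshake. The server certificate is always verified.
    """
    if auth_method == "Client Cert" and not url.startswith("https://"):
        raise ValueError("Client Cert authentication requires an https back channel")
    req = urllib.request.Request(url, data=envelope_xml.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("SOAPAction", "http://www.oasis-open.org/committees/security")
    ctx = None
    if url.startswith("https://"):
        ctx = ssl.create_default_context(cafile=ca_file)  # verifies the asserting party's cert
        if auth_method == "Client Cert":
            ctx.load_cert_chain(client_cert, client_key)  # hypothetical paths supplied by caller
    if auth_method == "Basic":
        token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        req.add_header("Authorization", f"Basic {token}")
    return req, ctx


if __name__ == "__main__":
    # Constructed sample: a relying party resolving an artifact over Basic-over-SSL.
    for severity, msg in check_back_channel("relying party", "Basic", True, "Basic"):
        print(severity, msg)
    xml = build_artifact_resolve("AAQAAMFWQ2V1dGVzdEFydGlmYWN0", "https://sp.example.test")
    req, ctx = build_back_channel_request("https://idp.example.test/affwebservices/saml2artifactresolution",
                                          xml, "Basic", "sp-user", "s3cret")
    print(req.full_url, req.get_header("Authorization"), ctx is not None)
    # urllib.request.urlopen(req, context=ctx) would send it; omitted so the example runs offline.
```

The validator is the piece to run against both partners' settings before the out-of-band agreement is finalised: a finding of severity "error" on either side means the artifact resolution call will fail at the channel, not in SAML processing.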

Configure the HTTP-Artifact Back Channel

Protect the HTTP-artifact back channel across which the asserting party sends the assertion to the relying party.

Consider the following limitation:

You cannot use client certificate authentication with the following web servers running ServletExec:

Follow these steps:

  1. Begin at the Back Channel section in the Single Sign-on or the SSO and SLO step of the partnership wizard.
  2. Select HTTP-Artifact in the SSO section.

    The Authentication Method field becomes active.

  3. Select the type of authentication method for the incoming or outgoing back channel, or both.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  4. Depending on the authentication method you select, several additional fields are displayed for you to configure.

After entering values for all the necessary fields, the back channel configuration is complete. You can enable SSL on each side of the connection for added security; SSL is optional for Basic authentication and required for Client Cert authentication.