This section contains the following topics:
Federation Web Services Overview
SAML 1.x Artifact and POST Profiles
SAML 2.0 Artifact and POST Profiles
WS-Federation Passive Requestor Profile
The Federation Web Services (FWS) application is installed with the Web Agent Option Pack on a server that has a connection to a Policy Server. The Federation Web Services and the Web Agent support the following web browser single sign-on profiles. These profiles convey information from one site to another through a standard browser.
The supported profiles are:
- SAML 1.x artifact and POST profiles
- SAML 2.0 artifact and POST profiles
- WS-Federation Passive Requestor profile
For the SAML 1.x artifact and POST profiles, the Federation Web Services application uses the following services:
A producer-side component. This service handles a SAML request for the assertion that corresponds to a SAML artifact by retrieving the assertion from the CA SiteMinder® session store. The SAML specification defines the assertion retrieval request and response behavior.
Note: Only the SAML artifact profile uses the assertion retrieval service.
A consumer-side component that receives a SAML artifact or an HTTP form with an embedded SAML response and obtains the corresponding SAML assertion. The credential collector issues CA SiteMinder® cookies to the user's browser.
A producer-side component for the SAML POST profile. The intersite transfer service transfers a user from the producer site to a consumer site. For the SAML artifact profile, the Web Agent performs the same function as the intersite transfer service.
For SAML 2.0 artifact and POST profiles, the Federation Web Services application uses the following services:
An Identity Provider-side service that supports SAML 2.0 authentication using the HTTP-artifact binding. This service retrieves the assertion stored in the CA SiteMinder® session store at the Identity Provider.
Note: Only the HTTP-artifact binding uses the artifact resolution service.
A Service Provider component that receives a SAML artifact or an HTTP form with an embedded SAML response and obtains the corresponding SAML assertion. The Assertion Consumer Service issues CA SiteMinder® cookies to a browser.
Note: The Assertion Consumer Service accepts an AuthnRequest with an AssertionConsumerServiceIndex value of 0. All other values for this setting are denied.
This service is deployed for use by SAML 2.0. A Service Provider can generate an <AuthnRequest> message to authenticate a user for cross-domain single sign-on. This message contains information that enables the Federation Web Services application to redirect the browser to the single sign-on service at the Identity Provider. The AuthnRequest service is used for POST and Artifact single sign-on.
The single sign-on service enables an Identity Provider to process AuthnRequest messages. The service also invokes the assertion generator to create an assertion that is sent to the Service Provider.
This service implements processing of single logout functionality, which an Identity Provider or a Service Provider can initiate.
Implements the SAML 2.0 Identity Provider Discovery Profile and sets and retrieves the common domain cookie. An IdP requests to set the common domain cookie after authenticating a principal. An SP requests to obtain the common domain cookie to discover which Identity Provider a principal is using.
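As an added illustration (not CA SiteMinder code), the following Python sketches two checks a Service Provider-side Assertion Consumer Service performs as described above: enforcing that only an AssertionConsumerServiceIndex of 0 is accepted in an AuthnRequest, and telling an HTTP-artifact request (SAMLart parameter) apart from an HTTP-POST request (SAMLResponse form field) so the right back-end path is taken. The sample AuthnRequest messages are constructed here; treating a missing index as 0 and rejecting a request that carries both parameters are assumptions, not behaviour stated on the page.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
AUTHN_REQUEST_TAG = "{%s}AuthnRequest" % SAMLP_NS

# Constructed sample messages (not captured from a real deployment).
AUTHN_REQUEST_OK = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_req1" Version="2.0" '
    'IssueInstant="2013-01-01T00:00:00Z" AssertionConsumerServiceIndex="0"/>'
    % SAMLP_NS
)
AUTHN_REQUEST_BAD = AUTHN_REQUEST_OK.replace('Index="0"', 'Index="3"')


def check_acs_index(authn_request_xml):
    """Accept an AuthnRequest only when AssertionConsumerServiceIndex is 0.

    Assumption: an absent index is treated as 0.  Production code should use a
    hardened XML parser (entity expansion disabled) rather than bare ElementTree.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != AUTHN_REQUEST_TAG:
        return (False, "not a SAML 2.0 AuthnRequest")
    index = root.get("AssertionConsumerServiceIndex", "0")
    if index != "0":
        return (False, "AssertionConsumerServiceIndex %s denied" % index)
    return (True, "accepted")


def classify_acs_request(params):
    """Decide which binding an incoming ACS request uses.

    'artifact': SAMLart present -> ACS must call the artifact resolution service
                at the Identity Provider to fetch the assertion.
    'post':     SAMLResponse present -> the assertion is embedded in the form.
    'reject':   neither, or both (ambiguous; assumption, not page behaviour).
    """
    has_art = "SAMLart" in params
    has_resp = "SAMLResponse" in params
    if has_art and not has_resp:
        return "artifact"
    if has_resp and not has_art:
        return "post"
    return "reject"


if __name__ == "__main__":
    print(check_acs_index(AUTHN_REQUEST_OK), check_acs_index(AUTHN_REQUEST_BAD))
    print(classify_acs_request({"SAMLart": "AAQ..."}),
          classify_acs_request({"SAMLResponse": "PHNhbWxw..."}))
```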
For the WS-Federation Passive Requestor profile, the Federation Web Services application uses the following services:
A Resource Partner component that receives a security token and extracts the corresponding SAML assertion. The Security Token Consumer Service issues cookies to a browser.
Enables an Identity Provider to process a sign-on message and gather the necessary Resource Partner information to authenticate the user. This service also invokes the assertion generator to create an assertion that is sent to the Resource Partner.
Implements processing of a single sign-out transaction by way of a sign-out servlet. An Identity Provider or a Resource Partner can initiate sign-out.
Copyright © 2013 CA.
All rights reserved.