Previous Topic: Grant Access to the Service for Assertion Retrieval (Artifact SSO)Next Topic: Configure Attributes to Include in SAML 1.x Assertions (Optional)


Configure the Authentication Scheme that Protects the Artifact Service

For the HTTP-Artifact profile, the assertion retrieval service (SAML 1.x) and the artifact resolution service (SAML 2.0) retrieve the assertion at the asserting party. When these services send an assertion response to the relying party, they do so over a secure back channel. We strongly recommend that you protect these services and the communication across the back channel against unauthorized access.

Note: WS-Federation does not support the HTTP-Artifact profile.

To protect these services, specify an authentication scheme for the realm that contains the service at the asserting party. The authentication scheme dictates the type of credentials that the consuming service at the relying party must provide to access the relevant service across the back channel.

You can select one of the following authentication schemes:

Basic Authentication to Protect the Service that Retrieves Assertions

For HTTP-Artifact single sign-on, the asserting party sends the assertion across a secure back channel to the relying party. For basic authentication, configure a password to access to the service that resolves the artifact and retrieves the assertion. The service then sends the assertion across the back channel to the relying party.

You can use Basic authentication with SSL is enabled; however, SSL is not required.

Note: The password is only relevant if you use Basic or Basic over SSL as the authentication method across the back channel.

Follow these steps: for the SAML 1.x Assertion Retrieval Service

  1. Log in to the Administrative UI.
  2. Navigate to the General settings for the producer.
  3. Enter a value for the following fields:
  4. Click Submit to save the changes.

Follow these steps: for the SAML 2.0 Artifact Resolution Service

  1. Log in to the Administrative UI.
  2. Navigate to the Attribute settings for the Identity Provider.
  3. In the Backchannel section, enter a value for the following fields:
  4. Click Submit to save the changes.
Basic over SSL to Protect the Service that Retrieves Assertions

You can protect the assertion retrieval service (SAML 1.x) or the artifact resolution service (SAML 2.0) with a Basic over SSL authentication scheme. At the asserting party, a set of default policies to protect the service is already configured when you install the Policy Server.

The only configuration that is required is to enable SSL at each partner. No other configuration is required at the asserting or relying party. At the relying party, you can use one of the default root Certificate Authorities (CAs) in the certificate data store to establish an SSL connection. To use your own root CA instead of a default CA, import the CA certificate into the data store.

If you use Basic over SSL authentication scheme, all endpoint URLs have to use SSL communication. This means that the URLs must begin with https://. Endpoint URLs locate the various SAML services on a server, such as single sign-on, single logout, the Assertion Consumer Service, Artifact Resolution Service (SAML 2.0), and the Assertion Retrieval Service (SAML 1.x).

Client Certificate Auth to Protect the Service that Retrieves Assertion

You can protect the Assertion Retrieval Service (SAML 1.x) and the Artifact Resolution Service (SAML 2.0) with a client certificate authentication scheme. If the asserting party is configured to require client certificate authentication, the relying party makes a connection back to the asserting party and attempts to present a client certificate.

To use a client certificate authentication scheme:

  1. Create a policy at the asserting party to protect the relevant service. This policy uses the client certificate authentication scheme.
  2. Enable client certificate authentication for the back channel configuration at the relying party.
  3. Enable SSL at each side of the partnership.

If you use Client Cert authentication, all endpoint URLs have to use SSL communication. Therefore, URLs must begin with https://. Endpoint URLs locate the various SAML services on a server, such as single sign-on, single logout, the Assertion Consumer Service, Artifact Resolution Service (SAML 2.0), and the Assertion Retrieval Service (SAML 1.x).

You cannot use client certificate authentication with the following web servers running ServletExec:

Create the Policy to Protect the Retrieval Service

Create the policy at the asserting party to protect the service from which the asserting party retrieves the assertion.

Follow these steps:

  1. For each affiliate requesting assertions, add a separate entry to a user directory. Create a user directory or use an existing directory.

    In the user record, enter the same value that is specified in the Name field of the affiliate general settings in the Administrative UI. For example, if Company A is the value of the Name field for the affiliate, the user directory entry is:

    uid=CompanyA, ou=Development,o=CA

    The Policy Server maps the subject DN value of the affiliate client certificate to this directory entry.

  2. Add the configured user directory to the FederationWebServicesDomain.
  3. Create a certificate mapping entry.

    Map the Attribute Name to the user directory entry for the affiliate. The attribute represents the subject DN entry in the certificate for the affiliate. For example, you select CN as the Attribute Name, and this value represents the affiliate named cn=CompanyA,ou=Development,o=partner.

    Navigate to Infrastructure, Directory, Certificate Mappings for the mapping settings.

  4. Configure an X509 Client Certificate authentication scheme.
  5. Create a realm under the FederationWebServicesDomain containing the following entries:
    Name

    any_name

    Example: cert assertion retrieval

    Agent

    FederationWebServicesAgentGroup

    Resource Filter

    /affwebservices/certassertionretriever (SAML 1.x)

    /affwebservices/saml2certartifactresolution (SAML 2.0)

    Authentication Scheme

    Client certificate authentication scheme created in the previous step.

  6. Create a rule under the cert assertion retriever realm containing the following information:
    Name

    any_name

    Example: cert assertion retrieval rule

    Resource

    *

    Web Agent Actions

    GET, POST, PUT

  7. Create a Web Agent response header under the FederationWebServicesDomain.

    The assertion retrieval service uses this HTTP header to verify that the affiliate is the site retrieving the assertion.

    Create a response with the following values:

    Name

    any_name

    Attribute

    WebAgent-HTTP-Header-Variable

    Attribute Kind

    User Attribute

    Variable Name

    consumer_name

    Attribute Name

    Enter the use directory attribute that contains the affiliate name value.

    Example: uid=CompanyA.

    Based on the following entries, the Web Agent returns a response named HTTP_CONSUMER_NAME.

  8. Create a policy under the FederationWebServicesDomain containing the following values:
    Name

    any_name

    User

    Add the users from the user directory created in previously in this procedure.

    Rule

    rule_created_earlier_in_this_procedure

    Response

    response_created_earlier_in_this_procedure

The policy to protect the artifact resolution service is complete.

At the relying party, the administrator has to enable client certificate authentication across the back channel that connects to the relevant assertion service:

SAML 1.x: Enable client certificate authentication for the Assertion Retrieval Service

SAML 2.0: Enable client certificate authentication for the Artifact Resolution Service