Previous Topic: Configure CA SiteMinder® as a SAML 1.x ConsumerNext Topic: Configure SAML 1.x Artifact Authentication


SAML 1.x Authentication Schemes

A consumer is a site that uses a SAML 1.x assertion to authenticate a user.

Note: A site can be a SAML producer and a SAML consumer.

Any CA SiteMinder® site with legacy federation functionality can consume SAML 1.x assertions and can use these assertions to authenticate users. When an assertion is consumed, the site has to be able to compare the information from the assertion against a user directory to complete the authentication process.

CA SiteMinder® provides the following SAML 1.x authentication methods:

The SAML-based authentication schemes let a consumer site authenticate a user. Consuming a SAML assertion and establishing a CA SiteMinder® session enables cross-domain single sign-on. After the user is identified, the consumer site can authorize the user for specific resources.

The following illustration shows the major components for authentication at the consumer site.

Graphic showing the SAML 1.x Authentication Scheme Components

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the Secure Proxy Server Administration Guide.

The SAML 1.x authentication scheme is configured at the consumer-side Policy Server. The SAML credential collector is a component of the Federation Web Services application. The credential collector is installed on the consumer-side Web Agent, or on an SPS federation gateway. The credential collector obtains information from the SAML authentication scheme at the Policy Server, then uses that information to access a SAML assertion.

The SAML assertion becomes the credentials that grant access to the Policy Server at the consumer site. The user is authenticated and authorized, and if authorization is successful, the user is redirected to the target resource.

SAML 1.x Artifact Authentication Scheme Overview

The following illustration shows how the SAML 1.x artifact authentication scheme processes requests.

Graphic showing how the SAML 1.x artifact authentication scheme processes requests

Note: An SPS federation gateway, or the Web Agent and Web Agent Option Pack, provide the Agent and SAML Credential Collector functionality.

Unless otherwise stated, all activity in this process occurs at the Consumer site:

  1. A user is redirected to the SAML credential collector with a SAML artifact and a target URL.

    The artifact and target URL are originally generated from the Web Agent at the producer site.

  2. The SAML credential collector calls the Policy Server to determine whether the SAML artifact authentication scheme protects the requested resource.
  3. The Policy Server passes the necessary data to the SAML artifact authentication scheme, which extracts the producer configuration information.
  4. The Policy Server returns the producer configuration information to the SAML credential collector. This information enables the credential collector servlet to call a producer site and retrieve a SAML assertion.
  5. The SAML credential collector takes the data from the Policy Server and uses it to retrieve the SAML assertion.
  6. Once an assertion is returned, the credential collector uses the assertion as credentials, and logs in to the Policy Server.
  7. The Policy Server makes the initial user disambiguation call to the SAML authentication scheme.
  8. Using the authentication scheme data and the assertion, the scheme locates the user and returns a unique identifier for the user to the credential collector.
  9. The Policy Server makes the second user authentication call to the authentication scheme.

    Note: The CA SiteMinder® Authentication AP dictate the two-step authentication process. For more information, see the CA SiteMinder® Programming Guide for C or the CA SiteMinder® Programming Guide for Java.

  10. The scheme validates the SAML assertion and returns an accept or reject message to the Policy Server.
  11. The Policy Server sends the accept or reject message to the credential collector.
  12. The SAML credential collector creates a session cookie and places it in the browser, and then redirects the user to the target resource. If the login fails, the credential collector redirects the user to a No Access URL.
SAML 1.x POST Profile Authentication Scheme Overview

The following illustration shows how the SAML 1.x POST profile authentication scheme processes requests.

Graphic showing the SAML 1.x Process Model

Note: The SPS federation gateway or the Web Agent Option Pack provide the SAML Credential Collector functionality.

Unless otherwise stated, the following process takes place at the consumer site:

  1. A browser posts an HTML form to the SAML credential collector URL. This form contains a SAML response message and the address of the target URL, originally generated at the producer.
  2. The SAML credential collector contacts the Policy Server to determine whether the target resource is protected.
  3. The Policy Server replies that the SAML POST profile authentication scheme protects the target URL. A signed response from the posted form is the expected credential for the login call.
  4. The SAML credential collector makes a login call to the Policy Server, passing the digitally signed SAML response as credentials.
  5. The SAML POST profile authentication scheme verifies the signature and other fields of the response and the assertion.
  6. If the checks succeed and the user is found in the directory, then authentication succeeds. If any of the checks fail, authentication fails.
  7. The SAML credential collector creates an SMSESSION cookie. This cookie is put in the browser and the user is redirected to the target resource. If the login fails, the credential collector redirects the user to the configured No Access URL.

SAML 1.x Authentication Scheme Prerequisites

The prerequisites for configuring a SAML authentication scheme are as follows:

Install the CA SiteMinder® Policy Server

The CA SiteMinder® Policy Server includes legacy federation functionality.

To install the Policy Server, refer to the Policy Server Installation Guide.

Install Federation Web Services at the Producer and Consumer

Federation Web Services (FWS) is a web application. FWS provides the SAML credential collector servlet, which consumes assertions and other services for federated network configurations.

To use the FWS application features, install the Web Agent and Web Agent Option Pack or the SPS federation gateway, which has FWS embedded at the producer and consumer sites.

For installation and configuration instructions, refer to the following guides:

Specify a Value for the DefaultAgentName Setting

When you install a Web Agent, define a value for the Web Agent parameter DefaultAgentName for all consumer Web Agents. This value specifies a Web Agent identity.

Include the specified Agent identifying the DefaultAgentName in the Resource Filter of the realm that protects the target resource. Configure the DefaultAgentName parameter in the Agent Configuration Object or the local Agent configuration file. Omitting the DefaultAgentName parameter or using the value specified in the AgentName parameter in the realm resource filter causes SAML 1.x authentication to fail, regardless of the single sign-on profile.

Set Up a Certificate Data Store to Sign and Verify POST Responses

To use the SAML POST profile for passing assertions, the producer must sign the SAML response that contains the assertion. The assertion consumer at the consumer site must verify that signature.

To accomplish these tasks, add a private key/certificate pair to the certificate data store for signing, verification or both. The certificate data store lets you manage and retrieve keys and certificates, which are required to sign and validate SAML responses.

For more information about the certificate data store, see the Policy Server Configuration Guide.