ForceAuthn and IsPassive Processing at the IdP

CA SiteMinder® Federation Standalone Guide › URLs to Initiate Single Sign-on › SAML 2.0 HTTP-POST Binding Configuration › ForceAuthn and IsPassive Processing at the IdP

ForceAuthn and IsPassive Processing at the IdP

If single sign-on is initiated by a Service Provider, that Service Provider can include a ForceAuthn or IsPassive query parameter in an AuthnRequest message.

Note: CA SiteMinder® Federation Standalone Identity Providers do not support the IsPassive query parameter; however, the IsPassive parameter may be included in an AuthnRequest message sent by a third-party Service Provider.

When a Service Provider includes ForceAuthn or IsPassive in the AuthnRequest, a CA SiteMinder® Federation Standalone Identity Provider handles these query parameters as follows:

ForceAuthn Handling

When a Service Provider includes ForceAuthn=True in the AuthnRequest message, a CA SiteMinder® Federation Standalone Identity Provider challenges the user for their credentials, even when a session exists.

IsPassive Handling

When a Service Provider includes IsPassive in the AuthnRequest and it cannot be honored by the Identity Provider, one of the following SAML responses is sent back to the Service Provider:

If IsPassive=True in the AuthnRequest message and there is no CA SiteMinder® Federation Standalone session, a CA SiteMinder® Federation Standalone Identity Provider returns a SAML response that includes an error message because CA SiteMinder® Federation Standalone requires a session.
If IsPassive=True in the AuthnRequest message and there is a CA SiteMinder® Federation Standalone session, the CA SiteMinder® Federation Standalone Identity Provider returns the assertion.
If IsPassive and ForceAuthn are in the AuthnRequest message and both are set to True, the CA SiteMinder® Federation Standalone Identity Provider returns an error because this is an invalid request. IsPassive and ForceAuthn are mutually exclusive.

SP-initiated SSO (SAML 2.0)

SP-initiated SSO requires that you have an HTML page at the Service Provider containing hard-coded links to the AuthnRequest service at the Service Provider. The links redirect the user to the Identity Provider to be authenticated and determining what is included in the AuthnRequest itself.

This information applies to Artifact or POST bindings.

The hard-coded link that the user selects must contain specific query parameters, which are used in an HTTP GET request to the AuthnRequest service.

Note: The page with these hard-coded links has to reside in an unprotected realm.

To specify the use of artifact or profile binding for the transaction, the syntax for the link is:

http://sp_server:port/affwebservices/public/saml2authnrequest?
ProviderID=IdP_ID&ProtocolBinding=URI_of_binding&
RelayState=target_URL

sp_server:port

Specifies the server and port number at the Service Provider that is hosting CA SiteMinder® Federation Standalone.

IdP_ID

Specifies the identity that is assigned to the Identity Provider. The entity ID is case-sensitive. Enter it exactly as it appears in the Administrative UI.

URI_of_binding

Identifies the URI of the POST or Artifact binding for the ProtocolBinding element. The SAML 2.0 specification defines this URI.

The URI for the artifact binding is:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
The URI for the POST binding is:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

You do not need to set this parameter for HTTP-POST single sign-on.

Also, enable a binding for the partnership for the request to work.

target_URL

Specifies the URL of the federation target at the Service Provider.

Note the following information:

If you do not include the ProtocolBinding query parameter in the AuthnRequest link, the default binding is the one defined for the partnership. If you have both bindings defined in the partnership, then no binding is passed in the AuthnRequest. As a result, the default binding at the Identity Provider is used.
If the artifact and POST bindings are enabled for the partnership but you only want to use artifact binding, include the ProtocolBinding query parameter in the link.

AuthnRequest Query Parameters Used by an SP

The query parameters a CA SiteMinder® Federation Standalone SP can use in the links to the AuthnRequest Service are as follows:

ProviderID (required)

Entity ID of the Identity Provider where thethe AuthnRequest Service.sends AuthnRequest message.

ProtocolBinding

Specifies the ProtocolBinding element in the AuthnRequest message. This element specifies the protocol used to return the SAML response from the Identity Provider. If the specified Identity Provider is not configured to support the specified protocol binding, the request fails.

If you use this parameter in the AuthnRequest, you cannot include the AssertionConsumerServiceIndex parameter also. They are mutually exclusive.

ForceAuthn

Instructs the Identity Provider that it must authenticate a user directly instead of relying on an existing security context. Use this query parameter when the Identity Provider is using CA SiteMinder® Federation Standalone, not if it is using third-party federation software.

If the SP sets ForceAuthn=True in the AuthnRequest message, and a session exists for a particular user, the Identity Provider challenges the user for credentials. If the user successfully authenticates, the IdP sends the identity information from the existing session in the assertion and discards the session generated for the authentication.
If the SP sets ForceAuthn=True in the AuthnRequest message and there is no session, the IdP challenges the user for credentials. If the user successfully authenticates, a session is established.

Example

http://sp1.demo.com:81/affwebservices/public/saml2authnrequest?
ProviderID=idp1.example.com&ForceAuthn=yes

IsPassive

Instructs the Identity Provider to log in the user without challenging the user for credentials or interacting with the user in any way. A CA SiteMinder® Identity Provider does not honor this query parameter unless the user has a session. If the user does not have a session, the Identity Provider returns an error.

AssertionConsumerServiceIndex

Specifies the index of the endpoint acting as the Assertion Consumer Service. It tells the Identity Provider where to send the assertion response.

If you use this parameter in the AuthnRequest, do not include the ProtocolBinding parameter also because they are mutually exclusive. The Assertion Consumer Service has its own protocol binding, which could conflict with the ProtocolBinding parameter.

RelayState

Indicates the URL of the target resource at the Service Provider. By including this query parameter, it tells the Service Provider where to send the user. Otherwise, the default target defined for the partnership is used.

Required Use of the ProtocolBinding Query Parameter

The ProtocolBinding parameter is required if artifact and POST binding are enabled for the partnership, and if the user wants to use only the artifact binding.

The URI for the artifact binding, as specified by the SAML 2.0 specification is:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
The URI for the POST binding as specified by the SAML 2.0 specification is:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

You do not need to set this parameter for HTTP-POST single sign-on.

Optional Use of ProtocolBinding

When you do not use the ProtocolBinding query parameter, the following applies:

If only one binding is enabled for the partnership and the ProtocolBinding query parameter is not specified, the enabled binding for the partnership is used.
If both bindings are enabled and the ProtocolBinding query parameter is not specified, POST binding is used as the default.

Note: You do not need to HTTP-encode the query parameters.

Example: AuthnRequest Link without the ProtocolBinding Query Parameter

This sample link goes to the AuthnRequest service. It specifies the Identity Provider in the ProviderID query parameter.

http://ca.sp.com:90/affwebservices/public/saml2authnrequest?
ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90

After a user clicks the link at the Service Provider, CA SiteMinder® Federation Standalone passes a request for an AuthnRequest message.

Example: AuthnRequest Link with the ProtocolBinding Query Parameter the

http://ca.sp.com:90/affwebservices/public/saml2authnrequest?
ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&
ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

After a user clicks the link at the Service Provider, CA SiteMinder® Federation Standalone passes a request for an AuthnRequest message.

IP-initiated Single Sign-on (WSFED)

A user can visit the Identity Provider (IP) before going to the Resource Partner (RP). If the user visits the Identity Provider first, a link must generate an HTTP Get request. The hard-coded link points to the passive requester service at the IP. The request contains the RP Provider ID and optionally other parameters.

The syntax for the link is:

https://ip_server:port/affwebservices/public/wsfedsso?wa=wsignin1.0&wtrealm=rp_id

ip_server:port: Specifies the server and port number of the system at the Identity Partner. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.
rp_id: The ID of the RP. The entity ID is case-sensitive. Enter it exactly as it appears in the Administrative UI.

RP-initiated Single Sign-on (WSFED)

When a user starts at the RP to initiate single sign-on, typically the user selects from a list of IPs. The site selection page is in an unprotected realm.

The link on the site selection page points to the passive requester service at an IP. After the link is selected, the RP redirects the user to the IP to get the assertion.