Federation Security Services Guide › Authenticate SAML 2.0 Users at the Service Provider › Configure Single Sign-on at the SP

Configure Single Sign-on at the SP

To establish single sign-on between the Identity Provider and the Service Provider, you need to specify the SSO bindings supported by the Service Provider.

The SSO tab configures single sign-on using the artifact or POST binding. This tab also enforces single use assertion policy for POST binding to prevent the replaying of a valid assertion.

Part of the single sign-on configuration is defining the Redirect Mode setting. The Redirect Mode specifies how Federation Security Services sends assertion attributes, if available, to the target application. You can send assertion attributes as HTTP Headers or HTTP cookies.

The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:

• For HTTP headers, Federation Security Services can send an attribute in a header up to the web server size limit for a header. Only one assertion attribute per header is allowed. See the documentation for your web server to determine the header size limit.
• For HTTP cookies, Federation Security Services can send a cookie up to the size limit for a cookie. Each assertion attribute is sent as its own cookie. The cookie size limit is browser-specific, and that limit is for all attributes being passed to the application, not for each attribute. See the documentation for your web browser to determine the cookie size limit.

To configure single sign-on

1. From the Authentication Scheme Properties dialog box, click Additional Configuration.

   The SAML 2.0 Auth Scheme Properties dialog box opens.

2. Select the SSO tab.
3. Complete entries for the fields on the SSO tab.

   The following are required fields:

   • Redirect Mode
   • SSO Service
   • Audience
   • HTTP-Artifact or HTTP-Post

     If you choose HTTP-Artifact as the binding, you must fill in the Resolution Service, Authentication, SP Name, and Password fields.

4. Specify a target resource for single sign-on to work. The target specifies the requested resource at the destination Service Provider site and it is required.
5. In the Bindings group box, you can select both HTTP-Artifact and HTTP-Post.

   If HTTP-POST is selected and artifact is not selected, only the POST binding will be accepted from the Identity Provider. If no binding is specified, the default is HTTP-artifact.

   If you select HTTP-Artifact binding, you have to:

   • Enable the session server to store the assertion before it is retrieved. Instructions are located in Storing User Session, Assertion, and Expiry Data.
   • Configure the backchannel to select the type of authentication scheme protecting the Artifact Resolution Service, which retrieves the assertion at the Identity Provider. Instructions are located in Configure the Backchannel for HTTP_Artifact SSO.
   • Optionally, add an entry for the Index field for each binding.

     If you have multiple endpoints, you can configure indexed endpoints. The entry you include here will be included by the Service Provider as a query parameter in the AuthnRequest that gets sent to the single sign-on service at the Identity Provider.

6. The following are other optional features you can select:
   • Enhanced Client and Proxy Profile
   • Sign AuthnRequests checkbox--tells the Policy Server at the Service Provider to sign the AuthnRequest after it is generated. This check box is required if the Identity Provider requires signed AuthnRequests. The AuthnRequest Service redirects the signed AuthnRequest to the Single Sign-on Service URL.
   • Allow IdP to Create New User Identifier