
Configure the SAML 2.0 Authentication Scheme

Before you can assign a SAML 2.0 authentication scheme to a realm, you must configure the scheme.

To configure the SAML 2.0 authentication scheme common setup

  1. Check the SAML 2.0 Authentication Scheme Prerequisites.
  2. Log into the Policy Server User Interface.
  3. From the menu bar, select Edit, System Configuration, Create Authentication Scheme.

    The Authentication Scheme Properties dialog box opens.

  4. In the Authentication Scheme Type drop-down list, select SAML 2.0 Template.

    The contents of the SiteMinder Authentication Scheme dialog box change to support the SAML 2.0 scheme.

    In this dialog you find the following:

    Note: For HTTP-Artifact single sign-on, you can secure the artifact back channel with client certificate authentication. You can use non-FIPS 140 encrypted certificates to secure the back channel even if the Policy Server is operating in FIPS-only mode. However, for a strictly FIPS-only installation, use only certificates encrypted with FIPS 140-compatible algorithms.

  5. Complete the fields.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  6. In the Scheme Setup tab:
    1. Accept the value for the SAML Version field, which must be 2.0.
    2. Configure at least one of the following bindings for signature processing. By default, digital signature processing is enabled.
      • HTTP-Post (Additional Configuration, SSO tab)

        For this binding, enter information about the certificate used to validate the signature of the posted assertion. The Issuer DN and the Serial Number identify the entity that issued and signed the certificate.

      • HTTP Redirect (Additional Configuration, SLO tab)

        For this binding, enter information about the certificate used to validate the signature of the SLO request.

    3. Configure validation of the digital signature.

      Signature processing is enabled by default. The SAML 2.0 specification requires it, so it must remain enabled in a production environment. For debugging your initial federation setup only, you can temporarily disable all signature processing for the Service Provider (both signing and verification of signatures) by checking the Disable Signature Processing option.

      The value you enter for the Issuer DN field should match the issuer DN of the certificate in the smkeydatabase. We recommend you open a command window and enter the command smkeytool -lc to list the certificates and view the DN to ensure that you enter a matching value.

      Important! If you disable signature processing, you are disabling a mandatory security function.
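A common cause of signature validation failures at this step is an Issuer DN that is typed differently from the one shown for the certificate in the key database (different attribute-type spelling, extra whitespace, escaped commas, or a serial number given in hex with colons instead of decimal). The following Python script is an added example, not part of the CA documentation or the smkeytool product: it normalizes an RFC 4514 DN string (or the slash-separated form that OpenSSL prints) and a serial number so that the value you intend to enter can be compared with the value listed for the certificate. All DN and serial values in it are constructed samples; the attribute-type alias table and the hex/decimal handling are this example's own assumptions.

```python
"""
Added example (not from the CA documentation): normalize and compare X.509
issuer DNs and serial numbers so that the values entered for the SAML 2.0
authentication scheme match the certificate held in the smkeydatabase.
Sample DN strings and serials below are constructed for illustration.
"""

# Attribute types are case-insensitive in RFC 4514 string form. Map the
# long names some tools print onto one canonical short spelling (assumed set).
_TYPE_ALIASES = {
    "commonname": "CN",
    "organizationname": "O",
    "organizationalunitname": "OU",
    "countryname": "C",
    "stateorprovincename": "ST",
    "localityname": "L",
    "emailaddress": "EMAILADDRESS",
    "e": "EMAILADDRESS",
}


def _split(text, sep):
    """Split on an unescaped separator, honouring backslash escapes and
    double-quoted values (RFC 4514 string representation)."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep escape pair intact
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value):
    """Resolve RFC 4514 escapes: \\XX hex pairs and backslash-quoted chars."""
    out, i = [], 0
    hexdigits = "0123456789abcdefABCDEF"
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _norm_value(value):
    """Strip surrounding quotes, unescape, then apply the case- and
    whitespace-insensitive comparison RFC 5280 uses for directory strings."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    value = _unescape(value)
    return " ".join(value.split()).casefold()


def normalize_dn(dn):
    """Return a canonical tuple of RDNs for an RFC 4514 DN string or an
    OpenSSL-style '/C=US/O=.../CN=...' string (which lists RDNs in reverse)."""
    dn = dn.strip()
    if dn.startswith("/"):
        rdn_strings = list(reversed(dn[1:].split("/")))   # simplified: no '/' escapes
    else:
        rdn_strings = _split(dn, ",")
    rdns = []
    for rdn in rdn_strings:
        avas = []
        for ava in _split(rdn, "+"):            # multi-valued RDNs use '+'
            attr_type, _, attr_value = ava.partition("=")
            key = attr_type.strip().casefold()
            key = _TYPE_ALIASES.get(key, key.upper())
            avas.append((key, _norm_value(attr_value)))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def dn_matches(entered, listed):
    """True when the DN you plan to enter equals the DN shown for the cert."""
    return normalize_dn(entered) == normalize_dn(listed)


def normalize_serial(serial, assume_hex=True):
    """Return the serial as an int. Colons, spaces, and a 0x prefix are
    removed; digit-only strings are hex unless assume_hex=False."""
    s = serial.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        return int(s[2:], 16)
    if assume_hex or any(c in "abcdef" for c in s):
        return int(s, 16)
    return int(s, 10)


if __name__ == "__main__":
    # Constructed values: what you typed versus what the key database lists.
    print(dn_matches("CN=Example CA, O=Example Corp, C=US",
                     "cn=example ca,o=Example  Corp,c=us"))
    print(normalize_serial("0A:1B:2C") == normalize_serial("662316", assume_hex=False))
```

Run it before saving the scheme: if dn_matches returns False for the value you intend to enter and the DN reported for the certificate, correct the entry rather than disabling signature processing, which the page notes is a mandatory security function.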


Copyright © 2010 CA. All rights reserved.