To implement single sign-on using the artifact binding, the relying party sends a request for an assertion to SiteMinder at the asserting party. The assertion request goes to the Assertion Retrieval Service (SAML 1.1) or the Artifact Resolution Service (SAML 2.0). The retrieval service takes the artifact supplied by the relying party and uses it to look up the assertion that the artifact references. SiteMinder sends the response back to the relying party over a back channel, which is a direct, secured server-to-server connection between the asserting and relying party that the user's browser never sees. In contrast, the browser-mediated traffic that carries the artifact itself occurs over the front channel.
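The following is an added example of the relying-party side of this exchange; it is not code from the SiteMinder documentation or product. It decodes a SAML 2.0 (type 0x0004) or SAML 1.x (type 0x0001) artifact, maps its SourceID to a known asserting party before any back-channel request is made, builds the SOAP-wrapped ArtifactResolve that is sent to the Artifact Resolution Service, and validates the ArtifactResponse that comes back (InResponseTo and Status) before handing out the enclosed assertion. The entity IDs, the resolution endpoint URL and the sample ArtifactResponse are constructed for the example; the transport over the back channel and signature verification of the returned assertion are deliberately left outside this block.

```python
import base64
import hashlib
import struct
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for _prefix, _uri in (("soap", NS_SOAP), ("samlp", NS_SAMLP), ("saml", NS_SAML)):
    ET.register_namespace(_prefix, _uri)

# Assumed identifiers for the example; not taken from the SiteMinder documentation.
IDP_ENTITY_ID = "https://idp.example.com/saml2/idp"
SP_ENTITY_ID = "https://sp.example.com/saml2/sp"
ARS_URL = "https://idp.example.com/saml2/ars"


def source_id_for(entity_id):
    """SourceID is the SHA-1 digest of the asserting party's entity ID (SAML 2.0 Bindings, 3.6.4)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


# Relying party's table of trusted asserting parties: SourceID -> artifact resolution endpoint.
KNOWN_IDPS = {source_id_for(IDP_ENTITY_ID): ARS_URL}


def make_artifact(entity_id, endpoint_index=0, handle=None, version="2.0"):
    """Constructed artifact standing in for one the asserting party would issue (test data only)."""
    handle = handle or (uuid.uuid4().bytes + uuid.uuid4().bytes[:4])  # 20 random bytes
    if version == "2.0":   # type 0x0004: TypeCode(2) EndpointIndex(2) SourceID(20) MessageHandle(20)
        raw = struct.pack(">HH", 0x0004, endpoint_index) + source_id_for(entity_id) + handle
    else:                  # SAML 1.x type 0x0001: TypeCode(2) SourceID(20) AssertionHandle(20)
        raw = struct.pack(">H", 0x0001) + source_id_for(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64):
    """Decode a SAML 2.0 (type 4) or SAML 1.x (type 1) artifact into its fields; anything else is rejected."""
    raw = base64.b64decode(artifact_b64, validate=True)
    type_code = struct.unpack(">H", raw[:2])[0] if len(raw) >= 2 else -1
    if type_code == 0x0004 and len(raw) == 44:
        return {"version": "2.0", "endpoint_index": struct.unpack(">H", raw[2:4])[0],
                "source_id": raw[4:24], "message_handle": raw[24:44]}
    if type_code == 0x0001 and len(raw) == 42:
        return {"version": "1.1", "endpoint_index": None,
                "source_id": raw[2:22], "message_handle": raw[22:42]}
    raise ValueError("unsupported or malformed artifact (type 0x%04x, %d bytes)" % (type_code, len(raw)))


def resolution_endpoint(artifact_b64):
    """Resolve the artifact's SourceID to a configured IdP; an unknown SourceID is never contacted."""
    fields = parse_artifact(artifact_b64)
    try:
        return KNOWN_IDPS[fields["source_id"]]
    except KeyError:
        raise ValueError("artifact from unknown asserting party") from None


def build_artifact_resolve(artifact_b64, issuer=SP_ENTITY_ID):
    """SOAP-wrapped samlp:ArtifactResolve for the back channel. Returns (request_id, xml_bytes)."""
    request_id = "_" + uuid.uuid4().hex
    env = ET.Element(f"{{{NS_SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{NS_SOAP}}}Body")
    req = ET.SubElement(body, f"{{{NS_SAMLP}}}ArtifactResolve", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_SAMLP}}}Artifact").text = artifact_b64
    return request_id, ET.tostring(env, encoding="utf-8")


def extract_assertion(artifact_response_xml, expected_request_id):
    """Check the ArtifactResponse answers our request and succeeded, then return the Assertion element."""
    root = ET.fromstring(artifact_response_xml)
    resp = root.find(f".//{{{NS_SAMLP}}}ArtifactResponse")
    if resp is None:
        raise ValueError("no ArtifactResponse in SOAP body")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("ArtifactResponse does not answer our ArtifactResolve")
    code = resp.find(f"./{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("artifact resolution failed: %s" % (code.get("Value") if code is not None else "no status"))
    assertion = resp.find(f".//{{{NS_SAML}}}Assertion")
    if assertion is None:   # an expired or already-used artifact yields a response with no assertion
        raise ValueError("ArtifactResponse carried no Assertion")
    return assertion        # caller must still verify the assertion's signature and conditions


def sample_artifact_response(request_id, status="urn:oasis:names:tc:SAML:2.0:status:Success"):
    """Constructed, unsigned ArtifactResponse in the shape the resolution service returns (test data only)."""
    return f'''<soap:Envelope xmlns:soap="{NS_SOAP}"><soap:Body>
<samlp:ArtifactResponse xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" ID="_r1" Version="2.0"
    IssueInstant="2012-01-01T00:00:00Z" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <samlp:Response ID="_p1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
      <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
</samlp:ArtifactResponse></soap:Body></soap:Envelope>'''
```

The point of `resolution_endpoint` is that the artifact only ever selects among endpoints the relying party already trusts; the SourceID is never used to derive a URL. Likewise `extract_assertion` refuses a response whose InResponseTo does not match the request it sent, so a response injected into the back channel cannot be paired with an unrelated login.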
You can secure the back channel and the retrieval service from unauthorized access using one of the following authentication methods:
For any of these authentication methods, the relying party back channel must be configured so it can communicate with the Assertion Retrieval Service (SAML 1.1) or the Artifact Resolution Service (SAML 2.0) in a secure manner.
The following considerations might be useful when choosing an authentication method for the artifact back channel:
A set of common root and intermediate CA certificates are shipped with the default key database. To use a server certificate signed by a CA that is not already in the key store, you must import the CA certificate into the database as a trusted CA certificate.
Federation acts as the SSL client when it sends back channel requests. You can configure the IdP Web server to use the SSL/TLS versions TLSV1_1 and TLSV1_2 with the following ciphers:
These ciphers are supported in both FIPS and non-FIPS mode. The decision whether SHA256 is used is made on the SP server side; Federation has no configuration option for selecting the algorithm. Administrators must verify that the IdP server is configured appropriately.
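As an added example that is not part of the SiteMinder documentation, the block below shows what the relying party's SSL client settings for the back channel look like when written out explicitly: a minimum protocol version of TLS 1.2, a cipher allowlist, mandatory verification of the IdP web server certificate against a CA bundle (the counterpart of importing the signing CA into the key database), and an optional client certificate or basic-authentication credential for the back channel. The cipher list, the `ca_bundle`/`client_cert` parameters and the `post_to_resolution_service` helper are assumptions for this example; the page's own cipher list is not reproduced here.

```python
import base64
import ssl
import urllib.request

# Assumed allowlist for the back channel: forward-secret AES-GCM suites only (TLS 1.2 names).
BACK_CHANNEL_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
])


def build_back_channel_context(ca_bundle=None, client_cert=None, client_key=None):
    """TLS client settings for the relying party's back channel to the IdP's resolution service.

    ca_bundle:   PEM file with the CA that signed the IdP web server certificate; None uses the
                 platform trust store. A CA missing here fails the handshake, it is not silently trusted.
    client_cert: optional PEM client certificate (and key) when the IdP authenticates the back channel
                 with a client certificate instead of a password.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and TLS 1.1 outright
    ctx.set_ciphers(BACK_CHANNEL_CIPHERS)          # governs TLS <= 1.2; TLS 1.3 suites are managed separately
    ctx.verify_mode = ssl.CERT_REQUIRED            # an unverified peer could hand us arbitrary "assertions"
    ctx.check_hostname = True                      # the certificate must match the resolution service host
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def weak_ciphers(ctx):
    """Enabled suites a back channel should not offer: pre-TLS 1.2, RC4/DES/MD5/NULL, or HMAC-SHA1."""
    bad = []
    for c in ctx.get_ciphers():
        name = c["name"]
        if (c["protocol"] not in ("TLSv1.2", "TLSv1.3")
                or any(w in name for w in ("RC4", "DES", "MD5", "NULL"))
                or name.endswith("-SHA")):
            bad.append(name)
    return bad


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def basic_auth_header(username, password):
    """Authorization header for the basic-authentication option; only ever sent inside the TLS session."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def post_to_resolution_service(url, soap_body, ctx, username=None, password=None, timeout=10):
    """POST a SOAP ArtifactResolve to the Artifact Resolution Service over the hardened context."""
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
    if username is not None:
        headers["Authorization"] = basic_auth_header(username, password)
    req = urllib.request.Request(url, data=soap_body, headers=headers, method="POST")
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(req, timeout=timeout) as resp:
        return resp.read()
```

Running `weak_ciphers(build_back_channel_context())` on the deployment host is a quick way to confirm that the OpenSSL build underneath actually honours the allowlist; a non-empty result means the negotiated suite is decided by the server, which is exactly the situation the paragraph above warns about when it says the algorithm is chosen on the server side.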
Copyright © 2012 CA.
All rights reserved.