Federation Security Services Guide › Configure SiteMinder as a SAML 1.x Producer › Configure a SAML 1.x Assertion

Configure a SAML 1.x Assertion

The Assertions tab lets you define how assertions are sent to the consumer. The assertion is used to authentication the user at the consumer site.

To configure a SAML 1.x assertion

1. Log into the FSS Administrative UI.
2. Click on the Domains tab and select the affiliate domain.
3. Select Affiliates to display the list of consumers, and double-click the consumer you want to configure.

   The Affiliate Properties dialog box opens.

4. Click the Assertions tab.
5. Complete the following fields.

   Note: Click Help for a description of fields, controls, and their respective requirements.

   • SAML Profile
   • Assertion Consumer URL (required for SAML POST; optional for SAML Artifact)

     For details and required URL syntax for this field, click Help.

     Note: For the SAML 1.x artifact binding, the Assertion Consumer URL takes precedence over the SMCONSUMERURL query parameter, which is a required intersite transfer URL parameter. The user selects this URL to initiate single sign-on. Malicious users can modify the query parameter and can send the user to an unauthorized site for artifact retrieval. To prevent the user from being misdirected, specify a value for the Assertion Consumer URL.

   • Validity Duration Seconds
   • Skew Time Seconds
6. Optionally, fill in the Audience field.
7. Optionally, for artifact profile, check the Sign Assertion box.
8. Click OK to save your changes.

More Information:

Assertion Validity for Single Sign-on

A Security Issue Regarding SAML 1.x Assertions

The SAML Assertion Generator creates an assertion that is based on a session for a user that has been authenticated at any authentication scheme protection level. You can control which users a producer generates assertions. You cannot control the protection level at which they are authenticated.

You can have resources that require a particular protection level. Your resources can be secured at different protection levels. Verify that when users authenticate they do so with the desired protection level.