Previous Topic: Configure Single Sign-on at the SPNext Topic: Configure a Single Use Policy

Federation Security Services GuideConfigure SiteMinder as a SAML 2.0 Service ProviderConfigure Single Sign-on at the SPConfigure the Backchannel for HTTP-Artifact SSO

Configure the Backchannel for HTTP-Artifact SSO

If you select the HTTP-Artifact binding for single sign-on, configure the authentication scheme for the back channel that communicates with the Artifact Resolution Service. This service retrieves the assertion from the Identity Provider.

To configure the backchannel

  1. If necessary, log on to the FSS Administrative UI.
  2. Navigate to the Authentication Scheme Properties dialog.
  3. Click Additional Configuration.

    The SAML 2.0 Auth Scheme Properties dialog opens.

  4. Select the Backchannel tab.
  5. Complete all the fields on the dialog.

    Important! If you are using basic authentication for the backchannel authentication scheme, the value of the SP Name field is the name of the Service Provider. No additional configuration is necessary. If you are using client certificate authentication for the backchannel, the value of the SP Name field must be the alias of the client certificate stored in the smkeydatabase. The SP uses the certificate as a credential to gain access to the Artifact Resolution Service.

  6. Click OK to save your configuration.

More Information:

WebLogic Configuration Required for Back Channel Authentication

Enforcing a Single Use Policy to Enhance Security

A single use policy prevents SAML 2.0 assertions from being reused at a Service Provider to establish a second session. This feature applies to assertions that arrive by way of the POST binding.

Note: Single use policy feature is enabled by default when you select the HTTP-POST binding.

Designating an assertion for one time use is an additional security measure for authenticating across a single sign-on environment. From a browser, an attacker can acquire a SAML assertion that has been used to establish a SiteMinder session. The attacker can then POST the assertion to the Assertion Consumer Service at the Service Provider to establish a second session. However, if the assertion is designated for one-time use, this type of risk is mitigated.

SiteMinder enforces a single use policy using expiry data. Expiry data is time-based data about the assertion. The SAML 2.0 authentication scheme stores the expiry data in the session store. Expiry data verifies that a SAML 2.0 POST assertion is only used a single time.

How the Single Use Policy is Enforced

Upon successful validation of a SAML 2.0 assertion, the authentication scheme writes assertion data in the expiry data table. The data includes an assertion ID key and an expiration time. The session store management thread in the Policy Server deletes expired data from the expiry data table.

If the scheme tries to validate assertion data and an expiry data entry has the same assertion ID key, writing assertion data fails. If the scheme cannot write to the expiry table, the SAML 2.0 authentication scheme denies the authentication in the same manner as an invalid assertion.

If the database is unavailable, single use of the assertion cannot be enforced. Consequently, the authentication scheme denies the request and the assertion is not reused.