

Configure Single Sign-on for SAML 2.0

The Service Provider and the Identity Provider exchange user information, session information and Identity Provider information in an assertion document. When you configure single sign-on at the SAML 2.0 Identity Provider, you determine how the Identity Provider delivers an assertion to a Service Provider.

The sections that follow and the Help in the FSS Administrative UI provide guidance for configuring various settings.

To configure single sign-on at the Identity Provider

  1. Log on to the FSS Administrative UI.
  2. Select a Service Provider entry.
  3. Right-click the entry to access the SAML Service Provider Properties dialog for the selected Service Provider.
  4. Select the SSO tab.
  5. Complete the fields on the SSO tab.

    Refer to the SAML 2.0 Service Provider reference for field descriptions.

  6. Click OK to save your changes.

You have now defined the single sign-on settings that the Identity Provider uses to communicate with the Service Provider.

Assertion Validity for Single Sign-on

For single sign-on, the values of the Skew Time and the Validity Duration determine how SiteMinder calculates the total time that an assertion is valid. SiteMinder applies the skew time to the generation and consumption of assertions.

Note: In this description, the asserting party is the SAML 1.x Producer, SAML 2.0 Identity Provider, or WS-Federation Account Partner. The relying party is the SAML 1.x Consumer, the SAML 2.0 Service Provider, or the WS-Federation Resource Partner.

In the assertion document, the NotBefore and NotOnOrAfter values represent the beginning and end of the validity interval.

At the asserting party, SiteMinder sets the assertion validity. The validity interval is anchored on the system time when the assertion is generated. SiteMinder sets the IssueInstant value in the assertion to this time, then subtracts the skew time from the IssueInstant value. The resulting time is the NotBefore value.

NotBefore=IssueInstant - Skew Time

To determine the end of the validity interval, SiteMinder adds the Validity Duration value and the skew time to the IssueInstant value. The resulting time becomes the NotOnOrAfter value.

NotOnOrAfter=IssueInstant + Validity Duration + Skew Time

Times are relative to GMT.

For example, an assertion is generated at the asserting party at 1:00 GMT. The skew time is 30 seconds and the validity duration is 60 seconds, making the assertion validity interval between 12:59:30 GMT and 1:01:30 GMT. This interval begins 30 seconds before the time the assertion was generated and ends 90 seconds afterward.

At the relying party, SiteMinder applies its own skew time to the NotBefore and NotOnOrAfter values in the assertion it receives, widening the window in the same way, and then checks the current time against that window to determine whether the assertion is valid.

Calculating Assertion Validity with SiteMinder at Both Sides of the Partnership

If SiteMinder is at both sides of a partnership, the total assertion validity is the validity duration plus two times the skew time at the asserting party plus two times the skew time at the relying party. The equation is:

Assertion Validity = 2 x Skew Time (asserting party) + Validity Duration + 2 x Skew Time (relying party)

The first part of the equation (2 x Skew Time + Validity Duration) represents the window between NotBefore and NotOnOrAfter as written into the assertion at the asserting party. The second part of the equation (2 x Skew Time) represents the additional tolerance the relying party allows for its own system clock. Each skew time is multiplied by 2 because it is applied at both the NotBefore and the NotOnOrAfter ends of the validity window.

Note: For Federation Security Services, the Validity Duration is only set at the asserting party.

Example

Asserting Party

The values at the asserting party are as follows:

IssueInstant=5:00PM

Validity Duration=60 seconds

Skew Time = 60 seconds

NotBefore = 4:59PM

NotOnOrAfter=5:02PM

Relying Party

The relying party takes the NotBefore and NotOnOrAfter values from the assertion and applies its own skew time to them: it subtracts its skew time from NotBefore and adds its skew time to NotOnOrAfter. With the skew time below, the relying party calculates the following NotBefore and NotOnOrAfter values.

Skew Time = 180 seconds (3 minutes)

NotBefore = 4:56PM

NotOnOrAfter=5:05PM

Based on these values, the calculation for the total assertion validity window is:

120 seconds (2 x 60) + 60 seconds + 360 seconds (2 x 180) = 540 seconds (9 minutes), which matches the span from 4:56 PM to 5:05 PM.
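The following Python script is an added worked example of the calculations above (the NotBefore and NotOnOrAfter formulas, and the two-sided example). It is not SiteMinder code; the function names, the ElementTree-built Conditions element, and the date of 2024-01-01 for the 5:00 PM IssueInstant are assumptions chosen for illustration. The asserting party writes the window into a SAML 2.0 Conditions element, and the relying party parses that element, widens the window by its own skew, and checks a candidate time against it. As in the SAML 2.0 specification, times are UTC and NotOnOrAfter is an exclusive bound.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Hypothetical helper module (not SiteMinder code) reproducing the validity arithmetic.
SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime in UTC, as SAML 2.0 requires


def saml_time(dt):
    """Format a timezone-aware datetime as a UTC xs:dateTime string."""
    return dt.astimezone(timezone.utc).strftime(SAML_TIME_FMT)


def parse_saml_time(text):
    """Parse a UTC xs:dateTime string back into a timezone-aware datetime."""
    return datetime.strptime(text, SAML_TIME_FMT).replace(tzinfo=timezone.utc)


def asserting_party_window(issue_instant, validity_duration_s, skew_s):
    """NotBefore = IssueInstant - Skew; NotOnOrAfter = IssueInstant + Validity Duration + Skew."""
    not_before = issue_instant - timedelta(seconds=skew_s)
    not_on_or_after = issue_instant + timedelta(seconds=validity_duration_s + skew_s)
    return not_before, not_on_or_after


def build_conditions(issue_instant, validity_duration_s, skew_s):
    """Emit the minimal <saml:Conditions> element the asserting party would place in the assertion."""
    not_before, not_on_or_after = asserting_party_window(issue_instant, validity_duration_s, skew_s)
    cond = ET.Element("{%s}Conditions" % SAML2_ASSERTION_NS)
    cond.set("NotBefore", saml_time(not_before))
    cond.set("NotOnOrAfter", saml_time(not_on_or_after))
    return ET.tostring(cond, encoding="unicode")


def relying_party_window(conditions_xml, skew_s):
    """Widen the received window by the relying party's own skew at both ends."""
    cond = ET.fromstring(conditions_xml)
    not_before = parse_saml_time(cond.get("NotBefore")) - timedelta(seconds=skew_s)
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter")) + timedelta(seconds=skew_s)
    return not_before, not_on_or_after


def is_valid_at(conditions_xml, skew_s, now):
    """Relying-party check: valid when NotBefore <= now < NotOnOrAfter (NotOnOrAfter is exclusive)."""
    not_before, not_on_or_after = relying_party_window(conditions_xml, skew_s)
    return not_before <= now < not_on_or_after


def total_validity_seconds(validity_duration_s, asserting_skew_s, relying_skew_s):
    """Assertion Validity = 2 x Skew (asserting) + Validity Duration + 2 x Skew (relying)."""
    return 2 * asserting_skew_s + validity_duration_s + 2 * relying_skew_s


if __name__ == "__main__":
    # Constructed input: the page's example, placed on an assumed date (2024-01-01, 17:00 UTC).
    issue_instant = datetime(2024, 1, 1, 17, 0, 0, tzinfo=timezone.utc)
    conditions = build_conditions(issue_instant, validity_duration_s=60, skew_s=60)
    print("Asserting party emits:", conditions)
    rp_not_before, rp_not_on_or_after = relying_party_window(conditions, skew_s=180)
    print("Relying party accepts from", saml_time(rp_not_before), "until", saml_time(rp_not_on_or_after))
    print("Total validity (s):", total_validity_seconds(60, 60, 180))
    for probe in ("2024-01-01T16:55:59Z", "2024-01-01T16:56:00Z", "2024-01-01T17:04:59Z", "2024-01-01T17:05:00Z"):
        print(probe, "valid" if is_valid_at(conditions, 180, parse_saml_time(probe)) else "rejected")
```

Running the script reproduces the 4:56 PM to 5:05 PM window and the 540-second total from the example, and shows that an assertion presented exactly at NotOnOrAfter (5:05:00 PM) is rejected while one presented one second earlier is accepted. Note that larger skew values at either side widen the replay window by the same amount, which is why skew should be kept small and clocks kept synchronised.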