

Configure the SAML 2.0 Authentication Scheme

Before you can assign a SAML 2.0 authentication scheme to a realm, configure the scheme.

To configure the SAML 2.0 authentication scheme setup

  1. Review the SAML 2.0 Authentication Scheme Prerequisites.
  2. Log in to the FSS Administrative UI.
  3. From the menu bar, select Edit, System Configuration, Create Authentication Scheme.

    The Authentication Scheme Properties dialog opens.

  4. In the Authentication Scheme Type drop-down list, select SAML 2.0 Template.

    The contents of the Authentication Scheme dialog change to support the SAML 2.0 scheme.

    In this dialog, you find the following:

    Note: For HTTP-Artifact single sign-on, you can secure the artifact back channel using client certificate authentication. You can use non-FIPS 140 encrypted certificates to secure the back channel even if the Policy Server is operating in FIPS-only mode. However, for a strictly FIPS-only installation, use only certificates encrypted with FIPS 140-compatible algorithms.

  5. Complete the fields.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  6. In the Scheme Setup tab:
    1. Accept the value for the SAML Version field, which must be 2.0.
    2. Configure validation of the digital signature.

      By default, signature processing is enabled. The SAML 2.0 specification requires it, so it must remain enabled in a production environment. For debugging your initial federation setup only, you can temporarily disable all signature processing for the Service Provider (both signing and verification of signatures) by selecting the Disable Signature Processing option.

      The value you enter for the Issuer DN field must match the issuer DN of the certificate in the smkeydatabase. We recommend that you open a command window and run smkeytool -lc to list the certificates and view their DNs, so that you are sure to enter a matching value.

      Important! If you disable signature processing, you are disabling a mandatory security function.

    3. Select Signing Options to display the settings for digital signing.
    4. Select the Additional Configuration button and configure at least one of the following bindings for single sign-on.
      • HTTP-Post (Additional Configuration, SSO tab)

        For this binding, enter information about the certificate used to validate the signature of the posted assertion. The Issuer DN and the Serial Number together identify the certificate corresponding to the private key the IdP used to sign the assertion.

      • HTTP-Redirect (Additional Configuration, SLO tab)

        For this binding, enter information about the certificate used to validate the signature of the SLO request.
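The Issuer DN and Serial Number fields above must match the IdP signing certificate exactly, or assertion signatures cannot be verified. The following shell script is an added example, not part of this documentation or of the product: it reads both values from a certificate with the openssl CLI (assumed to be on PATH) and checks them against the values you intend to configure. The certificate it uses is generated locally as a constructed stand-in for the IdP's real signing certificate, and the DN string form that smkeytool -lc prints is not shown on this page, so compare attribute by attribute if the ordering differs.

```shell
#!/bin/sh
# Added example, not from the SiteMinder documentation: read the Issuer DN and
# Serial Number from an IdP signing certificate and check them against the
# values you plan to enter in the scheme's Issuer DN / Serial Number fields.
# Assumes the openssl CLI is on PATH; the certificate is generated here as a
# constructed stand-in for the IdP's real signing certificate.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed certificate with a known issuer DN and serial (hex 1A2B3C).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial 0x1A2B3C \
        -subj "/C=US/O=Example IdP/CN=idp-signing" \
        -keyout "$WORK/idp.key" -out "$1" >/dev/null 2>&1
}

# Issuer DN in RFC 2253 form (most specific RDN first, comma separated).
cert_issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Serial number as openssl prints it: upper-case hex, no leading zeros.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial= *//'
}

# Return 0 when both the configured DN and serial match the certificate.
# The DN check is a case-insensitive comparison of the RFC 2253 string; it does
# not reorder attributes, so enter the DN in the same order the tool lists it.
check_cert_identity() {
    cert=$1
    want_dn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    want_serial=$(printf '%s' "$3" | tr 'a-f' 'A-F' | sed 's/^0*//')
    have_dn=$(cert_issuer_dn "$cert" | tr 'A-Z' 'a-z')
    have_serial=$(cert_serial "$cert")
    if [ "$have_dn" = "$want_dn" ] && [ "$have_serial" = "$want_serial" ]; then
        return 0
    fi
    echo "mismatch: certificate has DN '$have_dn' and serial $have_serial" >&2
    return 1
}

# Demo: print the values to enter, then verify a correct and a wrong serial.
make_sample_cert "$WORK/idp.crt"
echo "Issuer DN: $(cert_issuer_dn "$WORK/idp.crt")"
echo "Serial:    $(cert_serial "$WORK/idp.crt")"
check_cert_identity "$WORK/idp.crt" "CN=idp-signing,O=Example IdP,C=US" "1a2b3c" && echo "match"
check_cert_identity "$WORK/idp.crt" "CN=idp-signing,O=Example IdP,C=US" "FFFFFF" || echo "rejected"
```

Run it against the real IdP certificate by replacing the generated file with the one exported from your smkeydatabase; a mismatch is reported on stderr with the values the certificate actually carries.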