Previous Topic: Basic Authentication to Protect the Service that Retrieves AssertionsNext Topic: Create the Policy to Protect the Retrieval Service


Basic over SSL to Protect the Assertion Retrieval Service

You can protect the assertion retrieval service (SAML 1.x) or the artifact resolution service (SAML 2.0) with a Basic over SSL authentication scheme. At the asserting party, a set of default policies to protect the service is already configured when you install the Policy Server.

The only configuration that is required is to enable SSL at each partner. No other configuration is required at the asserting or relying party. At the relying party, you can use one of the default root Certificate Authorities (CAs) in the smkeydatabase to establish an SSL connection. To use your own root CA instead of a default CA, import the CA certificate into the smkeydatabase.

If you use Basic over SSL authentication scheme, all endpoint URLs have to use SSL communication. This means that the URLs must begin with https://. Endpoint URLs locate the various SAML services on a server, such as single sign-on, single logout, the Assertion Consumer Service, Artifact Resolution Service (SAML 2.0), and the Assertion Retrieval Service (SAML 1.x).

Client Certificate Auth to Protect the Service that Retrieves Assertion

You can protect the Assertion Retrieval Service (SAML 1.x) and the Artifact Resolution Service (SAML 2.0) with a client certificate authentication scheme. If the asserting party is configured to require client certificate authentication, the relying party makes a connection back to the asserting party and attempts to present a client certificate.

To use a client certificate authentication scheme:

  1. Create a policy at the asserting party to protect the relevant service. This policy uses the client certificate authentication scheme.
  2. Enable client certificate authentication for the back channel configuration at the relying party.
  3. Enable SSL at each side of the partnership.

If you use Client Cert authentication, all endpoint URLs have to use SSL communication. Therefore, URLs must begin with https://. Endpoint URLs locate the various SAML services on a server, such as single sign-on, single logout, the Assertion Consumer Service, Artifact Resolution Service (SAML 2.0), and the Assertion Retrieval Service (SAML 1.x).

You cannot use client certificate authentication with the following web servers running ServletExec:

More Information:

Configure the Client Certificate Authentication at the Relying Party