The Scheme Setup tab for SAML 1.x POST is where you specify how the consumer communicates with the producer to retrieve the assertion, authenticate a user based on that assertion, then direct the user to the target resource.
The fields on the Scheme Setup tab of the SAML POST Template are as follows:
Names the consumer. Enter an alphabetic string, for example, CompanyA.
The name you enter here must match a name for a consumer in the Affiliate domain at the producer site.
Specifies the SAML version. This field is read-only; the value defaults to 1.1, indicating that POST profile assertions are compliant with SAML version 1.1.
The SAML producer and consumer must be generating and consuming assertions and responses that are the same version.
Defines the audience for the SAML assertion.
The Audience identifies the location of a document that describes the terms and conditions of the business agreement between the producer and the consumer. The administrator at the producer site determines the audience, and the value you enter here must match the audience specified for this consumer at the producer site. In SAML, the consumer checks this value against the AudienceRestrictionCondition carried in the assertion, so an assertion issued for a different audience is not accepted.
The audience value must not exceed 1 KB.
To specify the audience, enter a URL. This element is case sensitive. For example:
http://www.ca.com/SampleAudience
Specifies the method by which the SAML credential collector servlet redirects the user to the target resource. The options are 302 No Data, 302 Cookie Data, Server Redirect, and PersistAttributes. If you select 302 No Data or 302 Cookie Data, no other configuration is required. If you select Server Redirect or PersistAttributes, additional configuration is required.
302 No Data (default): Redirects the user through an HTTP 302 redirect with a session cookie, but no other data.
302 Cookie Data: Redirects the user through an HTTP 302 redirect with a session cookie and additional cookie data configured at the site that produced the assertion.
Server Redirect: Enables header and cookie attribute information, which is received as part of a SAML assertion, to be passed to a custom target application. The SAML Credential Collector transfers the user to the target application URL by using a server-side redirect, that is, a forward within the servlet container rather than a redirect through the browser. Server-side redirects are part of the Java Servlet specification and are supported by all standards-compliant servlet containers.
To use this mode, you must follow these requirements:
All target application files need to be in the application’s root directory. This directory is either:
—Web Agent: web_agent_home\webagent\affwebservices
—SPS federation gateway: sps_home\secure-proxy\Tomcat\webapps\affwebservices
Java servlet technology allows applications to pass information between two resource requests using the setAttribute method of the ServletRequest interface.
The service that consumes assertions sends the user attribute to the target application by setting different attribute objects in the request object before redirecting the user to the target application.
The service creates two java.util.HashMap objects, one to store all header attributes and one to store all cookie attributes. It uses distinguished attribute names to represent each HashMap object:
—Netegrity.HeaderAttributeInfo attribute represents the HashMap that contains header attributes.
—Netegrity.CookieAttributeInfo attribute represents the HashMap that contains cookie attributes.
Two other java.lang.String attributes are set by the assertion consuming service to pass the user identity to the custom application:
—Netegrity.smSessionID attribute represents the SiteMinder session ID.
—Netegrity.userDN attribute represents the SiteMinder user DN.
The custom target application at the customer site can read these objects from the HTTP request object and can make use of the data found in the hashmap objects.
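As an added example (not code from this page or from CA), the following servlet is a custom target application for Server Redirect mode that reads the four request attributes named above. The attribute names are the page's; the class name, the assumption that the two HashMaps hold String keys and String values, and the HTML it renders are ours.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Custom target application for Server Redirect mode. Deploy it under the affwebservices
// application root named above; the SAML Credential Collector forwards to it server-side.
public class FederatedTargetServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity attributes set by the assertion consuming service (names from the page)
        String sessionId = (String) req.getAttribute("Netegrity.smSessionID");
        String userDn = (String) req.getAttribute("Netegrity.userDN");

        // Request attributes survive only a server-side forward inside the container. A browser
        // that requests this URL directly arrives without them, so their absence means
        // "not authenticated"; never fall back to a default identity here.
        if (sessionId == null || sessionId.isEmpty() || userDn == null || userDn.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no federated session");
            return;
        }

        // Assumption: the two HashMaps carry String keys and String values
        Map<?, ?> headers = attributeMap(req, "Netegrity.HeaderAttributeInfo");
        Map<?, ?> cookies = attributeMap(req, "Netegrity.CookieAttributeInfo");

        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");   // identity data must not be cached downstream
        PrintWriter out = resp.getWriter();
        out.println("<html><body><p>User: " + escapeHtml(userDn) + "</p><ul>");
        // Attribute values are producer-supplied text from the assertion: encode before rendering
        for (Map.Entry<?, ?> e : headers.entrySet()) {
            out.println("<li>header " + escapeHtml(String.valueOf(e.getKey()))
                    + " = " + escapeHtml(String.valueOf(e.getValue())) + "</li>");
        }
        for (Map.Entry<?, ?> e : cookies.entrySet()) {
            out.println("<li>cookie " + escapeHtml(String.valueOf(e.getKey()))
                    + " = " + escapeHtml(String.valueOf(e.getValue())) + "</li>");
        }
        out.println("</ul></body></html>");
    }

    private static Map<?, ?> attributeMap(HttpServletRequest req, String name) {
        Object value = req.getAttribute(name);
        return value instanceof Map ? (Map<?, ?>) value : Collections.<Object, Object>emptyMap();
    }

    private static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The two checks worth keeping in any real target application are the ones above: refuse to serve when the identity attributes are missing (a direct browser request to the application URL never carries them), and HTML-encode every attribute value before rendering it, because the values originate in the producer's assertion, not in your own code.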
PersistAttributes: Redirects the user through an HTTP 302 redirect with a session cookie, but no other data. Additionally, this mode instructs the Policy Server to store attributes extracted from an assertion in the session store so they can be supplied as HTTP header variables. For additional configuration, see the instructions for using SAML attributes as HTTP headers.
Note: If you choose PersistAttributes and the assertion contains attributes that are left blank, a value of NULL is written to the session store. This value acts as a placeholder for the empty attribute and it is passed to any application using the attribute.
Specifies the URL of the assertion consumer (synonymous with the SAML credential collector). This URL is where the user’s browser must POST the generated assertion.
The default URL is:
http://consumer_server:port/affwebservices/public/samlcc
Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway. Because the user's browser POSTs the assertion to this URL, serve it over HTTPS in production so the assertion is protected in transit. For example:
http://www.discounts.com:85/affwebservices/public/samlcc
Identifies the producer that issues assertions for the consumer. This element is case sensitive.
For example, producerA.ca.com
The consumer accepts assertions from only this issuer. The administrator determines the issuer at the producer.
Note: The value that you enter for the issuer must match the value of the AssertionIssuerID at the producer site. This value is specified in the AMAssertionGenerator.properties file located in: policy_server_home/Config/properties/AMAssertionGenerator.properties
Specifies the distinguished name of the certificate authority that issued the certificate used to sign the SAML POST response. The producer must digitally sign the SAML POST response. When the consumer receives the response, it verifies the signature using the certificate identified by this parameter together with the Serial Number parameter; an issuer DN and a serial number together identify exactly one X.509 certificate, which is why both are required.
The public key used to verify the signature must be in the smkeydatabase. More information about the smkeydatabase can be found in Using Key Databases for Federation Security Services.
Specifies the serial number (a hexadecimal string) of the producer's signing certificate as stored in the consumer's smkeydatabase key store. This value is used with the Dsig Issuer DN to locate the certificate whose public key verifies the signature on the SAML POST response.
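An added example, not the product's own code, of what the consumer does with the Dsig Issuer DN and Serial Number: it looks the certificate up by issuer and serial in a key store and then validates the enveloped XML signature on the response with that certificate's key. A Java PKCS12 key store stands in for the smkeydatabase, the class and method names are ours, and the code assumes the root Response element carries its identifier in a ResponseID attribute as SAML 1.x responses do.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import javax.security.auth.x500.X500Principal;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlPostResponseVerifier {

    // Locate the producer's signing certificate by Dsig Issuer DN and serial number. Issuer DN plus
    // serial identifies exactly one certificate (RFC 5280), so a second match means the key store
    // is inconsistent and we refuse to pick one.
    static X509Certificate findSigningCert(KeyStore ks, String dsigIssuerDn, String serialHex)
            throws Exception {
        X500Principal wantIssuer = new X500Principal(dsigIssuerDn);
        // The serial is a hex string; tolerate "0A:1B" / "0a1b" / "a1b" spellings (leading zeros are not significant)
        BigInteger wantSerial = new BigInteger(serialHex.replaceAll("[\\s:]", ""), 16);
        X509Certificate found = null;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            // X500Principal.equals compares the canonical DN form, not the display string
            if (x.getIssuerX500Principal().equals(wantIssuer) && x.getSerialNumber().equals(wantSerial)) {
                if (found != null) throw new IllegalStateException("issuer+serial matched two certificates");
                found = x;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no certificate for issuer=" + dsigIssuerDn + " serial=" + serialHex);
        }
        found.checkValidity();   // throws if expired or not yet valid
        return found;
    }

    // Validate the enveloped XML signature on a SAML 1.x Response with the configured certificate.
    static boolean verifyResponse(byte[] responseXml, X509Certificate signer) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(responseXml));
        Element root = doc.getDocumentElement();
        // Register ResponseID as an ID attribute on the root only, so a URI="#..." reference
        // cannot be satisfied by a nested element carrying the same attribute.
        String expectedRef = "";
        if (root.hasAttribute("ResponseID")) {
            root.setIdAttribute("ResponseID", true);
            expectedRef = "#" + root.getAttribute("ResponseID");
        }

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || !sigs.item(0).getParentNode().isSameNode(root)) {
            return false;   // exactly one Signature, enveloped directly in the Response
        }

        // The public key comes from the certificate selected by the configured Dsig Issuer DN and
        // serial number, never from the message's own KeyInfo, which the sender controls.
        DOMValidateContext ctx = new DOMValidateContext(signer.getPublicKey(), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;

        // The signed reference must cover the Response itself (URI "" or "#<ResponseID>")
        for (Object o : sig.getSignedInfo().getReferences()) {
            String uri = ((Reference) o).getURI();
            if (uri == null || uri.isEmpty() || uri.equals(expectedRef)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // args: keystore path, keystore password, Dsig Issuer DN, serial (hex), response XML file
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate signer = findSigningCert(ks, args[2], args[3]);
        byte[] response = Files.readAllBytes(Paths.get(args[4]));
        System.out.println(verifyResponse(response, signer) ? "signature OK" : "signature REJECTED");
    }
}
```

The point of configuring issuer DN and serial on the consumer is visible in verifyResponse: the verification key is chosen by configuration, so a response that carries its own certificate in KeyInfo gains nothing from it, and a response signed by any other key in the key store is rejected.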
Defines an XPATH query that the authentication scheme applies to the SAML assertion. The query tells the authentication scheme where to look in the assertion document. The data obtained by the query is used to look up a user in the user directory.
XPath queries must not contain namespace prefixes. The following is an invalid XPath query:
/saml:Response/saml:Assertion/saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier/text()
The valid XPath query is:
//Response/Assertion/AuthenticationStatement/Subject/NameIdentifier/text()
Example
The following query extracts the text of the Username attribute from the assertion:
/Assertion/AttributeStatement/Attribute/AttributeValue/SMContent/SMlogin/Username/text()
Using abbreviated syntax, //Username/text() extracts the text of the first Username element in the SAML assertion.
Other examples:
substring-after(/Assertion/AttributeStatement/Attribute/AttributeValue/SMContent/SMprofile/NVpair[1]/text(),"header:uid=")
This query extracts the text of the header attribute named uid, configured as the first attribute in the Affiliate dialog at the producer site. The abbreviated form substring-after(//SMprofile/NVpair[1]/text(),"header:uid=") extracts the same value.
A selectable list of namespace (user directory) types and defined search specifications. Select a namespace type, then define a search specification for user disambiguation.
Opens the Authentication Scheme Namespace Mapping dialog where you can enter a Search Specification, which maps data from a SAML assertion to a user store entry, which enables the SAML authentication scheme to locate the correct user record for authentication.
Use %s in the entry as a variable representing the assertion data collected by the Search Data XPATH query.
For example, the XPATH query retrieves the value of user1 for the Username attribute in the SAML assertion. If you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is checked against the user directory to find the correct record for authentication.
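An added example (not from this page or from CA) that runs the Search Data queries shown above and the Search Specification substitution over a constructed SAML 1.1 assertion. The assertion text is constructed for the example and omits namespace declarations so the unprefixed queries apply as written; the "exactly one value" check and the LDAP filter escaping are our additions, the latter on the assumption that the namespace is an LDAP directory.

```java
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class AssertionSearchData {

    // Constructed SAML 1.1 assertion (sample data, no namespace declarations)
    static final String SAMPLE_ASSERTION =
          "<Assertion MajorVersion=\"1\" MinorVersion=\"1\" Issuer=\"producerA.ca.com\">"
        + " <Conditions><AudienceRestrictionCondition>"
        + "  <Audience>http://www.ca.com/SampleAudience</Audience>"
        + " </AudienceRestrictionCondition></Conditions>"
        + " <AuthenticationStatement><Subject><NameIdentifier>user1</NameIdentifier></Subject>"
        + " </AuthenticationStatement>"
        + " <AttributeStatement><Subject><NameIdentifier>user1</NameIdentifier></Subject>"
        + "  <Attribute AttributeName=\"SMContent\"><AttributeValue><SMContent>"
        + "   <SMlogin><Username>user1</Username></SMlogin>"
        + "   <SMprofile><NVpair>header:uid=jdoe</NVpair><NVpair>cookie:dept=eng</NVpair></SMprofile>"
        + "  </SMContent></AttributeValue></Attribute></AttributeStatement>"
        + "</Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Apply a Search Data XPath query and return the one value it yields.
    static String searchData(Document assertion, String query) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        String value;
        try {
            NodeList nodes = (NodeList) xp.evaluate(query, assertion, XPathConstants.NODESET);
            // A query that selects zero or several nodes cannot identify a user; refuse to guess
            if (nodes.getLength() != 1) {
                throw new IllegalStateException("query selected " + nodes.getLength() + " nodes");
            }
            value = nodes.item(0).getTextContent();
        } catch (XPathExpressionException notANodeSet) {
            // function-valued query such as substring-after(...): the result is a string
            value = (String) xp.evaluate(query, assertion, XPathConstants.STRING);
        }
        if (value == null || value.trim().isEmpty()) throw new IllegalStateException("empty search value");
        return value.trim();
    }

    // Build the user-store search string from the Search Specification; %s is the assertion value.
    static String searchSpecification(String spec, String value) {
        return spec.replace("%s", ldapFilterEscape(value));
    }

    // RFC 4515 escaping (assumes an LDAP namespace). The value comes from the producer's
    // assertion, so treat it as input that must not be able to change the filter's structure.
    static String ldapFilterEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
                sb.append(String.format("\\%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Document assertion = parse(SAMPLE_ASSERTION);
        String[] queries = {
            "/Assertion/AuthenticationStatement/Subject/NameIdentifier/text()",
            "//Username/text()",
            "substring-after(//SMprofile/NVpair[1]/text(),\"header:uid=\")"
        };
        for (String q : queries) {
            String v = searchData(assertion, q);
            System.out.println(q + " -> " + v + " ; search: " + searchSpecification("Username=%s", v));
        }
    }
}
```

For the constructed assertion, the first two queries yield user1 and the substring-after query yields jdoe, so the Search Specification Username=%s becomes Username=user1 (or Username=jdoe). The escaping step matters because the Search Specification is evaluated against the directory: without it, a producer-side attribute containing characters such as * or ) would change which record the lookup matches.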
Selecting this button displays the SAML 1.x Auth Scheme Properties dialog for the authentication scheme. From this dialog, you define the message consumer plug-in, redirect URLs for failed authentication, and the target federation resource.
Copyright © 2011 CA. All rights reserved.