Authentication Scheme Dialog--SAML 1.x Auth Scheme Properties (Artifact, POST)

The SAML 1.x Auth Scheme Properties dialog lets you configure additional features, such as the Message Extension Consumer API and optional redirect URLs for assertion processing errors during authentication. This dialog is also where you specify the target resource at the consumer site.

The dialog contains the following fields and controls:

Message Consumer Plugin Group Box

Full Java Class Name

(Optional) Specifies the fully qualified Java class name of a class which implements a Message Consumer Plug-in interface for the authentication scheme.

Parameter

If a value is entered in the Full Java Class Name field, this field specifies a string of parameters the API passes to the specified plug-in.

Status Redirect URLs and Modes Group Box

Assertion-based authentication can fail at the site that consumes assertions for various reasons. If authentication does fail, Federation Security Services can redirect the user to different applications (URLs) for further processing. For example, when user disambiguation fails, SiteMinder can be configured to redirect the user to a provisioning system, which could create a user account based on the information found in the SAML assertion.

The following options redirect the user to a configured URL based on the condition that caused the failure.

Redirect URL for the User Not Found Status

(Optional) Identifies the URL where SiteMinder redirects the user when the user is not found. The user not found status applies when the single sign-on message has no LoginID or the user directory does not contain the LoginID.

Redirect URL for the Invalid SSO Message Status

(Optional) Identifies the URL where SiteMinder redirects the user if one of the following conditions occurs:

Redirect URL for the Unaccepted User Credential (SSO Message) Status

(Optional) Identifies the URL where SiteMinder redirects the user for error conditions other than a user not being found or an invalid single sign-on message. The assertion is valid, but SiteMinder does not accept the message for reasons such as:

  • XML digital signature validation fails.
  • XML decryption operation fails.
  • XML validation of conditions fails, such as an expired message or an audience mismatch.
  • None of the assertions in the SSO message contain an authentication statement.

Mode

Specifies the method by which SiteMinder redirects the user to the redirect URL. The options are:

302 No Data (default)

Redirects the user with an HTTP 302 redirect that carries a session cookie but no other data.

Http Post

Redirects the user with an HTTP POST.

Target Page Configuration

This section of the dialog lets you specify the URL of the target resource at the consumer site. If the TARGET query parameter is present in the authentication response URL, you can determine whether FSS replaces the Default Target URL value with the value of that parameter.

Default Target URL

Specifies the URL of the target resource that resides at the consumer. This target is a protected federated resource that users can request.

Query Parameter TARGET overrides Default Target URL

(Optional) Replaces the value specified in the Default Target URL field with the value of the TARGET query parameter in the response. Using the TARGET query parameter, you can define the target dynamically and change it with each authentication response. The TARGET query parameter therefore offers more control over the target than the Default Target URL, which is a static value.

This check box is selected by default.
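As an added example (not SiteMinder or FSS code), the following Python models the behaviour this dialog configures: classifying an assertion-processing failure into the three statuses above, picking the matching redirect URL and mode, and resolving the target from the Default Target URL or the TARGET query parameter. The message layout, field names and the rule that an unparseable message counts as an invalid SSO message are assumptions, as is restricting the TARGET override to the consumer's own host, which the dialog does not describe.

```python
# Added example, not SiteMinder/FSS code. The message is a constructed dict,
# not a real SAML document; field names are assumptions.
import time
from urllib.parse import urlsplit, parse_qs

def classify_failure(message, directory, audience, now=None):
    """Return the failure status for an SSO message, or None if it is accepted."""
    now = time.time() if now is None else now
    assertions = message.get("assertions") if isinstance(message, dict) else None
    if not isinstance(assertions, list):          # assumption: unparseable message
        return "invalid_sso_message"
    for a in assertions:
        if not a.get("signature_valid"):          # XML digital signature fails
            return "unaccepted_credential"
        if not a.get("decrypted", True):          # XML decryption fails
            return "unaccepted_credential"
        if a.get("not_on_or_after", float("inf")) <= now:   # expired message
            return "unaccepted_credential"
        if a.get("audience") != audience:         # audience mismatch
            return "unaccepted_credential"
    if not any(a.get("authn_statement") for a in assertions):
        return "unaccepted_credential"            # no authentication statement
    login = next((a.get("login_id") for a in assertions if a.get("login_id")), None)
    if login is None or login not in directory:   # no LoginID, or not in directory
        return "user_not_found"
    return None

# Maps each status to the dialog field holding its redirect URL (names assumed).
REDIRECT_FIELD = {
    "user_not_found": "user_not_found_url",
    "invalid_sso_message": "invalid_message_url",
    "unaccepted_credential": "unaccepted_url",
}

def redirect_for(status, config):
    """Return (url, mode) for a failure status, or None if no URL is configured."""
    url = config.get(REDIRECT_FIELD[status])
    return (url, config.get("mode", "302 No Data")) if url else None

def resolve_target(response_url, default_target, override_enabled=True):
    """Default Target URL unless the TARGET query parameter is allowed to override it."""
    target = parse_qs(urlsplit(response_url).query).get("TARGET", [None])[0]
    if override_enabled and target:
        # Assumption, not from the dialog: only honour a target on the consumer host.
        if urlsplit(target).netloc == urlsplit(default_target).netloc:
            return target
    return default_target
```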