SAML 2.0 Auth Scheme Properties Dialog--Backchannel Tab

The Backchannel tab defines the configuration of the secure back channel for two functions:

The following required fields serve the same function for both purposes:

Authentication

Specifies the authentication method used across the back channel. Options are:

Basic (over SSL)

Indicates that the Single Sign-on or Attribute Service is part of a realm protected by a Basic over SSL authentication scheme.

If you select this option, no additional configuration is required beyond the remaining required fields in this dialog, unless you want to use Basic over SSL. If you select Basic over SSL, you must ensure that the certificate of the Certificate Authority that enabled the SSL connection is in the smkeydatabase. If it is not, import the certificate into the smkeydatabase.

Client Cert

Indicates that the Single Sign-on or Attribute Service is part of a realm protected by an X.509 client certificate authentication scheme.

For single sign-on, if you select this option, you must also configure access to the Assertion Retrieval Service with a client certificate.

You can use non-FIPS 140 encrypted certificates to secure the backchannel even if the Policy Server is operating in FIPS-only mode. However, for FIPS-only installations, use only certificates encrypted with FIPS 140-compatible algorithms.

NoAuth

Indicates that the Single Sign-on or Attribute Service is not protected. If you select this option, no authentication is required.

SP Name

Identifies the Service Provider object. This name must match a Service Provider or SAML Requester name specified at the Identity Provider or Attribute Authority.

If you are using basic authentication as the authentication scheme for the backchannel, the value of this field is the name of the Service Provider. If you are using client certificate authentication for the backchannel, the value of this field should be the alias of the client certificate stored in the smkeydatabase.

Password

Specifies the password used by the Identity Provider or Attribute Authority to access the Service Provider or SAML Requester through the back channel. Enter a valid string between 3 and 255 characters.

Confirm Password

Confirms the entry in the Password field.
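
The field rules above can be checked before a configuration is deployed. The following is an added example, not product code: the dictionary keys, the `audit_backchannel` function and the sample values are assumptions made for illustration, and the set of certificate aliases is supplied by the caller rather than read from the smkeydatabase.

```python
# Added illustration: checks a back-channel configuration against the field
# rules on this page. The dict keys and function name are hypothetical; they
# are not a product export format or API.

AUTH_METHODS = {"Basic", "Client Cert", "NoAuth"}


def audit_backchannel(cfg, keystore_aliases):
    """Return a list of findings for one back-channel configuration."""
    findings = []
    auth = cfg.get("authentication")
    sp_name = cfg.get("sp_name") or ""
    password = cfg.get("password") or ""

    if auth not in AUTH_METHODS:
        findings.append(f"unknown authentication method: {auth!r}")
    elif auth == "NoAuth":
        # The page defines NoAuth as leaving the service unprotected.
        findings.append("NoAuth: back channel service is not protected")

    if not sp_name:
        findings.append("SP Name is required")
    elif auth == "Client Cert" and sp_name not in keystore_aliases:
        # With client certificates, SP Name holds the certificate alias.
        findings.append(f"SP Name {sp_name!r} is not a certificate alias in the key store")

    if not 3 <= len(password) <= 255:
        findings.append("Password must be between 3 and 255 characters")
    if password != (cfg.get("confirm_password") or ""):
        findings.append("Confirm Password does not match Password")
    return findings


# Constructed sample data (aliases, names and passwords are made up).
SAMPLE_ALIASES = {"sp1-backchannel-cert"}
GOOD = {"authentication": "Client Cert", "sp_name": "sp1-backchannel-cert",
        "password": "constructed-example-value", "confirm_password": "constructed-example-value"}
WEAK = {"authentication": "NoAuth", "sp_name": "sp1", "password": "ab", "confirm_password": "ab"}
MISMATCH = dict(GOOD, sp_name="sp1")  # SP object name used where the alias belongs

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK), ("MISMATCH", MISMATCH)):
        print(name, audit_backchannel(cfg, SAMPLE_ALIASES))
```

The `MISMATCH` case covers the easiest rule to miss: with Client Cert selected, SP Name carries the certificate alias rather than the Service Provider object name.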