More Information:

Access the Artifact Resolution Service with a Client Certificate (optional)

SAML 2.0 Auth Scheme Properties Dialog--SSO Tab

The SSO tab is where you configure Single Sign-On (SSO) information.

Redirect Mode

Specifies the method by which the Service Provider redirects the user to the target resource. If you select 302 No Data or 302 Cookie Data, no other configuration is required. If you select Server Redirect or PersistAttributes, there is additional configuration required.

302 No Data (default)

User is redirected via an HTTP 302 redirect with a session cookie, but no other data.

302 Cookie Data

User is redirected via an HTTP 302 redirect with a session cookie and additional cookie data configured for the Service Provider at the Identity Provider.

Server Redirect

Enables header and cookie attribute information, which is received as part of a SAML assertion, to be passed to the custom target application. The service that collects the credentials (SAML 2.0 Assertion Consumer Service or WS-Federation Security Token Consumer Service) transfers the user to the target application URL by using a server-side redirect. Server-side redirects are part of the Java Servlet specification and are supported by all standards-compliant servlet containers.

To use this mode, you must follow these requirements:

  • The URL you specify for this mode must be relative to the context of the servlet that is consuming the assertion, which is typically /affwebservices/public/. The root of the context is the root of the Federation Web Services application, typically /affwebservices/.

    All target application files need to be in the application’s root directory. This directory is either:

    —Web Agent: web_agent_home\webagent\affwebservices

    —SPS federation gateway: sps_home\secure-proxy\Tomcat\webapps\affwebservices

  • You need to define realms, rules, and policies to protect target resources. The realms must be defined with at least the value /affwebservices/ in the resource filter.
  • You must have a custom Java or JSP application on the server that is serving the Federation Web Services application--that is, the server where the Web Agent Option Pack or SPS federation gateway is installed.

    Java servlet technology allows applications to pass information between two resource requests using the setAttribute method of the ServletRequest interface.

    The service that consumes assertions passes the user attributes to the target application as an attribute object on the request before redirecting the user to the target application. It does so by creating a java.util.HashMap object; the request attribute that holds this HashMap of SAML attributes is named “Netegrity.AttributeInfo”.

    Two other java.lang.String attributes are set by the service that consumes assertions to pass the user identity to the custom application:

    —Netegrity.smSessionID represents the SiteMinder session ID.

    —Netegrity.userDN represents the SiteMinder user DN.

    The custom target application at the customer site reads these objects from the HTTP request object and can use the data found in the HashMap.
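As an added example (not CA's own code), a minimal custom target servlet that reads the three request attributes named above after the server-side redirect; the class name and the HTML-escaping helper are assumptions, and the attribute values are treated as untrusted input from the Identity Provider:

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not CA code: a custom target servlet for Server Redirect mode.
// It must be deployed under the Federation Web Services context (typically
// /affwebservices/) so that the Assertion Consumer Service can forward to it.
public class FederatedTargetServlet extends HttpServlet {

    // Handle GET and POST alike: a server-side forward keeps the method of the
    // original request (POST for the HTTP-POST binding, GET for HTTP-Artifact).
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Request attributes set by the assertion consumer before the forward.
        // On a direct browser request they are absent: treat that as no federated context.
        Object sessionId = req.getAttribute("Netegrity.smSessionID");
        Object userDn = req.getAttribute("Netegrity.userDN");
        Object attrInfo = req.getAttribute("Netegrity.AttributeInfo");

        if (!(sessionId instanceof String) || !(userDn instanceof String)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing federated session context");
            return;
        }
        // The session ID is a credential: use it for correlation or back-end calls, never echo it.

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<h1>Welcome " + escape((String) userDn) + "</h1>");

        // SAML attributes arrive as a HashMap; values originate in the IdP's assertion,
        // so they are escaped before being rendered into HTML.
        if (attrInfo instanceof Map) {
            out.println("<ul>");
            for (Map.Entry<?, ?> e : ((Map<?, ?>) attrInfo).entrySet()) {
                out.println("<li>" + escape(String.valueOf(e.getKey())) + " = "
                        + escape(String.valueOf(e.getValue())) + "</li>");
            }
            out.println("</ul>");
        }
    }

    // Minimal HTML escaping (assumption: attribute values are plain strings).
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

The realm protecting this servlet still needs the policy configuration described above; the attribute check only guards against the servlet being reached without passing through the assertion consumer.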

PersistAttributes

User is redirected via an HTTP 302 redirect with a session cookie, but no other data. Additionally, this mode instructs the Policy Server to store attributes extracted from an assertion in the session store so they can be supplied as HTTP header variables. For additional configuration, see the instructions for using SAML attributes as HTTP headers.

Note: If you choose PersistAttributes and the assertion contains attributes that are left blank, a value of NULL is written to the session store. This value acts as a placeholder for the empty attribute and it is passed to any application using the attribute.

SSO Service

Specifies the URI of the Single Sign-On service at an Identity Provider. This is the location to which the AuthnRequest service redirects an AuthnRequest message, which contains the Service Provider’s ID. The default URL is:

http://idp_host:port/affwebservices/public/saml2sso

Audience

Specifies the audience for the SAML assertion. The Audience is a URL that identifies the location of a document that describes the terms and conditions of the business agreement between the Identity Provider and the Service Provider. The audience is determined by the administrator at the Identity Provider site. It also must match the audience specified for the Service Provider at the Identity Provider site.

The audience value should not exceed 1K and is case-sensitive. For example:

http://www.ca.com/SampleAudience

Target

Specifies the target resource URI at the destination Service Provider site.

Relay State Overrides Target

(Optional) Replaces the value specified in the Target field with the value of the Relay State query parameter for SP-initiated or IdP-initiated single sign-on. This check box gives you more control over the target because using the Relay State query parameter lets you dynamically define the target.

Bindings Group Box

HTTP-Artifact

Enables the artifact binding (when enabled, the following associated controls are activated).

Override system generated IdP Source ID

Allows you to specify an IdP Source ID in the associated field. The default is an SHA-1 hash of the IdP ID. Values must be a 40-digit hexadecimal number.

Resolution Service

Specifies the URL of the Identity Provider’s Artifact Resolution Service. The default URL is:

http://host:port/affwebservices/saml2artifactresolution

Sign ArtifactResolve

Indicates that the artifact resolve message, the request sent by the Service Provider to retrieve the original SAML message, must be signed. If you check this box, the artifact resolve message must be signed or the Identity Provider will not accept it.

If you select this check box, the Identity Provider must be configured to require a signed artifact resolve message.

Note: Digital signature processing must be enabled to sign the artifact resolve message.

Require Signed ArtifactResponse

Specifies that the Service Provider will only accept the artifact response, which contains the original SAML message, if the response is signed.

If you select this check box, the Identity Provider must be configured to sign the artifact response.

Note: Digital signature processing must be enabled to process the signed response.

Authentication

Specifies the type of authentication that protects the realm that contains the Artifact Resolution Service. The authentication scheme determines the type of credentials the Service Provider must present to access the Artifact Resolution Service to retrieve the assertion.

Choose one:

Basic

(Default) Uses the SP ID and the password specified in the SSO tab of the authentication scheme properties as credentials. No additional configuration is required unless the connection to the Artifact Resolution Service is an SSL connection; in that case, the certificate of the Certificate Authority that enabled the SSL connection must be in the Service Provider’s AM.keystore.

Client Cert

Uses the SP ID and password specified in the SSO tab of the authentication scheme properties for credentials to look up the certificate in the key store. If you select this option, you have to configure access to the Artifact Resolution Service using a client certificate.

No Auth

Indicates that no authentication is required.

Index

Enabled when the HTTP-Artifact check box is selected, this field assigns an AssertionConsumerServiceIndex parameter for the artifact binding. If you have multiple endpoints in a federated network, you can assign an index for the Assertion Consumer Service so the Identity Provider knows where to send the response. Enter an integer in the range 0-65535.

HTTP-Post

Indicates that the POST binding is enabled for the Identity Provider.

Enforce Single Use Policy check box

Enforces the single-use policy, preventing SAML 2.0 assertions that arrive via the POST binding from being reused at a Service Provider to establish a second session.

Index

Enabled when the HTTP-Post check box is selected, this field assigns an AssertionConsumerServiceIndex parameter for the POST binding. If you have multiple endpoints in a federated network, you can assign an index for the Assertion Consumer Service so the Identity Provider knows where to send the response. Enter an integer in the range 0-65535.

Other Controls

Enhanced Client and Proxy Profile

Enables processing of requests using the SAML 2.0 Enhanced Client and Proxy (ECP) Profile.

Sign AuthRequests

Enables signing of AuthnRequest messages (which request authentication from an Identity Provider).

Allow IdP to Create New User Identifier

If the Service Provider sends an AuthnRequest message to the Identity Provider to get an assertion, checking this box sets the AllowCreate attribute in the AuthnRequest message to true. The AllowCreate attribute instructs the Identity Provider to generate a new value for the NameID, provided that the AllowCreate feature is enabled at the Identity Provider. This new value for the NameID is included in the assertion sent back to the Service Provider.