The SSO tab is where you configure Single Sign-On (SSO) information for the SAML Service Provider. The fields on this tab are as follows:
Specifies the URI of the audience the IdP sends in the assertion (to be compared with the audience specified in the authentication scheme on the Service Provider). For example, sp.ca.com.
Specifies the URL of the service that receives assertions at the Service Provider. The default for SiteMinder is:
http://<sp_server:port>/affwebservices/public/saml2assertionconsumer
Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.
Note: This field is disabled if indexed endpoints have been defined. In that case, you can only edit this URL by modifying an indexed entry in the Assertion Consumer Service dialog, accessed by selecting the ellipsis button.
Opens the Assertion Consumer Services dialog. From this dialog, you can do the following:
Bindings Group Box
Indicates the artifact binding is supported at the Service Provider for single sign-on.
Specifies the encoding used for the artifact binding: Form or URL. If you select URL, the artifact is added to a URL-encoded query string. If you select Form, the artifact is added to a hidden form control in a form.
Allows you to specify an IdP Source ID in the associated field. The default is the SHA-1 hash of the IdP ID. Values must be exactly 40 hexadecimal digits. To override the generated value, select this check box and enter a 40-character hexadecimal value for the IdP Source ID.
Note: If you select HTTP-Artifact, configure the backchannel settings on the General tab.
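The following is an added example, not code from the SiteMinder documentation or product. It shows how the default IdP Source ID described above is derived (SHA-1 of the IdP ID, rendered as 40 hexadecimal characters), how an override value can be checked against the 40-hex-digit rule before it is entered, and how the Source ID is carried inside a SAML 2.0 artifact so that the Service Provider can tell which Identity Provider's backchannel to resolve it against. The entity ID, the artifact builder and the message handle are constructed for illustration; the artifact layout (type code 0x0004, endpoint index, 20-byte SourceID, 20-byte MessageHandle) is the standard SAML 2.0 one.

```python
import base64
import hashlib
import re
import secrets
from dataclasses import dataclass

# Constructed sample IdP ID (assumption; not from the documentation).
IDP_ENTITY_ID = "https://idp.example.com/affwebservices/public/saml2sso"

# An overridden Source ID must be exactly 40 hexadecimal digits (20 bytes).
SOURCE_ID_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def default_source_id(idp_id: str) -> str:
    """Default IdP Source ID: SHA-1 of the IdP ID as 40 lowercase hex characters."""
    return hashlib.sha1(idp_id.encode("utf-8")).hexdigest()


def validate_source_id_override(value: str) -> bool:
    """True if the value is acceptable as an IdP Source ID override."""
    return bool(SOURCE_ID_RE.match(value))


@dataclass
class Artifact:
    type_code: int
    endpoint_index: int
    source_id: str        # 40 hex characters
    message_handle: str   # 40 hex characters


def build_artifact(source_id_hex: str, message_handle: bytes, endpoint_index: int = 0) -> str:
    """Assemble a type-0x0004 SAML 2.0 artifact (hypothetical helper, for testing only).

    Layout: 2-byte TypeCode | 2-byte EndpointIndex | 20-byte SourceID | 20-byte MessageHandle,
    then base64-encoded. The real IdP generates the MessageHandle; here it is supplied.
    """
    if not validate_source_id_override(source_id_hex):
        raise ValueError("SourceID must be 40 hexadecimal digits")
    if len(message_handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = (
        (0x0004).to_bytes(2, "big")
        + endpoint_index.to_bytes(2, "big")
        + bytes.fromhex(source_id_hex)
        + message_handle
    )
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64: str) -> Artifact:
    """Decode an artifact received at the Service Provider and split it into its fields."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44:
        raise ValueError(f"unexpected artifact length {len(raw)}, expected 44 bytes")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != 0x0004:
        raise ValueError(f"unsupported artifact type code 0x{type_code:04x}")
    endpoint_index = int.from_bytes(raw[2:4], "big")
    return Artifact(type_code, endpoint_index, raw[4:24].hex(), raw[24:44].hex())


def artifact_matches_idp(artifact_b64: str, expected_source_id: str) -> bool:
    """The SP compares the embedded SourceID with the configured IdP Source ID to pick
    the right partner (and backchannel) for artifact resolution."""
    return parse_artifact(artifact_b64).source_id.lower() == expected_source_id.lower()


if __name__ == "__main__":
    sid = default_source_id(IDP_ENTITY_ID)
    art = build_artifact(sid, secrets.token_bytes(20), endpoint_index=0)
    print("default Source ID:", sid)
    print("artifact:", art)
    print("parsed:", parse_artifact(art))
    print("matches configured IdP:", artifact_matches_idp(art, sid))
```

If you override the Source ID on the SP side, the value must be the same one the IdP embeds in the artifacts it issues; a mismatch makes every artifact fail the `artifact_matches_idp` lookup before the backchannel is ever contacted.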
Indicates that the POST binding is supported at Service Provider for single sign-on.
Other Controls
Activates support for the SAML 2.0 Enhanced Client and Proxy (ECP) Profile. This profile is used if the SP and IdP are not communicating directly.
Indicates that AuthnRequest messages sent by the Service Provider must be signed to be accepted. If you select this check box, the Identity Provider cannot send unsolicited responses, which establishes a trust relationship between the Identity Provider and the Service Provider.
Important! If you enable this feature, you also have to complete the Issuer DN and Serial Number parameters on the General tab for validating the signature of the AuthnRequest.
Displays the Signing Options dialog. From this dialog you can configure the settings for digital signing, such as the signing alias and the signature algorithm.
Specifies the minimum level at which the user must have authenticated to gain access to a SiteMinder realm. If the user has authenticated at this level or higher, the Identity Provider generates an assertion for the user. If the user is not authenticated at this level or higher, they are redirected to the Authentication URL to authenticate at this level.
Specifies a number of seconds (a positive integer) for which a generated assertion is valid.
In a test environment, you might want to increase the Validity Duration value above the default of 60 if you see the following message in the Policy Server trace log:
Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237) – current time (Fri Sep 09 17:28:33 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2005)
Note: This property applies only to SSO messages; it is not the same as the setting specified in the Validity Duration field on the SLO tab.
Defines the URI provided in the AuthnContextClassRef element to describe how the requesting user authenticated. Be sure that you specify a value that is valid according to the SAML specifications and is appropriate for the Authentication Level specified for the Service Provider. We recommend that you accept the default value, which is urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
You can specify another value; however, you then must configure a custom SAML response element on the Advanced tab.
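The following is an added example, not code from the SiteMinder documentation or product. It brings together the checks that the fields above configure on an assertion: the Audience (compared with the value configured at the Service Provider), the Validity Duration window (NotOnOrAfter and SessionNotOnOrAfter, the comparison behind the "current time ... is after SessionNotOnOrAfter time" trace message), and the AuthnContextClassRef URI. The assertion XML, the clock values, the `skew_seconds` parameter and the function names are all constructed for illustration; signature verification is out of scope here and is assumed to happen before these checks.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed sample assertion (assumption; not from the documentation). Signature omitted.
# Validity Duration of 60 seconds: NotOnOrAfter and SessionNotOnOrAfter are 60 s after issue.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>sp.ca.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
      SessionNotOnOrAfter="2024-01-01T12:01:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def at(iso_utc: str) -> datetime:
    """Parse a SAML-style UTC timestamp such as 2024-01-01T12:00:30Z into an aware datetime."""
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))


def check_assertion(xml_text: str, expected_audience: str, now, allowed_classes=(PASSWORD_CLASS,), skew_seconds: int = 0):
    """Return the list of rejection reasons; an empty list means the checks passed.

    `now` may be an aware datetime or an ISO 8601 UTC string. `skew_seconds` is the
    clock tolerance the verifier is willing to grant (0 reproduces a strict comparison).
    """
    if isinstance(now, str):
        now = at(now)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    reasons = []

    # 1. Audience: the assertion must name the audience configured for this Service Provider.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        reasons.append("missing Conditions element")
    else:
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if expected_audience not in audiences:
            reasons.append(f"audience {audiences} does not include expected audience {expected_audience}")

        # 2. Validity window on the Conditions element.
        not_before = cond.get("NotBefore")
        if not_before and now + skew < at(not_before):
            reasons.append(f"current time ({now.isoformat()}) is before NotBefore time ({not_before})")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_on_or_after and now - skew >= at(not_on_or_after):
            reasons.append(f"current time ({now.isoformat()}) is after NotOnOrAfter time ({not_on_or_after})")

    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None:
        reasons.append("missing AuthnStatement element")
    else:
        # 3. Session lifetime carried on the AuthnStatement (the value named in the trace log).
        session_end = stmt.get("SessionNotOnOrAfter")
        if session_end and now - skew >= at(session_end):
            reasons.append(f"current time ({now.isoformat()}) is after SessionNotOnOrAfter time ({session_end})")

        # 4. Authentication context: only the URIs the SP has been configured to accept.
        class_ref = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", default="", namespaces=SAML_NS)
        if class_ref not in allowed_classes:
            reasons.append(f"AuthnContextClassRef {class_ref!r} is not one of {list(allowed_classes)}")

    return reasons


if __name__ == "__main__":
    for clock in ("2024-01-01T12:00:30Z", "2024-01-01T12:01:30Z"):
        print(clock, "->", check_assertion(SAMPLE_ASSERTION, "sp.ca.com", clock) or "accepted")
```

With the clock 30 seconds past issue the assertion is accepted; 90 seconds past issue both NotOnOrAfter and SessionNotOnOrAfter are exceeded and the function reports the same condition the trace log message describes. Raising the Validity Duration (or granting a small clock tolerance in the verifier) is what makes such a rejection go away when the real cause is clock drift between the Identity Provider and the Policy Server.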
Permits the Identity Provider to create a value for the NameID in an assertion if the AuthnRequest message received from the Service Provider does not include a NameID but the AllowCreate attribute in the AuthnRequest message is set to true. The newly generated attribute for the NameID is included in the assertion.
Opens the Restrictions dialog from where you can configure IP address and time restrictions on the assertion generation policy.
Copyright © 2011 CA. All rights reserved.