Auth. Scheme Properties--WS-Federation--SSO Tab

The SSO tab is where you define how the Resource Partner processes single sign-on requests.

The tab contains the following fields:

Redirect Mode

Indicates the method by which the Resource Partner redirects the user to the target resource. If you select 302 No Data or 302 Cookie Data, no other configuration is required. If you select Server Redirect or PersistAttributes, additional configuration is required.

302 No Data

(Default). The user is redirected via an HTTP 302 redirect with a session cookie, but no other data.

302 Cookie Data

The user is redirected via an HTTP 302 redirect with a session cookie and the additional cookie data configured for the Resource Partner at the Account Partner.

Server Redirect

Enables header and cookie attribute information received as part of a SAML assertion to be passed to the custom target application. The service that collects the credentials (SAML 2.0 Assertion Consumer Service or WS-Federation Security Token Consumer Service) transfers the user to the target application URL by using a server-side redirect. Server-side redirects are part of the Java Servlet specification and are supported by all standards-compliant servlet containers.

To use this mode, the following requirements must be met:

  • The URL you specify for this mode must be relative to the context of the servlet that consumes the assertion, which is typically /affwebservices/public/. The root of the context is the root of the Federation Web Services application, typically /affwebservices/.

    All target application files must be in the application's root directory. This directory is one of the following:

    —Web Agent: web_agent_home\webagent\affwebservices

    —SPS federation gateway: sps_home\secure-proxy\Tomcat\webapps\affwebservices

  • You need to define realms, rules, and policies to protect target resources. The realms must be defined with at least the value /affwebservices/ in the resource filter.
  • You must have a custom Java or JSP application on the server that serves the Federation Web Services application--that is, the server where the Web Agent Option Pack or SPS federation gateway is installed.

    Java servlet technology allows applications to pass information between two resource requests using the setAttribute method of the ServletRequest interface.

    The service that consumes assertions passes the user attributes to the target application by setting an attribute object on the request before forwarding the user to the target application. The attributes are placed in a java.util.HashMap object. The request attribute that holds the HashMap of SAML attributes is named Netegrity.AttributeInfo.

    Two other java.lang.String attributes are set by the service that consumes assertions to pass the user identity to the custom application:

    —Netegrity.smSessionID represents the SiteMinder session ID.

    —Netegrity.userDN represents the SiteMinder user DN.

    The custom target application at the customer site can read these objects from the HTTP request object and make use of the data in the HashMap.
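As an added example (not part of this documentation and not product code), a minimal custom target servlet that reads the three request attributes described above; the class name FederationTargetServlet and the assumption that the HashMap holds String keys and values are mine.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical custom target servlet for Server Redirect mode (example, not product code).
// Assumes it is deployed under the Federation Web Services context and that the HashMap
// in Netegrity.AttributeInfo carries String keys and values.
public class FederationTargetServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Attributes set by the Security Token Consumer Service before its server-side forward.
        Object sessionId = req.getAttribute("Netegrity.smSessionID");
        Object userDn = req.getAttribute("Netegrity.userDN");
        Object info = req.getAttribute("Netegrity.AttributeInfo");

        // Request attributes only survive the forward; a browser hitting this URL directly
        // carries none of them, so refuse instead of rendering a page for an unknown user.
        if (!(sessionId instanceof String) || !(userDn instanceof String)
                || !(info instanceof Map)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Map<?, ?> attributes = (Map<?, ?>) info;

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<p>Session: " + escape(sessionId) + "</p>");
        out.println("<p>User DN: " + escape(userDn) + "</p>");
        out.println("<ul>");
        // Attribute values originate in the Account Partner's assertion: escape before echoing.
        for (Map.Entry<?, ?> e : attributes.entrySet()) {
            out.println("<li>" + escape(e.getKey()) + " = " + escape(e.getValue()) + "</li>");
        }
        out.println("</ul></body></html>");
    }

    // Minimal HTML escaping for text that did not originate in this application.
    private static String escape(Object value) {
        return String.valueOf(value)
                .replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

The servlet must be mapped at a path relative to /affwebservices/ and that realm must be protected as the requirements above describe; the forbidden response covers the case where the realm protection is misconfigured and the page is reached without the forward.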

PersistAttributes

The user is redirected via an HTTP 302 redirect with a session cookie, but no other data. Additionally, this mode instructs the Policy Server to store the attributes extracted from the assertion in the session store so that they can be supplied as HTTP header variables. For the additional configuration, see the instructions for using SAML attributes as HTTP headers.

Note: If you choose PersistAttributes and the assertion contains attributes that are left blank, a value of NULL is written to the session store. This value acts as a placeholder for the empty attribute and is passed to any application that uses the attribute.

Target

Specifies the target resource URI at the Service Provider destination site.

Enforce Single Use Policy

Selecting this option enforces the single-use policy, which prevents an assertion from being reused at a Resource Partner to establish a second session.

More Information:

Configure WS-Federation Single Sign-on at the Resource Partner