This section describes how the Enterprise Gateway should package the SAMLP request
before sending it to the SAML PDP.
SAML PDP URL Sets
You can configure a group of SAML PDPs to which the Enterprise Gateway connects in a
round-robin fashion, so that requests continue to be served if one or more of the
PDPs are unavailable. This is known as a SAML PDP URL Set. You can configure a SAML
PDP URL Set using this screen or under the External Connections node in the Policy
Studio tree. For more details, see the topic on Configuring URL Groups.
You can configure the following general fields:
-
SAML PDP URL Set:
Click the button on the right, and select a previously configured SAML
PDP URL Set in the tree. To add a URL Set, right-click the SAML
PDP URL Sets tree node, and select Add a URL Set.
Alternatively, you can configure a SAML PDP URL Set under the External
Connections node in the Policy Studio tree.
-
SOAPAction:
Enter the SOAP Action required to send SAML Protocol requests to
the PDP. Click the Use Default button to use the
following default SOAP Action as specified by the SAML Protocol:
http://www.oasis-open.org/committees/security
-
SAML Version:
Select the SAML version to use in the SAMLP request.
-
Signing Key:
If the SAMLP request is to be signed, click the
Signing Key button, and select the appropriate
signing key from the Certificate Store.
SAML Subject:
The specified details describe the subject of the
SAML assertion. Complete the following fields:
-
Subject Attribute:
Select the message attribute that contains the user name of the
authenticated user. By default, the
authentication.subject.id message attribute
is selected, which contains the user name of the authenticated user.
-
Subject Format:
Select the format of the message attribute selected in the
Subject Attribute field above. You do not
need to select a format if the Subject Attribute
field is set to authentication.subject.id.
Subject Confirmation:
The settings on the Subject Confirmation tab determine
how the <SubjectConfirmation> block in the
<Subject> of the SAMLP request is generated. When the resulting
assertion is consumed by a downstream Web Service, the information
contained in the <SubjectConfirmation> block can be used
to authenticate either the end-user who authenticated to the Enterprise Gateway
or the issuer of the assertion, depending on what is configured.
The following is a typical <SubjectConfirmation> block:
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>
        urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
      </saml:ConfirmationMethod>
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data>
          <dsig:X509SubjectName>CN=oracle</dsig:X509SubjectName>
          <dsig:X509Certificate>
            MIICmzCCAY ...... mB9CJEw4Q=
          </dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </saml:SubjectConfirmation>
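What a downstream consumer should do with that block, as an added example that is not the Enterprise Gateway's code nor any particular consumer's: it parses a constructed copy of the sample above (with the saml namespace declared so it stands alone) and applies the rule each confirmation method implies. It assumes the caller has already verified the XML signature on the message and passes the signer's certificate; confirm_subject, its parameters and the return shape are illustrative names, and the certificate text is the page's elided placeholder, not a real certificate.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
CM = "urn:oasis:names:tc:SAML:1.0:cm:"
HOLDER_OF_KEY, BEARER, ARTIFACT, SENDER_VOUCHES = (
    CM + "holder-of-key", CM + "bearer", CM + "artifact", CM + "sender-vouches")

# Constructed copy of the sample <SubjectConfirmation> above; the certificate
# is the page's placeholder, not real key material.
SAMPLE_HOLDER_OF_KEY = """
<saml:SubjectConfirmation xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:X509Data>
      <dsig:X509SubjectName>CN=oracle</dsig:X509SubjectName>
      <dsig:X509Certificate>MIICmzCCAY......mB9CJEw4Q=</dsig:X509Certificate>
    </dsig:X509Data>
  </dsig:KeyInfo>
</saml:SubjectConfirmation>
"""


def _squash(b64):
    """Base64 in XML is often wrapped; compare it without whitespace."""
    return re.sub(r"\s+", "", b64 or "")


def confirm_subject(subject_confirmation_xml, signer_cert_b64=None,
                    signer_trusted=False):
    """Decide whom the <SubjectConfirmation> lets the consumer treat as
    authenticated (illustrative helper, not a product API).

    signer_cert_b64: certificate of whoever signed the message, assumed
        already verified by the caller's XML-DSig check; None if unsigned.
    signer_trusted:  whether that signer is a trusted issuer/intermediary.
    Returns (confirmed, who, reason), where who is "subject" or "issuer".
    """
    root = ET.fromstring(subject_confirmation_xml.strip())
    methods = [m.text.strip()
               for m in root.iter("{%s}ConfirmationMethod" % SAML_NS) if m.text]
    if not methods:
        return False, None, "no <ConfirmationMethod>: nothing to confirm"
    for method in methods:
        if method == HOLDER_OF_KEY:
            # The presenter must prove possession of the key in <KeyInfo>:
            # the message signature key and the KeyInfo certificate must match.
            cert = root.find(".//{%s}X509Certificate" % DSIG_NS)
            if cert is None:
                return False, None, "holder-of-key without a certificate in <KeyInfo>"
            if signer_cert_b64 is None:
                return False, None, "holder-of-key but message unsigned: no proof of possession"
            if _squash(signer_cert_b64) == _squash(cert.text):
                return True, "subject", "presenter proved possession of the subject's key"
            return False, None, "signer key does not match the key in <KeyInfo>"
        if method == SENDER_VOUCHES:
            # The subject is taken on the word of the signer, so the signer
            # must be a party the consumer already trusts.
            if signer_cert_b64 is not None and signer_trusted:
                return True, "issuer", "trusted signer vouches for the subject"
            return False, None, "sender-vouches requires a signature from a trusted party"
        if method == BEARER:
            # No key material: whoever holds the message is the subject, so
            # confidentiality of the transport is what protects it.
            return True, "subject", "bearer: accepted without proof of possession"
        if method == ARTIFACT:
            return False, None, "artifact must be resolved with the issuer before use"
    return False, None, "unrecognized confirmation method(s): " + ", ".join(methods)
```

Calling confirm_subject(SAMPLE_HOLDER_OF_KEY, signer_cert_b64="MIICmzCCAY......mB9CJEw4Q=") confirms the subject; the same block presented without a signature, or signed with a different key, is rejected.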
You must configure the following fields on the Subject
Confirmation tab:
Method:
The selected value determines the value of the
<ConfirmationMethod> element. The available methods, their
meanings, and their respective values in the
<ConfirmationMethod> element are:
-
Holder Of Key:
Value: urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
Inserts a <SubjectConfirmation> into the SAMLP request. The
<SubjectConfirmation> contains a <dsig:KeyInfo> section with the
certificate of the user selected to sign the SAMLP request. The user
selected to sign the SAMLP request must be the authenticated subject
(authentication.subject.id). Select the Include Certificate option if
the signer's certificate is to be included in the
<SubjectConfirmation> block. Alternatively, select the Include Key
Name option if only the key name is to be included.
-
Bearer:
Value: urn:oasis:names:tc:SAML:1.0:cm:bearer
Inserts a <SubjectConfirmation> into the SAMLP request. No key material
is included, so a consumer cannot tie the assertion to the party
presenting it; the transport must protect the message.
-
SAML Artifact:
Value: urn:oasis:names:tc:SAML:1.0:cm:artifact
Inserts a <SubjectConfirmation> into the SAMLP request.
-
Sender Vouches:
Value: urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
Inserts a <SubjectConfirmation> into the SAMLP request. A user
must sign the SAMLP request.
If the Method field is left blank, no
<ConfirmationMethod> block is inserted into
the SAMLP request.
Include Certificate:
Select this option to include the SAML subject's certificate
in the <KeyInfo> section of the
<SubjectConfirmation> block (Holder Of Key only).
Include Key Name:
Alternatively, if you do not want to include the certificate, select this
option to include only the key name in the <KeyInfo> section.
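The request packaging that the fields above describe (SOAPAction, SAML Version, Subject Attribute, Subject Format, and the Subject Confirmation method with its Include Certificate / Include Key Name options), as an added example that is not Enterprise Gateway code: it builds the SOAP-wrapped samlp:Request carrying an AuthorizationDecisionQuery using only the Python standard library. The function names, the resource and action values, the sample certificate and key name, and the <KeyInfo> layout used for the key-name option are assumptions; XML signing (the Signing Key field) is out of scope here, so the Holder Of Key and Sender Vouches requirement that the request be signed is left to the caller.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("soap", SOAP_NS), ("samlp", SAMLP_NS),
                      ("saml", SAML_NS), ("dsig", DSIG_NS)):
    ET.register_namespace(_prefix, _uri)

# The "Use Default" value: SOAPAction from the SAML 1.x SOAP binding.
DEFAULT_SOAP_ACTION = "http://www.oasis-open.org/committees/security"

# Filter "Method" choice -> <ConfirmationMethod> URI (SAML 1.x values).
CONFIRMATION_METHODS = {
    "Holder Of Key": "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key",
    "Bearer": "urn:oasis:names:tc:SAML:1.0:cm:bearer",
    "SAML Artifact": "urn:oasis:names:tc:SAML:1.0:cm:artifact",
    "Sender Vouches": "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches",
}

# Constructed stand-ins for the signing subject's certificate and key name.
SAMPLE_CERT_B64 = "MIICmzCCAY...mB9CJEw4Q="
SAMPLE_KEY_NAME = "CN=oracle"


def _el(parent, ns, tag, text=None, **attrs):
    """Append a namespaced child element with optional text and attributes."""
    el = ET.SubElement(parent, "{%s}%s" % (ns, tag), attrs)
    if text is not None:
        el.text = text
    return el


def add_subject_confirmation(subject, method, include_certificate=False,
                             include_key_name=False, cert_b64=SAMPLE_CERT_B64,
                             key_name=SAMPLE_KEY_NAME):
    """Append <saml:SubjectConfirmation> for the chosen Method.

    A blank method adds nothing, as the filter does. For Holder Of Key the
    <dsig:KeyInfo> carries either the signer's certificate (the signer must
    be the authenticated subject) or only its key name; the <dsig:KeyName>
    layout used for the key-name option is an assumption.
    """
    if not method:
        return None
    sc = _el(subject, SAML_NS, "SubjectConfirmation")
    _el(sc, SAML_NS, "ConfirmationMethod", CONFIRMATION_METHODS[method])
    if method == "Holder Of Key":
        if include_certificate == include_key_name:
            raise ValueError("Holder Of Key needs exactly one of "
                             "Include Certificate / Include Key Name")
        key_info = _el(sc, DSIG_NS, "KeyInfo")
        if include_certificate:
            x509 = _el(key_info, DSIG_NS, "X509Data")
            _el(x509, DSIG_NS, "X509SubjectName", key_name)
            _el(x509, DSIG_NS, "X509Certificate", cert_b64)
        else:
            _el(key_info, DSIG_NS, "KeyName", key_name)
    return sc


def build_samlp_request(subject_id, subject_format=None, method="Holder Of Key",
                        saml_version="1.1", soap_action=DEFAULT_SOAP_ACTION,
                        resource="https://example.test/orders", **confirmation):
    """Return (http_headers, body_bytes): a SOAP-wrapped samlp:Request with an
    AuthorizationDecisionQuery for subject_id against resource."""
    major, minor = saml_version.split(".")          # "1.1" -> ("1", "1")
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = _el(env, SOAP_NS, "Body")
    issued = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = _el(body, SAMLP_NS, "Request", RequestID="_" + uuid.uuid4().hex,
              MajorVersion=major, MinorVersion=minor, IssueInstant=issued)
    query = _el(req, SAMLP_NS, "AuthorizationDecisionQuery", Resource=resource)
    subject = _el(query, SAML_NS, "Subject")
    # Subject Format is optional; omitted when using the default subject id.
    nid_attrs = {"Format": subject_format} if subject_format else {}
    _el(subject, SAML_NS, "NameIdentifier", subject_id, **nid_attrs)
    add_subject_confirmation(subject, method, **confirmation)
    _el(query, SAML_NS, "Action", "GET",
        Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp")
    headers = {"Content-Type": "text/xml; charset=utf-8",
               "SOAPAction": '"%s"' % soap_action}
    return headers, ET.tostring(env, encoding="utf-8", xml_declaration=True)


def describe(body_bytes):
    """Summarize what a built request carries, for checking the output."""
    root = ET.fromstring(body_bytes)
    req = root.find(".//{%s}Request" % SAMLP_NS)
    cm = root.find(".//{%s}ConfirmationMethod" % SAML_NS)
    return {
        "version": req.get("MajorVersion") + "." + req.get("MinorVersion"),
        "subject": root.find(".//{%s}NameIdentifier" % SAML_NS).text,
        "method": None if cm is None else cm.text,
        "has_certificate": root.find(".//{%s}X509Certificate" % DSIG_NS) is not None,
        "has_key_name": root.find(".//{%s}KeyName" % DSIG_NS) is not None,
    }
```

build_samlp_request("alice", include_certificate=True) yields the headers to send (SOAPAction set to the default) and a body whose <Subject> carries a holder-of-key confirmation with the certificate; passing method="" produces a <Subject> with no <SubjectConfirmation>, matching the blank Method behaviour, and asking for both Include options at once is rejected.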