ALES supports producing and consuming SAML 1.1 assertions, and sending and receiving them using the Browser/POST Profile.
This section covers the following topics:
The use of SAML assertions allows servers in different domains to operate in a federation of trusted servers and grant access to users based on a single login to one of the servers. In a given federation, there are SAML 'producers' and SAML 'consumers'. The SAML producers authenticate users and generate assertions attesting to the user's identity. The SAML assertion can then be included in user requests to other servers in the federation, making additional logins unnecessary.
ALES SSMs allow a Microsoft IIS or Apache HTTP server to operate as a SAML producer, a SAML consumer, or both, and to send and receive SAML assertions using the Browser/POST Profile. Note that the Browser/Artifact Profile is not currently supported.
When set up as a SAML consumer, the SSM running on an IIS or Apache HTTP server accepts requests containing assertions and uses its SAML Identity Asserter to validate them.
When serving as a SAML consumer, the SSM receives requests specifying a protected resource and a SAML assertion attesting to the user's validity. The SSM's SAML Identity Asserter accepts the SAML token and returns the corresponding user. ALES then grants access to the resource based on any policies associated with the resource and/or the user's role.
To configure an IIS or Apache SSM as a SAML consumer:
Note: It is assumed that the necessary Resources and Policies governing access to protected resources have been established.
Note: The trusted keystore configured for the SAML Identity Asserter must contain the certificate used to sign the Assertion and the certificate that signed that certificate, up to the trust anchor. If the trust anchor is a well-known CA such as Verisign, the keystore does not have to contain the trust anchor certificate.
<HTML> and <BODY> tags. The SSM provides a template file named SAMLIn.acc (IIS) or SAMLIn.html (Apache) in the templates directory.
In the default.properties file, set the saml.incoming.enable parameter to 'true'.
Example: set saml.incoming.enable=true
In the default.properties file, set the saml.incoming.url parameter to the POST URL you established on the server (see step 4). Make sure you create a policy that allows POST to the SAML consumer URL.
When operating as a SAML producer, the SSM receives requests for a SAML assertion. The SSM's Authentication Provider authenticates the user and its SAML Credential Mapper returns a SAML assertion. The SSM then sends a response containing the SAML assertion using the Browser/POST Profile.
By default, SAML assertions produced by ALES are base64-encoded tokens identifying the principals. They include an XML Signature proving that the assertion has not been tampered with in transit from the sender to the provider, and contain group information about the user if that information is available. Note that these assertions do not contain the certificate chain used for signing the assertion. It is up to the SAML consumer to notify the recipient of the certificate that can be used to verify the XML signature.
To configure an IIS or Apache SSM as a SAML producer:
Note: The SSM's templates directory contains a file named SAMLXfer.acc (IIS) or SAMLXfer.dhtml (Apache) that can be used.
Note: Make sure you create a policy allowing Everyone access to the script file.
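Added example, not part of the ALES documentation or product: a Python round trip of the Browser/POST exchange described in the consumer and producer sections above. The producer side builds a samlp:Response carrying a saml:Assertion with an XML Signature element and the self-posting HTML page that the SAMLXfer template stands for; the consumer side decodes the posted SAMLResponse field and makes the checks a consumer such as the SAML Identity Asserter performs before trusting the token: the Recipient matches the configured POST URL (saml.incoming.url), the status is Success, the assertion is SAML 1.1, a signature is present, the NotBefore/NotOnOrAfter window holds, and the audience matches. The consumer URL, audience, issuer, subject, the "Groups" attribute name and its namespace, and all timestamps are constructed assumptions; the ds:Signature element is a placeholder, because real XML-DSig signing and verification (the Credential Mapper and Identity Asserter in ALES) need an XML-Signature library and are outside this block.

```python
"""Added example (not ALES code): one SAML 1.1 Browser/POST round trip, producer and
consumer side.  XML-DSig is represented only by a placeholder element and a presence
check; every URL, name, namespace and time below is constructed for the example."""
import base64
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS, "ds": DSIG_NS}
CONSUMER_URL = "https://consumer.example.test/SAMLIn"  # what saml.incoming.url would hold (constructed)
AUDIENCE = "https://consumer.example.test/"            # audience this consumer accepts (constructed)
TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s: str) -> datetime:
    """SAML 1.1 UTC timestamp -> timezone-aware datetime."""
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def build_response(user: str, groups, issuer: str, now: datetime, signed: bool = True) -> str:
    """Producer side: a samlp:Response carrying one saml:Assertion valid for five minutes.
    A real producer signs the assertion with XML-DSig (in ALES, the SAML Credential Mapper);
    here ds:Signature is a placeholder so the consumer's presence check can be exercised."""
    t = now.strftime(TS)
    nb, na = (now - timedelta(seconds=30)).strftime(TS), (now + timedelta(minutes=5)).strftime(TS)
    subj = f"<saml:Subject><saml:NameIdentifier>{html.escape(user)}</saml:NameIdentifier></saml:Subject>"
    vals = "".join(f"<saml:AttributeValue>{html.escape(g)}</saml:AttributeValue>" for g in groups)
    sig = (f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo/>'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>') if signed else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ResponseID="_r1" '
            f'MajorVersion="1" MinorVersion="1" IssueInstant="{t}" Recipient="{CONSUMER_URL}">'
            '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
            f'<saml:Assertion AssertionID="_a1" MajorVersion="1" MinorVersion="1" '
            f'Issuer="{html.escape(issuer)}" IssueInstant="{t}">'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestrictionCondition>'
            f'<saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>'
            '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
            f'AuthenticationInstant="{t}">{subj}</saml:AuthenticationStatement>'
            f'<saml:AttributeStatement>{subj}<saml:Attribute AttributeName="Groups" '
            f'AttributeNamespace="urn:example:groups">{vals}</saml:Attribute></saml:AttributeStatement>'
            f'{sig}</saml:Assertion></samlp:Response>')


def encode_token(response_xml: str) -> str:
    """The base64 token carried in the SAMLResponse form field."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def build_post_form(token: str, target: str) -> str:
    """Producer side: the self-submitting page of the Browser/POST Profile (the role the
    SSM's SAMLXfer template plays), posting SAMLResponse and TARGET to the consumer URL."""
    return ('<HTML><BODY onload="document.forms[0].submit()">'
            f'<FORM METHOD="POST" ACTION="{html.escape(CONSUMER_URL)}">'
            f'<INPUT TYPE="HIDDEN" NAME="SAMLResponse" VALUE="{token}">'
            f'<INPUT TYPE="HIDDEN" NAME="TARGET" VALUE="{html.escape(target)}">'
            '</FORM></BODY></HTML>')


def consume(token: str, now: datetime) -> dict:
    """Consumer side: decode the posted SAMLResponse and check it before trusting the
    identity it carries.  In production parse with defusedxml and verify ds:Signature
    with an XML-DSig library against the trusted keystore (in ALES, the Identity Asserter)."""
    try:
        root = ET.fromstring(base64.b64decode(token, validate=True))
    except Exception as exc:                       # bad base64 or malformed XML
        return {"ok": False, "reason": f"undecodable token: {exc}"}
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return {"ok": False, "reason": "not a SAML 1.x Response"}
    if root.get("Recipient") != CONSUMER_URL:      # must name this consumer's POST URL
        return {"ok": False, "reason": "recipient mismatch"}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith("Success"):
        return {"ok": False, "reason": "status is not Success"}
    a = root.find("saml:Assertion", NS)
    if a is None or (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        return {"ok": False, "reason": "missing or non-1.1 assertion"}
    if a.find("ds:Signature", NS) is None:         # unsigned tokens are never trusted
        return {"ok": False, "reason": "assertion is not signed"}
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return {"ok": False, "reason": "no validity window"}
    if now < parse_ts(cond.get("NotBefore")):
        return {"ok": False, "reason": "assertion not yet valid"}
    if now >= parse_ts(cond.get("NotOnOrAfter")):
        return {"ok": False, "reason": "assertion expired"}
    audiences = [x.text for x in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        return {"ok": False, "reason": "audience mismatch"}
    name = a.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        return {"ok": False, "reason": "no subject"}
    groups = [v.text for v in a.findall(
        "saml:AttributeStatement/saml:Attribute[@AttributeName='Groups']/saml:AttributeValue", NS)]
    return {"ok": True, "reason": "", "user": name.text, "groups": groups}
```

The Recipient and audience checks are the counterpart of the saml.incoming.url setting and of the policy that limits POST to the consumer URL: a token meant for another consumer is rejected even when it is otherwise well formed. The presence check on ds:Signature marks the point where a consumer verifies the signature against the trusted keystore described in the note above; without that verification the validity window and audience checks protect nothing, since anyone could produce the XML.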