Integrating ALES with Application Environments


Enabling SAML-based Single Sign-On

ALES supports producing and consuming SAML 1.1 assertions and sending/receiving them using the Browser/POST Profile.

This section covers the following topics:

Overview
Configuring ALES as a SAML Assertion Consumer
Configuring ALES as a SAML Assertion Producer

Overview

The use of SAML assertions allows servers in different domains to operate in a federation of trusted servers and grant access to users based on a single login to one of the servers. In a given federation, there are SAML "producers" and SAML "consumers". The SAML producers authenticate users and generate assertions attesting to the user's identity. The SAML assertion can then be included in user requests to other servers in the federation, making additional logins unnecessary.

ALES SSMs allow a Microsoft IIS or Apache HTTP server to operate as a SAML producer or a SAML consumer (or both) and send/receive SAML assertions using the Browser/POST Profile. Note that the Browser/Artifact Profile is not currently supported.

When set up as a SAML consumer, the SSM running on an IIS or Apache HTTP server will accept requests containing assertions and then use its SAML Identity Asserter to validate the assertions.

Configuring ALES as a SAML Assertion Consumer

When serving as a SAML consumer, the SSM receives requests specifying a protected resource and a SAML assertion attesting to the user's validity. The SSM's SAML Identity Asserter accepts the SAML token and returns the corresponding user. ALES then grants access to the resource based on any policies associated with the resource and/or the user's role.

To configure an IIS or Apache SSM as a SAML consumer:

Note: It is assumed that the necessary Resources and Policies governing access to protected resources have been established.
  1. Using the Administration Console, create or use an existing SSM configuration defining a SAML Identity Asserter. The SAML Identity Asserter consumes SAML assertions and returns the corresponding authenticated subjects.
Note: The trusted keystore configured for the SAML Identity Asserter must contain the certificate used to sign the assertion and every certificate in its chain up to the trust anchor. If the trust anchor is a well-known CA such as Verisign, the keystore does not have to contain the trust anchor certificate.
  2. Install the ALES SCM and SSM on the IIS or Apache web server.
  3. Create instances of the Web Service SSM and the Web Server SSM on the web server and configure the web server to call the SSM. Set the SSMs to use the certificate authority keystore. Set the password for the SSM to use when logging in to the ASI database.
  4. Set up a file to serve as the target POST URL. The file can be copied to the web server or referred to using a virtual server. It serves as a placeholder that alerts the SSM to receive a SAML assertion. It must be a valid HTML file, but requires nothing more than empty <HTML> and <BODY> tags. The SSM provides a template file named SAMLIn.acc (IIS) or SAMLIn.html (Apache) in the templates directory.
  5. In the SSM's default.properties file, set the saml.incoming.enable parameter to true.
     Example: saml.incoming.enable=true
  6. In the SSM's default.properties file, set the saml.incoming.url parameter to the POST URL you established on the server (see step 4). Make sure you create a policy that allows POST to the SAML consumer URL.
     Example: saml.incoming.url=http://<server>/<dir>/SAMLIn.acc

Configuring ALES as a SAML Assertion Producer

When operating as a SAML producer, the SSM receives requests for a SAML assertion. The SSM's Authentication Provider authenticates the user and its SAML Credential Mapper returns a SAML assertion. The SSM then sends a response containing the SAML assertion using the Browser/POST Profile.

By default, SAML assertions produced by ALES are Base64-encoded tokens identifying the principals. They include an XML Signature proving that the assertion has not been tampered with in transit from the sender to the provider, and they contain group information about the user if that information is available. Note that these assertions do not contain the certificate chain used to sign the assertion. It is up to the SAML consumer to notify the recipient of the certificate that can be used to verify the XML Signature.
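As an added illustration (not ALES code and not its SAML Identity Asserter), the following Python decodes a Browser/POST SAMLResponse form value of the kind just described and applies the consumer-side sanity checks that come before signature validation: the Response's Recipient must equal the POST URL configured as saml.incoming.url in the consumer steps above, the assertion must carry a ds:Signature, and its Conditions window must cover the current time. The sample response, the consumer.example and producer.example hosts and the signature value are constructed placeholders.

```python
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

# Namespaces used by SAML 1.1 Browser/POST responses.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _utc(ts):
    # SAML timestamps are UTC; make the trailing "Z" explicit for fromisoformat.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_post_response(b64_response, expected_recipient, now_iso):
    """Return a list of problems; an empty list means the checks passed.
    Validating the signature against the trusted keystore is left to an
    XML-DSig library; only the signature's presence is checked here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # The Recipient must be the POST URL configured as saml.incoming.url.
    if root.get("Recipient") != expected_recipient:
        problems.append("Recipient does not match saml.incoming.url")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    elif not (_utc(cond.get("NotBefore")) <= _utc(now_iso) < _utc(cond.get("NotOnOrAfter"))):
        problems.append("Assertion outside validity window")
    return problems

# Constructed sample: what the browser would POST as the SAMLResponse form field.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 MajorVersion="1" MinorVersion="1" Recipient="http://consumer.example/sso/SAMLIn.acc">
 <saml:Assertion MajorVersion="1" MinorVersion="1" Issuer="producer.example">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
  <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    print(check_post_response(SAMPLE_B64, "http://consumer.example/sso/SAMLIn.acc", "2024-01-01T00:01:00Z"))
```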

To configure an IIS or Apache SSM as a SAML producer:

  1. Using the Administration Console, create an SSM configuration defining an Authentication Provider and a SAML Credential Mapper.
  2. Install the ALES SCM and SSM on the IIS or Apache web server.
  3. Create instances of the Web Service SSM and Web Server SSM on the web server. Set the SSMs to use the certificate authority keystore. Set the password for the SSM to use when logging in to the ASI database.
  4. Configure the IIS or Apache web server to integrate with the SSM.
  5. Configure the script for handling the Browser POST to the SAML consumer.
Note: The SSM's template directory contains a file named SAMLXfer.acc (IIS) or SAMLXfer.dhtml (Apache) that can be used.
Note: Make sure you create a policy allowing Everyone access to the script file.
