Overview
Entrust's GetAccess provides Identity Management and access control
services for Web resources. It centrally manages access to Web
applications, enabling users to benefit from a single sign-on capability
when accessing the applications that they are authorized to use.
The Enterprise Gateway's GetAccess filter enables integration
with Entrust GetAccess. This filter can query GetAccess for
authorization information for a particular user for a given resource.
In other words, the Enterprise Gateway asks GetAccess to make the authorization
decision. If the user has been given authorization rights to the Web
Service, the request is allowed through to the Service. Otherwise,
the request is rejected.
GetAccess WS-Trust STS
This section configures how the Enterprise Gateway authenticates to the
GetAccess WS-Trust STS (Security Token Service). You can configure
the Enterprise Gateway to connect to a group of GetAccess STS servers in
a round-robin fashion. This provides the necessary fail-over capability
in cases where one or more STS servers are not available.
Select an STS URL group in the URL Group field. This
group consists of a number of GetAccess STS Servers to which the Enterprise Gateway
round-robins connection attempts.
For details on adding and editing URL groups, see the Configuring URL Groups section.
Having successfully authenticated to a GetAccess STS server, the STS
server issues a SAML authentication assertion and returns it to the
Enterprise Gateway. When checking the validity period of the assertion, the
specified Drift Time is used to account for a
possible difference between the time on the STS server and the time on
the machine hosting the Enterprise Gateway.
Specify the name of the id field in the WS-Trust request in the
WS-Trust STS Attribute Field Name field. The default entry is Id.
GetAccess SAML PDP
When the Enterprise Gateway has successfully authenticated to a GetAccess STS
server, it can then obtain authorization information about the end-user
from the GetAccess SAML PDP. The authorization details are returned in a
SAML authorization assertion, which is then validated by the Enterprise Gateway
to determine whether or not the request should be denied.
The following fields should be configured:
- URL Group: Select a SAML PDP URL group in the URL Group field. This group
  consists of a number of GetAccess SAML PDP servers over which the Enterprise
  Gateway round-robins authorization requests. You can add, edit, and remove
  groups by clicking the Add, Edit, and Remove buttons respectively. For more
  information on adding and editing URL groups, see the Configuring URL Groups
  section.
- Drift Time: The specified Drift Time is used to account for a possible
  difference between the time on the GetAccess SAML PDP and the time on the
  machine hosting the Enterprise Gateway. It is applied when validating the
  validity period of the SAML authorization assertion.
- Resource: This is the resource to which the client is requesting access.
  You can enter a property representing a message attribute, which is looked
  up and expanded to a value at runtime. Properties have the following format:
  ${message.attribute}
  For example, to use the original path on which the request was received by
  the Enterprise Gateway as the resource, enter the following property:
  ${http.request.uri}
- Actor/Role: To add the SAML authorization assertion to the downstream
  message, select a SOAP actor/role to indicate the WS-Security block into
  which the assertion is inserted. If this field is left blank, the assertion
  is not added to the message.
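The Drift Time setting (described for the STS above and for the SAML PDP in this list) widens the assertion's validity window to absorb clock skew between the GetAccess server and the gateway host. The following is an added example, not code from Entrust or the Enterprise Gateway, of how such a check is typically applied: it parses the Conditions element of a constructed SAML 1.x assertion (the namespace and the NotBefore/NotOnOrAfter attributes are an assumption about the assertion format) and tests whether the gateway's clock falls inside the window after the drift has been applied to both ends.

```python
# Added example (not Entrust's or the Enterprise Gateway's own code): applying a
# configured Drift Time when checking the validity period of a SAML assertion.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Assumption: the STS/PDP return SAML 1.x assertions, whose Conditions element
# carries NotBefore / NotOnOrAfter in this namespace.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion: only the parts the validity check needs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="constructed-example-id" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_utc(value: str) -> datetime:
    """Parse an xsd:dateTime with a 'Z' suffix into a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validity_window(assertion_xml: str):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no usable Conditions element")
    return parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))


def in_validity_period(assertion_xml: str, now: datetime, drift_seconds: int) -> bool:
    """True if 'now' (the gateway's clock) falls inside the assertion's window,
    widened by the drift on both ends because the STS clock may be ahead or behind."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    drift = timedelta(seconds=drift_seconds)
    # NotBefore is inclusive, NotOnOrAfter is exclusive, as in the SAML spec.
    return (not_before - drift) <= now < (not_on_or_after + drift)


if __name__ == "__main__":
    gateway_clock = parse_utc("2024-01-01T11:59:30Z")   # gateway 30 s behind the STS
    print(in_validity_period(SAMPLE_ASSERTION, gateway_clock, 0))    # False
    print(in_validity_period(SAMPLE_ASSERTION, gateway_clock, 60))   # True
```

The drift is applied symmetrically because the skew can be in either direction. Since every second of drift extends the time during which a stale assertion is still accepted, keep the value to the real clock difference between the hosts rather than using it as a convenience margin.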
Configuring URL Groups
The Enterprise Gateway can make connections on a round-robin basis to the URLs
listed in a URL group, thus enabling a high degree of failover to
GetAccess servers. You can configure URL groups by clicking the
Add or Edit button.
GetAccess servers are used according to the priorities assigned to
them. For example, assume there are two High priority URLs,
one Medium URL, and a single Low URL configured. Assuming the Enterprise Gateway
can successfully connect to the two High priority URLs, it alternates
requests between these two URLs only. The other group URLs
are not used. However if both of the High priority URLs
become unavailable, the Enterprise Gateway then tries to use the Medium
priority URL, and only if this fails, the Low priority URL is used.
In general, the Enterprise Gateway attempts to round-robin requests over
URLs of the same priority, but uses higher priority URLs before lower
priority ones. When a new URL is added to the group, it is automatically
given the highest priority. You can then change priorities by selecting
the URL and clicking the Up and Down
buttons.
To add a GetAccess URL, click the Add button; to edit an existing URL,
select it in the table and click the Edit button.
The following fields should be completed:
- URL: Enter the full URL of the GetAccess server.
- Timeout: Specify the timeout in seconds for connections to the GetAccess
  server.
- Retry After: Whenever a GetAccess server becomes unavailable for any reason
  (for example, maintenance), no attempt is made to connect to that server
  until the specified time has elapsed. In other words, when a connection
  failure is detected, the next connection to that URL is made only after this
  amount of time.
- Username: If the specified GetAccess server requires clients to
  authenticate to it over two-way SSL, you must select a user for
  authentication. This user must have been assigned the Use for client
  authentication privilege. Note that when configuring a GetAccess STS URL,
  you only need to specify an SSL username and password if the loginDnUser
  method is protected in GetAccess. This method is protected by default.
- Host/IP: If the GetAccess server sits behind a proxy server, you must enter
  details of the proxy. Enter the host name or IP address of the proxy server.
- Port: Enter the port on which the proxy server is listening.
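The selection rules described in this section (round-robin among URLs of the same priority, higher priorities used before lower ones, and a Retry After period during which a failed URL is skipped) combine into a small scheduler. The following is an added example, not Entrust's or the Enterprise Gateway's own code, that implements those rules over the group from the text (two High, one Medium, one Low URL). Priorities are represented as integers (High=3, Medium=2, Low=1), the server names are constructed, and the `connect` callback stands in for the real connection attempt; all of these are assumptions.

```python
# Added example (not Entrust's or the Enterprise Gateway's own code): priority-ordered
# round-robin over a URL group, with a Retry After back-off for failed servers.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class GroupUrl:
    url: str
    priority: int          # assumption: higher number = higher priority (High=3, Medium=2, Low=1)
    retry_after: float     # seconds to leave this URL alone after a connection failure
    timeout: float = 30.0  # connection timeout in seconds, for the connector to apply
    unavailable_until: float = 0.0  # clock time until which this URL is skipped


class UrlGroup:
    def __init__(self, urls):
        self.urls = list(urls)
        self._served = defaultdict(int)  # successful sends per priority, drives rotation

    def candidates(self, now):
        """Available URLs, highest priority first, rotated within each priority."""
        buckets = defaultdict(list)
        for u in self.urls:
            if u.unavailable_until <= now:
                buckets[u.priority].append(u)
        ordered = []
        for prio in sorted(buckets, reverse=True):
            bucket = buckets[prio]
            start = self._served[prio] % len(bucket)
            ordered.extend(bucket[start:] + bucket[:start])
        return ordered

    def send(self, now, connect):
        """Try candidates in order; connect(GroupUrl) returns a response or raises ConnectionError."""
        for u in self.candidates(now):
            try:
                response = connect(u)
            except ConnectionError:
                u.unavailable_until = now + u.retry_after  # honour Retry After
                continue
            self._served[u.priority] += 1
            return u.url, response
        raise ConnectionError("no GetAccess server in the group is available")


def make_group():
    """Constructed group matching the text: two High, one Medium, one Low."""
    return UrlGroup([
        GroupUrl("https://sts-a.example/", priority=3, retry_after=60),
        GroupUrl("https://sts-b.example/", priority=3, retry_after=60),
        GroupUrl("https://sts-m.example/", priority=2, retry_after=60),
        GroupUrl("https://sts-low.example/", priority=1, retry_after=60),
    ])


def simulate(down, times):
    """Send one request per timestamp; servers in 'down' refuse connections.
    Returns (URL that served each request, every URL that was attempted)."""
    group = make_group()
    attempted, served = [], []

    def connect(u):
        attempted.append(u.url)
        if u.url in down:
            raise ConnectionError(u.url)
        return "ok"

    for t in times:
        url, _ = group.send(float(t), connect)
        served.append(url)
    return served, attempted


if __name__ == "__main__":
    # Both High URLs down: every request is served by the Medium URL.
    print(simulate({"https://sts-a.example/", "https://sts-b.example/"}, [0, 1, 2])[0])
```

Running `simulate` with different `down` sets reproduces the behaviour the text describes: with all servers up, requests alternate between the two High URLs only; with both High URLs down they fall to the Medium URL; and a URL that failed is not contacted again until its Retry After period has passed, after which it is tried once more in its normal rotation slot.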