This section describes how the Enterprise Gateway should package the SAMLP
request before sending it to the SAML PDP.
You can configure a group of SAML PDPs that the Enterprise Gateway connects to in
round-robin fashion, so that a request is sent to another PDP in the group if
one or more of the PDPs are unavailable. This is known as a SAML PDP URL Set.
You can configure a SAML PDP URL Set on the External Connections tab in the
Policy Studio. Expand the URL Connection Sets node, right-click SAML PDP URL
Set, and select Add a URL Set. For more details, see the Configuring URL Groups
topic.
When you have configured a group of SAML PDPs to connect to, you can configure
the following general fields:
- SAML PDP URL Set: Select a previously configured SAML PDP URL Set from the
  drop-down list. You can configure a SAML PDP URL Set on the External
  Connections tab.
- SAML Version: Select the SAML version to use in the SAMLP request.
- Signing Key: If the SAMLP request is to be signed, click the Signing Key
  button, and select the appropriate signing key from the Certificate Store.
SAML Subject tab
The details specified on the SAML Subject tab describe the
subject of the SAML assertion. Complete the following
fields:
- Subject Attribute: Select the message attribute that contains the name of an
  authenticated user. By default, the authentication.subject.id message
  attribute is selected, which contains the username of the authenticated user.
- Subject Format: Select the format of the message attribute selected in the
  Subject Attribute field above. You do not need to select a format if the
  Subject Attribute field is set to authentication.subject.id.
Subject Confirmation tab
The settings on the Subject Confirmation tab determine
how the <SubjectConfirmation> block of the
SAML assertion is generated. When the assertion is consumed by a
downstream Web Service, the information contained in the
<SubjectConfirmation> block can be used
to authenticate the end-user that authenticated to the Enterprise Gateway,
or the issuer of the assertion, depending on what is configured.
The following is a typical <SubjectConfirmation> block:
  <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>
      urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
    </saml:ConfirmationMethod>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:X509Data>
        <dsig:X509SubjectName>CN=oracle</dsig:X509SubjectName>
        <dsig:X509Certificate>
          MIICmzCCAY ...... mB9CJEw4Q=
        </dsig:X509Certificate>
      </dsig:X509Data>
    </dsig:KeyInfo>
  </saml:SubjectConfirmation>
You must configure the following fields on the Subject
Confirmation tab:
- Method: The selected value determines the value of the <ConfirmationMethod>
  element. The following table shows the available methods, their meanings,
  and their respective values in the <ConfirmationMethod> element:

Method | Meaning | Value
Holder Of Key | Inserts a <SubjectConfirmation> into the SAMLP request. The <SubjectConfirmation> contains a <dsig:KeyInfo> section with the certificate of the user selected to sign the SAMLP request. The user selected to sign the SAMLP request must be the authenticated subject (authentication.subject.id). Select the Include Certificate option if the signer's certificate is to be included in the SubjectConfirmation block. Alternatively, select the Include Key Name option if only the key name is to be included. | urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
Bearer | Inserts a <SubjectConfirmation> into the SAMLP request. | urn:oasis:names:tc:SAML:1.0:cm:bearer
SAML Artifact | Inserts a <SubjectConfirmation> into the SAMLP request. | urn:oasis:names:tc:SAML:1.0:cm:artifact
Sender Vouches | Inserts a <SubjectConfirmation> into the SAMLP request. The SAMLP request must be signed by a user. | urn:oasis:names:tc:SAML:1.0:cm:bearer

  If the Method field is left blank, no <ConfirmationMethod> block is inserted
  into the assertion.
- Include Certificate: Select this option if you wish to include the SAML
  subject's certificate in the <KeyInfo> section of the <SubjectConfirmation>
  block.
- Include Key Name: Alternatively, if you do not want to include the
  certificate, you can select this option to only include the key name in the
  <KeyInfo> section.
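The following Python script is an added example, not code from the Enterprise Gateway documentation or product; it shows what a consumer of the assertion can check from the <SubjectConfirmation> block: it reads the <ConfirmationMethod> values listed in the table above and, for Holder Of Key, confirms that the identifier in <KeyInfo> (the X509SubjectName when Include Certificate is selected, the KeyName when Include Key Name is selected) matches the key that signed the SAMLP request. The sample blocks, signer names and the certificate placeholder are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "dsig": DSIG_NS}

# <ConfirmationMethod> values from the methods table on this page
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ARTIFACT = "urn:oasis:names:tc:SAML:1.0:cm:artifact"

def _block(method_uri, key_info=""):
    # Constructed sample <SubjectConfirmation>; key_info is optional inner XML
    return (f'<saml:SubjectConfirmation xmlns:saml="{SAML_NS}" xmlns:dsig="{DSIG_NS}">'
            f'<saml:ConfirmationMethod>{method_uri}</saml:ConfirmationMethod>'
            f'{key_info}</saml:SubjectConfirmation>')

# Holder Of Key with Include Certificate (certificate value is a placeholder)
HOK_CERT = _block(HOLDER_OF_KEY, "<dsig:KeyInfo><dsig:X509Data>"
                  "<dsig:X509SubjectName>CN=oracle</dsig:X509SubjectName>"
                  "<dsig:X509Certificate>PLACEHOLDER</dsig:X509Certificate>"
                  "</dsig:X509Data></dsig:KeyInfo>")
# Holder Of Key with Include Key Name only
HOK_NAME = _block(HOLDER_OF_KEY,
                  "<dsig:KeyInfo><dsig:KeyName>oracle</dsig:KeyName></dsig:KeyInfo>")
# Holder Of Key with no <KeyInfo> at all: nothing binds the presenter to a key
HOK_EMPTY = _block(HOLDER_OF_KEY)
BEARER_BLOCK = _block(BEARER)

def parse_confirmation(xml_text):
    """Return the method URI and every key identifier found under <KeyInfo>
    (X509SubjectName for Include Certificate, KeyName for Include Key Name)."""
    root = ET.fromstring(xml_text)
    method = (root.findtext("saml:ConfirmationMethod", "", NS) or "").strip()
    ids = [e.text.strip() for e in
           root.findall("dsig:KeyInfo/dsig:X509Data/dsig:X509SubjectName", NS)
           + root.findall("dsig:KeyInfo/dsig:KeyName", NS) if e.text]
    return method, ids

def check_confirmation(xml_text, signer_id):
    """Consumer-side decision. Holder Of Key only proves something when the key
    named in <KeyInfo> is the key that signed the SAMLP request, which this
    page requires to be the authenticated subject. Bearer and artifact carry
    no key binding and are accepted as-is; an unknown or empty method fails."""
    method, ids = parse_confirmation(xml_text)
    if method == HOLDER_OF_KEY:
        return signer_id in ids
    return method in (BEARER, ARTIFACT)
```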
- Resource: Enter the resource for which you want to obtain the authorization
  assertion. You should specify the resource as a URI (for example,
  http://www.oracle.com/TestService). The name of the resource is then
  included in the assertion.
- Evidence: The SAML Protocol stipulates that proof of identity in the form of
  a SAML authentication assertion must be presented to the SAML PDP as part of
  the SAMLP request. The Enterprise Gateway can either use an existing SAML
  authentication assertion that is already present in the message, or it can
  generate one based on the user that authenticated to it.

  Select the Use SAML Assertion in message option to include an existing
  assertion in the SAMLP request. Specify the actor/role of the WS-Security
  block where the assertion can be found in the SOAP Actor/Role field.

  Alternatively, select the Create SAML Assertion from authenticated client
  radio button to generate a new authentication assertion for inclusion in the
  SAMLP request. You can sign the newly generated assertion by selecting a key
  from the drop-down list, which shows all the keys from the Certificate Store.

  The specified Drift Time is subtracted from the time at which the Enterprise
  Gateway generates the authentication assertion. This is to account for any
  possible difference between the clocks of the machines hosting the SAML PDP
  and the Enterprise Gateway.