Overview
|
|
Entrust GetAccess provides Identity Management and access control
services for Web resources. It centrally manages access to Web
applications, enabling users to benefit from a single sign-on capability
when accessing the applications that they are authorized to use.
The Enterprise Gateway's GetAccess filter enables integration
with Entrust GetAccess. This filter can query GetAccess for
authorization information for a particular user for a given resource.
In other words, the Enterprise Gateway asks GetAccess to make the authorization
decision. If the user has been given authorization rights to the Web
Service, the request is allowed through to the Service. Otherwise,
the request is rejected.
|
GetAccess WS-Trust STS
|
|
This section configures how the Enterprise Gateway authenticates to the
GetAccess WS-Trust Security Token Service (STS). You can configure
the Enterprise Gateway to connect to a group of GetAccess STS servers in
a round-robin fashion. This provides the necessary failover capability
when one or more STS servers are not available.
Configure the following fields:
-
URL Group:
Select an STS URL group from the drop-down list. This group consists of a
number of GetAccess STS Servers to which the Enterprise Gateway round-robins
connection attempts. You can add URL groups on the External
Connections tab in Policy Studio. Expand the URL Connection
Sets node, right-click Entrust GetAccess URL Sets,
and select Add a URL Set. For more details on adding and editing
URL groups, see the Configuring URL Groups
topic.
-
Drift Time:
Having successfully authenticated to a GetAccess STS server, the STS
server issues a SAML authentication assertion and returns it to the
Enterprise Gateway. When checking the validity period of the assertion, the
specified Drift Time is used to account for a
possible difference between the time on the STS server and the time on
the machine hosting the Enterprise Gateway.
-
WS-Trust STS Attribute Field Name:
Specify the field name for the Id field in the WS-Trust
request. The default is Id.
|
GetAccess SAML PDP
|
|
When the Enterprise Gateway has successfully authenticated to a GetAccess STS
server, it can then obtain authorization information about the end-user
from the GetAccess SAML PDP. The authorization details are returned in a
SAML authorization assertion, which is then validated by the Enterprise Gateway
to determine whether the request should be denied.
Configure the following fields:
-
URL Group:
Select a SAML PDP URL group in the URL Group field.
This group consists of a number of GetAccess SAML PDP Servers on which
the Enterprise Gateway round-robins authorization requests. You can add URL
groups on the External Connections tab in Policy Studio.
Expand the URL Connection Sets node, right-click
Entrust GetAccess URL Sets, and select Add
a URL Set. For more details on adding and editing URL groups,
see the Configuring URL Groups
topic.
-
Drift Time:
The specified Drift Time is used to account
for the possible difference between the time on the GetAccess SAML
PDP and the time on the machine hosting the Enterprise Gateway. This comes
into effect when validating the SAML authorization assertion.
-
Resource:
This is the resource for which the client is requesting access.
You can enter a property representing a message attribute, which
is looked up and expanded to a value at runtime. Properties have the
following format:
${message.attribute}
For example, to specify the original path on which the request
was received by the Enterprise Gateway as the resource, enter the following
property:
${http.request.uri}
-
Actor/Role:
To add the SAML authorization assertion to the downstream
message, select a SOAP actor/role to indicate the WS-Security
block where the assertion is added. By leaving this field
blank, the assertion is not added to the message.
|
|