Overview
|
Entrust GetAccess provides Identity Management and access control
services for Web resources. It centrally manages access to Web
applications, enabling users to benefit from a single sign-on capability
when accessing the applications that they are authorized to use.
The Enterprise Gateway's GetAccess filter enables integration
with Entrust GetAccess. This filter can query GetAccess for
authorization information about a particular user for a given resource.
In other words, the Enterprise Gateway delegates the authorization
decision to GetAccess: if the user has been granted access rights to the
Web Service, the request is passed through to the Service; otherwise
the request is rejected.
|
GetAccess WS-Trust STS
|
This section configures how the Enterprise Gateway authenticates to the
GetAccess WS-Trust Security Token Service (STS). You can configure
the Enterprise Gateway to connect to a group of GetAccess STS servers in
a round-robin fashion. This provides the necessary failover capability
when one or more STS servers are not available.
Configure the following fields:
-
URL Group:
Click the button on the right, and select an STS URL group in the tree.
This group consists of a number of GetAccess STS Servers to which the
Enterprise Gateway round-robins connection attempts. To add a URL group,
right-click the Entrust GetAccess URL Sets node,
and select Add a URL Set. Alternatively, you can
configure a URL Connection Set under the External Connections
node in the Policy Studio tree. For more details, see the topic on
Configuring URL Groups.
-
Drift Time:
Having successfully authenticated to a GetAccess STS server, the
Enterprise Gateway receives a SAML authentication assertion issued by the
STS. When checking the validity period of the assertion, the specified
Drift Time is used to account for a possible difference between the
clock on the STS server and the clock on the machine hosting the
Enterprise Gateway. Note that the drift time widens the window in which
an assertion is accepted at both ends (it is also applied to the
assertion's expiry), so keep it to a small number of seconds and fix
persistent clock differences at the source (for example, by synchronizing
both machines to the same time source) rather than by increasing this value.
-
WS-Trust STS Attribute Field Name:
Specify the name of the Id field in the WS-Trust
request. The default is Id.
|
GetAccess SAML PDP
|
When the Enterprise Gateway has successfully authenticated to a GetAccess STS
server, it can then obtain authorization information about the end-user
from the GetAccess SAML PDP. The authorization details are returned in a
SAML authorization assertion, which the Enterprise Gateway validates
(including its validity period and its authorization decision) to
determine whether the request is allowed through or denied.
Configure the following fields:
-
URL Group:
Click the button on the right, and select a SAML PDP URL group in the
tree. This group consists of a number of GetAccess SAML PDP Servers to
which the Enterprise Gateway round-robins connection attempts. To add a URL
group, right-click the Entrust GetAccess URL Sets node,
and select Add a URL Set. Alternatively, you can
configure a URL Connection Set under the External Connections
node in the Policy Studio tree. For more details, see the topic on
Configuring URL Groups.
-
Drift Time:
The specified Drift Time is used to account
for the possible difference between the clock on the GetAccess SAML
PDP and the clock on the machine hosting the Enterprise Gateway. It comes
into effect when validating the validity period of the SAML authorization
assertion. As with the STS drift time, keep this value small: it extends
the period during which an authorization decision is accepted as current.
-
Resource:
This is the resource for which the client is requesting access, and it
is the value on which the GetAccess SAML PDP bases its authorization
decision. You can enter a property representing a message attribute,
which is looked up and expanded to a value at runtime. Properties have the
following format:
${message.attribute}
For example, to specify the original path on which the request
was received by the Enterprise Gateway as the resource, enter the following
property:
${http.request.uri}
Because the expanded value is derived from the client's request, make
sure it identifies the protected resource unambiguously: the PDP can only
authorize the resource string it is asked about.
-
Actor/Role:
To add the SAML authorization assertion to the downstream
message, select a SOAP actor/role to indicate the WS-Security
block in which the assertion is added. If you leave this field
blank, the assertion is not added to the message.
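The two Drift Time settings above and the Resource setting all feed into the same check: is the assertion returned by GetAccess still within its validity period, and does it carry a Permit decision for the resource the client asked for? The following added example (not Enterprise Gateway or GetAccess code) shows that logic in isolation. It assumes a SAML 1.1-style assertion with a Conditions element and AuthorizationDecisionStatement elements, exact matching of the Resource value, and leaves XML signature verification out of scope (in practice that check runs before any of this). The assertion XML is a constructed sample, and the function and helper names are ours.

```python
"""Added example: validating a SAML authorization assertion with a drift-time
tolerance. Not code from the Enterprise Gateway or from GetAccess; the
element layout, namespace and sample values are assumptions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample, shaped like a SAML 1.1 authorization assertion a PDP
# might return (assumed layout; the values are made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_sample-1"
    Issuer="pdp.example.test" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthorizationDecisionStatement Resource="/services/orders" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
  <saml:AuthorizationDecisionStatement Resource="/services/admin" Decision="Deny">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>
"""


def utc(*parts):
    """Build a timezone-aware UTC datetime from (year, month, day, h, m, s)."""
    return datetime(*parts, tzinfo=timezone.utc)


def parse_utc(ts):
    """Parse a SAML xsd:dateTime in UTC ('Z' suffix), with or without fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported timestamp: %r" % ts)


def within_validity(not_before, not_on_or_after, now, drift):
    """Conditions check with the drift applied to both edges of the window.

    NotBefore is inclusive and NotOnOrAfter is exclusive (SAML semantics).
    The drift widens the accepted window in both directions, which is why a
    large drift time is a security cost and not just a convenience.
    """
    return (not_before - drift) <= now < (not_on_or_after + drift)


def evaluate_assertion(xml_text, resource, now, drift_seconds=0):
    """Return (allowed, reason). Anything missing or unexpected fails closed."""
    drift = timedelta(seconds=drift_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "not a SAML assertion"

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing validity period"
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    if not within_validity(not_before, not_on_or_after, now, drift):
        return False, "assertion outside validity period"

    # Exact resource match is an assumption of this example.
    decisions = [s.get("Decision")
                 for s in root.findall("saml:AuthorizationDecisionStatement", SAML_NS)
                 if s.get("Resource") == resource]
    if not decisions:
        return False, "no decision for resource %s" % resource
    if all(d == "Permit" for d in decisions):
        return True, "permit"
    return False, "decision for %s: %s" % (resource, ",".join(decisions))


if __name__ == "__main__":
    # Gateway clock 30 s ahead of the PDP: the assertion already looks expired
    # at 12:05:00 unless a drift time covers the difference.
    print(evaluate_assertion(SAMPLE_ASSERTION, "/services/orders", utc(2024, 1, 1, 12, 5, 0)))
    print(evaluate_assertion(SAMPLE_ASSERTION, "/services/orders", utc(2024, 1, 1, 12, 5, 0), 30))
    print(evaluate_assertion(SAMPLE_ASSERTION, "/services/admin", utc(2024, 1, 1, 12, 2, 0)))
```

The `__main__` block walks through the skew case the Drift Time fields exist for: the same assertion is rejected at exactly its NotOnOrAfter instant with no drift and accepted once a 30-second drift is configured. Note that a resource for which the assertion carries no statement at all is denied, not treated as unknown; an authorization filter should fail closed.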