Just wondering if anyone has used SAML 2.0 authentication scheme?
In my scenario, SM is the SP and I have a legacy application that now needs to authenticate against a cloud IDP.
So I have, say, /context/app1.jsp protected using a form auth scheme now.
I wanted to ask if I can switch this from the form auth scheme to a SAML 2.0 auth scheme? Will this initiate a SAMLRequest and, after IDP SAMLResponse processing, will it redirect to /context/app1.jsp?
Yes, you can switch from the form auth scheme to a SAML auth scheme. Once you initiate the SP-side transaction, the SP will send a SAML request to the IDP and get the SAML response back. Once it consumes the SAML, it creates an SMSESSION for the SP domain and redirects to the target which you mention in the SAML auth scheme.
Please make sure to mention where you want to redirect under the SAML auth scheme (/context/app1.jsp).
Also please refer to this link for more details.
Configure a SAML 2.0 Service Provider - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
I've already configured it as an SP and the partnership via the CA Access Gateway.
So when I go to set up the SAML 2.0 authentication scheme, is there a way to just point to the existing partnership?
Or do I need to set up the whole partnership again in the authentication scheme? The documentation on how to set up a SAML 2.0 authentication scheme doesn't seem to exist!
I believe you are using Legacy Federation (not the Partnership Model). You would need to create an Authentication scheme and select the SAML template, and after that you need to complete the SAML configuration.
Please refer to the link below for creating a SAML Auth scheme.
Oh. Actually, I have partnership federation established. I don't have legacy federation.
So the SAML 2.0 auth scheme can be used only in legacy federation scenarios?
My requirement is that I have several realms that I need to authenticate by sending the user to an IDP. How would I do that using partnership federation?
I don't want to create a new partnership for each realm obviously because that'd become impossible to maintain.
The ideal scenario is this:
1. User accesses resource in realm
2. User is redirected to IDP with relay state as the resource in realm
3. User is authenticated by IDP
4. SM reads the SAML response and disambiguates the user
5. Creates an SMSESSION for the user and redirects the user to the RelayState URL (assuming I have "RelayState overrides target" set in the partnership)
In this case, how would I protect the realm so that if the user goes to that realm, SP-initiated federation is initiated?
Sharan --> Yes, SAML Auth is only for Legacy Federation.
You don't have to protect your realm here. You would need to initiate the SP-initiated journey with the below URL.
So when you hit the above URL, it will create a SAML Request and send it to the IDP. Once the IDP authenticates the user and posts the SAML response back to the SP, the SP will consume (validate) it, create the SMSESSION for the SP domain and finally redirect to the target which is mentioned in the relay state (please make sure to select the "override target with RelayState" option in the partnership).
And if you still want to protect the realm, then you would need to protect it with some other auth scheme. So when the final redirection happens from federation, again it will validate the SMSESSION with the protecting agent and authorize the user. This is an optional step for you and provides more security.
The concept of the Partnership Model is to disconnect and project Federation as a standalone SAML endpoint. Once SAML-based SSO is complete, the end result is an SMSESSION i.e.
Hope this layman explanation helps!
I guess I was trying to see if I can switch from a login.fcc to a remote IDP easily.
If my users have bookmarked the resource URL, then if they go there, they'll get the login.fcc even after I set up the federation partnership.
Only if they go to the SP-initiated request URL will they be taken to the federated flow. Correct?
I guess I'll have to write a simple page (which an authentication scheme will redirect to instead of the fcc) that identifies the target URL and does a redirection to the Federation Flow. Or maybe from Apache rewrite rules. Any other suggestions?
Here's a trick for you.
Create a new HTML forms Authentication Scheme and put the URL as http://www.spdemo.com:port/affwebservices/public/saml2authnrequest?ProviderID=IDP_ID&RelayState=http://www.spdemo.com/apps/index.jsp
Then associate the Auth Scheme with your Realm. See how this trick works for you.
Thank you. I'll probably go with a custom server side JSP I guess for this.
The reason is that the realm value may be dynamic... say I protect /application*. So if the user clicks on something from an email I need to be able to redirect him back to the link he clicked.
So the auth scheme will redirect to a JSP, which will deconstruct the TARGET, set it as the RelayState and do a redirect to the SP-initiated URL.
Do let me know if you see problems with this approach.
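The redirect logic that custom page would need, written here as an added Python example (not code from the thread or from the CA product): it unwraps the TARGET value the auth scheme passes along, refuses any destination that would turn the RelayState into an open redirect, and builds the SP-initiated URL in the form shown earlier in the thread. The SP host, ProviderID, allowed target hosts, fallback page and the "-SM-" prefix handling are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, unquote

# Assumed values (constructed for this example; substitute your own SP host and IdP ID).
SP_HOST = "www.spdemo.com"
SP_INIT_PATH = "/affwebservices/public/saml2authnrequest"
PROVIDER_ID = "IDP_ID"
ALLOWED_TARGET_HOSTS = {"www.spdemo.com"}   # hosts a RelayState may point back to
FALLBACK_TARGET = "/apps/index.jsp"          # used when TARGET is missing or unsafe


def normalize_target(raw_target: str) -> str:
    """Undo URL encoding and strip the '-SM-' prefix SiteMinder commonly puts on TARGET.
    (The prefix convention is an assumption here; adjust if your deployment encodes differently.)"""
    target = unquote(raw_target or "")
    if target.startswith("-SM-"):
        target = target[len("-SM-"):]
    return target


def is_safe_target(target: str) -> bool:
    """Allow only site-relative paths or absolute http(s) URLs on an allow-listed SP host.
    Protocol-relative ('//evil'), javascript:, and foreign hosts are rejected so the
    RelayState cannot be used to bounce a user to an attacker-chosen site after login."""
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_TARGET_HOSTS


def build_sp_initiated_url(raw_target: str) -> str:
    """Return the SP-initiated SSO URL whose RelayState carries the originally requested resource."""
    target = normalize_target(raw_target)
    if not is_safe_target(target):
        target = FALLBACK_TARGET          # never echo an untrusted destination
    if target.startswith("/"):
        # RelayState should be absolute so the partnership's "override target" lands on the SP.
        target = urlunsplit(("https", SP_HOST, target, "", ""))
    query = urlencode({"ProviderID": PROVIDER_ID, "RelayState": target})
    return urlunsplit(("https", SP_HOST, SP_INIT_PATH, query, ""))


if __name__ == "__main__":
    # Constructed TARGET values as the auth scheme would hand them to the page.
    for raw in ("-SM-http%3a%2f%2fwww.spdemo.com%2fapps%2findex.jsp",
                "/application/orders?id=42",
                "http://evil.example/phish",
                "//evil.example/x"):
        print(raw, "->", build_sp_initiated_url(raw))
```

The page itself would then issue a 302 to the returned URL; the same allow-list should be applied wherever the RelayState is consumed, since the IDP echoes it back unchanged.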
Sounds good to me. Thank You!