Symantec Access Management


Anyone used SAML 2.0 Authentication Scheme?

  • 1.  Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 27, 2017 10:34 PM

    Hi,

    Just wondering if anyone has used SAML 2.0 authentication scheme?

     

    In my scenario, SM is the SP and I have legacy application that now needs to authenticate against a cloud IDP.

     

    so I have say /context/app1.jsp protected using a form auth scheme now.

     

    I wanted to ask if I can switch this from form auth scheme to SAML 2.0 auth scheme? will this initiate a SAMLRequest and after IDP SAMLResponse processing, will it redirect to /context/app1.jsp ?

     

    Regards,

    Anand.



  • 2.  Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 30, 2017 05:07 AM

    Hi Anand,

     

    Yes, you can switch from a form auth scheme to a SAML auth scheme. Once you initiate an SP-side transaction, the SP will send a SAML request to the IDP and get the SAML response back. Once it consumes the SAML response, it creates an SMSESSION for the SP domain and redirects to the target that you mention in the SAML auth scheme.

     

    Please make sure to mention where you want to redirect under saml auth scheme ( /context/app1.jsp ).

    Also please refer this link for more details.

    Configure a SAML 2.0 Service Provider - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Thanks,
    Sharan



  • 3.  Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 30, 2017 09:38 AM

    Thanks, Sharan.

     

    I've already done configuring it as a SP and the partnership via the CA Access gateway.

     

    So when I go to set up the SAML 2.0 authentication scheme, is there a way to just point to the existing partnership?

     

    Or do I need to set up the whole partnership again in the authentication scheme? The documentation on how to set up a SAML 2.0 authentication scheme doesn't seem to exist!


    Regards,

    Anand.



  • 4.  Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 30, 2017 09:43 AM

    Hi Anand,

     

    I believe you are using Legacy Federation (not the Partnership Model). You would need to create an authentication scheme, select the SAML template, and after that complete the SAML configuration.

     

    Please refer below link for creating SAML Auth scheme.

    Configure a SAML 2.0 Service Provider - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Thanks,
    Sharan



  • 5.  Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 30, 2017 09:50 AM

    Oh. Actually I have partnership federation established. I don't have legacy federation

     

    So the SAML 2.0 auth scheme can be used only in legacy federation scenarios?

     

    My requirement is that I have several realms that I need to authenticate by sending the user to an IDP. How would I do that using partnership federation?

     

    I don't want to create a new partnership for each realm obviously because that'd become impossible to maintain. 

     

    Ideal scenario is this.

     

    1. User accesses resource in realm

    2. User is redirected to IDP with relay state as the resource in realm

    3. User is authenticated by IDP

    4. SM reads the SAML response and disambiguates the user

    5. Creates a SMSESSION for the user and redirects the user to the RelayState URL (assuming I have relaystate overrides target set in the partnership)

     

    In this case,

     

    How would I protect the realm so that if the user goes to that realm, SP initiated federation is initiated?

     

    Regards,

    Anand.



  • 6.  Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 30, 2017 10:23 AM

    Hi Anand,

     

    So the SAML 2.0 auth scheme can be used only in legacy federation scenarios?

    Sharan --> Yes, SAML Auth is only for Legacy Federation.

     

    You don't have to protect your realm here. You would need to initiate the SP-initiated journey with the below URL.

    http://www.spdemo.com:port/affwebservices/public/saml2authnrequest?ProviderID=IDP_ID&RelayState=http://www.spdemo.com/apps/index.jsp

     

    So when you hit the above URL, it will create a SAML request and send it to the IDP. Once the IDP authenticates the user and posts the SAML response back to the SP, the SP will consume (validate) it, create the SMSESSION for the SP domain and finally redirect to the target mentioned in the RelayState (please make sure to select the "override target with RelayState" option in the partnership).

     

    And if you still want to protect the realm, then you would need to protect it with some other auth scheme. So when the final redirection happens from federation, it will again validate the SMSESSION with the protecting agent and authorize the user. This is an optional step for you and provides more security.

     

    Thanks,

    Sharan



  • 7.  Re: Anyone used SAML 2.0 Authentication Scheme?
    Best Answer

    Posted Oct 30, 2017 10:38 AM

    The concept of the Partnership Model is to disconnect and project Federation as a standalone SAML endpoint. Once SAML-based SSO is complete, the end result is an SMSESSION, i.e.

    • SAML Assertion was consumed by CA SSO acting as SP. 
    • After successful disambiguation of the User Identity within SAML Assertion, a SMSESSION is generated by the Partnership / WAOP code.
    • Thereafter the request is redirected either to the TARGET defined within the Partnership OR based on RelayState (if RelayState Overrides Target is selected).
    • How we protect the TARGET is not defined within the Partnership OR is not in scope of the Partnership.
    • The TARGET can be protected using a Standard Realm and OOB (any Auth scheme).
    • If a valid SMSESSION exists (for the Authentication Level and User Directory associated with SMSESSION i.e. aligned in Partnership / Policy Domain / Auth Scheme protecting Realm), then the SMSESSION generated from Partnership, will be used to Single Sign On into the Policy Domain.

     

    Hope this layman's explanation helps!



  • 8.  Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 30, 2017 10:45 AM

    Thank you.

    I guess I was trying to see if I can switch from a login.fcc to a remote IDP easily.

     

    If my users have bookmarked the resource URL, then if they go there, they'll get the login.fcc even after I set up the federation partnership.

     

    Only if they go to the SP-initiated request URL will they be taken to the federated flow. Correct?

     

    I guess I'll have to write a simple page (which an authentication scheme will redirect to instead of the fcc) that identifies the target URL and does a redirection to the federation flow. Or maybe from Apache rewrite rules. Any other suggestions?

     

    Regards,

    Anand.



  • 9.  Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 30, 2017 10:50 AM

    Here's a trick for you.

     

    Create a new HTML forms Authentication Scheme and put the URL as http://www.spdemo.com:port/affwebservices/public/saml2authnrequest?ProviderID=IDP_ID&RelayState=http://www.spdemo.com/apps/index.jsp

     

    Then associate the auth scheme with your realm. See how this trick works for you.



  • 10.  Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 30, 2017 11:03 AM

    Thank you. I'll probably go with a custom server-side JSP, I guess, for this.

     

    The reason is that the realm value may be dynamic... say I protect /application*. So if the user clicks on something from an email, I need to be able to redirect him back to the link he clicked.

     

    So the auth scheme will redirect to a JSP, which will deconstruct the TARGET, set it as the RelayState and do a redirect to the SP-initiated URL.

     

    Do let me know if you see problems with this approach.


    Regards,

    Anand.



  • 11.  Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Oct 30, 2017 11:34 AM

    Sounds good to me. Thank You!



  • 12.  RE: Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Jan 06, 2020 09:44 AM
    @Legacy User When you state "put the URL as the federation URL in the auth scheme", are you speaking of creating the new auth scheme policy object or changing some code in the FCC file itself? I am facing a similar use case where an application is protected by IWA and due to business needs we need to perform an IDP-initiated URL to a 3rd-party vendor. The app URL is bookmarked and known to the user, so introducing a new URL that must be typed in is not acceptable.

    Thanks


  • 13.  RE: Re: Anyone used SAML 2.0 Authentication Scheme?

    Posted Jan 08, 2020 07:39 AM
    Edited by Kaladhar Brahmanapally Jan 08, 2020 07:42 AM
    Jack,
    Hubert didn't mean to put the federation URL in the auth scheme. What he meant was to create a new HTML auth scheme with a simple HTML file which has some client-side JavaScript to grab the TARGET query param on the URL generated by SiteMinder. You can also create server-side logic (JSP/ASP etc.) to do the same, like Anand mentioned in his post. You will need to perform the SiteMinder decoding (you can get the script for it if you search the community; a few things in that script should be changed for encoding, but that's a different topic) and resubmit (POST)/redirect (GET) the request to the SP-initiated URL with RelayState set to the app URL grabbed from TARGET. You can tweak the partnership config with the "RelayState overrides the target" option to redirect to the appropriate URL.

    FYI, Hubert is no longer with Broadcom.
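The redirect page that Anand (post 10) and Kaladhar (post 13) describe, as an added example that is not code from the thread or from CA/Broadcom: it reads the TARGET query parameter SiteMinder appends when it redirects to the HTML forms auth scheme page, checks that the target is on an allow-listed host before using it (an unchecked TARGET copied into RelayState is an open redirect), and builds the SP-initiated saml2authnrequest URL. The endpoint port, ProviderID, allowed host and the "-SM-" prefix handling are assumptions; the SiteMinder-specific decoding the post mentions is not reproduced here and would replace the simple prefix strip.

```javascript
// Added example: turn SiteMinder's TARGET into a validated RelayState on the
// SP-initiated URL. Placeholders (assumed, not from the thread): port 8080,
// ProviderID "IDP_ID", allowed host "www.spdemo.com".
const SP_INITIATED_URL = "http://www.spdemo.com:8080/affwebservices/public/saml2authnrequest";
const PROVIDER_ID = "IDP_ID";
const ALLOWED_HOSTS = new Set(["www.spdemo.com"]);
const FALLBACK_TARGET = "http://www.spdemo.com/apps/index.jsp";

// Pull TARGET out of the URL the browser landed on. URLSearchParams already
// percent-decodes once, so the value is not decoded a second time.
// Assumption: a leading "-SM-" marker is stripped; real SiteMinder decoding
// (community script) would go here instead.
function extractTarget(authSchemeUrl) {
  const raw = new URL(authSchemeUrl).searchParams.get("TARGET");
  if (raw === null) return null;
  return raw.startsWith("-SM-") ? raw.slice(4) : raw;
}

// Accept only absolute http(s) URLs whose host is on the allow list, so a
// crafted TARGET cannot bounce the user to an arbitrary site after login.
function isAllowedTarget(target) {
  let u;
  try { u = new URL(target); } catch (e) { return false; }
  return (u.protocol === "http:" || u.protocol === "https:") && ALLOWED_HOSTS.has(u.hostname);
}

// Build the SP-initiated URL; fall back to a fixed landing page when TARGET
// is missing or fails validation.
function buildSpInitiatedUrl(authSchemeUrl) {
  const target = extractTarget(authSchemeUrl);
  const relayState = target !== null && isAllowedTarget(target) ? target : FALLBACK_TARGET;
  const u = new URL(SP_INITIATED_URL);
  u.searchParams.set("ProviderID", PROVIDER_ID);
  u.searchParams.set("RelayState", relayState);
  return u.toString();
}

// In the page served by the HTML forms auth scheme the redirect would be:
// window.location.replace(buildSpInitiatedUrl(window.location.href));
```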