1.2 Understanding Federated Single Sign-On with SAML 2.0

To understand the federated single sign-on process with Access Manager Appliance, you must understand SAML 2.0. If you do not have a good understanding of SAML 2.0, proceed to Section 1.2.1, Understanding SAML 2.0. If you understand SAML 2.0, proceed to Section 1.2.2, Understanding the SAML 2.0 Federated Single Sign-On Processes with Access Manager Appliance.

1.2.1 Understanding SAML 2.0

SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. For more information, see Security Assertion Markup Language (SAML) V2.0 Technical Overview.

SAML 2.0 creates a two-way agreement between two vendors asserting that the information provided is valid. It provides a standard framework for sharing this information, so you do not need to recreate the configuration for every vendor with which you want to share information.

To use the SAML 2.0 connectors provided for Access Manager Appliance, you must understand the basic concepts and components of SAML 2.0.

SAML 2.0 defines each of the components using the XML schema. You must be able to read and format documents in XML to use SAML 2.0 connectors.

XML-based framework: You must understand the XML format, structure, elements, and how it defines rules for encoding documents. For more information, see Introduction to XML on the www.w3schools.com website.

Assertion: SAML assertions define the syntax for creating XML-encoded assertions to describe authentication, attribute, and authorization information for an entity. The SAML 2.0 connectors help create the assertions for Access Manager Appliance and the federation applications.

Attributes: LDAP attributes passed between two entities, in this case between Access Manager Appliance and the connected federation applications.

Metadata: Metadata defines how SAML 2.0 shares configuration information between two communicating entities. You must be able to access and share the Access Manager Appliance metadata information with the federated application. You must also be able to access and share the federated application metadata with Access Manager Appliance.

Protocols: SAML 2.0 supports HTTP, HTTPS, and SOAP protocols. The SAML 2.0 connectors use HTTPS to establish a secure connection between Access Manager Appliance and the federated applications. To establish the secure HTTPS connection, you must obtain the certificate from the metadata of Access Manager Appliance and the application. Each side then uses the other side’s certificate to create the secure connection.
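As an added example (not part of this documentation or the product), the following Python parses a constructed identity-provider metadata document the way a service provider would when it imports Access Manager Appliance metadata: it checks the entityID, takes the SHA-256 fingerprint of each signing certificate for out-of-band comparison, and rejects SSO endpoints that are not HTTPS. The entityID, URLs and certificate bytes are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata; the certificate bytes are a placeholder,
# not a real DER certificate, so only its fingerprint is meaningful here.
PLACEHOLDER_CERT_DER = b"PLACEHOLDER-DER-CERT-BYTES"
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT_B64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("CERT_B64", base64.b64encode(PLACEHOLDER_CERT_DER).decode())

def parse_idp_metadata(xml_text, expected_entity_id):
    """Extract what an SP must pin from IdP metadata: entityID, signing-cert
    fingerprints and HTTPS SSO endpoints. Raises ValueError on anything odd."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        raise ValueError(f"metadata is for {entity_id!r}, not the expected IdP")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))  # strip PEM-style line wrapping
        fingerprints.append(hashlib.sha256(der).hexdigest())
    endpoints = {}
    for ep in idp.findall("md:SingleSignOnService", NS):
        binding, location = ep.get("Binding", "").rsplit(":", 1)[-1], ep.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError(f"{binding} SSO endpoint is not HTTPS: {location}")
        endpoints[binding] = location
    if not fingerprints or not endpoints:
        raise ValueError("metadata lacks a signing certificate or an SSO endpoint")
    return {"entity_id": entity_id, "signing_cert_sha256": fingerprints, "sso": endpoints}
```

Compare the returned fingerprints against the value the other party gives you over a separate channel before trusting the metadata.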

1.2.2 Understanding the SAML 2.0 Federated Single Sign-On Processes with Access Manager Appliance

Federated single sign-on relies on a trust relationship between an identity provider and a service provider to give users access to web services or applications. Access Manager Appliance uses SAML 2.0 to create federated connections to web services and applications. The web services and applications are service providers and Access Manager Appliance is the identity provider.

SAML 2.0 is an open standard for federation that provides a vendor-neutral means of exchanging user identity, authentication, attribute information, and authorization information. SAML 2.0 defines the structure and content of assertions and protocol messages used to transfer this information between Access Manager Appliance and the web services or applications (service providers). For more information about SAML 2.0, see Section 1.2.1, Understanding SAML 2.0.

Using a SAML 2.0 connection, the service provider (web services and applications) trusts the identity provider (Access Manager Appliance) to validate the user’s authentication credentials and to send identity information about the authenticated user. The service provider accepts the data and uses it to give the user access to the web service or application. This data exchange is transparent for the user. It allows the user to access the web service or application without providing additional credentials.

Figure 1-2 illustrates how SAML 2.0 single sign-on authentication works with Access Manager Appliance:

Figure 1-2 Access Manager Appliance Single Sign-On with SAML 2.0

  1. The user Steve Smith authenticates to the corporate identity server (Access Manager Appliance) with his corporate user name and password.

  2. Access Manager Appliance authenticates Steve against the user name steve s. and associated password in the user store.

  3. Steve accesses the User Portal page with an appmark to the 401k application that he is entitled to use.

  4. When Steve clicks the 401k appmark, Access Manager Appliance produces an authentication assertion or token for the 401k application (service provider) that contains the identity attributes needed for authentication.

  5. The 401k application (service provider) consumes the assertion or token to establish a security context for the user with Access Manager Appliance (identity provider).

  6. The 401k application uses the assertion or token to validate that steve s. is ssmith_01 and authorizes the authentication (resource request).

  7. The 401k application (service provider) establishes a session with Steve.

    Through this process, Steve entered his user name and password once for the corporate identity server.
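The checks the 401k application (service provider) performs in steps 5 and 6 before establishing a session, as an added Python example that is not code from this documentation or the product. The issuer, audience, endpoint URLs and the assertion itself are constructed placeholders, and XML signature verification with the certificate from the identity provider's metadata is assumed to have been done already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample bearer assertion for the 401k example; all values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
 <saml:Issuer>https://idp.example.com/saml2/metadata</saml:Issuer>
 <saml:Subject><saml:NameID>ssmith_01</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://401k.example.net/saml/acs"
     NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://401k.example.net</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="cn">
  <saml:AttributeValue>steve s.</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, trusted_issuer, sp_entity_id, acs_url, now):
    """Service-provider checks before a session is established; raises ValueError."""
    # Assumed precondition: the caller already verified the XML signature with
    # the identity provider's metadata certificate. Nothing below is trustworthy otherwise.
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML['saml']}}}Assertion" or a.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    if a.findtext("saml:Issuer", namespaces=SAML) != trusted_issuer:
        raise ValueError("issuer is not the trusted identity provider")
    cond = a.find("saml:Conditions", SAML)
    if cond is None or not (parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", SAML)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML)
    if scd is None or scd.get("Recipient") != acs_url or now >= parse_saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation does not match this endpoint or has expired")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=SAML)  # the SP-side identity
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", SAML)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", SAML)}
    return {"name_id": name_id, "attributes": attrs}
```

A production service provider also records the assertion ID and rejects a repeat within the validity window, so the same bearer assertion cannot open two sessions.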

In the past, Access Manager Appliance allowed you to configure federated authentication using SAML 2.0 to internal and external identity providers, service providers, and embedded service providers (ESPs). Access Manager Appliance now provides a simpler means of creating the SAML 2.0 federation for single sign-on by providing connectors for specific applications. When you use the connectors, Access Manager Appliance automatically creates an appmark for the web service or application and places the appmark on the User Portal page for users to access. You can limit access to the SAML 2.0 web service or application by using role assignments configured on the Applications page. You can limit visibility of the SAML 2.0 appmarks on the User Portal page by using role assignments configured on the appmarks.

Access Manager Appliance allows you to convert the existing SAML 2.0 service providers to applications that you can manage from the Applications page. The main benefit of conversion is to add the ability to configure access control to the application using roles. For more information, see Section 4.3, Converting SAML 2.0 Service Providers in to a SAML 2.0 Application.

Access Manager Appliance provides a set of connectors for SAML 2.0 applications that you can import from the Applications Connector Catalog or from a file you save from the Applications Connector Catalog. Use the following chapters as appropriate to configure a SAML 2.0 connector: