As you explore the features of the Access Connector Toolkit, refer to the definitions in this section to understand the type of information you will need to collect from the destination web service or application.
A SAML 2.0 assertion is a package of identity attributes for an authenticated user that is sent from the trusted identity provider to the service provider.
The properties of the assertion include the following information:
The recipient of the assertion.
The LDAP identity attribute to use when federating users with the destination application service provider. Does the NameID require an email address format, or does it require an unspecified format?
The URL where CloudAccess should redirect the end user’s session after the user logs in successfully with the URL provided on the connector configuration page.
The binding method to use for identity information sent to the destination provider. For SAML 2.0, the only supported binding method is POST.
The service provider should supply a technical document that describes the attributes required in an assertion, such as the user’s name or email address. It can also list the attributes required to assign roles. The SAML assertion typically requires the nameID attribute. You must map the SAML assertion attributes to the matching attributes in your identity source.
The entityID is a field from the metadata that uniquely identifies that particular service provider, such as sp_domain_name.
For example:
google.com
The entity ID might use information from the federation instructions, or from a setting completed on the Configuration page when you deploy the connector.
The federation instructions provide the information that you will use to configure federation for CloudAccess on the service provider site. The information identifies where on the service provider’s site to find the federation configuration capability as well as the field values and other guidance that you need to complete the required information.
When you configure the connector, the federation instructions will automatically provide the following information about your appliance as the identity provider:
The URL for single sign-on
https://appliance_dns_name/osp/a/t1/auth/saml2/sso
The URL for single logout
https://appliance_dns_name/osp/a/t1/auth/app/logout
The URL for the identity provider’s entityID
https://appliance_dns_name/osp/a/t1/auth/saml2/metadata
The X.509 signing certificate for the appliance
The web service or application uses the certificate to set the trust relationship with CloudAccess.
NOTE: When you copy the appliance’s signing certificate, ensure that you include all leading and trailing hyphens in the certificate’s Begin and End tags.
The federation instructions also provide the following information about your appliance if the login is initiated by the service provider, such as for connectors that use the WS-Federation protocol:
The WS-Federation Passive URL
The X.509 signing certificate for the appliance
The metadata is the configuration information that the application service provider uses to establish communications with the identity provider in a federation trust relationship. This usually includes a login URL or a customer-specific domain name, which is called the Assertion Consumer Service URL. Service providers either let you export the required metadata to an XML file or publish the metadata at a public URL. The auto-generated metadata file from the service provider will not work as is: you must manually change the values to match your actual deployment environment.
The metadata usually includes the following information:
The entityID for the service provider.
The URL that receives the user identity information.
For SAML 2.0, the Assertion Consumer Service URL is where the assertion is posted by the browser. For example:
https://www.google.com/a/${customer-domain}/acs
For WS-Federation, the Login URL is where the security token is posted by the browser. It corresponds to the PassiveRequestorEndpoint field from the metadata.
For SAML2 In, the Single Sign-on Service URL is where the AuthnRequest will be posted. It corresponds to the SingleSignOnService field with a Post binding from the metadata.
https://accessmanager.base.url/nidp/saml2/sso
The logout URL corresponds to the SingleLogoutService field from the metadata.
The logout URL Binding (HTTP Post or Redirect)
The logout response URL
The X.509 signing certificate
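The values listed above are the ones you pull out of the service provider’s metadata XML. The following Python script is an added example (not part of the Access Connector Toolkit or CloudAccess) that extracts the entityID, the HTTP-POST Assertion Consumer Service URL, the SingleLogoutService URL and binding, the NameID format and the signing certificate from such a file; the embedded metadata document is constructed with placeholder values and is not from a real provider. It also flags an unresolved `${customer-domain}` token in the ACS URL, since exported metadata must be edited before use.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata (placeholder values, not a real provider).
SAMPLE_SP_METADATA = """<md:EntityDescriptor entityID="sp_domain_name"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://sp.example.com/slo"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Location="https://www.example.com/a/${customer-domain}/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the values the connector needs, or raise if a required one is missing."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    # CloudAccess only sends the assertion with the POST binding, so pick that ACS.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST]
    if not acs:
        raise ValueError("service provider offers no HTTP-POST AssertionConsumerService")
    acs_url = acs[0].get("Location")
    slo = sp.find("md:SingleLogoutService", NS)
    nid = sp.find("md:NameIDFormat", NS)
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entityID": root.get("entityID"),
        "acs_url": acs_url,
        # Exported metadata often keeps a customer placeholder; flag it for editing.
        "acs_needs_customer_value": "${" in acs_url,
        "slo_url": slo.get("Location") if slo is not None else None,
        "slo_binding": slo.get("Binding").rsplit(":", 1)[-1] if slo is not None else None,
        "nameid_format": nid.text.rsplit(":", 1)[-1] if nid is not None else "unspecified",
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "sp_signing_cert_present": cert is not None,
    }
```

Run `parse_sp_metadata` on the metadata you exported from the provider; a missing POST Assertion Consumer Service or a flagged placeholder in the ACS URL means the file needs editing before the connector is deployed.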
The protocol binding is the method used for transmitting assertions between the authenticating identity provider and the service provider. CloudAccess supports the Redirect and Post bindings for service-provider-initiated SSO, and the Post binding for identity-provider-initiated SSO.
The nameID is the attribute in the identity source that uniquely identifies the user. You must know whether this attribute requires the email address format or an unspecified format.
The new settings are appliance-specific settings that you want to allow the administrators to set when they configure the connector for an appliance.
For example:
Customer-specific sections of the Assertion Consumer Service URL
Connector-specific settings, such as a customer domain
A WS-Federation security token is a package of identity attributes for an authenticated user that is sent from the trusted identity provider to the service provider. The service provider should supply a technical document that describes the attributes required in the token, such as the user’s name or email address. It can also list the attributes required to assign roles.
The signing certificate is the X.509 certificate that identifies CloudAccess to the service provider. If you specify that the certificate is required by the service provider, the template automatically retrieves the appliance’s certificate and inserts it in the Federation Instructions when you deploy the connector. You use the certificate when you set up the federated single sign-on for the application.
The template properties define the following information for the connector:
Type of connector and type name (based on the template wizard)
The unique name for the template file (target name)
A brief description used as the connector name
A three-digit version number (for example, 1.0.0)
A custom graphic to use for the icon that represents the connector on the Admin page.