Configuration Setup - SAML IOP 3Q08
Because SAML allows numerous configurations, it is important to have each
product properly set up in order to achieve interoperability. For all products,
proper metadata setup was needed. Basic partner configuration, such as binding
to use and security settings, was determined from the test case steps and
configured as expected through the product interface. However, any different,
unique or unexpected configurations apart from the normal settings found in
metadata, or the typical user interface, are listed below. This is information
collected directly from the participants. This was the configuration for the
products within this test, and it may be different for individual user deployments.
CA Inc. - CA Federation Manager version 12.0
CA SiteMinder signs the content of the assertion, but does not specifically sign
the Artifact resolve message.
SiteMinder expects the other participants to access SiteMinder resources using
the FQDN rather than an IP address.
When authenticating the requester, SiteMinder supports back channel
authentication instead of Artifact query signing / verification.
SiteMinder is both a Web Access management tool and a Federation gateway.
When a user logs into SiteMinder for web access management, the CDC cookie
is not immediately created by default. In this use case, SiteMinder must be
configured to create the CDC cookie. This can be done by redirecting a user to
the SiteMinder setIPDCookie service using a SiteMinder redirect response. For
retrieving the information from a common domain cookie,
"/affwebservices/public/IdPDiscovery.jsp" was used.
When working with the NTT Software ECP, it was observed that the FQDN was
added to the URI of the inbound request. This was causing some URI mapping
issues within our Servlet container. To remedy this, the URI stems for the
assertion consumer services were replicated to include the FQDN. The only
configuration difference for communicating through an ECP instead of direct
browser-based federation was that a Proxy checkbox had to be enabled in the
SiteMinder auth scheme and the affiliate. If this checkbox was enabled for
non-ECP testing, no negative results were observed.
NTT Software Corporation - TrustBind/Federation Manager version 1.1
For IDP Proxy, the IDP must be configured to enable proxying.
For IDP Discovery, the IDP must be configured to enable the common domain cookie,
and the SP uses an interface to read the cookie from the common domain.
The ECP is a standalone proxy. It supports form-based (user/password)
authentication and maintains a cookie-based session between browser and
server.
HTTP Basic Authentication was enabled for the SAML URI binding requester test at
both the Attribute Authority and the Authentication Authority.
Ping Identity - Ping Identity PingFederate® version 5.2
IdP Discovery is not enabled by default in PingFederate. Follow the instructions
in the section "Configuring IdP Discovery" of the Administrator's Manual to
configure it. The endpoint for an SP using IdP Discovery is /sp/cdcstartSSO.ping.
For working with NTT Software ECP, the related bindings (PAOS and SOAP)
need to be configured.
RSA - RSA Federated Identity Manager version 4.1
Partners need to agree on the AuthnContext out of band.
For an ECP connecting to the RSA SP, the ECP needs to authenticate to the SP.
This will be form-based authentication. Also, the ECP client has to be cookie
aware, because the RSA authentication manager on the SP creates a cookie after
authentication, and authorization to the resource is based on whether that
cookie is set. The RSA SP must set a default IDP to send the ECP request to. The
code to authenticate the user at the RSA IDP was given to NTT Software.
For an ECP connecting to the RSA IDP, if you set a Cookie header on the
SOAP/HTTP call, the RSA IDP will assume you are already authenticated.
Ubisecure Solutions, Inc. - Ubilogin SSO
The default settings of the Ubisecure SP and IDP mostly matched the requirements
for interoperability in the test cases. A test driver application was used with the
IDP to configure the IDP for the different test cases, with settings such as
bindings, encryption, affiliation, etc. The configuration options that the test driver
used are also available in the standard IDP management application.
For signature validation, a configuration option in Ubisecure SP was used to
disable signature validation of top-level Response and ArtifactResponse
messages, where an embedded signed Assertion existed.
The metadata files produced by Ubisecure SP and IDP were converted to include
X.509 certificates and to specify the "use" attribute for the KeyDescriptor
element.
By default, the metadata only contained the RSAKeyValue element. Also, if the
entity supports both signing and encryption, the use attribute of the
KeyDescriptor element is not specified. In the future, the default behaviour is
expected to change so that metadata files like those used in the interop are
produced.
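As an added example (not code from the interop report or from Ubisecure), the following Python script audits a SAML metadata document before import for exactly the two points described above: whether each KeyDescriptor carries a "use" attribute and whether it holds an X.509 certificate or only a bare RSAKeyValue. The metadata is a constructed sample; the entityID and certificate text are placeholders.

```python
# Added example, not from the interop report: audit KeyDescriptor elements in
# SAML metadata for a missing "use" attribute and for RSAKeyValue-only keys.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one descriptor in the default form, one in the converted form.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://sp.example.test/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- default form: raw RSA key value, no "use" attribute -->
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
        <ds:Modulus>AQAB</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- converted form: X.509 certificate with an explicit use -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def audit_key_descriptors(metadata_xml):
    """Return one finding per KeyDescriptor: role, use attribute, key material and issues."""
    root = ET.fromstring(metadata_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        role = parent_of[kd].tag.split("}")[1]   # e.g. SPSSODescriptor
        use = kd.get("use")                       # None means signing AND encryption
        has_cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        has_raw_rsa = kd.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue", NS) is not None
        issues = []
        if use is None:
            issues.append("no use attribute: key applies to both signing and encryption")
        if not has_cert:
            issues.append("no X509Certificate" + (" (RSAKeyValue only)" if has_raw_rsa else ""))
        findings.append({"role": role, "use": use, "x509": has_cert,
                         "raw_rsa": has_raw_rsa, "issues": issues})
    return findings
```

Run `audit_key_descriptors(SAMPLE_METADATA)` on a partner's metadata file before loading it; the first descriptor reports both issues, the second reports none.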
For ECP testing, the Ubisecure IDP uses HTTP basic authentication.
A CDC cookie reader and writer application was installed in the CDC domain
ubisecure.cot.projectliberty.org. The URL of the CDC application was configured in
the Ubilogin IDP and SP.
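Several participants above (SiteMinder's IdPDiscovery.jsp, TrustBind's common domain cookie interface, PingFederate's cdcstartSSO endpoint, Ubisecure's CDC application) read or write the common domain cookie that the SAML 2.0 IdP Discovery profile defines. As an added example, not code from any of those products, here is a minimal reader and writer for that cookie in Python: its name is `_saml_idp`, its value is a space-separated list of base64-encoded IdP entityIDs with the most recently used IdP last. The entity IDs are constructed, and percent-encoding of the value is an assumption of this example.

```python
# Added example, not from the interop report: reader/writer for the SAML 2.0
# IdP Discovery common domain cookie "_saml_idp".
import base64
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"


def _b64(entity_id):
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def read_cdc(cookie_value):
    """Decode the cookie into the list of IdP entityIDs, oldest first.
    Assumption: the value may be percent-encoded; unquote() is a no-op otherwise."""
    raw = unquote(cookie_value).strip()
    if not raw:
        return []
    return [base64.b64decode(tok).decode("utf-8") for tok in raw.split(" ")]


def preferred_idp(cookie_value):
    """The IdP an SP should select: the last entry, or None if the cookie is empty."""
    idps = read_cdc(cookie_value)
    return idps[-1] if idps else None


def write_cdc(cookie_value, entity_id, max_entries=5):
    """Record entity_id as the most recently used IdP (moving an existing entry
    to the end) and return the new, percent-encoded cookie value."""
    idps = [e for e in read_cdc(cookie_value) if e != entity_id]
    idps.append(entity_id)
    idps = idps[-max_entries:]          # keep the cookie bounded
    return quote(" ".join(_b64(e) for e in idps), safe="")


def set_cookie_header(cookie_value, common_domain):
    """Set-Cookie line for the common domain (assumption: HTTPS, so Secure is set)."""
    return "Set-Cookie: %s=%s; Domain=%s; Path=/; Secure" % (
        COOKIE_NAME, cookie_value, common_domain)
```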