 Drummond Group Knowledge Library Configurations

 

Configuration Setup

Because of the numerous configurations possible with SAML, it is important to have products properly set up in order to achieve interoperability. For all products, proper metadata setup was needed. Basic partner configuration, such as the binding to use and the security settings, was determined from the test case steps and configured as expected through the product interface. However, any different, unique or unexpected configurations apart from the normal settings found in metadata or the typical user interface are listed below. This information was collected directly from the participants with minimal editing. It describes the configuration of the products within this test, which may differ from individual user deployments.

HP-Select Federation 7.0 patch1

For IdP Discovery, the discovery service is enabled on the IDP and SP to support introduction. In addition, the cookie reader and writer services need to be set up for the SP and IDP, respectively. A domain must be specified for the cookie to be written to.

The HP ECP client is a standalone proxy that simulates a WAP gateway. It supports both WAP-based and form-based (user/pass) authentication contexts. The header attribute used is x-msisdn, which was associated with the "MobileContract" authentication context. Being a standalone client, it does not support any intermediary forms or HTML pages that need to be filled in. For this test event, Symlabs supported the WAP authentication context, so authorization was through WAP headers. IBM, RSA and Sun had to provide a way to bypass these intermediary forms.

The HP SP and IDP must be enabled for working with ECP. In working with the Sun ECP, the HP IDP was set to bypass the HTML form and provide authentication through a URL name/value parameter. For the Symlabs ECP, HP has built-in support in the IDP for WAP header authentication.

For IDP Proxy, the IDP was configured to enable proxying. For Name ID Mapping, this also must be enabled.

For Attribute Authority, basic authentication was set up for SOAP requests. Partners must mutually agree on the set of attributes and their SAML formats that are used in the Attribute query, and these then need to be set up on the IDP. No modification of HP metadata was required.

IBM-Tivoli Federated Identity Manager version 6.2

IBM SP disabled AuthnResponse signature validation for the IDPs of HP, RSA, Sun and Symlabs, as they did not use a signature for this message.

IBM SP disabled ArtifactResolve Response signature validation for the IDPs of HP, Sun and Symlabs, as they did not use a signature for this message.

IBM IDP disabled ArtifactResolve Response signature validation for the SPs of HP, Sun and Symlabs, as they did not use a signature for this message.
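Turning off Response signature validation for a partner is only safe if the assertion inside the Response is still signed and that signature is still checked. The following script is an added example, not IBM's configuration or code from any product in this test: it decodes a SAMLResponse as carried by the HTTP-POST binding, reports which elements carry an enveloped ds:Signature (on the Response itself, on each plaintext Assertion, and whether any EncryptedAssertion is present) and applies the policy "accept an unsigned Response only if every assertion it carries is signed". The sample Responses are constructed for the example, with placeholder Signature elements that have no real SignedInfo or SignatureValue, which is why the script only locates signatures and does not verify them against the partner's metadata certificate.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: marks where a signature sits, it is not a real one.
PLACEHOLDER_SIG = (
    "<ds:Signature><ds:SignedInfo/>"
    "<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>"
)


def encode_post_binding(response_xml: str) -> str:
    """HTTP-POST binding: the Response travels base64-encoded in SAMLResponse."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def decode_post_binding(saml_response_param: str) -> str:
    return base64.b64decode(saml_response_param).decode("utf-8")


def signature_coverage(response_xml: str) -> Dict[str, object]:
    """Locate enveloped ds:Signature elements on a samlp:Response and on each
    saml:Assertion it carries. Presence only; verification is a separate step."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    # find() with a one-step path matches direct children only, so an
    # Assertion's signature is never mistaken for a Response signature.
    response_signed = root.find("ds:Signature", NS) is not None
    assertions_signed: List[bool] = [
        a.find("ds:Signature", NS) is not None
        for a in root.findall("saml:Assertion", NS)
    ]
    encrypted = len(root.findall("saml:EncryptedAssertion", NS))
    return {
        "response_signed": response_signed,
        "assertions_signed": assertions_signed,
        "encrypted_assertions": encrypted,
    }


def acceptable_without_response_signature(cov: Dict[str, object]) -> bool:
    """Policy for a partner that never signs the Response message: accept only
    if the Response carries at least one assertion and every plaintext
    assertion is signed. Encrypted assertions must be decrypted and checked
    again, so they are not counted as covered here."""
    signed = cov["assertions_signed"]
    if cov["encrypted_assertions"]:
        return False
    return bool(signed) and all(signed)


def _sample_response(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed sample Response for this example (issuer is hypothetical)."""
    parts = [
        ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
         'ID="_r1" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">'
         % (NS["samlp"], NS["saml"], NS["ds"])),
        "<saml:Issuer>https://idp.example.org</saml:Issuer>",
    ]
    if sign_response:
        parts.append(PLACEHOLDER_SIG)
    parts.append('<saml:Assertion ID="_a1" Version="2.0" '
                 'IssueInstant="2008-01-01T00:00:00Z">')
    parts.append("<saml:Issuer>https://idp.example.org</saml:Issuer>")
    if sign_assertion:
        parts.append(PLACEHOLDER_SIG)
    parts.append("</saml:Assertion></samlp:Response>")
    return "".join(parts)


SIGNED_ASSERTION_ONLY = _sample_response(False, True)
BOTH_SIGNED = _sample_response(True, True)
UNSIGNED = _sample_response(False, False)

if __name__ == "__main__":
    for name, xml in (("assertion only", SIGNED_ASSERTION_ONLY),
                      ("both", BOTH_SIGNED), ("unsigned", UNSIGNED)):
        cov = signature_coverage(decode_post_binding(encode_post_binding(xml)))
        print(name, cov, acceptable_without_response_signature(cov))
```

The same presence check can be run on the Response carried inside an ArtifactResponse before the ArtifactResolve signature setting is relaxed for a partner.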

For working with the HP ECP, IBM IDP enabled HTTP header session tracking and authentication using x-msisdn header.

For working with the Sun ECP, IBM IDP enabled HTTP header session tracking and authentication using x-msisdn header.

For working with the Symlabs ECP, IBM SP enabled HTTP header session tracking, and the IBM IDP enabled HTTP header session tracking and authentication using x-msisdn header.

The common domain cookie for IDP Discovery and the attribute query for Attribute Authority used the standard setup.

RSA-RSA Federated Identity Manager 4.0

For an ECP connecting to the RSA SP, the ECP needs to authenticate to the SP. This will be form-based authentication. Also, the ECP client has to be cookie-aware, because the FIM authentication manager on the SP creates a cookie after authentication, and authorization to the resource is based on whether that cookie is set. Also, the RSA SP must set a default IDP to which the ECP request is sent. The code to authenticate the user at the RSA IDP was given to the HP, Sun and Symlabs ECPs.

For an ECP connecting to the RSA IDP, if you set a header cookie on the SOAP/HTTP call, the RSA IDP will assume you are already authenticated.

Sun-Sun Java System Federated Access Manager 8.0

Partners needed to inform Sun out of band which AuthnContext they were expecting. If the binding for the Response message was not specified, Sun used the first one in the metadata.

The validity period of the assertion was adjusted in the configuration setting.

For IDP Discovery, the cookie domain needs to be configured on the Sun product where the IDP Introduction is deployed. Partners could either federate the name ID or go to the Sun IDP Driver page and set the CDC cookie.
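Both the HP and the Sun notes above come down to the common domain cookie of the SAML 2.0 Identity Provider Discovery Profile: a cookie named _saml_idp, written at the IdP after authentication and read at the SP, whose value is a space-separated list of base64-encoded IdP entity IDs with the most recently used one last. The following is an added example of a writer and reader for that cookie, not code from HP, Sun or any product in this test. The cookie domain, the 4000-character size cap and the entity IDs in the usage are assumptions made for the example; the reader skips malformed entries instead of trusting them, and the SP side only honours an entry for which it actually holds metadata.

```python
import base64
import binascii
from typing import List, Optional, Set
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"   # name fixed by the SAML 2.0 IdP Discovery Profile
MAX_COOKIE_CHARS = 4000     # assumption: stay under common browser cookie limits


def _b64(entity_id: str) -> str:
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def read_cdc(cookie_value: Optional[str]) -> List[str]:
    """Cookie reader (SP side). Returns entity IDs in cookie order, most
    recently used last. Entries that do not decode are skipped, not trusted."""
    if not cookie_value:
        return []
    ids: List[str] = []
    for token in unquote(cookie_value).split(" "):
        if not token:
            continue
        try:
            entity_id = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if entity_id:
            ids.append(entity_id)
    return ids


def write_cdc(existing_value: Optional[str], idp_entity_id: str) -> str:
    """Cookie writer (IdP side). Moves the IdP just used to the end of the
    list, URL-encodes the space-separated base64 values, and drops the oldest
    entries if the cookie would exceed the size cap."""
    ids = [i for i in read_cdc(existing_value) if i != idp_entity_id]
    ids.append(idp_entity_id)
    encoded = quote(" ".join(_b64(i) for i in ids))
    while len(encoded) > MAX_COOKIE_CHARS and len(ids) > 1:
        ids.pop(0)
        encoded = quote(" ".join(_b64(i) for i in ids))
    return encoded


def choose_idp(cookie_value: Optional[str], known_idps: Set[str]) -> Optional[str]:
    """SP side: prefer the most recently used IdP, but only one the SP has
    metadata for; a cookie naming an unknown IdP is not a reason to redirect."""
    for entity_id in reversed(read_cdc(cookie_value)):
        if entity_id in known_idps:
            return entity_id
    return None


def set_cookie_header(cookie_value: str, common_domain: str) -> str:
    """Set-Cookie line for the writer. Domain is the common domain the
    partners agreed on; Secure keeps the cookie off plaintext HTTP."""
    return "%s=%s; Domain=%s; Path=/; Secure" % (COOKIE_NAME, cookie_value, common_domain)


if __name__ == "__main__":
    # Hypothetical entity IDs and common domain, constructed for the example.
    idp1, idp2 = "https://idp.example.org", "https://idp2.example.net"
    value = write_cdc(write_cdc(None, idp1), idp2)
    print(set_cookie_header(value, ".cdc.example.net"))
    print(read_cdc(value), choose_idp(value, {idp1}))
```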

Sun has both an ECP Java client and an ECP Java proxy, but for the certification event only the ECP Java client was tested. The Sun ECP needed its metadata loaded at the SP and IDP of its test partners.

Sun published an SP-ECP filter URL for the HP-ECP and Symlabs-SP products to use in order to initiate ECP-based requests to the Sun SP.

When HP-SP and Symlabs-SP connected to the Sun-IDP Proxy, a list of preferred IDPs that the SP partners could communicate with was displayed.

For Attribute Authority, HTTP Basic Authentication with user/password was used for authentication.

Symlabs-Symlabs Federated Identity Suite version 3.3.0

The default signature settings matched the requirements, i.e. the assertion is signed. The encryption setting is global for all partners and is toggled through the web GUI.

ECP is a stand-alone enhanced client. Symlabs-ECP uses the x-msisdn trusted header.
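The HP, IBM and Symlabs notes above all rely on the same mechanism: the IDP authenticates an enhanced client from an x-msisdn header inserted by the WAP gateway, and the SP recognises an ECP client by the PAOS headers the ECP profile requires. The following is an added example of that server-side logic, not code from any of the products in this test. It assumes, for the example only, that the gateway sends from 192.0.2.0/24, that the report's "MobileContract" context corresponds to the SAML 2.0 MobileOneFactorContract class, and an E.164-style shape for the MSISDN. The point a deployer wants to see is that the header is only accepted from the gateway's own address range and is stripped from anything else, since on any other path it is client-controlled input.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Assumptions for this example (not from the test report).
TRUSTED_GATEWAYS = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical gateway range
MSISDN_HEADER = "x-msisdn"
MOBILE_CONTRACT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract"
_MSISDN_RE = re.compile(r"^\+?[1-9][0-9]{5,14}$")  # E.164-style, at most 15 digits

# Fixed by the SAML 2.0 ECP profile: how an enhanced client announces itself.
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_ecp_request(headers: Dict[str, str]) -> bool:
    """SP side: PAOS media type in Accept plus the ECP service in the PAOS
    header means an enhanced client; anything else gets the HTML form flow."""
    accept = _header(headers, "Accept") or ""
    paos = _header(headers, "PAOS") or ""
    return PAOS_MEDIA_TYPE in accept and ECP_SERVICE in paos


def from_trusted_gateway(peer_ip: str) -> bool:
    """True only if the TCP peer is inside the configured gateway range."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_GATEWAYS)


def authenticate_by_msisdn(headers: Dict[str, str],
                           peer_ip: str) -> Optional[Tuple[str, str]]:
    """IDP side: return (subject, AuthnContextClassRef) for a well-formed
    x-msisdn header that arrived from a trusted gateway, else None."""
    if not from_trusted_gateway(peer_ip):
        return None
    raw = _header(headers, MSISDN_HEADER)
    if raw is None:
        return None
    msisdn = raw.strip()
    if not _MSISDN_RE.match(msisdn):
        return None
    return msisdn.lstrip("+"), MOBILE_CONTRACT_CLASS


def scrub_untrusted_headers(headers: Dict[str, str],
                            peer_ip: str) -> Dict[str, str]:
    """Proxy side: drop x-msisdn unless the peer is the gateway, so nothing
    behind the proxy can be fooled by a client that sets the header itself."""
    if from_trusted_gateway(peer_ip):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != MSISDN_HEADER}


if __name__ == "__main__":
    # Constructed request headers for the example.
    ecp_headers = {
        "Accept": "text/html, " + PAOS_MEDIA_TYPE,
        "PAOS": 'ver="urn:liberty:paos:2003-08";"%s"' % ECP_SERVICE,
        "X-MSISDN": "447700900123",
    }
    print(is_ecp_request(ecp_headers))
    print(authenticate_by_msisdn(ecp_headers, "192.0.2.10"))    # via gateway
    print(authenticate_by_msisdn(ecp_headers, "198.51.100.7"))  # direct client
```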


© 2008 Drummond Group, Inc.