Pinned topic SAML 2.0 post to client web application
Re: SAML 2.0 post to client web application (2011-02-21T22:04:51Z, in response to npwagner1)
Hi,
I guess when you authenticate and authorize the incoming request using the AAA object, you can choose the Process Metadata object; after you are done with the AAA policy, you can enable SAML assertion ON in the Post Processing policy.
Re: SAML 2.0 post to client web application (2011-02-22T16:43:06Z, in response to npwagner1)
In the previous releases prior to 3.8.1 we were able to generate the SAML within the AAA policy's post-processing step, but we were not able to include a SAMLAttribute statement.
The SAML feature was implemented before some of the SAML specification was finalized, hence it is outdated. The SAML assertion that the old releases supported has only a limited format of SAML Authentication Assertions; DP cannot generate other types of assertion or SAML response by default. Many SAML optional settings defined by the standard, especially the SAML attributes for SSO, are very critical for some use cases, but DataPower lacks support for many optional features. With the previous releases, the customer has to program with XSL stylesheets, which is neither easy nor efficient; it is very inflexible too, as the customized SAML message could not be signed freely on the DP device. When DP works as a SAML message consumer, if the token issuer's system clock is slower than the standard, DataPower does not process the SAML 2.0 Attributes correctly; neither does it enforce the SAML 2.0 message validation completely. This presentation contains the features to correctly handle all the listed limitations.
PacoGomez
Re: SAML 2.0 post to client web application (2012-04-05T12:44:00Z, in response to npwagner1)
Nicholas,
Did you achieve your goal?
We want to use our XI50 DataPower to issue an SSO SAML 2.0 token to Google Apps, after validating the request with our LDAP. I think it is a situation similar to yours and I am interested in knowing if it worked for you?
Thanks a lot for any information about viability.
belenkiy
HermannSW
Re: SAML 2.0 post to client web application (2013-10-25T07:59:23Z, in response to belenkiy)
In the v220.127.116.11 release notes you will find that SAML 2.0 is supported under "Supported standards and protocols" -> "Security policy enforcement".
belenkiy
Re: SAML 2.0 post to client web application (2013-10-25T08:58:39Z, in response to HermannSW)
Thanks for your answer!
SAML 2.0 specifies a Web Browser SSO Profile involving an identity provider (IdP) and a service provider (SP).
The login scenario looks like this:
- The user (browser) accesses the customer's personal JIVE web app.
- In case authentication is needed, the web app responds with an HTTP redirect to the identity provider (IdP). In our case this should be the DataPower.
- The user fills in username and password in the form received from the IdP and submits it.
- The IdP authenticates the credentials and, in case of success, generates a SAML v2 SSO Response and sends it back to the browser.
- The browser redirects back to the customer's JIVE web app.
How can this scenario be implemented with DataPower acting as IdP?
Thanks in advance,
KrithikaPrakash
Re: SAML 2.0 post to client web application (2013-10-25T17:20:59Z, in response to belenkiy)
It should be doable. You can configure DataPower AAA action to do "HTML-forms based authentication" in the EI step, configure AU and AZ as required for your environment, and in AAA PP, enable "Generate SAML assertion or response" and choose "SAML response with assertion" for the parameter "SAML protocol or profile". For the "Wrap up result" parameter, I believe you can configure it to "output directly".
This should generate the SAML response with an assertion.
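The two sides of the thread, the "SAML response with assertion" that the AAA post-processing step emits (including the AttributeStatement the pre-3.8.1 releases could not add) and the consumer-side checks that an earlier reply says older releases did not enforce completely (time window with a slow issuer clock, audience, InResponseTo), as an added, constructed Python example that is not DataPower code or anything from this thread. It uses only the standard library, so XML signing and signature verification (which a real SP does before any of these checks, and which DataPower handles in post-processing) are left out; the function names, the example URLs and the `skew` tolerance are assumptions for illustration.

```python
"""Constructed example: build a SAML 2.0 Response with one Assertion and check it on the
consumer side. No XML-DSig here; the point is the message structure and the Conditions checks."""
from datetime import datetime, timedelta, timezone
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _ts(dt):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issuer, audience, acs_url, subject, attributes,
                   in_response_to, now=None, lifetime=300):
    """Return the XML text of a Web Browser SSO 'response with assertion' (hypothetical
    signature; issuer/audience/acs_url are whatever the IdP and SP agreed on)."""
    now = now or datetime.now(timezone.utc)
    not_after = now + timedelta(seconds=lifetime)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": acs_url, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_SUCCESS})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "Recipient": acs_url, "NotOnOrAfter": _ts(not_after), "InResponseTo": in_response_to})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": _ts(now), "NotOnOrAfter": _ts(not_after)})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = audience
    authn = ET.SubElement(a, f"{{{SAML}}}AuthnStatement",
                          {"AuthnInstant": _ts(now), "SessionIndex": "_" + uuid.uuid4().hex})
    ET.SubElement(ET.SubElement(authn, f"{{{SAML}}}AuthnContext"),
                  f"{{{SAML}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    # The AttributeStatement carries the SSO attributes (the part older releases could not emit).
    attr_stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(attr_stmt, f"{{{SAML}}}Attribute", {"Name": name})
        for v in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = v
    return ET.tostring(resp, encoding="unicode")


class SamlValidationError(Exception):
    pass


def validate_response(xml_text, expected_issuer, expected_audience, expected_request_id,
                      now=None, skew=60):
    """Consumer-side checks an SP makes before trusting the assertion (after signature
    verification, omitted here). Returns the subject NameID and the attribute map."""
    now = now or datetime.now(timezone.utc)
    tol = timedelta(seconds=skew)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("not a samlp:Response")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise SamlValidationError("status is not Success")
    if root.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match the outstanding AuthnRequest")
    a = root.find(f"{{{SAML}}}Assertion")
    if a is None:
        raise SamlValidationError("no assertion")
    if a.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        raise SamlValidationError("unexpected issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SamlValidationError("missing Conditions")
    # Skew tolerance: an issuer whose clock runs a little slow must not produce spurious
    # "not yet valid" rejections, but the validity window is still enforced.
    if now + tol < _parse_ts(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - tol >= _parse_ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [e.text for e in cond.findall(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")]
    if expected_audience not in audiences:
        raise SamlValidationError("audience restriction not satisfied")
    attrs = {}
    for attr in a.findall(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        attrs[attr.get("Name")] = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return {"subject": a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"), "attributes": attrs}
```

In the thread's scenario the IdP role is the AAA action's post-processing step and the SP is the JIVE web app; the validator above is what the SP side has to do with the posted Response, and the `skew` argument is where a consumer decides how much issuer clock drift to tolerate without dropping the window check altogether.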