SAML Extension Directory Objects

There are three different types of directory objects associated with the SAML extension for Novell iChain:

Figure 32 shows the directory layout of the SAML extension for Novell iChain directory objects:

Figure 32
SAML Extension Directory Objects


SAML Trust Relationships

To illustrate how the SAML extension relationship works, consider the following example: There are two sites that want to create a SAML relationship: Novell and PartnerCorp. Both Novell and PartnerCorp need to have some sort of SAML configuration. For the purposes of this example, it is assumed that both entities are using the SAML extension for Novell iChain. The following configurations are needed:

  1. Novell SAML configuration
    1. Create a samlSiteConfig to represent MYSELF

      i. Create a Site ID: www.novell.com

      ii. Create a Source ID: XYZ

    2. Create a samlTrustedAffiliate to represent my relationship with PartnerCorp

      i. Use the Site ID provided from PartnerCorp: www.partnercorp.com

      ii. Use the Source ID provided from PartnerCorp: PDQ

  2. Partner SAML configuration
    1. Create a samlSiteConfig to represent MYSELF

      i. Create a Site ID: www.partnercorp.com

      ii. Create a Source ID: PDQ

    2. Create a samlTrustedAffiliate to represent my relationship with Novell

      i. Use the Site ID provided from Novell: www.novell.com

      ii. Use the Source ID provided from Novell: XYZ

Figure 33 shows the directory object layout of each of these configurations. The left side of the figure shows the configuration for Novell and the right side shows the configuration for PartnerCorp.

Figure 33
Directory Object Layout

With this configuration, when PartnerCorp receives a SAML assertion issued by Novell, PartnerCorp can map the assertion to its samlTrustedAffiliate entry for Novell because the Site ID stored in that entry matches the assertion's Issuer value. Likewise, when PartnerCorp receives a SAML Artifact from Novell whose Source ID is XYZ, it can associate that artifact with Novell because the Source ID matches the value stored in the same entry.

Much more than the Site ID and Source ID must be shared in order to create a SAML trust relationship. At the current time there is no standard way of sharing this configuration information. Work is under way in the SAML standards body to create a common metadata format that SAML partner sites could exchange to create these trust relationships automatically. Until that work is complete, the process must be done by hand in an out-of-band communication between SAML system administrators. Typically, the information needed to create a SAML trust relationship includes the following:

These settings could be shared between the sites using e-mail, and some could even be negotiated in telephone conversations.
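The two lookups described above (assertion Issuer matched against a samlTrustedAffiliate's Site ID, and an artifact's Source ID matched against the same entry) as an added example, not code from the iChain SAML extension. It assumes standard SAML 1.x type-0x0001 artifacts (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded) and a constructed affiliate table standing in for PartnerCorp's directory; the names `TrustedAffiliate`, `affiliate_for_issuer`, `affiliate_for_artifact` and `make_artifact` are hypothetical.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class TrustedAffiliate:
    """One samlTrustedAffiliate entry: the partner's Site ID and Source ID."""
    name: str
    site_id: str        # compared with the assertion's Issuer
    source_id: bytes    # 20-byte value compared with the artifact's SourceID

# Constructed sample of PartnerCorp's directory: one affiliate entry for Novell.
# The page's "XYZ" stands in for a real 20-byte Source ID; SAML 1.x derives it
# as SHA-1 of a site-chosen string, which is what we assume here.
NOVELL_SOURCE_ID = hashlib.sha1(b"www.novell.com").digest()
PARTNERCORP_AFFILIATES = [
    TrustedAffiliate("Novell", "www.novell.com", NOVELL_SOURCE_ID),
]

def affiliate_for_issuer(issuer: str,
                         affiliates: Iterable[TrustedAffiliate]) -> Optional[TrustedAffiliate]:
    """Return the samlTrustedAffiliate whose Site ID equals the assertion Issuer."""
    for aff in affiliates:
        if aff.site_id == issuer:
            return aff
    return None  # unknown issuer: the assertion must not be accepted

def affiliate_for_artifact(artifact_b64: str,
                           affiliates: Iterable[TrustedAffiliate]) -> Optional[TrustedAffiliate]:
    """Decode a type-0x0001 artifact and map its SourceID to an affiliate entry."""
    raw = base64.b64decode(artifact_b64, validate=True)
    # TypeCode(2) + SourceID(20) + AssertionHandle(20) = 42 bytes
    if len(raw) != 42 or raw[:2] != b"\x00\x01":
        raise ValueError("not a well-formed type-0x0001 SAML artifact")
    source_id = raw[2:22]
    for aff in affiliates:
        if aff.source_id == source_id:
            return aff
    return None  # unknown SourceID: there is no partner to resolve it with

def make_artifact(source_id: bytes, handle: bytes) -> str:
    """Build the type-0x0001 artifact an issuing site such as Novell would send."""
    if len(source_id) != 20 or len(handle) != 20:
        raise ValueError("SourceID and AssertionHandle must be 20 bytes each")
    return base64.b64encode(b"\x00\x01" + source_id + handle).decode()
```

A receiver that gets `None` from either lookup has no trust relationship to apply, so the assertion or artifact should be rejected rather than processed further.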

The following sections deal with the objects in the directory that are used to configure the SAML system and to define these SAML trust relationships.