Creating and Configuring the SAMLSiteConfig Object

The samlSiteConfig object contains the configuration information that defines your site as a SAML service provider. You create it by right-clicking the SAMLExtensionServer, then selecting New > Site Config, as shown in Figure 36:

Figure 36
Creating a SAMLSiteConfig Object

The samlSiteConfig object contains the top-level SAML configuration information that is used to identify this site to other SAML sites. The samlSiteConfig property page has three main tabs: General, Assertions, and URLs.


General

The General page contains identification information that is used to identify your site to SAML partner sites. When generating assertions, the SAML issuer and Source ID are taken from the settings on this page. Figure 37 shows the samlSiteConfig's General page. The available settings are described below.

Figure 37
samlSiteConfig: General Page

Enabled: Globally enables or disables the SAML service.

Identification - Site ID: Contains the SAML Site ID of this site. This value is used as the SAML Issuer ID on generated SAML assertions, and it must be shared with SAML partner sites. The Site ID can be any string value, but it is a good idea to use a value that describes the company. For example, if you were configuring the SAML system for a company named Novell, you could use Novell or www.novell.com.

Identification - Source ID: A 20-byte value that is used as part of the Browser/Artifact profile. It allows the receiving site to determine the source of received SAML Artifacts. In most cases, the Source ID can be auto-generated using a SHA-1 hash of the Site ID. A utility is provided to either import or auto-generate the Source ID. Clicking the button directly to the right of the Source ID text field invokes the Import Source ID dialog box as shown in Figure 38:

Figure 38
samlSiteConfig: Import Source ID

The Source ID can be imported from a Base64- or HEX-encoded string, or it can be auto-generated using the SHA-1 hash of the Site ID. Just like the Site ID, this value must be shared with your SAML partner sites. The Source ID can be sent to partner sites in encoded Base64 or HEX format. The button directly to the right of the Import Source ID button invokes the Export Source ID dialog box, as shown in Figure 39:

Figure 39
samlSiteConfig: Export Source ID

You can copy the Source ID value from the text field in either Base64 or HEX format and send it to SAML partner sites.
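The following is an added example, not code from the iChain SAML extension, showing the Source ID handling described above: auto-generating the 20-byte Source ID as the SHA-1 hash of the Site ID, exporting it in Base64 or HEX, and importing a partner's value in either encoding while rejecting anything that does not decode to exactly 20 bytes. The function names are the example's own.

```python
import base64
import hashlib

# SAML 1.x Browser/Artifact profile: the SourceID carried in an artifact is 20 bytes.
SOURCE_ID_LEN = 20


def generate_source_id(site_id: str) -> bytes:
    """Auto-generate a Source ID the way the dialog does: SHA-1 of the Site ID."""
    return hashlib.sha1(site_id.encode("utf-8")).digest()


def export_source_id(source_id: bytes, encoding: str = "base64") -> str:
    """Encode a Source ID for sharing with a partner site in Base64 or HEX."""
    if len(source_id) != SOURCE_ID_LEN:
        raise ValueError("Source ID must be exactly %d bytes" % SOURCE_ID_LEN)
    if encoding == "base64":
        return base64.b64encode(source_id).decode("ascii")
    if encoding == "hex":
        return source_id.hex().upper()
    raise ValueError("encoding must be 'base64' or 'hex'")


def import_source_id(text: str) -> bytes:
    """Decode a partner's Source ID from HEX or Base64.

    Both decodings are attempted; the 20-byte length check disambiguates them,
    because a 40-character HEX string decodes to 30 bytes under Base64 and a
    28-character Base64 string never yields 20 bytes under HEX.
    """
    candidate = text.strip()
    decoders = (
        bytes.fromhex,
        lambda s: base64.b64decode(s, validate=True),  # binascii.Error is a ValueError
    )
    for decode in decoders:
        try:
            raw = decode(candidate)
        except ValueError:
            continue
        if len(raw) == SOURCE_ID_LEN:
            return raw
    raise ValueError("input is not a 20-byte Source ID in HEX or Base64")


if __name__ == "__main__":
    sid = generate_source_id("www.novell.com")  # constructed sample Site ID
    print("HEX:   ", export_source_id(sid, "hex"))
    print("Base64:", export_source_id(sid, "base64"))
```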

Key Pair Information: SAML Signature Key Pair Object: Allows the association between an NDSPKI: Key Material Object and the SAML service. This Key Pair object should be used to create digital signatures on generated SAML assertions. This value is for informational and bookkeeping purposes only. In order to actually use the key pair to create digital signatures, you must export it from the directory in PKCS#12 format and copy it to the SAML Extension server. See SAML Security Considerations for details on how to do this.

Key Pair Information: SSL Key Pair Object: Allows the association between an NDSPKI: Key Material Object and the SAML service. This Key Pair object should be used to create mutually authenticated SSL connections between this site and partner sites; it is used as the client key in those connections. This value is for informational and bookkeeping purposes only. In order to actually use the key pair to create mutually authenticated SSL connections, you must export it from the directory in PKCS#12 format and copy it to the SAML Extension server. See SAML Security Considerations for details on how to do this.


Assertions

The Assertions page defines the default SAML assertion generation behavior for the SAML service. Figure 40 shows the samlSiteConfig's Assertions page. The available settings are described below.

Figure 40
samlSiteConfig: Assertions Page

Assertion Generation Will Be Valid for This Long Before the Current System Time: SAML assertions contain a time stamp value that determines the time window during which they should be considered valid. SAML partner sites usually do not have system clocks that exactly match. A clock "pre-skew" is added to make up for this clock difference between partners. The default value is 5 minutes, but you can set this value depending upon how much difference you expect between your clock and your partner's system clock.

Assertion Generation Will Be Valid for This Long After the Current System Time: Determines how long after the current time the SAML assertion is considered valid. The value is generally larger than the previous value, to take into account network latency. The time stamp condition is added to the SAML assertion to prevent replay attacks and the use of stolen SAML assertions. In general, these validity period values should be kept as small as possible without introducing time skew errors for users.
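The following is an added example, not code from the iChain SAML extension, illustrating the two settings above from both sides: building a NotBefore/NotOnOrAfter window from the pre-skew and post-validity values, and a receiving-side check that enforces the window and refuses an assertion ID it has already accepted, so the window also bounds how long the replay cache must remember IDs. The 5-minute pre-skew is the page's default; the 10-minute post value and all names are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone


def assertion_window(issue_instant, before=timedelta(minutes=5), after=timedelta(minutes=10)):
    """Return (NotBefore, NotOnOrAfter) for an assertion issued at issue_instant (UTC).

    `before` is the clock pre-skew allowed for the partner's clock; `after` is the
    post-issue validity that also covers network latency.
    """
    return issue_instant - before, issue_instant + after


def saml_datetime(dt):
    """Format a UTC datetime as the dateTime string used in SAML Conditions."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class AssertionReplayGuard:
    """Receiver-side check: validity window plus one-time use of each assertion ID."""

    def __init__(self):
        self._seen = {}  # assertion_id -> NotOnOrAfter, so stale entries can be purged

    def accept(self, assertion_id, not_before, not_on_or_after, now):
        # Drop IDs whose assertions can no longer be valid; the cache never grows
        # beyond what was accepted inside one validity window.
        self._seen = {aid: exp for aid, exp in self._seen.items() if exp > now}
        if not (not_before <= now < not_on_or_after):
            return False  # outside the window: too early (skew) or expired
        if assertion_id in self._seen:
            return False  # same assertion presented twice: replay
        self._seen[assertion_id] = not_on_or_after
        return True


if __name__ == "__main__":
    issued = datetime(2004, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed sample
    nb, noa = assertion_window(issued)
    print("NotBefore=%s NotOnOrAfter=%s" % (saml_datetime(nb), saml_datetime(noa)))
```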

Default User for Mapping Rules: Allows the designation of a default user to which incoming SAML users will be mapped in the event that no user mapping rules are defined, or all of the user mapping rules have failed. This value can be left blank, but users who are unable to be mapped will not be able to access the site and will receive an error message. See User Mapping for more details.


URLs

The URLs page is mainly provided as a convenience for the SAML administrator to facilitate the sharing of configuration information. Three of the four URLs listed on the page are read-only because they are defined by the SAML extension server. Figure 41 shows the samlSiteConfig's URLs page. The available settings are described below.

Figure 41
samlSiteConfig: URLs Page

The first three (dimmed) URLs listed are for informational purposes only. They are provided on this page to facilitate the sharing of SAML configuration between this site and SAML partner sites. In order to create a SAML relationship with another site, three URLs must be known: the SOAP Responder URL, Artifact Receiver URL, and POST Receiver URL. For SAML implementations using the SAML extension for Novell iChain, the pattern for these three URLs will always be the same. For example, if you were SAML-enabling a site with host domain www.sample.com, the URLs would be:

SOAP: https://www.sample.com/cmd/mutExt/samlext/saml/resp

Artifact: https://www.sample.com/cmd/ext/samlext/saml/auth/afct

POST: https://www.sample.com/cmd/ext/samlext/saml/auth/post

When creating SAML relationships with other sites, you need to give them these URLs so that they know how to communicate with you. The URLs are listed here to aid the SAML administrator in getting these URLs to SAML partner sites.

General Error URL: Provides an error page URL that is displayed to the user if an error occurs while attempting to perform a SAML operation. The child samlTrustedAffiliate sites provide additional error URLs that can provide more fine-grained error handling. This general error URL is only used if the specified samlTrustedAffiliate has no error URLs defined, or the error occurred before the proper samlTrustedAffiliate configuration object could be found.