Acting As a Referring Site

The SAML referring site is responsible for generating a SAML single sign-on assertion for the user and sending that user to the receiving site. The goal of this action is that the user is authenticated and granted access to some resource at the receiving site. In order to do this, SAML defines a resource called an Intersite Transfer URL. This resource is provided by the SAML Extension for Novell iChain. It is accessed via the following URLs:

The purpose of the Intersite Transfer service is to generate SAML assertions for users and redirect them to the receiving site. In order for the Intersite Transfer service to do this, it needs two pieces of information: the Site ID of the Trusted Affiliate that represents the receiving site (passed as the AID parameter), and the URL of the resource at the receiving site that the user should reach (passed as the TARGET parameter).

These two pieces of information are provided to the Intersite Transfer service as URL parameters. Thus, a complete Intersite Transfer link would look like the following:

To further illustrate how the SAML Inter-site Transfer service works, consider the following example: You are developing a travel site (travel4cheap), and you have partnered with a car rental company named cars4rent. You have already created a Trusted Affiliate object in the directory for cars4rent, and have set the Site ID to cars4rent. The resource at your partner site that you want to give your customers access to is http://www.cars4rent.com/partners/rentacar.html. Your goal is to have the travel site provide users with a link that sends them to cars4rent and provides them with access to the target resource without needing to re-authenticate at the cars4rent site.

Suppose that in the past a direct link was in place to the cars4rent resource that, when followed, required the users to authenticate to cars4rent. The following is the original HTML:

<A href="https://www.cars4rent.com/deals.html">Access Partner Cars4Rent</A>

To use the SAML Extension for Novell iChain, replace the original link with the following:

<A href="https://www.travel4cheap.com/cmd/ext/samlext/saml/gen/post?AID=cars4rent&TARGET=https://www.cars4rent.com/deals.html">Access Partner Cars4Rent</A>

The above link invokes the SAML Intersite Transfer service, which generates a SAML single sign-on assertion for the user intended for the cars4rent partner site. The user can then access the cars4rent target resource without re-authenticating to cars4rent. The important differences between the original and SAML-enabled links are that the link now points at the Intersite Transfer URL on the referring site instead of directly at the partner resource, and that it carries the AID parameter (the Site ID of the Trusted Affiliate) and the TARGET parameter (the original resource URL).

NOTE: The order of AID and TARGET is immaterial.

In order for this scenario to work, the SAML Configuration must contain a Trusted Affiliate object with Site ID cars4rent, and the cars4rent partner site must have a SAML service running to receive the SAML assertion. All that needs to be done in order to act as a SAML referring site is to create links to the SAML Intersite Transfer URL with the proper parameters; no other changes to the back-end Web site are required.
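As an added example (not code from the Novell iChain documentation or product), the following Python builds an Intersite Transfer link with properly URL-encoded parameters and shows the checks a referring site would want to apply to such a request before generating an assertion. The Intersite Transfer path /cmd/ext/samlext/saml/gen/post and the travel4cheap/cars4rent names come from the page; the TRUSTED_AFFILIATES table is a constructed stand-in for the Trusted Affiliate objects in the directory, and the https/hostname check on TARGET is a check this example adds, not something the page says the product performs.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Browser/POST Intersite Transfer URL, as shown in the page's own example link.
INTERSITE_TRANSFER_URL = "https://www.travel4cheap.com/cmd/ext/samlext/saml/gen/post"

# Constructed stand-in for the Trusted Affiliate objects in the directory:
# Site ID -> hostname of the partner site that a TARGET must belong to.
TRUSTED_AFFILIATES = {
    "cars4rent": "www.cars4rent.com",
}


def build_intersite_link(site_id: str, target: str) -> str:
    """Build the href a referring site places in its pages.

    TARGET is passed through urlencode so that any '?', '&' or '=' inside the
    partner URL cannot be mistaken for parameters of the Intersite Transfer
    request itself (the page's example leaves TARGET unencoded, which only
    works for simple URLs without a query string).
    """
    if site_id not in TRUSTED_AFFILIATES:
        raise ValueError(f"unknown Trusted Affiliate Site ID: {site_id!r}")
    query = urlencode({"AID": site_id, "TARGET": target})
    return f"{INTERSITE_TRANSFER_URL}?{query}"


def parse_intersite_request(url: str) -> dict:
    """Validate an Intersite Transfer request before an assertion is generated.

    Checks performed (the hostname/scheme restriction is this example's own
    policy, added here as an assumption): both parameters are present, in any
    order; AID names a configured Trusted Affiliate; TARGET is an https URL on
    that affiliate's host, so an assertion is only ever generated for a resource
    at the partner the AID refers to.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    aid = params.get("AID", [""])[0]
    target = params.get("TARGET", [""])[0]
    if not aid or not target:
        raise ValueError("both AID and TARGET are required")
    host = TRUSTED_AFFILIATES.get(aid)
    if host is None:
        raise ValueError(f"no Trusted Affiliate with Site ID {aid!r}")
    t = urlsplit(target)
    if t.scheme != "https" or t.hostname != host:
        raise ValueError(f"TARGET {target!r} is not an https URL on {host}")
    return {"AID": aid, "TARGET": target}


if __name__ == "__main__":
    # Constructed sample: a partner URL that itself carries a query string.
    link = build_intersite_link(
        "cars4rent", "https://www.cars4rent.com/deals.html?promo=travel&seats=4"
    )
    print(link)
    print(parse_intersite_request(link))
```

Round-tripping a TARGET that contains its own query string through build_intersite_link and parse_intersite_request demonstrates why the encoding matters: without it, the partner's own parameters would be parsed as parameters of the Intersite Transfer request.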


Sending User Attributes to Partner Sites

In some cases, receiving sites might want to know more about incoming users than simply their username and authentication information. The SAML specification allows user attribute information to be shared between partner sites. The SAML Extension for Novell iChain allows the administrator to specify any LDAP attribute to be included in generated SAML assertions. You configure this on the properties page for the Trusted Affiliate object in the directory: the User Attributes tab contains the list of attributes that can be made available to partner sites. For details on how to configure the system to send user attributes to Trusted Affiliates, see Configuring the SAML Extension.


SAML Security Settings

Different SAML partnerships might have different security requirements. Some partnerships might have a relatively low value, where the receiving site is simply offering the referring site's users a small discount or service. Other relationships could have high value, where sensitive user attribute information is passed, such as a purchasing system in which large purchases are made and user information such as credit card numbers is shared. The SAML configuration allows the administrator to determine what types of security constraints are applied to generated assertions. The options are:

Sign Assertions in the Browser/POST profile: This option generates a digital signature on assertions generated for the specified Trusted Affiliate using the Browser/POST profile. The inclusion of a digital signature allows the receiving site to validate the source of the provided assertions. Assertions generated under the Browser/POST profile must be signed to comply with the SAML specification version 1.0.

Sign Assertions in the Browser/Artifact profile: This option generates a digital signature on assertions generated for the specified Trusted Affiliate using the Browser/Artifact profile. According to the SAML specification, signatures for the Browser/Artifact profile are not mandatory; however, some partner sites might require them.

These settings are applied to the Trusted Affiliate object in the directory. The settings are located on the Trusted Affiliate properties page, under the Assertions tab. See Configuring the SAML Extension for more information.