Novell iChain provides identity-based Web security services that control access to application and network resources. The SAML extension for Novell iChain adds SAML Web-based single sign-on and SAML attribute sharing to iChain's list of features. The SAML extension for Novell iChain gives iChain users the ability to generate SAML single sign-on assertions for outbound users, accept incoming SAML single sign-on assertions for incoming users, and respond to SAML attribute queries. The SAML extension for Novell iChain supports both the SAML Browser/POST and SAML Browser/Artifact Web single sign-on (SSO) profiles.
The SAML extension server runs as an HTTP server fronted by iChain. This means that the SAML service does not run on the iChain box itself, but runs on a separate Web server. This provides an additional level of security because the SAML service can be protected by a firewall and does not need to be accessible from the external network. The general topology of the SAML extension for Novell iChain is shown in Figure 15.
All of the SAML processing occurs at the SAML extension server. This means that iChain-protected Web services can be enabled for SAML without deploying any additional software on the Web servers themselves. iChain communicates with the SAML extension server by using a reserved URL prefix. The following two URLs are used by iChain to communicate with the SAML extension server:
The following sections give a brief overview of how iChain and the SAML extension server interact:
When users want to access a SAML partner, a SAML assertion must be generated for them. They are generally first sent to an Intersite Transfer URL resource. The SAML extension server provides two different types of Intersite Transfer URLs which are responsible for generating appropriate SAML assertions for users and forwarding those users to the proper resource at the partner site. The two URLs provided are:
When iChain sees the /cmd/ext prefixes on the above URLs, it knows to forward the request to the SAML extension server. The SAML extension receives the request, generates the appropriate SAML assertions, and forwards the user to the partner site. More information on the use of the Intersite Transfer URLs can be found in Enabling Web Sites With SAML Single Sign-On Functionality.
Users can access an iChain-controlled resource using a SAML single sign-on assertion. This is done by accessing the iChain system using a specified SAML receiver URL. The SAML extension for iChain defines two SAML receiver URLs:
When iChain sees the /cmd/ext prefixes on the above URLs, it knows to forward the request to the SAML extension server. The SAML extension receives the request, then obtains and validates the incoming user's SAML assertions. If the SAML extension server is able to validate the SAML assertions provided for the user, the user is authenticated to iChain and provided with the requested resource.
The SAML specification requires that in some cases, SAML servers must communicate directly. This is the case in the SAML Browser/Artifact profile. The receiving SAML server must request the SAML single sign-on assertion directly from the issuing site. This direct server-to-server communication is sometimes called the SAML back-channel. The SAML extension server listens for incoming SAML requests on the following URLs:
When iChain sees the /cmd/ext or /cmd/mutExt prefixes on the above URLs, it knows to forward the request to the SAML extension server. The SAML extension server receives the SAML request, parses it, then returns the appropriate SAML response. The two types of SAML requests that are currently supported are SAML artifact queries and SAML attribute queries. SAML artifact queries are used to perform the SAML Browser/Artifact Web single sign-on profile. SAML attribute queries are used to provide user attribute sharing with SAML partner sites.
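The three interactions described above (an Intersite Transfer URL generating an assertion for an outbound user, a receiver URL accepting and validating an inbound user's assertion, and the back-channel artifact query of the Browser/Artifact profile) can be modelled end to end. The Python block below is an added example written for this page; it is not Novell's code and does not reproduce iChain's reserved URLs or the extension server's internals. It assumes the generic SAML 1.x type-0001 artifact layout (2-byte TypeCode, 20-byte SourceID, 20-byte AssertionHandle), hypothetical partner URLs (`idp.example.test`, `sp.example.test`), and in-process function calls standing in for the HTTP back channel.

```python
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

A = "{urn:oasis:names:tc:SAML:1.0:assertion}"  # SAML 1.x assertion namespace, ElementTree style
TYPE_CODE = b"\x00\x01"                         # SAML 1.x artifact type 0x0001
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def source_id(issuer_url):
    # Type-0001 SourceID: SHA-1 of the issuing site's identifier (its URL here)
    return hashlib.sha1(issuer_url.encode()).digest()

def make_artifact(issuer_url, handle=None):
    # Artifact = base64(TypeCode || 20-byte SourceID || 20-byte AssertionHandle)
    handle = handle or secrets.token_bytes(20)
    return base64.b64encode(TYPE_CODE + source_id(issuer_url) + handle).decode(), handle

def parse_artifact(artifact_b64):
    # Split an artifact into (SourceID, AssertionHandle); reject anything malformed
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 42 or raw[:2] != TYPE_CODE:
        raise ValueError("unsupported or malformed artifact")
    return raw[2:22], raw[22:]

def build_assertion(issuer, subject, audience, now, lifetime=timedelta(minutes=5)):
    # Minimal SAML 1.1 authentication assertion with a validity window, an audience and a subject
    root = ET.Element(A + "Assertion", {"AssertionID": secrets.token_hex(16), "Issuer": issuer,
                      "IssueInstant": now.strftime(TIME_FMT), "MajorVersion": "1", "MinorVersion": "1"})
    cond = ET.SubElement(root, A + "Conditions", {"NotBefore": now.strftime(TIME_FMT),
                         "NotOnOrAfter": (now + lifetime).strftime(TIME_FMT)})
    ET.SubElement(ET.SubElement(cond, A + "AudienceRestrictionCondition"), A + "Audience").text = audience
    stmt = ET.SubElement(root, A + "AuthenticationStatement", {"AuthenticationInstant": now.strftime(TIME_FMT),
                         "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password"})
    ET.SubElement(ET.SubElement(stmt, A + "Subject"), A + "NameIdentifier").text = subject
    return ET.tostring(root)

def parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)

def validate_assertion(xml_bytes, expected_audience, now, seen_ids):
    # Receiver checks: validity window, audience and AssertionID replay (signature checking omitted here)
    root = ET.fromstring(xml_bytes)
    cond = root.find(A + "Conditions")
    if root.tag != A + "Assertion" or cond is None:
        raise ValueError("not a SAML 1.x assertion with Conditions")
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if expected_audience not in [a.text for a in cond.iter(A + "Audience")]:
        raise ValueError("assertion not intended for this site")
    if root.get("AssertionID") in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids.add(root.get("AssertionID"))
    return root.find(".//" + A + "NameIdentifier").text

class IssuingSite:
    # The partner generating assertions; intersite_transfer plays the Intersite Transfer URL
    def __init__(self, url):
        self.url, self._pending = url, {}
    def intersite_transfer(self, subject, audience, now):
        artifact, handle = make_artifact(self.url)
        self._pending[handle] = build_assertion(self.url, subject, audience, now)
        return artifact  # carried to the receiver's artifact URL along with the user
    def respond_to_artifact(self, handle):
        return self._pending.pop(handle, None)  # one-time: a second lookup finds nothing

class ReceivingSite:
    # The site accepting artifacts and dereferencing them over the back channel
    def __init__(self, url, partners):
        self.url, self._seen_ids = url, set()
        # SourceID -> responder; a real receiver maps SourceID to the partner's back-channel URL
        self._responders = {source_id(u): r for u, r in partners.items()}
    def receive_artifact(self, artifact, now):
        sid, handle = parse_artifact(artifact)
        responder = self._responders.get(sid)
        if responder is None:
            raise ValueError("artifact from an unknown SourceID")
        assertion = responder(handle)
        if assertion is None:
            raise ValueError("artifact could not be resolved")
        return validate_assertion(assertion, self.url, now, self._seen_ids)

def rejects(action):
    try:
        action()
        return False
    except ValueError:
        return True

def demo():
    # Constructed scenario with hypothetical URLs: one good transfer, one re-used artifact, one stale assertion
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    idp = IssuingSite("https://idp.example.test")
    sp = ReceivingSite("https://sp.example.test", {idp.url: idp.respond_to_artifact})
    artifact = idp.intersite_transfer("alice", sp.url, now)
    user = sp.receive_artifact(artifact, now)
    reuse_rejected = rejects(lambda: sp.receive_artifact(artifact, now))
    stale = idp.intersite_transfer("alice", sp.url, now)
    expired_rejected = rejects(lambda: sp.receive_artifact(stale, now + timedelta(minutes=10)))
    return {"user": user, "reuse_rejected": reuse_rejected, "expired_rejected": expired_rejected}
```

`demo()` walks one user through the flow and then shows the two failure modes a receiver must handle: an artifact presented twice resolves to nothing on the second back-channel query, and an assertion presented after its `NotOnOrAfter` is refused even though the artifact itself resolved. XML signature verification is deliberately left out of `validate_assertion`; a deployed receiver must verify the issuing partner's signature before trusting any of the Conditions, and must keep its seen-ID cache at least as long as the longest assertion lifetime it accepts.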