Receiving SAML Requests

The SAML Extension for iChain must respond to SAML requests from Trusted Affiliate sites. This is commonly done when the SAML extension server has sent an outbound user to a Trusted Affiliate site using the SAML browser/Artifact profile. In this case, the Trusted Affiliate site must send a SAML Request to your site to request the SAML assertion corresponding to the provided SAML Artifact. All traffic intended for the SAML extension server must first pass through the iChain proxy. Figure 96 shows the communication details:
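The exchange described above, as an added example that is not part of the original documentation or of the Novell product: a minimal source-site artifact responder in Go. It issues a SAML 1.x type 0x0001 artifact (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded) when a user is sent outbound, and later answers the Trusted Affiliate's SOAP-wrapped samlp:Request by checking that the artifact is well-formed, carries its own SourceID, and has not been resolved before. Deriving SourceID as the SHA-1 of the site identifier is a common convention assumed here, not something the page states; the site identifiers, request IDs and the IssueInstant value are constructed, and the SAML assertion is a placeholder element.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
)

const artifactLen = 2 + 20 + 20 // TypeCode 0x0001 || SourceID || AssertionHandle

// Responder is the source site's artifact endpoint: it issues artifacts for
// outbound users and later exchanges each one, once, for its assertion.
type Responder struct {
	sourceID [20]byte
	pending  sync.Map // AssertionHandle [20]byte -> assertion XML string
}

// NewResponder derives SourceID as SHA-1 of the site identifier; that is a common
// convention and an assumption of this example, not something the page states.
func NewResponder(siteID string) *Responder {
	return &Responder{sourceID: sha1.Sum([]byte(siteID))}
}

// IssueArtifact stores the assertion under a fresh random handle and returns the
// base64 artifact that travels with the user to the Trusted Affiliate.
func (r *Responder) IssueArtifact(assertionXML string) (string, error) {
	var handle [20]byte
	if _, err := rand.Read(handle[:]); err != nil {
		return "", err
	}
	r.pending.Store(handle, assertionXML)
	raw := append([]byte{0x00, 0x01}, r.sourceID[:]...)
	return base64.StdEncoding.EncodeToString(append(raw, handle[:]...)), nil
}

// Resolve dereferences one artifact: it must be well-formed and of type 0x0001,
// carry our own SourceID, and name a handle that has not been resolved before.
func (r *Responder) Resolve(artifact string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(artifact)
	if err != nil || len(raw) != artifactLen || raw[0] != 0x00 || raw[1] != 0x01 {
		return "", errors.New("malformed or unsupported artifact")
	}
	if !bytes.Equal(raw[2:22], r.sourceID[:]) {
		return "", errors.New("artifact was not issued by this site")
	}
	var handle [20]byte
	copy(handle[:], raw[22:])
	// Single use: LoadAndDelete removes the handle atomically, so a replayed
	// artifact (even a concurrent one) is refused.
	assertion, ok := r.pending.LoadAndDelete(handle)
	if !ok {
		return "", errors.New("unknown or already resolved artifact")
	}
	return assertion.(string), nil
}

// soapEnvelope is the SOAP-wrapped samlp:Request the affiliate sends.
type soapEnvelope struct {
	XMLName xml.Name `xml:"http://schemas.xmlsoap.org/soap/envelope/ Envelope"`
	Body    struct {
		Request struct {
			RequestID string   `xml:"RequestID,attr"`
			Artifacts []string `xml:"urn:oasis:names:tc:SAML:1.0:protocol AssertionArtifact"`
		} `xml:"urn:oasis:names:tc:SAML:1.0:protocol Request"`
	} `xml:"http://schemas.xmlsoap.org/soap/envelope/ Body"`
}

// BuildRequest is the affiliate's side: a SAML 1.1 Request carrying the artifact
// it received with the user (IssueInstant is a constructed value).
func BuildRequest(requestID, artifact string) string {
	return fmt.Sprintf(`<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>`+
		`<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1" `+
		`RequestID="%s" IssueInstant="2024-01-01T00:00:00Z"><samlp:AssertionArtifact>%s</samlp:AssertionArtifact>`+
		`</samlp:Request></soap:Body></soap:Envelope>`, requestID, artifact)
}

// HandleRequest parses the request, resolves every artifact and answers with a
// samlp:Response. A real responder reports failures in the SAML Status element;
// here they surface as Go errors to keep the example short.
func (r *Responder) HandleRequest(soapXML string) (string, error) {
	var env soapEnvelope
	if err := xml.Unmarshal([]byte(soapXML), &env); err != nil {
		return "", err
	}
	var out bytes.Buffer
	out.WriteString(`<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>` +
		`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" InResponseTo="`)
	xml.EscapeText(&out, []byte(env.Body.Request.RequestID)) // never splice request data in unescaped
	out.WriteString(`"><samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>`)
	for _, a := range env.Body.Request.Artifacts {
		assertion, err := r.Resolve(a)
		if err != nil {
			return "", fmt.Errorf("artifact %q: %w", a, err)
		}
		out.WriteString(assertion)
	}
	out.WriteString(`</samlp:Response></soap:Body></soap:Envelope>`)
	return out.String(), nil
}
```

The SourceID check is what lets the responder refuse artifacts minted by some other site, and the single-use handle is what makes a captured artifact worthless after the affiliate has dereferenced it. Both checks assume the request arrives over the mutually authenticated SSL channel described in the rest of this section; the artifact itself carries no authentication of the requester.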

Figure 96
Communication Pattern

In order for trust to be established in this case, the Trusted Affiliate site must trust the iChain SSL Server Certificate and, if SSL mutual authentication is desired, iChain must trust the Trusted Affiliate's SSL Client Certificate. If the Trusted Affiliate site were also running the SAML extension for Novell iChain, Figure 97 would apply:

Figure 97
Trusted Affiliate Running SAML Extension

Since outbound SAML requests are sent directly from the SAML extension server, this example does not differ much from the previous non-iChain scenario. The Trusted Affiliate's SAML extension server must trust the iChain SSL Server Certificate, and if SSL mutual authentication is being used, iChain must trust the SSL Client Certificate in use by the Trusted Affiliate's SAML extension server.


SSL Trust Configuration

In order for mutually authenticated communication to occur between two SAML sites, each site must trust the other site's SSL Server Certificate and, for mutual authentication, the other site's SSL Client Certificate. Trust must therefore be configured in both directions: your site must trust the Trusted Affiliate, and the Trusted Affiliate must trust you.

For the SAML extension for Novell iChain, this is done by adding trust for the Trusted Affiliate Site:

  1. Import the Trusted Affiliate site's SSL Server Certificate into the iChain Trusted Roots container.

  2. Import the Trusted Affiliate site's SSL Client Certificate into the iChain Trusted Roots container.

  3. Add a reference in SAML Configuration Trusted Affiliate > General > Secure SAML Communication to the imported SSL Server Certificate.

  4. Add a reference in the SAML Configuration Trusted Affiliate > General > Secure SAML Communication to the imported SSL Client Certificate.

To allow the Trusted Affiliate to trust you:

  1. Export the public key certificate associated with your iChain SSL Server Certificate.

  2. Export the public key certificate associated with your SAML extension server SSL Client Certificate.

  3. Send the two certificates to the Trusted Affiliate.
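The two-way trust these steps set up, as an added Go example that is not part of the original documentation or of the Novell product. The server side stands for the iChain proxy: it presents your SSL Server Certificate and its ClientCAs pool holds the one certificate you imported from the Trusted Affiliate (steps 2 and 4 above). The client side stands for the affiliate's SAML extension server: it presents its SSL Client Certificate and its RootCAs pool holds the server certificate you exported to it (step 1 of the second procedure). Three handshakes over loopback TCP show the trusted pair succeeding, a client certificate you never imported being rejected by the server, and a server with the right host name but an unimported certificate being rejected by the client. The certificates are generated self-signed in memory as stand-ins for CA-issued ones, and all host names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates a self-signed certificate standing in for a CA-issued one. Its
// Leaf is the public certificate a site exports; the partner trusts exactly that.
func newCert(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// ServerConfig is the iChain side: present the SSL Server Certificate and require a
// client certificate that verifies against the one imported from the affiliate.
func ServerConfig(own tls.Certificate, trustedClient *x509.Certificate) *tls.Config {
	clientCAs := x509.NewCertPool() // the Trusted Roots container, reduced to one entry
	clientCAs.AddCert(trustedClient)
	return &tls.Config{Certificates: []tls.Certificate{own}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
}

// ClientConfig is the affiliate's SAML extension server: present its SSL Client
// Certificate and accept only the iChain server certificate it imported.
func ClientConfig(own tls.Certificate, trustedServer *x509.Certificate, serverName string) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(trustedServer)
	return &tls.Config{Certificates: []tls.Certificate{own}, RootCAs: roots, ServerName: serverName}
}

// Handshake runs one TLS handshake over loopback TCP and returns what each side saw
// (nil: accepted). Under TLS 1.3 the client finishes before the server has checked
// the client certificate, so a rejected client certificate is reported server-side only.
func Handshake(serverCfg, clientCfg *tls.Config) (serverErr, clientErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		must(err)
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		done <- tls.Server(conn, serverCfg).Handshake()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr = tls.Client(conn, clientCfg).Handshake()
	return <-done, clientErr
}

type Outcome struct{ Server, Client error } // one handshake's result per side

// RunScenarios exercises the trust relationship in both directions; all names are
// constructed for the example.
func RunScenarios() (trusted, rogueAffiliate, impostorServer Outcome) {
	ichain := newCert("ichain.example.com")       // your iChain SSL Server Certificate
	affiliate := newCert("affiliate.example.com") // the affiliate's SSL Client Certificate
	rogue := newCert("rogue.example.com")         // a client certificate you never imported
	impostor := newCert("ichain.example.com")     // right name, but not the certificate the affiliate imported
	server := ServerConfig(ichain, affiliate.Leaf)
	client := func(c tls.Certificate) *tls.Config { return ClientConfig(c, ichain.Leaf, "ichain.example.com") }
	trusted.Server, trusted.Client = Handshake(server, client(affiliate))
	rogueAffiliate.Server, rogueAffiliate.Client = Handshake(server, client(rogue))
	impostorServer.Server, impostorServer.Client = Handshake(ServerConfig(impostor, affiliate.Leaf), client(affiliate))
	return
}
```

Two points the handshakes make concrete. First, each pool holds one certificate, so trust is pinned to exactly what the partner sent you rather than to any certificate a public CA would sign; that is the property the Trusted Roots import gives you. Second, the rogue-affiliate case fails on the server side only: a Go client that cannot satisfy the server's advertised certificate authorities sends no certificate at all, and the server then refuses the connection for lack of one, so the rejection must be looked for in the proxy's logs rather than at the affiliate.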

After you understand the trust relationship that must exist between your site and your Trusted Affiliate partners, you can set up the system for SSL and SSL with mutual authentication.