There are three different types of directory objects associated with the SAML extension for Novell iChain:
SAMLExtensionServer: Contains configuration information that allows the iChain server(s) to communicate with the SAML extension server.
samlSiteConfig: Contains the top-level SAML configuration for the system, and contains attributes that define this SAML site. The samlSiteConfig object is contained by the SAMLExtensionServer object.
samlTrustedAffiliate: Contains information about this site's relationship with a SAML partner site. It contains all of the settings that allow this site to communicate and trust the partner site. The samlTrustedAffiliate object is contained by the samlSiteConfig object.
Figure 32 shows the directory layout of the SAML extension for Novell iChain directory objects:
Figure 32

To illustrate how the SAML extension relationship works, consider the following example. Two sites, Novell and PartnerCorp, want to create a SAML relationship, so both need a SAML configuration of some kind. For the purposes of this example, it is assumed that both entities are using the SAML extension for Novell iChain. The following configurations are needed:
Novell's samlSiteConfig object:
i. Create a Site ID: www.novell.com
ii. Create a Source ID: XYZ
Novell's samlTrustedAffiliate object for PartnerCorp:
i. Use the Site ID provided by PartnerCorp: www.partnercorp.com
ii. Use the Source ID provided by PartnerCorp: PDQ
PartnerCorp's samlSiteConfig object:
i. Create a Site ID: www.partnercorp.com
ii. Create a Source ID: PDQ
PartnerCorp's samlTrustedAffiliate object for Novell:
i. Use the Site ID provided by Novell: www.novell.com
ii. Use the Source ID provided by Novell: XYZ
Figure 33 shows the directory object layout of each of these configurations. The left side of this window shows the configuration for Novell and right side shows the configuration for PartnerCorp.
Figure 33

With this configuration, when PartnerCorp receives a SAML assertion issued by Novell, PartnerCorp can map the assertion to its samlTrustedAffiliate entry for Novell because the Issuer value in the assertion matches the Site ID stored in that entry (www.novell.com). Likewise, when PartnerCorp receives a SAML artifact whose Source ID is XYZ, it can associate that artifact with Novell because the Source ID matches the value stored in the same entry.

Much more than the Site ID and Source ID must be shared in order to create a SAML trust relationship. At the current time there is no standard way of sharing this configuration information. Work is under way in the SAML standards body to create a common metadata format that SAML partner sites could exchange to create these trust relationships automatically; until that work is complete, the exchange must be done by hand, out of band, between the SAML system administrators. Typically, the information needed to create a SAML trust relationship includes the following:
SOAP Endpoint URL: Where the partner receives SAML SOAP messages.
Artifact Receiver URL: Where the partner receives incoming SAML Artifacts.
POST Receiver URL: Where the partner receives incoming SAML POST data.
Signing Public Key Certificate: The certificate whose public key is used to verify the partner's signatures on SAML data.
SSL Server Certificate: Lets us trust the partner's SAML server when we act as the client and make requests to it.
SSL Client Certificate: Lets us trust the partner's SAML client when it makes requests to our server.
Requested User Attributes: Which attributes of our users the partner site needs to receive.
Audiences: What audience restriction conditions will be placed on the SAML assertions.
These settings could be shared between the sites using e-mail, and some could even be negotiated in telephone conversations. Because the trust relationship rests on these values, the certificates in particular should be confirmed over a second channel (for example, by comparing fingerprints by telephone) before the corresponding samlTrustedAffiliate object is created.
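As an added worked example (not part of the original documentation and not Novell's code), the following Python models the two lookups described above: resolving an incoming assertion's Issuer to a samlTrustedAffiliate entry by Site ID, and resolving a SAML 1.x artifact to an affiliate by Source ID, together with the audience check from the list of shared settings. It assumes the Source ID is the 20-byte SHA-1 digest of the Site ID, the usual form in SAML 1.x, rather than the page's placeholders XYZ and PDQ; the audience URLs and the artifact handles are constructed for the example.

```python
"""Model of the samlTrustedAffiliate lookups: Issuer -> Site ID and
artifact SourceID -> Source ID.  Constructed example; data and the
SHA-1-derived Source IDs are assumptions, not values from the page."""
import base64
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# SAML 1.x type-1 artifact: 2-byte TypeCode (0x0001), 20-byte SourceID,
# 20-byte AssertionHandle, base64 encoded.
SAML1_ARTIFACT_TYPE = 1


def source_id_for(site_id: str) -> bytes:
    """Assumed convention: Source ID = SHA-1 of the Site ID (20 bytes)."""
    return hashlib.sha1(site_id.encode("utf-8")).digest()


@dataclass
class TrustedAffiliate:
    """One samlTrustedAffiliate entry: what we know about a partner site."""
    site_id: str       # compared with the assertion's Issuer value
    source_id: bytes   # compared with the artifact's SourceID field


@dataclass
class SiteConfig:
    """The samlSiteConfig object plus the affiliates it contains."""
    site_id: str
    source_id: bytes
    accepted_audiences: Set[str] = field(default_factory=set)  # assumed: our own audience URIs
    affiliates: Dict[str, TrustedAffiliate] = field(default_factory=dict)

    def add_affiliate(self, aff: TrustedAffiliate) -> None:
        self.affiliates[aff.site_id] = aff

    def affiliate_for_issuer(self, issuer: str) -> Optional[TrustedAffiliate]:
        """Assertion path: the Issuer must equal a configured partner Site ID."""
        return self.affiliates.get(issuer)

    def affiliate_for_artifact(self, artifact_b64: str) -> Optional[TrustedAffiliate]:
        """Artifact path: decode the artifact and match its SourceID field."""
        source_id, _handle = parse_artifact(artifact_b64)
        for aff in self.affiliates.values():
            if aff.source_id == source_id:
                return aff
        return None


def build_artifact(source_id: bytes, handle: bytes) -> str:
    """Encode a SAML 1.x type-1 artifact from a SourceID and an AssertionHandle."""
    if len(source_id) != 20 or len(handle) != 20:
        raise ValueError("SourceID and AssertionHandle must be 20 bytes each")
    raw = struct.pack(">H", SAML1_ARTIFACT_TYPE) + source_id + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64: str) -> Tuple[bytes, bytes]:
    """Decode and validate a type-1 artifact; returns (SourceID, AssertionHandle)."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 42:
        raise ValueError("type-1 artifact must decode to 42 bytes, got %d" % len(raw))
    (type_code,) = struct.unpack(">H", raw[:2])
    if type_code != SAML1_ARTIFACT_TYPE:
        raise ValueError("unsupported artifact type %d" % type_code)
    return raw[2:22], raw[22:42]


def artifact_is_well_formed(artifact_b64: str) -> bool:
    try:
        parse_artifact(artifact_b64)
        return True
    except ValueError:
        return False


def audience_ok(site: SiteConfig, assertion_audiences: Optional[Set[str]]) -> bool:
    """None means the assertion carries no AudienceRestrictionCondition;
    otherwise at least one listed audience must name this site."""
    if assertion_audiences is None:
        return True
    return bool(assertion_audiences & site.accepted_audiences)


def build_example_sites() -> Tuple[SiteConfig, SiteConfig]:
    """The two-site relationship from the text (audience URLs are invented)."""
    novell = SiteConfig("www.novell.com", source_id_for("www.novell.com"),
                        accepted_audiences={"https://www.novell.com/saml"})
    partner = SiteConfig("www.partnercorp.com", source_id_for("www.partnercorp.com"),
                         accepted_audiences={"https://www.partnercorp.com/saml"})
    # Each site's samlTrustedAffiliate entry stores the values the *other* site provided.
    novell.add_affiliate(TrustedAffiliate(partner.site_id, partner.source_id))
    partner.add_affiliate(TrustedAffiliate(novell.site_id, novell.source_id))
    return novell, partner


if __name__ == "__main__":
    novell, partner = build_example_sites()
    art = build_artifact(novell.source_id, b"\x01" * 20)  # constructed handle
    print(partner.affiliate_for_issuer("www.novell.com").site_id)
    print(partner.affiliate_for_artifact(art).site_id)
```

The artifact path is the one worth attention in review: an artifact from an unknown Source ID must resolve to no affiliate (and so be rejected) rather than fall through to a default partner, and a malformed or wrong-type artifact is rejected before any lookup happens.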
The following sections deal with the objects in the directory that are used to configure the SAML system and to define these SAML trust relationships.