The SAML extension server can be accessed using the following two URL extensions:
http(s)://host/cmd/ext/samlext/saml/resp: Used for non-mutually authenticated SSL connections.
https://host/cmd/mutExt/samlext/saml/resp: Used only for SSL connections with mutual authentication.
If you want Trusted Affiliate partner sites to access your site using only SSL with mutual authentication, they must use the second URL (/cmd/mutExt).
You can require that a given Trusted Affiliate use SSL with mutual authentication by modifying the settings on the Assertions page of that Trusted Affiliate's Properties page, as shown in Figure 106:
Figure 106
If the Require client authentication for secure SAML communication option is selected, the system accepts only communication over /cmd/mutExt.
The SOAP Responder URL now contains /cmd/mutExt, rather than /cmd/ext. You can require that affiliates communicating with you over the SAML back-channel use SSL-M. This setting is made on the Assertions page.
With the Require Client Authentication for Secure SAML Communication setting enabled, only connections with SSL-M and with a certificate matching that in the Secure SAML Communication field are accepted.
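The following added example (not part of the product or its documentation) audits an affiliate inventory against the rule above: an affiliate with client authentication required must be given the /cmd/mutExt URL, and that URL is https only. The inventory format, field names, and host names are assumptions made for illustration; only the two URL paths come from this page.

```python
from urllib.parse import urlsplit

# Paths taken from the page; everything else below is constructed for illustration.
STANDARD_PATH = "/cmd/ext/samlext/saml/resp"
MUTUAL_PATH = "/cmd/mutExt/samlext/saml/resp"


def classify_responder_url(url):
    """Return 'mutual' or 'standard' for a SAML extension server URL, else raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.path == MUTUAL_PATH:
        if scheme != "https":
            raise ValueError("/cmd/mutExt is only served over https")
        return "mutual"
    if parts.path == STANDARD_PATH:
        if scheme not in ("http", "https"):
            raise ValueError("unsupported scheme: " + repr(scheme))
        return "standard"
    raise ValueError("path is not a SAML extension server endpoint")


def audit_affiliates(affiliates):
    """Return (name, problem) pairs for affiliates whose URL conflicts with their setting."""
    findings = []
    for aff in affiliates:
        try:
            kind = classify_responder_url(aff["responder_url"])
        except ValueError as exc:
            findings.append((aff["name"], str(exc)))
            continue
        # With client authentication required, only /cmd/mutExt is accepted.
        if aff["require_client_auth"] and kind != "mutual":
            findings.append((aff["name"], "client authentication required, but URL uses /cmd/ext"))
    return findings


# Constructed sample inventory (hypothetical affiliate names and hosts).
SAMPLE = [
    {"name": "partner-a", "require_client_auth": True,
     "responder_url": "https://sso.example.test/cmd/mutExt/samlext/saml/resp"},
    {"name": "partner-b", "require_client_auth": True,
     "responder_url": "https://sso.example.test/cmd/ext/samlext/saml/resp"},
    {"name": "partner-c", "require_client_auth": True,
     "responder_url": "http://sso.example.test/cmd/mutExt/samlext/saml/resp"},
    {"name": "partner-d", "require_client_auth": False,
     "responder_url": "http://sso.example.test/cmd/ext/samlext/saml/resp"},
]

if __name__ == "__main__":
    for name, problem in audit_affiliates(SAMPLE):
        print(name + ": " + problem)
```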