Technical Documentation

Configuring a SAML Access Control Resource Policy (NSM Procedure)

When enabling access control transactions to a trusted access management system, the Secure Access device and trusted access management system exchanges information.

To configure a SAML access control resource policy:

  1. In the navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure a SAML access control resource policy.
  2. Click the Configuration tab. Select Users > Resource Policies > Web > SAML ACL.
  3. Add or modify settings as specified in Table 1.
  4. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 1: Configuring SAML Access Control Resource Policy Details

SAML ACL > General tab or Detailed Rule tab

Name

Specifies the name of the policy.

Enter the name.

Description

Describes the policy.

Enter the policy.

New Resources

Specifies the resources to which this policy applies.

Enter the resources.

Role application

Specifies the roles to which this policy applies.

Select one of the following options from the drop-down list:

  • Policy applies to ALL roles—Applies this policy to all users.
  • Policy applies to SELECTED roles—Applies this policy only to users who are mapped to roles in the selected roles list.
  • Policy applies to all roles OTHER THAN those selected below—Applies this policy to all users except for those who map to the roles in the selected roles list.

Action

Allows or denies the Secure Access device to perform an access control check.

Select one of the following options from the drop-down list:

  • Use SAML—Secure Access device performs an access control check to the specified URL.
  • Do not use SAML—Secure Access device does not perform an access control check.
  • Use Detailed Rules—Specifies one or more detailed rules for this policy.

SAML Web Service URL

Specifies the URL of the access management system’s SAML server.

Enter the URL, using the format:https://hostname/ws.

SAML Web Service Issuer

Specifies the hostname of the issuer, which in most cases is the hostname of the access management system.

Enter a unique string.

Authentication Type

Specifies the authentication method that the SAML Web service should use to authenticate the Secure Access device.

Select one of the following options from the drop-down list:

  • None—Does not authenticate the Secure Access device.
  • Username/Password—Authenticates the Secure Access device using a username and password.
  • Certificate—Authenticates the Secure Access device using a certificate signed by a trusted certificate authority.

Username

Specifies the username that the Secure Access device must send the Web service.

Note: The username and password fields are displayed only when you select the Username/Password option from the Authentication Type drop-down list.

Enter the username.

Password

Specifies the password that the Secure Access device must send the Web service.

Enter the password

Certificate

Specifies the certificate installed on the Secure Access device to send to the Web service.

Note: This box is displayed only when you select Certificate option from the Authentication Type drop-down list.

Select the certificate installed on the Secure Access device from the drop-down list.

Subject Name Type

Specifies which method the Secure Access device and SAML Web service should use to identify the user.

Select one of the following options from the drop-down list:

  • Other—Sends the username in another format agreed upon by the Secure Access device and the SAML Web service.
  • DN—Sends the username in the format of a DN (distinguished name) attribute.
  • Email Address—Sends the username in the format of an e-mail address.
  • Windows—Sends the username in the format of a Windows domain qualified username.

Subject Name

Specifies the username that the Secure Access device should pass to the SAML Web service.

Enter the username.

Device Issuer

Specifies the hostname of the issuer, which in most cases is the hostname of the access management system.

Enter the hostname.

Maximum Cache Time (seconds)

Specifies the amount of time the Secure Access device should cache the responses (in seconds).

Enter the time.

Ignore Query data

Specifies that the Secure Access device should remove the query string from the URL before requesting authorization or caching the authorization response.

Select the Ignore Query data check box to enable this feature.

SAML ACL > Role

Role

Maps roles to access control policy resources.

Note: The Role tab is enabled only when you select Policy applies to SELECTED roles or Policy applies to all roles OTHER THAN those selected below from the Action drop-down list.

    Select a role and click Add to add roles from the Non-members to the Members list.

    SAML ACL > Detailed Rules tab

    Conditions

    Specifies one or more expressions to evaluate to perform the action.

    Specify one of the following options:

    • Boolean expressions: Using system variables, write one or more Boolean expressions using the NOT, OR, or AND operators.
    • Custom expressions: Using the custom expression syntax, write one or more custom expressions.

    Published: 2009-08-20