Configuring a SAML Access Control Resource Policy (NSM Procedure)
When you enable access control transactions with a trusted access management system, the Secure Access device and the trusted access management system exchange information.
To configure a SAML access control resource policy:
- In the navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure a SAML access control resource policy.
- Click the Configuration tab. Select Users > Resource Policies > Web > SAML ACL.
- Add or modify settings as specified in Table 1.
- Click one:
  - OK—Saves the changes.
  - Cancel—Cancels the modifications.
Table 1: Configuring SAML Access Control Resource Policy Details

| Option | Function | Your Action |
|---|---|---|
| **SAML ACL > General tab or Detailed Rule tab** | | |
| Name | Specifies the name of the policy. | Enter the name. |
| Description | Describes the policy. | Enter the description. |
| New Resources | Specifies the resources to which this policy applies. | Enter the resources. |
| Role application | Specifies the roles to which this policy applies. | Select one of the following options from the drop-down list. |
| Action | Allows or denies the Secure Access device to perform an access control check. | Select one of the following options from the drop-down list. |
| SAML Web Service URL | Specifies the URL of the access management system's SAML server. | Enter the URL in the required format. |
| SAML Web Service Issuer | Specifies the hostname of the issuer, which in most cases is the hostname of the access management system. | Enter a unique string. |
| Authentication Type | Specifies the authentication method that the SAML Web service should use to authenticate the Secure Access device. | Select one of the following options from the drop-down list (for example, Username/Password or Certificate). |
| Username | Specifies the username that the Secure Access device must send to the Web service. Note: The Username and Password fields are displayed only when you select the Username/Password option from the Authentication Type drop-down list. | Enter the username. |
| Password | Specifies the password that the Secure Access device must send to the Web service. | Enter the password. |
| Certificate | Specifies the certificate installed on the Secure Access device to send to the Web service. Note: This box is displayed only when you select the Certificate option from the Authentication Type drop-down list. | Select the certificate installed on the Secure Access device from the drop-down list. |
| Subject Name Type | Specifies which method the Secure Access device and SAML Web service should use to identify the user. | Select one of the following options from the drop-down list. |
| Subject Name | Specifies the username that the Secure Access device should pass to the SAML Web service. | Enter the username. |
| Device Issuer | Specifies the hostname of the issuer, which in most cases is the hostname of the access management system. | Enter the hostname. |
| Maximum Cache Time (seconds) | Specifies the amount of time, in seconds, for which the Secure Access device should cache the authorization responses. | Enter the time. |
| Ignore Query data | Specifies that the Secure Access device should remove the query string from the URL before requesting authorization or caching the authorization response. | Select the Ignore Query data check box to enable this feature. |
| **SAML ACL > Role** | | |
| Role | Maps roles to access control policy resources. Note: The Role tab is enabled only when you select Policy applies to SELECTED roles or Policy applies to all roles OTHER THAN those selected below from the Action drop-down list. | Select a role and click Add to move it from the Non-members list to the Members list. |
| **SAML ACL > Detailed Rules tab** | | |
| Conditions | Specifies one or more expressions to evaluate in order to perform the action. | Specify one of the following options. |
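As an added illustration of how the Maximum Cache Time and Ignore Query data settings interact (example code written for this page, not Juniper's implementation): a small model of the device-side authorization cache. The SAML Web service is replaced by an assumed callable, and the class, its method names and the sample URLs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

# Hypothetical model of the device-side behaviour described in Table 1;
# not Juniper code. The SAML Web service is a stand-in callable.
AuthzFn = Callable[[str, str], bool]  # (subject_name, resource) -> permit?

@dataclass
class SamlAclPolicy:
    max_cache_time: float      # "Maximum Cache Time (seconds)"
    ignore_query_data: bool    # "Ignore Query data" check box
    _cache: Dict[Tuple[str, str], Tuple[bool, float]] = field(default_factory=dict, repr=False)
    backend_calls: int = 0     # number of SAML exchanges actually performed

    def normalize(self, url: str) -> str:
        # With Ignore Query data enabled, the query string is dropped before
        # the authorization request is built and before the response is cached.
        if not self.ignore_query_data:
            return url
        parts = urlsplit(url)
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", parts.fragment))

    def decide(self, subject: str, url: str, now: float, web_service: AuthzFn) -> bool:
        resource = self.normalize(url)
        key = (subject, resource)
        hit = self._cache.get(key)
        if hit is not None and now - hit[1] < self.max_cache_time:
            return hit[0]                       # served from cache, no SAML exchange
        decision = web_service(subject, resource)
        self.backend_calls += 1
        if self.max_cache_time > 0:
            self._cache[key] = (decision, now)  # cache the response with its timestamp
        return decision

def demo() -> dict:
    """Constructed scenario: 'alice' is permitted, then revoked at the access management system."""
    permitted = {"alice"}
    def web_service(subject: str, resource: str) -> bool:
        return subject in permitted
    strict = SamlAclPolicy(max_cache_time=60, ignore_query_data=False)
    lenient = SamlAclPolicy(max_cache_time=60, ignore_query_data=True)
    for p in (strict, lenient):
        p.decide("alice", "https://app.example/report?id=1", 0.0, web_service)
        p.decide("alice", "https://app.example/report?id=2", 1.0, web_service)
    calls = (strict.backend_calls, lenient.backend_calls)
    permitted.discard("alice")  # revocation at the access management system
    still_allowed = lenient.decide("alice", "https://app.example/report?id=1", 30.0, web_service)
    after_expiry = lenient.decide("alice", "https://app.example/report?id=1", 61.0, web_service)
    return {"strict_calls": calls[0], "lenient_calls": calls[1],
            "still_allowed": still_allowed, "after_expiry": after_expiry}
```

The point to verify in a deployment: with Ignore Query data enabled, every URL that differs only in its query string shares one cached decision, and a permission revoked at the access management system continues to be honored until the cached response ages out of Maximum Cache Time.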
