Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Configuring SAML SSO Artifact Profile Resource Policy (NSM Procedure)

    Configure SAML SSO Artifact profile resource policy to communicate using the artifact profile (also called Browser/Artifact profile) the trusted access management server “pulls” authentication information from the Secure Access device.

    To configure SAML SSO artifact profile resource policy:

    1. In the navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure a SAML Artifact Profile resource policy.
    2. Click the Configuration tab. Select Users > Resource Policies > Web > SAML SSO.
    3. Add or modify settings as specified in Table 1.
    4. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.

    Table 1: Configuring SAML SSO Artifact Profile Resource Policy Details

    OptonFunctionYour Action
    SAML SSO > General tab or Detailed Role tab

    Name

    Specifies the name of the policy.

    Enter the name.

    Description

    Describes the policy.

    Enter the description.

    New Resources

    Specifies the resources to which this policy applies.

    Enter the path

    Role application

    Specifies the roles to which this policy applies.

    Select one of the following options from the drop-down list:

    • Policy applies to ALL roles—Applies the policy to all users.
    • Policy applies to SELECTED roles—Applies the policy only to users who are mapped to roles in the Role Selection section.
    • Policy applies to all roles OTHER THAN those selected below—Applies the policy to all users except for those who mapped to the roles in the Role Selection section.

    Action

    Specifies that the Secure Access device performs a single-sign on (SSO) request to the specified URL.

    Select one of the following options from the drop-down list:

    • Use SAML SSO—Secure Access device performs a single-sign on (SSO) request to the specified URL using the data specified in the SAML SSO details section.
    • Do not use SAML SSO—Secure Access device does not perform an SSO request.
    • Use Detailed Rules—Specifies one or more detailed rules for this policy.

    SAML Assertion Consumer service URL

    Specifies the URL that the Secure Access device must contact the assertion consumer service during SSO transactions.

    Enter the URL.

    Profile

    Specifies the type of the profile.

    Select Artifact or POST from the drop-down list.

    Source ID

    Specifies the source ID for the Secure Access device.

    Enter the source ID. If you enter a:

    • Plain text string—The Secure Access device converts, pads, or truncates it to a 20-byte string.
    • Base-64 encoded string—The Secure Access device decodes it and ensures that it is 20 bytes.

    Issuer

    Specifies the string that the Secure Access device can use to identify itself when it generates assertions.

    Enter the string.

    Subject Name Type

    Specifies which method the Secure Access device and assertion consumer service should use to identify the user.

    Select one of the following options from the drop-down list:

    • Other—Sends the username in another format
    • DN—Sends the username in the format of a DN (distinguished name) attribute.
    • Emal Address—Sends the username in the format of an e-mail address.
    • Windows—Sends the username in the format of a Windows domain qualified username.

    Subject Name

    Specifies the username that the Secure Access device should pass to the assertion consumer service.

    Enter a variable. Or, enter static text.

    New Cookie Domain(s)

    Specifies the list of domains to which the SSO cookies are associated.

    Enter a comma-separated list of domains.

    Authentication Type

    Specifies the authentication method that the Secure Access device should use to authenticate the assertion consumer service.

    Select one of the following options from the drop-down list:

    • None—Does not authenticate the assertion consumer service.
    • Username/Password— Authenticates the assertion consumer service using a username and password.
    • Certificate—Authenticates the assertion consumer service using certificate attributes.

    Username

    Specifies the username that the assertion consumer service must send the Secure Access device.

    Note: The username and password boxes are displayed only when you select the Username/Password option from the Authentication Type drop-down list.

    Enter the username.

    Password

    Specifies the password that the Secure Access device must send the Secure Access device.

    Enter the password.

    Certificate

    Attribute Name

    Specifies the attributes that the assertion consumer service must send the Secure Access device. (one attribute per line).

    Note: The certificates-attributes box is displayed only when you select Certificate option from the Authentication Type drop-down list.

    Enter the attribute name. For example, enter cn=sales.

    Attribute Value

    Specifies the attribute values that match the values contained in the assertion consumer service’s certificate.

    Enter the attribute value.

    SAML SSO > Role

    Role

    Maps roles to the resource control policy.

    Note: The Role tab is enabled only when you select the Policy applies to SELECTED roles or the Policy applies to all roles OTHER THAN those selected below option from the Applies to role drop-down list.

    Select a role and click Add to add roles from the Non-members to Members list.

    SAML SSO > Detailed Role

    Conditions

    Specifies one or more expressions to evaluate to perform the action.

    Specify one of the following options:

    • Boolean expressions: Using system variables, write one or more Boolean expressions using the NOT, OR, or AND operators.
    • Custom expressions: Using the custom expression syntax, write one or more custom expressions.

    Published: 2013-01-03