Configuring Front-Channel Communication

Use

Front-channel communication uses HTTP POST or HTTP redirect bindings, routed through the client, between the service provider and the identity provider. Use front-channel bindings when response time to the client request matters more than ensuring that SAML messages are not exposed to the client or to any malicious third parties. Back-channel communication increases the number of messages the service provider and identity provider must exchange to log on.

Prerequisites
  • You have determined which front-channel bindings you want to support.

    HTTP POST

    Advantages: Transports SAML messages in the body of the message. There are no length limitations. See the disadvantages of HTTP redirect below.

    Disadvantages:

    • There may be some clients that do not support HTTP POST.

    • To avoid user interaction when sending the client from one server to the next, clients employ an auto-post function. The auto-post function uses JavaScript. Depending on your situation, the use of JavaScript can represent a security risk.

    HTTP redirect

    Advantages: The client is sent from one server to the next without interaction from the user.

    Disadvantages: Redirect transports the SAML message in the URL. If the URL is too long, the client truncates the URL. If you use long URLs or include security options such as encryption of message elements, avoid HTTP redirect.

  • SAML 2.0 has been enabled on your SAP NetWeaver Application Server (AS) Java.

    For more information, see Enabling the SAML Service Provider.
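The two front-channel bindings compared above differ only in how the SAML message is carried; the following added example (not SAP code, and not from this page) encodes the same constructed AuthnRequest the way each binding does, and includes a pre-flight URL-length check for the redirect case. The entity IDs, endpoint URLs and the SignatureValue filler are constructed placeholders; the URL limit you pass to fits_in_url is an assumption about your clients, not a value from the SAP documentation.

```python
import base64
import hashlib
import urllib.parse
import zlib

# Constructed placeholder values; none of these are real endpoints or identifiers.
SP_ENTITY_ID = "https://sp.example.com/saml2/sp"
IDP_SSO_URL = "https://idp.example.com/saml2/idp/sso"

def build_sample_message(signature_bytes: int = 0) -> str:
    """Minimal AuthnRequest; signature_bytes > 0 appends a deterministic high-entropy
    SignatureValue (SHA-256 chain) standing in for real signature or ciphertext material."""
    body = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{SP_ENTITY_ID}/acs">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
    )
    if signature_bytes:
        blob, seed = bytearray(), b"constructed-seed"
        while len(blob) < signature_bytes:
            seed = hashlib.sha256(seed).digest()
            blob += seed
        sig = base64.b64encode(bytes(blob[:signature_bytes])).decode("ascii")
        body += f"<ds:SignatureValue>{sig}</ds:SignatureValue>"
    return body + "</samlp:AuthnRequest>"

def encode_http_redirect(xml: str, endpoint: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(level=9, wbits=-15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    return endpoint + "?" + urllib.parse.urlencode(params)

def decode_http_redirect(url: str) -> str:
    """Receiving side: parse the query string, base64-decode, inflate."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), wbits=-15).decode("utf-8")

def encode_http_post(xml: str) -> str:
    """HTTP-POST binding: plain base64 of the XML, sent as a form field in the request body."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

def decode_http_post(field: str) -> str:
    return base64.b64decode(field).decode("utf-8")

def fits_in_url(url: str, max_url_len: int) -> bool:
    """Pre-flight check for the Redirect binding; max_url_len is the limit you assume for your clients."""
    return len(url) <= max_url_len
```

Running build_sample_message with a few kilobytes of signature material shows why the ACS cannot use redirect: DEFLATE gains nothing on signature or ciphertext bytes, so the URL grows past any realistic client limit while the POST form field carries it without issue.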

Procedure

Disabling Front-Channel Communication

Use this procedure to restrict authentication to back-channel communication.

  1. Start SAP NetWeaver Administrator with the quick link /nwa/auth.

  2. Choose SAML 2.0 > Local Provider.

  3. Choose the Service Provider Settings tab.

  4. Disable the following bindings:

    • For the assertion consumer service (ACS), deselect the HTTP POST checkbox.

      Note

      HTTP redirect is not an option for the ACS, because the assertion is too large to transport as part of the URL.

    • For the Single Log-Out (SLO) service, deselect the HTTP POST and HTTP Redirect checkboxes.

  5. Disable HTTP POST and HTTP redirect bindings from trusted identity providers.

    For more information, see the product documentation for your identity provider.

Enabling Front-Channel Communication

Use this procedure to accept front-channel communication and configure the other front-channel parameters.

1. Determining Which Services Accept Front-Channel Communication

  1. Start SAP NetWeaver Administrator with the quick link /nwa/auth.

  2. Choose SAML 2.0 > Local Provider.

  3. Choose the Service Provider Settings tab.

  4. Determine for which services you want to accept front-channel communication from identity providers.

    • For Single Sign-On (SSO), select the HTTP POST checkbox under Assertion Consumer Service.

    • For Single Log-Out (SLO), select the HTTP POST or HTTP Redirect checkbox under Single Log-Out.

  5. Enter the interval for deleting expired assertions.

    This property determines how often expired assertions are deleted from the database. Based on the number of users you expect to log on to your system at the same time, you can estimate how quickly assertions accumulate. If you expect heavy usage and database space is an issue, set a lower value.

    Caution

    If you set a value that is too high, you expose your system to denial-of-service attacks.

2. Configuring the Endpoints for the Trusted Identity Provider

With this procedure you configure the outgoing connection to the identity provider. This procedure assumes that you have already trusted an identity provider.

For more information about trusting an identity provider, see Trusting an Identity Provider.

  1. Choose Trusted Providers.

  2. Select an identity provider and choose the Edit pushbutton.

  3. Choose the Endpoints tab.

  4. Configure the Single Sign-On Endpoints and Single Log-Out Endpoints to use HTTP POST and HTTP redirect bindings as required.

    1. Add any HTTP POST and HTTP redirect bindings.

    2. Enter the endpoint URLs for the services on the identity provider.

  5. Determine if you want to configure any authentication requirements for the authentication request to the identity provider.

    The authentication requirements enable you to override the configuration settings made for the individual resources of the service provider. You can configure the following:

    • The authentication context

    • Whether the identity provider returns the assertion to the ACS or directly to the application.

    • Whether to require the identity provider to use the default binding, HTTP POST, or HTTP artifact to return the assertion.

    To force the identity provider to return the assertion over the front channel, enter HTTP POST in the Binding field.

    Note

    If you choose to send the authentication response to the application URL and require the HTTP POST binding, you expose the application URL to anyone able to eavesdrop on the user agent.

  6. Save your entries.

3. Configuring the Identity Provider

  1. Check that the identity provider endpoints are configured to accept HTTP POST or HTTP redirect from the service provider.

  2. Check that the identity provider is configured to use HTTP POST or HTTP redirect to connect to the endpoints of the service provider.

  3. Consider disabling back-channel communication bindings for the identity provider endpoints.

    If the identity provider only accepts front-channel communication, there is no reason to expose its endpoints to back-channel bindings.

For more information about how to configure the identity provider, see the documentation of your identity provider.