
Configuring Back-Channel Communication

Use

Back-channel communication uses HTTP artifact bindings or SOAP bindings to communicate between the service provider and the identity provider. Use back-channel communication to ensure that SAML messages are not exposed to the client or to any malicious third parties eavesdropping on the client. Back-channel communication requires a direct connection between a service provider and an identity provider; if there is a firewall between the providers, direct communication may not be possible. By contrast, front-channel communication can improve the response time for Single Sign-On (SSO), since it requires fewer roundtrips to authenticate a user.

Prerequisites
  • You have determined which back-channel bindings you want to support.

    HTTP artifact

      HTTP artifact binding sends a reference to a SAML message through the client. The identity provider and the service provider then use SOAP to exchange the SAML message to which the artifact refers.

      Advantages: This is the only back-channel binding supported by SAML SSO.

      Disadvantages: Increases the number of roundtrips required to pass a SAML message, increasing response time.

    SOAP

      SOAP binding sends messages directly between the identity provider and the service provider without involving the client.

      Advantages: Providers exchange SAML messages directly.

      Disadvantages: Firewalls can block SOAP. The domain name service (DNS) may not be able to resolve the destination of the message. Using a SOAP binding slows down the system because of the additional database work involved.

  • SAML 2.0 has been enabled on your SAP NetWeaver Application Server (AS) Java.

    For more information, see Enabling the SAML Service Provider.

Procedure

Disabling Back-Channel Communication

Use this procedure to restrict authentication to front-channel communication.

  1. Start SAP NetWeaver Administrator with the quick link /nwa/auth.

  2. Choose SAML 2.0, then Local Provider.

  3. Choose the Service Provider Settings tab.

  4. Choose the Edit button.

  5. Disable the following bindings:

    • For the assertion consumer service (ACS), deselect the HTTP artifact checkbox.

    • For the Single Log-Out (SLO) service, deselect the HTTP artifact and SOAP checkboxes.

      Note

      The SOAP binding is disabled by default.

  6. On the General Settings tab, under Artifact Resolution Service in the Mode field, select Disabled.

  7. Disable HTTP artifact and SOAP bindings from trusted identity providers.

    For more information, see the product documentation for your identity provider.

Enabling Back-Channel Communication with HTTP Artifact

Use this procedure to accept artifacts and configure the other back-channel parameters.

1. Enabling and Configuring the Artifact Resolution Service

  1. Start SAP NetWeaver Administrator with the quick link /nwa/auth.

  2. Choose SAML 2.0, then Local Provider.

  3. Choose the General Settings tab.

  4. Under Artifact Resolution Service in the Mode field, select Enabled.

  5. Enter data as required.

    • To ensure that synchronization problems between systems do not interfere with the SAML artifact connections, increase the validity period for artifacts accepted.

    • Enter the interval for deleting expired artifacts.

      This property determines how often expired, unresolved artifacts are deleted from the database. You can estimate how quickly artifacts are added to the system based on the number of users you expect to log on to your system at the same time. If you expect heavy usage and space is an issue for your database, set a lower value.

      Caution

      If you set a value that is too high, you expose your system to denial of service attacks.
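As an added illustration of what the artifact resolution service manages (example code written for this page, not SAP's implementation): a SAML 2.0 type-4 artifact is built, handed out as the only thing that crosses the client, resolved once over the back channel, and purged once its validity period has elapsed. The issuer entity ID, validity values and SAML messages are constructed.

```python
import base64
import hashlib
import os

TYPE_CODE = b"\x00\x04"  # SAML 2.0 artifact type code (type 4)

def build_artifact(issuer_entity_id: str, endpoint_index: int = 0) -> bytes:
    """SAML 2.0 type-4 artifact: TypeCode | EndpointIndex | SourceID | MessageHandle, base64-encoded."""
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()  # 20 bytes naming the issuer
    handle = os.urandom(20)                                         # 20 random bytes: the reference
    return base64.b64encode(TYPE_CODE + endpoint_index.to_bytes(2, "big") + source_id + handle)

def parse_artifact(artifact: bytes) -> dict:
    """Split a type-4 artifact back into its fields (the SP uses them to pick the resolution endpoint)."""
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or raw[:2] != TYPE_CODE:
        raise ValueError("not a SAML 2.0 type-4 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "handle": raw[24:44]}

class ArtifactResolutionService:
    """Constructed model of the issuing side: each artifact references one stored SAML message."""

    def __init__(self, issuer_entity_id: str, validity_seconds: float):
        self.issuer = issuer_entity_id
        self.validity = validity_seconds
        self._pending = {}  # artifact -> (expiry time, SAML message); the 'database' on the page

    def issue(self, saml_message: str, now: float) -> bytes:
        """Store the message and hand out only the opaque reference that travels through the client."""
        artifact = build_artifact(self.issuer)
        self._pending[artifact] = (now + self.validity, saml_message)
        return artifact

    def resolve(self, artifact: bytes, now: float):
        """Back-channel ArtifactResolve: one-time use; unknown or expired artifacts resolve to None."""
        entry = self._pending.pop(artifact, None)  # pop, so a replayed artifact fails
        if entry is None:
            return None
        expiry, message = entry
        return message if now <= expiry else None

    def purge_expired(self, now: float) -> int:
        """The periodic 'delete expired artifacts' job: drops unresolved entries past their expiry."""
        stale = [a for a, (expiry, _) in self._pending.items() if expiry < now]
        for a in stale:
            del self._pending[a]
        return len(stale)

    def pending_count(self) -> int:
        return len(self._pending)
```

The size of `_pending` between purge runs is what the deletion interval bounds: unresolved artifacts accumulate until the job runs, which is why a long interval under heavy logon load is the denial-of-service exposure the Caution describes.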

2. Determining Which Services Accept Artifacts

  1. On the Service Provider Settings tab, determine for which services you want to accept artifacts from identity providers.

    • To accept artifacts for Single Sign-On (SSO), select the HTTP Artifact checkbox under Assertion Consumer Service.

    • To accept artifacts for Single Log-Out (SLO), select the HTTP Artifact checkbox under Single Log-Out.

  2. Enter the interval for deleting expired assertions.

    This property determines how often assertions are deleted from the database. You can estimate how quickly assertions are added to the system based on the number of users you expect to log on to your system at the same time. If you expect heavy usage and space is an issue for your database, set a lower value.

    Caution

    If you set a value that is too high, you expose your system to denial of service attacks.

3. Configuring the Endpoints for the Trusted Identity Provider

With this procedure you configure the outgoing connection to the identity provider. This procedure assumes that you have already trusted an identity provider.

For more information about trusting an identity provider, see Trusting an Identity Provider.

  1. Choose Trusted Providers.

  2. Select an identity provider and choose the Edit pushbutton.

  3. Choose the Endpoints tab.

  4. Configure the Single Sign-On Endpoints, Single Log-Out Endpoints, and Artifact Endpoints to use HTTP Artifact and SOAP bindings as required.

    1. Add HTTP artifact bindings.

    2. Enter the endpoint URLs for the services on the identity provider.

  5. Determine whether you want to configure any authentication requirements for the authentication request to the identity provider.

    The authentication requirements enable you to override the configuration settings made for the individual resources of the service provider. You can configure the following:

    • The authentication context

    • Whether the identity provider returns the assertion to the ACS or directly to the application.

    • Whether to require the identity provider to use the default binding, HTTP POST, or HTTP artifact to return the assertion.

    To force the identity provider to return the assertion over the back channel, enter HTTP artifact in the Binding field.

    Note

    If you choose to send the authentication response to the application URL and require HTTP POST binding, you expose the application URL to potential eavesdroppers of the user agent.

  6. Save your entries.

4. Configuring the Identity Provider

  1. Check that the identity provider endpoints are configured to accept HTTP artifact bindings from the service provider.

  2. Check that the identity provider is configured to use HTTP artifact bindings to connect to the endpoints of the service provider.

  3. Consider disabling front-channel communication bindings for the identity provider endpoints.

    If the identity provider only accepts back-channel communications, there is no reason to expose the endpoint to front-channel bindings.

For more information about how to configure the identity provider, see the documentation of your identity provider.

Enabling Back-Channel Communication with SOAP

Use this procedure to set the back-channel parameters for SOAP.

1. Accepting SOAP Bindings

  1. Start SAP NetWeaver Administrator with the quick link /nwa/auth.

  2. Choose SAML 2.0, then Local Provider.

  3. On the Service Provider Settings tab, under Single Log-Out, select the SOAP checkbox.

    Note

    When the SOAP binding is enabled, the user session persists in the database.

  4. Enter the interval for deleting expired assertions.

    This property determines how often assertions are deleted from the database. You can estimate how quickly assertions are added to the system based on the number of users you expect to log on to your system at the same time. If you expect heavy usage and space is an issue for your database, set a lower value.

    Caution

    If you set a value that is too high, you expose your system to denial of service attacks.

2. Configuring the Endpoints for the Trusted Identity Provider

With this procedure you configure the outgoing connection to the identity provider. This procedure assumes that you have already trusted an identity provider.

For more information about trusting an identity provider, see Trusting an Identity Provider.

  1. Choose Trusted Providers.

  2. Select an identity provider and choose the Edit pushbutton.

  3. Choose the Endpoints tab.

  4. Configure the Single Log-Out Endpoints to use SOAP binding.

    1. Add the SOAP binding.

      If the identity provider requires authentication for SOAP, configure and select a destination to use from the destination service of the AS Java.

    2. Enter the endpoint URLs for the SLO service on the identity provider.

    3. Determine whether you want the logout response sent to a different URL.

      If yes, enter the custom response location in the Response Location URL column.

  5. Save your entries.

3. Configuring the Identity Provider

  1. Check that the identity provider endpoints are configured to accept HTTP artifact and SOAP bindings from the service provider.

  2. Check that the identity provider is configured to use HTTP artifact and SOAP bindings to connect to the endpoints of the service provider.

  3. Consider disabling front-channel communication bindings for the identity provider endpoints.

    If the identity provider only accepts back-channel communications, there is no reason to expose the endpoint to front-channel bindings.

For more information about how to configure the identity provider, see the documentation of your identity provider.