Configuring Principal Propagation (SAML)

Use

You can configure principal propagation based on Security Assertion Markup Language (SAML).

If you configure principal propagation based on SAML (version SAML 1.1), the user is authenticated on the basis of a trust relationship: no user password is required, because the receiver system trusts the sender system on the basis of certificates and system names.

Principal propagation based on the SAML 1.1 standard is supported for the Web service runtime.
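To make that trust relationship concrete, the following is an added example (not from SAP's documentation or the Web service runtime) of the checks a receiver applies to a SAML 1.1 sender-vouches assertion: the issuer must be a configured, trusted sender system, the assertion must lie within its validity window, and the confirmation method must be sender-vouches. Issuer and user names are constructed placeholders; verification of the XML signature against the sender's certificate is assumed to have been done by the runtime and is not shown.

```python
"""Constructed example of the checks a receiver applies to a SAML 1.1 sender-vouches
assertion. Assumption: the WS runtime has already verified the XML signature."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample; issuer and user names are placeholders, not from the page.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
  MajorVersion="1" MinorVersion="1" AssertionID="_a1b2c3"
  Issuer="SENDER_SYSTEM" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2024-01-01T11:59:50Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier>PROPAGATED_USER</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_utc(value):
    """Parse the UTC timestamps SAML uses, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_sender_vouches(xml_text, trusted_issuers, now):
    """Return (user, None) if the assertion is acceptable, else (None, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return None, "not a SAML 1.x assertion"
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        return None, "unsupported SAML version"
    # Trust is name based: the issuer must be a configured sender system.
    if root.get("Issuer") not in trusted_issuers:
        return None, "untrusted issuer"
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or not (parse_utc(cond.get("NotBefore")) <= now
                            < parse_utc(cond.get("NotOnOrAfter"))):
        return None, "assertion outside validity window"
    # Sender vouches: the receiver relies on the sender's word, not on a user password.
    method = root.find(f".//{{{SAML_NS}}}ConfirmationMethod")
    if method is None or method.text != SENDER_VOUCHES:
        return None, "confirmation method is not sender-vouches"
    name = root.find(f".//{{{SAML_NS}}}NameIdentifier")
    if name is None or not name.text:
        return None, "no subject name in assertion"
    return name.text, None
```

Because the receiver accepts the propagated user purely on the sender's say-so, the set of trusted issuers and the signing certificates behind them are the security boundary of this setup.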

Prerequisites

For inbound and outbound processing on the Integration Server, use a communication channel to connect to the Web service runtime (default: Web Services Reliable Messaging; communication channel: adapter type WS).

Procedure


1. Configuring Back-End Systems Involved

Define trust relationships between the back-end systems involved and execute the further configuration steps that are required in those back-end systems.

More information: Configuring SSO with SAML Token Profiles

2. Configuring in the Integration Directory

In the Integration Directory, use the following steps to specify between which entities principal propagation is to take place.

If you would like principal propagation to occur between a sender system and a receiver system using the Integration Server, perform the following steps:

1. Configure one business system for the sender and one for the receiver.

More information: Configuring Business Systems

2. Implement principal propagation from the sender to the Integration Server.

Caution

Note that you must use a communication channel with adapter type WS for inbound message processing with the Integration Server.

Follow these steps.

   a. Configure the sender channel.

Choose adapter type WS and the Sender radio button.

Under Security Settings, select the following authentication method for the channel:

SAML 1.1 Sender Vouches Assertion (Message Authentication)

Configure any further channel attributes that are required.

More information: Configuring the Communication Channel with Adapter Type WS.

   b. Create a sender agreement for the sender system and the outbound interface, and assign the communication channel that you defined in the previous step to the sender agreement.

More information: Defining Sender Agreements

   c. Activate the configuration objects.

3. Implement principal propagation from the Integration Server to the receiver.

Caution

Note that you must use a communication channel with adapter type WS for outbound message processing with the Integration Server.

Follow these steps.

   a. Configure the receiver channel. Choose adapter type WS and the Receiver radio button.

Under Security Settings, select the following authentication method for the channel:

SAML 1.1 Sender Vouches Assertion (Message Authentication)

Configure any further channel attributes that are required.

More information: Configuring the Communication Channel with Adapter Type WS.

   b. Create a receiver agreement for the receiver system and the inbound interface, and assign the communication channel that you defined in the previous step to the receiver agreement.

More information: Defining Receiver Agreements

   c. Activate the configuration objects.

Note

The procedure described assumes that you want to configure principal propagation for both the inbound and the outbound channels of the Integration Server based on SAML. You can also configure a scenario in which principal propagation is based on SAML for the inbound channel of the Integration Server and on authentication assertion tickets for the outbound channel. In this case you must configure the outbound processing as described in Principal Propagation (Authentication Assertion Tickets).

Further information on configuring principal propagation in the Business Process Engine: Activating Principal Propagation in the BPE.
