
Adjusting the Login Module Stacks for Using SAML

Use

When a user is authenticated on the AS Java, the server processes the stack of login modules that apply to the application that the user accesses. The SAML login module is not automatically included with the default login stacks that are delivered with the AS Java. Therefore, when using SAML for Single Sign-On, you must adjust the login module stacks for those applications that will accept SAML assertions to authenticate a user.

Note

You can either adjust individual login module stacks, or you can adjust any of the corresponding policy configuration templates (basic, form, client_cert, digest). If you change any of these templates, then any applications that use these templates for their login modules are also automatically configured for using SAML assertions. For more information, see Managing Authentication Modules.

Prerequisites

The login module SAMLLoginModule exists in the active user store.

Procedure

Using the Security Provider service:

       1.      Choose the Authentication tab page.

       2.      For each template or application that is to support SAML assertions, for example, the basic template:

                            a.      Add the login module SAMLLoginModule to the login module stack. Position the module so that it is processed before the login module(s) that perform the authentication, for example, the BasicPasswordLoginModule. (Choose Modify and adjust the module’s position.)

If you also use a mapping module, assign the SAML login module the flag OPTIONAL, so that it validates the assertion without concluding the login on its own. Position the mapping module so that it is processed after the SAML login module and assign the mapping module the flag SUFFICIENT.

Otherwise, assign the flag SUFFICIENT to the SAML login module. A fallback authentication mechanism such as the BasicPasswordLoginModule is positioned after the SAML login module (or after the mapping module) and is also flagged SUFFICIENT, so that it is only consulted when no SAML assertion was accepted.

                            b.      Set the options for the SAML login module as indicated in the table below.

Options for the SAML Login Module

Name: Mode
Value: <Standalone, AuthenticationStatement>
Comment: Default=Standalone. Use AuthenticationStatement if you use a user mapping module. Otherwise, use Standalone.

Name: AcceptedAuthenticationMethods
Value: <auth1, auth2, ...>
Comment: Standalone mode only. Specify a list of the authentication methods to accept. Entering an asterisk (*) indicates that all methods are to be accepted.

Note

The name of the authentication method must correspond exactly to the value that the source site provides in the attribute AuthenticationMethod of the assertion.

Note

The available authentication methods are specified in the SAML specification. The most common methods used include:

·         Password: “urn:oasis:names:tc:SAML:1.0:am:password”

·         Client certificate: “urn:ietf:rfc:2246”

When using a mapping module (Mode=AuthenticationStatement), the SAML login module does not evaluate this option; the mapping module must verify itself that the authentication method of the assertion is acceptable.

Examples

Sample Login Module Stack for Using SAML Assertions (no User Mapping)

When processing the following login module stack, the server accepts SAML assertions using any authentication method. Basic Authentication is used as a fallback authentication mechanism: because the SAML login module is flagged SUFFICIENT, the BasicPasswordLoginModule is only consulted when no assertion was accepted.

Login Modules               Flag          Options
SAMLLoginModule             SUFFICIENT    {AcceptedAuthenticationMethods=*, Mode=Standalone}
BasicPasswordLoginModule    SUFFICIENT    {}

Sample Login Module Stack for Using SAML Assertions (with User Mapping)

When processing the following login module stack, the server accepts SAML assertions using any authentication method. The SAML login module is flagged OPTIONAL, so it only validates the assertion; the user mapping module (SAMLMappingModule), executed after it with the flag SUFFICIENT, determines the user’s ID on the AS Java and concludes the login. Basic Authentication is used as a fallback authentication mechanism.

Login Modules               Flag          Options
SAMLLoginModule             OPTIONAL      {AcceptedAuthenticationMethods=*, Mode=AuthenticationStatement}
SAMLMappingModule           SUFFICIENT    {Mapping=SAMLUser:J2EEUser}
BasicPasswordLoginModule    SUFFICIENT    {}

Note

The SAMLMappingModule is a module that we provide with the SAML test application. It maps the user’s SAML user ID to his or her ID on the AS Java using a list specified in the options. To use more appropriate techniques for numerous users, for example, a database table or entries in a directory, you need to provide your own mapping module. For more information, see The SAML Test Application.

Sample Login Module Stack for Using SAML Assertions and Logon Tickets

Some application types do not support SAML assertions and still rely on logon tickets for Single Sign-On. In this case, include the logon ticket login modules (EvaluateTicketLoginModule and CreateTicketLoginModule) in the login module stack as shown in the example below. The EvaluateTicketLoginModule accepts an existing logon ticket first. Otherwise the SAML modules establish the user, and the CreateTicketLoginModule that follows them (SUFFICIENT) issues a logon ticket and concludes the login; it succeeds only once a preceding module has established a user. If no SAML assertion was accepted, Basic Authentication is the fallback (REQUISITE) and is followed by a second CreateTicketLoginModule, so that the user authenticated by password also receives a logon ticket.

Login Modules               Flag          Options
EvaluateTicketLoginModule   SUFFICIENT
SAMLLoginModule             OPTIONAL      {AcceptedAuthenticationMethods=*, Mode=AuthenticationStatement}
SAMLMappingModule           OPTIONAL      {Mapping=SAMLUser:J2EEUser}
CreateTicketLoginModule     SUFFICIENT
BasicPasswordLoginModule    REQUISITE
CreateTicketLoginModule     OPTIONAL
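To see why the flags in the three sample stacks are chosen the way they are, the following added example (written for this page; it is not SAP's code and not the AS Java implementation) models the stacks under the standard JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that login module stacks follow. Each module is reduced to the behaviour described above; the Request class and its field names, the assumption that an absent AcceptedAuthenticationMethods option accepts no method, and the rule that a login which establishes no user ID counts as failed are all assumptions of this example.

```python
"""Constructed model of login-module-stack evaluation under the standard JAAS control
flags. Added illustration, not SAP's implementation; Request fields are assumptions."""
from dataclasses import dataclass
from typing import Optional

PASSWORD_AM = "urn:oasis:names:tc:SAML:1.0:am:password"
CLIENT_CERT_AM = "urn:ietf:rfc:2246"

@dataclass
class Request:  # shared state the modules read and write (hypothetical field names)
    saml_user: Optional[str] = None         # subject of the received assertion, if any
    saml_auth_method: Optional[str] = None  # AuthenticationMethod set by the source site
    ticket_user: Optional[str] = None       # user from a valid logon ticket, if any
    basic_user: Optional[str] = None        # user whose Basic Authentication succeeded
    assertion_valid: bool = False           # set by SAMLLoginModule, read by the mapper
    principal: Optional[str] = None         # AS Java user ID established so far
    ticket_issued: bool = False

def saml_login(req, options):
    """SAMLLoginModule: Standalone checks AcceptedAuthenticationMethods and sets the
    principal; AuthenticationStatement only validates and leaves the ID to a mapper."""
    if req.saml_user is None:
        return False
    if options.get("Mode", "Standalone") == "Standalone":
        accepted = [m.strip() for m in options.get("AcceptedAuthenticationMethods", "").split(",")]
        if "*" not in accepted and req.saml_auth_method not in accepted:
            return False  # method not in the accepted list: fail closed (assumed default)
        req.principal = req.saml_user
    req.assertion_valid = True
    return True

def saml_mapping(req, options):
    """SAMLMappingModule: Mapping=samlUser:j2eeUser,... applied to a validated assertion."""
    table = dict(pair.split(":", 1) for pair in options["Mapping"].split(","))
    if not req.assertion_valid or req.saml_user not in table:
        return False
    req.principal = table[req.saml_user]
    return True

def evaluate_ticket(req, options):
    """EvaluateTicketLoginModule: accepts an existing logon ticket."""
    if req.ticket_user is None:
        return False
    req.principal = req.ticket_user
    return True

def create_ticket(req, options):
    """CreateTicketLoginModule: succeeds, and issues a ticket, only once a user is known."""
    if req.principal is None:
        return False
    req.ticket_issued = True
    return True

def basic_password(req, options):
    """BasicPasswordLoginModule: the password check itself is outside this model."""
    if req.basic_user is None:
        return False
    req.principal = req.basic_user
    return True

def run_stack(stack, req):
    """Evaluate stack = [(module, flag, options), ...] with JAAS flag semantics.
    Returns the user ID, or None if the login fails or no module established a user."""
    has_mandatory = mandatory_failed = any_success = False
    for module, flag, options in stack:
        ok = module(req, options)
        if flag in ("REQUISITE", "REQUIRED"):
            has_mandatory = True
            if not ok and flag == "REQUISITE":
                return None               # fail fast: later modules are skipped
            mandatory_failed |= not ok    # REQUIRED keeps going, but the login fails
        elif flag == "SUFFICIENT" and ok and not mandatory_failed:
            return req.principal          # short-circuit: no fallback is consulted
        elif flag in ("SUFFICIENT", "OPTIONAL"):
            any_success |= ok             # neither decides the outcome alone
        else:
            raise ValueError(f"unknown flag {flag}")
    return None if mandatory_failed or not (has_mandatory or any_success) else req.principal

# The three sample stacks from this page, transcribed as (module, flag, options).
STATEMENT_OPTS = {"AcceptedAuthenticationMethods": "*", "Mode": "AuthenticationStatement"}
STANDALONE_STACK = [
    (saml_login, "SUFFICIENT", {"AcceptedAuthenticationMethods": "*", "Mode": "Standalone"}),
    (basic_password, "SUFFICIENT", {}),
]
MAPPING_STACK = [
    (saml_login, "OPTIONAL", STATEMENT_OPTS),
    (saml_mapping, "SUFFICIENT", {"Mapping": "SAMLUser:J2EEUser"}),
    (basic_password, "SUFFICIENT", {}),
]
TICKET_STACK = [
    (evaluate_ticket, "SUFFICIENT", {}),
    (saml_login, "OPTIONAL", STATEMENT_OPTS),
    (saml_mapping, "OPTIONAL", {"Mapping": "SAMLUser:J2EEUser"}),
    (create_ticket, "SUFFICIENT", {}),
    (basic_password, "REQUISITE", {}),
    (create_ticket, "OPTIONAL", {}),
]
```

Running run_stack(MAPPING_STACK, Request(saml_user="SAMLUser", saml_auth_method=PASSWORD_AM)) returns "J2EEUser": the OPTIONAL SAML module validates the assertion, and the SUFFICIENT mapping module concludes the login, so the password fallback is never consulted. In the ticket stack the same request ends at the SUFFICIENT CreateTicketLoginModule with a ticket issued, whereas a request with only Basic Authentication credentials runs through the REQUISITE BasicPasswordLoginModule and the final CreateTicketLoginModule. Note what AcceptedAuthenticationMethods=* means in the Standalone stack: an assertion carrying any AuthenticationMethod, including one the source site was never meant to use, is accepted; restrict the list to the methods you actually trust once the setup works.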

 

 

 

 

 
