CA API Gateway 9.1

9.4 9.1

Use WS-Federation Credential Assertion

The Use WS-Federation Credential assertion submits credentials from the current request to the local ADFS Server. This assertion has two modes of operation:
gateway90
The
Use WS-Federation Credential
assertion submits credentials from the current request to the local ADFS Server. This assertion has two modes of operation:
  • Token Request:
     A login and password authenticated token request is submitted to the local ADFS Server. On success a SAML token is added to the current request's SOAP security header.
In "Token Request" mode, the Use WS-Federation Credential assertion takes credentials gathered by a preceding credential source assertion, such as the transport-level Require HTTP Basic Credentials assertion or message-level Require WS-Security UsernameToken Profile Credentials assertion, and requests a token from the local ADFS Server. In "Token Exchange" mode, the WS-Federation Passive Credential assertion uses a SAML token from the request.
  • Token Exchange:
     A SAML token authenticated token request is submitted to the local ADFS Server. On success, a SAML token is added to the current request's SOAP security header.
In "Token Exchange" mode, the WS-Federation Passive Credential assertion uses a SAML token from the request. If the token request/exchange is successful, a SAML token will replace the current request's credentials. If the message's original credentials are XML-based, then the XML element containing those credentials will be removed from the message.
For more information on configuring the Gateway to use WS-Federation credentials, see
Configuring WS-Federation Credential Exchange
 in the CA API Gateway - XML VPN Client documentation.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Adding an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the
    WS-Federation Request Properties
    automatically appear; when modifying the assertion, right-click
    [Obtain|Exchange|Authenticate] Credentials using WS-Federation Request to...
    in the policy window and select
    WS-Federation Request Properties
     or double-click the assertion in the policy window. The assertion properties are displayed. 
  3. Configure the properties as follows:
    Setting
    Description
    Action
    From the drop-down list, select whether to perform a
    Token Request
     or
    Token Exchange
    . Refer to the introduction to this topic for the differences.
    Token Service URL
    Enter the complete URL of the WS-Federation server.
    The server must be running and configured to accept requests containing the values configured below.
    Reply URL
    Optionally enter the address of the federated service.
    Realm
    Enter the SOAP payload namespace URI of the requesting realm. This should match the Realm entered for the Gateway account.
    The Realm is only for token request actions.
    Authenticate with service
    If the protected service requires authentication, select this check box to have the Gateway authenticate with the protected service.
    Context
    The context information that should be passed in with the request.
    Include freshness timestamp
    Select this check box to include a timestamp. The timestamp is available only for token request actions.
  4. Click [
    OK
    ]
     
    when done.

Content feedback and comments