5.11.2 Configuring a SAML 2.0 Profile

You can configure the methods of communication that are available at the server for requests and responses sent between providers. These settings affect the server metadata, so you must determine these prior to publishing to other sites.

Profiles control these methods of communication. An identity provider uses the incoming metadata to determine how to respond.

All available profile bindings are enabled by default. When all profile bindings are enabled (or the service provider has not specified a preference), SOAP is used first, followed by HTTP Post, then HTTP Redirect.

  1. Click Devices > Identity Servers > Edit > SAML 2.0 > Profiles.

  2. Specify the following details for identity providers and identity consumers (service providers):

    Field

    Description

    Artifact Resolution

    Select to enable artifact resolution for the identity provider and identity consumer.

    The assertion consumer service at the service provider performs a back-channel exchange with the artifact resolution service at the identity provider. Artifacts are small data objects that point to larger SAML protocol messages. They are embedded in a URL and conveyed in HTTP messages.

    Login

    The communication channel to use when a user logs in. Select one or more of the following options:

    • Post: A browser-based method used when SAML requester and responder communicate through an HTTP user agent. This occurs when the communicating parties do not share a direct path of communication. You also use this when the responder requires user interaction to fulfill the request, such as when the user must authenticate to it.

    • Redirect: A browser-based method that uses HTTP 302 redirects or HTTP GET requests to communicate requests from this identity site to the service provider. SAML messages are transmitted within URL parameters.

    Single Logout

    The communication channel to use when a user logs out. Select one or more of the following options:

    • HTTP Post: A browser-based method used when the SAML requester and responder need to communicate by using an HTTP user agent. This occurs, for example, when the communicating parties do not share a direct path of communication. You also use this when the responder requires user interaction to fulfill the request, such as when the user must authenticate to it.

    • HTTP Redirect: A browser-based method that uses HTTP 302 redirects or HTTP GET requests to communicate requests from this identity site to the service provider. SAML messages are transmitted within URL parameters.

    • SOAP: Uses SOAP back-channel over HTTP messaging to communicate requests from this identity provider to the service provider.

      NOTE: If you enable the Show logged out providers option (Identity Servers > Edit > Identity Providers) together with the HTTP Post profile, Access Manager does not complete a logout request from the service provider. This occurs because of the difference in the HTTP method used in the logout request. It is recommended to use the HTTP Redirect method when the Show logged out providers option is enabled.

    Name Management

    Specifies the communication channel for sharing the common identifiers for a user between identity providers and service providers. When an identity provider has exchanged a persistent identifier for the user with a service provider, the providers share the common identifier for a length of time. When either the identity provider or service provider changes the format or value to identify the user, the system can ensure that the new format or value is properly transmitted. Select one or more of the following options:

    • HTTP Post: A browser-based method used when the SAML requester and responder need to communicate by using an HTTP user agent. This occurs, for example, when the communicating parties do not share a direct path of communication. You also use this when the responder requires user interaction to fulfill the request, such as when the user must authenticate to it.

    • HTTP Redirect: A browser-based method that uses HTTP 302 redirects or HTTP GET requests to communicate requests from this identity site to the service provider. SAML messages are transmitted within URL parameters.

    • SOAP: Uses SOAP back-channel over HTTP messaging to communicate requests from this identity provider to the service provider.

  3. Click OK.

  4. Update Identity Server.

  5. (Conditional) If you have set up trusted providers and modified these profiles, reimport providers’ metadata from this Identity Server.
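The following is an added example, not part of the Access Manager documentation or product code, showing how the bindings selected above carry a SAML message: HTTP Redirect places a deflated, base64-encoded message in URL query parameters; HTTP Post places a base64-encoded message in a form field; the Artifact binding sends only a 44-byte pointer (type code, endpoint index, SourceID, message handle) through the browser and leaves the full message at the issuer for back-channel resolution. The entity IDs, endpoint URLs and the AuthnRequest XML are constructed placeholders, and the in-memory ArtifactStore stands in for an artifact resolution service.

```python
import base64
import hashlib
import os
import struct
import zlib
from typing import Dict, Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample AuthnRequest; IDs and endpoints are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/saml2/sso">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# --- HTTP-Redirect binding: the message travels in URL query parameters ----
def redirect_encode(xml: str, sso_url: str, relay_state: str = "") -> str:
    """Raw DEFLATE (no zlib header), base64, then URL-encode into the query."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"

def redirect_decode(url: str) -> str:
    """Reverse of redirect_encode: read SAMLRequest from the query and inflate."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")

# --- HTTP-POST binding: the message travels in an HTML form field ----------
def post_encode(xml: str) -> Dict[str, str]:
    """Base64 only, no compression; the value is posted as a SAMLRequest field."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}

def post_decode(form: Dict[str, str]) -> str:
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8")

# --- Artifact binding: only a pointer travels through the browser ----------
ARTIFACT_TYPE = 0x0004  # SAML 2.0 type-4 artifact

def source_id(entity_id: str) -> bytes:
    """SourceID is the 20-byte SHA-1 of the issuing entity's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def build_artifact(entity_id: str, endpoint_index: int = 0,
                   handle: Optional[bytes] = None) -> str:
    """TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20), base64."""
    handle = os.urandom(20) if handle is None else handle
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    packed = struct.pack(">HH", ARTIFACT_TYPE, endpoint_index) + source_id(entity_id) + handle
    return base64.b64encode(packed).decode("ascii")

def parse_artifact(artifact: str) -> dict:
    packed = base64.b64decode(artifact)
    if len(packed) != 44:
        raise ValueError("not a 44-byte SAML 2.0 type-4 artifact")
    type_code, endpoint_index = struct.unpack(">HH", packed[:4])
    return {"type_code": type_code, "endpoint_index": endpoint_index,
            "source_id": packed[4:24], "message_handle": packed[24:44]}

class ArtifactStore:
    """Stand-in (constructed for this example) for an issuer's artifact
    resolution service: the full message stays here and is released only on
    the back channel, once, to whoever presents the matching artifact."""
    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self._messages: Dict[bytes, str] = {}

    def issue(self, message: str) -> str:
        handle = os.urandom(20)
        self._messages[handle] = message
        return build_artifact(self.entity_id, 0, handle)

    def resolve(self, artifact: str) -> str:
        parsed = parse_artifact(artifact)
        if parsed["source_id"] != source_id(self.entity_id):
            raise ValueError("artifact was not issued by this entity")
        return self._messages.pop(parsed["message_handle"])  # single use

if __name__ == "__main__":
    url = redirect_encode(AUTHN_REQUEST, "https://idp.example.test/saml2/sso", "state-1")
    print("Redirect URL length:", len(url))
    print("POST field length:", len(post_encode(AUTHN_REQUEST)["SAMLRequest"]))
    store = ArtifactStore("https://idp.example.test/metadata")
    art = store.issue("<samlp:Response/>")
    print("Artifact:", art, "->", parse_artifact(art)["type_code"])
    print("Resolved:", store.resolve(art))
```

The example omits message signing, which a real deployment adds: under HTTP Redirect the signature travels in separate SigAlg and Signature query parameters, and under HTTP Post it sits inside the XML. The point the example makes is the one behind the profile choice: with Redirect and Post the browser carries the whole message, so its size and integrity protection are visible to the user agent, whereas with the Artifact binding the browser sees only a SourceID-plus-handle pointer and the message is fetched by the service provider on the back channel.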