Software AG Products 10.11 | Administering Integration Server | Authenticating Clients | SAML Authentication | Requirements for SAML Authentication
 
Requirements for SAML Authentication
The following table lists the requirements that must be met so that Integration Server can process SAML tokens in policies based on WS-SecurityPolicy and accept SAML2 tokens in the HTTP header.
Requirement
Description
Security Token Service (STS) provider
Determine which STSs you want Integration Server to trust. Clients can use any STS provider that generates SAML 1.1 or 2.0 tokens. The generated SAML token must:
*Contain the client certificate if Integration Server is to process Holder-of-Key (HOK) type SAML assertions. Integration Server uses the client certificate to identify the client and map the client to an Integration Server user.
*Be signed by the STS.
Certificates for each possible issuer of SAML assertions
Create a truststore that contains the public keys of each STS. For more information about creating a truststore, see Truststore File.
Identification of trusted issuers
Identify trusted STSs to Integration Server. For instructions, see Identifying Trusted STSs to Integration Server .
Client certificate mapping
If Integration Server is to process Holder-of-Key (HOK) type SAML assertions, which contain the public key of the client, you must map the client’s public key to an Integration Server user. For more information about configuring client certificates, see Client Certificate Authentication.