
Authentication chains: SAML

Bravura Security Fabric supports a federated authentication model using the Security Assertion Markup Language (SAML 2.0). Depending on requirements, Bravura Security Fabric can be configured to act as either an Identity Provider (IdP) or a Service Provider (SP).

Bravura Security Fabric as Identity Provider

As an Identity Provider, Bravura Security Fabric provides unified third-party authentication for a variety of federation-capable applications (Service Providers or SPs) using a Bravura Security Fabric login process, reducing the burden of managing multiple app-specific credentials. Once users authenticate they are redirected back to the application along with a cryptographically signed SAML assertion indicating who they are (identity), and what they may access (authorization).

The Scenario.hid_saml_idp component installs the functionality that allows Bravura Security Fabric to act as a SAML Identity Provider, enabling it to authenticate end users on behalf of a variety of web applications.

Implementing SAML federated login redirects users attempting to access supported web applications to Front-end, reducing the number of accounts a user needs to manage while allowing you to enforce your business's security policies through authentication chains.

For details see Authentication chains: Bravura Security Fabric as identity provider.

Bravura Security Fabric as Service Provider

Bravura Security Fabric can be configured to operate as a Service Provider, accepting third-party authentication assertions from a trusted Identity Provider. This functionality is installed via the Scenario.hid_authchain_saml_sp component, and must be configured before use.

For details see Authentication chains: Bravura Security Fabric as service provider.

Federated login configuration options

Several configuration options are shared between SP-initiated and IdP-initiated authentication via SAML. To configure these variables:

  1. Click Manage the system > Modules > Federation / Web Single Sign-on.

  2. Configure the options in Table 1, “Federation / Web Single Sign-on options”, as required.

  3. If required, configure the event options listed in Table 2, “Federation / Web Single Sign-On events”, which trigger external programs.

  4. Click Update to submit the changes.

Table 1. Federation / Web Single Sign-on options

  FEDIDP CERT FILE
    The name of the PFX certificate used to sign assertions.

  FEDIDP CERT PASS
    The password for the signing certificate.

  FEDIDP CERT STORE
    The certificate store which contains the SAML signing certificate:
      PFX file store (Default): The default signing certificate repository.
      Computer account store: The local machine store for validation certificates.
      My user account store: The administrator account's store for validation certificates.

  FEDIDP CERT SUBJECT
    The subject value for the signing certificate.

  FEDIDP SAML PLUGIN
    The plugin used to generate SAML assertions.

  FEDIDP SESSION MINUTES
    Configures the maximum duration of a single sign-on session, in minutes (Default 8640). Expired sessions are automatically removed by the nightly psupdate clean-up tasks.

  FEDSP CERT FILE
    The name of the PFX certificate used to sign SAML SP assertions.

  FEDSP CERT PASS
    The password for the signing certificate.

  FEDSP CERT STORE
    The certificate store which contains the SAML SP signing certificate:
      PFX file store (Default): The default signing certificate repository. This is located in <instancedir>\sp.
      Computer account store: The local machine store for validation certificates.
      My user account store: The administrator account's store for validation certificates.

  FEDSP CERT SUBJECT
    The subject value for the signing certificate.


Bravura Security Fabric supports a number of event options that are invoked explicitly by federated login. For more information on event configuration, see Event Actions.

Federated login operation codes

The following sesslog events are fired by federated login operations, and can be tracked by the event reports and in the event viewer. These events are called alongside their respective exit trap:

  • FIDT, federated identification success event, launched alongside the FEDIDP IDENTIFY SUCCESS exit trap.

  • FATH, federated authentication success event, launched alongside the FEDIDP AUTH SUCCESS exit trap.

  • SSOC, single sign-on creation event, launched alongside the SSO SESSION CREATE exit trap.

  • SSOD, single sign-on session destruction event, launched alongside the SSO SESSION DESTROY exit trap.

  • FATN, federated authentication request sent to external IdP, launched alongside the FEDSP SAML AUTH ISSUED exit trap.

  • FASR, federated assertion receipt, launched alongside the FEDSP SAML AUTH ASR SUCCESS and FEDSP SAML AUTH ASR FAIL exit traps.
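As an added example (not from the Bravura Security Fabric documentation), the following Python script correlates these operation codes over a constructed sesslog extract to flag assertions received without a preceding FATN request, assertions that ended in the FEDSP SAML AUTH ASR FAIL exit trap, requests never answered, and single sign-on session lifetimes. The pipe-delimited line format, session identifiers and timestamps are assumptions, since the page does not show the sesslog layout.

```python
from datetime import datetime

# Exit trap name as listed on the page for a failed assertion receipt.
FASR_FAIL = "FEDSP SAML AUTH ASR FAIL"

# Constructed sample sesslog extract. Assumed format per line:
#   <ISO timestamp>|<operation code>|<session id>|<user or '-'>|<exit trap>
SAMPLE_SESSLOG = """\
2024-05-01T09:00:00|FATN|s1|-|FEDSP SAML AUTH ISSUED
2024-05-01T09:00:04|FASR|s1|alice|FEDSP SAML AUTH ASR SUCCESS
2024-05-01T09:00:05|SSOC|s1|alice|SSO SESSION CREATE
2024-05-01T09:02:00|FASR|s2|bob|FEDSP SAML AUTH ASR SUCCESS
2024-05-01T09:03:00|FATN|s3|-|FEDSP SAML AUTH ISSUED
2024-05-01T09:03:09|FASR|s3|carol|FEDSP SAML AUTH ASR FAIL
2024-05-01T09:04:00|FATN|s4|-|FEDSP SAML AUTH ISSUED
2024-05-01T17:30:05|SSOD|s1|alice|SSO SESSION DESTROY
"""

def parse_sesslog(text):
    """Parse the assumed pipe-delimited sesslog lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, code, session, user, trap = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "code": code,
                       "session": session, "user": user, "trap": trap})
    return events

def audit_federated_login(events):
    """Pair FATN/FASR and SSOC/SSOD events per session; events must be in time order."""
    issued, answered, created = set(), set(), {}
    findings = {"unsolicited_assertions": [], "failed_assertions": [],
                "session_minutes": {}}
    for ev in events:
        code, sid = ev["code"], ev["session"]
        if code == "FATN":                      # SP sent an AuthnRequest to the IdP
            issued.add(sid)
        elif code == "FASR":                    # SP received an assertion
            if sid not in issued:               # no request from this SP: review it
                findings["unsolicited_assertions"].append(sid)
            answered.add(sid)
            if ev["trap"] == FASR_FAIL:
                findings["failed_assertions"].append(sid)
        elif code == "SSOC":                    # SSO session created
            created[sid] = ev["ts"]
        elif code == "SSOD" and sid in created: # SSO session destroyed
            lifetime = ev["ts"] - created.pop(sid)
            findings["session_minutes"][sid] = lifetime.total_seconds() / 60
    findings["abandoned_requests"] = sorted(issued - answered)
    findings["open_sessions"] = sorted(created)   # still open at end of extract
    return findings
```

Session lifetimes can be compared against the configured FEDIDP SESSION MINUTES to confirm that expired sessions are actually being removed.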

For more information on operation codes in Bravura Security Fabric, see Operation codes.