Table 15: eTrust SiteMinder Advanced Configuration Options (continued)

Option: Authorize while Authenticating
Description: Specifies that Secure Access should look up user attributes on the policy server immediately after authentication to determine if the user is truly authenticated. For example, if your eTrust server authenticates users based on an LDAP server setting, you can select this option to indicate that Secure Access should authenticate users through the eTrust server and then authorize them through the LDAP server before granting them access. If the user fails authentication or authorization, he is redirected to the page configured on the policy server.
Note:
If you do not select this option and you have authorization options set up through the Policy Users > Exclude tab of the policy server configuration utility, a user whom you have denied access may successfully authenticate into Secure Access. Not until the user tries to access a protected resource does Secure Access check his authorization rights and deny him access.
Secure Access sends the same resource to the policy server for authorization as for authentication.
This option is not supported with the Authenticate using HTML form post option or the Automatic sign-in.

Option: Enable Session Grace Period, Validate cookie every N seconds
Description: You can eliminate the overhead of verifying a user’s SMSESSION cookie each time the user requests the same resource by indicating that Secure Access should consider the cookie valid for a certain period of time. During that period, Secure Access assumes that its cached cookie is valid rather than re-validating it against the policy server. If you do not select this option, Secure Access checks the user’s SMSESSION cookie on each request. Note that the value entered here does not affect session or idle timeout checking.

Option: Ignore Query Data
Description: By default, when a user requests a resource, Secure Access sends the entire URL for that resource to the policy server (including the query parameter, if present). For example, Secure Access may send the following URL to the policy server: http://foo/bar?param=value. (Query data appears after the ? character in the URL. Within this URL, param=value represents the query parameter.)
Secure Access then caches the result of the authorization request for 10 minutes, including the query parameter. If the user then requests the same resource that is specified in the cached URL, the request fails since the query portion of the cached URL does not match the new request. Secure Access then has to re-contact the policy server to make a request that includes the new query parameter.
If you select the Ignore Query Data option, Secure Access does not cache the query parameter in its URLs. Therefore, if a user requests the same resource as is specified in the cached URL, the request should not fail. For example, if you enable the Ignore Query Data option, both of the following URLs are considered the same resource:
http://foo/bar?param=value1
http://foo/bar?param=value2
Enabling this option may improve performance.

Copyright © 2012, Juniper Networks, Inc.
Chapter 8: Authentication and Directory Servers

Table 15: eTrust SiteMinder Advanced Configuration Options (continued)

Option: Accounting Port
Description: The value entered in this field must match the accounting port value entered through the Policy Server Management Console. By default, this field matches the policy server’s default setting of 44441.

Option: Authentication Port
Description: The value entered in this field must match the authentication port value entered through the Policy Server Management Console. By default, this field matches the policy server’s default setting of 44442.

Option: Authorization Port
Description: The value entered in this field must match the authorization port value entered through the Policy Server Management Console. By default, this field matches the policy server’s default setting of 44443.

Option: Overlook Session for Methods
Description: Compares the request method to the methods listed here. If a match is found, Web Agent does not create a new or update an existing SMSESSION cookie, nor will it make any updates to the cookie provider for that request.
You can enter multiple methods; use a comma to separate method names.
If Overlook Session for Methods parameter is set but not Overlook Session for URLs, then all requests that match the methods defined in this parameter are processed (SMSESSION cookie creation/update is blocked).
If both Overlook Session for Methods and Overlook Session for URLs parameters are set, both the method and the URL of the request are matched before proceeding. Then, all URLs with specified methods are processed (SMSESSION cookie creation/update is blocked).

Option: Overlook Session for URLs
Description: Compares the request URL to the URLs listed in this parameter. If a match is found, Web Agent does not create a new or update an existing SMSESSION cookie, nor will it make any updates to the cookie provider for that request.
Specify a relative URL. For example: If the URL is http://fqdn.host/MyDocuments/index.html, enter /MyDocuments/index.html
If Overlook Session for URLs is set but not Overlook Session for Methods, then all requests, regardless of the methods, matching the URLs defined in this parameter are processed (SMSESSION cookie creation/update is blocked).
If both Overlook Session for Methods and Overlook Session for URLs parameters are defined, both the method and the URL of the request are matched before proceeding. Then, all URLs with specified methods are processed (SMSESSION cookie creation/update is blocked).

Option: Flush Cache
Description: Use to delete the Secure Access resource cache, which caches resource authorization information for 10 minutes.
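
The caching behaviour described for the Ignore Query Data and Flush Cache options, as an added example that is not part of the Juniper guide and is not Juniper code: a small Python model of a 10-minute authorization cache keyed on the URL with or without its query string. The policy rule, the user name and keying the cache per user are assumptions made for the illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

CACHE_TTL_SECONDS = 10 * 60  # the guide states results are cached for 10 minutes


class AuthorizationCache:
    """Constructed model of the resource cache; not Juniper's implementation."""

    def __init__(self, policy_server, ignore_query_data=False, clock=time.monotonic):
        self.policy_server = policy_server  # callable(user, url) -> bool
        self.ignore_query_data = ignore_query_data
        self.clock = clock
        self.entries = {}                   # (user, cache key) -> (decision, expiry)
        self.policy_server_calls = 0

    def cache_key(self, url):
        if not self.ignore_query_data:
            return url                      # default: full URL, query included
        p = urlsplit(url)
        return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

    def is_authorized(self, user, url):
        key = (user, self.cache_key(url))
        entry = self.entries.get(key)
        if entry is not None and entry[1] > self.clock():
            return entry[0]                 # served from cache, no server contact
        self.policy_server_calls += 1
        decision = self.policy_server(user, url)
        self.entries[key] = (decision, self.clock() + CACHE_TTL_SECONDS)
        return decision

    def flush(self):
        """Model of the Flush Cache action: drop every cached decision."""
        self.entries.clear()


def constructed_policy(user, url):
    # Hypothetical policy-server rule: only param=value1 is authorized.
    return urlsplit(url).query == "param=value1"


def run_scenario(ignore_query_data):
    now = [0.0]                             # fake clock so the run is deterministic
    cache = AuthorizationCache(constructed_policy, ignore_query_data, lambda: now[0])
    first = cache.is_authorized("alice", "http://foo/bar?param=value1")
    second = cache.is_authorized("alice", "http://foo/bar?param=value2")
    calls_before_flush = cache.policy_server_calls
    cache.flush()
    after_flush = cache.is_authorized("alice", "http://foo/bar?param=value2")
    now[0] += CACHE_TTL_SECONDS + 1         # let the cached entry expire
    cache.is_authorized("alice", "http://foo/bar?param=value2")
    return first, second, calls_before_flush, after_flush, cache.policy_server_calls


if __name__ == "__main__":
    print("full URL cached :", run_scenario(False))
    print("query ignored   :", run_scenario(True))
```

With Ignore Query Data on, the decision cached for param=value1 is reused for param=value2, so in this model a policy that distinguishes resources by query parameter is not re-evaluated until the entry expires or the cache is flushed.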

Junos Pulse Secure Access Service Administration Guide

Related Documentation

Using SiteMinder User Attributes for Secure Access Role Mapping

After you create user attributes on a SiteMinder policy server, you can use them in role mapping rules for a realm that uses the SiteMinder policy server.

To use SiteMinder user attributes for Secure Access role mapping:

1. In the admin console, choose Administrators > Admin Realms or Users > User Realms.

2. On the General tab of the Authentication Realms page for the Secure Access realm that uses the SiteMinder policy server, choose Same as Above from the Directory/Attribute list.

NOTE: If you choose LDAP from the Directory/Attribute list instead of Same as Above, you can use both SiteMinder and LDAP attributes in role mapping rules.

3. On the Secure Access Role Mapping tab, create a rule based on Secure Access user attributes that references a SiteMinder user attribute cookie.

For example, to reference a SiteMinder user attribute cookie named department, add department to the list of Secure Access user attributes on the Secure Access Role Mapping tab. Then specify a value for the SiteMinder user attribute cookie, such as sales.

You can also use the following syntax to reference a SiteMinder user attribute cookie in a custom expression for a role mapping rule:

userAttr.<cookie-name>

For example:

<userAttr.department = ("sales" and "eng")>

Related Documentation
Creating an Authentication Realm on page 228
Role Mapping Rules on page 230

Defining a SiteMinder Realm for Automatic Sign-In

SiteMinder Automatic Sign In requires a realm whose authentication server is the SiteMinder server. If you perform an upgrade and you have already defined the Automatic Sign In realm that does not specify the SiteMinder server for authentication, and you have configured the SiteMinder server:

The realms do not appear in the SiteMinder realm list under SiteMinder authentication settings in the admin console.
The upgrade process creates a new realm called eTrust-Auto-Login-Realm which is based on your existing realm, but which configures the SiteMinder server as its authentication server.

To configure the SiteMinder realm on a new installation:

1. Select Authentication > Auth. Servers.

2. Choose SiteMinder from the New list and click New Server.

3. Specify the settings you want.

4. Click Save Changes.

5. Configure the realm, and select the SiteMinder server as the authentication server.

6. Select Authentication > Auth. Servers.

7. Choose the SiteMinder server you defined previously.

8. Under SiteMinder authentication settings, select the Automatic Sign In check box.

9. Choose the realm you just configured from the user authentication realm list.

10. Click Save Changes.

NOTE: The user authentication realm list on the SiteMinder server page only displays realms that are configured for SiteMinder. If you have not configured any SiteMinder realms, the drop down menu is empty.

Related Documentation
Configuring SiteMinder to Work with the Secure Access Service on page 191
Debugging SiteMinder and Secure Access Issues on page 208

Debugging SiteMinder and Secure Access Issues

Problem

At some point, you may encounter problems configuring the eTrust SiteMinder server interactions with Secure Access. You can use a number of debugging tools to identify and resolve problems:

Solution

Review the Secure Access log file. Secure Access tracks failures of cookie validation, authorizing requests, and key rollovers.

Review the Policy Server Authentication log files.

Review the Standard Web Agent log file if you have selected the Authentication using HTML Form POST option.

Confirm that Secure Access contains the proper suffix that you defined in the Cookie Domain field. If Secure Access is not properly addressed, the browser may not forward the correct SMSESSION cookie to Secure Access and you may not be able to sign in. You must enter the Secure Access’s FQDN on the browser, not the Secure Access IP address, otherwise, your login fails.

Confirm that the Secure Access system time is synchronized with the SiteMinder server’s system time. If the two system times are too divergent, the timeout settings may not function correctly, rejecting your attempts to sign in.

In the SiteMinder server, confirm that you have defined the proper Session Timeout options max timeout and idle in the Siteminder Realm dialog.

If you sign in to Secure Access and browse to an eTrust-protected Web agent, then reach the eTrust sign-in page instead of the single sign on (SSO) page, check the Secure Access Cookie Domain value to confirm that the domain matches the domain of the eTrust-protected Web agent. Review the setting for the Send Cookie Securely option. If Send Cookie Securely is set to yes, SSO works only with secure https:// sites. If Send Cookie Securely is set to no, SSO works with both http:// and https:// sites.

Related Documentation
Configuring SiteMinder to Work with the Secure Access Service on page 191

Configuring a SAML Server Instance

Secure Access accepts authentication assertions generated by a SAML authority using either an artifact profile or a POST profile. This feature allows a user to sign in to a source site or portal without going through Secure Access first, and then to access Secure Access with single sign-on (SSO) through the SAML consumer service.

As a result, the user who authenticates elsewhere is able to access resources behind Secure Access without signing in again.

Using the Artifact Profile and POST Profile

The two supported profiles provide different methods of accomplishing the same task. The end-user’s goal is to sign in to all desired resources once, without experiencing multiple sign-in pages for different resources or applications. Although the end-user wants transparency, you, the administrator, want to ensure complete security across the resources on your system, regardless of the servers or sites represented.

The artifact profile requires that you construct an automated request-response HTTP message that the browser can retrieve based on an HTTP GET request.

The POST profile requires that you construct an HTML form that can contain the SAML assertion, and which can be submitted by an end-user action or a script action, using an HTTP POST method.

Using the Artifact Profile Scenario

The SAML server generally supports the following artifact profile scenario:

1. The user accesses a source site via a browser. The source site might be a corporate portal using a non-Secure Access authentication access management system.

2. The source site challenges the user for username and password.

3. The user provides username and password, which the source site authenticates through a call to an LDAP directory or other authentication server.

4. The user then clicks on a link on the source site, which points to a resource on a server that is protected behind the Secure Access device.

5. The link redirects the user to the Intersite Transfer Service URL on the source site. The source site pulls an authentication assertion message from its cache and encloses it in a SOAP message. The source site constructs a SAML artifact (a Base64 string) that it returns to the browser in a URI along with the destination and assertion address.

6. The destination site queries the authenticated assertion from the source site, based on the artifact it receives from the source site.

7. If the elapsed time falls within the allowable clock skew time, Secure Access accepts the assertion as a valid authentication, and the user meets any other Secure Access policy restrictions, Secure Access grants the user access to the requested resource.

The main tasks you are required to fulfill to support Secure Access as the relying party with the artifact profile include:

Implement the assertion consumer service, which:
  Receives the redirect URL containing the artifact
  Generates and sends the SAML request
  Receives and processes the SAML response

Integrate the assertion consumer service with the existing Secure Access process, which:
  Maps the SAML assertion to a local user
  Creates a Secure Access user session
  Performs local authorization
  Serves the resource or denies access

Using the POST Profile Scenario

The SAML server generally supports the POST profile scenario, as follows:

1. The end-user accesses the source Web site, hereafter known as the source site.

2. The source site verifies whether or not the user has a current session.

3. If not, the source site prompts the user to enter user credentials.

4. The user supplies credentials, for example, username and password.

5. If the authentication is successful, the source site authentication server creates a session for the user and displays the appropriate welcome page of the portal application.

6. The user then selects a menu option or link that points to a resource or application on a destination Web site.

7. The portal application directs the request to the local inter-site transfer service, which can be hosted on the source site. The request contains the URL of the resource on the destination site, in other words, the TARGET URL.

8. The inter-site transfer service sends an HTML form back to the browser. The HTML FORM contains a SAML response, within which is a SAML assertion. The response must be digitally signed. Typically the HTML FORM will contain an input or submit action that will result in an HTTP POST. This can be a user-clickable Submit button or a script that initiates the HTTP POST programmatically.

9. The browser, either due to a user action or by way of an auto-submit action, sends an HTTP POST containing the SAML response to the destination Web site’s assertion consumer service.

10. The replying party's assertion consumer (in this case, on the destination Web site) validates the digital signature on the SAML Response.

11. If valid, the assertion consumer sends a redirect to the browser, causing the browser to access the TARGET resource.

12. Secure Access, on the destination site, verifies that the user is authorized to access the destination site and the TARGET resource.

13. If the user is authorized to access the destination site and the TARGET resource, Secure Access returns the TARGET resource to the browser.

The main tasks you are required to fulfill to support Secure Access as the relying party with the POST profile include:

Implement the assertion consumer service, which receives and processes the POST form

Integrate the assertion consumer service with the existing Secure Access process, which:
  Maps the SAML assertion to a local user
  Creates a Secure Access user session
  Performs local authorization
  Serves the resource or denies access

Related Documentation
Understanding Assertions on page 211

Understanding Assertions

Each party in the request-response communication must adhere to certain requirements. The requirements provide a predictable infrastructure so that the assertions and artifacts can be processed correctly.

The artifact is a Base64-encoded string of 40 bytes. An artifact acts as a token that references an assertion on the source site, so the artifact holder—Secure Access—can authenticate a user who has signed in to the source site and who now wants to access a resource protected by Secure Access. The source site sends the artifact to Secure Access in a redirect, after the user attempts to access a resource protected by Secure Access. The artifact contains:

  TypeCode—2-byte hex code of 0x0001 that identifies the artifact type.

  SourceID—20-byte encrypted string that determines the source site identity and location. Secure Access maintains a table of SourceID values and the URL for the corresponding SAML responder. Secure Access and the source site communicate this information in a back channel. On receiving the SAML artifact, Secure Access determines whether or not the SourceID belongs to a known source site, and, if it does, obtains the site location before sending a SAML request. The source site generates the SourceID by computing the SHA-1 hash of the source site’s own URL.

  AssertionHandle—20-byte random value that identifies an assertion stored or generated by the source site. At least 8 bytes of this value should be obtained from a cryptographically secure RNG or PRNG.

The inter-site transfer service is the identity provider URL on the source site (not Secure Access). Your specification of this URL in the admin console enables Secure Access to construct an authentication request to the source site, which holds the user’s credentials in cache. The request is similar to the following example:

GET http://<inter-site transfer host name and path>?TARGET=<Target>...<HTTP-Version><other HTTP 1.0 or 1.1 components>

In the preceding sample, <inter-site transfer host name and path> consists of the host name, port number, and path components of the inter-site transfer URL at the source and where Target=<Target> specifies the requested target resource at the destination (Secure Access protected) site. This request might look like:

GET http://10.56.1.123:8002/xferSvc?TARGET=http://www.dest.com/sales.htm

The inter-site transfer service redirects the user’s browser to the assertion consumer service at the destination site—in this case, Secure Access. The HTTP response from the source site inter-site transfer service must be in the following format:

<HTTP-Version> 302 <Reason Phrase>
<other headers>
Location: http://<assertion consumer host name and path>?<SAML searchpart><other HTTP 1.0 or 1.1 components>

In the preceding sample, <assertion consumer host name and path> provides the host name, port number, and path components of an assertion consumer URL at the destination site and where <SAML searchpart>= …TARGET=<Target> …SAMLart=<SAML artifact>… consists of one target description, which must be included in the <SAML searchpart> component. At least one SAML artifact must be included in the SAML <SAML searchpart> component. The asserting party can include multiple SAML artifacts.

NOTE: You can use status code 302 to indicate that the requested resource resides temporarily under a different URI.

If <SAML searchpart> contains more than one artifact, all of the artifacts must share the same SourceID.

The redirect might look like:

HTTP/1.1 302 Found
Location: http://www.ive.com:5802/artifact?TARGET=/www.ive.com/&SAMLart=artifact

The user's browser accesses the assertion consumer service, with a SAML artifact representing the user's authentication information attached to the URL.

The HTTP request must appear as follows:

GET http://<assertion consumer host name and path>?<SAML searchpart> <HTTP-Version><other HTTP 1.0 or 1.1 request components>

In the preceding sample, <assertion consumer host name and path> provides the host name, port number, and path components of an assertion consumer URL at the destination site.

<SAML searchpart>= …TARGET=<Target>…SAMLart=<SAML artifact>…

A single target description MUST be included in the <SAML searchpart> component. At least one SAML artifact MUST be included in the <SAML searchpart> component; multiple SAML artifacts MAY be included. If more than one artifact is carried within <SAML searchpart>, all the artifacts MUST have the same SourceID.

You should not expose the assertion consumer URL unless over SSL 3.0 or TLS 1.0. Otherwise, transmitted artifacts might be available in plain text to an attacker.
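
The artifact layout and the <SAML searchpart> rules above, as an added example that is not part of the Juniper guide: a Python check an assertion consumer could apply before sending a SAML request. It assumes the field layout listed earlier (TypeCode, SourceID, AssertionHandle, 2 + 20 + 20 bytes once decoded); the host names, responder URL and function names are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TYPE_CODE = b"\x00\x01"          # TypeCode 0x0001
SOURCE_ID_LEN = HANDLE_LEN = 20  # SourceID and AssertionHandle sizes in bytes


class ArtifactError(ValueError):
    """Raised when an artifact or <SAML searchpart> breaks a stated rule."""


def source_id_for(source_site_url):
    # SourceID is the SHA-1 hash of the source site's own URL (20 bytes).
    return hashlib.sha1(source_site_url.encode("utf-8")).digest()


def make_artifact(source_site_url, handle=None):
    # Source-site side: TypeCode || SourceID || AssertionHandle, Base64-encoded.
    handle = handle or secrets.token_bytes(HANDLE_LEN)
    return base64.b64encode(TYPE_CODE + source_id_for(source_site_url) + handle).decode()


def parse_artifact(text):
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ArtifactError("artifact is not valid Base64") from exc
    if len(raw) != len(TYPE_CODE) + SOURCE_ID_LEN + HANDLE_LEN:
        raise ArtifactError("unexpected artifact length")
    if raw[:2] != TYPE_CODE:
        raise ArtifactError("unsupported TypeCode")
    return raw[2:22], raw[22:]  # (SourceID, AssertionHandle)


def validate_search_part(request_url, known_sources):
    """Return (responder_url, target, handles) or raise ArtifactError."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    targets = query.get("TARGET", [])
    artifacts = query.get("SAMLart", [])
    if len(targets) != 1:
        raise ArtifactError("exactly one TARGET is required")
    if not artifacts:
        raise ArtifactError("at least one SAMLart is required")
    parsed = [parse_artifact(a) for a in artifacts]
    source_ids = {sid for sid, _ in parsed}
    if len(source_ids) != 1:
        raise ArtifactError("all artifacts must share one SourceID")
    source_id = source_ids.pop()
    if source_id not in known_sources:
        raise ArtifactError("SourceID does not belong to a known source site")
    return known_sources[source_id], targets[0], [h for _, h in parsed]


# Constructed sample data: source site and responder URL are placeholders.
IDP_URL = "https://idp.example.com/"
KNOWN_SOURCES = {source_id_for(IDP_URL): "https://idp.example.com/saml/responder"}


def build_request(artifacts, target="https://sa.example.com/sales.htm"):
    pairs = [("TARGET", target)] + [("SAMLart", a) for a in artifacts]
    return "https://sa.example.com/artifact?" + urlencode(pairs)
```

The responder URL returned by validate_search_part comes from the locally maintained SourceID table, never from the request itself.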

The issuer value is typically the URL of the source site. You can specify the <ISSUER> variable which will return the issuer value from the assertion.

The user name template is a reference to the SAML name identifier element, which allows the asserting party to provide a format for the user name. The SAML specification allows for values in the following formats:

  Unspecified—indicates that interpretation of the content is left up to the individual implementations. In this case, you can use the variable assertionName.

  Email Address—indicates that content is in the form of an email address. In this case, you can use the variable assertionName.

  X.509 Subject Name—indicates that the content is in the form of an X.509 subject name. In this case, you can use the variable assertionNameDN.<RDN>.

  Windows Domain Qualified Name—indicates that the content is a string in the form of DomainName\Username.

You should define the user name template to accept the type of user name your SAML assertion contains.

To prevent eavesdropping on the SAML artifact, source and destination sites should synchronize their clocks as closely as possible. Secure Access provides an Allowed Clock Skew attribute that dictates the maximum time difference allowed between Secure Access and the source site. Secure Access rejects any assertions whose timing exceeds the allowed clock skew.

Related Documentation
Configuring a SAML Server Instance on page 209
Creating a SAML Server Instance (SAML 1.1) on page 214

Creating a new SAML Server Instance

To create a new SAML server instance, and configure the common elements:

1. In the admin console, choose Authentication > Auth. Servers.

2. Select SAML Server from the New list, and then click New Server.

3. Specify a name to identify the server instance.

4. Under Settings, specify the Source Site Inter-Site Transfer Service URL.

5. Specify the issuer value for the source site. Typically the URI or hostname of the issuer of the assertion.

6. Specify the user name template, which is a mapping string from the SAML assertion to a Secure Access user realm. For example, enter <assertionNameDN.CN> which derives the username from the CN value in the assertion.

7. Specify the Allowed Clock Skew value, in minutes. This value determines the maximum allowed difference in time between the SA Series Appliance clock and the source site clock.

8. Define the configuration for either the artifact profile or for the POST profile.

NOTE: SAML authentication does not support sign-in URLs that contain multiple realms. Instead, map each sign-in URL to a single realm.

Related Documentation
Configuring a SAML Server Instance on page 209
Configuring the SAML Server Instance to Use an Artifact Profile on page 215
Configuring the SAML Server Instance to Use the POST Profile on page 215