Proxy Mode

In a proxy mode deployment, you use Federation Manager in the DMZ to forward requests to backend web servers that host federated applications. These backend systems sit behind a firewall and are not directly accessible.

Proxy mode offers the following advantages:

Note: You can protect the HTTP headers against modification by an unauthorized user by setting an HTTP Header prefix. More information about protecting HTTP headers in proxy mode is available.

Important! In proxy mode, Federation Manager passes all requests to the backend network. Therefore, be sure that all resources on a backend web server are protected by SiteMinder or another access control product. For example, a backend web server may host a federated application as well as unprotected resources behind the firewall. If the administrator exposes the federated application, the unprotected resources are also exposed, because Federation Manager allows full access to the backend web server without checking for authorization. This assumes that the non-federated resources are URL-addressable.

The following figure shows a typical proxy mode deployment from the perspective of the relying party.

Figure: FM--Proxy Mode Architecture

The previous figure shows the following communication flow at the relying party:

  1. A user makes an initial request for a federated resource.
  2. Based on the data in the assertion, Federation Manager authenticates the user, contacting the user directory at the internal site to complete the user disambiguation process.
  3. After successful authentication, Federation Manager returns a redirect response to the user's browser.
  4. Federation Manager proxies the request to the target web server and the user accesses the resource.
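
The "Important!" note above means the backend web server must enforce its own access control, because the proxy forwards every request. The following sketch is an added example, not Federation Manager or SiteMinder code: a default-deny guard placed in front of a backend application, which accepts only requests that come from the proxy and that resolve to the federated application's paths. The proxy subnet, the `/fedapp/` prefix and the names `is_allowed` and `BackendGuard` are assumptions made for illustration, as is the premise that this listener serves only the DMZ proxy.

```python
import posixpath
from ipaddress import ip_address, ip_network

# Assumed values for illustration; none come from the product documentation.
PROXY_NETWORK = ip_network("192.0.2.0/28")   # DMZ addresses of the proxy
FEDERATED_PREFIXES = ("/fedapp/",)           # the only paths meant to be exposed


def is_allowed(remote_addr: str, path: str) -> bool:
    """Default-deny decision for one request reaching the backend."""
    try:
        if ip_address(remote_addr) not in PROXY_NETWORK:
            return False
    except ValueError:                       # missing or malformed address
        return False
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return False
    # Collapse "." and ".." so /fedapp/../internal/ is judged as /internal/.
    normalized = posixpath.normpath(path)
    if path.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized.startswith(FEDERATED_PREFIXES)


class BackendGuard:
    """WSGI middleware; PATH_INFO arrives already percent-decoded."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_allowed(environ.get("REMOTE_ADDR", ""), environ.get("PATH_INFO", "")):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden\n"]
```

The check runs on the normalized path, so a request that starts under the federated prefix but climbs out of it with `..` is refused along with every path that was never meant to be exposed.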