Configuration Guides › Federation Security Services Guide › Configure SOA Security Manager as a SAML 2.0 Identity Provider › Protect the Artifact Resolution Service with Client Certificate Authentication (optional) › Create the Artifact Resolution Service Policy

Create the Artifact Resolution Service Policy

To securely send an assertion across the back channel to the Service Provicer, you can use client certificate authentication. At the Identity Provider, configure a policy that uses the client certificate authentication to protect the Artifact Resolution Service.

To create a policy for the service

1. Add an entry to a user directory for each Service Provider. Create a new user store or use an existing directory.

   Create a separate user record for each partner that can retrieve an assertion.

   An attribute of the user record must have the same value specified in the Name field that identifies the Service Provider.

   For example, if you identified the Service Provider as Company A in the Name field, the user directory entry must be:

   uid=CompanyA, ou=Development,o=partner

   The Policy Server maps the subject DN value in the client certificate of the Service Provider to this directory entry.

2. Add the configured user directory to the FederationWebServicesDomain.
3. Create a certificate mapping entry.

   The value for the Attribute Name field in the Certificate Mapping Properties dialog must be mapped to the user directory entry for the Service Provider. The attribute represents the subject DN entry in the certificate of the Service Provider. For example, you select CN as the Attribute Name, and this represents the Service Provider named cn=CompanyA,ou=Development,o=partner

4. Configure an X509 Client Certificate authentication scheme.
5. Create a realm under the FederationWebServicesDomain containing the following entries:
   • Name: <any_name>

     Example: cert artifact resolution

   • Agent: FederationWebServicesAgentGroup
   • Resource Filter: /affwebservices/saml2certartifactresolution
   • Authentication Scheme: client cert auth scheme created in the previous step.
6. Create a rule under the cert artifact resolution realm containing the following:
   • Name: <any_name>

     Example: cert artifact resolution rule

   • Resource: *
   • Web Agent Actions: GET, POST, PUT
7. Create a Web Agent response header under the FederationWebServicesDomain.

   The Artifact Resolution Service uses this HTTP header to verify that the Service Provider for which the SAML assertion was generated is the one actually retrieving the assertion.

   Create a response with the following values:

   • Name: <any_name>
   • Attribute: WebAgent-HTTP-Header-Variable
   • Attribute Kind: User Attribute
   • Variable Name: consumer_name
   • Attribute Name: enter the use directory attribute that contains the Service Provider name value. For example, the entry could be uid=CompanyA.

   Based on these entries, the Web Agent returns a response named HTTP_CONSUMER_NAME.

8. Create a policy under the FederationWebServicesDomain containing the following values:
   • Name: <any_name>
   • User: Add the users from the user directory created in previously in this procedure
   • Rule: <rule_created_earlier_in_this_procedure>
   • Response: <responsecreated_earlier_in_this_procedure>
9. Complete the configuration steps at the Service Provider to use client certificate authentication, if they are not completed already.