A SOA Security Manager environment can be set up to include a Web application environment for web service protection and a federation environment for federated resource protection. This method can make a SOA Security Manager deployment more efficient.
Certain federation features require a persistent user session because the SAML assertion must be stored in the session store at the Policy Server.
These features include:
For SAML 1.x and SAML 2.0, the SAML assertion is stored in a persistent session that the relying party retrieves later.
Federated logout (SAML 2.0 Single Logout and WS-Fed Signout) at producer and consumer sites. Partner data is stored in a persistent user session so that partners can be notified during a federated logout.
Use of persistent user sessions can slow down performance because of the calls to the session store to retrieve assertions or handle log out requests.
For asserting party applications protected by a Web Agent, security zones can eliminate the need for a persistent user session. A security zone is a segment of a single cookie domain. Security zones partition applications so that different resources can have different security requirements for access. All applications in a single zone permit single sign-on to one another. If an application is in another zone, the configured trust relationship determines whether single sign-on is permitted.
Security zones are a SOA Security Manager single sign-on feature. SOA Security Manager Web Agents implement security zones.
Note: In a federated environment, you can only configure Web Agents and SAML Affiliate Agents to use security zones. Secure Proxy Agents and Application Server Agents do not support this feature.
To configure security zones, you set values for the following Web Agent parameters:
Identifies the single sign-on security zone of the agent. The zone name is added to the cookie domain name so that you can tell which cookies are associated with which domains.
Specifies an ordered list of trusted security zone names. The zones and trusted zone lists that you define determine which cookies the Web Agent can read and write.
These parameters are part of an Agent Configuration Object or a local Agent configuration file.
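The following model, added here as an illustration and not part of the SOA Security Manager product or this guide, shows how a zone name and an ordered trusted-zone list decide which session cookies an agent accepts and which cookie it writes. It assumes, as labelled in the code, that the base session cookie is called SMSESSION, that the zone name is prefixed to that cookie name, and that the two parameters are named SSOZoneName and SSOTrustedZone; the agent names, zone names and session identifiers are constructed for the example.

```python
"""
Toy model of Web Agent single sign-on security zones.

Assumptions (not taken from the guide): the session cookie is named
SMSESSION, a zone's cookie is the zone name prefixed to that name, and
the two parameters are SSOZoneName (the agent's own zone) and
SSOTrustedZone (an ordered list of zones whose cookies are accepted).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SESSION_COOKIE = "SMSESSION"  # assumed base name of the session cookie


def zone_cookie_name(zone: str) -> str:
    """Cookie name for a zone's session cookie (assumed: zone name prefixed)."""
    return f"{zone}{SESSION_COOKIE}"


@dataclass
class WebAgent:
    name: str
    sso_zone_name: str                                          # SSOZoneName
    sso_trusted_zone: List[str] = field(default_factory=list)   # SSOTrustedZone

    def read_order(self) -> List[str]:
        """Zones whose cookies this agent accepts: its own zone first, then
        the trusted list in its configured order, without duplicates."""
        order = [self.sso_zone_name]
        for zone in self.sso_trusted_zone:
            if zone not in order:
                order.append(zone)
        return order

    def resolve_session(self, cookies: Dict[str, str]) -> Optional[Tuple[str, str]]:
        """Return (zone, session_id) for the first acceptable cookie present in
        the request, or None when no trusted zone cookie is found."""
        for zone in self.read_order():
            session_id = cookies.get(zone_cookie_name(zone))
            if session_id:
                return zone, session_id
        return None

    def handle_request(
        self, cookies: Dict[str, str], authenticate: Callable[[], str]
    ) -> Tuple[bool, str, Dict[str, str]]:
        """Reuse an accepted session (single sign-on) or, failing that, call
        authenticate() and write this agent's own zone cookie. Returns
        (sso_used, zone_used, updated_cookies); an agent never writes cookies
        for zones other than its own."""
        updated = dict(cookies)
        found = self.resolve_session(cookies)
        if found is not None:
            return True, found[0], updated
        updated[zone_cookie_name(self.sso_zone_name)] = authenticate()
        return False, self.sso_zone_name, updated


def run_scenario() -> Tuple[Dict[str, Tuple[bool, str]], Dict[str, str]]:
    """Walk one user through five agents in a single cookie domain (constructed
    scenario) and return, per agent, whether SSO applied and which zone's
    cookie was used, plus the cookies held at the end."""
    counter = iter(range(1, 100))

    def authenticate() -> str:
        return f"session-{next(counter)}"  # constructed session identifier

    agents = [
        WebAgent("hr-app", "Z1"),                   # first login, writes Z1 cookie
        WebAgent("payroll-app", "Z1"),              # same zone: SSO
        WebAgent("partner-portal", "Z2", ["Z1"]),   # different zone, trusts Z1: SSO
        WebAgent("admin-console", "Z3"),            # no trust: must authenticate
        WebAgent("reporting", "Z4", ["Z3", "Z1"]),  # both trusted; list order wins
    ]
    cookies: Dict[str, str] = {}  # the user starts with no session cookies
    results: Dict[str, Tuple[bool, str]] = {}
    for agent in agents:
        sso_used, zone, cookies = agent.handle_request(cookies, authenticate)
        results[agent.name] = (sso_used, zone)
    return results, cookies


if __name__ == "__main__":
    outcome, final_cookies = run_scenario()
    for agent_name, (sso_used, zone) in outcome.items():
        print(f"{agent_name:15} sso={sso_used!s:5} zone={zone}")
    print("cookies:", final_cookies)
```

In the scenario the admin-console agent, whose zone trusts nothing, forces a second authentication and writes its own cookie, while the reporting agent, which trusts both Z3 and Z1, picks the Z3 session because Z3 comes first in its trusted list; the same user ends the walk holding two independent zone cookies in the one cookie domain.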
For more information about security zones, see the SOA Security Manager Web Agent Configuration Guide.
Copyright © 2011 CA. All rights reserved.