Administration Guide › Using the SPS with Federation Security Services › Solutions for SPS Use Cases › Solution 2: SSO Using User Attribute Profiles

Solution 2: SSO Using User Attribute Profiles

Solution 2 shows how SiteMinder Federation Security Services can be deployed at smcompany.com and partsco.com to solve Use Case 2: Single Sign-on Based on User Attribute Profiles.

SiteMinder v6.x is deployed at both sites. The interactions between the user and each site is similar, where partsco.com is acting as the consuming authority. The FWS application at the producing side provides the service that retrieves assertions. The FWS application at the consuming side provides the service that consumes assertions.

The following illustration is similar for SAML 1.x, SAML 2.0, and WS-Federation; however, the Federation Web Services components are different as follows:

• For SAML 1.x, the Assertion Retrieval Service (for artifact profile only) is at the Producer and the SAML credential collector is at the SP.
• For SAML 2.0, the Artifact Resolution Service (for artifact binding only) is at the IdP and the Assertion Consumer Service at the SP.
• For WS-Federation, the Single Sign-on Service is at the AP and the Security Token Consumer Service is at the RP.

  Note: WS-Federation only supports HTTP-POST binding.

The configuration is similar to Solution 1: Single Sign-on based on Account Linking, except for the following:

• The administrator at smcompany.com defines the consumer/SP for partsco.com with an attribute specifying the user’s department at the company. The assertion generator will include this attribute as part of the user profile in the SAML assertion created for partsco.com.
• The administrator at partsco.com defines an authentication scheme (artifact, post, or WS-federation) for smcompany.com. The scheme extracts the department attribute from the SAML assertion and searches the user directory at partsco.com for the user record that matches the department value taken from the assertion. The administrator defines one user profile record for each department that is allowed to access partsco.com's web site.