The Federation Web Services (FWS) application is installed with the Web Agent Option Pack on a server that has a connection to a SiteMinder Policy Server. The Federation Web Services and the SiteMinder Web Agent support the following web browser single sign-on profiles. These profiles convey information from one site to another through a standard browser.
The supported profiles are:
For the SAML 1.x artifact and POST profiles, the Federation Web Services application uses the following services:
A producer-side component. This service handles a SAML request for the assertion that corresponds to a SAML artifact by retrieving the assertion from the SiteMinder session store. The SAML specification defines the assertion retrieval request and response behavior.
Note: Only the SAML artifact profile uses the assertion retrieval service..
A consumer-side component that receives a SAML artifact or an HTTP form with an embedded SAML response and obtains the corresponding SAML assertion. The credential collector issues SiteMinder cookies to a browser of the user.
A producer-side component for the SAML POST profile. The intersite transfer service transfers a user from the producer site to a consumer site. For the SAML artifact profile, the Web Agent performs the same function as the intersite transfer service.
For SAML 2.0 artifact and POST profiles, the Federation Web Services application uses the following services:
An Identity Provider-side service that corresponds to the SAML 2.0 authentication using the HTTP-artifact binding. This service retrieves the assertion stored in the SiteMinder session store at the Identity Provider.
Note: Only the HTTP-artifact binding uses the artifact resolution service.
A Service Provider component that receives a SAML artifact or an HTTP form with an embedded SAML response and obtains the corresponding SAML assertion. The Assertion Consumer Service issues SiteMinder cookies to a browser.
Note: The Assertion Consumer Service accepts an AuthnRequest with an AssertionConsumerServiceIndex value of 0. All other values for this setting are denied.
This service is deployed for use by SAML 2.0. A Service Provider can generate an <AuthnRequest> message to authenticate a user for cross-domain single sign-on. This message contains information that enables the Federation Web Services application to redirect the browser to the single sign-on service at the Identity Provider. The AuthnRequest service is used for POST and Artifact single sign-on.
The single sign-on service enables an Identity Provider to process AuthnRequest messages. The service also invokes the assertion generator to create an assertion that is sent to the Service Provider.
This service implements processing of single logout functionality, which an Identity Provider or a Service Provider can initiate.
Implements SAML 2.0 Identity Provider Discovery Profile and sets and retrieves the common domain cookie. An IdP requests to set the common domain cookie after authenticating a principal. An SP requests to obtain the common domain cookie to discover which Identity Provider a principal is using.
For the WS-Federation Passive Requestor profile, the Federation Web Services application uses the following services:
Note: WS-Federation is only available with legacy federation.
A Resource Partner component that receives a security token and extracts the corresponding SAML assertion. The Security Token Consumer Service issues SiteMinder cookies to a browser.
Enables an Account Partner to process a wsignin message and gather the necessary Resource Partner information to authenticate the user. This service also invokes the assertion generator to create an assertion that is sent to the Resource Partner.
Implements processing of single logout functionality by way of a signout servlet. An Account Partner or a Resource Partner can initiate signout.
|
Copyright © 2012 CA Technologies.
All rights reserved.
|
|