

Configure Single Sign-on for WS-Federation

An assertion provides the identity information needed for single sign-on at the Resource Partner. The Account Partner generates a SAML 1.1 assertion for a user with an established session, places the assertion in a WS-Federation RequestSecurityTokenResponse message, and then delivers the token to the Resource Partner. The Resource Partner consumes the security token and establishes a session based on its contents.

As part of single sign-on configuration, determine how the Account Partner delivers an assertion to a Resource Partner.

To configure single sign-on at the Account Partner

  1. Navigate to the SAML Profiles settings for the Resource Partner object.
  2. Complete the fields in the SSO section of the page.

    Click Help for field descriptions.

  3. Click Submit to save your changes.

Initiate Single Sign-on at the Account Partner

A user can visit the Account Partner before going to the Resource Partner. If the user goes to the Account Partner first, a link must generate an HTTP GET request. The hard-coded link points to the Single Sign-on Service of the Account Partner. The request contains the RP Provider ID and, optionally, other parameters.

The syntax for the link to the Single Sign-on Service is as follows:

https://ap_server:port/affwebservices/public/wsfedsso?wa=wsignin1.0&wtrealm=RP_ID

ap_server:port

Specifies the server and port number of the system at the Account Partner. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.

RP_ID

Resource Partner identity. The entity ID is case-sensitive. Enter it exactly as it appears in the Administrative UI.
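The following Python is an added example, not code from this documentation or from the product: it builds the sign-in link above (percent-encoding a URL-shaped entity ID so it survives the query string) and shows the check an Account Partner must make on an incoming request, matching wtrealm exactly and case-sensitively against the configured Resource Partner IDs. The host names, entity IDs and the optional wctx parameter (a standard WS-Federation parameter; the page does not say which optional parameters this product accepts) are constructed values.

```python
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNIN_PATH = "/affwebservices/public/wsfedsso"
WA_SIGNIN = "wsignin1.0"


def build_wsfed_signin_url(ap_server_port: str, rp_id: str, extra: Optional[dict] = None) -> str:
    """Build the hard-coded link to the Account Partner's Single Sign-on Service.

    ap_server_port: host:port of the Web Agent Option Pack or SPS federation gateway
    rp_id:          Resource Partner entity ID, passed through verbatim (case-sensitive)
    extra:          optional additional query parameters (constructed example: wctx)
    """
    params = [("wa", WA_SIGNIN), ("wtrealm", rp_id)]
    if extra:
        params.extend(extra.items())
    # urlencode percent-encodes ':' and '/' so a URL-shaped entity ID is not
    # mangled by the query-string delimiters.
    return f"https://{ap_server_port}{SIGNIN_PATH}?{urlencode(params)}"


def resolve_signin_request(url: str, known_rp_ids: Iterable[str]) -> Optional[str]:
    """Validate an incoming sign-in request and return the matched RP entity ID.

    Returns None unless the scheme is https, the path is the SSO service,
    wa is exactly wsignin1.0, and wtrealm is present once and matches a
    configured Resource Partner ID exactly (case-sensitive).
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.path != SIGNIN_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("wa") != [WA_SIGNIN]:
        return None
    realm = query.get("wtrealm")
    if not realm or len(realm) != 1:
        return None
    # Exact comparison: "https://RP.example.com/" does not match "https://rp.example.com/".
    return realm[0] if realm[0] in set(known_rp_ids) else None


if __name__ == "__main__":
    known = {"https://rp.example.com/"}  # constructed RP entity ID
    link = build_wsfed_signin_url("ap.example.com:443", "https://rp.example.com/", {"wctx": "app1"})
    print(link)
    print(resolve_signin_request(link, known))
```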

Initiate Single Sign-on at the Resource Partner

When a user starts at the Resource Partner to initiate single sign-on, typically the user selects from a list of Account Partners. The site selection page is in an unprotected realm.

The link on the site selection page points to the Single Sign-on Service at an Account Partner. After the link is selected, the Resource Partner redirects the user to the Account Partner to get the assertion.