

Grant Access to the Service for Assertion Retrieval (Artifact SSO)

For HTTP-Artifact single sign-on, the relying party needs permission to access the policy that protects the FWS service for obtaining assertions.

To grant access, complete the following two procedures: add the Web Agent to the federation agent group, then add the relying partners to the FWS policy.

Add a Web Agent to the Federation Agent Group

Add the Web Agent that protects the FWS application to the Agent group FederationWebServicesAgentGroup.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, Agents, Create Agent.
  3. Specify the name of the Web Agent in your deployment. Click Submit.
  4. Select Infrastructure, Agent Groups.
  5. Select the FederationWebServicesAgentGroup entry.

    The Agent Groups dialog opens.

  6. Click Add/Remove. The Agent Group Members dialog opens.
  7. Move the web agent from the Available Members list to the Selected Members list.
  8. Click OK to return to the Agent Groups dialog.
  9. Click Submit, then click Close to return to the main page.

Add Relying Partners to the FWS Policy for Obtaining Assertions

If you are using HTTP-Artifact binding for single sign-on, the relying party in the partnership needs permission to access the assertion retrieval service. CA SiteMinder® protects the SAML 1.x and 2.0 retrieval services with a policy.

When you install the Policy Server, the FederationWebServicesDomain is installed by default. This domain includes the following policies for the service from which CA SiteMinder® retrieves assertions:

SAML 1.x: FederationWSAssertionRetrievalServicePolicy

SAML 2.0: SAML2FWSArtifactResolutionServicePolicy

Note: WS-Federation does not use the HTTP-Artifact profile. Therefore, this procedure does not apply to Resource Providers.

Grant access for these policies to any relevant relying partners.

Follow these steps:

  1. In the Administrative UI, navigate to Policies, Domain, Domain Policies.

    A list of domain policies displays.

  2. Select the policy for the SAML profile:

    SAML 1.x: FederationWSAssertionRetrievalServicePolicy

    SAML 2.0: SAML2FWSArtifactResolutionServicePolicy

    The Domain Policies page opens.

  3. Click Modify to change the policy.
  4. Select the Users tab.
  5. In the dialog for the appropriate user directory, click Add Members:

    SAML 1.x: FederationWSCustomUserStore

    SAML 2.0: SAML2FederationCustomUserStore

    The User/Groups page opens.

    The affiliate domain that you previously configured is listed in the Users/Groups dialog. For example, if the affiliate domain is named fedpartners, the entry is affiliate:fedpartners.

  6. Select the check box next to the affiliate domain with the partners that require access to the service. Click OK.

    You return to the User Directories list.

  7. Click Submit.

    You return to the policies list.