A user must have a session at the IdP Policy Server for the Policy Server to generate an assertion. To establish the session, the single sign-on service at the IdP redirects the user to an application by way of an authentication URL. Protect the authentication URL with a policy so that the user is presented with an authentication challenge. The user then logs in and a session is established.
The Authentication URL must point to the redirect.jsp file. For example:
http://webserver1.example.com/affwebservices/redirectjsp/redirect.jsp
In this example, webserver1 identifies the web server with the Web Agent Option Pack. The redirect.jsp file is included with the Web Agent Option Pack, which is installed at the Identity Provider.
After successful authentication, the redirect.jsp application redirects the user back to the single sign-on service for assertion generation.
Two steps are required to enable session creation:
A policy must protect the authentication URL to trigger the authentication challenge.
Follow these steps:
To bind to the realm defined for the asserting party web server, create a web agent. Assign unique agent names for the web server.
Create a policy domain for the authentication URL. Add the user directory that contains the users who get challenged.
Agent for the asserting party web server. You created this agent in step 2.
/affwebservices/redirectjsp
This resource filter applies for a Web Agent and an SPS federation gateway.
Protected
Basic
Select the Persistent check box in the Session section of the realm dialog for the HTTP-Artifact profile and to store session information. Session information is required for features such as single logout and for an attribute authority.
/*
The asterisk means that the rule applies to all resources in the realm.
Allow Access
Enabled check box is selected.
Web Agent actions
Get, Post, Put
A policy now protects the authentication URL. An authentication challenge is triggered when the user is redirected to this URL. Finally, a session is created.
After you configure a policy to protect the Authentication URL, specify this URL in the asserting-to-relying party partnership, such as the IdP->SP partnership.
The Authentication URL is set as part of the single sign-on configurations. In the Authentication section of the dialog, select Local for the Authentication Mode field and enter the complete Authentication URL. For example:
http://webserver1.example.com/affwebservices/redirectjsp/redirect.jsp
In this example, webserver1.example.com identifies the web server with the Web Agent Option Pack.
Copyright © 2015 CA Technologies.
All rights reserved.
|
|