

Federation Web Services URLs Used by SiteMinder

This section contains the following topics:

Federation Services URLs

URLs for Services at the Asserting Party

URLs for Services at the Relying Party

The Web.xml File

Federation Services URLs

The Federation Web Services application contains many services to implement legacy federation. When configuring single sign-on, single logout, or the identity provider discovery profile through the Administrative UI, you are required to specify URLs that reference the different services.

The following service descriptions include:

The Web.xml file is one of the deployment descriptors for the Federation Web Services application. This file lists servlets and URL mappings.

URLs for Services at the Asserting Party

The following services are provided at the asserting party (Producer/Identity Provider/Account Partner); however, you enter the service URL at the relying party (Consumer/Service Provider/Resource Partner).

The Federation Web Services application supplies the following services:

Intersite Transfer Service URL (SAML 1.x)

For SAML 1.x POST and artifact profiles, the intersite transfer URL is a producer-side component that transfers a user from the producer to the consumer.

Default URL for this Service

http://producer_server:port/affwebservices/public/intersitetransfer

producer_server:port

Identifies the web server and port number of the system at the producer hosting the Web Agent Option Pack or the SPS federation gateway.

Intersite Transfer URL

Include the URL in a hard-coded link on a page at the producer.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>intersiteTransferService</servlet-name>
  <display-name>Intersite Transfer Service</display-name>
  <description>This servlet acts as the Intersite Transfer URL.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.IntersiteTransferService</servlet-class>
</servlet>


<servlet-mapping>
  <servlet-name>intersiteTransferService</servlet-name>
  <url-pattern>/public/intersitetransfer/*</url-pattern>
</servlet-mapping>
Assertion Retrieval Service URL (SAML 1.x)

The Assertion Retrieval Service retrieves an assertion for a SAML 1.x consumer site.

Default URLs for this Service
producer_server:port

Identifies the web server and port number of the system at the producer hosting the Web Agent Option Pack or the SPS federation gateway.

Assertion Retrieval URL

Specified in the Assertion Retrieval URL field. This field is in the Scheme Setup section of the SAML 1.x authentication scheme page.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>assertionretriever</servlet-name>
  <display-name>SAML Assertion Retrieval servlet</display-name>
  <description>This servlet processes the HTTP post based SAML requests and returns the SAML Response elements. Both SAML Request and Response elements are SOAP encoded.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.AssertionRetriever</servlet-class>
</servlet>


<servlet-mapping>
  <servlet-name>assertionretriever</servlet-name>
  <url-pattern>/assertionretriever/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>assertionretriever</servlet-name>
  <url-pattern>/certassertionretriever/*</url-pattern>
</servlet-mapping>
Artifact Resolution Service URL (SAML 2.0)

The Artifact Resolution Service retrieves SAML 2.0 assertions for a Service Provider.

Default URL for this Service
idp_server:port

Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.

Resolution Service URL

Specified in the Resolution Service field. This field is in the Bindings section of the SSO settings for the SAML 2.0 authentication scheme. To make the field active, select HTTP-Artifact as the binding.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>saml2artifactresolution</servlet-name>
  <display-name>SAML 2.0 Single Sign-On service</display-name>
  <description>This servlet is the SAML 2.0 Artifact Resolution 
      service at an IdP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.saml2.ArtifactResolution</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>saml2artifactresolution</servlet-name>
  <url-pattern>/saml2artifactresolution/*</url-pattern>
</servlet-mapping>

<servlet-mapping>
  <servlet-name>saml2artifactresolution</servlet-name>
  <url-pattern>/saml2certartifactresolution/*</url-pattern>
</servlet-mapping>
Single Sign On Service URL (SAML 2.0)

The single sign-on service implements single sign-on for SAML 2.0.

Default URL for this Service

http://idp_server:port/affwebservices/public/saml2sso

idp_server:port

Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.

SSO Service URL

Specified in the SSO Service field. This field is in the SSO settings for the SAML 2.0 authentication scheme.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>saml2sso</servlet-name>
  <display-name>SAML 2.0 Single Sign-On service</display-name>
  <description>This servlet is the SAML 2.0 Single Sign-On service at an IdP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.saml2.SSO</servlet-class>
</servlet>


<servlet-mapping>
  <servlet-name>saml2sso</servlet-name>
  <url-pattern>/public/saml2sso/*</url-pattern>
</servlet-mapping>
Single Sign-on Service URL (WS-Federation)

The WS-Federation single sign-on service implements single sign-on for WS-Federation.

Default URL for this Service

http://ap_server:port/affwebservices/public/wsfedsso

ap_server:port

Specifies the server and port number of the system at the Account Partner. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.

SSO Service URL

Specified in the SSO Service field. This field is in the SSO settings of the WS-Federation authentication scheme.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>wsfedsso</servlet-name>
  <display-name>WSFED Single Sign-On service</display-name>
  <description>This servlet is the WSFED Single Sign-On service at an Account Partner.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.wsfed.SSO</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>wsfedsso</servlet-name>
  <url-pattern>/public/wsfedsso/*</url-pattern>
</servlet-mapping>
Single Logout Service URL at the IdP (SAML 2.0)

This service implements single logout for SAML 2.0.

Default URL for this Service

http://idp_server:port/affwebservices/public/saml2slo

idp_server:port

Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.

SLO Location URL/SLO Response Location URL

Specified in the fields of the same name at the Identity Provider. These fields are in the SLO section of the SAML Profiles settings for the SAML Service Provider object.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>saml2slo</servlet-name>
  <display-name>SAML 2.0 Single Logout service</display-name>
  <description>This servlet is the SAML 2.0 Single Logout service at an IdP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.saml2.SLOService</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>saml2slo</servlet-name>
  <url-pattern>/public/saml2slo/*</url-pattern>
</servlet-mapping>
Signout Service URL at the AP (WS-Federation)

This signout service implements WS-Federation sign out functionality.

Default URL for this Service

http://ap_server:port/affwebservices/public/wsfedsignout

ap_server:port

Specifies the server and port number of the system at the Account Partner. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.

Signout Cleanup URL/Signout Confirm URL

Specified in fields of the same name at the Account Partner. These fields are in the Signout section of the SAML Profiles settings for the Resource Partner Properties object.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>wsfedsignout</servlet-name>
  <display-name>WS-Federation Signout Service</display-name>
  <description>This servlet is the WS-Federation Signout service 
      at an AP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.wsfed.SignoutService</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>wsfedsignout</servlet-name>
  <url-pattern>/public/wsfedsignout/*</url-pattern>
</servlet-mapping>
Identity Provider Discovery Profile Service URL (SAML 2.0)

The Identity Provider Discovery Profile service implements the Identity Provider Discovery feature.

Default URL for this Service

https://idp_server:port/affwebservices/public/saml2ipd/*

idp_server:port

Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.

Service URL

Specified in the Service URL field. This field is located in the IPD section of the SAML Profile settings for the SAML Service Provider object at the Identity Provider.

Associated Servlet and Servlet Mapping in Web.xml file
<servlet>
  <servlet-name>saml2ipd</servlet-name>
  <display-name>SAML 2.X Identity Provider Discovery Profile
    service</display-name>
  <description>This servlet is the SAML 2.X Identity Provider Discovery Profile service at an SP or IdP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.saml2.IPDService</servlet-class>
</servlet>


<servlet-mapping>
  <servlet-name>saml2ipd</servlet-name>
  <url-pattern>/public/saml2ipd/*</url-pattern>
</servlet-mapping>
Attribute Service URL (SAML 2.0)

The Attribute Service enables an Attribute Authority to respond to attribute queries from a SAML Requester.

Default URL for this Service

http://idp_server:port/affwebservices/saml2attributeservice

idp_server:port

Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.

Attribute Service URL

Specified in the Attribute Service field. This field is in the Attributes settings for the SAML 2.0 authentication scheme at the Service Provider.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>saml2attributeservice</servlet-name>
  <display-name>SAML 2.0 Attribute service</display-name>
  <description>This servlet is the SAML 2.0 Attribute Service
        at an IdP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.saml2.AttributeService</servlet-class>
</servlet>

<servlet-mapping>
 <servlet-name>saml2attributeservice</servlet-name>
 <url-pattern>/saml2attributeservice/*</url-pattern>
</servlet-mapping>

<servlet-mapping>
 <servlet-name>saml2attributeservice</servlet-name>
 <url-pattern>/saml2certattributeservice/*</url-pattern>
</servlet-mapping>
WSFedDispatcher Service URL at the AP

The WSFedDispatcher Service receives all incoming WS-Federation messages and forwards the request processing to other services based on the query parameter data.

Default URL for this Service

https://ap_server:port/affwebservices/public/wsfeddispatcher

ap_server:port

Specifies the server and port number of the system at the Account Partner. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.

URL

Not applicable

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>wsfeddispatcher</servlet-name>
  <display-name>WS-Federation Dispatcher service</display-name>
  <description>This servlet is the WS-Federation Dispatcher service for all WS-Federation services.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.wsfed.dispatcher</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>wsfeddispatcher</servlet-name>
  <url-pattern>/public/wsfeddispatcher/*</url-pattern>
</servlet-mapping>

URLs for Services at the Relying Party

The relying party provides the following services; however, you enter the URL for the service at the asserting party.

The CA SiteMinder® relying party provides the following services:

SAML Credential Collector Service URL (SAML 1.x)

The SAML Credential Collector service assists in consuming SAML 1.x assertions.

Default URL for this Service

https://consumer_server:port/affwebservices/public/samlcc

consumer_server:port

Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.

Assertion Consumer URL

Specified in the Assertion Consumer URL field. This field is on the Assertions page for the SAML 1.x affiliate object. The field is also in the Scheme Setup section for the SAML 1.x POST authentication scheme at the consumer.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>samlcredentialcollector</servlet-name>
  <display-name>SAML Credential Collector</display-name>
  <description>This servlet acts as the SAML Credential Collector.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.SAMLCredentialCollector</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>samlcredentialcollector</servlet-name>
  <url-pattern>/public/samlcc/*</url-pattern>
</servlet-mapping>
AuthnRequest Service (SAML 2.0)

This AuthnRequest service helps implement single sign-on for the artifact or POST profile.

Default URL for this Service

https://sp_server:port/affwebservices/public/saml2authnrequest

sp_server:port

Specifies the server and port number at the Service Provider hosting the Web Agent Option Pack or the SPS federation gateway.

URL for the Service

Not applicable.

The AuthnRequest is a link in an application at the Service Provider. This link initiates single sign-on and it must be in an application.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>saml2authnrequest</servlet-name>
  <display-name>SAML 2.0 AuthnRequest service</display-name>
  <description>This servlet is the SAML 2.0 AuthnRequest service at an SP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.saml2.AuthnRequest</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>saml2authnrequest</servlet-name>
  <url-pattern>/public/saml2authnrequest/*</url-pattern>
</servlet-mapping>
Assertion Consumer Service URL (SAML 2.0)

The Assertion Consumer Service enables the consumption of assertions.

Default URL for this Service

https://sp_server:port/affwebservices/public/saml2assertionconsumer

sp_server:port

Specifies the server and port number at the Service Provider hosting the Web Agent Option Pack or the SPS federation gateway.

Assertion Consumer URL

Specified in the Assertion Consumer URL field. This field is part of the SSO settings for the SAML Service Provider object at the Identity Provider.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>saml2assertionconsumer</servlet-name>
  <display-name>SAML 2.0 Assertion Consumer service</display-name>
  <description>This servlet is the SAML 2.0 Assertion Consumer service at an SP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer</servlet-class>
</servlet>


<servlet-mapping>
  <servlet-name>saml2assertionconsumer</servlet-name>
  <url-pattern>/public/saml2assertionconsumer/*</url-pattern>
</servlet-mapping>
Security Token Consumer Service URL (WS-Federation)

The Security Token Consumer Service enables the consumption of assertions at the Resource Partner.

Default URL for this Service

https://rp_server:port/affwebservices/public/wsfedsecuritytokenconsumer

rp_server:port

Identifies the web server and port at the Resource Partner hosting the Web Agent Option Pack or SPS federation gateway.

Security Token Consumer Service URL

Specified in the Security Token Consumer Service field. This field is part of the SAML Profiles settings for the Resource Partner object at the Account Partner.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>wsfedsecuritytokenconsumer</servlet-name>
  <display-name>Security Token Consumer service</display-name>
  <description>This servlet is the WS-Federation Security Token 
     Consumer service at an RP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.wsfed.SecurityTokenConsumer</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>wsfedsecuritytokenconsumer</servlet-name>
  <url-pattern>/public/wsfedsecuritytokenconsumer/*</url-pattern>
</servlet-mapping>
Single Logout Service URL at the SP (SAML 2.0)

The single logout services implement single logout for SAML 2.0.

Default URL for this Service

http://sp_server:port/affwebservices/public/saml2slo

sp_server:port

Specifies the server and port number at the Service Provider hosting the Web Agent Option Pack or the SPS federation gateway.

SLO Location URL/SLO Response Location URL

Specified in the fields of the same name. These fields are part of the SLO settings for the SAML 2.0 authentication scheme that you configure at the Service Provider.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>saml2slo</servlet-name>
  <display-name>SAML 2.0 Single Logout service</display-name>
  <description>This servlet is the SAML 2.0 Single Logout service at an SP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.saml2.SLOService</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>saml2slo</servlet-name>
  <url-pattern>/public/saml2slo/*</url-pattern>
</servlet-mapping>
Signout Service URL at the RP (WS-Federation)

The Signout service implements sign out functionality for WS-Federation.

Default URL for this Service:

http://rp_server:port/affwebservices/public/wsfedsignout

rp_server:port

Identifies the web server and port at the Resource Partner hosting the Web Agent Option Pack or SPS federation gateway.

Signout Cleanup URL/Signout URL

Specified in fields of the same name. These fields are in the Signout section for the WS-Federation authentication scheme at the Resource Partner.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>wsfedsignout</servlet-name>
  <display-name>WS-Federation Signout Service</display-name>
  <description>This servlet is the WS-Federation Signout service
      at an RP.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.wsfed.SignoutService</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>wsfedsignout</servlet-name>
  <url-pattern>/public/wsfedsignout/*</url-pattern>
</servlet-mapping>
WSFedDispatcher Service URL at the RP

The WSFedDispatcher Service receives all incoming WS-Federation messages. The service then forwards the request processing to other services based on the query parameter data.

Default URL for this Service

https://rp_server:port/affwebservices/public/wsfeddispatcher

rp_server:port

Identifies the web server and port at the Resource Partner hosting the Web Agent Option Pack or SPS federation gateway.

URL for Service

Not applicable.

Associated Servlet and Servlet Mapping in the Web.xml file
<servlet>
  <servlet-name>wsfeddispatcher</servlet-name>
  <display-name>WS-Federation Dispatcher service</display-name>
  <description>This servlet is the WS-Federation Dispatcher service for all WS-Federation services.</description>
  <servlet-class>com.netegrity.affiliateminder.webservices.wsfed.dispatcher</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>wsfeddispatcher</servlet-name>
  <url-pattern>/public/wsfeddispatcher/*</url-pattern>
</servlet-mapping>

The Web.xml File

The Web.xml file lists servlets and URL mappings for the Federation Web Services application.

You cannot change most of this file, but you can modify the URL mappings.
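
Because the URL mappings can be modified, a service URL entered at a partner can stop matching the servlet it was meant to reach. The following check is an added example, not part of the original documentation or the product: it resolves a configured service URL to the servlet that Web.xml maps it to. The sample descriptor, its `<web-app>` wrapper, and the function names `load_mappings` and `resolve` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CONTEXT_ROOT = "/affwebservices"  # context path used in the page's default URLs

# Constructed sample descriptor: two servlets listed on the page, placed inside
# an assumed <web-app> wrapper so the text parses as one document.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>saml2sso</servlet-name>
    <servlet-class>com.netegrity.affiliateminder.webservices.saml2.SSO</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>saml2artifactresolution</servlet-name>
    <servlet-class>com.netegrity.affiliateminder.webservices.saml2.ArtifactResolution</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>saml2sso</servlet-name>
    <url-pattern>/public/saml2sso/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>saml2artifactresolution</servlet-name>
    <url-pattern>/saml2artifactresolution/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>saml2artifactresolution</servlet-name>
    <url-pattern>/saml2certartifactresolution/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def load_mappings(web_xml_text):
    """Return ({servlet-name: class}, [(url-pattern, servlet-name), ...])."""
    classes, mappings = {}, []
    for el in ET.fromstring(web_xml_text):
        # Drop any namespace prefix and all whitespace, so a value wrapped
        # across lines in a hand-edited file still reads as one token.
        f = {c.tag.rsplit("}", 1)[-1]: "".join((c.text or "").split()) for c in el}
        kind = el.tag.rsplit("}", 1)[-1]
        if kind == "servlet":
            classes[f["servlet-name"]] = f.get("servlet-class", "")
        elif kind == "servlet-mapping":
            mappings.append((f["url-pattern"], f["servlet-name"]))
    return classes, mappings

def resolve(url, classes, mappings):
    """Map a service URL to (servlet-name, class) or None. Handles exact and
    path-prefix ("/x/*") patterns only; the longest matching pattern wins."""
    path = urlparse(url).path
    if not path.startswith(CONTEXT_ROOT + "/"):
        return None
    rel, best = path[len(CONTEXT_ROOT):], None
    for pattern, name in mappings:
        prefix = pattern[:-2] if pattern.endswith("/*") else None
        hit = rel == pattern if prefix is None else (
            rel == prefix or rel.startswith(prefix + "/"))
        if hit and (best is None or len(pattern) > len(best[0])):
            best = (pattern, name)
    if best is None or best[1] not in classes:
        return None  # unmapped URL, or a mapping that names an undeclared servlet
    return best[1], classes[best[1]]
```

A `None` result for a URL that is configured in the Administrative UI means the mapping in Web.xml and the partner configuration no longer agree.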

To view the Web.xml file, go to the appropriate file location: