This section contains the following topics:
Policies that Protect Federation Web Services
Features Associated with FWS Policies
Enforce the Policies that Protect Federation Web Services
When you install the Policy Server, CA SiteMinder® creates policies for several services. These services comprise the Federation Web Services (FWS) application. For a few federation features, the relying party needs permission to access the associated protected service.
Adding a relying partner to a policy is a task that is done only at the asserting party.
For example, for the HTTP-Artifact binding, a policy protects the service from which CA SiteMinder® retrieves an assertion. For CA SiteMinder® to retrieve the assertion for a specific relying partner, that partner must be added as a user to the policy that protects the service.
The following table lists the FWS policy objects that are related to FWS services.
Object Type |
Object Name |
---|---|
Domain |
FederationWebServicesDomain |
Realm |
FederationWebServicesRealm public |
Agent Group |
FederationWebServicesAgentGroup |
Rule |
SAML2FWSAttributeServiceRule FederationWSSessionServiceRule SAML2FWSArtifactResolutionRule FederationWSAssertionRetrievalServiceRule FederationWSNotificationServiceRule |
Policy |
SAML2FWSArtifactResolutionServicePolicy SAML2FWSAttributeServicePolicy FederationWSAssertionRetrievalServicePolicy FederationWSNotificationServicePolicy FederationWSSessionServicePolicy |
Variables |
AllowNotification AllowSessionSync |
User Directories |
FederationWSCustomUserStore SAML2FederationCustomUserStore |
The policies that CA SiteMinder® creates support the following legacy federation features:
FWS Policy |
Federation Feature |
---|---|
SAML2FWSArtifactResolutionServicePolicy |
Protects the artifact resolution service for SAML 2.0 artifact single sign-on |
FederationWSAssertionRetrievalServicePolicy |
Protects the assertion retrieval service for SAML 1.x artifact single sign-on |
SAML2FWSAttributeServicePolicy |
Protects the attribute authority service for SAML 2.0 |
FederationWSNotificationServicePolicy |
Protects the notification service. Notifications are only available if the SAML Affiliate Agent is the consumer. |
FederationWSSessionServicePolicy |
Protects the session service for session management. Session management is available only if the SAML Affiliate Agent is the consumer. |
If you are implementing federation features with FWS policies, the relying party needs permission to access the protected service.
Granting access involves the following tasks:
Other than adding users to a given policy, all other policy objects are set up automatically.
Detailed procedures for enforcing the HTTP-Artifact assertion retrieval and attribute authority policies are in the relevant sections for those features.
Copyright © 2014 CA.
All rights reserved.
|
|