

Require a Session by Protecting the Authentication URL

A user must have a session at the IdP Policy Server for the Policy Server to generate an assertion. To establish the session, the single sign-on service at the IdP redirects the user to an application by way of an authentication URL. Protect the authentication URL with a policy so that the user is presented with an authentication challenge. The user then logs in and a session is established.

The Authentication URL must point to the redirect.jsp file. For example:

http://webserver1.example.com/affwebservices/redirectjsp/redirect.jsp

In this example, webserver1 identifies the web server with the Web Agent Option Pack. The redirect.jsp file is included with the Web Agent Option Pack, which is installed at the Identity Provider.

After successful authentication, the redirect.jsp application redirects the user back to the single sign-on service for assertion generation.

Two steps are required to enable session creation:

  1. Create the policy for the redirect.jsp file.
  2. Specify the Authentication URL in a partnership.

Create the Policy for the Redirect.jsp

A policy must protect the authentication URL to trigger the authentication challenge.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, Agents, Create Agent.

    Create a web agent to bind to the realm defined for the asserting party web server. Give the agent a name that is unique to that web server.

  3. Select Policies, Domain, Domains, Create Domain.

    Create a policy domain for the authentication URL. Add the user directory that contains the users who get challenged.

  4. Select the users that must have access to the resources that are part of the policy domain.
  5. Select the Realms tab and define a realm for the policy domain with the following values:
    Agent

    Agent for the asserting party web server. You created this agent in step 2.

    Resource Filter

    /affwebservices/redirectjsp

    This resource filter applies to both a Web Agent and an SPS federation gateway.

    Default Resource Protection

    Protected

    Authentication Scheme

    Basic

    Persistent Session

    Select the Persistent check box in the Session section of the realm dialog. A persistent session is required for the HTTP-Artifact profile and whenever session information must be stored; session information is required for features such as single logout and for an attribute authority.

  6. In the Rules section of the realm dialog, click Create Rule. Complete the fields with the following values:
    Resource

    /*

    The asterisk means that the rule applies to all resources in the realm.

    Allow/Deny and Enable/Disable

    Allow Access

    The Enabled check box is selected.

    Action

    Web Agent actions

    Get, Post, Put

  7. Select the Policies tab and create a policy that includes the following components:

A policy now protects the authentication URL. An authentication challenge is triggered when the user is redirected to this URL, and a session is created after the user authenticates.
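An added offline check, not part of the product documentation, that a practitioner can adapt to verify the result of this procedure: it confirms that the Authentication URL falls under the realm resource filter and rule, and that a response captured from an unauthenticated request to that URL is a Basic challenge. The URL, filter, rule and scheme values come from the steps above; the sample responses are constructed.

```python
from urllib.parse import urlparse

# Values taken from the procedure above.
RESOURCE_FILTER = "/affwebservices/redirectjsp"   # realm resource filter
RULE_RESOURCE = "/*"                               # rule resource
EXPECTED_SCHEME = "Basic"                          # realm authentication scheme
AUTH_URL = "http://webserver1.example.com/affwebservices/redirectjsp/redirect.jsp"


def url_is_covered(auth_url, resource_filter=RESOURCE_FILTER, rule_resource=RULE_RESOURCE):
    """True if the URL path lies under the realm filter and is matched by the rule.
    The filter is a path prefix; a rule ending in "/*" covers everything beneath it."""
    path = urlparse(auth_url).path
    prefix = resource_filter.rstrip("/")
    if not path.startswith(prefix + "/"):
        return False
    remainder = path[len(prefix):]
    if rule_resource.endswith("/*"):
        return remainder.startswith(rule_resource[:-1])
    return remainder == rule_resource  # a rule naming one file covers only that file


def is_auth_challenge(status, headers, scheme=EXPECTED_SCHEME):
    """True when the response is a 401 whose WWW-Authenticate header names `scheme`."""
    if status != 401:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    www_auth = lowered.get("www-authenticate", "")
    return www_auth.split(" ", 1)[0].lower() == scheme.lower()


def check(auth_url, status, headers):
    """Return findings for one captured response; an empty list means the URL is protected."""
    findings = []
    if not url_is_covered(auth_url):
        findings.append("Authentication URL is outside the realm resource filter and rule")
    if not is_auth_challenge(status, headers):
        findings.append("no %s challenge: the realm is not protecting the URL" % EXPECTED_SCHEME)
    return findings


# Constructed sample responses to an unauthenticated GET of AUTH_URL (not captured from a real server).
PROTECTED = (401, {"WWW-Authenticate": 'Basic realm="redirectjsp"'})
UNPROTECTED = (200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    for label, (status, headers) in (("protected", PROTECTED), ("unprotected", UNPROTECTED)):
        print(label, check(AUTH_URL, status, headers) or "OK")
```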

Specify the Authentication URL in a Partnership

After you configure a policy to protect the Authentication URL, specify this URL in the asserting-to-relying party partnership, such as the IdP->SP partnership.

The Authentication URL is set as part of the single sign-on configuration. In the Authentication section of the dialog, select Local for the Authentication Mode field and enter the complete Authentication URL. For example:

http://webserver1.example.com/affwebservices/redirectjsp/redirect.jsp

In this example, webserver1.example.com identifies the web server with the Web Agent Option Pack.