For HTTP-Artifact single sign-on, the relying party needs permission to access the policy that protects the FWS service for obtaining assertions. Other than adding users to a given policy, all other policy objects are set up automatically. Add the Web Agent that protects the FWS application to the Agent group FederationWebServicesAgentGroup.
If you are using HTTP-Artifact binding for single sign-on, the relying party in the partnership needs permission to access the assertion retrieval service. CA SiteMinder® protects the SAML 1.x and 2.0 retrieval services with a policy.
When you install the Policy Server, the FederationWebServicesDomain is installed by default. This domain includes the following policies for the service from which CA SiteMinder® retrieves assertions:
FederationWSAssertionRetrievalServicePolicy
SAML2FWSArtifactResolutionServicePolicy
Note: WS-Federation does not use the HTTP-Artifact profile. Therefore, this procedure does not apply to Resource Providers.
Grant access for these policies to any relevant relying partners.
Follow these steps:
A list of domain policies displays.
FederationWSAssertionRetrievalServicePolicy
SAML2FWSArtifactResolutionServicePolicy
The Domain Policies page opens.
FederationWSCustomUserStore
SAML2FederationCustomUserStore
The User/Groups page opens.
The affiliate domain that you previously configured is listed in the Users/Groups dialog. For example, if the affiliate domain is named fedpartners, the entry is affiliate:fedpartners.
You return to the User Directories list.
You return to the policies list.
If you configure basic authentication to protect the assertion retrieval service, verify the protection.
Follow these steps:
Access Federation Web Services by entering a fully qualified host name and port number for the server where the Federation Web Services application is installed. For example:
SAML 1.x: http://idp-fws.ca.com:81/affwebservices/assertionretriever
SAML 2.0: http://idp-fws.ca.com:81/affwebservices/saml2artifactresolution
If the service is protected, CA SiteMinder® challenges you for credentials. Only an authorized affiliate is permitted access to Federation Web Services.
The authentication challenge indicates that the service is protected. If CA SiteMinder® does not present a challenge, the policy is improperly configured.
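The verification step above can be scripted so that it runs against every artifact endpoint after each policy change. The following is an added example, not CA SiteMinder code or part of this guide: it sends an unauthenticated GET to each retrieval URL and reports whether the HTTP Basic challenge that a correctly configured policy produces was returned. The host names and port come from the example URLs in the text and are assumed; the classification thresholds (401 with a WWW-Authenticate header means protected, any 2xx means unprotected) are the script's own assumption about what a challenge looks like on the wire.

```python
"""Check whether Federation Web Services artifact endpoints are protected.

Added example (not CA SiteMinder code). An unauthenticated request to a
policy-protected service must come back as an HTTP 401 challenge; a 2xx
means the policy is not applied and the assertion retrieval service is
reachable by anyone.
"""
import urllib.error
import urllib.request
from typing import Dict, Mapping

# Assumed endpoints, following the host/port pattern shown in the docs.
ENDPOINTS: Dict[str, str] = {
    "SAML 1.x": "http://idp-fws.ca.com:81/affwebservices/assertionretriever",
    "SAML 2.0": "http://idp-fws.ca.com:81/affwebservices/saml2artifactresolution",
}


def classify_protection(status: int, headers: Mapping[str, str]) -> str:
    """Interpret the response to an unauthenticated request.

    Returns:
      'protected'   - 401 carrying a WWW-Authenticate challenge (policy active)
      'unprotected' - any 2xx with no challenge (policy misconfigured)
      'unexpected'  - anything else (404, 5xx, 401 without a challenge);
                      investigate before trusting the deployment
    """
    lower = {k.lower(): v for k, v in headers.items()}
    challenge = lower.get("www-authenticate", "").strip()
    if status == 401 and challenge:
        return "protected"
    if 200 <= status < 300:
        return "unprotected"
    return "unexpected"


def check_endpoint(url: str, timeout: float = 5.0) -> str:
    """Send an unauthenticated GET to ``url`` and classify the result."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_protection(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        # 401/403/404/5xx arrive here; err.headers carries the challenge.
        return classify_protection(err.code, dict(err.headers))
    except (urllib.error.URLError, OSError):
        return "unreachable"


def check_all(endpoints: Mapping[str, str] = ENDPOINTS) -> Dict[str, str]:
    """Classify every endpoint; returns {label: verdict}."""
    return {label: check_endpoint(url) for label, url in endpoints.items()}


if __name__ == "__main__":
    # Constructed sample responses, so the classifier can be exercised
    # without network access to an FWS host.
    samples = [
        ("401 with challenge", 401, {"WWW-Authenticate": 'Basic realm="FWS"'}),
        ("200 no challenge", 200, {"Content-Type": "text/xml"}),
        ("401 without challenge", 401, {}),
    ]
    for name, status, hdrs in samples:
        print(f"{name}: {classify_protection(status, hdrs)}")
    # Live check against the configured endpoints (needs network access).
    for label, verdict in check_all().items():
        print(f"{label}: {verdict}")
```

Run it from a host that can reach the FWS server. Any endpoint reported as "unprotected" means the relying party, and everyone else, can fetch assertions without credentials, so re-check the policy's user bindings and the Web Agent's membership in FederationWebServicesAgentGroup before going live.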
Copyright © 2013 CA.
All rights reserved.