Federation Guides › Legacy Federation Guide › Configure CA SiteMinder® as a SAML 2.0 Identity Provider › Grant Access to the Service for Assertion Retrieval (Artifact SSO)

Grant Access to the Service for Assertion Retrieval (Artifact SSO)

For HTTP-Artifact single sign-on, the relying party needs permission to access the policy that protects the FWS service for obtaining assertions.

To grant access:

• Add the Web Agent that protects the FWS application to the agent group FederationWebServicesAgentGroup.
• Add relying partners as users who are permitted to access the specific service.

  Other than adding users to a given policy, all other policy objects are set up automatically.

Add a Web Agent to the Federation Agent Group

Add the Web Agent that protects the FWS application to the Agent group FederationWebServicesAgentGroup.

• For ServletExec, this Agent is on the web server where the Web Agent Option Pack is installed.
• For an application server, such as WebLogic or JBOSS, this Web Agent is installed where the application server proxy is installed. The Web Agent Option Pack can be on a different system.

Follow these steps:

1. Log in to the Administrative UI.
2. Click Infrastructure, Agent, Agents.
3. Click Create Agent.
4. Specify the name of the Web Agent in your deployment. Click Submit.
5. Click Infrastructure, Agent, Agent Groups.
6. Select the FederationWebServicesAgentGroup entry.
7. Click Add/Remove and the Agent Group Members dialog opens.
8. Move the web agent from the Available Members list to the Selected Members list.
9. Click OK to return to the Agent Groups dialog.
10. Click Submit then click Close to return to the main page.

Add Relying Partners to the FWS Policy for Obtaining Assertions

If you are using HTTP-Artifact binding for single sign-on, the relying party in the partnership needs permission to access the assertion retrieval service. CA SiteMinder® protects the SAML 1.x and 2.0 retrieval services with a policy.

When you install the Policy Server, the FederationWebServicesDomain is installed by default. This domain includes the following policies for the service from which CA SiteMinder® retrieves assertions:

SAML 1.x

FederationWSAssertionRetrievalServicePolicy

SAML 2.0

SAML2FWSArtifactResolutionServicePolicy

Note: WS-Federation does not use the HTTP-Artifact profile. Therefore, this procedure does not apply to Resource Providers.

Grant access for these policies to any relevant relying partners.

Follow these steps:

1. In the Administrative UI, navigate to Policies, Domain, Domain Policies.

   A list of domain policies displays.

2. Select the policy for the SAML profile:

   SAML 1.x

   FederationWSAssertionRetrievalServicePolicy

   SAML 2.0

   SAML2FWSArtifactResolutionServicePolicy

   The Domain Policies page opens.

3. Click Modify to change the policy.
4. Select the Users tab.
5. In the dialog for the appropriate user directory, click Add Members:

   SAML 1.x

   FederationWSCustomUserStore

   SAML 2.0

   SAML2FederationCustomUserStore

   The User/Groups page opens.

   The affiliate domain that you previously configured is listed in the Users/Groups dialog. For example, if the affiliate domain is named fedpartners, the entry is affiliate:fedpartners.

6. Select the check box next to the affiliate domain with the partners that require access to the service. Click OK.

   You return to the User Directories list.

7. Click Submit.

   You return to the policies list.