

Creating Links to Consumer Resources for Single Sign-on

At the producer, create pages that contain links that direct the user to the consumer site. Each link represents an intersite transfer URL. The user has to visit the intersite transfer URL, which makes a request to the producer-side Web Agent. The user is then redirected to the consumer site.

For the SAML artifact profile, the syntax for the intersite transfer URL is:

http://producer_site/affwebservices/public/intersitetransfer?SMASSERTIONREF=QUERY&NAME=affiliate_name&TARGET=http://consumer_site/target_url?query_parameter_name%3Dquery_parameter_value%26query_parameter_name%3Dquery_parameter_value&SMCONSUMERURL=http://consumer_site/affwebservices/public/samlcc&AUTHREQUIREMENT=2

For the SAML POST profile, the syntax for the intersite transfer URL is:

http://producer_site/affwebservices/public/intersitetransfer?SMASSERTIONREF=QUERY&NAME=affiliate_name&TARGET=http://consumer_site/target_url

The variables in the intersite transfer URLs are as follows:

producer_site

Specifies the website where the user is authenticated.

affiliate_name

Indicates the name of an affiliate configured in an affiliate domain.

consumer_site

Indicates the site that the user wants to visit from the producer site.

target_url

Target page at the consumer site.

The intersite transfer URLs that the user selects must contain the query parameters listed in the table that follows.

Note: Query parameters for the SAML artifact profile must use HTTP-encoding.

Query Parameter

Meaning

SMASSERTIONREF (required)

For internal use. The value is always QUERY. Do not change this value.

NAME (required)

Name of an affiliate configured in an affiliate domain.

TARGET (required)

The target URL at the consumer site.

SMCONSUMERURL (required only for the artifact profile)

The URL at the consumer site that processes the assertion and authenticates the user.

For SAML 1.x artifact binding, if a value is specified for the Assertion Consumer URL, it takes precedence over the value of this query parameter.

AUTHREQUIREMENT=2 (required only for the artifact profile)

For internal use. The value is always 2. Do not change this value.

Note: The SAML POST profile does not use the SMCONSUMERURL and AUTHREQUIREMENT parameters. However, if you include one of these parameters in the intersite transfer URL, you must also include the other.

Example of an intersite transfer URL for the artifact profile:

http://www.smartway.com/affwebservices/public/intersitetransfer?SMASSERTIONREF=QUERY&NAME=ahealthco&TARGET=http://www.ahealthco.com:85/smartway/index.jsp&SMCONSUMERURL=http://www.ahealthco.com:85/affwebservices/public/samlcc&AUTHREQUIREMENT=2

Example of an intersite transfer URL for the POST profile:

http://www.smartway.com/affwebservices/public/intersitetransfer?SMASSERTIONREF=QUERY&NAME=ahealthco&TARGET=http://www.ahealthco.com/index.html
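
The parameter rules above, as an added example that is not part of the original CA documentation: a Python sketch that builds an intersite transfer URL and checks an existing link against the query parameter table, including the case where an unencoded TARGET query string breaks the link. The function names are hypothetical, and the encoding choice (percent-encoding everything except ':', '/' and '?') is an assumption inferred from the syntax shown above.

```python
from urllib.parse import urlsplit, parse_qs, quote

PATH = "/affwebservices/public/intersitetransfer"
KNOWN = {"SMASSERTIONREF", "NAME", "TARGET", "SMCONSUMERURL", "AUTHREQUIREMENT"}

def _enc(value):
    # Assumption: keep ':', '/' and '?' literal, percent-encode '=' and '&'
    # so TARGET's own query string cannot split the outer query.
    return quote(value, safe=":/?")

def build_intersite_url(producer_site, affiliate_name, target, consumer_url=None):
    """Pass consumer_url for the artifact profile; omit it for the POST profile."""
    url = (f"http://{producer_site}{PATH}?SMASSERTIONREF=QUERY"
           f"&NAME={_enc(affiliate_name)}&TARGET={_enc(target)}")
    if consumer_url is not None:
        url += f"&SMCONSUMERURL={_enc(consumer_url)}&AUTHREQUIREMENT=2"
    return url

def check_intersite_url(url, profile):
    """Return a list of problems; profile is 'artifact' or 'post'."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    problems = []
    if parts.path != PATH:
        problems.append("path is not the intersite transfer service")
    if q.get("SMASSERTIONREF") != ["QUERY"]:
        problems.append("SMASSERTIONREF must be QUERY")
    for name in ("NAME", "TARGET"):
        if not q.get(name, [""])[0]:
            problems.append(f"{name} is required")
    has_consumer, has_authreq = "SMCONSUMERURL" in q, "AUTHREQUIREMENT" in q
    if profile == "artifact" and not (has_consumer and has_authreq):
        problems.append("artifact profile requires SMCONSUMERURL and AUTHREQUIREMENT")
    if has_consumer != has_authreq:
        problems.append("SMCONSUMERURL and AUTHREQUIREMENT must appear together")
    if has_authreq and q["AUTHREQUIREMENT"] != ["2"]:
        problems.append("AUTHREQUIREMENT must be 2")
    stray = sorted(set(q) - KNOWN)
    if stray:  # an unencoded '&' in TARGET leaks its parameters to the top level
        problems.append(f"stray parameters (unencoded TARGET query?): {stray}")
    return problems

if __name__ == "__main__":
    # Constructed sample: TARGET carries an unencoded query string.
    bad = ("http://producer.example" + PATH + "?SMASSERTIONREF=QUERY&NAME=aff"
           "&TARGET=http://consumer.example/page?a=1&b=2")
    print(check_intersite_url(bad, "post"))
    print(build_intersite_url("producer.example", "aff",
                              "http://consumer.example/page?a=1&b=2"))
```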

Choosing Whether to Protect the Intersite Transfer URL

The web pages with the intersite transfer URL links can be part of a CA SiteMinder®-protected realm that is configured for persistent sessions. When a user selects one of the links on a protected page, CA SiteMinder® presents the user with an authentication challenge. After the user logs in, a persistent session can be established, which is required to store a SAML assertion.

If these pages are unprotected, the producer directs an affiliate user without a CA SiteMinder® session to an authentication URL. This URL prompts the user to log in to receive a CA SiteMinder® session. Define the Authentication URL when you configure an affiliate in the Administrative UI.

Note: To set up persistent sessions, configure the session store. Set up a session store using the Policy Server Management Console.