Considerations for the Asserting Party Configuration

The deployment in this chapter shows the asserting party at the remote side of the federated partnership. Federation Manager and the SiteMinder Agent for SAP Web AS are at the local relying party side of the partnership. This chapter does not assume that Federation Manager is at the asserting party; a third-party product can generate assertions. Therefore, detailed configuration procedures for the asserting party are beyond the scope of this chapter.

The following considerations apply for asserting party configuration:

Assertion Generation

Configure the federation product at the asserting party to generate assertions. An assertion can include attributes that the target SAP application at the relying party uses for customization. If Federation Manager is at both sides of the partnership, see the CA Federation Manager Guide for instructions on configuring the asserting party.

Single Logout Configuration

An administrator at the asserting party can enable single logout (SLO) as a SAML 2.0 feature. Single logout results in the simultaneous end of all federated user sessions that are associated with the browser that initiated the logout. The asserting or the relying party can initiate single logout, and the single logout configuration settings are the same at both sides.

At the asserting party, the single logout configuration can use a logout confirmation page. The asserting party redirects the user to this page when the single logout process is complete. A URL identifies the logout page.

When the asserting party communicates with the Agent for SAP Web AS at the relying party, enter the URL of the SAP Web AS logout page as the logout confirmation page. When Federation Manager initiates single logout, it directs the user to its single logout URL and terminates the Federation Manager user session. After terminating that session, Federation Manager redirects the user to the logout URL. When the logout URL is set to the SAP Web AS logout URL, this logout page invalidates the SAP Web AS session.

If your local site initiates single logout, the logout URL must be accessible to the local site. The logout URL must also be a local resource and not a resource in a federated partner domain. For example, if the local domain is acme.com and your partner is example.com, then the single logout confirmation URL must be in acme.com.
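The following Python check is an added example, not part of the product or its documentation, showing one way to verify before deployment that a logout confirmation URL is in the local domain. The function names, the sample paths, and the rule that subdomains of the local domain count as local are assumptions of this example.

```python
from urllib.parse import urlsplit

def check_logout_url(url, local_domain):
    """Return a list of problems with a logout confirmation URL (empty = OK).

    Assumption of this example: a host counts as local when it equals
    local_domain or is a subdomain of it.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return ["URL cannot be parsed"]
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("not an absolute http(s) URL")
    if parts.username is not None or parts.password is not None:
        # "https://acme.com@example.com/" really points at example.com.
        problems.append("URL contains userinfo before the host")
    if not host:
        problems.append("URL has no host")
        return problems
    host = host.rstrip(".").lower()
    domain = local_domain.strip().rstrip(".").lower()
    # Compare on a label boundary: a plain endswith(domain) would accept
    # "notacme.com", and a substring test would accept "acme.com.example.com".
    if host != domain and not host.endswith("." + domain):
        problems.append(f"host {host} is outside local domain {domain}")
    return problems

def audit(urls, local_domain):
    """Map each URL that fails the check to its list of problems."""
    results = {u: check_logout_url(u, local_domain) for u in urls}
    return {u: p for u, p in results.items() if p}

# Constructed sample values; the paths are placeholders, not product paths.
SAMPLES = [
    "https://sap.acme.com/placeholder/logout",
    "https://sso.example.com/placeholder/logout",
    "https://acme.com.example.com/placeholder/logout",
    "https://notacme.com/placeholder/logout",
    "https://acme.com@example.com/placeholder/logout",
    "/placeholder/logout",
]

if __name__ == "__main__":
    for url, problems in audit(SAMPLES, "acme.com").items():
        print(url, "->", "; ".join(problems))
```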