Agent Guide › Configure the SiteMinder Identity Asserter › Configure the SiteMinder Identity Asserter in SiteMinder › Create a SiteMinder Identity Asserter Validation Realm

Create a SiteMinder Identity Asserter Validation Realm

Create a validation realm that allows the Identity Asserter to validate user credentials using session information received from SMSESSION cookies and X509 Client Certificates.

Note: The following procedure provides an overview of the steps required to create the required policy objects with appropriate parameter settings. For detailed procedural information, see the Policy Server Configuration Guide.

To configure the SiteMinder Identity Asserter validation realm

1. Open the SiteMinder Administrative UI.
2. Create an authentication scheme for the validation realm with the following properties:
   • Name

     Specifies a unique name for the authentication scheme.

   • Authentication Scheme Type

     An X509 Client Cert authentication scheme, such as X509 Client Cert Template, to enable the Identity Asserter to validate X.509 Client Certificates.

   • Server Name

     The name of the server where WebLogic is installed.

   • Target

     Leave the default value unchanged.

     Note: This authentication scheme only passes credentials to the Policy Server for verification. It does not redirect requests to an SSL credential collector. Therefore, the Policy Server does not use the values specified in the Server Name and Target fields.

     Note: See the Authentication Schemes chapter in the SiteMinder Policy Server Configuration Guide for instructions on creating an authentication scheme.

3. Create a domain and assign user directories that contain the users who can access the protected resources.
4. Create a realm with the following properties:
   • Domain

     The domain you created in step 3.

   • Name

     A unique name for the realm—for example, SiteMinder Identity Asserter Validation Realm.

   • Description

     An optional description for the realm.

   • Agent

     The name of the SiteMinder Agent identity that you created for the SiteMinder Agent.

     Enter the Agent name in the text box or click the lookup button (...) to select the Agent name from a list of configured Agent identities.

   • Resource Filter

     /smiavalidationrealm

   • Authentication Scheme

     The authentication scheme you created in Step 2.

   • Maximum Timeout

     This option must be disabled.

   • Idle Timeout

     This option must be disabled.

   • Persistent Session

     Non-persistent.

   Note: If the session timeouts are not disabled, the identity assertion process might fail and the native WebLogic security services might challenge the request.

Note: You do not need to configure any rules for the Identity Asserter validation realm.

Configure the Identity Asserter to Only Handle Requests from SiteMinder Session Holders

To configure the SiteMinder Identity Asserter to handle only requests from users with valid SiteMinder session tickets or X.509 certificates (that is, not to challenge requests for credentials), verify that the ChallengeForCredentials Agent configuration parameter is disabled by setting it to NO in the associated Agent Configuration Object or Agent configuration file.

For example:

ChallengeforCredentials=NO