Protect Federation Web Services at the IdP (required-POST/Artifact)
Protecting the Federation Web Services application ensures that the services that make up the application are secure.
The policies for the Federation Web Services application are created automatically by the installation of the Web Agent Option Pack. However, to enforce protection and specify who can access Federation Web Services, there are a few additional steps.
To protect the Federation Web Services application at the IdP
- Log on to the FSS Administrative UI.
- Select the System tab.
- From the menu bar, select Edit, Create Agent.
- In the Agent Properties dialog, enter a name for the Web Agent, then click OK. In this deployment, the Web Agent is idp-webagent.
- If you do not have Agent Groups displayed, select View, Agent Groups from the menu bar.
- Double-click the FederationWebServicesAgentGroup entry to open the Properties of Agent Group dialog.
- Click Add/Remove. The Available Agents and Groups dialog opens.
- Add idp-webagent (the IdP Web Agent protecting the Federation Web Services application) to the Agent group by selecting it from the Available Members list and clicking the left arrow to move it to the Current Members list.
- Click OK until you exit the Agent Groups dialog.
- Specify that all the Service Providers under the affiliate domain Federation Sample Partners can access the Federation Web Services application to retrieve the assertion, as follows:
  - Select the Domains tab and expand FederationWebServicesDomain.
  - Select Policies.
  - From the Policy List, double-click the SAML2FWSArtifactResolutionServicePolicy entry. The SiteMinder Policy dialog box opens.
  - From the Users tab, select the SAML2FederationCustomUserStore tab, then click Add/Remove. "affiliate: Federation Sample Partners" is the "user" listed in the Available Members list.
  - From the Available Members list, choose the SP Partners domain and move it to the Current Members list, then click Apply.
  - Click OK to return to the Policy List.
Federation Web Services is now protected.