Federation Security Services Guide › Identify Consumers at a SAML 1.x Producer › Protect the Authentication URL to Create a SiteMinder Session (SAML 1.x)

Protect the Authentication URL to Create a SiteMinder Session (SAML 1.x)

When you add a consumer to an affiliate domain, one of the parameters you are required to set is the AuthenticationURL parameter.

The file that the AuthenticationURL points to is the redirect.jsp file. This file is installed at the producer site where you install the Web Agent Option Pack or the SPS federation gateway. The redirect.jsp file must be protected by a SiteMinder policy so that the Web Agent presents an authentication challenge to users who request a protected consumer resource but do not have a SiteMinder session.

A SiteMinder session is required for the following features:

• For users requesting a protected Service Provider resource

  If you configure single sign-on using an HTTP artifact profile, a persistent session is needed to store SAML assertions in the session server.

• For single sign-on using an HTTP POST profile

  A user must have a session, but it does not have to be a persistent session because assertions are delivered directly to the consumer site through the user's browser. The assertions do not have to be stored in the session server.

After a user is authenticated and successfully accesses the redirect.jsp file, a session is established. The redirect.jsp file redirects the user back to the producer Web Agent so that the Agent can process the request and generate the SAML assertion for the user.

The procedure for protecting the Authentication URL is the same regardless of the following set-ups:

• Web Agent Option Pack installed on the same system as the Web Agent
• Application server with a Web Agent installed on a Web server proxy
• Application server protected by an Application Server Agent
• SPS federation gateway installed at the Identity Provider