Protect the Authentication URL to Create a SiteMinder Session (SAML 2.0)

When you add a Service Provider to an affiliate domain, one of the parameters you are required to set is the AuthenticationURL parameter.

The file that the Authentication URL points to is the redirect.jsp file. This file is installed at the Identity Provider site where you install the Web Agent Option Pack or the SPS federation gateway. The redirect.jsp file must be protected by a SiteMinder policy so that an authentication challenge is presented to users who request a protected Service Provider resource but do not have a SiteMinder session.

A SiteMinder session is required for the following bindings:

After a user is authenticated and successfully accesses the redirect.jsp file, a session is established. The redirect.jsp file then redirects the user back to the Identity Provider Web Agent or the SPS federation gateway so that the request can be processed and the SAML assertion for the user delivered.

The procedure for protecting the Authentication URL is the same regardless of the following set-ups:

To create a policy to protect the Authentication URL

  1. Log into the FSS Administrative UI.
  2. From the System tab, create Web Agents to bind to the realms that you will define for the web server at the IdP. You can assign unique Agent names for the web server at the Identity Provider and the Federation Web Services application or use the same Agent name for both.
  3. Create a policy domain for the users who want to access Service Provider resources.
  4. From the Users tab, select the users that should have access to the resources that are part of the policy domain.
  5. Define a realm for the policy domain with the following values:
    1. Agent: select the Agent for the Web Server at the Identity Provider.
    2. Resource Filter:

      For Web Agents v5.x QMR 4 and later, and for the SPS federation gateway, enter:

      /siteminderagent/redirectjsp/

      For Web Agents v5.x QMR 1, 2, or 3, enter:

      /affwebservices/redirectjsp/

      The resource filter /siteminderagent/redirectjsp/ is an alias that the Federation Web Services application sets up automatically. It references the following:

      • web_agent_home/affwebservices/redirectjsp
      • sps_home/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp
    3. For the remaining settings, accept the defaults or modify as needed.
  6. For HTTP artifact binding only, select the Session tab and check the Persistent Session check box.

    To enable single sign-on using the SAML artifact binding, configure a persistent session for the Identity Provider realm. If you do not configure a persistent session, the user cannot access Service Provider resources.

  7. Click OK to save the realm.
  8. Create a rule for the realm. In the Resource field, accept the default value, the asterisk (*), to protect all resources for the realm. Select the Web Agent actions GET, POST, and PUT as the allowed actions.
  9. Create a policy for the Web Server at the Identity Provider that includes the rule created in the previous step.
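Once the realm, rule, and policy are in place, the practical test is whether a request to the Authentication URL without a SiteMinder session is challenged. The script below is an added check and is not part of the CA documentation or product. It sends a session-less GET to the redirect.jsp path and classifies the answer. Because redirect.jsp itself issues a redirect once it runs, a 302 on its own does not prove the policy is applied; the script counts only a forms challenge (a redirect to a login page, assumed here to be a SiteMinder .fcc page carrying the TARGET parameter) or a 401 with WWW-Authenticate as a challenge. The host name idp.example.com, the login-page marker, and the sample Location values are constructed for the example.

```python
"""Added example (not part of the CA documentation): check that the
Authentication URL (redirect.jsp) challenges requests that carry no
SiteMinder session.

Assumptions, constructed for this example:
  - IDP_BASE_URL is a placeholder for your Identity Provider web server.
  - A forms challenge redirects to a .fcc login page with a TARGET
    query parameter; adjust LOGIN_MARKER if your login page differs.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

IDP_BASE_URL = "https://idp.example.com"   # placeholder host
LOGIN_MARKER = ".fcc"                      # assumed forms login page suffix

# Resource filters from the procedure: the alias for Web Agent v5.x QMR 4
# and later / SPS federation gateway, and the path for QMR 1, 2 and 3.
REDIRECT_JSP_PATHS = (
    "/siteminderagent/redirectjsp/redirect.jsp",
    "/affwebservices/redirectjsp/redirect.jsp",
)


def classify_response(status, headers, login_marker=LOGIN_MARKER):
    """Classify the response to a session-less GET of redirect.jsp.

    Returns 'challenged' when SiteMinder demanded credentials,
    'unprotected' when the JSP ran (200, or a redirect that is not a
    login challenge), and 'error' for anything else (404, 500, ...).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in lowered:
        return "challenged"                      # basic-style challenge
    if status in (301, 302, 303, 307):
        location = lowered.get("location", "")
        query = parse_qs(urlsplit(location).query, keep_blank_values=True)
        query_keys = {k.lower() for k in query}
        if login_marker in location.lower() or "target" in query_keys:
            return "challenged"                  # forms challenge to login page
        return "unprotected"                     # redirect.jsp ran and forwarded
    if status == 200:
        return "unprotected"                     # JSP content served
    return "error"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the challenge can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_without_session(url, timeout=10):
    """GET url with no cookies; return (status, headers) even for 3xx/4xx."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, method="GET")
    try:
        with opener.open(request, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        # Unfollowed redirects and 401/403/404 arrive here.
        return err.code, dict(err.headers)


def check_authentication_url(base_url=IDP_BASE_URL, paths=REDIRECT_JSP_PATHS):
    """Return {path: verdict} for each candidate redirect.jsp path."""
    verdicts = {}
    for path in paths:
        status, headers = fetch_without_session(base_url + path)
        verdicts[path] = classify_response(status, headers)
    return verdicts


if __name__ == "__main__":
    for path, verdict in check_authentication_url().items():
        print(f"{path}: {verdict}")
```

Run it from a host with no SiteMinder cookies against the IdP web server; every path that exists should report "challenged". An "unprotected" verdict on the path your Web Agent version uses means the realm's resource filter or the policy's user binding does not cover redirect.jsp, and users without a session would reach the federation flow without being authenticated.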


Copyright © 2010 CA. All rights reserved.