Protect the Artifact Resolution Service with Client Certificate Authentication (optional)

For SAML 2.0 HTTP-artifact SSO, the Artifact Resolution Service retrieves the assertion stored in the SiteMinder session server at the Identity Provider so it can be sent to the Service Provider. This service needs to be protected with a SiteMinder policy so assertions are retrieved only by authorized users.

By default, there is a pre-configured policy that uses the Basic over SSL authentication scheme to protect the Artifact Resolution Service. When you configure a policy that uses the client certificate authentication scheme to protect this service, this policy must be created for a different realm than the realm that uses the Basic over SSL scheme.

Generally, the administrator at the Identity Provider should create two policies to protect the Artifact Resolution Service: one policy that uses Basic over SSL and another that uses client certificate authentication.

To protect the Artifact Resolution Service with a client certificate authentication scheme, you:

Using Client Certificate Authentication with an IIS 5.0 Web Server

Client certificate authentication is not supported for IIS 5.0 Web servers at the producer/Identity Provider. However, it can be used on an IIS 5.0 Web server at the consumer/Service Provider to communicate with a non-SiteMinder producer/Identity Provider.

To work around this issue, use the IIS 5.0 Web server's client certificate functionality at the producer/Identity Provider and do not configure SiteMinder's client certificate functionality. If you apply this workaround, be aware that the CN portion of the certificate's DN value must contain the affiliate name value.
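The following is an added example, not SiteMinder or CA code, for checking the constraint above before deploying a client certificate: it parses the certificate's subject DN string (RFC 4514 form, as printed by most certificate tools) and verifies that a CN value contains the affiliate name. It assumes a plain, case-sensitive substring match and does not handle hexadecimal escape sequences in the DN.

```python
# Added example (not SiteMinder code): verify that the CN attribute of a
# client certificate's subject DN contains the affiliate name, which the
# IIS 5.0 workaround above requires.
#
# Assumptions: DN strings follow RFC 4514 (RDNs separated by ',', values
# joined with '+' inside a multi-valued RDN, backslash escapes); the match
# is a plain case-sensitive substring test; hex escapes are not handled.

def parse_dn(dn):
    """Split an RFC 4514 DN string into a list of (ATTRIBUTE, value) pairs."""
    pairs = []
    attr, buf, escaped = "", [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not attr:     # first '=' ends the attribute type
            attr = "".join(buf).strip()
            buf = []
        elif ch in ",+":                 # end of an RDN or of one of its values
            pairs.append((attr.upper(), "".join(buf).strip()))
            attr, buf = "", []
        else:
            buf.append(ch)
    if attr:                             # flush the final attribute/value pair
        pairs.append((attr.upper(), "".join(buf).strip()))
    return pairs

def cn_values(dn):
    """Return every CN value found in the DN (a DN may carry several)."""
    return [value for attr, value in parse_dn(dn) if attr == "CN"]

def cn_contains_affiliate(dn, affiliate_name):
    """True if any CN value in the DN contains the affiliate name."""
    return any(affiliate_name in value for value in cn_values(dn))

if __name__ == "__main__":
    # Constructed sample DN and affiliate name, not values from a real deployment.
    sample_dn = "CN=sp-affiliate-01\\, Inc., OU=Federation, O=Example"
    print(cn_contains_affiliate(sample_dn, "sp-affiliate-01"))
```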

Copyright © 2010 CA. All rights reserved.