Federation Security Services Guide › Deploying Federation without the FSS Sample Application › Set Up the Identity Provider › Protect the Authentication URL (SAML 2.0)

Protect the Authentication URL (SAML 2.0)

You must protect the Authentication URL with a SiteMinder policy. Protecting the Authentication URL ensures that a user requesting a protected federated resource is presented with an authentication challenge if they do not have a SiteMinder session at the IdP.

To protect the Authentication URL at the Identity Provider

1. From the Domains tab, create a policy domain called Authentication URL Protection Domain.
2. Add the IdP LDAP user directory in the User Directories tab.
3. From the Authentication URL Protection domain, create a persistent realm with the following field entries:
   • Name

     Authentication URL Protection Realm

   • Agent

     Using the lookup button, select FSS web agent

     This is the Web Agent protecting the server with the Web Agent Option Pack.

   • Resource Filter

     /siteminderagent/redirectjsp/redirect.jsp

   Accept the defaults for the other settings.

   • Session tab

     Select Persistent Session

4. From the IDP Authentication URL Protection Realm, create a rule under the realm with the following field entries:
   • Name

     Authentication URL Protection Rule

   • Realm

     Authentication URL Protection Realm

   • Resource

     *

   • Web Agent actions

     Get

   Accept the defaults for the other settings.

5. From the Authentication URL Protection domain, create a policy with the following entries:
   • Name

     Authentication URL Protection Policy

   • Users tab

     Add user1 from the IdP LDAP user directory

   • Rules tab

     add Authentication URL Protection Rule

   You now have a policy that protects the Authentication URL at the Identity Provider.