Protect the Authentication URL to Generate a SiteMinder Session

When you add a Resource Partner to an affiliate domain, one of the parameters you are required to set is the Authentication URL parameter.

The Authentication URL points to the redirect.jsp file, which is installed at the Account Partner site, where you install the Web Agent Option Pack or SPS federation gateway. The redirect.jsp file must be protected by a SiteMinder policy so that an authentication challenge is presented to users who request a protected Resource Partner resource but do not have a SiteMinder session.

A SiteMinder session is required for the following bindings:

After a user is authenticated and successfully accesses the redirect.jsp file, a session is established. The redirect.jsp file redirects the user back to the Account Partner so the request can be processed and the assertion can be delivered to the user.

The procedure for protecting the Authentication URL is the same regardless of the following conditions:

To create a policy to protect the Authentication URL

  1. Log in to the FSS Administrative UI.
  2. From the System tab, create Web Agents to bind to the realms that you will define for the Account Partner Web Server. You can assign unique Agent names for the Web Server at the Account Partner and the Federation Web Services application or use the same Agent name for both.
  3. Create a policy domain for the users who want to access Resource Partner resources.
  4. From the Users tab, select the users that should have access to the resources that are part of the policy domain.
  5. Define a realm for the policy domain with the following values:
    1. Agent: select the Agent for the Web Server at the Account Partner.
    2. Resource Filter:

      For Web Agents v5.x QMR 4 and later, and for the SPS federation gateway, enter:

      /siteminderagent/redirectjsp/

      For Web Agents v5.x QMR 1, 2, or 3, enter:

      /affwebservices/redirectjsp/

      The resource filter /siteminderagent/redirectjsp/ is an alias that the Federation Web Services application sets up automatically. It refers to the following:

      • For a Web Agent:

        web_agent_home/affwebservices/redirectjsp

      • For an SPS federation gateway:

        sps_home/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp

    3. For the remaining settings, accept the defaults or modify as needed.
  6. Click OK to save the realm.
  7. Create a rule for the realm. In the Resource field, accept the default value, the asterisk (*), to protect all resources for the realm. Select the Web Agent actions GET, POST, and PUT as the allowed actions.
  8. Create a policy for the Web Server at the Account Partner that includes the rule created in the previous step.
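
A check that can be run once the policy is in place, as an added example that is not part of the original CA documentation: it tests whether requests sent without a session are challenged for each action selected in step 7. The host name, the login-form prefix, and the shape of the challenge (a 401 or a redirect to a login page) are assumptions that depend on the authentication scheme assigned to the realm.

```python
import http.client
from urllib.parse import urlsplit

# Resource filters from step 5 and Web Agent actions from step 7 of this page.
RESOURCE_FILTERS = ("/siteminderagent/redirectjsp/", "/affwebservices/redirectjsp/")
ACTIONS = ("GET", "POST", "PUT")

def classify(status, headers, login_prefix):
    """Classify one response to a request sent with no session cookie.

    Assumption: the realm's authentication scheme challenges with either a
    401 plus WWW-Authenticate or a redirect to a login page under
    login_prefix. redirect.jsp itself answers with a redirect, so a 3xx to
    any other location is treated as not challenged.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in h:
        return "challenged"
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(h.get("location", "")).path
        return "challenged" if target.startswith(login_prefix) else "not challenged"
    if 200 <= status < 300:
        return "not challenged"
    return "inconclusive"  # 403, 404, 5xx: wrong filter for this agent version, or an error

def audit(responses, login_prefix):
    """Return the actions in ACTIONS that were missing or not clearly challenged."""
    return [m for m in ACTIONS
            if m not in responses
            or classify(*responses[m], login_prefix) != "challenged"]

def probe(host, path, method):
    """Send one request without cookies; redirects are not followed."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from a real deployment).
LOGIN = "/siteminderagent/forms/"  # assumed location of the login form
SAMPLE = {
    "GET": (302, {"Location": "https://ap.example.com/siteminderagent/forms/login.fcc?TARGET=x"}),
    "POST": (401, {"WWW-Authenticate": 'Basic realm="redirectjsp"'}),
    "PUT": (302, {"Location": "https://ap.example.com/constructed/next"}),
}
print(audit(SAMPLE, LOGIN))  # ['PUT']
```

For a live check, build the `responses` dictionary with `probe()` for each entry in `ACTIONS`, using the resource filter that matches the installed agent version followed by `redirect.jsp`.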


Copyright © 2010 CA. All rights reserved.