Protect Federation Web Services (Producing-side)

You need to protect the Federation Web Services (FWS) application so that only authorized partner sites (consumers for SAML 1.x, Service Providers for SAML 2.0) can reach it. Protection comes from the Web Agent in front of FWS and from the policies in FederationWebServicesDomain that list which partners are allowed through.

To protect the Federation Web Services application

  1. Log in to the FSS Administrative UI at the producing authority.
  2. Check the Agent Configuration Object for the Web Agent to ensure the necessary parameters are set.
  3. Add the Web Agent that protects Federation Web Services to the Agent group FederationWebServicesAgentGroup. The Web Agent at the producing authority is on the Web server where the Web Agent Option Pack is installed.

    This action binds the Agent to the realms that protect Federation Web Services.

    Select View, Agent Groups to view Agent groups.

  4. Specify the consuming authorities who can access the Federation Web Services application:
    1. From the Domains tab, expand FederationWebServicesDomain and select Policies.

      The following policies are displayed in the Policy List:

      • FederationWSAssertionRetrieval
      • FederationWSNotificationService
      • FederationWSSessionServicePolicy
      • SAML2FWSArtifactResolutionServicePolicy
    2. Select a policy and click Edit, Properties of Policy.

      The SiteMinder Policy dialog box opens.

      Which policies you must edit depends on the SAML version in use. For SAML 1.x, permit access on:

      • FederationWSAssertionRetrieval
      • FederationWSNotificationService
      • FederationWSSessionServicePolicy

      For SAML 2.0, permit access on:

      • SAML2FWSArtifactResolutionServicePolicy

      Note: You do not have to select a policy for WS-Federation.

    3. From the Users tab, select the FederationWSCustomUserStore tab (SAML 1.x) or the SAML2FederationCustomUserStore tab (SAML 2.0).

      The Users/Groups dialog box opens.

      The "users" in these stores are the partner sites themselves: the consumers for SAML 1.x, the Service Providers for SAML 2.0.

    4. Click Add/Remove on the appropriate tab.
    5. From the Available Members list, choose the affiliate domains that should have access to Federation Web Services, then move them to the Current Members list.
    6. Click OK to return to the Policy List.
    7. Repeat this procedure for all policies relevant for the SAML version you are using.

Federation Web Services is now protected from unauthorized access.

To confirm this, request Federation Web Services directly from a browser, for example
http://idp-fws.ca.com:81/affwebservices/assertionretriever. You should be challenged for credentials; only an authorized affiliate site should get through.

In this URL, use the fully qualified host name and port of the server where the Federation Web Services application is installed.

To respond to the authentication challenge, enter a valid affiliate name and the affiliate password configured at the Policy Server. These are the same credentials a partner site presents when it calls FWS.

Check both directions: an anonymous request must be challenged, and a request with a wrong affiliate password must be refused. If either request is served, the Web Agent is not bound to the FWS realms or the policy still lists the wrong members, and the endpoint is not actually restricted.
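The following script automates the check above. It is an added example, not CA's code and not part of the original page: it sends an anonymous request, a request with the affiliate credentials, and a request with a wrong password to the assertion retriever URL and reports whether the Web Agent challenges, allows and refuses them as expected. It assumes the FWS realm uses an HTTP Basic challenge (which is what the "enter the affiliate name and password" prompt implies); a form-based scheme would answer with a redirect to a login page, which the script also counts as a challenge. The affiliate name `affiliate1` and password `s3cret` are sample values, and the small stand-in server at the end is constructed only so the script runs offline; against a real deployment you would pass the FWS base URL from the page, such as `http://idp-fws.ca.com:81`.

```python
"""Smoke test: is Federation Web Services really protected by the Web Agent?

Added example, not CA's code. Sends three GETs to the assertion retriever
path and classifies each answer:
  anonymous            -> must be challenged (401 Basic, or redirect to a login page)
  valid affiliate      -> must be allowed through (2xx)
  wrong password       -> must not be allowed through
Assumes the FWS realm uses HTTP Basic authentication (an assumption, see lead-in).
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FWS_PATH = "/affwebservices/assertionretriever"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses to the caller instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _get(url, auth=None):
    """GET url (no proxies, no redirects); return (status, headers)."""
    req = urllib.request.Request(url)
    if auth is not None:
        name, password = auth
        token = base64.b64encode(f"{name}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), _NoRedirect())
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:          # 3xx/4xx/5xx arrive here
        return err.code, err.headers


def classify(status, headers):
    """Map an HTTP answer to what the Web Agent did with the request."""
    if status == 401 and headers.get("WWW-Authenticate", "").lower().startswith("basic"):
        return "challenged"
    if status in (301, 302, 303, 307, 308):
        return "redirected"            # form-based scheme: sent to a login page
    if 200 <= status < 300:
        return "allowed"
    return "denied"


def verify_fws_protection(base_url, affiliate, password):
    """Run the three requests and decide whether FWS is restricted to affiliates."""
    url = base_url.rstrip("/") + FWS_PATH
    anonymous = classify(*_get(url))
    valid = classify(*_get(url, (affiliate, password)))
    wrong = classify(*_get(url, (affiliate, password + "-wrong")))
    return {
        "anonymous": anonymous,
        "valid_affiliate": valid,
        "wrong_password": wrong,
        "protected": anonymous in ("challenged", "redirected")
        and valid == "allowed"
        and wrong != "allowed",
    }


# --- constructed stand-in for the Web Agent in front of FWS (offline run only) ---
class _FakeFws(BaseHTTPRequestHandler):
    affiliate = ("affiliate1", "s3cret")   # sample credentials, not real ones

    def do_GET(self):
        if self.path != FWS_PATH:
            self.send_error(404)
            return
        expected = "Basic " + base64.b64encode(":".join(self.affiliate).encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"assertion retriever")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="FederationWebServices"')
            self.end_headers()

    def log_message(self, *args):      # keep the run quiet
        pass


class _FakeOpenFws(_FakeFws):
    """Misconfigured stand-in: Agent not bound to the realm, so nobody is challenged."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"assertion retriever")


def start_fake_fws(handler=_FakeFws):
    """Start a stand-in server on a free localhost port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    srv, url = start_fake_fws()
    print(verify_fws_protection(url, *_FakeFws.affiliate))   # expect protected: True
    srv.shutdown()
```

Against a live producing authority, replace the stand-in with the real base URL, for example `verify_fws_protection("http://idp-fws.ca.com:81", "<affiliate name>", "<affiliate password>")`; a result with `"protected": False` means step 3 or step 4 above was not completed for that policy.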


Copyright © 2010 CA. All rights reserved.