Federation Security Services Guide › Authenticate WS-Federation Users at a Resource Partner › How To Protect a Target Resource with a WS-Federation Authentication Scheme

How To Protect a Target Resource with a WS-Federation Authentication Scheme

After configuring a WS-Federation authentication scheme, you can use the scheme to protect the realm that holds the target resources requested by users. These resources then need to be protected by a SiteMinder policy.

At the Resource Partner, you must configure a WS-Federation authentication scheme for each Account Partner that generates assertions. The Account Partner is identified in the Account Partner ID field of the Scheme Setup tab. Each scheme must then be bound to a realm, which consists of all the target URLs that comprise the Resource Partner resources.

There are two ways to set-up a realm that contains target URLs:

• You can create a unique realm for each authentication scheme and Account Partner already configured.
• You can configure a single target realm that uses a custom authentication scheme to dispatch requests to the corresponding WS-Federation authentication schemes. Configuring one realm with a single target for all Account Partners simplifies configuration of realms for authentication.

Important! Each target URL in the realm is also identified in an unsolicited response URL. An unsolicited response is sent from the Account Partner to the Resource Partner, without an initial request from the Resource Partner. In this response is the target. At the Account Partner site, an administrator needs to include this response in a link so that this link the user gets redirected to the Resource Partner.