Federation Security Services Guide › Identify Consumers at a SAML 1.x Producer › Protect the Assertion Retrieval Service with Client Certificate Authentication (optional) › Create the Assertion Retrieval Service Policy

Create the Assertion Retrieval Service Policy

To create a policy that protects the Assertion Retrieval Service

1. For each affiliate, add an entry to a user directory. You can create a new user store or use an existing directory.

   Create a separate user record for each affiliate site that retrieving assertions from the producer site.

   An attribute of the user record should have the same value that is specified in the Name field of the Affiliate Properties dialog box.

   For example, if you identified the affiliate as Company A in the Name field, the user directory entry should be:

   uid=CompanyA, ou=Development,o=CA

   The Policy Server will map the subject DN value of the affiliate's client certificate to this directory entry.

2. Add the configured user directory to the FederationWebServicesDomain.
3. Create a certificate mapping entry.

   The value for the Attribute Name field in the Certificate Mapping Properties dialog box should be mapped to the user directory entry for the affiliate. The attribute represents the subject DN entry in the affiliate's certificate. For example, you may select CN as the Attribute Name, and this represents the affiliate named cn=CompanyA,ou=Development,o=CA

4. Configure an X509 Client Certificate authentication scheme.
5. Create a realm under the FederationWebServicesDomain containing the following entries:
   • Name: any_name

     Example: cert assertion retrieval

   • Agent: FederationWebServicesAgentGroup
   • Resource Filter: /affwebservices/certassertionretriever
   • Authentication Scheme: client cert authentication scheme created in the previous step.
6. Create a rule under the cert assertion retriever realm containing the following:
   • Name: any_name

     Example: cert assertion retrieval rule

   • Resource: *
   • Web Agent Actions: GET, POST, PUT
7. Create a Web Agent response header under the FederationWebServicesDomain.

   The Assertion Retrieval Service uses this HTTP header to make sure that the affiliate site for which the SAML assertion was generated is the site actually retrieving the assertion.

   Create a response with the following values:

   • Name: any_name
   • Attribute: WebAgent-HTTP-Header-Variable
   • Attribute Kind: User Attribute
   • Variable Name: consumer_name
   • Attribute Name: enter the use directory attribute that contains the affiliate name value. For example, the entry could be uid=CompanyA.

   Based on the following entries, the Web Agent will return a response named HTTP_CONSUMER_NAME.

8. Create a policy under the FederationWebServicesDomain containing the following values:
   • Name: any_name
   • User: Add the users from the user directory created in previously in this procedure
   • Rule: rule_created_earlier_in_this_procedure
   • Response: response_created_earlier_in_this_procedure
9. Complete the configuration steps at the Service Provider to use client certificate authentication, if they are not completed already.

   Instructions can be found in Access the Assertion Retrieval Service with a Client Certificate (optional).