How To Protect Resources with a SAML 2.0 Authentication Scheme

At the Service Provider, you must configure a SAML authentication scheme for each Identity Provider that generates assertions. Each scheme must be bound to a realm, which consists of all the target URLs that comprise the target resources requested by users. These resources then need to be protected by a SiteMinder policy.

To protect a federation resource with a SAML authentication scheme:

  1. Create a realm that uses the SAML authentication scheme. The realm is the collection of target resources being requested by users.

    There are two ways to set up a realm that includes a SAML authentication scheme:

  2. After configuring a realm, configure an associated rule and, optionally, a response.
  3. Group the realm, rule, and response into a policy that protects the target resource.

Important! Each target URL in the realm is also identified in an unsolicited response URL. An unsolicited response is sent from the Identity Provider to the Service Provider without an initial request from the Service Provider. The response contains the target. At the Identity Provider site, an administrator needs to include this response in a link so that the link redirects the user to the Service Provider.


Copyright © 2010 CA. All rights reserved.