SAML POST Profile Protocol
For the SAML POST Profile protocol, the Federation Web Services application includes the following services:
- Artifact Resolution Service (SAML 2.0)--An Identity Provider-side service that supports SAML 2.0 authentication using the HTTP-artifact binding. When a Service Provider presents an artifact, this service retrieves the assertion that the artifact references from the SiteMinder session server at the Identity Provider and returns it. This is a SiteMinder-specific service.
Note: The artifact resolution service is used only by the HTTP-artifact binding.
- Assertion Consumer Service (SAML 2.0)--A Service Provider component that receives a SAML artifact or an HTTP form with an embedded SAML response and obtains the corresponding SAML assertion. The Assertion Consumer Service issues SiteMinder cookies to a user's browser.
Note: The Assertion Consumer Service accepts an AuthnRequest only when its AssertionConsumerServiceIndex value is 0. An AuthnRequest carrying any other index value is denied.
- AuthnRequest Service (SAML 2.0)--This service, a SiteMinder-specific service, is a servlet deployed as part of the Federation Web Services application for SAML 2.0. It implements processing for a Service Provider to generate an <AuthnRequest> message to authenticate a user for cross-domain single sign-on. This message contains information that enables the Federation Web Services application to redirect the user's browser to the single sign-on service at the Identity Provider. The AuthnRequest service is used for single sign-on using the POST or artifact binding.
Note: The format of the AuthnRequest message issued by this service is specified in the Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0.
- Single Sign-on Service (SAML 2.0)--This service implements the Identity Provider side of single sign-on. It processes the AuthnRequest message, gathers the Service Provider configuration needed to authenticate the user, redirects the user to the Web Agent to authenticate, and invokes the assertion generator to obtain an assertion that is passed back to the Service Provider.
- Single Logout Service (SAML 2.0)--This service implements processing of single logout functionality, which can be initiated by an Identity Provider or a Service Provider.
- Identity Provider Discovery Service (SAML 2.0)--This service implements the SAML 2.0 Identity Provider Discovery Profile and sets and retrieves the common domain cookie. An Identity Provider requests that the common domain cookie be set after it authenticates a principal. A Service Provider requests the common domain cookie to discover which Identity Provider a principal is using.
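The following is an added example, not SiteMinder code, that walks through the exchange between the services listed above: the Service Provider's AuthnRequest service builds an AuthnRequest that selects an Assertion Consumer Service by index, the Identity Provider's Single Sign-on service parses it and enforces the index-0 rule from the note above, and after authentication the Identity Provider appends itself to the `_saml_idp` common domain cookie that the Service Provider later reads to discover the user's Identity Provider. The cookie name and its format (space-separated, base64-encoded entity IDs, most recent last) come from the SAML 2.0 Identity Provider Discovery Profile; the entity IDs and endpoint URLs are hypothetical placeholders.

```python
"""Added example: AuthnRequest index check and common domain cookie handling.
Entity IDs and URLs below are hypothetical; nothing here is SiteMinder's own code."""
import base64
import binascii
import urllib.parse
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted XML in production, use defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CDC_NAME = "_saml_idp"  # cookie name fixed by the SAML 2.0 IdP Discovery Profile


def build_authn_request(sp_entity_id, idp_sso_url, acs_index=0):
    """SP side: build a <samlp:AuthnRequest> that selects an ACS endpoint by index."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceIndex": str(acs_index),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def process_authn_request(xml_text, known_sps):
    """IdP side: parse the request, require a configured Issuer, and accept only
    AssertionConsumerServiceIndex 0 (a missing index is treated as the default, 0).
    Returns a dict with 'accepted', 'issuer' and 'reason' instead of raising."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"accepted": False, "issuer": None, "reason": f"malformed XML: {exc}"}
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return {"accepted": False, "issuer": None, "reason": "not an AuthnRequest"}
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer not in known_sps:
        return {"accepted": False, "issuer": issuer, "reason": "unknown Issuer"}
    index = root.get("AssertionConsumerServiceIndex", "0")
    if index != "0":
        return {"accepted": False, "issuer": issuer,
                "reason": f"AssertionConsumerServiceIndex {index} denied"}
    return {"accepted": True, "issuer": issuer, "reason": "ok"}


def _cdc_entries(cookie_value):
    """Decode the URL-encoded, space-separated, base64 entity IDs; skip garbage."""
    ids = []
    for entry in urllib.parse.unquote(cookie_value or "").split(" "):
        if not entry:
            continue
        try:
            ids.append(base64.b64decode(entry, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # cookie is client-controlled; ignore undecodable entries
    return ids


def cdc_append(cookie_value, idp_entity_id):
    """IdP side, after authenticating the principal: move or append this IdP to
    the end of the list (most recently used IdP is last) and return the new value."""
    ids = [i for i in _cdc_entries(cookie_value) if i != idp_entity_id] + [idp_entity_id]
    encoded = " ".join(base64.b64encode(i.encode("utf-8")).decode("ascii") for i in ids)
    return urllib.parse.quote(encoded, safe="")


def cdc_most_recent_idp(cookie_value, known_idps):
    """SP side: return the most recently used IdP that the SP actually trusts,
    scanning from the end of the list; None if no trusted IdP is present."""
    for entity_id in reversed(_cdc_entries(cookie_value)):
        if entity_id in known_idps:
            return entity_id
    return None


if __name__ == "__main__":
    SP = "https://sp.example.com/saml"          # hypothetical SP entity ID
    IDP_A = "https://idp-a.example.com/saml"    # hypothetical IdP entity IDs
    IDP_B = "https://idp-b.example.com/saml"
    req = build_authn_request(SP, "https://idp-a.example.com/sso", acs_index=0)
    print(process_authn_request(req, {SP}))
    print(process_authn_request(build_authn_request(SP, "https://idp-a.example.com/sso", 1), {SP}))
    cookie = cdc_append(cdc_append("", IDP_A), IDP_B)   # constructed two-IdP cookie
    print(f"{CDC_NAME}={cookie}")
    print("SP discovers:", cdc_most_recent_idp(cookie, {IDP_A, IDP_B}))
```

At the Service Provider the cookie is only a hint: an attacker can set it to anything, so the discovered entity ID is checked against configured Identity Providers before any redirect, and undecodable entries are dropped rather than trusted.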