Configure SSO with Attributes from a Web Application

To configure single sign-on based on attributes from a web application, complete the following steps:

  1. Create a custom web application for the IdP in your network. This custom application can prompt the user for as many attributes as required or it can simply supply standard attributes and not prompt the user for any information. How attributes are gathered is entirely dependent on how the custom application is written.

    Important! For IdP-initiated single sign-on, if the user is directed to the web application before the SSO service, the web application must include the parameter AllowApplicationPost=yes for the POST to be accepted by the SSO service.

    The SiteMinder Web Agent Option Pack comes with sample JSP applications that you can use as a basis for your custom web application. The path to the sample JSP applications is: web_agent_home/affwebservices/. The sample applications are:

  2. (Optional) If the user is initially directed to the IdP SSO service:
    1. Specify an Application URL in the SAML 2.0 authentication scheme.
    2. Configure the Assertion Generator plug-in to add the attributes to the assertion. The Assertion Generator plug-in is specified in the Advanced tab of the SAML Service Provider Properties dialog.
  3. (Optional) If the user is sent directly to the custom web application when they click on a link at the IdP, you do not have to provide a value for the Application URL parameter in the Policy Server User Interface. However, the Assertion Generator plug-in still needs to be written and configured to work with SiteMinder.

Note: The order of the procedure steps is provided as a guideline. You can perform these steps in a different order.
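
The following added example (not one of the SiteMinder sample applications) sketches the POST that the custom web application in step 1 sends to the SSO service: it forwards only allow-listed attributes, HTML-escapes every value, and includes AllowApplicationPost=yes. Assumptions: the SSO service URL is a placeholder, the attribute names are constructed, and the parameter and attributes are sent as hidden form fields.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added example: renders the auto-submitting POST a custom IdP web application sends to the SSO service. */
public class AttributePostForm {
    // Assumption: the only attribute names this application may forward (constructed names).
    private static final Set<String> ALLOWED = Set.of("department", "costCenter", "locale");
    private static final int MAX_VALUE_LENGTH = 256;

    /** Escapes text for use inside a double-quoted HTML attribute. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Builds the form; rejects attributes outside the allow-list instead of forwarding them. */
    static String render(String ssoServiceUrl, Map<String, String> attributes) {
        StringBuilder html = new StringBuilder();
        html.append("<form id=\"sso\" method=\"POST\" action=\"")
            .append(escapeHtml(ssoServiceUrl)).append("\">\n");
        // Needed when the user reaches the application before the SSO service (sent as a form field by assumption).
        html.append("  <input type=\"hidden\" name=\"AllowApplicationPost\" value=\"yes\">\n");
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            String value = e.getValue();
            if (!ALLOWED.contains(e.getKey()) || value == null || value.length() > MAX_VALUE_LENGTH) {
                throw new IllegalArgumentException("attribute rejected: " + e.getKey());
            }
            html.append("  <input type=\"hidden\" name=\"").append(escapeHtml(e.getKey()))
                .append("\" value=\"").append(escapeHtml(value)).append("\">\n");
        }
        return html.append("</form>\n<script>document.getElementById('sso').submit();</script>\n").toString();
    }

    public static void main(String[] args) {
        Map<String, String> attrs = new LinkedHashMap<>();   // constructed sample input
        attrs.put("department", "R&D \"Platform\"");
        attrs.put("locale", "en-US");
        System.out.println(render("https://idp.example.com/SSO_SERVICE_PLACEHOLDER", attrs));
    }
}
```

Because the attributes end up in the assertion that the Service Provider consumes, take their values from the authenticated session or a trusted store where possible and treat anything typed by the user as untrusted input.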

More information:

Integrate the Assertion Generator Plug-in with SiteMinder (SAML 2.0/WS-Federation)


Copyright © 2010 CA. All rights reserved.