Configure SAML 2.0 SSO with Dynamic Account Linking at the SP
You need to configure several components at the Service Provider to enable SAML 2.0 single sign-on with dynamic account linking:
- AllowCreate feature--enables the creation of attributes in an existing user store.
- Redirect URL--sends the user to the linkaccount.jsp file when authentication fails. This URL is protected by an authentication scheme that prompts the user to log in so a SiteMinder session is created.
- Post Preservation at the Web Agent--must be enabled at the Service Provider Web Agent.
- Search Specification--indicates which attribute will be replaced by the NameID from the assertion.
To enable dynamic account linking for POST or Artifact single sign-on, configure the following at the Service Provider:
- For the linkaccount.jsp file, do the following:
  - (Optional) Customize the linkaccount.jsp file to provide a custom user experience when the user is redirected after a failed authentication attempt. This file must POST the accountlinking and samlresponse parameters back to the Assertion Consumer Service URL. Note that accountlinking must be set to yes (accountlinking=yes).
    The default location for this file is http://sp_home/affwebservices/public/.
  - Protect the linkaccount.jsp file with a SiteMinder forms authentication scheme, which supports POST preservation. A scheme that supports POST preservation is necessary because the SAML response that contains the assertion is posted to the Assertion Consumer Service only after the user has logged in locally at the Service Provider, so the SAML response POST data must be preserved during the entire local authentication process.
    To protect resources with an authentication scheme, refer to information about authentication schemes in the Policy Server Configuration Guide.
- Enable the Allow/Create feature at the Service Provider.
- For the Web Agent at the Service Provider, set the POST Preservation parameter to yes. This enables the POST data from the SAML response to be preserved.
- Configure a redirect URL that sends the user to the linkaccount.jsp file if authentication fails. You must direct the user only to this file.
  The redirect URL is part of the SAML 2.0 authentication scheme setup at the Service Provider, specifically, in the Advanced tab of the SAML Auth Properties dialog. Complete the following fields with the values shown:
  - Redirect URL for the User Not Found Status: http://sp_home/protected_realm/linkaccount.jsp
    Example: http://smwidgets.com/partner_resources/linkaccount.jsp
    The default location of the linkaccount.jsp file is http://sp_home/affwebservices/public/. Copy the file from this directory to a directory that will be configured as a protected realm.
  - Mode: Http POST
- Configure a Search Specification in the Users tab of the SAML Auth Scheme Properties dialog. For example, if buyerID is going to be replaced by the Name ID from the assertion, the Search Specification would be buyerID=%s.
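To make the flow concrete, here is an added Python model (not SiteMinder code) of the three pieces the procedure configures: the user lookup driven by the Search Specification, the User Not Found redirect to linkaccount.jsp in HTTP POST mode, and the link-back POST with accountlinking=yes that writes the NameID into the attribute when AllowCreate is on. The sample SAML response, the in-memory user store and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
           "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
REDIRECT_URL = "http://sp_home/protected_realm/linkaccount.jsp"  # value from the guide

# Constructed, unsigned sample response; only the Subject NameID matters for this model.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">buyer-4711</saml:NameID>
 </saml:Subject></saml:Assertion></samlp:Response>"""

# Constructed local user store; buyerID is the attribute the Search Specification targets.
USER_STORE = [{"uid": "alice", "buyerID": "buyer-1001"},
              {"uid": "bob", "buyerID": ""}]


def extract_name_id(saml_response: str) -> str:
    """Return the assertion's Subject NameID using a namespace-aware lookup."""
    root = ET.fromstring(saml_response)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return node.text.strip()


def resolve_user(saml_response: str, search_spec: str = "buyerID=%s") -> dict:
    """Apply the Search Specification: NameID replaces %s, the left side is the attribute."""
    attr = search_spec.split("=", 1)[0]
    name_id = extract_name_id(saml_response)
    user = next((u for u in USER_STORE if u.get(attr) == name_id), None)
    if user:
        return {"status": "authenticated", "uid": user["uid"]}
    # User Not Found: redirect in HTTP POST mode to the protected linkaccount.jsp;
    # the SAML response travels along so POST preservation can replay it after local login.
    return {"status": "user_not_found", "redirect": REDIRECT_URL, "mode": "POST",
            "post_data": {"samlresponse": saml_response}}


def link_account(local_uid: str, form: dict, allow_create: bool = True,
                 search_spec: str = "buyerID=%s") -> dict:
    """Handle the POST that linkaccount.jsp sends back to the Assertion Consumer
    Service once the user has logged in locally (a SiteMinder session exists)."""
    if form.get("accountlinking") != "yes":
        raise ValueError("accountlinking=yes was not posted")
    if not allow_create:
        raise PermissionError("AllowCreate disabled: attribute cannot be written")
    attr = search_spec.split("=", 1)[0]
    user = next(u for u in USER_STORE if u["uid"] == local_uid)
    user[attr] = extract_name_id(form["samlresponse"])  # NameID is now linked
    return user
```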