Allow Access to the Federation Web Services Application
After you add affiliates to an affiliate domain, the affiliates need permission to access the Federation Web Services application. When you install the Policy Server, the FederationWebServicesDomain is installed by default. This domain includes the following policies:
- FederationWSAssertionRetrieval
- FederationWSNotificationService
- FederationWSSessionServicePolicy
- SAML2FWSArtifactResolutionServicePolicy
To specify permission to the Federation Web Services application:
- From the Domains tab, expand FederationWebServicesDomain and select Policies.
- Select one of the policies, and click Edit, Properties of Policy.
  For SAML 1.x, you need to permit access to:
  - FederationWSAssertionRetrieval
  - FederationWSNotificationService
  - FederationWSSessionServicePolicy

  For SAML 2.0, you need to permit access to SAML2FWSArtifactResolutionServicePolicy.
  The SiteMinder Policy dialog opens.
- From the Users tab, select one of the following:
  - FederationWSCustomUserStore tab for SAML 1.x
  - SAML2FederationCustomUserStore tab for SAML 2.0

  The Users/Groups dialog opens.
  The consumers, Service Providers, and Resource Partners are the "users" included in the listed user stores.
- Click Add/Remove on the appropriate tab.
- From the Available Members list, choose the affiliate domains that should have access to Federation Web Services, then move them to the Current Members list.
- Click OK to return to the Policy List.
- Repeat this procedure for all policies relevant for the SAML version you are using.