The easiest way to become familiar with SiteMinder Federation Security Services is to deploy the SiteMinder FSS sample application and use it to test SAML 2.0 single sign-on and single logout. After running the sample application, you can look at the SiteMinder policy objects created by the sample application and examine the SiteMinder logs containing assertions. Finally, you can use the sample application objects as a basis for configuring your own federation environment.
Note: The FSS sample application cannot be used with SAML 1.x.
The federation sample application automates all the configuration tasks you would perform manually to accomplish SAML 2.0 single sign-on and single logout.
In a deployment that includes only SiteMinder Federation Security Services, we recommend that you install all components on a single system acting as an Identity Provider (IdP) and Service Provider (SP). However, the sample application can be installed on two separate machines, one acting as the IdP and the other as the SP.
The sample application contains the following components:
FederationSample.conf contains configuration settings that define the IdP-side and SP-side SiteMinder policy objects. The information in this file is also used to create sample web pages for testing single sign-on and single logout with the local environment settings.
Important! For FSS-to-FSS communication, the SMFEConfig.conf file is not used, but it is installed with the Policy Server.
SMFEConfig.conf contains information used to create SMFE objects, such as the SP and IdP connection settings for SMFE-to-FSS communication. The information in this file is also used to create sample web pages to test single sign-on and single logout using the local environment settings.
For information about the SMFEConfig.conf file, see the SiteMinder Federation Endpoint Deployment Guide.
SetupFederationSample.pl is a Perl script that executes the FSS sample application. This script creates the objects needed for the IdP and SP sites. The script also creates the necessary web pages required to initiate single sign-on and single logout between the IdP and the SP. The script relies on the information in the FederationSample.conf file to operate.
Note: By default, the script assumes an FSS-to-FSS configuration.
The sample application installs web pages with HTML links to trigger SAML 2.0 single sign-on and single logout transactions between the IdP and SP. When you install the sample application, the directories with these pages are copied to the web server's document root directory that you specify in the FederationSample.conf file.
The IdP web pages are in the idpsample directory within the web server's document root. These pages include:
Index.jsp is the first web page the user accesses at the IdP for IdP-initiated single sign-on. This page provides the link to the protected target resource at the sp.demo partner site. This page also provides a single logout link.
Note: The single logout link is displayed only if FSS is the IdP and an SMSESSION cookie is in the request headers.
SLOConfirm.jsp displays a message that the user has successfully logged out from the idp.demo and sp.demo domains.
The SP web pages are in the spsample directory under the web server's document root. These pages include:
Index.jsp is the first web page the user accesses at the SP for SP-initiated single sign-on. This page provides a link to the protected target resource, which authenticates the user with credentials at the idp.demo partner site. This page also provides a single logout link.
Note: The single logout link is displayed only if FSS is the IdP and an SMSESSION cookie is in the request headers.
Target.jsp is a protected page at the sp.demo partner site, located in the /spsample/protected directory. It is protected by the SAML 2.0 authentication scheme. A user sees this page when single sign-on between the IdP and SP is successful.
SLOConfirm.jsp displays a message that the user has successfully logged out from the idp.demo and sp.demo domains.
Copyright © 2010 CA. All rights reserved.