Create an Authorization Rule to Validate Users

For the realm containing the protected target resource, you need to create a rule that is triggered during the authorization process to retrieve the SAML attributes from the session store.

The rule is based on an authorization event (OnAccessAccept) because the user has already been authenticated by the FWS application. The Web Agent therefore cannot re-authenticate the user and pass on the HTTP headers, so the retrieval of the attributes must happen during the authorization stage.

To create an OnAccessAccept Rule for the realm

  1. Log on to the FSS Administrative UI.
  2. From the Domains tab, navigate to the realm which protects the target resource.
  3. Select the realm with the target resource and choose Create Rule under Realm.

    The Rule Properties dialog opens.

  4. Enter a name in the Name field that describes the rule's purpose as an authorization rule.
  5. Choose the realm protecting the target resource for the Realm field.
  6. Enter an asterisk (*) in the Resource field.
  7. Select Authorization events and OnAccessAccept in the Action group box.
  8. Ensure that Enabled is checked in the Allow/Deny and Enable/Disable group box.
  9. Click OK to save the rule.

The authorization rule is now defined for the realm with the protected resource.


Copyright © 2010 CA. All rights reserved.