Federation Security Services Guide › Configure SiteMinder as a SAML 2.0 Identity Provider › Configure Single Sign-on for SAML 2.0 › Grant Access to the Service for Assertion Retrieval (Artifact SSO)

Grant Access to the Service for Assertion Retrieval (Artifact SSO)

For HTTP-Artifact single sign-on, the relying party needs permission to access the policy that protects the FWS service for obtaining assertions.

To grant access:

• Add the Web Agent that protects the FWS application to the agent group FederationWebServicesAgentGroup.
• Add relying partners as users who are permitted to access the specific service.

  Other than adding users to a given policy, all other policy objects are set up automatically.

Add a Web Agent to the Federation Agent Group

Add the Web Agent that protects the FWS application to the Agent group FederationWebServicesAgentGroup.

• For ServletExec, this Agent is on the web server where the Web Agent Option Pack is installed.
• For an application server, such as WebLogic or JBOSS, this Web Agent is installed where the application server proxy is installed. The Web Agent Option Pack can be on a different system.

Follow these steps:

1. Log in to the Administrative UI.
2. Select Infrastructure, Agents, Create Agent.
3. Specify the name of the Web Agent in your deployment. Click Submit.
4. Select Infrastructure, Agent Groups.
5. Select the FederationWebServicesAgentGroup entry.

   The Agent Groups dialog opens.

6. Click Add/Remove and the Agent Group Members dialog opens.
7. Move the web agent from the Available Members list to the Selected Members list.
8. Click OK to return to the Agent Groups dialog.
9. Click Submit then click Close to return to the main page.

Add Relying Partners to the FWS Policy for Obtaining Assertions

If you are using HTTP-Artifact binding for single sign-on, the relying party in the partnership needs permission to access the assertion retrieval service. SiteMinder protects the SAML 1.x and 2.0 retrieval services with a policy.

When you install the Policy Server, the FederationWebServicesDomain is installed by default. This domain includes the following policies for the service from which SiteMinder retrieves assertions:

SAML 1.x

FederationWSAssertionRetrievalServicePolicy

SAML 2.0

SAML2FWSArtifactResolutionServicePolicy

Note: WS-Federation does not use the HTTP-Artifact profile. Therefore, this procedure does not apply to Resource Providers.

Grant access for these policies to any relevant relying partners.

Follow these steps:

1. In the Administrative UI, navigate to Policies, Domain, Domain Policies.

   A list of domain policies displays.

2. Select the policy for the SAML profile:

   SAML 1.x

   FederationWSAssertionRetrievalServicePolicy

   SAML 2.0

   SAML2FWSArtifactResolutionServicePolicy

   The Domain Policies page opens.

3. Click Modify to change the policy.
4. Select the Users tab.
5. In the dialog for the appropriate user directory, click Add Members:

   SAML 1.x

   FederationWSCustomUserStore

   SAML 2.0

   SAML2FederationCustomUserStore

   The User/Groups page opens.

   The affiliate domain that you previously configured is listed in the Users/Groups dialog. For example, if the affiliate domain is named fedpartners, the entry is affiliate:fedpartners.

6. Select the check box next to the affiliate domain with the partners that require access to the service. Click OK.

   You return to the User Directories list.

7. Click Submit.

   You return to the policies list.

Verify Basic Protection of the Assertion Retrieval Service

If you configure basic authentication to protect the assertion retrieval service, verify the protection.

Follow these steps:

1. Open a web browser.

   Access Federation Web Services by entering a fully qualified host name and port number for the server where the Federation Web Services application is installed. For example:

   SAML 1.x: http://idp-fws.ca.com:81/affwebservices/assertionretriever

   SAML 2.0: http://idp-fws.ca.com:81/affwebservices/saml2artifactresolution

   If the service is protected, SiteMinder challenges you for credentials. Only an authorized affiliate is permitted access to Federation Web Services.

2. Enter a valid name and password that is for a relying partner that is configured at the Policy Server. The name and password are the credentials for the authentication challenge.

The authentication challenge indicates that the service is protected. If SiteMinder does not present a challenge, the policy improperly configured.