This section contains the following topics:
Policies that Protect Federation Web Services
Features Associated with FWS Policies
Enforce the Policies that Protect Federation Web Services
When you install the Policy Server, SiteMinder creates policies for several services. These services comprise the Federation Web Services (FWS) application. For a few federation features, the relying party needs permission to access the associated protected service.
Adding a relying partner to a policy is a task that is done only at the asserting party.
For example, for the HTTP-Artifact binding, a policy protects the service from which SiteMinder retrieves an assertion. For SiteMinder to retrieve the assertion for a specific relying partner, that partner must be added as a user to the policy that protects the service.
The following table lists the FWS policy objects that are related to FWS services.
| Object Type | Object Name |
|---|---|
| Domain | FederationWebServicesDomain |
| Realm | FederationWebServicesRealm public |
| Agent Group | FederationWebServicesAgentGroup |
| Rule | SAML2FWSAttributeServiceRule, FederationWSSessionServiceRule, SAML2FWSArtifactResolutionRule, FederationWSAssertionRetrievalServiceRule, FederationWSNotificationServiceRule |
| Policy | SAML2FWSArtifactResolutionServicePolicy, SAML2FWSAttributeServicePolicy, FederationWSAssertionRetrievalServicePolicy, FederationWSNotificationServicePolicy, FederationWSSessionServicePolicy |
| Variables | AllowNotification, AllowSessionSync |
| User Directories | FederationWSCustomUserStore, SAML2FederationCustomUserStore |
The policies that SiteMinder creates support the following Federation Security Services features:
| FWS Policy | Federation Feature |
|---|---|
| SAML2FWSArtifactResolutionServicePolicy | Protects the artifact resolution service for SAML 2.0 artifact single sign-on |
| FederationWSAssertionRetrievalServicePolicy | Protects the assertion retrieval service for SAML 1.x artifact single sign-on |
| SAML2FWSAttributeServicePolicy | Protects the attribute authority service for SAML 2.0 |
| FederationWSNotificationServicePolicy | Protects the notification service. Notifications are available only if the SAML Affiliate Agent is the consumer. |
| FederationWSSessionServicePolicy | Protects the session service for session management. Session management is available only if the SAML Affiliate Agent is the consumer. |
If you are implementing federation features with FWS policies, the relying party needs permission to access the protected service.
Granting access involves the following tasks:
Other than adding users (the relying partners) to a given policy, all other policy objects are set up automatically when the Policy Server is installed.
Detailed procedures for enforcing the HTTP-Artifact assertion retrieval and attribute authority policies are in the sections for those features. The procedures for allowing access to the notification and session service policies are similar. Those two services are relevant only if a SAML Affiliate Agent is the consumer.
Copyright © 2012 CA. All rights reserved.