

Grant Access to Federation Web Services

This section contains the following topics:

Policies that Protect Federation Web Services

Features Associated with FWS Policies

Enforce the Policies that Protect Federation Web Services

Policies that Protect Federation Web Services

When you install the Policy Server, SiteMinder creates policies for several services. These services make up the Federation Web Services (FWS) application. For some federation features, the relying party needs permission to access the associated protected service.

Adding a relying partner to a policy is done only at the asserting party; the relying party does not configure these policies.

For example, for the HTTP-Artifact binding, a policy protects the service from which SiteMinder retrieves an assertion. For SiteMinder to retrieve the assertion for a specific relying partner, that partner must be added as a user to the policy that protects the service.

The following table lists the FWS policy objects that are related to FWS services.

Object Type        Object Name
Domain             FederationWebServicesDomain
Realm              FederationWebServicesRealm
                   public
Agent Group        FederationWebServicesAgentGroup
Rule               SAML2FWSAttributeServiceRule
                   FederationWSSessionServiceRule
                   SAML2FWSArtifactResolutionRule
                   FederationWSAssertionRetrievalServiceRule
                   FederationWSNotificationServiceRule
Policy             SAML2FWSArtifactResolutionServicePolicy
                   SAML2FWSAttributeServicePolicy
                   FederationWSAssertionRetrievalServicePolicy
                   FederationWSNotificationServicePolicy
                   FederationWSSessionServicePolicy
Variables          AllowNotification
                   AllowSessionSync
User Directories   FederationWSCustomUserStore
                   SAML2FederationCustomUserStore

Features Associated with FWS Policies

The policies that SiteMinder creates support the following Federation Security Services features:

FWS Policy                                     Federation Feature
SAML2FWSArtifactResolutionServicePolicy        Protects the artifact resolution service for SAML 2.0 artifact single sign-on.
FederationWSAssertionRetrievalServicePolicy    Protects the assertion retrieval service for SAML 1.x artifact single sign-on.
SAML2FWSAttributeServicePolicy                 Protects the attribute authority service for SAML 2.0.
FederationWSNotificationServicePolicy          Protects the notification service. Notifications are available only if the SAML Affiliate Agent is the consumer.
FederationWSSessionServicePolicy               Protects the session service for session management. Session management is available only if the SAML Affiliate Agent is the consumer.

Enforce the Policies that Protect Federation Web Services

If you are implementing federation features that rely on FWS policies, the relying party needs permission to access the protected service; otherwise its requests to that service are denied.

Granting access involves the following tasks:

Detailed procedures for enforcing the HTTP-Artifact assertion retrieval and attribute authority policies are in the sections for those features. The procedures for allowing access to the notification service and session service policies are similar. Those two services are relevant only if a SAML Affiliate Agent is the consumer.

More information:

Grant Access to the Service for Assertion Retrieval (Artifact SSO)