

Create the Policy to Protect the Retrieval Service

Create the policy at the asserting party to protect the service from which the asserting party retrieves the assertion.

Follow these steps:

  1. For each affiliate requesting assertions, add a separate entry to a user directory. Create a user directory or use an existing directory.

    In the user record, enter the same value that is specified in the Name field of the affiliate general settings in the Administrative UI. For example, if Company A is the value of the Name field for the affiliate, the user directory entry is:

    uid=CompanyA, ou=Development,o=CA

    The Policy Server maps the subject DN value of the affiliate client certificate to this directory entry.

  2. Add the configured user directory to the FederationWebServicesDomain.
  3. Create a certificate mapping entry.

    Map the Attribute Name to the user directory entry for the affiliate. The attribute represents the subject DN entry in the certificate for the affiliate. For example, you select CN as the Attribute Name, and this value represents the affiliate named cn=CompanyA,ou=Development,o=partner.

    Navigate to Infrastructure, Directory, Certificate Mappings for the mapping settings.

  4. Configure an X509 Client Certificate authentication scheme.
  5. Create a realm under the FederationWebServicesDomain containing the following entries:

    Name: any_name (Example: cert assertion retrieval)

    Agent: FederationWebServicesAgentGroup

    Resource Filter: /affwebservices/certassertionretriever (SAML 1.x) or /affwebservices/saml2certartifactresolution (SAML 2.0)

    Authentication Scheme: the client certificate authentication scheme created in the previous step.

  6. Create a rule under the cert assertion retriever realm containing the following information:

    Name: any_name (Example: cert assertion retrieval rule)

    Resource: *

    Web Agent Actions: GET, POST, PUT

  7. Create a Web Agent response header under the FederationWebServicesDomain.

    The assertion retrieval service uses this HTTP header to verify that the affiliate is the site retrieving the assertion.

    Create a response with the following values:

    Name: any_name

    Attribute: WebAgent-HTTP-Header-Variable

    Attribute Kind: User Attribute

    Variable Name: consumer_name

    Attribute Name: the user directory attribute that contains the affiliate name value (Example: uid=CompanyA).

    Based on the preceding entries, the Web Agent returns a response named HTTP_CONSUMER_NAME.

  8. Create a policy under the FederationWebServicesDomain containing the following values:

    Name: any_name

    User: add the users from the user directory created previously in this procedure.

    Rule: the rule created earlier in this procedure.

    Response: the response created earlier in this procedure.

The policy to protect the assertion retrieval service (SAML 1.x) or artifact resolution service (SAML 2.0) is complete.
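To make the chain of checks that steps 1 through 8 configure concrete, the following Python model is added here as an illustrative example; it is not CA or SiteMinder code and does not reproduce the Policy Server's actual evaluation. It walks a back-channel request through the realm resource filter, the certificate mapping, the policy's user list, the rule's actions and resource, and the response that yields HTTP_CONSUMER_NAME, then shows the comparison the retrieval service makes with that header. The directory contents, the assumption that the certificate mapping compares the certificate's CN value with the directory's uid attribute, the prefix matching of resource filters, and the "HTTP_" header prefix are simplifications made for this example.

```python
"""Illustrative model of the policy built in steps 1-8 (constructed example, not product code)."""
import fnmatch

# Step 1: constructed user directory, one entry per affiliate (DN -> attributes).
USER_DIRECTORY = {
    "uid=CompanyA,ou=Development,o=CA": {"uid": "CompanyA"},
    "uid=CompanyB,ou=Development,o=CA": {"uid": "CompanyB"},
}

# Step 3: certificate mapping. Assumption for this example: the certificate's
# CN value is compared with the directory entry's uid attribute.
CERT_MAPPING_ATTRIBUTE = "CN"
USER_LOOKUP_ATTRIBUTE = "uid"

# Step 5: realm resource filters protected by the client certificate scheme.
REALM_RESOURCE_FILTERS = (
    "/affwebservices/certassertionretriever",       # SAML 1.x
    "/affwebservices/saml2certartifactresolution",  # SAML 2.0
)

# Step 6: rule resource (relative to the realm) and allowed Web Agent actions.
RULE_RESOURCE = "*"
RULE_ACTIONS = {"GET", "POST", "PUT"}

# Step 7: response returning a user attribute as an HTTP header variable.
RESPONSE_VARIABLE_NAME = "consumer_name"
RESPONSE_ATTRIBUTE_NAME = "uid"
RESPONSE_HEADER = "HTTP_" + RESPONSE_VARIABLE_NAME.upper()  # HTTP_CONSUMER_NAME

# Step 8: the policy binds the directory users to the rule and the response.
POLICY_USERS = set(USER_DIRECTORY)


def parse_dn(dn: str) -> dict:
    """Split 'cn=CompanyA,ou=Development,o=partner' into {'CN': 'CompanyA', ...}.

    Simplified parser for the comma-separated DNs used in this example
    (attribute types upper-cased, no escaping support)."""
    parts = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts[attr.strip().upper()] = value.strip()
    return parts


def map_certificate_to_user(subject_dn: str):
    """Step 3: return the DN of the directory entry whose lookup attribute
    equals the mapped attribute of the client certificate, or None."""
    cert_value = parse_dn(subject_dn).get(CERT_MAPPING_ATTRIBUTE)
    if cert_value is None:
        return None
    for user_dn, attrs in USER_DIRECTORY.items():
        if attrs.get(USER_LOOKUP_ATTRIBUTE) == cert_value:
            return user_dn
    return None


def matching_realm_filter(resource: str):
    """Step 5: the realm covers paths that begin with one of its filters."""
    for prefix in REALM_RESOURCE_FILTERS:
        if resource.startswith(prefix):
            return prefix
    return None


def authorize(subject_dn: str, resource: str, action: str):
    """Evaluate one back-channel request.

    Returns (allowed, headers); headers carries HTTP_CONSUMER_NAME on success."""
    prefix = matching_realm_filter(resource)
    if prefix is None:
        return False, {}  # not a resource this realm protects
    user_dn = map_certificate_to_user(subject_dn)
    if user_dn is None or user_dn not in POLICY_USERS:
        return False, {}  # certificate does not map to a policy user
    relative = resource[len(prefix):]
    if action.upper() not in RULE_ACTIONS or not fnmatch.fnmatch(relative, RULE_RESOURCE):
        return False, {}  # rule does not permit this action/resource
    value = USER_DIRECTORY[user_dn][RESPONSE_ATTRIBUTE_NAME]
    return True, {RESPONSE_HEADER: value}


def affiliate_matches(headers: dict, affiliate_name: str) -> bool:
    """Step 7's purpose: the retrieval service confirms that the header names
    the affiliate for which the assertion was issued."""
    return headers.get(RESPONSE_HEADER) == affiliate_name


if __name__ == "__main__":
    ok, hdrs = authorize("cn=CompanyA,ou=Development,o=partner",
                         "/affwebservices/certassertionretriever", "GET")
    print(ok, hdrs, affiliate_matches(hdrs, "CompanyA"))
```

A certificate whose CN is not in the directory, a method outside GET, POST and PUT, or a path outside the two resource filters all fall through to a denial, which is the behaviour the realm, rule and policy combination is meant to produce.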

At the relying party, the administrator has to enable client certificate authentication across the back channel that connects to the relevant assertion service:

SAML 1.x: Enable client certificate authentication for the Assertion Retrieval Service

SAML 2.0: Enable client certificate authentication for the Artifact Resolution Service