

Add Relying Partners to the FWS Policy for Obtaining Assertions (Artifact SSO)

If you are using HTTP-Artifact binding for single sign-on, the relying party in the partnership needs permission to access the assertion retrieval service. SiteMinder protects the SAML 1.x and 2.0 retrieval services with a policy.

When you install the Policy Server, the FederationWebServicesDomain is installed by default.

Note: WS-Federation does not use the HTTP-Artifact profile. Therefore, this procedure does not apply to Resource Providers.

Use these policies to grant access to each relevant relying partner.

Follow these steps:

  1. In the FSS Administrative UI, select the Domains tab.
  2. Expand the FederationWebServicesDomain and select Policies.

    A list of federation policies displays.

  3. Double-click the policy for the appropriate SAML profile:
    SAML 1.x: FederationWSAssertionRetrievalServicePolicy

    SAML 2.0: SAML2FWSArtifactResolutionServicePolicy

    The Policy Properties page opens.

  4. From the Users tab, select the tab for the appropriate directory.
    SAML 1.x: FederationWSCustomUserStore

    SAML 2.0: SAML2FederationCustomUserStore

  5. Click Add/Remove.

    The existing affiliate domains are listed in the Users/Groups dialog. For example, if the affiliate domain is named fedpartners, the entry is affiliate:fedpartners.

  6. Select the affiliate domain and move it to the Current Members list.
  7. Click OK until you return to the FWS policies list.

You have now added affiliates to an FWS policy.

Verify Basic Protection of the Assertion Retrieval Service

If you configure basic authentication to protect the assertion retrieval service, verify the protection.

Follow these steps:

  1. Open a web browser.

    Access Federation Web Services by entering a fully qualified host name and port number for the server where the Federation Web Services application is installed. For example:

    SAML 1.x: http://idp-fws.ca.com:81/affwebservices/assertionretriever

    SAML 2.0: http://idp-fws.ca.com:81/affwebservices/saml2artifactresolution

    If the service is protected, SiteMinder challenges you for credentials. Only an authorized affiliate is permitted access to Federation Web Services.

  2. Enter the name and password of a relying partner that is configured at the Policy Server. These credentials answer the authentication challenge.

The authentication challenge indicates that the service is protected. If SiteMinder does not present a challenge, the policy is improperly configured.
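The browser check above can also be scripted so that both retrieval services are tested the same way after every policy change. The following script is an added example and is not part of the SiteMinder documentation or product: the host idp-fws.example.com, the affiliate credentials and the function names are assumptions, while the two service paths are the ones named on this page. It makes two requests per service: one without credentials, which must receive an HTTP Basic challenge (401 with a WWW-Authenticate: Basic header), and one with the relying partner's credentials, which must not be challenged.

```python
"""Verify that the SiteMinder assertion retrieval services demand Basic
authentication before serving anything.

Added example, not SiteMinder documentation or product code. The host,
port, credentials and function names are assumptions; replace them with
your own values.
"""
import base64
import urllib.error
import urllib.request

# Assumed FWS base URL (the page's own example host is idp-fws.ca.com:81).
FWS_BASE = "http://idp-fws.example.com:81/affwebservices"

# Retrieval service paths named on the page, per SAML profile.
SERVICES = {
    "SAML 1.x": "/assertionretriever",
    "SAML 2.0": "/saml2artifactresolution",
}


def assess(status, www_authenticate=None):
    """Classify the response to an UNauthenticated request.

    The policy is correct only when the anonymous request is challenged
    with HTTP Basic; every other outcome is reported as a problem.
    """
    if status == 401:
        if www_authenticate and www_authenticate.lower().startswith("basic"):
            return "protected"
        return "challenged-but-not-basic"   # some other scheme answered
    if status == 403:
        return "denied-without-challenge"   # blocked, but no Basic challenge offered
    if 200 <= status < 400:
        return "unprotected"                # service answered anonymously
    return "error"                          # 5xx or other failure


def fetch_status(url, username=None, password=None, timeout=10):
    """GET url and return (HTTP status, WWW-Authenticate header or None).

    HTTPError is caught so that 401/403 are returned as plain results.
    """
    req = urllib.request.Request(url, method="GET")
    if username is not None:
        raw = f"{username}:{password or ''}".encode()
        req.add_header("Authorization", "Basic " + base64.b64encode(raw).decode())
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")


def verify_service(url, username, password):
    """Run both checks from the procedure for one service URL.

    Returns (verdict for the anonymous request, whether the affiliate
    credentials were accepted, i.e. not answered with 401).
    """
    anon_status, challenge = fetch_status(url)
    verdict = assess(anon_status, challenge)
    auth_status, _ = fetch_status(url, username, password)
    return verdict, auth_status != 401


if __name__ == "__main__":
    # Assumed credentials of a relying partner configured at the Policy Server.
    USER, PASSWORD = "affiliate-user", "affiliate-password"
    for profile, path in SERVICES.items():
        verdict, accepted = verify_service(FWS_BASE + path, USER, PASSWORD)
        print(f"{profile}: anonymous request -> {verdict}; "
              f"affiliate credentials accepted -> {accepted}")
```

A result of "unprotected" for either service means the FWS policy is not in force for that URL; "denied-without-challenge" usually means the policy applies but the relying partner was not added to the Current Members list, so the credentials test in the same run will also fail.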