Previous Topic: Enable a Persistent Session to Store Assertions at the IdPNext Topic: Select the Artifact Binding at the IdP

Federation Security Services GuideDeploy Federation Using a Manual ConfigurationAdd Functionality to the Federation DeploymentProtect the Target Resource at the SPPermit Access to the FWS Policy that Protects the Artifact Resolution Service

Permit Access to the FWS Policy that Protects the Artifact Resolution Service

The Web Agent Option Pack installs the Federation Web Services application (FWS). When you install the Policy Server for the same IdP as the Web Agent, several policies for services within the FWS application are automatically created. One of these policies protects the artifact resolution service for HTTP-Artifact single sign-on.

Specify which relying partners can access the artifact resolution service by enforcing protection of this artifact resolution policy.

Follow these steps: at the IdP

  1. Log on to the FSS Administrative UI.
  2. Select the System tab.
  3. From the menu, select Edit, Create Agent.
  4. In the Agent Properties dialog, enter a name for the Web Agent then click OK. In this deployment, the Web Agent is idp-webagent.
  5. If you do not have Agent Groups displayed, select View, Agent Groups from the menu bar.
  6. Double-click the FederationWebServicesAgentGroup entry to open the Properties of Agent Group dialog.
  7. Click Add/Remove and the Available Agents and Groups dialog opens.
  8. Add idp-webagent, the IdP Web Agent protecting the FWS application, to the Agent group, by selecting it from the Available Members list and clicking the left arrow to move it to the Current Members list.
  9. Click OK until you exit the Agent Groups dialog.
  10. Specify that all the Service Providers under the affiliate domain Federation Sample Partners can access the artifact resolution service, as follows:
    1. Select the Domains tab and expand FederationWebServicesDomain.
    2. Select Policies.
    3. From the Policy List, double-click the SAML2FWSArtifactResolutionServicePolicy entry.

      The SiteMinder Policy dialog opens.

    4. From the Users tab, select the SAML2FederationCustomUserStore tab then click Add/Remove.

      affiliate: Federation Sample Partners is the "user" listed in the Available Members list.

    5. From the Available Members list, select the SP Partners domain and move it to the Current Members list, then click Apply.
    6. Click OK to return to the Policy List.

The policy that protects the artifact resolution service is now being enforced.