

Add a Consumer to an Affiliate Domain

Entities that consume SAML 1.x assertions are called consumers in the Federation Security Services documentation. In the Policy Server User Interface, however, the same entity is called an affiliate; wherever the UI says affiliate, read consumer.

To add a consumer to an affiliate domain

  1. Log into the FSS Administrative UI.
  2. Display the list of domains.
  3. Expand the affiliate domain where you want to add a consumer.
  4. Click on the Affiliates icon.
  5. From the menu bar, select Edit, Create Affiliate.

    The Affiliate dialog box opens.

  6. Complete the required fields in the dialog box.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  7. Select the Enabled check box to activate the affiliate object.

    This check box must be selected before the Policy Server and Federation Web Services will authenticate users for the consumer's resources.

  8. Optionally, check the Use Secure URL check box.

    The Use Secure URL feature instructs the SSO Service to encrypt the SMPORTALURL query parameter that it appends to the Authentication URL before redirecting the user to establish a SiteMinder session. Encrypting SMPORTALURL prevents a malicious user from altering the value, whether in transit or in a crafted link.

    Note: If you select this check box, set the Authentication URL field to the following URL:

    http(s)://idp_server:port/affwebservices/secure/secureredirect.

    Click Help for more details about this field.

  9. Optionally, if the SAML Affiliate Agent is acting as the SAML consumer, select the Allow Notification check box to provide event notification services for the consumer.

    The notification feature lets the producer track user activity at the consumer. When this check box is selected, the consumer can notify the producer whenever a user accesses specific URLs at the consumer, and the producer can log that activity for auditing or reporting.

    Important! The Notification service is not supported with the SAML credential collector acting as a consumer.

Authenticate Users with No SiteMinder Session (SAML 1.x)

When you add a consumer to an affiliate domain, you are required to set the Authentication URL field. The Authentication URL must point to the redirect.jsp file. The purpose of this URL is to establish a session at the producer.

The redirect.jsp file is installed at the producer where you install the Web Agent Option Pack or the SPS federation gateway. Protect the redirect.jsp file with a SiteMinder policy so that users who request a protected resource are asked to authenticate. The Web Agent presents the challenge because the user does not have a SiteMinder session.

After the user authenticates and reaches the redirect.jsp file, a session exists. The redirect.jsp file then redirects the user back to the producer Web Agent, which can process the original request and generate the SAML assertion.
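The redirect described above, and the Use Secure URL option from the affiliate procedure, can be illustrated with a small simulation. The following Python is an added example written for this page; it is not SiteMinder code, and the hostnames, paths and the HMAC-based sealing scheme are assumptions made for the illustration (the page states only that the real feature encrypts SMPORTALURL, not how). It shows why the plaintext form of SMPORTALURL matters: the endpoint behind the Authentication URL uses that parameter to decide where to send the user after authentication, so an attacker who can rewrite it in a crafted link controls the post-login destination. The sealed form is rejected as soon as it is modified.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the simulation; not taken from any real deployment.
AUTH_URL_PLAIN = "https://idp.example.com/affwebservices/redirectjsp/redirect.jsp"
AUTH_URL_SECURE = "https://idp.example.com/affwebservices/secure/secureredirect"
TAG_LEN = hashlib.sha256().digest_size
# Stand-in for a key known only to the producer side (assumption for this example).
KEY = secrets.token_bytes(32)


def sso_redirect_plain(portal_url: str) -> str:
    """Unprotected form: SMPORTALURL travels as plaintext in the query string."""
    return AUTH_URL_PLAIN + "?" + urlencode({"SMPORTALURL": portal_url})


def seal(value: str, key: bytes) -> str:
    """Illustrative tamper protection: value || HMAC-SHA256(value), base64url.

    This models only the integrity property the page attributes to the real
    feature; SiteMinder's actual secureredirect format is not shown on the page.
    """
    data = value.encode()
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(data + tag).decode().rstrip("=")


def unseal(token: str, key: bytes) -> Optional[str]:
    """Return the protected value, or None if the token was altered in any way."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    data, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return data.decode()


def sso_redirect_secure(portal_url: str, key: bytes) -> str:
    """Use Secure URL form: the parameter is sealed before it is appended."""
    return AUTH_URL_SECURE + "?" + urlencode({"SMPORTALURL": seal(portal_url, key)})


def post_auth_destination(request_url: str, key: Optional[bytes] = None) -> Optional[str]:
    """What the endpoint behind the Authentication URL redirects to after login.

    With key=None it trusts the plaintext parameter, as the unprotected form does.
    With a key it only honours a value that verifies, otherwise it refuses.
    """
    param = parse_qs(urlsplit(request_url).query).get("SMPORTALURL", [None])[0]
    if param is None:
        return None
    return param if key is None else unseal(param, key)


def tamper(request_url: str, new_value: str) -> str:
    """Attacker rewrites SMPORTALURL in a link they send to the victim."""
    parts = urlsplit(request_url)
    return parts._replace(query=urlencode({"SMPORTALURL": new_value})).geturl()


def flip_one_char(request_url: str) -> str:
    """Attacker changes a single character of the sealed token."""
    parts = urlsplit(request_url)
    token = parse_qs(parts.query)["SMPORTALURL"][0]
    first = "B" if token[0] == "A" else "A"
    return parts._replace(query=urlencode({"SMPORTALURL": first + token[1:]})).geturl()


def demo() -> dict:
    target = "https://idp.example.com/app/report"   # the resource the user asked for
    evil = "https://evil.example/steal"              # attacker-chosen destination
    plain = sso_redirect_plain(target)
    secure = sso_redirect_secure(target, KEY)
    return {
        "plain_honest": post_auth_destination(plain),
        "plain_tampered": post_auth_destination(tamper(plain, evil)),
        "secure_honest": post_auth_destination(secure, KEY),
        "secure_replaced": post_auth_destination(tamper(secure, evil), KEY),
        "secure_bitflip": post_auth_destination(flip_one_char(secure), KEY),
    }


if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:16s} -> {dest}")
```

In the plaintext case the tampered link still "works", but the victim ends up at the attacker's host with a fresh SiteMinder session behind them; in the sealed case both the wholesale replacement and the single-character change are refused. The real feature achieves the same outcome by encryption, and the only configuration the page requires for it is pointing the Authentication URL at the secureredirect endpoint.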

The procedure for protecting the Authentication URL is the same in all of the following set-ups: