You can set up links to initiate single sign-on from either side of a WS-Federation network.
A user can visit the Account Partner before going to the Resource Partner. If the user goes to the Account Partner first, a link must generate an HTTP Get request. The hard-coded link points to the Single Sign-on Service of the Account Partner. The request contains the RP Provider ID and optionally other parameters.
The syntax for the link to the Single Sign-on Service is as follows:
https://ap_server:port/affwebservices/public/wsfedsso?wa=wsignin1.0&wtrealm=RP_ID
Specifies the server and port number of the system at the Account Partner. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.
Resource Partner identity
When a user starts at the Resource Partner to initiate single sign-on, typically the user selects from a list of Account Partners. The site selection page is in an unprotected realm.
The link on the site selection page points to the Single Sign-on Service at an Account Partner. After the link is selected, the Resource Partner redirects the user to the Account Partner to get the assertion.
Copyright © 2012 CA.
All rights reserved.
|
|