

Enable the Artifact Binding for SAML Authentication at the SP

At the Service Provider, configure the single sign-on bindings for the SAML authentication scheme so the Service Provider knows how to communicate with the Identity Provider.

To specify artifact binding for the authentication scheme

  1. Log on to the FSS Administrative UI.
  2. From the System tab, select Authentication Schemes.
  3. Select Partner IdP.demo Auth Scheme and right-click to open the properties for this scheme.
  4. Click Additional Configuration.
  5. Select the SSO tab.
  6. On the SSO tab, check HTTP-Artifact and enter the following value for the Resolution Service field:

    https://www.idp.demo:443/affwebservices/saml2artifactresolution

  7. Select the Backchannel tab and complete the following fields:

     Authentication: Basic
     SP Name: sp.demo
     Password: password
     Confirm Password: password

     The password must match the one configured at the Identity Provider.

  8. Click OK.

Add a Link at the SP to Initiate Artifact Single Sign-on

Test single sign-on in a SiteMinder-to-SiteMinder network using the web pages included with the sample application. The sample web pages are available provided you run the sample application script. If you do not run the sample application, use your own web pages to test single sign-on.

The sample application web pages are located in the following two folders:

policy_server_home/samples/federation/content/idpsample
policy_server_home/samples/federation/content/spsample

policy_server_home

Specifies the installed location of the SiteMinder Policy Server.

Important! If you have run the sample application, the idpsample and spsample folders are automatically copied into the document root directory of your web server.

If you use your own HTML page, it must contain a hard-coded link to the AuthnRequest service. For this deployment, the link for Artifact binding is:

http://<server:port>/affwebservices/public/saml2authnrequest?ProviderID=IdP_ID&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

server:port

Defines the name and port of the server at the SP where the Web Agent Option Pack is installed.

IdP_ID

Defines the provider ID.

The link for this deployment is:

http://www.sp.demo:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

The HTML source file with the link is similar to the following example:

<a href="http://www.sp.demo:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">Link for ARTIFACT Single Sign-on</a>

The AuthnRequest Service redirects the user to the Identity Provider specified in the link to retrieve the authentication context of the user. After the Identity Provider authenticates the user and establishes a session, it directs the user back to the target resource at the Service Provider.

Note: The ProviderID in the AuthnRequest link must match the IdP ID field value of the SAML authentication scheme at the SP. The IdP ID field is on the Scheme Setup tab of the Authentication Scheme Properties dialog.
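The two consistency requirements above (ProviderID in the link equals the scheme's IdP ID, and the back-channel password at the SP equals the one at the IdP), as an added Python illustration that is not SiteMinder code and not part of this guide: it builds the SP-initiated link from server:port and IdP ID, checks a link against the scheme, and shows the HTTP Basic credential the SP presents to the artifact resolution service together with the matching check at the IdP side. The demo values (www.sp.demo:81, idp.demo, sp.demo, password) are the page's; the function names are assumptions of this example.

```python
"""Added example, not SiteMinder code: models the ProviderID/IdP ID check and
the HTTP Basic back-channel credential used by HTTP-Artifact single sign-on."""
import base64
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Binding URN the page hard-codes in the ProtocolBinding parameter.
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"


def build_authn_request_link(server_port: str, idp_id: str) -> str:
    """Hard-coded link for the SP web page, e.g. server_port='www.sp.demo:81'."""
    query = urlencode({"ProviderID": idp_id, "ProtocolBinding": ARTIFACT_BINDING},
                      safe=":")  # keep the URN readable, as on the page
    return f"http://{server_port}/affwebservices/public/saml2authnrequest?{query}"


def link_matches_scheme(link: str, scheme_idp_id: str) -> list:
    """Problems found when comparing a link with the SAML auth scheme at the SP."""
    params = parse_qs(urlsplit(link).query)
    problems = []
    if params.get("ProviderID") != [scheme_idp_id]:
        problems.append("ProviderID does not match the scheme's IdP ID")
    if params.get("ProtocolBinding") != [ARTIFACT_BINDING]:
        problems.append("ProtocolBinding is not HTTP-Artifact")
    return problems


def backchannel_auth_header(sp_name: str, password: str) -> str:
    """Authorization header the SP sends to the artifact resolution service."""
    token = base64.b64encode(f"{sp_name}:{password}".encode()).decode()
    return f"Basic {token}"


def idp_accepts_backchannel(header: str, expected_sp: str, expected_pw: str) -> bool:
    """IdP-side check of the Basic credential; constant-time compare of both parts."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        name, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 (binascii.Error) or bad UTF-8
        return False
    return (hmac.compare_digest(name.encode(), expected_sp.encode())
            and hmac.compare_digest(pw.encode(), expected_pw.encode()))
```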

Now, follow the steps to test SP-initiated single sign-on.