

Add the Service Provider to the Affiliate Domain at the IdP

To add sp.demo to the affiliate domain, you must specify values on the Users tab, the General tab, and the SSO tab before you can save a Service Provider object.

To add sp.demo to the Federation Sample Partners domain

  1. Begin at the Domains tab.
  2. Select Federation Sample Partners, right-click, and select Create SAML Service Provider.
  3. Complete the following fields:
    Name

    sp.demo

    Description

    Service Provider

    Authentication URL

    http://www.idp.demo/siteminderagent/redirectjsp/redirect.jsp

    This redirect.jsp is included with the Web Agent Option Pack that is installed at the Identity Provider site. In this deployment, that server is www.idp.demo. If the user does not have a SiteMinder session, the SSO service at the IdP redirects the user to the authentication URL to log in.

    After successful authentication, the redirect.jsp application redirects the user back to the SSO service for assertion generation. A SiteMinder policy must protect this URL.

    Enabled

    Verify that this option is selected. By default, this option is selected.

  4. Keep the Policy Server User Interface open and continue with the next procedure, Select Users for Which Assertions Will Be Generated at the IdP.

Protect the Authentication URL (SAML 2.0)

You must protect the Authentication URL with a SiteMinder policy. Protecting the Authentication URL ensures that a user requesting a protected federated resource is presented with an authentication challenge if they do not have a SiteMinder session at the IdP.

To protect the Authentication URL at the Identity Provider

  1. From the Domains tab, create a policy domain called Authentication URL Protection Domain.
  2. Add the IdP LDAP user directory in the User Directories tab.
  3. From the Authentication URL Protection domain, create a persistent realm with the following field entries:
    Name

    Authentication URL Protection Realm

    Agent

    Using the lookup button, select FSS web agent

    This is the Web Agent protecting the server with the Web Agent Option Pack.

    Resource Filter

    /siteminderagent/redirectjsp/redirect.jsp

    Accept the defaults for the other settings.

    Session tab

    Select Persistent Session

  4. From the Authentication URL Protection Realm at the IdP, create a rule under the realm with the following field entries:
    Name

    Authentication URL Protection Rule

    Realm

    Authentication URL Protection Realm

    Resource

    *

    Web Agent actions

    Get

    Accept the defaults for the other settings.

  5. From the Authentication URL Protection domain, create a policy with the following entries:
    Name

    Authentication URL Protection Policy

    Users tab

    Add user1 from the IdP LDAP user directory

    Rules tab

    Add Authentication URL Protection Rule

    You now have a policy that protects the Authentication URL at the Identity Provider.
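As an added illustration, not code from the original page or from SiteMinder, the small Python model below mirrors the realm, rule and policy just configured and shows why the realm matters: a GET to redirect.jsp without a session is challenged, a session for user1 is allowed, and a path outside any realm passes with no challenge at all. The evaluation logic and the outcome strings are assumptions; the agent name, resource filter, rule resource, action and user1 come from the page.

```python
# Illustrative model written for this page; it is not SiteMinder's own evaluation logic.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple

@dataclass
class Realm:
    agent: str            # Web Agent protecting the server with the Option Pack
    resource_filter: str  # paths under this prefix belong to the realm

@dataclass
class Rule:
    realm: Realm
    resource: str              # "*" on the page: everything under the realm filter
    actions: Tuple[str, ...]   # Web Agent actions, e.g. ("GET",)

@dataclass
class Policy:
    users: Set[str]   # Users tab
    rules: List[Rule] # Rules tab

@dataclass
class Request:
    agent: str
    path: str
    method: str
    user: Optional[str]  # None models "no SiteMinder session at the IdP"

def in_realm(realm: Realm, req: Request) -> bool:
    return req.agent == realm.agent and req.path.startswith(realm.resource_filter)

def rule_matches(rule: Rule, req: Request) -> bool:
    rest = req.path[len(rule.realm.resource_filter):]
    return in_realm(rule.realm, req) and req.method in rule.actions and fnmatch(rest, rule.resource)

def evaluate(policies: List[Policy], req: Request) -> str:
    realms = [r.realm for p in policies for r in p.rules]
    if not any(in_realm(rl, req) for rl in realms):
        return "unprotected"   # no realm covers the path: no challenge is ever issued
    if req.user is None:
        return "challenge"     # realm hit without a session: agent challenges for login
    for p in policies:
        if req.user in p.users and any(rule_matches(r, req) for r in p.rules):
            return "allow"
    return "deny"              # session exists but no policy grants this user/action

# Constructed configuration mirroring the procedure on this page.
REALM = Realm("FSS web agent", "/siteminderagent/redirectjsp/redirect.jsp")
POLICY = Policy({"user1"}, [Rule(REALM, "*", ("GET",))])
```

Running `evaluate([POLICY], ...)` against requests with and without a session reproduces the behaviour the procedure is meant to guarantee; passing an empty policy list shows the unprotected case.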