

Protect the Target Resource at the SP

After you configure a SAML 2.0 authentication scheme, use this scheme in a policy that protects the target resource at the Service Provider.

To protect the target resource

  1. From the System tab of the FSS Administrative UI, create a policy domain named Domain for IdP.demo Visitors.
  2. Define a Web Agent. In this deployment, the Agent is sp-webagent. This Agent protects the server on which the Web Agent Option Pack is installed.
  3. Associate sp-webagent with the Domain for IdP.demo Visitors so that it protects the realm in this domain.
  4. Add the user directory that holds the user user1.
  5. To the policy domain, add a persistent realm with the following components, then click OK to save it.
     Name: SP Target Page Protection Realm
     Agent: sp-webagent
     Resource Filter: the path to the target resource at the Service Provider web server. For this deployment, the resource filter is /spsample/protected.jsp
     Authentication Scheme: Partner IdP.demo Auth Scheme
     Default Resource Protection: Protected

  6. To the realm, add a rule with the following components, then click OK to save it.
     Name: SP Target Page Protection Rule
     Realm: SP Target Page Protection Realm
     Resource: *
     Web Agent Actions: Get
     Accept the defaults for all other fields.

  7. Add a policy with the following components, then click OK to save it.
     Name: SP Target Page Protection Policy
     Users: add user1 so that this user has access to the target
     Rules: add the SP Target Page Protection Rule
     SiteMinder now protects the target resource.

  8. Exit the Policy Server User Interface.
  9. Use HTML Pages to Test the Federation Set-up.

The protection policy for the target resource is complete.

Test SAML 2.0 Single Sign-on

To test single sign-on in a SiteMinder-to-SiteMinder network, use the web pages included with the sample application. You must have previously run the sample application script to access the web pages. If you do not run the sample application, use your own web pages to test single sign-on.

The sample application web pages are located in the following two folders:

policy_server_home/samples/federation/content/idpsample
policy_server_home/samples/federation/content/spsample

policy_server_home specifies the installed location of the SiteMinder Policy Server.

Important! If you have run the sample application, the idpsample and spsample folders are automatically copied into the document root directory of your web server.

If you use your own HTML page to test SP-initiated single sign-on, the HTML page must contain a hard-coded link to the AuthnRequest service. For this deployment, the sample link for POST binding is:

http://www.sp.demo:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo

The AuthnRequest Service redirects the user to the Identity Provider specified in the link to retrieve the authentication context of the user. After the Identity Provider authenticates the user and establishes a session, it directs the user back to the target resource at the Service Provider.

Note: The ProviderID in the AuthnRequest link must match the IdP ID field value specified in the SAML authentication scheme at the SP. The IdP ID field is on the Scheme Setup tab of the Authentication Scheme Properties dialog.

After you run the sample application, test single sign-on.

To test federated single sign-on

  1. Open a browser.
  2. Enter the URL for the web page that has links to trigger single sign-on.

    The following figure is the IdP.demo home page:

    [Graphic: IdP.demo home page]

    The following illustration is the SP.demo home page:

    [Graphic: SP.demo home page]

  3. Click on the SAML2 POST profile link.

    The following login challenge appears:

    Graphic showing a logon prompt page

  4. Using the login of an existing user in your user store, enter the user credentials. For example, if user1 is a user in the user store, enter the credentials for this user.

    If single sign-on is successful, the following welcome page appears:

    Graphic showing the Welcome Page for a demo site

  5. After you test single sign-on, you can Add Functionality to the Federation Deployment.
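The procedure above exercises the successful path only. Two checks a practitioner should run alongside it are that the hard-coded AuthnRequest link carries a ProviderID matching the IdP ID of the auth scheme (the Note above), and that /spsample/protected.jsp is not served to a browser that has no session, which confirms the Protected default of the realm. The script below is an added example, not part of this documentation or of the SiteMinder product; it assumes the IdP ID is exactly idp.demo and that a protected request without a session is answered with a redirect or a 401/403, and the comparison it performs is a plain string comparison.

```python
from urllib.parse import urlparse, parse_qs
import urllib.error
import urllib.request

# Values for this deployment (assumed to match the auth scheme configured at the SP).
EXPECTED_IDP_ID = "idp.demo"
AUTHNREQUEST_PATH = "/affwebservices/public/saml2authnrequest"
TARGET_URL = "http://www.sp.demo:81/spsample/protected.jsp"


def check_authnrequest_link(link, expected_idp_id=EXPECTED_IDP_ID):
    """Return a list of problems with a hard-coded AuthnRequest link (empty list = OK)."""
    problems = []
    parts = urlparse(link)
    if parts.path != AUTHNREQUEST_PATH:
        problems.append("path is not the AuthnRequest service: " + parts.path)
    provider = parse_qs(parts.query).get("ProviderID", [])
    if len(provider) != 1:
        problems.append("ProviderID is missing or given more than once")
    elif provider[0] != expected_idp_id:  # exact match, so IdP.demo != idp.demo
        problems.append("ProviderID %r does not match IdP ID %r" % (provider[0], expected_idp_id))
    return problems


def classify_unauthenticated_response(status, headers):
    """Classify what a GET of the target resource without a session returned.

    'protected'    - redirected (to the IdP or a login page) or access denied
    'unprotected'  - page served without a session: realm/rule/policy is wrong
    'inconclusive' - anything else (server error, wrong URL, ...)
    """
    if status in (301, 302, 303, 307) and headers.get("Location"):
        return "protected"
    if status in (401, 403):
        return "protected"
    if status == 200:
        return "unprotected"
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: the first response is what we want to classify.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_target(url=TARGET_URL):
    """Fetch the target with no session cookie and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return classify_unauthenticated_response(resp.status, resp.headers)
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx land here
        return classify_unauthenticated_response(err.code, err.headers)
```

Run probe_target() from a host that can reach www.sp.demo:81; anything other than "protected" means the realm or policy from the previous procedure needs another look.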