

Select the Artifact Binding at the IdP

For artifact single sign-on, enable the artifact binding.

To configure artifact single sign-on

  1. Log in to the FSS Administrative UI.
  2. From the Domains tab, expand Federation Sample Partners and select SAML Service Providers to display the Service Providers.
  3. Select sp.demo, then right-click to open its properties dialog.
  4. Select the SSO tab.
  5. Complete the following fields:
    Audience

    sp.demo

    This value must match the value at the Service Provider.

    Assertion Consumer Service

    http://www.sp.demo:81/affwebservices/public/saml2assertionconsumer
    
  6. Select the HTTP-Artifact check box.
  7. For the Artifact encoding, select URL.

    The artifact is added to a URL-encoded query string.

  8. Complete the password fields:
    Password

    smfederation

    Confirm Password

    smfederation

    The sp.demo uses this password to access the Federation Web Services application at the Identity Provider. This value must also match the value at the Service Provider.

  9. For the Authentication Level, Validity Duration, and AuthnContext Class Ref fields, accept the defaults.

    In a test environment, you can increase the Validity Duration value above 60, the default, if you see the following message in the Policy Server trace log:

    Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237) - current time (Fri Sep 09 17:28:33 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2005)
    
  10. Click OK.
  11. Add a CA Certificate to the Smkeydatabase at the SP.
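
The following Python script is an added example, not part of the original documentation or the product. It parses the Policy Server trace message quoted in step 9 and reports how many seconds past SessionNotOnOrAfter each assertion was received, which shows how large the gap is before you change the Validity Duration. The trace lines after the first one are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the first line is the message quoted in step 9;
# the remaining lines are made up to exercise the parser.
SAMPLE_TRACE = """\
Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237) - current time (Fri Sep 09 17:28:33 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2005)
Assertion rejected (_constructed0001) - current time (Fri Sep 09 18:02:10 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 17:57:05 EDT 2005)
Some unrelated trace line
Assertion rejected (_constructed0002) - current time (Fri Sep 09 18:05:00 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 22:04:30 UTC 2005)
"""

REJECT_RE = re.compile(
    r"Assertion rejected \((?P<id>[^)]+)\) - current time \((?P<now>[^)]+)\) "
    r"is after SessionNotOnOrAfter time \((?P<limit>[^)]+)\)"
)


def _split_zone(stamp):
    """Split 'Fri Sep 09 17:28:33 EDT 2005' into (naive datetime, 'EDT')."""
    parts = stamp.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected timestamp layout: {stamp!r}")
    zone = parts.pop(4)  # zone abbreviation sits between the time and the year
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y"), zone


def rejected_assertions(trace_text):
    """Yield (assertion_id, seconds_late) for each rejection line.

    seconds_late is None when the two timestamps carry different zone
    abbreviations: abbreviations are ambiguous, so a naive difference
    could be wrong and is not reported.
    """
    for m in REJECT_RE.finditer(trace_text):
        now, now_zone = _split_zone(m["now"])
        limit, limit_zone = _split_zone(m["limit"])
        same_zone = now_zone == limit_zone
        late = int((now - limit).total_seconds()) if same_zone else None
        yield m["id"], late


if __name__ == "__main__":
    for assertion_id, late in rejected_assertions(SAMPLE_TRACE):
        print(assertion_id, "zone mismatch" if late is None else f"{late}s late")
```
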