Previous Topic: Allow Access to Federation Web Services (Relying Party)Next Topic: Setup the SAML 1.x Assertion Generator File


Set-up the smkeydatabase for Artifact Single Sign-on (optional)

The smkeydatabase is a local flat-file key database that stores keys and certificates needed for PKI specific operations such as encryption, decryption, signing, verification and client authentication.

For artifact single sign-on, the key database at the asserting party holds the certificate of the certificate authority used to establish an SSL connection. The SSL connection secures the back channel that the assertion is sent across for artifact single sign-on.

A set of common root CAs are shipped in the default smkeydatabase. To use root CAs for web servers that are not in smkeydatabase, import these root CAs into the file.

To modify smkeydatabase, use the smkeytool utility.

Create Links to Initiate Single Sign-on (optional)

For SAML 2.0 and WS-Federation, if a user visits the relying party before visiting the asserting party, establish hard-coded links. The hard-coded links redirect the user to the asserting party to fetch the authentication context. This authentication context consists of the characteristics that enable the relying party to understand how the user was authenticated.

More Information:

Initiate SAML 2.0 Single Sign-on at the SP (optional)

Initiate WS-Federation Single Sign-on at the Resource Partner

Initiate SAML 2.0 Single Sign-on at the SP (optional)

If a user visits the Service Provider before visiting the Identity Provider, the Service Provider must redirect the user to the Identity Provider. At the Service Provider, create an HTML page that contains hard-coded links to the AuthnRequest Service. The AuthnRequest service, in turn, redirects the user to the Identity Provider to fetch the authentication context.

Note: The HTML page has to reside in an unprotected realm.

The hard-coded link that the user clicks at the Service Provider must contain certain query parameters. These parameters become part of an HTTP GET request to the AuthnRequest service. The AuthnRequest service is on the Policy Server at the Service Provider.

For SAML 2.0 (artifact or profile), the syntax for the link is:

http://SP_site/affwebservices/public/saml2authnrequest?ProviderID=IdP_ID

sp_server:port

Specifies the server and port number at the Service Provider hosting the Web Agent Option Pack or the SPS federation gateway.

IdP_ID

Specifies the identity that is assigned to the Identity Provider.

You can add the ProtocolBinding query parameter to this link depending on which bindings are enabled. For more information about configuring links at the Service Provider, see Set Up Links at the IdP or SP to Initiate Single Sign-on.

Note: You do not need to HTTP-encode the query parameters.

You can also create links at the Identity Provider.

More Information:

Set Up Links at the IdP or SP to Initiate Single Sign-on

Initiate WS-Federation Single Sign-on at the Resource Partner

If a user visits the Resource Partner before visiting the Account Partner, the Resource Partner must redirect the user to the Account Partner. Create an HTML page, such as a site selection page that contains links to Account Partners with which to authenticate. Upon selecting a link, the user is directed to the single sign-on service at the Account Partner.

Note: The site selection page has to reside in an unprotected realm.

The hard-coded link that the user clicks at the Resource Partner must contain certain query parameters. These parameters are part of an HTTP GET request to the Single Sign-on Service at the Policy Server of the Account Partner.

The syntax for the link is:

https://host:port/affwebservices/public/wsfedsso?wa=wsignin1.0&wtrealm=RP_ID

host:port

Indicates the server and port number where the single sign-on service resides

RP_ID

Specifies the Resource Partner identity

Note: You do not need to HTTP-encode the query parameters.