

Set up Affiliate Domains and Add Sites to these Domains

Before you set up Federation Web Services, you establish affiliate domains and add the sites that consume assertions to the affiliate domains. The affiliate domains identify the partners to the site generating the assertions.

Follow these steps:

  1. Access the FSS Administrative UI.
  2. Create an affiliate domain.
  3. Add a user store for the users for whom the asserting party generates assertions.
  4. Add an object for each relying party to the affiliate domain.

    There should be a one-to-one correspondence between each relying partner and each object added to the domain.

  5. After you add sites to an affiliate domain, verify that you protect the AuthenticationURL. This verification affirms that a user has a session at the asserting party before the asserting party processes a request for a federated resource.

    To do this task:

    1. Create a policy domain.
    2. Protect the policy domain with the Web Agent that protects the server where the Web Agent Option Pack is installed.
    3. To this policy domain, add a realm, rule, and policy that protects the Authentication URL.

More Information:

Add Entities to an Affiliate Domain

Authenticate Users with No SiteMinder Session (SAML 1.x)

Install a Web Agent or SPS Federation Gateway at the Asserting Party

The Web Agent is a required component in a SiteMinder federation network. Install a Web Agent on a web server or install an SPS federation gateway, which has an embedded web agent.

At the asserting party, set up the following components:

  1. Install one of the following components:
  2. For artifact single sign-on, SSL-enable the web server with the Web Agent installed or the system with the SPS federation gateway.

    If the SAML Affiliate Agent is the consumer, configure the SSL-enabled web server at the producer to ignore client certificates. The Web Agent is installed on this web server. If the web server is configured to accept client certificates, the affiliate server component of the SAML Affiliate Agent cannot communicate with the Web Agent.

Install an Application Server for the Web Agent Option Pack (Asserting Party)

If you are implementing Federation Security Services with a Web Agent and Web Agent Option Pack, install the Web Agent Option Pack. Install this component on a web or application server.

At the asserting party:

  1. Install one of the following servers to run Federation Web Services, the application that is installed with the Web Agent Option Pack.
  2. Deploy Federation Web Services on these systems.
  3. For artifact single sign-on, SSL-enable the web server where the Web Agent Option Pack is installed.

More Information:

Deploy Federation Web Services as a Web Application

Install the Asserting Party Web Agent Option Pack

The Web Agent Option Pack supplies the Federation Web Services application, which is a required component for SiteMinder Federation Security Services.

At the asserting party:

  1. Install the Web Agent Option Pack.

    For instructions, see the Web Agent Option Pack Guide.

  2. Verify that you installed a JDK. The Web Agent Option Pack requires a JDK.

    For the supported JDK version, log on to the Technical Support site and search for the SiteMinder Platform Support Matrix for the release.

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the Secure Proxy Server Administration Guide.

Configure Federation Web Services (Asserting Party)

The Federation Web Services application is installed on the server with the Web Agent Option Pack or the SPS federation gateway.

To configure Federation Web Services at the asserting party

  1. Configure one of the supported application servers to use the Web Agent Option Pack. Refer to the Web Agent Option Pack deployment instructions.

    On the SPS federation gateway, Federation Web Services is already deployed.

  2. Verify that the AgentConfigLocation parameter in the AffWebServices.properties file is set to the full path to the WebAgent.conf file. Be sure that the syntax is correct and the path appears on one line in the file.

    The AffWebServices.properties file contains the initialization parameters for Federation Web Services. This file is located in one of the following directories:

    web_agent_home

    Represents the installed location of the Web Agent

    sps_home

    Represents the installed location of the SPS federation gateway

  3. Enable error and trace logging for the Federation Web Services application. Enable logging in the LoggerConfig.properties file. The logs enable you to see the communication between the asserting party and the relying party.
  4. Test Federation Web Services by opening a web browser and entering the following link:

    http://fqhn:port_number/affwebservices/assertionretriever

    fqhn

    Defines the fully qualified host name.

    port_number

    Defines the port number of the server where the Federation Web Services application is installed.

    For example:

    http://myhost.ca.com:81/affwebservices/assertionretriever

    If Federation Web Services is operating correctly, you see the following message:

    Assertion Retrieval Service has been successfully initialized.
    The requested servlet accepts only HTTP POST requests.

    This message indicates that Federation Web Services is listening for data activity. If Federation Web Services is not operating correctly, you receive a message that the Assertion Retrieval Service has failed. If the test fails, look at the Federation Web Services log.
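As an added check that is not part of the SiteMinder documentation, the following shell script covers step 2 and step 4 offline: it confirms that AgentConfigLocation appears exactly once in AffWebServices.properties, on a single line (no trailing backslash continuation), and names an existing WebAgent.conf, and it matches a response body from the assertionretriever URL against the expected initialization message. The properties files and paths are constructed temporary files; the live curl line is an assumption and is left commented out.

```shell
# Constructed sample files (not the product's real files) in a temp directory
FWS_TMP=$(mktemp -d)
FWS_WA_CONF="$FWS_TMP/WebAgent.conf"
printf 'AgentName="fedagent"\n' > "$FWS_WA_CONF"
FWS_PROPS="$FWS_TMP/AffWebServices.properties"
printf '# constructed sample\nAgentConfigLocation=%s\n' "$FWS_WA_CONF" > "$FWS_PROPS"
# Constructed bad sample: the path is split across two lines with a backslash
FWS_BAD_PROPS="$FWS_TMP/AffWebServices.bad.properties"
printf 'AgentConfigLocation=%s\\\n  WebAgent.conf\n' "$FWS_TMP/" > "$FWS_BAD_PROPS"

# Step 2 check: returns 0 when AgentConfigLocation is present exactly once,
# is not continued onto a second line, and points to a readable file.
check_agent_config_location() {
    fws_props="$1"
    fws_count=$(grep -c '^AgentConfigLocation=' "$fws_props" || true)
    if [ "$fws_count" -ne 1 ]; then
        echo "expected exactly one AgentConfigLocation line, found $fws_count"
        return 1
    fi
    fws_line=$(grep '^AgentConfigLocation=' "$fws_props")
    case "$fws_line" in
        *\\) echo "AgentConfigLocation is continued onto a second line"; return 1 ;;
    esac
    fws_path=${fws_line#AgentConfigLocation=}
    if [ ! -r "$fws_path" ]; then
        echo "WebAgent.conf not found at: $fws_path"
        return 1
    fi
    echo "AgentConfigLocation OK: $fws_path"
}

# Step 4 check: returns 0 only when the response body carries the
# initialization message the documentation expects from the servlet.
check_assertion_retriever_response() {
    fws_body="$1"
    case "$fws_body" in
        *"Assertion Retrieval Service has been successfully initialized"*) return 0 ;;
        *"Assertion Retrieval Service has failed"*)
            echo "Federation Web Services reports failure; check the FWS log"; return 1 ;;
        *) echo "unexpected response body"; return 1 ;;
    esac
}

# Live probe (network, assumed host and port; uncomment to use):
# check_assertion_retriever_response "$(curl -s http://fqhn:port_number/affwebservices/assertionretriever)"
```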