

Enable the Signing of SAML POST Responses

To sign SAML POST responses, which is required by the SAML specification, add a private key and certificate to the SiteMinder key database file, smkeydatabase.
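Once signing is enabled, a practitioner will want to confirm that the responses the producer emits actually carry a signature bound to the Response element. The following Python check is an added example, not part of the SiteMinder documentation: it inspects a captured SAML 1.x Response and reports whether a ds:Signature is present as a direct child of samlp:Response and whether its Reference URI points at that Response's own ResponseID. The sample messages are constructed, with placeholder digest and signature values; the check is structural only and does not replace cryptographic verification with an XML-DSig library.

```python
# Added example: a structural check that a SAML 1.x POST Response is signed.
# Not part of the SiteMinder documentation; the sample messages below are
# constructed and their DigestValue/SignatureValue contents are placeholders.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",  # SAML 1.0/1.1 protocol
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_response_signature(xml_text):
    """Return (ok, reason) for a SAML 1.x samlp:Response document.

    ok is True only when a ds:Signature is a direct child of the Response and
    its ds:Reference URI points at the Response's own ResponseID. This does
    not verify the signature value itself; hand the document to an XML-DSig
    library for that step.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "root element is not samlp:Response"
    response_id = root.get("ResponseID")
    if not response_id:
        return False, "Response has no ResponseID"
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return False, "Response is not signed"
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        return False, "Signature has no Reference"
    uri = ref.get("URI", "")
    if uri != f"#{response_id}":
        return False, f"Signature Reference {uri!r} does not cover the Response"
    return True, "Response is signed and the signature covers the Response"


def _response(response_id, signature_ref=None):
    """Build a constructed sample Response; signature_ref=None leaves it unsigned."""
    signature = ""
    if signature_ref is not None:
        signature = (
            "<ds:Signature><ds:SignedInfo>"
            f'<ds:Reference URI="{signature_ref}">'
            "<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>"
            "</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
            "</ds:Signature>"
        )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}" '
        f'ResponseID="{response_id}" MajorVersion="1" MinorVersion="1" '
        'IssueInstant="2024-01-01T00:00:00Z">'
        f"{signature}"
        '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
        "</samlp:Response>"
    )


# Constructed samples: signed correctly, unsigned, and signed over the wrong ID.
SIGNED_RESPONSE = _response("_resp-1", signature_ref="#_resp-1")
UNSIGNED_RESPONSE = _response("_resp-2")
MISBOUND_RESPONSE = _response("_resp-3", signature_ref="#_other")

if __name__ == "__main__":
    for label, doc in [("signed", SIGNED_RESPONSE),
                       ("unsigned", UNSIGNED_RESPONSE),
                       ("misbound", MISBOUND_RESPONSE)]:
        print(label, check_response_signature(doc))
```

Run against responses captured from the producer after the key and certificate have been added; an unsigned result, or a Reference that points anywhere other than the Response's own ResponseID, indicates the signing configuration has not taken effect as intended.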

Create Links to Target Resources (optional)

Go to one of the following:

Initiate SAML 1.x Single Sign-On at the Producer

At the SAML 1.x producer, create pages that contain links that direct the user to the consumer site. Each link represents an intersite transfer URL. When the user visits the intersite transfer URL, the browser sends a request to the producer-side Web Agent, which then redirects the user to the consumer site.

The link that the user selects at the producer must contain certain query parameters. These parameters are part of an HTTP GET request to the producer Web Agent.

For the SAML artifact profile, the syntax for the intersite transfer URL is:

http://producer_site/affwebservices/public/intersitetransfer?SMASSERTIONREF=QUERY&NAME=affiliate_name&TARGET=http://consumer_site/target_url?query_parameter_name%3Dquery_parameter_value%26query_parameter_name%3Dquery_parameter_value&SMCONSUMERURL=http://consumer_site/affwebservices/public/samlcc&AUTHREQUIREMENT=2

Query parameters that belong to the TARGET value are URL-encoded (%3D for = and %26 for &) so that they are not interpreted as part of the intersite transfer URL's own query string.

producer_site

Specifies the server and port number of the producer-side system hosting the Web Agent Option Pack or the SPS federation gateway, depending on which components are installed in your federation network.

consumer_site

Specifies the server and port number of the consumer-side system hosting the Web Agent Option Pack or the SPS federation gateway, depending on which components are installed in your federation network.

For the SAML POST profile, the syntax for the intersite transfer URL is:

http://producer_site/affwebservices/public/intersitetransfer?SMASSERTIONREF=QUERY&NAME=affiliate_name&TARGET=http://consumer_site/target_url

producer_site

Specifies the server and port number of the producer-side system hosting the Web Agent Option Pack or the SPS federation gateway, depending on which components are installed in your federation network.

consumer_site

Specifies the server and port number of the consumer-side system hosting the Web Agent Option Pack or the SPS federation gateway, depending on which components are installed in your federation network.

Note: The SAML POST profile does not use the SMCONSUMERURL and AUTHREQUIREMENT parameters. However, if you include one of them in the intersite transfer URL, include the other as well.
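As an added example (Python, not from the SiteMinder documentation), the builder below assembles the intersite transfer URL for either profile and shows why the nested query string of TARGET must be percent-encoded as the %3D and %26 escapes in the syntax above indicate: parsed back the way the producer Web Agent would see it, the encoded form round-trips intact, while the unencoded form is cut at the first & and its trailing parameters leak into the outer query string. The host names and affiliate name are constructed placeholders.

```python
# Added example: build and check a SAML 1.x intersite transfer URL.
# Not from the SiteMinder documentation; hosts and the affiliate name below
# are constructed placeholders for producer_site / consumer_site / affiliate_name.
from urllib.parse import parse_qs, quote, urlsplit

PRODUCER_SITE = "producer.example.com"   # constructed placeholder
CONSUMER_SITE = "consumer.example.com"   # constructed placeholder

# Characters left unescaped inside a query-string value. '=' and '&' are
# deliberately NOT in this set, so a nested query string survives intact.
_SAFE_IN_VALUE = ":/?"


def build_intersite_transfer_url(producer_site, affiliate_name, target,
                                 profile="artifact", consumer_site=None,
                                 auth_requirement=2):
    """Return the intersite transfer URL for the given profile.

    'artifact' appends SMCONSUMERURL and AUTHREQUIREMENT; 'post' omits both,
    since the POST profile does not use them.
    """
    if profile not in ("artifact", "post"):
        raise ValueError("profile must be 'artifact' or 'post'")
    params = [
        ("SMASSERTIONREF", "QUERY"),
        ("NAME", affiliate_name),
        ("TARGET", target),
    ]
    if profile == "artifact":
        if not consumer_site:
            raise ValueError("the artifact profile needs consumer_site")
        params.append(("SMCONSUMERURL",
                       f"http://{consumer_site}/affwebservices/public/samlcc"))
        params.append(("AUTHREQUIREMENT", str(auth_requirement)))
    # quote() turns '=' into %3D and '&' into %26 inside each value.
    query = "&".join(f"{name}={quote(value, safe=_SAFE_IN_VALUE)}"
                     for name, value in params)
    return f"http://{producer_site}/affwebservices/public/intersitetransfer?{query}"


def naive_intersite_transfer_url(producer_site, affiliate_name, target):
    """The same link built WITHOUT encoding TARGET, to show the failure mode."""
    return (f"http://{producer_site}/affwebservices/public/intersitetransfer"
            f"?SMASSERTIONREF=QUERY&NAME={affiliate_name}&TARGET={target}")


def outer_query(url):
    """Parse the query string the way the producer-side Web Agent receives it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    target = f"http://{CONSUMER_SITE}/portal/home?dept=eng&lang=en"
    good = build_intersite_transfer_url(PRODUCER_SITE, "acme_consumer", target,
                                        profile="artifact",
                                        consumer_site=CONSUMER_SITE)
    bad = naive_intersite_transfer_url(PRODUCER_SITE, "acme_consumer", target)
    print(good)
    print("encoded TARGET round-trips:", outer_query(good)["TARGET"] == [target])
    print("naive TARGET is truncated to:", outer_query(bad)["TARGET"][0])
    print("naive link leaks extra outer parameter:", "lang" in outer_query(bad))
```

The encoding matters beyond correctness: when the consumer's own parameters spill into the producer's query string, the consumer receives a TARGET it did not expect and the producer receives parameters it never defined, so always build the link from its parts rather than by string concatenation.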

More Information:

Creating Links to Consumer Resources for Single Sign-on

Initiate SAML 2.0 Single Sign-On at the Identity Provider

If a user visits the Identity Provider before going to the Service Provider (POST or artifact binding), initiate an unsolicited response at the Identity Provider. To initiate an unsolicited response, the Federation Web Services application and the assertion generator accept an HTTP GET request with a query parameter. This query parameter indicates the Service Provider ID for which the IdP generates the response.

For the SAML 2.0 artifact or POST profile, the syntax for the link is:

http://IdP_server:port/affwebservices/public/saml2sso?SPID=SP_ID

IdP_server:port

Identifies the web server and port hosting the Web Agent Option Pack or the SPS federation gateway.

SP_ID

The Service Provider ID value.

Add the ProtocolBinding query parameter to this link depending on which bindings are enabled.

Note: You do not need to URL-encode the query parameters.

You can also initiate single sign-on at the Service Provider.

More Information:

Set Up Links at the IdP or SP to Initiate Single Sign-on

Unsolicited Response Query Parameters Used by a SiteMinder IdP

Initiate WS-Federation Single Sign-on at the Account Partner

To initiate WS-Federation single sign-on, a user clicks a hard-coded HTML link on a page. This link directs the user's browser to the single sign-on service at the Account Partner, which then redirects the user to the Resource Partner.

The link that initiates single sign-on can be included at any site, but it must always first direct the user to the Account Partner.

The syntax for the link is:

https://AP_server:port/affwebservices/public/wsfedsso?wa=wsignin1.0&wtrealm=RP_ID

AP_server:port

Specifies the server and port number of the system at the Account Partner. This system hosts the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.

RP_ID

The Resource Partner ID value.

Note: You do not need to URL-encode the query parameters.