

Configure the WS-Federation Authentication Scheme

The configuration of the WS-Federation authentication scheme provides information about the Account Partner that generates the assertion for the Resource Partner and instructs how the Resource Partner supports the authentication process.

To configure the common setup and scheme setup

  1. Complete the authentication scheme prerequisites.
  2. Log in to the FSS Administrative UI.
  3. From the menu bar, select Edit, System Configuration, Create Authentication Scheme.

    The Authentication Scheme Properties dialog opens.

  4. From the Authentication Scheme Type drop-down list, select WS-Federation Template.

    The contents of the SiteMinder Authentication Scheme dialog change for the scheme.

  5. Configure the scheme common setup section by entering values for the fields.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  6. Configure the scheme setup by entering values for the following fields:
  7. Verify that the Disable Signature Processing option is set appropriately for single sign-on.

    Important! For debugging purposes only, you can temporarily disable all signature processing (both signing and verification of signatures) by enabling the Disable Signature Processing option.

After you configure an authentication scheme, associate the scheme with a realm that contains the resource you want to protect.

More Information:

How To Protect a Target Resource with a WS-Federation Authentication Scheme

Locate User Records for Authentication

When you configure an authentication scheme, you define a way for the authentication scheme to look up a user in the local user store. After the correct user is located, the system generates a session for that user. Locating the user in the user store is the process of disambiguation. How SiteMinder disambiguates a user depends on the configuration of the authentication scheme.

For successful disambiguation, the authentication scheme first determines a LoginID from the assertion. By default, the LoginID is extracted from the Name ID value in the assertion. You can also obtain the LoginID by specifying an XPath query.

After the authentication scheme determines the LoginID, SiteMinder checks whether a search specification is configured for the authentication scheme. If no search specification is defined for the authentication scheme, the LoginID is passed to the Policy Server. The Policy Server uses the LoginID together with the user store search specification to locate the user. For example, if the LoginID value is Username and the LDAP search specification is set to the uid attribute, the Policy Server searches for the user whose uid attribute equals Username (uid=Username).

If a search specification is configured for the authentication scheme, the LoginID is not passed to the Policy Server. Instead, the search specification is used to locate a user.

The disambiguation process involves two steps:

  1. Obtain the LoginID by the default behavior or by using an XPath query.
  2. Locate the user in the user store by the default behavior or with a search specification.

Note: Both the XPath query and the search specification are optional.
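The two disambiguation steps above, as an added illustration that is not SiteMinder's own code: step 1 takes the LoginID from the assertion's NameIdentifier by default or from an XPath query, and step 2 builds the user store lookup either from the user store attribute or from a scheme search specification. The assertion, the attribute names and the search specification format (an LDAP filter with a %s placeholder for the LoginID) are constructed assumptions; the LoginID is escaped because it originates from the Account Partner, not from the local store.

```python
import xml.etree.ElementTree as ET

# Namespace of the SAML 1.1 assertions carried in WS-Federation tokens.
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion for illustration; not a real token.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AuthenticationStatement>
    <saml:Subject><saml:NameIdentifier>jsmith</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="mail">
      <saml:AttributeValue>jsmith@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def determine_login_id(assertion_xml, xpath=None):
    """Step 1: LoginID from NameIdentifier (default) or from an XPath query."""
    root = ET.fromstring(assertion_xml)
    node = root.find(xpath or ".//saml:NameIdentifier", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("LoginID not found in assertion")
    return node.text.strip()


def escape_ldap_value(value):
    """RFC 4515 filter escaping: the LoginID is remote-party input, so never
    splice it into a filter unescaped."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_search_filter(login_id, user_store_attr="uid", search_spec=None):
    """Step 2: default lookup (user store attribute = LoginID), or the scheme's
    search specification. Assumed format for the specification: an LDAP filter
    containing a %s placeholder that receives the LoginID."""
    safe = escape_ldap_value(login_id)
    if search_spec is None:
        return "(%s=%s)" % (user_store_attr, safe)
    return search_spec.replace("%s", safe)


if __name__ == "__main__":
    login_id = determine_login_id(SAMPLE_ASSERTION)
    print(build_search_filter(login_id))  # (uid=jsmith)
    mail_query = ".//saml:Attribute[@AttributeName='mail']/saml:AttributeValue"
    print(build_search_filter(determine_login_id(SAMPLE_ASSERTION, mail_query),
                              search_spec="(mail=%s)"))  # (mail=jsmith@example.com)
```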