

Enable Identity Provider Discovery Profile (optional)

For federated networks that have more than one IdP generating assertions, the Identity Provider Discovery profile enables users to select a specific IdP for authentication.

To enable the Identity Provider Discovery Profile

  1. Log on to the FSS Administrative UI.
  2. Open the Service Provider Properties dialog for the SP you want to modify.
  3. Select the IPD tab.

    The Identity Provider Discovery settings display.

  4. Select the Enable checkbox.

    The fields in the dialog become active.

  5. Fill in the necessary fields and click OK.

    Note: Set the Service URL field to the Identity Provider Discovery Profile servlet, which is:

    https://host:port/affwebservices/public/saml2ipd

Securing the IdP Discovery Target Against Attacks

When the SiteMinder Identity Provider Discovery Service receives a request for the common domain cookie, the request includes a query parameter named IPDTarget. This query parameter specifies the URL to which the Discovery Service redirects after it processes the request.

For an IdP, the IPDTarget is the SAML 2.0 Single Sign-on service. For an SP, the target is the requesting application that wants to use the common domain cookie.

We recommend protecting the IPDTarget query parameter against security attacks. An unauthorized user can place any URL in this query parameter. The URL can cause a redirection to a malicious site.

To protect the query parameter against an attack, configure the Agent Configuration Object setting ValidFedTargetDomain. The ValidFedTargetDomain parameter lists all valid domains for your federated environment.

Note: The ValidFedTargetDomain setting is similar to the ValidTargetDomain setting that the Web Agent uses, but this setting is defined specifically for federation.

The IPD Service examines the IPDTarget query parameter. The service obtains the domain of the URL that the query parameter specifies. The IPD Service compares this domain to the list of domains specified in the ValidFedTargetDomain parameter. If the URL domain matches one of the configured domains in the ValidFedTargetDomain, the IPD Service redirects the user to the designated URL.

If there is no domain match, the IPD Service denies the user request and they receive a 403 Forbidden in the browser. Additionally, errors are reported in the FWS trace log and the affwebservices log. These messages indicate that the domain of the IPDTarget is not defined as a valid federation target domain.

If you do not configure the ValidFedTargetDomain setting, the service redirects the user to the target URL without performing any validation.
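The following Python models the IPDTarget check described above as an added illustration; it is not SiteMinder's own code. The ValidFedTargetDomain values are constructed, and treating a configured entry as matching the host itself or any of its subdomains is an assumption, since the page does not state the product's exact matching rules.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list standing in for the ValidFedTargetDomain ACO setting.
VALID_FED_TARGET_DOMAINS = ("example.com", "partner-idp.net")


def target_domain(url):
    """Return the lowercase host of an absolute http(s) URL, or None if unusable.

    urlsplit().hostname strips userinfo and port, so a URL such as
    https://example.com@other.test/ yields 'other.test', not 'example.com'.
    Scheme-relative ('//host/...') and non-http URLs are rejected outright.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not host:
        return None
    return host.lower()


def is_valid_fed_target(url, valid_domains=VALID_FED_TARGET_DOMAINS):
    """True if the URL's domain matches a configured domain (or is a subdomain
    of one; the subdomain rule is this example's assumption)."""
    host = target_domain(url)
    if host is None:
        return False
    for domain in valid_domains:
        domain = domain.lower().strip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def handle_ipd_request(query_string, valid_domains=VALID_FED_TARGET_DOMAINS):
    """Decide the IPD Service's response to a request carrying IPDTarget.

    Returns (http_status, redirect_location, log_message). With no domains
    configured the redirect is performed without validation, as the text notes.
    """
    target = parse_qs(query_string).get("IPDTarget", [""])[0]
    if not valid_domains:
        return (302, target, "ValidFedTargetDomain not set; redirecting unvalidated")
    if is_valid_fed_target(target, valid_domains):
        return (302, target, "IPDTarget domain is a valid federation target domain")
    return (403, None, "domain of IPDTarget %r is not a valid federation target domain" % target)
```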

More information:

Solution 7: Identity Provider Discovery Profile (SAML 2.0)

Encrypt a NameID and an Assertion

You can encrypt the Name ID in an assertion or the assertion itself. Encryption adds another level of protection when transmitting the assertion.

When you configure encryption, specify the partner certificate. The certificate is in the assertion. When the assertion arrives at the Service Provider, the Service Provider decrypts the encrypted data using the associated private key.

Note: If you enable encryption, the first federation call can cause Policy Server memory use to increase, because the server loads the encryption libraries and allocates additional memory at that point.