Previous Topic: Authentication Users with no SiteMinder Session (SAML 2.0)Next Topic: Configure Single Sign-on for SAML 2.0


Create a Policy to Protect the Authentication URL

To create a policy to protect the AuthenticationURL

  1. Open the FSS Administrative UI.
  2. From the System tab, create Web Agents to bind to the realms that you define for the producer-side Web Server. You can assign unique Agent names for the Web Server and the Federation Web Services or use the same Agent name for both.
  3. Create a policy domain for the users who should be challenged when they try to access a consumer resource.
  4. From the Users tab, select the users that should have access to the resources that are part of the policy domain.
  5. Define a realm for the policy domain with the following values:
    1. Agent: select the Agent for the producer Web Server
    2. Resource Filter:

      Web Agents v5.x QMR 4 and later, and SPS federation gateway enter:

      /siteminderagent/redirectjsp/

      Web Agents v5.x QMR 1, 2, or 3, enter:

      /affwebservices/redirectjsp/

      The resource filter /siteminderagent/redirectjsp/ is an alias, set up automatically by FWS. It is a reference to the following:

      • For a Web Agent:

        web_agent_home/affwebservices/redirectjsp

      • For the SPS federation gateway:

        sps_home/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp

    3. For the remaining settings, accept the defaults or modify as needed.
  6. For SAML artifact only, select the Session tab and check the Persistent Session check box.

    To enable single sign-on using the SAML artifact profile from a realm at the producer to a realm at the consumer, configure a persistent session for the producer realm. If you do not configure a persistent session, the user cannot access consumer resources.

  7. Click OK to save the realm.
  8. Create a rule for the realm. In the Resource field, accept the default value, the asterisk (*), to protect all resources for the realm.
  9. Create a policy for the producer Web Server that includes the rule created in the previous step.
  10. Complete the task in Select Users for Which Assertions Will Be Generated.