

Customizing SAML 2.0 Assertion Responses

You can implement your own business logic in addition to the standard SAML authentication processing using the Message Consumer Plug-in. This plug-in lets you further manipulate a SAML 2.0 assertion response, which is part of the SAML 2.0 authentication processing.

The Message Consumer Plug-in is a SiteMinder Java program that implements the SAML 2.0 Message Consumer Extension API. The plug-in is integrated through settings provided by the SAML 2.0 authentication scheme.

Federation Web Services Application

A component installed by the Web Agent Option Pack that supports assertion retrieval, session synchronization and notification alerts at the asserting party. At the relying party, these services collect assertions.

SAML 1.x Artifact and POST Profiles

For the SAML 1.x artifact and POST profiles, the Federation Web Services application uses the following services:

Assertion Retrieval Service (SAML 1.x Artifact only)

A producer-side component. This service handles a SAML request for the assertion that corresponds to a SAML artifact by retrieving the assertion from the SiteMinder session store. The SAML specification defines the assertion retrieval request and response behavior.

Note: Only the SAML artifact profile uses the assertion retrieval service.

Session Synchronization (SAML 1.x)

A producer-side component that validates and terminates sessions for the SAML Affiliate Agent (a SiteMinder value-added service, which uses a standards-based SOAP RPC mechanism).

Notification Alert (SAML 1.x)

A producer-side component that logs resource access notification events for the SAML Affiliate Agent (a SiteMinder value-added service, which uses a standards-based SOAP RPC mechanism).

SAML Credential Collector (SAML 1.x)

A consumer-side component that receives a SAML artifact or an HTTP form with an embedded SAML response and obtains the corresponding SAML assertion. The credential collector issues SiteMinder cookies to the user's browser.

Intersite Transfer Service (SAML 1.x)

A producer-side component for the SAML POST profile. The intersite transfer service transfers a user from the producer site to a consumer site. For the SAML artifact profile, the Web Agent performs the same function as the intersite transfer service.

SAML 2.0 Artifact and POST Profiles

For SAML 2.0 artifact and POST profiles, the Federation Web Services application uses the following services:

Artifact Resolution Service (SAML 2.0 Artifact only)

An Identity Provider-side service that supports SAML 2.0 authentication using the HTTP-Artifact binding. This service retrieves the assertion stored in the SiteMinder session store at the Identity Provider.

Note: Only the HTTP-artifact binding uses the artifact resolution service.

Assertion Consumer Service (SAML 2.0)

A Service Provider component that receives a SAML artifact or an HTTP form with an embedded SAML response and obtains the corresponding SAML assertion. The Assertion Consumer Service issues SiteMinder cookies to a browser.

Note: The Assertion Consumer Service accepts an AuthnRequest with an AssertionConsumerServiceIndex value of 0. All other values for this setting are denied.

AuthnRequest Service (SAML 2.0)

This service is deployed for use by SAML 2.0. A Service Provider can generate an <AuthnRequest> message to authenticate a user for cross-domain single sign-on. This message contains information that enables the Federation Web Services application to redirect the browser to the single sign-on service at the Identity Provider. The AuthnRequest service is used for POST and Artifact single sign-on.
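The following is an added example, not SiteMinder code: it parses a SAML 2.0 AuthnRequest the way a consumer-side service would before acting on it, pulling out the Issuer, the protocol binding, and the AssertionConsumerServiceIndex, and applies the rule stated in the Assertion Consumer Service note above (index 0 accepted, every other value denied). The sample requests and the issuer URL are constructed; treating an absent index as "not supplied, falls back to the default endpoint" is this example's assumption, not something the page states.

```python
# Added example (not SiteMinder code). Parses a SAML 2.0 AuthnRequest and
# enforces the page's rule: AssertionConsumerServiceIndex must be 0.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample requests (issuer and IDs are made up).
REQ_INDEX_0 = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceIndex="0" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com/saml</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
REQ_INDEX_1 = REQ_INDEX_0.replace('AssertionConsumerServiceIndex="0"',
                                  'AssertionConsumerServiceIndex="1"')
REQ_NO_INDEX = REQ_INDEX_0.replace('AssertionConsumerServiceIndex="0" ', '')


def parse_authn_request(xml_text: str) -> dict:
    """Return the fields a consumer-side service needs to route the request.

    ElementTree's expat parser does not resolve external entities, so the
    usual XXE concern with untrusted SAML XML does not apply here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a SAML 2.0 AuthnRequest: {root.tag}")
    if root.get("Version") != "2.0":
        raise ValueError(f"unsupported SAML version: {root.get('Version')}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "binding": root.get("ProtocolBinding"),
        "acs_index": root.get("AssertionConsumerServiceIndex"),
    }


def acs_index_allowed(req: dict) -> bool:
    """Page rule: only AssertionConsumerServiceIndex 0 is accepted.

    Assumption for this example: an absent index means the requester did not
    ask for a specific endpoint, so the default (index 0) applies.
    """
    idx = req["acs_index"]
    return idx is None or idx.strip() == "0"
```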

Single Sign-on Service (SAML 2.0)

The single sign-on service enables an Identity Provider to process AuthnRequest messages. The service also invokes the assertion generator to create an assertion that is sent to the Service Provider.

Single Logout Service (SAML 2.0)

This service implements processing of single logout functionality, which an Identity Provider or a Service Provider can initiate.

Identity Provider Discovery Service (SAML 2.0)

Implements SAML 2.0 Identity Provider Discovery Profile and sets and retrieves the common domain cookie. An IdP requests to set the common domain cookie after authenticating a principal. An SP requests to obtain the common domain cookie to discover which Identity Provider a principal is using.

WS-Federation Passive Requestor Profile

For the WS-Federation Passive Requestor profile, the Federation Web Services application uses the following services:

Note: WS-Federation is only available with Federation Security Services.

Security Token Consumer Service

A Resource Partner component that receives a security token and extracts the corresponding SAML assertion. The Security Token Consumer Service issues SiteMinder cookies to a browser.

Single Sign-on Service

Enables an Account Partner to process a wsignin message and gather the necessary Resource Partner information to authenticate the user. This service also invokes the assertion generator to create an assertion that is sent to the Resource Partner.

Signout Service

Implements processing of single logout functionality by way of a signout servlet. An Account Partner or a Resource Partner can initiate signout.

SAML Affiliate Agent

The SAML Affiliate Agent enables businesses using the Policy Server and Web Agent to act as a main portal and share security and customer profile information with affiliated partners. The affiliated partners use only the SAML Affiliate Agent.

Note: The SAML Affiliate Agent supports only SAML 1.0 and is not FIPS-compatible.

The SAML Affiliate Agent is a stand-alone component. This agent provides single sign-on and session management capabilities to a third-party consumer. The consumer, or affiliate, does not maintain identities for users at the producer, or portal, site. The affiliate site can determine that the user has been registered at the portal site, and optionally, that the user has an active SiteMinder session at the portal site. Based on the affiliate policies at the portal, information can be passed to the affiliate and set as cookies or header variables for the affiliate web server.

For more information about the SAML Affiliate Agent, see the SiteMinder SAML Affiliate Agent Guide.