Previous Topic: Define Indexed Endpoints for Different Single Sign-on BindingsNext Topic: Determine Digital Signing Options

Federation Security Services GuideConfigure SiteMinder as a SAML 2.0 Identity ProviderConfigure Single Sign-on for SAML 2.0Define Indexed Endpoints for Different Single Sign-on BindingsConfigure Indexed Endpoints for the Assertion Consumer Service

Configure Indexed Endpoints for the Assertion Consumer Service

When the single sign-on service extracts an ACS Index value from a Service Provider's AuthnRequest, it compares the index value to its list of index entries and determines the Assertion Consumer Service URL associated with that index value. The single sign-on service then knows where to send the assertion or artifact, depending on the binding associated with the index value.

To configure index entries at the Identity Provider

  1. Log in to the FSS Administrative UI.
  2. Display the list of domains and from the Affiliate domain, select the Service Provider you want to configure.

    The SAML Service Provider Properties dialog opens.

  3. Select the SSO tab.
  4. Click the ellipses button at the end of the Assertion Consumer Service field.

    The Assertion Consumer Service dialog opens.

  5. Click on Add to define an index entry.

    The Add Assertion Consumer Service dialog opens.

  6. Complete the following required fields:

    Note: You can use different index values assigned to the same Assertion Consumer Service URL.

  7. Click OK to save your changes.

Note: Remember to configure index entries in the SAML 2.0 authentication scheme at the Service Provider.

Enforce the Authentication Scheme Protection Level for SSO

When a user requests a federated resource, they must have a SiteMinder session. If a user does not have a SiteMinder session, the user is redirected to the Authentication URL to establish a session. The authentication scheme protecting the Authentication URL is configured with a particular protection level. This protection level must be the same or greater than the authentication level you configure for the SAML Service Provider configuration.

If the protection level for the Authentication URL is less than the Authentication Level set in the Administrative UI, SiteMinder does not generate an assertion.