Define Indexed Endpoints for Different Single Sign-on Bindings
You can configure indexed endpoints for federated communication. An indexed endpoint is the site where assertions are consumed. In the context of SiteMinder, this endpoint is the Service Provider where the Assertion Consumer Service resides.
Each endpoint you configure is assigned a unique index value, instead of a single, explicit reference to an Assertion Consumer Service URL. The assigned index is added to the assertion request that the Service Provider sends to the Identity Provider.
You can configure indexed endpoints for a SiteMinder Service Provider that has a federated relationship with a third-party Identity Provider that supports indexed endpoints. You can also configure different protocol bindings (artifact, POST) for the Assertion Consumer Service by assigning more than one endpoint to the service.
Note: If your network contains different SiteMinder versions, for example, the Service Provider is r12.0 SP2 and the Identity Provider is r12.0 SP3, you cannot configure indexed endpoints. Configure only one Assertion Consumer Service for both HTTP bindings.
The following figure shows a network that benefits from indexed endpoints.
Indexed Endpoints Flow Diagram
The following illustration shows how single sign-on works using an indexed endpoint.
Note: The Web Agent Option Pack or the SPS federation gateway can provide the FWS functionality.
Using indexed endpoints, the sequence of events is as follows:
- The user selects a link to authenticate with a specific IdP. Because the index feature is enabled, the link carries the IdP ID and the AssertionConsumerServiceIndex as query parameters.
- The SP Federation Web Services (FWS) application asks for an AuthnRequest from its local Policy Server. The request that it sends includes the IdP ID and optionally, the AssertionConsumerServiceIndex and ForceAuthn query parameters.
A protocol binding is not part of the request because the ACS Index and the Protocol Binding parameters are mutually exclusive. The AssertionConsumerServiceIndex is already associated with a binding so there is no need to specify a Protocol Binding value. If the protocol binding and the AssertionConsumerServiceIndex are passed as query parameters, the local Policy Server responds with an error denying the request.
- The AuthnRequest service extracts the IdP information from the SP Policy Server and generates the AuthnRequest message, which includes the AssertionConsumerServiceIndex. Because the AssertionConsumerServiceIndex is one of the query parameters, its value is verified against the indexed endpoints in the IdP descriptor document (the IdP metadata), which the IdP sent to the SP beforehand.
The AuthnRequest service reacts as follows:
- If an index for the artifact binding is set in the IdP metadata, that index is compared to the AssertionConsumerServiceIndex value. If the values match, the index value remains part of the AuthnRequest. If the values do not match, the AuthnRequest service checks whether the AssertionConsumerServiceIndex corresponds instead to the POST binding in the IdP metadata.
- If the IdP metadata defines an index for the HTTP-POST binding, that index value is compared with the AssertionConsumerServiceIndex in the AuthnRequest. If the AssertionConsumerServiceIndex parameter does not match the POST binding index either, the AuthnRequest service generates an error. The error states that the AssertionConsumerServiceIndex does not match the index in the IdP metadata.
- Assuming that the IdP metadata index and AssertionConsumerServiceIndex values match, the SP Policy Server generates the AuthnRequest.
- The SP Policy Server returns the AuthnRequest in an HTTP-redirect binding.
- The SP FWS application redirects the AuthnRequest to the single sign-on service at the IdP. The SP knows the URL of the single sign-on service because the URL is part of the configuration information in the AuthnRequest.
- The browser requests the single sign-on service.
- The single sign-on service extracts the AssertionConsumerServiceIndex value from the AuthnRequest. The service determines the Assertion Consumer Service URL using the AssertionConsumerServiceIndex. If the Index is not in the metadata, the service generates an error. The error message indicates that an invalid AssertionConsumerServiceIndex is in the AuthnRequest message.
The single sign-on service then uses the resolved Assertion Consumer Service URL to send the assertion or the artifact to the SP, depending on the single sign-on profile in use.
Note: If the AssertionConsumerServiceIndex parameter is not in the AuthnRequest, the value of the Assertion Consumer Service and the corresponding binding are used by default.
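The sequence above amounts to three checks: the SP rejects a link that carries both ProtocolBinding and AssertionConsumerServiceIndex, the SP AuthnRequest service verifies the index against the artifact and POST endpoint indexes in the metadata, and the IdP single sign-on service maps the index in the AuthnRequest back to an Assertion Consumer Service URL (falling back to the default endpoint when no index is present). The following is an added example of those checks in Python; it is not SiteMinder or CA code. The metadata fragment, the entity IDs, the URLs and the `IdPID` query parameter name are constructed for illustration (the page names the IdP ID, AssertionConsumerServiceIndex and ForceAuthn parameters but not the exact name of the IdP ID parameter).

```python
"""Added example (not SiteMinder code): validate and resolve a SAML 2.0
AssertionConsumerServiceIndex against indexed endpoints in metadata.
All metadata, URLs and query strings below are constructed samples."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed metadata: one indexed endpoint per binding, artifact is the default.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS_MD}" entityID="https://sp.example.test/sp">
  <SPSSODescriptor protocolSupportEnumeration="{NS_P}">
    <AssertionConsumerService index="0" isDefault="true" Binding="{BINDING_ARTIFACT}"
        Location="https://sp.example.test/acs/artifact"/>
    <AssertionConsumerService index="1" Binding="{BINDING_POST}"
        Location="https://sp.example.test/acs/post"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def load_endpoints(metadata_xml):
    """Return {index: (binding, location, is_default)}; duplicate indexes are rejected."""
    endpoints = {}
    for acs in ET.fromstring(metadata_xml).iter(f"{{{NS_MD}}}AssertionConsumerService"):
        idx = int(acs.attrib["index"])
        if idx in endpoints:
            raise ValueError(f"duplicate AssertionConsumerService index {idx}")
        endpoints[idx] = (acs.attrib["Binding"], acs.attrib["Location"],
                          acs.attrib.get("isDefault", "false").lower() == "true")
    return endpoints


def parse_sp_link(query_string):
    """SP side: parse the link parameters. ProtocolBinding and
    AssertionConsumerServiceIndex are mutually exclusive, so both together is an error."""
    params = {k: v[0] for k, v in parse_qs(query_string, strict_parsing=True).items()}
    if "ProtocolBinding" in params and "AssertionConsumerServiceIndex" in params:
        raise ValueError("ProtocolBinding and AssertionConsumerServiceIndex are mutually exclusive")
    if "AssertionConsumerServiceIndex" in params:
        raw = params["AssertionConsumerServiceIndex"]
        if not raw.isdigit():
            raise ValueError("AssertionConsumerServiceIndex must be a non-negative integer")
        params["AssertionConsumerServiceIndex"] = int(raw)
    return params


def validate_index_at_sp(index, endpoints):
    """SP AuthnRequest service: the index must equal the artifact endpoint index,
    or failing that the POST endpoint index (one endpoint per binding, as on the page)."""
    index_by_binding = {binding: idx for idx, (binding, _, _) in endpoints.items()}
    if index_by_binding.get(BINDING_ARTIFACT) == index:
        return BINDING_ARTIFACT
    if index_by_binding.get(BINDING_POST) == index:
        return BINDING_POST
    raise ValueError(f"AssertionConsumerServiceIndex {index} does not match the index in the metadata")


def build_authn_request(issuer, destination, index, request_id="_constructed-id-1"):
    """Build a minimal AuthnRequest carrying the index (IssueInstant is a fixed sample value)."""
    req = ET.Element(f"{{{NS_P}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0",
                      "IssueInstant": "2012-01-01T00:00:00Z", "Destination": destination})
    if index is not None:
        req.set("AssertionConsumerServiceIndex", str(index))
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def extract_index(authn_request_xml):
    """IdP single sign-on service: read the index from the AuthnRequest, or None if absent."""
    raw = ET.fromstring(authn_request_xml).get("AssertionConsumerServiceIndex")
    return None if raw is None else int(raw)


def resolve_acs_at_idp(index, endpoints):
    """IdP single sign-on service: map the index to (binding, location). With no index,
    use the default endpoint; an index missing from the metadata is an error."""
    if index is None:
        defaults = [ep for ep in endpoints.values() if ep[2]]
        if len(defaults) != 1:
            raise ValueError("metadata must define exactly one default AssertionConsumerService")
        return defaults[0][0], defaults[0][1]
    if index not in endpoints:
        raise ValueError(f"invalid AssertionConsumerServiceIndex {index} in AuthnRequest")
    return endpoints[index][0], endpoints[index][1]


if __name__ == "__main__":
    eps = load_endpoints(SAMPLE_METADATA)
    link = parse_sp_link("IdPID=https://idp.example.test&AssertionConsumerServiceIndex=1&ForceAuthn=true")
    binding = validate_index_at_sp(link["AssertionConsumerServiceIndex"], eps)
    req = build_authn_request("https://sp.example.test/sp", "https://idp.example.test/sso",
                              link["AssertionConsumerServiceIndex"])
    print(binding, resolve_acs_at_idp(extract_index(req), eps))
```

The IdP-side lookup is the check that matters for security: the assertion is only ever delivered to a Location taken from the metadata, never to a URL supplied in the request, so a bad index produces an error rather than a redirect to an unlisted endpoint.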
Copyright © 2012 CA.
All rights reserved.