

Install the IdP Policy Server

Set up the Policy Server.

To install the Policy Server

  1. Install a Policy Server.

    For instructions, see the SiteMinder Policy Server Installation Guide.

  2. Select the web server that is used for the UI.

    In this deployment, an IIS Web Server is the server on which the Policy Server is installed. Your network can use a different supported web server.

  3. Select a policy store.

    In this deployment, a Sun Java LDAP directory is serving as the policy store. The installation configures and initializes this policy store for you.

    Important! If you initialize a new policy store, the Policy Server installer automatically imports the affiliate objects contained in the ampolicy.smdif file. These objects are required for federation. If you use an existing policy store that you do not initialize, import the affiliate objects manually. To verify that the import succeeded, log in to the FSS Administrative UI and click Domains on the System tab. If the import succeeded, the FederationWebServices domain object is listed.

  4. (Optional) Enable Policy Server Trace Logging so you can use the log to troubleshoot your setup.
  5. Point the Policy Server to the LDAP Policy Store.

More information:

Point the Policy Server to the IdP LDAP Policy Store

Enable Policy Server Trace Logging at the IdP

Point the Policy Server to the IdP LDAP Policy Store

In this deployment, an LDAP policy store is used. Verify that the Policy Server is pointing to the LDAP policy store.

Note: The guide assumes that you know how to add users to the user store in your deployment.

Follow these steps:

  1. Open the Policy Server Management Console.
  2. Select the Data tab.
  3. Complete the following fields:

    Databases: Policy Store
    Storage: LDAP
    IP Address (LDAP directory): www.idp.demo:389
    Root DN: o=idp.demo
    Admin Username: cn=Directory Manager
    Password: password
    Confirm Password: password

  4. Click OK to save your changes and exit the console.
  5. Go to Set Up the IdP User Store.

Set Up the IdP User Store

At the Identity Provider, a user store with users defined is required. The Identity Provider can create assertions for these users. In this deployment, the user store is a Sun ONE LDAP user directory. The Sun ONE Server Console is used to add users to this user store.

To configure the user store

  1. Add the following users: user1 and user2.
  2. Fill in the attributes for user1 and user2 as follows:

    user1
    userpassword: test
    mail: user1@idp.demo

    user2
    userpassword: test
    mail: user2@idp.demo

    Important! The email address must be the same in the Service Provider user store for the same users.

  3. Enable trace logging.
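The Important note above is the one part of the user store setup that silently breaks federation if it is wrong: the Identity Provider puts the user's mail attribute into the assertion, and the Service Provider looks the same address up in its own user store. The following added example (not part of this guide and not SiteMinder code) reads LDIF-style exports of both stores and reports every user whose mail attribute differs or is missing on the SP side. The two LDIF strings are constructed sample data that reuse the user1 and user2 values from this page; the SP-side DN suffix o=sp.demo and the ou=People container are assumptions.

```python
"""Added example: cross-check the mail attribute between the IdP and SP user stores.

Not SiteMinder code. The LDIF samples below are constructed for the example and
reuse the user1/user2 values shown in the guide; o=sp.demo and ou=People are assumed.
"""

from typing import Dict, List, Optional, Tuple

# Constructed IdP user store export (values from the guide; DN layout assumed).
IDP_USER_STORE_LDIF = """\
dn: uid=user1,ou=People,o=idp.demo
uid: user1
userpassword: test
mail: user1@idp.demo

dn: uid=user2,ou=People,o=idp.demo
uid: user2
userpassword: test
mail: user2@idp.demo
"""

# Constructed SP user store export. user2's address has a different case on purpose,
# which is exactly the kind of drift that makes the SP fail to map the assertion.
SP_USER_STORE_LDIF = """\
dn: uid=user1,ou=People,o=sp.demo
uid: user1
mail: user1@idp.demo

dn: uid=user2,ou=People,o=sp.demo
uid: user2
mail: User2@idp.demo
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries are separated by blank lines, each line is
    'attribute: value'. Attribute names are case-insensitive in LDAP, so they
    are lower-cased; values are kept exactly as written."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def mail_by_uid(entries: List[Dict[str, List[str]]]) -> Dict[str, str]:
    """Map uid -> first mail value for every entry that carries both attributes."""
    return {e["uid"][0]: e["mail"][0] for e in entries if "uid" in e and "mail" in e}


def find_mail_mismatches(
    idp_ldif: str, sp_ldif: str
) -> List[Tuple[str, str, Optional[str]]]:
    """Return (uid, idp_mail, sp_mail) for each IdP user whose mail attribute is
    absent or not identical on the SP side. The guide requires the addresses to be
    the same, so this is an exact string comparison; no case folding is applied."""
    idp = mail_by_uid(parse_ldif(idp_ldif))
    sp = mail_by_uid(parse_ldif(sp_ldif))
    problems: List[Tuple[str, str, Optional[str]]] = []
    for uid, idp_mail in sorted(idp.items()):
        sp_mail = sp.get(uid)
        if sp_mail != idp_mail:
            problems.append((uid, idp_mail, sp_mail))
    return problems


if __name__ == "__main__":
    for uid, idp_mail, sp_mail in find_mail_mismatches(IDP_USER_STORE_LDIF, SP_USER_STORE_LDIF):
        print(f"{uid}: IdP mail={idp_mail!r} SP mail={sp_mail!r}")
```

Run it against real exports from both directories (an LDIF export of the relevant subtree is enough) before testing single sign-on; an empty result means every IdP user has an identical mail value at the SP. The comparison is deliberately exact, since a case or whitespace difference is still a different attribute value from the Service Provider's point of view.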

Enable Policy Server Trace Logging at the IdP

At the Identity Provider, enable logging for the Policy Server. You can view the log file smtracedefault.log to examine trace messages about single sign-on and single logout. This log file is in the directory policy_server_home/siteminder/log.

Follow these steps:

  1. Open the Policy Server Management Console.
  2. Click on the Profiler tab and customize the contents of the trace log.

    Note: Include the Fed_Server component in the log to see the federation trace messages.

    You configure trace logging at the Policy Server using the Policy Server Management Console.

  3. Install the IdP Web Agent.