

Install the SP Policy Server

At the Service Provider, install the Policy Server.

Set up the Policy Server.

To install the Policy Server

  1. Install a Policy Server.

    For instructions, see the SiteMinder Policy Server Installation Guide.

  2. Select the web server that is used for the UI.

    In this deployment, an IIS Web Server is the server on which the Policy Server is installed. Your network can use a different supported web server.

  3. Select a policy store.

    In this deployment, a Sun Java LDAP directory is serving as the policy store. The installation configures and initializes this policy store for you.

    Important! If you initialize a new policy store, the Policy Server installer automatically imports the affiliate objects contained in the ampolicy.smdif file. These objects are necessary for federation. If you use an existing policy store that you do not initialize, import the affiliate objects manually. To verify that the import is successful, log in to the FSS Administrative UI and click on Domains in the System tab. If the import is successful, you can see the FederationWebServices domain object.

  4. (Optional) Enable Policy Server Trace Logging so you can use the log to troubleshoot your setup.

Point the Policy Server to the LDAP Policy Store.

More information:

Enable Trace Logging for Federation Components at the SP

Point the Policy Server to the SP LDAP Policy Store

Point the Policy Server to the SP LDAP Policy Store

Establish the connection between the Policy Server and the LDAP policy store.

Follow these steps:

  1. Open the Policy Server Management Console.
  2. Select the Data tab.

    Complete the following fields:

    Databases: Policy Store

    Storage: LDAP

    LDAP IP Address: sp.demo:389

    Root DN: o=sp.demo

    Admin Username: cn=Directory Manager

    Password: federation

    Confirm Password: federation

  3. Click OK.
  4. Set up the SP user store.

Set Up the SP User Store

At the SP, configure a user store and add user records for users that require assertions. When the assertion is presented during authentication, the Service Provider looks in the user store for the user record.

In this deployment, the Sun ONE LDAP user directory is the user store. Use the Sun ONE Server Console to add users to the directory.

To configure the user store

  1. Add the following users:
  2. Fill in the attributes for user1 and user2 as follows:
    user1

    userpassword: customer

    mail: user1@sp.demo

    user2

    userpassword: customer

    mail: user2@sp.demo

    Important! The email address must be the same in the Identity Provider user store for the same users.

  3. Enable trace logging.
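
The requirement that each user's mail value be the same in both user stores can be checked offline by comparing LDIF exports of the SP and IdP directories. The following Python script is an added example, not part of the SiteMinder documentation; the sample entries are constructed, and the uid attribute, the ou=People container and the o=idp.demo suffix are assumptions.

```python
import base64

def parse_ldif(text):
    """Return {uid: {attr: [values]}}; handles folded lines and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return {e["uid"][0]: e for e in entries if "uid" in e}

def mail_mismatches(sp_ldif, idp_ldif):
    """Return (uid, sp_mails, idp_mails) for SP users whose mail differs at the IdP."""
    sp, idp = parse_ldif(sp_ldif), parse_ldif(idp_ldif)
    problems = []
    for uid, entry in sorted(sp.items()):
        # mail is matched case-insensitively in LDAP, so compare lowercased values
        sp_mail = sorted(m.lower() for m in entry.get("mail", []))
        idp_mail = sorted(m.lower() for m in idp.get(uid, {}).get("mail", []))
        if not sp_mail or sp_mail != idp_mail:
            problems.append((uid, sp_mail, idp_mail))
    return problems

# Constructed sample exports; ou=People, uid and the o=idp.demo suffix are assumptions.
SP_LDIF = """dn: uid=user1,ou=People,o=sp.demo
uid: user1
mail: user1@sp.demo

dn: uid=user2,ou=People,o=sp.demo
uid: user2
mail: user2@sp.demo
"""
IDP_LDIF = ("dn: uid=user1,ou=People,o=idp.demo\nuid: user1\nmail:: "
            + base64.b64encode(b"User1@sp.demo").decode()
            + "\n\ndn: uid=user2,ou=People,\n o=idp.demo\nuid: user2\n"
              "mail: user2@idp.demo\n")
```

An empty result from `mail_mismatches` means every SP user has a matching mail value at the IdP; with the constructed data above, only user2 is reported.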

Enable Trace Logging for Federation Components at the SP

At the SP Policy Server, configure the SiteMinder Profiler to log federation components to the trace log, smtracedefault.log, and examine the trace messages.

To enable logging

  1. Open the Policy Server Management Console.
  2. Click on the Profiler tab and customize the contents of the trace log. Be sure to include the Fed_Server component in the log to see the federation trace messages.

    To configure trace logging at the Policy Server, use the Policy Server Management Console.

  3. Install the SP Web Agent.