Federation Security Services Guide › Overview of a SiteMinder Federation Setup › Set Up Relying Party Components › Install the Relying Party Policy Server

Install the Relying Party Policy Server

Install the Policy Server at the relying party site. The Policy Server provides functions such as the federation authentication schemes.

At the relying party, do the following:

1. Install the Policy Server.

   See the SiteMinder Policy Server Installation Guide.

2. Set up a policy store.

   See the SiteMinder Policy Server Installation Guide.

   Important! If you initialize a new policy store, the Policy Server installer automatically imports the affiliate objects in the ampolicy.smdif file. These objects are necessary for federation. If you use an existing policy store, import the affiliate objects manually. To verify that the import is successful, log in to the Administrative UI and navigate to Policy, Domain, Domains. If the import is successful, you can see the FederationWebServices domain object in the list.

3. Set up a user store and add users permitted to access target resources.

   See the SiteMinder Policy Server Configuration Guide.

Configure a SAML or WS-Federation Authentication Scheme

At the relying party Policy Server, configure an authentication scheme (artifact, POST profile, SAML 2.0, WS-Federation) for each asserting party.

Important! The name of the partner that you specify for the authentication scheme must match the name of the relying party that you specify at the asserting party.

Specifically:

• For SAML 1.x authentication schemes, the Affiliate Name field of the scheme configuration must match an Affiliate Name for an affiliate object at the producer site.
• For SAML 2.0, the equivalent field is the SP ID, which must match the SP ID at the Identity Provider.
• For WS-Federation, the Resource Partner ID for the scheme configuration must match the Resource Partner ID at the Account Partner.

More Information:

Configure SiteMinder as a SAML 1.x Consumer

Configure SiteMinder as a SAML 2.0 Service Provider

Configure SiteMinder as a Resource Partner

Protect Target Resources at the Relying Party

After creating a SAML or WS-Federation authentication scheme, assign the scheme to a unique realm or a single custom realm. The realm is the collection of target resources at the relying party that require an assertion for user access. The relying party identifies target resources in one of the following ways:

• TARGET variable in the intersite transfer URLs (SAML 1.x).
• AuthnRequest URL (SAML 2.0 and WS-Federation).
• Authentication scheme configuration (SAML 2.0 and WS-Federation).

After you create a realm and assign a SAML or WS-Federation authentication scheme to it, create a rule for the realm, then add the rule to a policy that protects the resource.

Install a Web Agent or SPS Federation Gateway (Relying Party)

The Web Agent is a required component in a SiteMinder Federation Security Services network. You can either install a Web Agent on a web server or install an SPS federation gateway, which has an embedded web agent.

At the relying party, set up the following components:

1. Install one of the following components:
   • Web Agent

     For instructions, see the Web Agent Installation Guide.

   • SPS federation gateway

     For instructions, see the Secure Proxy Server Administration Guide.

2. Configure the Web Agent or SPS federation gateway.

Install a Web or Application Server for the Web Agent Option Pack (Relying Party)

If you are implementing Federation Security Services with a Web Agent and Web Agent Option Pack (not with an SPS federation gateway), install the Web Agent Option Pack. Install this component on a web or application server.

At the relying party:

1. Install one of the following servers to run Federation Web Services, the application that is installed with the Web Agent Option Pack.
   • Web server running ServletExec
   • WebLogic Application Server
   • WebSphere Application Server
   • JBOSS Application Server
   • Tomcat Application Server
2. Deploy Federation Web Services on these systems.

More Information:

Deploy Federation Web Services as a Web Application

Install the Web Agent Option Pack at the Relying Party

The Web Agent Option Pack supplies the Federation Web Services application, which is a required component for Federation Security Services.

At the relying party:

1. Install the Web Agent Option Pack.

   For instructions, see the Web Agent Option Pack Guide.

2. Verify that you install a JDK. The Web Agent Option Pack requires this JDK.

   To determine the required JDK version, go to the Technical Support site and search for SiteMinder Platform Matrix.

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the Secure Proxy Server Administration Guide.

Configure Federation Web Services at the Relying Party

These steps enable you to set up the Federation Web Services application. The Federation Web Services application is installed on the server with the Web Agent Option Pack or the SPS federation gateway.

To configure Federation Web Services at the relying party

1. Configure one of the supported application servers to use the Web Agent Option Pack. Refer to the Web Agent Option Pack deployment instructions.

   If you are using the SPS federation gateway, the Federation Web Services application is already deployed.

2. Set the AgentConfigLocation parameter in the AffWebServices.properties file to the full path to the WebAgent.conf file. Verify that the syntax is correct and the path appears on one line in the file.

   The AffWebServices.properties file contains the initialization parameters for Federation Web Services. This file is located in the one of the following directories:

   • web_agent_home/affwebservices/WEB-INF/classes
   • sps_home/secure-proxy/Tomcat/webapps/affwebservices/WEB-INF/classes

   web_agent_home

   Represents the installed location of the Web Agent

   sps_home

   Represents the installed location of the SPS federation gateway

3. Enable error and trace logging for Federation Web Services application. Logging is enabled in the LoggerConfig.properties file. The logs enable you to see the communication between the asserting party and the relying party.
   • Error logging is recorded in the affwebserv.log file, the default error log file.
   • Trace logging is recorded in the FWSTrace.log, the default trace log file.
4. Test Federation Web Services by opening a web browser and entering the following link:

   http://fqhn:port_number/affwebservices/assertionretriever

   fqhn

   Defines the fully qualified host name.

   port_number

   Defines the port number of the server where the Federation Web Services application is installed.

   For example:

   http://myhost.ca.com:81/affwebservices/assertionretriever

   If Federation Web Services is operating correctly, the following message appears:

   Assertion Retrieval Service has been successfully initialized.
   The requested servlet accepts only HTTP POST requests.
   

   This message indicates that Federation Web Services is listening for data activity. If Federation Web Services is not operating correctly, you see a message that the Assertion Retrieval Service has failed. If the test fails, look at the Federation Web Services log.

More Information:

Configure Federation Web Services (Asserting Party)