

WS-Federation Authentication Scheme Overview

If you purchased the Policy Server or SPS federation gateway, any SiteMinder site can consume a WS-Federation <RequestSecurityTokenResponse> message and use the assertion in the response to authenticate and authorize users. Any site in your federated network that has a user store can use WS-Federation authentication.

The WS-Federation authentication scheme lets a Resource Partner authenticate a user. It enables cross-domain single sign-on by consuming a SAML assertion and establishing a SiteMinder session. After the user is identified, the Resource Partner site can authorize the user for specific resources.

A site can be both a WS-Federation Resource Partner and Account Partner.

Graphic showing the components of a resource partner

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the Secure Proxy Server Administration Guide.

The WS-Federation authentication scheme is configured at the Resource Partner-side Policy Server and is invoked by the WS-Federation Security Token Consumer Service. The Security Token Consumer Service is a component of the Federation Web Services application and is installed on the Resource Partner-side Web Agent. This service obtains the scheme's configuration from the Policy Server and uses it to extract from the assertion the values needed to authenticate the user.

The SAML assertion becomes the user credentials used to log in to the Policy Server at the Resource Partner site. The user is authenticated and authorized, and if authorization is successful, the user is redirected to the target resource.
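As an added example (not SiteMinder or Federation Web Services code), the consumer-side checks described above: pulling the SAML 1.1 assertion out of a WS-Trust <RequestSecurityTokenResponse> and enforcing its Issuer, validity window and Audience before the NameIdentifier is treated as a login credential. The sample message, issuer and audience URLs are constructed placeholders, and signature verification is assumed to have happened already.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# WS-Federation passive profile: WS-Trust 1.2 RSTR wrapping a SAML 1.1 assertion.
NS = {"wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample RSTR; the issuer and audience URLs are placeholders.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="{wst}">
 <wst:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="{saml}" MajorVersion="1" MinorVersion="1"
      AssertionID="_a1" Issuer="https://ap.example.test"
      IssueInstant="2024-01-01T12:00:00Z">
   <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
     <saml:Audience>https://rp.example.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AuthenticationStatement AuthenticationInstant="2024-01-01T12:00:00Z"
       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
   </saml:AuthenticationStatement>
  </saml:Assertion>
 </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>""".format(**NS)

def saml_time(value):
    """Parse a SAML UTC timestamp (trailing Z) into an aware datetime."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))

def consume_rstr(rstr_xml, trusted_issuer, my_audience, now):
    """Return the NameIdentifier to use as the login credential, or raise.
    Assumes the assertion's XML signature was verified beforehand; only the
    assertion's own conditions are enforced. Use defusedxml for untrusted input."""
    root = ET.fromstring(rstr_xml)
    a = root.find("wst:RequestedSecurityToken/saml:Assertion", NS)
    if a is None:
        raise ValueError("RSTR carries no SAML 1.1 assertion")
    if a.get("Issuer") != trusted_issuer:
        raise ValueError("Issuer is not the configured Account Partner")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (saml_time(cond.get("NotBefore", "")) <= now
                            < saml_time(cond.get("NotOnOrAfter", ""))):
        raise ValueError("missing Conditions or outside validity window")
    audiences = {e.text for e in cond.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if my_audience not in audiences:
        raise ValueError("assertion was not issued for this Resource Partner")
    nid = a.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if nid is None or not (nid.text or "").strip():
        raise ValueError("no NameIdentifier to map to a user")
    return nid.text.strip()
```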