Select the Artifact Binding at the IdP

For artifact single sign-on, you need to enable the artifact binding.

To configure artifact single sign-on

  1. Log in to the Policy Server User Interface.
  2. From the Domains tab, expand Federation Sample Partners and select SAML Service Providers to display the Service Providers.
  3. Right-click sp.demo to open its properties dialog.
  4. Select the SSO tab.
  5. Complete the following fields:

     Audience: sp.demo
       This value must match the value at the Service Provider.

     Assertion Consumer Service: http://www.sp.demo:81/affwebservices/public/saml2assertionconsumer
    
  6. Select the HTTP-Artifact check box.
  7. For the Artifact encoding, select URL.

    The artifact will be added to a URL-encoded query string.

  8. Complete the password fields:

     Password: smfederation
     Confirm Password: smfederation

     This is the password that sp.demo uses to access the Federation Web Services application at the Identity Provider. It must also match the value at the Service Provider.

  9. For the Authentication Level, Validity Duration, and AuthnContext Class Ref fields, accept the defaults.

    In a test environment, you may want to increase the Validity Duration value above the default of 60 if you see the following message in the Policy Server trace log:

    Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237) - current time (Fri Sep 09 17:28:33 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2005)
    
  10. Click OK.
  11. Add a CA Certificate to the Smkeydatabase at the SP.
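As an added diagnostic for the Validity Duration note in step 9 (example code, not part of this documentation), the script below parses the SessionNotOnOrAfter rejection message from the trace log, reports by how many seconds the assertion had already expired when it arrived, and suggests a Validity Duration. It assumes the IdP sets SessionNotOnOrAfter to the issue time plus the Validity Duration; the first sample line is the message quoted above and the second is a constructed non-matching line.

```python
import math
import re
from datetime import datetime

# Constructed trace-log sample: line 1 is the rejection message quoted on
# this page, line 2 is a made-up line that the parser must ignore.
SAMPLE_LINES = [
    "Assertion rejected (_b6717b8c00a5c32838208078738c05ce6237) - "
    "current time (Fri Sep 09 17:28:33 EDT 2005) is after "
    "SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2005)",
    "Assertion accepted (_constructed0001)",
]

# Java Date.toString() style timestamp: "Fri Sep 09 17:28:33 EDT 2005"
_TS = r"(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})"
_REJECT_RE = re.compile(
    r"Assertion rejected \((?P<id>[^)]+)\) - current time \(" + _TS +
    r"\) is after SessionNotOnOrAfter time \(" + _TS + r"\)"
)


def _parse_ts(body: str, year: str) -> datetime:
    # The zone abbreviation is dropped: strptime's %Z is not portable, and
    # the caller has already checked both timestamps share one zone.
    return datetime.strptime(f"{body} {year}", "%a %b %d %H:%M:%S %Y")


def parse_rejection(line: str):
    """Return (assertion_id, overshoot_seconds) for a SessionNotOnOrAfter
    rejection line, or None if the line is not such a rejection."""
    m = _REJECT_RE.search(line)
    if not m:
        return None
    if m.group(3) != m.group(6):
        raise ValueError("timestamps use different zone abbreviations")
    now = _parse_ts(m.group(2), m.group(4))
    expiry = _parse_ts(m.group(5), m.group(7))
    return m.group(1), (now - expiry).total_seconds()


def suggested_validity(overshoot_s: float, current_validity_s: int = 60,
                       margin_s: int = 30) -> int:
    """Smallest Validity Duration (seconds) that would have accepted this
    assertion, plus a margin. Assumption (not stated on this page): the IdP
    computes SessionNotOnOrAfter = issue time + Validity Duration."""
    return current_validity_s + math.ceil(overshoot_s) + margin_s


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hit = parse_rejection(line)
        if hit:
            aid, over = hit
            print(f"{aid}: expired {over:.0f}s before arrival; "
                  f"try Validity Duration >= {suggested_validity(over)}s")
```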