Back-channel Cert-based Authentication Fails on IIS 5.0 (30929)

Symptom:

Because of a known limitation, the IIS 5.0 Web Agent does not handle in-line client certificates over an SSL connection. When Federation Web Services (FWS) is installed and configured to consume assertions and the customer requires certificate authentication for back-channel requests to the SAML credential collector, the Web Agent is unable to protect FWS.

Solution:

Configure the IIS 5.0 Web server itself to perform client certificate authentication. FWS has been modified so that, on IIS 5.0, it obtains the client certificate from the HTTP request rather than relying on the Web Agent. This solution requires that the CN attribute of the client certificate's subject DN contain the affiliate name.