

Agent Setting for Federation Domains

If CA SiteMinder® is acting as a legacy federation SP, you can configure the Identity Provider Discovery (IPD) profile for SAML 2.0 transactions. IPD enables a user to select which IdP generates an assertion for an authentication request.

During the discovery process, you can prevent a user from being redirected to a malicious web site. Configure the Web Agent to validate the domain of the IdP that satisfies the authentication request.

To enable the validation process, set the value of the following parameter:

ValidFedTargetDomain

(Federation only–SAML 2.0). Lists all valid domains for your federated environment when implementing Identity Provider Discovery.

When the CA SiteMinder® Identity Provider Discovery (IPD) Service receives a request, it examines the IPDTarget query parameter in the request. This parameter specifies the URL to which the Discovery Service redirects after it processes the request. For an IdP, the IPDTarget is the SAML 2.0 Single Sign-on service. For an SP, the target is the requesting application that wants to use the common domain cookie.

Federation Web Services compares the domain of the IPDTarget URL to the list of domains specified for the ValidFedTargetDomain parameter. If the URL domain matches one of the configured domains, the IPD Service redirects the user to the URL in the IPDTarget parameter. This redirect is to a URL at the SP.

If there is no domain match, the IPD Service denies the request and the user receives a 403 Forbidden in the browser. Additionally, errors are reported in the FWS trace log and the affwebservices log, indicating that the domain of the IPDTarget is not defined as a valid federation target domain.

If you do not configure the ValidFedTargetDomain setting, no validation is done and the user is redirected to whatever URL the IPDTarget parameter contains. Because that parameter arrives with the request, an unconfigured setting leaves the Discovery Service usable as an open redirect to an attacker-chosen site; configure the setting in every deployment that uses IPD.

Limits: Valid domains within the federated network

Default: No default

Specify a valid domain in the ValidFedTargetDomain parameter. This setting is a multi-value parameter, so you can enter multiple domains.

If you are modifying a local configuration file, list the domains separately, for example:

validfedtargetdomain=".examplesite.com"

validfedtargetdomain=".abccompany.com"
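The check described above, written out as an added example so that the effect of the allowlist on hostile IPDTarget values is visible. This is illustrative code, not CA SiteMinder's own implementation: the function names (target_host, domain_allowed, handle_ipd_request), the exact matching rule (a leading-dot entry such as ".examplesite.com" matches any host under that domain, an entry without a leading dot must equal the host exactly), the handling of a missing IPDTarget, and the log messages are all assumptions. The two allowlist entries mirror the local configuration file sample above.

```python
from urllib.parse import parse_qs, urlparse

# Constructed allowlist, mirroring the sample local configuration file entries.
VALID_FED_TARGET_DOMAINS = [".examplesite.com", ".abccompany.com"]


def target_host(url):
    """Return the lower-cased host of a URL, or None if it has no usable host.

    urlparse() takes the host from the authority component, so a userinfo
    trick such as https://app.examplesite.com@evil.example/ resolves to
    evil.example, and a scheme-relative //evil.example/ is still seen as a host.
    """
    try:
        host = urlparse(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.lower().rstrip(".") if host else None


def domain_allowed(host, valid_domains):
    """Compare a host against the configured ValidFedTargetDomain entries.

    Assumed matching rule (the documentation only says the domain is
    "compared"): an entry with a leading dot matches the domain itself and any
    host under it; an entry without a leading dot must equal the host exactly.
    Matching on the label boundary is what stops evilexamplesite.com and
    app.examplesite.com.evil.example from passing.
    """
    if host is None:
        return False
    for entry in valid_domains:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            if host.endswith(entry) or host == entry[1:]:
                return True
        elif host == entry:
            return True
    return False


def handle_ipd_request(query_string, valid_domains):
    """Simulate the IPD Service decision for one request.

    Returns (status, location, message): status is 302 (redirect to the
    IPDTarget) or 403 (request denied); message stands in for the line the
    real service would write to the FWS trace log (wording is assumed).
    """
    targets = parse_qs(query_string).get("IPDTarget")
    if not targets:
        return 403, None, "IPDTarget query parameter missing"
    target = targets[0]
    host = target_host(target)
    # Documented behaviour: with no domains configured, no validation is done.
    # That makes IPDTarget an open redirect, so the message flags it.
    if not valid_domains:
        return 302, target, "ValidFedTargetDomain not configured; redirecting without validation"
    if domain_allowed(host, valid_domains):
        return 302, target, "IPDTarget domain %s is a valid federation target domain" % host
    return 403, None, "IPDTarget domain %r is not defined as a valid federation target domain" % host


if __name__ == "__main__":
    # Constructed requests: one legitimate target and several redirect tricks.
    for qs in [
        "IPDTarget=https://app.examplesite.com/saml2/sso",
        "IPDTarget=https://app.examplesite.com.evil.example/saml2/sso",
        "IPDTarget=https://evilexamplesite.com/",
        "IPDTarget=https://app.examplesite.com@evil.example/",
        "IPDTarget=//evil.example/",
    ]:
        print(qs, "->", handle_ipd_request(qs, VALID_FED_TARGET_DOMAINS))
```

Running the block shows only the first request producing a 302; the suffix, prefix, userinfo and scheme-relative variants all end in 403, and the same inputs with an empty allowlist all redirect, which is the unvalidated behaviour the documentation warns about.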

For more information about the Identity Provider Discovery profile, see the Federation Security Services Guide.