Symantec Access Management

  • 1.  Federation : SAML 2.0 Use case along with SSO?

    Posted Jan 13, 2014 05:26 PM

    Hi, 

    I have this use case to resolve: would appreciate if i can get some thoughts on the inner workings of the siteminder / FSS

    Use case:

    1)Idp : ADFS solution with active directory as user store(Applications '1',' 2', '3' - all SSO'd)

    2)SP: Siteminder Solution with Oracle Ldap as user store containing (Applications 'a','b','c' - all SSO'd with Siteminder "cookie provider" setting on application - 'a' which is the cookie provider)

    Any concerns inorder to have the below achived:

    Integrate both of these using SAML 2.0 Federation to have the idp talk to sp.

    Sequence of the user activity:

    1)user logs into the ADFS portal application '1' 

    2)Clicks on the URL link to SP(App 'a') which initiates the SAML handshake of invoking "IDP initiated SSO" to target URL, protected by SAML 2.0 Authentication Scheme.

    3)Now the question is ?

    Can the user be still able to SSO into the application - 'b' and 'c' as the application to which the user was federated into (application 'a' - was not forms based authentication scheme.?

    Will the SMSession cookie be created after the initial - SSO - (SAML)Federate into application 'a'.?

     

    Thanks

    Rao.



  • 2.  RE: Federation : SAML 2.0 Use case along with SSO?

    Posted Jan 14, 2014 12:03 AM

    short answer is yes.

    when the SAML Assertion provided by the IdP (ADFS) is successfully consumed by SM FSS, SMSESSION would be created by FSS (Assertion Consumer).   A redirect then occured to the target app that setup with SAML 2.0 Auth Scheme.  let say the app is app 'a" (really it doesn't matter which, but for simplicity let us base the example on your question "...Will the SMSession cookie be created after the initial - SSO - (SAML)Federate into application 'a'.?  ...."  your users would then allow to access app 'a' after going through the typical SM challenges

    1. is the resource is Protect (isProtected call)

    2. is the user is authenticate (isAuthenticate call), but since there is a SMSESSION, it would be an isValidate call, and then

    3. is the user is authorized (isAuthorized call)

    once the user is landed in app 'a' and want to go over (SSO) to app 'b' or 'c', and since you mentioned "....(Applications 'a','b','c' - all SSO'd with Siteminder "cookie provider" setting on application - 'a' which is the cookie provider) ....", this SSO flow would continue to work.

    Note:   the above assume ADFS implementation of SAML is conform to OASIS's SAML spec.  Vendors out there would claim their product is SAML interoperable/compliance to their customers queries, but usually left out the "...by the way ..." keyword.

    T.