Hello Neeraj,
My answers are as below:
1. Is it mandatory for the target parameter to be protected with the SAML auth scheme?
---> TARGET is required to be protected with the SAML auth-scheme in Legacy Federation. If you use the Partnership Model, this detail is hidden.
2. Once the assertion is consumed at the SP end and the user is redirected to a target URL having a SiteMinder agent, should that agent create a new SMSESSION for SP-end session management?
---> During assertion consumption the SAML auth-scheme is invoked, or rather the SAML auth-scheme facilitates the SAML assertion consumption. Yes, SMSESSION would be set for the SP domain after the assertion is successfully consumed at the SP.
3. Do we do any additional configuration for the web agent protecting the target URL with the SAML auth scheme to generate an SMSESSION at the SP end?
---> SAML auth-scheme config is the main config step at the SP side. You could also consider and use the Partnership Model, since what we are discussing here is Legacy Federation and, as of r12.5 onwards, we do have the Partnership Model of Federation config available.
4. Is the agent treated as an affiliate agent if it protects the target URL with the SAML auth scheme? ---> Nope, it's a regular Web Agent.
Any configurations specific to the affiliate agent? ---> Affiliate Agent is EOS now, so not sure if you still have it; if so, just know Affiliate Agent only supports and works with SAML 1.0 Artifact Binding.
I have all these questions because I have tested two scenarios.
1. I generate an AuthnRequest and, post assertion validation, redirect to the target URL protected with the SAML auth scheme; redirection fails because the agent on the target URL does not find any SMSESSION.
---> Hmm, yes, that is something I would suggest be followed through a support ticket; please provide Fiddler traces, WA traces, FWS traces and the WA log and affwebserv log upfront to showcase the problem. Either SMSESSION is not being returned by the browser for some reason, or it is possibly set for a different domain.
2. If I repeat the same test in a way that I generate an SMSESSION for the domain in which the target URL is present and test the journey, redirection happens because the agent found the SMSESSION in the browser.
---> What is the TARGET domain and the domain of the FWS/WAOP?
Thanks & Regards,
------ Manjari
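Added note, not part of Manjari's or Neeraj's messages and not SiteMinder code: the "set for a different domain" possibility above can be checked directly from the Fiddler trace. Take the Set-Cookie header the assertion consumer response returns and the TARGET URL, and apply the browser's own cookie scoping rules (RFC 6265 domain, path and Secure matching) to see whether the SMSESSION would ever be presented to the agent on the target host. The hostnames, the assertion-consumer path and the cookie value below are constructed for illustration and are not taken from the thread.

```python
"""Would the SMSESSION set by the SP's assertion consumer reach the TARGET URL?

Added diagnostic example (not SiteMinder code). Applies RFC 6265 cookie
scoping: Domain attribute, host-only cookies, Path and Secure.
All hostnames, paths and cookie values are constructed samples.
"""
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into name/value and scope attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": None, "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            # A leading dot is ignored by browsers (RFC 6265 section 5.2.3)
            cookie["domain"] = val.lstrip(".").lower() or None
        elif key == "path":
            cookie["path"] = val if val.startswith("/") else "/"
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def domain_match(host, domain):
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_be_sent(set_cookie_header, setting_url, target_url):
    """Return (bool, reason): does the cookie set by setting_url reach target_url?"""
    cookie = parse_set_cookie(set_cookie_header)
    setter = urlparse(setting_url).hostname.lower()
    target = urlparse(target_url)
    host = (target.hostname or "").lower()
    domain = cookie["domain"]
    if domain is None:
        # No Domain attribute: host-only cookie, returned to the setting host only
        if host != setter:
            return False, "host-only cookie for %s; target host is %s" % (setter, host)
    else:
        if not domain_match(setter, domain):
            return False, "browser rejects cookie: Domain=%s does not cover %s" % (domain, setter)
        if not domain_match(host, domain):
            return False, "Domain=%s does not cover target host %s" % (domain, host)
    if cookie["secure"] and target.scheme != "https":
        return False, "Secure cookie is not sent to %s://" % target.scheme
    if not path_match(target.path or "/", cookie["path"]):
        return False, "Path=%s does not cover %s" % (cookie["path"], target.path)
    return True, "%s would be sent to %s" % (cookie["name"], host)


# Constructed samples: the assertion consumer URL and two Set-Cookie headers as
# they might appear in a Fiddler trace (the cookie value is made up).
ACS_URL = "https://fws.sp.example.com/affwebservices/public/saml2assertionconsumer"
SCOPED = "SMSESSION=AbC123+/xyz==; Domain=.sp.example.com; Path=/; Secure; HttpOnly"
HOST_ONLY = "SMSESSION=AbC123+/xyz==; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for hdr, target in [
        (SCOPED, "https://app.sp.example.com/protected/index.html"),
        (SCOPED, "https://app.partner.example.org/protected/index.html"),
        (HOST_ONLY, "https://app.sp.example.com/protected/index.html"),
        (SCOPED, "http://app.sp.example.com/protected/index.html"),
    ]:
        ok, why = would_be_sent(hdr, ACS_URL, target)
        print("%-4s %s -> %s" % ("SENT" if ok else "MISS", target, why))
```

Running it against the real Set-Cookie line and TARGET from your trace answers Manjari's closing question mechanically: if the assertion consumer host and the TARGET host are not covered by the same cookie Domain (or the cookie is host-only), the Web Agent on the target will never see an SMSESSION, which is exactly the first scenario Neeraj describes.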
From: CA Security Global User Community Message Boards [mailto:CommunityAdmin@communities-mail.ca.com]
Sent: Tuesday, April 29, 2014 2:14 PM
To: mb_message.2253364.114703691@myca-email.ca.com
Subject: [CA SiteMinder General Discussion] RE: [CA SiteMinder General Discussion] How to generate SAML AuthnRequest at
Hi Manjari,

Thanks for the detailed explanation. I can see the AuthnRequest is getting generated for me, which redirects the user to the IDP end. The user is authenticated at the IDP end and the assertion is posted back to the SiteMinder assertion consumer service. I want to understand more about the target parameter in the auth scheme. I have a few queries:

1. Is it mandatory for the target parameter to be protected with the SAML auth scheme?
2. Once the assertion is consumed at the SP end and the user is redirected to a target URL having a SiteMinder agent, should that agent create a new SMSESSION for SP-end session management?
3. Do we do any additional configuration for the web agent protecting the target URL with the SAML auth scheme to generate an SMSESSION at the SP end?
4. Is the agent treated as an affiliate agent if it protects the target URL with the SAML auth scheme? Any configurations specific to the affiliate agent?

I have all these questions because I have tested two scenarios.

1. I generate an AuthnRequest and, post assertion validation, redirect to the target URL protected with the SAML auth scheme; redirection fails because the agent on the target URL does not find any SMSESSION.
2. If I repeat the same test in a way that I generate an SMSESSION for the domain in which the target URL is present and test the journey, redirection happens because the agent found the SMSESSION in the browser.

Can you please review my post and help me with the concepts so that I can implement it. :) Thanks for your help.

Regards,
Neeraj.

Posted by: b55
--
CA Communities Message Boards
https://communities.ca.com