Symantec Access Management

  • 1.  Legacy Federation setup - SAML 1.1

    Posted Jul 21, 2017 06:12 AM

    I am trying to set up SSO between 2 applications using SAML 1.1 Legacy Federation. I have gone through the SiteMinder documentation, but a few points are not clear.


    1. On the IDP/Producer side, where in the affiliate domain do we define the configuration for the SP/Consumer? Is it the 'SAML Service Providers' tab or 'Resource Partners'?
    2. How do we define the IDP/Producer configuration on the SP/Consumer side?
      I read that we have to create an authentication scheme with the SAML POST Profile (if we are using HTTP-POST) and then bind it to realms and make a policy.
      But how will just binding it to a policy help in creating a trust with the IDP/Producer? There is nowhere that we are defining the IDP/Producer config on the SP/Consumer side.

    Please throw some light.




  • 2.  Re: Legacy Federation setup - SAML 1.1

    Broadcom Employee
    Posted Jul 21, 2017 09:19 PM

    Hi Anurag,


    Are you sure you need SAML 1.1? This is older technology and I haven't seen customers setting up new 1.1 applications in quite some time. Also, some of the terminology you are using is SAML 2.0.


    For SAML 2.0, on the IDP side you configure a Service Provider object within an Affiliate Domain. The Affiliate Domain defines the User Stores that are available while the Service Provider object defines the relationship with the SP.


    On the SP side, you configure a SAML 2.0 Authentication Scheme using the SAML 2.0 Template. Within the auth scheme properties is a SAML 2.0 Configuration button (called Additional Configuration in older releases) which will open all the SAML-specific properties that define the relationship/trust with the IDP, including X.509 certs for signing and encryption.


    If you need SAML 1.1, I would need to do some research as I haven't worked with this directly myself due to so few customers using it today.



  • 3.  Re: Legacy Federation setup - SAML 1.1

    Posted Aug 01, 2017 07:51 AM

    Thank you, Pete_Burant!

    I agree, but there was a client dependency wherein they were not ready to move to SAML 2.0 and had been using SAML 1.1 for a long time. So to be in sync we had to use SAML 1.1 only.

    I was able to achieve a basic SAML 1.1 setup using Partnership Federation instead of the Legacy one.

    I earlier assumed that SAML 1.1 could only be achieved by Legacy Federation, but after reading the documentation I found that we can achieve it via Partnership Federation also.

    Thanks for your suggestion!