Symantec Access Management

  • 1.  Best practice to protect target application

    Posted Mar 30, 2020 04:56 AM
    Hi, I have configured a WS-FED federation, and Siteminder acts as Resource Partner. One of the configuration steps is to specify the target application URL, that is, the URL where you are redirected after the federation flow ends with success. By default this URL is NOT protected by Siteminder, so the question is: which are the possible options to protect the target URL? In some cases I see someone using a wsfed auth schema to protect the target URL, but I am not sure this is the right way.
    Can someone help with this?
    Thank you


  • 2.  RE: Best practice to protect target application

    Broadcom Employee
    Posted Mar 31, 2020 02:18 AM
    Hi Claudio,

    Maybe you are aware already, but just in case, there's a section
    dedicated to protection of Target in WS-Federation use case:

    How To Protect a Target Resource with a WS-Federation Authentication Scheme
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/legacy-federation/configure-a-ws-federation-resource-partner/how-to-protect-a-target-resource-with-a-ws-federation-authentication-scheme.html

    I hope this helps,

    Best Regards,
    Patrick


  • 3.  RE: Best practice to protect target application

    Posted Mar 31, 2020 09:01 AM
    Hi Patrick,
    thank you for your reply.
    You are right, and the doc you mention refers to legacy federation. In that case the suggestion is to use the WS-Federation template authentication schema to protect the target URL. And in that scenario it fits well.

    On the other hand, in case I define a WSFED Partnership RP-AP, protecting the target URL with a WS-Federation auth schema seems to me not the right choice. Why do I need to define the partnership if in the end I need to protect the target URL with a WSFED authentication schema?

    Best Regards

    Claudio


  • 4.  RE: Best practice to protect target application
    Best Answer

    Broadcom Employee
    Posted Apr 01, 2020 02:47 AM
    Hi Claudio,

    Federation "Legacy" and "Partnership" are 2 different ways to
    configure Federation relationships. For given entities, you have to
    configure one or the other, but not both at the same time.

    So in your case, you need to define a Legacy Federation rather than a
    Partnership.

    Best Regards,
    Patrick