Symantec Access Management

Expand all | Collapse all

Rules needed for IdP to SP initiated partnership

  • 1.  Rules needed for IdP to SP initiated partnership

    Posted 01-05-2021 04:23 PM
    Good Afternoon,

    I am looking for some guidance on rules needed for an SP to IdP partnership that is IdP to SP initiated. We are using the Web Agent Option Pack to carry out this request. I have created a "public" rule on the Reverse Proxy that is unprotected to allow the assertion consumer to pass through. I also created a Get,Post rule in the target applications domain for the assertion consumer. When the user tries to access the application via the link, they are presented with a basic authscheme login window. Which doesn't work if they put in their credentials.

    So I know I am missing something, I am just not sure what. Do I need an OnAuthAccept rule added to the SAML Realm I have created on the application Domain? This is the first time I have tried to do any type of Federation with Siteminder and could use some guidance. Thank you in advance.

    -Brian J


  • 2.  RE: Rules needed for IdP to SP initiated partnership

    Posted 01-11-2021 10:54 AM
    Can no one help out with this or has experience doing this?


  • 3.  RE: Rules needed for IdP to SP initiated partnership

    Broadcom Employee
    Posted 01-11-2021 11:05 AM

    Hi Brian,

    It sounds like you are the SP, and the transaction is IDP-initiated.  You should not be protecting /affwebservices/public.  Specifically, the saml2assertionconsumer service needs to be unprotected for your use case to succeed.  Protecting the this URL, often referred to as the ACS URL, creates a catch 22 for any SAML users.  SAML uses will not have a session until their assertion is consumed by the ACS URL, so if you protect the ACS URL, the user will not have any way to authenticate to access the page, and thus why the users cannot authenticate at the basic prompt that's currently popping.

    Unprotect the ACS URL so that unauthenticated users can post their assertions to it.  


    Regards,
    Pete




  • 4.  RE: Rules needed for IdP to SP initiated partnership

    Posted 01-11-2021 11:36 AM
    Thanks for the response Peter. I currently have the /affwebservices/public/saml2assertionconsumer unprotected at the reverse proxy via a realm. Should I also unprotect /affwebservices/public/saml2assertionconsumer at the application also and get rid of the Get/Post rule that I currently have there for /affwebservices?