Hi Brian,
It sounds like you are the SP, and the transaction is IDP-initiated. You should not be protecting /affwebservices/public. Specifically, the saml2assertionconsumer service needs to be unprotected for your use case to succeed. Protecting the this URL, often referred to as the ACS URL, creates a catch 22 for any SAML users. SAML uses will not have a session until their assertion is consumed by the ACS URL, so if you protect the ACS URL, the user will not have any way to authenticate to access the page, and thus why the users cannot authenticate at the basic prompt that's currently popping.
Unprotect the ACS URL so that unauthenticated users can post their assertions to it.
Regards,
Pete
Original Message:
Sent: 01-11-2021 10:54 AM
From: Brian Jones
Subject: Rules needed for IdP to SP initiated partnership
Can no one help out with this or has experience doing this?
Original Message:
Sent: 01-05-2021 04:23 PM
From: Brian Jones
Subject: Rules needed for IdP to SP initiated partnership
Good Afternoon,
I am looking for some guidance on rules needed for an SP to IdP partnership that is IdP to SP initiated. We are using the Web Agent Option Pack to carry out this request. I have created a "public" rule on the Reverse Proxy that is unprotected to allow the assertion consumer to pass through. I also created a Get,Post rule in the target applications domain for the assertion consumer. When the user tries to access the application via the link, they are presented with a basic authscheme login window. Which doesn't work if they put in their credentials.
So I know I am missing something, I am just not sure what. Do I need an OnAuthAccept rule added to the SAML Realm I have created on the application Domain? This is the first time I have tried to do any type of Federation with Siteminder and could use some guidance. Thank you in advance.
-Brian J