A user must have a session at the IdP Policy Server for the Policy Server to generate an assertion. To establish the session, the single sign-on service at the IdP redirects the user to an application using an authentication URL. The Authentication URL must point to the redirect.jsp file, which is installed with the Web Agent Option Pack or Access Gateway product. Protect the authentication URL with a policy so that the user is presented with an authentication challenge. After the user logs in and is successfully authenticated, a session is established. The redirect.jsp application then redirects the user back to the single sign-on service for assertion generation.
Two steps are required to enable session creation:
1. Create a policy to protect the redirect.jsp file.
2. Specify the Authentication URL in a partnership.
1. Log in to the Administrative UI.
2. Select Infrastructure, Agents, Create Agent.
3. Create a web agent to bind to the realm defined for the asserting-party web server. Assign a unique agent name for the web server.
4. Select Policies, Domain, Domains, Create Domain.
5. Create a policy domain for the authentication URL. Add the user directory that contains the users who get challenged.
6. In the Rules section of the realm dialog, click Create Rule. Complete the fields with the following values:
7. Select the Policies tab and create a policy that includes the following components:
   - The set of users you selected from your user directory.
   - The realm that contains the redirect.jsp application and the associated rule.
A policy now protects the authentication URL. An authentication challenge is triggered when the user is redirected to this URL. Finally, a session is created.
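As an added check that is not part of the product documentation: once the policy is in place, an anonymous request for the Authentication URL should receive an authentication challenge (a redirect to the login form or a 401 with WWW-Authenticate) rather than the redirect.jsp content. The helper below makes that request without following redirects and classifies the first response; the host name and path in the usage call are placeholders, not values from the page.

```python
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlparse
import urllib.error
import urllib.request


@dataclass
class Response:
    status: int
    headers: Dict[str, str]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: the challenge itself is what we want to inspect.
    def redirect_request(self, *args, **kwargs):
        return None


def fetch_no_redirect(url: str) -> Response:
    """GET the URL anonymously and return the first response unchanged."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as r:
            return Response(r.status, dict(r.headers))
    except urllib.error.HTTPError as e:       # 3xx/4xx land here when not followed
        return Response(e.code, dict(e.headers))


def check_auth_url(url: str, fetch: Callable[[str], Response] = fetch_no_redirect) -> str:
    """Return 'challenged', 'unprotected', 'invalid-url' or 'unexpected:<status>'."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.path.endswith("/redirect.jsp"):
        return "invalid-url"                  # must point at the redirect.jsp application
    resp = fetch(url)
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status == 401 and "www-authenticate" in hdrs:
        return "challenged"                   # basic-style challenge from the agent
    if resp.status in (301, 302, 303, 307) and "location" in hdrs:
        return "challenged"                   # redirected to a login form
    if resp.status == 200:
        return "unprotected"                  # served without any challenge: realm/policy gap
    return f"unexpected:{resp.status}"


if __name__ == "__main__":
    # Placeholder URL (assumed, not from the documentation); adjust to your deployment.
    print(check_auth_url("https://webserver1.example.test/path/to/redirect.jsp"))
```

A redirect counts as a challenge here; confirm by eye that the Location header names your login form and not the single sign-on service, which would indicate a session already existed.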
After you configure a policy to protect the Authentication URL, specify this URL in the asserting-to-relying party partnership, such as an IdP->SP partnership.
The Authentication URL is set as part of the single sign-on configurations. In the Authentication section of the dialog, select Local for the Authentication Mode field and enter the complete Authentication URL. Examples:
In these examples, webserver1 is the web server with the Web Agent Option Pack or the Access Gateway installed at the Identity Provider.