Separating Affwebservices with only the Application Server and Agent option pack

Document ID : KB000024362
Last Modified Date : 14/02/2018


Does the application server which serves affwebservices for Federation need to be proxied by the Web Server?
We would like to use affwebservices with only the Application Server and Agent option pack without having the application server plugin on the web server.

Agent Guide -
Remember, ServletExec and the Web Agent Option Pack must be installed on
the same web server where you installed the Web Agent.
Important! Be sure to apply the most current hot fixes for ServletExec.
Without the hot fixes, Federation Web Services will not work with
To obtain the hot fixes, go to the New Atlanta Communication web site.


The Web Agent Option Pack only handles Federation. It does not protect anything. The Web Agent is needed to protect affwebservices as well as the rest of Federation Web Services.

You need to be authenticated to generate an assertion; otherwise Federation does not work, because an assertion cannot be generated without authorization. Hitting /affwebservices/assertionretriever without an established session does not generate an assertion, even though its page comes up.

For example, protection of the authentication URL, redirect.jsp, is handled by the Web Agent.
Protection of the Artifact Resolution services, including saml2artifactresolution, assertionretriever, etc., is also done by the Web Agent.

The application server can be installed on a separate machine. With this type of installation, a proxy plugin for the application server is installed on the web server on the agent box. The Agent option pack needs to be installed on the application server box. The WebAgent.conf and smhost.conf files also need to be copied from the agent box to the application server box in order for /affwebservices to be able to connect to the Policy Server. The affwebservices properties files need to be configured to use the WebAgent.conf and to set up logging (see the SiteMinder docs for details).
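
A preflight check for the application server box, covering the copy-and-configure steps above (an added example, not part of the original document or the product). It assumes the properties file is named AffWebServices.properties and uses a constructed key name; it also flags an smhost.conf that other local users can access, since that file holds the trusted-host shared secret.

```python
import os
import stat
import tempfile
from pathlib import Path

REQUIRED = ("WebAgent.conf", "SmHost.conf")  # files the page says to copy over


def preflight(conf_dir, properties_path):
    """Return a list of problems (empty = pass). File names match case-insensitively."""
    problems = []
    present = {p.name.lower(): p for p in Path(conf_dir).iterdir()}
    for name in REQUIRED:
        path = present.get(name.lower())
        if path is None:
            problems.append(f"{name} missing from {conf_dir}")
        elif name == "SmHost.conf" and os.name == "posix":
            # SmHost.conf holds the trusted-host shared secret: no access for "other".
            if stat.S_IMODE(path.stat().st_mode) & 0o007:
                problems.append(f"{path} is accessible to other users")
    refs = []
    for line in Path(properties_path).read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        value = line.split("=", 1)[1].strip()
        if value.lower().endswith("webagent.conf"):
            refs.append(value)
    if not refs:
        problems.append("properties file does not reference WebAgent.conf")
    problems += [f"referenced file not found: {r}" for r in refs if not Path(r).is_file()]
    return problems


def build_sample(root):
    """Constructed layout for the demo: copied conf files plus a properties file."""
    for name in REQUIRED:
        path = Path(root, name)
        path.write_text("# constructed placeholder\n", encoding="utf-8")
        path.chmod(0o600)
    props = Path(root, "AffWebServices.properties")
    # The key name is an assumption; preflight() only inspects the value.
    props.write_text(f"AgentConfigLocation={Path(root, 'WebAgent.conf')}\n", encoding="utf-8")
    return props


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(preflight(root, build_sample(root)) or "all checks passed")
```

Run it on the application server box with the directory holding the copied files and the path to the properties file; any returned line is a step from the procedure that is not yet in place.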