Federation Manager supports both types of Sun Java System Policy Agents 2.2: web agents and J2EE agents. They can be deployed to work with Federation Manager in any web container on which the agents are supported although they will only work in SSO only mode. No policy or access control is supported.
With respect to passing attributes to an application using agents, there are some limitations. Agents can not retrieve user attributes stored directly in Federation Manager as the user management functionality is not enabled. Either of the following options will alleviate this issue.
User attributes can be passed from identity providers and delivered to service providers (using Federation Manager) in SAML assertions. Federation Manager can mark the attributes as session attributes that policy agents will consume and pass to the applications.
Implement a post authentication and/or federation adapter SPI for the service provider (using Federation Manager) to read user attributes and set them as session attributes. The policy agent will consume the session attributes and pass them to the applications.
The following steps must be taken in order for Sun Java System Policy Agents 2.2 to work correctly with Federation Manager. On the agent side, you must do the following:
When installing the agent, specify /fm for the following URI: Primary Server Deployment URI [/amserver] = /fm
After installation, modify the following values in the AMAgents.properties file:
com.sun.am.policy.agents.config.do_sso_only = true
Restart the agent.
On the Federation Manager side, you must do the following:
Encrypt the shared secret password using the ampassword utility.
Modify the com.iplanet.am.service.secret property in AMConfig.properties by specifying the encrypted password as the value for the property.
Restart Federation Manager.