Provider Profile
The Provider Profile allows you to modify any of the displayed attributes; however, some attributes are only displayed for specific provider types. The attribute fields are as follows:
- Common Attributes - Common to all providers
- Communication URLs - Common to all providers
- Communication Profiles - Common to all providers
- Authentication Domains - Common to all providers
- Service Provider - Displayed only for service providers, either remote or hosted.
- Access Manager Configuration - Displayed only for hosted identity and service providers.
- SAML Attributes - Displayed only for hosted identity and service providers.
- Proxy Authentication Configuration - Displayed only for identity providers.
- Organization - Common to all providers.
- Provider Contact Persons - Common to all providers.
Common Attributes
Valid Until. This field allows you to enter the expiration date for the metadata pertaining to the provider. Use the following format:
yyyy-mm-dd hh:mm:ss.SZ
For example, 2004-12-31 12:30:00.0-0800
Cache Duration. This field defines the duration period for the metadata to be cached and uses the xs:duration format.
Protocol Support Enumeration. This field defines the protocol release supported by the entity. urn:liberty:iff:2003-08 refers to Identity Federation Framework (ID-FF) 1.2 and urn:liberty:iff:2002-12 refers to Identity Federation Framework (ID-FF) 1.1.
Server Name Identifier Mapping Binding. This field defines the SAML authority binding at the identity provider to which identifier mapping queries are sent.
Additional Meta Locations. This field specifies the location of other relevant metadata about the provider.
Signing Key Alias. This field defines the signing certificate key alias that is used to sign the requests and responses for a hosted (local) provider. For a remote provider, this is a public key that the provider uses to verify the signatures.
Encryption Key Alias. This field defines the Security Certificate alias. The certificates are stored in the JKS keystore against an alias. This alias (the Security Key) is used to fetch the required certificate.
Encryption Key Size. This field constrains the length of keys used by the consumer when interacting with another entity.
Encryption Method. This field defines the encryption preferences URI.
Communication URLs
SOAP Endpoint URL. This field specifies the location for the receiver of SOAP requests. This is used to communicate on the back-channel (non-browser communication) through SOAP.
Single Sign-On Service URL. The Single Sign-On Service URL is used by an identity provider to send and receive single sign-on requests.
Single Logout Service URL. The Single Logout Service URL is used by a service provider or identity provider to send and receive logout requests.
Single Logout Return URL. This specifies the URL to which logout requests are redirected after processing.
Federation Termination Service URL. This field specifies the URL to which federation termination requests are sent.
Federation Termination Return URL. This field specifies the URL to which federation termination requests are redirected after processing.
Name Registration Service URL. This field uses the Name Registration protocol that is used by a service provider to register its own Name Identifier while communicating to an identity provider. Registration occurs only after a federation session is established. This field defines the service URL used by a service provider to register a Name Identifier with an identity provider.
Name Registration Return URL. This field uses the Name Registration protocol that is used by a service provider to register its own Name Identifier while communicating to an identity provider. Registration occurs only after a federation session is established. The Name Registration Return URL is the URL to which the identity provider sends back the status of the registration.
Communication Profiles
Federation Termination Profile. You can choose SOAP or HTTP/Redirect. This field specifies if the SOAP or HTTP/Redirect profile is to be used to notify of federation termination. This can be changed at any time during the life of the provider.
Single Logout Profile. You can choose SOAP or HTTP Redirect. This field specifies if SOAP or HTTP Redirect is to be used to notify a logout event. This can be changed at any time during the life of the provider.
Name Registration Profile. You can choose SOAP or HTTP/Redirect. This field specifies if the SOAP or HTTP/Redirect profile is to be used for name registration. This can be changed at any time during the life of the provider.
Relationship Termination Notification Profile. This field defines a URI describing the profiles that the entity supports for relationship termination.
Single Sign-on/Federation Profile. This field specifies the profile used by the hosted provider for sending authentication requests. Access Manager provides the following protocols:
Authentication Domains
Use the direction arrows to move a selected authentication domain into the Available list, then click Save. This assigns the provider to the authentication domain. A provider can belong to one or more authentication domains; however, a provider without any authentication domains specified cannot participate in Liberty communications.
Service Provider
The following attributes are only displayed for a service provider:
Assertion Consumer URL. This field defines the provider end-point to which a provider will send SAML assertions.
Assertion Consumer Service URL ID. This ID is required if Protocol Support Enum is urn:liberty:iff:2002-12.
Set Assertion Consumer Service URL as Default. This option sets the Assertion Consumer URL as the default.
Sign Authentication Request. This option, if enabled, specifies that the provider sends signed authentication and federation requests. The identity provider will not process unsigned requests originating from the service provider.
Name Registration After Federation. If enabled, this option allows for a service provider to participate in name registration after it has been federated. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider.
Name ID Policy. This attribute value is part of the authentication request. It determines the name identifier format that is being generated by the identity provider. For example, if the Name ID Policy value is federated, the name identifier format is urn:liberty:iff:2003:federated.
Enable Identifier Encryption. This attribute accepts a variable to indicate the encryption of the name identifier during Name ID mapping.
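The Common Attributes (Valid Until, Cache Duration), Authentication Domains and Service Provider sections above each state a rule that a provider profile must satisfy before it can safely take part in Liberty communications. The following Python script is an added example, not Access Manager code, that checks those rules over a profile held as a plain dictionary: it parses the yyyy-mm-dd hh:mm:ss.SZ form of Valid Until and the day/time subset of xs:duration for Cache Duration, then reports expired metadata, a cache duration longer than the remaining validity, a missing authentication domain, a missing Assertion Consumer Service URL ID under urn:liberty:iff:2002-12, and a service provider that does not sign its requests. The dictionary keys, the SAMPLE_SP values and the check messages are assumptions made for this example; year/month components of xs:duration are deliberately not handled.

```python
"""Consistency checks over a Liberty ID-FF provider profile (added example)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Protocol Support Enumeration values named on the page.
IDFF_12 = "urn:liberty:iff:2003-08"
IDFF_11 = "urn:liberty:iff:2002-12"

# Valid Until uses "yyyy-mm-dd hh:mm:ss.SZ", e.g. 2004-12-31 12:30:00.0-0800
_VALID_UNTIL_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})(?:\.(\d+))?([+-]\d{4})$"
)
# Day/time subset of xs:duration: PnDTnHnMnS (years and months not supported here).
_DURATION_RE = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$"
)


def parse_valid_until(text: str) -> datetime:
    """Parse the Valid Until field into a timezone-aware datetime."""
    m = _VALID_UNTIL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad Valid Until value: {text!r}")
    date, clock, frac, tz = m.groups()
    micro = int((frac or "0").ljust(6, "0")[:6])
    sign = 1 if tz[0] == "+" else -1
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])) * sign
    naive = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(microsecond=micro, tzinfo=timezone(offset))


def parse_xs_duration(text: str) -> timedelta:
    """Parse the Cache Duration field (day/time subset of xs:duration)."""
    m = _DURATION_RE.match(text.strip())
    if not m or all(g is None for g in m.groups()):
        raise ValueError(f"bad xs:duration value: {text!r}")
    d, h, mi, s = m.groups()
    return timedelta(days=int(d or 0), hours=int(h or 0),
                     minutes=int(mi or 0), seconds=float(s or 0))


def check_profile(profile: dict, now_text: str) -> list[str]:
    """Return a list of problems; `now_text` uses the same format as Valid Until."""
    now = parse_valid_until(now_text)
    problems: list[str] = []

    valid_until = parse_valid_until(profile["valid_until"])
    if valid_until <= now:
        problems.append("metadata expired: Valid Until is in the past")
    else:
        cache = parse_xs_duration(profile["cache_duration"])
        if cache > valid_until - now:
            problems.append("Cache Duration exceeds the remaining validity of the metadata")

    # A provider with no authentication domain cannot take part in Liberty communications.
    if not profile.get("authentication_domains"):
        problems.append("no authentication domain assigned; provider cannot participate")

    if profile.get("role") == "service_provider":
        # The ACS URL ID is required when Protocol Support Enum is urn:liberty:iff:2002-12.
        if profile.get("protocol_support_enum") == IDFF_11 and not profile.get("assertion_consumer_url_id"):
            problems.append("Assertion Consumer Service URL ID is required for urn:liberty:iff:2002-12")
        # With signing disabled the identity provider will accept unsigned requests from this SP.
        if not profile.get("sign_authn_request", False):
            problems.append("Sign Authentication Request is disabled; requests to the IdP will be unsigned")
    return problems


# Constructed sample values; not taken from any real deployment.
SAMPLE_SP = {
    "role": "service_provider",
    "valid_until": "2004-12-31 12:30:00.0-0800",
    "cache_duration": "PT1H",
    "protocol_support_enum": IDFF_11,
    "authentication_domains": [],
    "assertion_consumer_url": "https://sp.example.com/liberty/acs",
    "assertion_consumer_url_id": "",
    "sign_authn_request": False,
}

# The same profile with the three policy problems corrected.
FIXED_SP = {**SAMPLE_SP,
            "authentication_domains": ["example-domain"],
            "assertion_consumer_url_id": "acs-1",
            "sign_authn_request": True}

if __name__ == "__main__":
    for p in check_profile(SAMPLE_SP, "2004-12-31 11:00:00.0-0800"):
        print("SAMPLE_SP:", p)
    print("FIXED_SP:", check_profile(FIXED_SP, "2004-12-31 11:00:00.0-0800") or "no problems")
```

Run it once with the console value of Valid Until and once with the current time on the right-hand side of the comparison: the cache check only makes sense while the metadata is still valid, so it is skipped once the expiry problem has been reported.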
Access Manager Configuration
The following attributes are only displayed if the provider is a Hosted (local) provider.
Provider URL. This field defines the URL of the local provider.
Alias. This field allows you to enter an alias name for the local provider.
Authentication Type. Remote or Local. This field specifies whether the hosted provider should contact an identity provider for authentication upon receiving an authentication request (Remote), or whether authentication should be done by the hosted provider itself (Local).
Default Authentication Context. This field specifies the authentication context to be used if the identity provider does not receive it as part of a service provider request. It also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The default values are:
- Previous-Session
- Time-Sync-Token
- Smartcard
- MobileUnregistered
- Smartcard-PKI
- MobileContract
- Password
- Password-ProtectedTransport
- MobileDigitalID
- Software-PKI
Force Authentication at Identity Provider. This option indicates if the identity provider must reauthenticate (even during a live session) when an authentication request is received.
Request Identity Provider to be Passive. If selected, this option specifies that the identity provider must not interact with the principal and must interact with the user
Organization DN. This field specifies the storage location of the DN of the organization if each hosted provider chooses to manage users across different organizations leading to a hosted model.
Liberty Version URI. This field specifies the version of the Liberty specification.
Name Identifier Implementation. This field allows the option for a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider.
Provider Home Page URL. This field specifies the home page of the provider.
Single Sign-on Failure Redirect URL. This field specifies the home page of the provider.
SAML Attributes
The following attributes are only displayed if the provider is a Hosted (local) provider.
Assertion Interval. This field specifies the validity interval for the assertion issued by an identity provider. A principal will remain authenticated by the identity provider until the assertion interval expires.
Cleanup Interval. This field specifies the interval of time to clear assertions that are stored in the identity provider.
Artifact Timeout. This field specifies the timeout of an identity provider for assertion artifacts.
Assertion Limit. This field specifies the number of assertions that an identity provider can issue, or the number of assertions that can be stored.
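The four SAML Attributes above together bound how long an identity provider keeps assertions and artifacts alive, how often it purges them, and how many it will hold at once. The following Python class is an added example written for this page, not Access Manager's assertion store, showing how those four settings interact: an assertion stays valid for Assertion Interval seconds, its artifact can be resolved once and only within Artifact Timeout seconds, expired entries are swept every Cleanup Interval seconds, and issuing beyond Assertion Limit outstanding assertions is refused rather than silently overwriting old ones. The class and method names, the injectable clock and the FakeClock helper are assumptions made for this example; a real deployment would pass time.monotonic.

```python
"""In-memory assertion store driven by the four SAML Attributes (added example)."""
from __future__ import annotations

import secrets
import time


class AssertionLimitExceeded(RuntimeError):
    """Raised when the store already holds Assertion Limit live assertions."""


class FakeClock:
    """Deterministic clock for the demonstration below; production code would use time.monotonic."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class AssertionStore:
    def __init__(self, assertion_interval: float, cleanup_interval: float,
                 artifact_timeout: float, assertion_limit: int, clock=time.monotonic) -> None:
        self.assertion_interval = float(assertion_interval)  # validity of an issued assertion
        self.cleanup_interval = float(cleanup_interval)      # how often expired entries are swept
        self.artifact_timeout = float(artifact_timeout)      # how long an artifact may be resolved
        self.assertion_limit = int(assertion_limit)          # maximum outstanding assertions
        self._clock = clock
        self._assertions: dict[str, dict] = {}               # assertion id -> assertion record
        self._artifacts: dict[str, tuple[float, str]] = {}   # artifact -> (issued_at, assertion id)
        self._last_cleanup = clock()

    def issue(self, subject: str) -> tuple[str, str]:
        """Issue an assertion for `subject`; returns (assertion id, artifact)."""
        self._maybe_cleanup()
        if len(self._assertions) >= self.assertion_limit:
            raise AssertionLimitExceeded(f"{self.assertion_limit} assertions already outstanding")
        now = self._clock()
        assertion_id = "assertion-" + secrets.token_hex(8)
        self._assertions[assertion_id] = {
            "id": assertion_id, "subject": subject,
            "issued_at": now, "expires_at": now + self.assertion_interval,
        }
        artifact = secrets.token_urlsafe(20)  # unguessable handle for the back channel
        self._artifacts[artifact] = (now, assertion_id)
        return assertion_id, artifact

    def resolve_artifact(self, artifact: str) -> dict | None:
        """Exchange an artifact for its assertion; one-time use and subject to Artifact Timeout."""
        entry = self._artifacts.pop(artifact, None)
        if entry is None:
            return None
        issued_at, assertion_id = entry
        if self._clock() - issued_at > self.artifact_timeout:
            return None
        return self.get_assertion(assertion_id)

    def get_assertion(self, assertion_id: str) -> dict | None:
        record = self._assertions.get(assertion_id)
        if record is None or self._clock() >= record["expires_at"]:
            return None
        return record

    def is_valid(self, assertion_id: str) -> bool:
        return self.get_assertion(assertion_id) is not None

    def outstanding(self) -> int:
        return len(self._assertions)

    def cleanup(self) -> int:
        """Drop expired assertions and stale artifacts; returns the number of assertions removed."""
        now = self._clock()
        dead = [k for k, a in self._assertions.items() if now >= a["expires_at"]]
        for k in dead:
            del self._assertions[k]
        stale = [k for k, (t, _) in self._artifacts.items() if now - t > self.artifact_timeout]
        for k in stale:
            del self._artifacts[k]
        self._last_cleanup = now
        return len(dead)

    def _maybe_cleanup(self) -> None:
        if self._clock() - self._last_cleanup >= self.cleanup_interval:
            self.cleanup()
```

Because expired assertions only leave the store when a sweep runs, a Cleanup Interval that is long relative to the Assertion Limit lets dead entries count against the limit until the next sweep; the explicit cleanup() call shows how the limit frees up once they are removed.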
Proxy Authentication Configuration
The following attributes are not displayed for Hosted (local) identity providers.
Enable Proxy Authentication. If selected, this attribute enables proxy authentication for a service provider.
Proxy Identity Providers List. This attribute displays the list of identity providers that can be proxied for authentication.
Maximum Number of Proxies. This attribute specifies the maximum number of identity provider proxies.
Use Introduction Cookie for Proxying. If enabled, introductions will be used to find the proxying identity provider.
Organization
Provider Contact Persons
Click the New button to add a contact person and modify the following fields:
First Name. The first name of the contact person.
Last Name. The last name of the contact person.
Type. The contact type. This can be one of the following:
- Technical
- Administrative
- Billing
- Other
Company. The contact person’s company name.
Liberty Principal Identifier. The name identifier that points to an online instance of the contact person’s personal information profile (PIP).
Email. The email address of the contact person.
Telephone. The telephone number of the contact person.