To Create and Manage a Provider

Please see Federation Management Concepts for definitions of the topics covered in this section.

  1. Select Provider from the View menu in the Navigation pane.
  2. Click the New Provider button to display the first page of the New Provider Wizard.
  3. Select the provider type and enter information into the common provider attribute fields. The fields are as follows:

    Provider ID. The Provider ID should specify the URL identifier of the provider. It must be unique across all remote and hosted providers.

    Description. Enter a description of the provider.

    Provider is of Type Identity. Decide if the provider is to be defined as an identity provider. By default, all providers are service providers. If selected, the Identity Provider option will additionally define the provider as an identity provider.

    Provider is Hosted (Local). If selected, the provider is a hosted provider. By default (not selected), the provider is a remote provider.

    Valid Until. This field allows you to enter the expiration date for the metadata pertaining to the provider. Use the following format:

    yyyy-mm-dd hh:mm:ss.SZ

    For example, 2004-12-31 12:30:00.0-0800

    Cache Duration. This field defines the period for which the metadata is cached and uses the xs:duration format.

    Protocol Support Enum. This field defines the protocol release supported by the entity. urn:liberty:iff:2003-08 refers to Identity Federation Framework (ID-FF) 1.2 and urn:liberty:iff:2002-12 refers to Identity Federation Framework (ID-FF) 1.1.

    Security Key. The Security Key is the alias of the security certificate. Certificates are stored in the JKS keystore under an alias, and this alias (the Security Key) is used to fetch the required certificate.

    Key Use. This field defines the allowed key usage. You can choose encryption or signing.

    Key Size. This field constrains the length of keys used by the consumer when interacting with another entity.

    Encryption Method. This field defines the encryption preferences URI.

    Server Name Identifier Mapping Binding. This field defines the SAML authority binding at the identity provider to which identifier mapping queries are sent.

    Additional Meta Locations. This field specifies the location of other relevant metadata about the provider.

  4. Click Next.
  5. Enter the information for the communications and service provider attributes. The fields are as follows:

    Communication URLs

    SOAP Endpoint URL. This field specifies the location of the receiver of SOAP requests. It is used for back-channel (non-browser) communication through SOAP.

    Single Logout Service URL. The Single Logout Service URL is used by a service provider or identity provider to send and receive logout requests.

    Single Logout Return URL. This field specifies the URL to which logout requests are redirected after processing.

    Federation Termination Service URL. This field specifies the URL to which federation termination requests are sent.

    Federation Termination Return URL. This field specifies the URL to which federation termination requests are redirected after processing.

    Name Registration Service URL. The Name Registration protocol is used by a service provider to register its own Name Identifier with an identity provider; registration occurs only after a federation session is established. This field defines the service URL to which the service provider sends its Name Identifier registration requests.

    Name Registration Return URL. This field defines the URL to which the identity provider sends back the status of a Name Registration request.

    Communication Profiles

    Federation Termination Profile. You can choose SOAP or HTTP/Redirect. This field specifies whether the SOAP or the HTTP/Redirect profile is used to notify of federation termination. It can be changed at any time during the life of the provider.

    Single Logout Profile. You can choose SOAP or HTTP/Redirect. This field specifies whether the SOAP or the HTTP/Redirect profile is used to notify of a logout event. It can be changed at any time during the life of the provider.

    Name Registration Profile. You can choose SOAP or HTTP/Redirect. This field specifies whether the SOAP or the HTTP/Redirect profile is used for name registration. It can be changed at any time during the life of the provider.

    Server Relationship Term Notification URL. This field defines a URI describing the profiles that the entity supports for relationship termination.

    Single Sign-on/Federation Profile. This field specifies the profile used by the hosted provider for sending authentication requests. Identity Server provides the following protocols:

    • Browser Post - a front-channel (HTTP POST-based) protocol.
    • Browser Artifact - a back-channel (non-browser) SOAP-based protocol.
    • LECP - Liberty Enabled Client Proxy.

    Assertion Consumer URL. This field defines the provider endpoint to which a provider will send SAML assertions.

    Assertion Consumer URL ID. This ID is required if Protocol Support Enum is urn:liberty:iff:2002-12.

    Set Assertion Consumer Service URL as Default. This option sets the Assertion Consumer URL as the default.

    Sign Authentication Request. If enabled, this option specifies that the provider sends signed authentication and federation requests. The identity provider will not process unsigned requests originating from the service provider.

    Name Registration After Federation. If enabled, this option allows a service provider to participate in name registration after it has been federated. Name registration is a profile by which a service provider specifies the principal's name identifier that an identity provider will use when communicating with the service provider.

  6. If the provider you are creating is a local provider, enter data for the Identity Server Configuration. If the provider is not local, skip this step. The fields are:

    Provider URL. This field defines the URL of the local provider.

    Alias. This field allows you to enter an alias name for the local provider.

    Authentication Type. Remote/Local. This field specifies whether the hosted provider should contact an identity provider for authentication upon receiving an authentication request (Remote), or whether authentication should be done by the hosted provider itself (Local).

    Default Authentication Context. This field specifies the authentication context to be used if the identity provider does not receive one as part of a service provider request. It also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The default values are:

    • Previous-Session
    • Time-Sync-Token
    • Smartcard
    • MobileUnregistered
    • Smartcard-PKI
    • MobileContract
    • Password
    • Password-ProtectedTransport
    • MobileDigitalID
    • Software-PKI

    Force Authentication at Identity Provider. This option indicates whether the identity provider must reauthenticate the principal (even during a live session) when an authentication request is received.

    Request Identity Provider to be Passive. If selected, this option specifies that the identity provider must not interact with the principal and must interact with the user

    Organization DN. This field specifies the DN of the organization in which users are stored, for the case where each hosted provider manages users in a different organization (a hosted model).

    Liberty Version URI. This field specifies the version of the Liberty specification.

    Name Identifier Implementation. This field allows the option for a service provider to participate in name registration. Name registration is a profile by which a service provider specifies the principal's name identifier that an identity provider will use when communicating with the service provider.

    Provider Home Page URL. This field specifies the home page of the provider.

    Single Sign-on Failure Redirect URL. This field specifies the home page of the provider.

    Assertion Interval. This field specifies the validity interval of the assertions issued by an identity provider. A principal remains authenticated by the identity provider until the assertion interval expires.

    Cleanup Interval. This field specifies the interval of time after which assertions stored in the identity provider are cleared.

    Artifact Timeout. This field specifies the timeout of an identity provider for assertion artifacts.

    Assertion Limit. This field specifies the number of assertions that an identity provider can issue, or the number of assertions that can be stored.

  7. Click Next.
  8. Enter the values for the organization and contact person. For more information, see To Add a Contact Person and Organization.
  9. Click Next.
  10. Select the authentication domains to which the provider will belong.
  11. Use the direction arrows to move a selected authentication domain into the Available list, then click Save to assign the provider to the authentication domain. A provider can belong to one or more authentication domains; however, a provider with no authentication domain specified cannot participate in Liberty communications.
  12. Click Finish.
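The Valid Until format (yyyy-mm-dd hh:mm:ss.SZ) and the xs:duration Cache Duration entered in the common provider attributes decide how long a partner's metadata, including the certificate alias it names, may be relied upon. The following Python is an added illustration and not Identity Server code: it parses both fields and classifies a cached copy of the metadata as valid, due for refresh, or expired. The function names, the restriction to day-and-smaller xs:duration components, the rule that a copy older than its Cache Duration must be refetched before use, and the use of ISO 8601 strings for the clock inputs are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Valid Until uses the wizard's own format, yyyy-mm-dd hh:mm:ss.SZ, where S is the
# fractional second and Z is a numeric UTC offset such as -0800 (a literal Z is also
# accepted here as an assumption of this example).
_VALID_UNTIL_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+)"
    r"(?P<tz>Z|[+-]\d{4})$"
)

# Cache Duration is an xs:duration. Only the day-and-smaller components are accepted
# (assumption of this example): years and months have no fixed length, so they make a
# poor bound on how long a cached copy of a partner's metadata may be trusted.
_DURATION_RE = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+(?:\.\d+)?)S)?)?$"
)


def parse_valid_until(text):
    """Parse a Valid Until value into a timezone-aware datetime."""
    m = _VALID_UNTIL_RE.match(text.strip())
    if not m:
        raise ValueError("Valid Until is not in yyyy-mm-dd hh:mm:ss.SZ form: %r" % text)
    tz = m.group("tz")
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    base = datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M:%S")
    micro = int((m.group("frac") + "000000")[:6])  # pad or truncate the fraction to microseconds
    return base.replace(microsecond=micro, tzinfo=tzinfo)


def parse_cache_duration(text):
    """Parse the supported xs:duration subset (PnDTnHnMnS) into a timedelta."""
    m = _DURATION_RE.match(text.strip())
    if not m or not any(m.groupdict().values()):
        raise ValueError("Cache Duration is not a supported xs:duration: %r" % text)
    parts = {name: float(value) for name, value in m.groupdict().items() if value is not None}
    return timedelta(days=parts.get("days", 0), hours=parts.get("hours", 0),
                     minutes=parts.get("minutes", 0), seconds=parts.get("seconds", 0))


def metadata_status(valid_until, cache_duration, fetched_at_iso, now_iso):
    """Classify a cached copy of a provider's metadata.

    'expired' : Valid Until has passed; the metadata, and the certificate it names, must not be used.
    'refresh' : Cache Duration has elapsed since the copy was fetched; fetch a fresh copy before use.
    'valid'   : both bounds hold.
    The clock inputs are ISO 8601 strings with an offset, e.g. '2004-12-31T10:00:00+00:00'.
    """
    fetched_at = datetime.fromisoformat(fetched_at_iso)
    now = datetime.fromisoformat(now_iso)
    if now >= parse_valid_until(valid_until):
        return "expired"
    if now >= fetched_at + parse_cache_duration(cache_duration):
        return "refresh"
    return "valid"


if __name__ == "__main__":
    # Constructed sample values, following the wizard's documented example date.
    print(parse_valid_until("2004-12-31 12:30:00.0-0800").isoformat())
    print(metadata_status("2004-12-31 12:30:00.0-0800", "PT1H",
                          "2004-12-31T10:00:00+00:00", "2004-12-31T11:30:00+00:00"))
```

The check is deliberately strict: a copy past its Valid Until is rejected outright rather than used "until something better arrives", because the certificate alias in that metadata is what signatures from the partner are verified against.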

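The Assertion Interval, Artifact Timeout, Cleanup Interval and Assertion Limit fields of the Identity Server Configuration only make sense together. The following Python is an added model and not Identity Server code: an identity-provider assertion store that enforces all four settings, with the class, its method names and a seconds-based clock argument being assumptions of this example. It shows why an artifact is single-use and short-lived, and how a long Cleanup Interval combined with a low Assertion Limit can refuse new logins even though the assertions still counted against the limit have already expired.

```python
import secrets


class Assertion:
    """One issued assertion: who it is about and when the identity provider stops honouring it."""

    def __init__(self, subject, issued_at, expires_at):
        self.subject = subject
        self.issued_at = issued_at
        self.expires_at = expires_at


class AssertionStore:
    """Identity-provider side store driven by the four wizard settings (all times in seconds).

    assertion_interval : Assertion Interval, how long an issued assertion stays valid.
    artifact_timeout   : Artifact Timeout, how long a Browser Artifact reference may be resolved.
    cleanup_interval   : Cleanup Interval, how often expired entries are swept out of the store.
    assertion_limit    : Assertion Limit, the maximum number of assertions held at once.
    """

    def __init__(self, assertion_interval, artifact_timeout, cleanup_interval, assertion_limit):
        self.assertion_interval = assertion_interval
        self.artifact_timeout = artifact_timeout
        self.cleanup_interval = cleanup_interval
        self.assertion_limit = assertion_limit
        self._assertions = {}   # assertion id -> Assertion
        self._artifacts = {}    # artifact -> (assertion id, artifact expiry)
        self._last_cleanup = None

    def issue(self, subject, now):
        """Issue an assertion plus a one-time artifact that references it.

        Returns (assertion_id, artifact), or None when the Assertion Limit is reached:
        the store is bounded so a flood of authentication requests cannot grow it without end.
        """
        self._maybe_cleanup(now)
        if len(self._assertions) >= self.assertion_limit:
            return None
        assertion_id = "assertion-" + secrets.token_hex(8)
        self._assertions[assertion_id] = Assertion(subject, now, now + self.assertion_interval)
        artifact = secrets.token_urlsafe(20)   # unguessable reference handed to the browser
        self._artifacts[artifact] = (assertion_id, now + self.artifact_timeout)
        return assertion_id, artifact

    def resolve_artifact(self, artifact, now):
        """Back-channel (SOAP) artifact resolution, as used by the Browser Artifact profile.

        The artifact is removed on first presentation whether or not it turns out to be valid,
        so it can never be replayed; it must also be presented within Artifact Timeout, and the
        assertion it points at must still be inside its Assertion Interval. Returns the
        Assertion or None.
        """
        entry = self._artifacts.pop(artifact, None)
        if entry is None:
            return None
        assertion_id, artifact_expiry = entry
        if now > artifact_expiry:
            return None
        assertion = self._assertions.get(assertion_id)
        if assertion is None or now > assertion.expires_at:
            return None
        return assertion

    def stored_count(self):
        """Number of assertions currently counted against the Assertion Limit."""
        return len(self._assertions)

    def _maybe_cleanup(self, now):
        """Sweep expired assertions and artifacts, but only once per Cleanup Interval.
        Between sweeps, already-expired assertions still count against the Assertion Limit."""
        if self._last_cleanup is not None and now - self._last_cleanup < self.cleanup_interval:
            return
        self._last_cleanup = now
        self._assertions = {k: a for k, a in self._assertions.items() if a.expires_at > now}
        self._artifacts = {k: v for k, v in self._artifacts.items() if v[1] > now}


if __name__ == "__main__":
    # Constructed walk-through: 10-minute assertions, 2-minute artifacts, 5-minute sweeps, limit 2.
    store = AssertionStore(600, 120, 300, 2)
    _, artifact = store.issue("alice", now=0)
    print(store.resolve_artifact(artifact, now=60).subject)   # alice
    print(store.resolve_artifact(artifact, now=61))           # None: artifacts are single-use
```

Two things to take from the model when choosing values in the wizard: the Artifact Timeout should be just long enough for the browser round trip, since that is the only window in which a stolen artifact is worth anything; and the Assertion Limit is enforced against what is stored, so a Cleanup Interval that is long relative to the Assertion Interval lets expired entries occupy the limit and turn a burst of logins into a denial of service for legitimate users.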