
To Create and Manage a Provider

Please see Federation Management Concepts for definitions of the topics covered in this section.

  1. Select the entity in which you want to create the provider.
  2. In the Data pane, choose either Identity Provider or Service Provider.
  3. Click New Provider.
  4. Enter information into the common provider attribute fields. The fields are as follows:

    Provider ID. The Provider ID is the URL identifier of the provider. It must be unique across all remote and hosted providers.

    Description. Enter a description of the provider.

    Provider is Hosted or Remote. Select whether the provider is a hosted (local) provider or a remote provider.

    Valid Until. This field allows you to enter the expiration date of the metadata pertaining to the provider. Use the following format:

    yyyy-mm-ddThh:mm:ss.SZ

    For example, 2004-12-31T12:30:00.0-0800

    Cache Duration. This field defines how long the metadata may be cached and uses the xs:duration format (for example, PT1H for one hour).

    Protocol Support Enumeration. This field defines the protocol release supported by the entity. urn:liberty:iff:2003-08 refers to Identity Federation Framework (ID-FF) 1.2 and urn:liberty:iff:2002-12 refers to Identity Federation Framework (ID-FF) 1.1.

    Server Name Identifier Mapping Binding. This field defines the SAML authority binding at the identity provider to which name identifier mapping queries are sent.

    Additional Meta Locations. This field specifies the location of other relevant metadata about the provider.

    Signing Key Alias. This field defines the alias of the signing certificate key. For a hosted (local) provider, the corresponding private key is used to sign the requests and responses the provider issues. For a remote provider, the alias identifies the public key (certificate) used to verify that provider's signatures.

    Encryption Key Alias. This field defines the alias of the encryption certificate. Certificates are stored in the JKS keystore under an alias, and this alias is used to fetch the required certificate.

    Encryption Key Size. This field constrains the length of the keys used by the consumer when interacting with another entity.

    Encryption Method. This field defines the encryption preferences URI.

  5. Click Next.
  6. Enter the information for the Communication URLs, Communication Profiles, Service Provider (not displayed if the provider is an identity provider), Access Manager Configuration and SAML Attributes (displayed only for hosted providers), and Proxy Authentication Configuration attributes. The fields are as follows:

    Communication URLs

    SOAP Endpoint URL. This field specifies the endpoint that receives SOAP requests. It is used for back-channel (non-browser) communication over SOAP.

    Single Sign-On Service URL. The Single Sign-On Service URL is used by an identity provider to send and receive single sign-on requests.

    Single Logout Service URL. The Single Logout Service URL is used by a service provider or identity provider to send and receive logout requests.

    Single Logout Return URL. This field specifies the URL to which logout requests are redirected after processing.

    Federation Termination Service URL. This field specifies the URL to which federation termination requests are sent.

    Federation Termination Return URL. This field specifies the URL to which federation termination requests are redirected after processing.

    Name Registration Service URL. The Name Registration protocol is used by a service provider to register its own Name Identifier with an identity provider; registration occurs only after a federation session is established. This field defines the service URL to which the service provider sends its registration requests.

    Name Registration Return URL. This field specifies the URL to which the identity provider sends back the status of a name registration.

    Communication Profiles

    Federation Termination Profile. You can choose SOAP or HTTP/Redirect. This field specifies whether the SOAP or the HTTP/Redirect profile is used to notify of federation termination. This can be changed at any time during the life of the provider.

    Single Logout Profile. You can choose SOAP or HTTP/Redirect. This field specifies whether the SOAP or the HTTP/Redirect profile is used to notify of a logout event. This can be changed at any time during the life of the provider.

    Name Registration Profile. You can choose SOAP or HTTP/Redirect. This field specifies whether the SOAP or the HTTP/Redirect profile is used for name registration. This can be changed at any time during the life of the provider.

    Relationship Termination Notification Profile. This field defines a URI describing the profiles that the entity supports for relationship termination.

    Single Sign-on/Federation Profile. This field specifies the profile used by the hosted provider for sending authentication requests. Access Manager provides the following profiles:

    • Browser Post - a front-channel (HTTP POST-based) profile.
    • Browser Artifact - a back-channel (non-browser) SOAP-based profile.
    • LECP - Liberty Enabled Client Proxy.

    Service Provider

    The following attributes are only displayed for a service provider:

    Assertion Consumer URL. This field defines the service provider endpoint to which an identity provider sends SAML assertions.

    Assertion Consumer Service URL ID. This ID is required if the Protocol Support Enumeration is urn:liberty:iff:2002-12.

    Set Assertion Consumer Service URL as Default. This option sets the Assertion Consumer URL as the default.

    Sign Authentication Request. If enabled, this option specifies that the provider sends signed authentication and federation requests, and the identity provider will not process unsigned requests originating from the service provider. Leave it enabled unless the peer identity provider cannot verify signatures, since unsigned requests cannot be tied to the service provider that claims to send them.

    Name Registration After Federation. If enabled, this option allows a service provider to participate in name registration after it has been federated. Name registration is a profile by which a service provider specifies the principal's name identifier that an identity provider will use when communicating with the service provider.

    Name ID Policy. This attribute value is part of the authentication request. It determines the name identifier format generated by the identity provider. For example, if the Name ID Policy value is federated, the name identifier format is urn:liberty:iff:2003:federated.

    Enable Affiliation Federation. If enabled, this attribute allows federations to be created based on affiliation IDs.

    Access Manager Configuration

    The following attributes are only displayed if the provider is a Hosted (local) provider.

    Provider URL. This field defines the URL of the local provider.

    Alias. This field allows you to enter an alias name for the local provider.

    Authentication Type. Remote/Local. This field specifies whether the hosted provider should contact an identity provider for authentication upon receiving an authentication request (Remote), or whether authentication should be performed by the hosted provider itself (Local).

    Default Authentication Context. This field specifies the authentication context to be used if the identity provider does not receive one as part of a service provider request. It also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The available values are:

    • Previous-Session
    • Time-Sync-Token
    • Smartcard
    • MobileUnregistered
    • Smartcard-PKI
    • MobileContract
    • Password
    • Password-ProtectedTransport
    • MobileDigitalID
    • Software-PKI

    Force Authentication at Identity Provider. This option indicates whether the identity provider must reauthenticate the principal (even during a live session) when an authentication request is received.

    Request Identity Provider to be Passive. If selected, this option specifies that the identity provider must not interact with the principal (for example, by presenting a login page) while processing the authentication request.

    Organization DN. This field specifies the DN of the organization in which the hosted provider's users are stored, for deployments in which each hosted provider manages users in a different organization.

    Liberty Version URI. This field specifies the version of the Liberty specification.

    Name Identifier Implementation. This field specifies the implementation used by the provider to generate name identifiers.

    Provider Home Page URL. This field specifies the home page of the provider.

    Single Sign-on Failure Redirect URL. This field specifies the URL to which the user is redirected when single sign-on fails.

    Enable Identifier Encryption. If enabled, the name identifier is encrypted during Name ID mapping.

    Generate Discovery Bootstrapping Resource Offering. When this option is enabled, bootstrapping discovery service resource offering data is generated during the ID-FF 1.2 single sign-on process for hosted (local) identity providers. This data is not always required (for example, in a deployment that does not use the Liberty web services framework). Disabling the option stops the data from being generated and improves Access Manager performance. This option is enabled by default.

    SAML Attributes

    The following attributes are only displayed if the provider is a Hosted (local) provider.

    Assertion Interval. This field specifies the validity interval of the assertions issued by an identity provider. A principal remains authenticated by the identity provider until the assertion interval expires.

    Cleanup Interval. This field specifies the interval at which assertions stored in the identity provider are cleared.

    Artifact Timeout. This field specifies the timeout an identity provider applies to assertion artifacts.

    Assertion Limit. This field specifies the number of assertions that an identity provider can issue, or the number of assertions that can be stored.

    Proxy Authentication Configuration

    The following attributes are not displayed for Hosted (local) identity providers.

    Enable Proxy Authentication. If selected, this attribute enables proxy authentication for a service provider.

    Proxy Identity Providers List. This attribute displays the list of identity providers that can be proxied for authentication.

    Maximum Number of Proxies. This attribute specifies the maximum number of identity provider proxies.

    Use Introduction Cookie for Proxying. If enabled, introductions are used to find the proxying identity provider.

  7. Click Next.
  8. Enter the values for the organization and contact person. For more information, see To Add a Contact Person and Organization.
  9. Click Next.
  10. Select the authentication domains to which the provider will belong.
  11. Use the direction arrows to move the authentication domains you selected out of the Available list, then click Save. This assigns the provider to those authentication domains. A provider can belong to one or more authentication domains; a provider without any authentication domain cannot participate in Liberty communications.
  12. Click Finish.
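The console does not cross-check the values entered in the steps above, so an operator typically verifies them by eye: that the Provider ID is unique across hosted and remote providers, that Valid Until is in the documented yyyy-mm-ddThh:mm:ss.SZ form and not already past, that Cache Duration is a well-formed xs:duration, that the Protocol Support Enumeration is one of the two ID-FF URIs, that an Assertion Consumer Service URL ID is present when the protocol is urn:liberty:iff:2002-12, and that the provider has at least one authentication domain. The following script automates those checks over a set of provider entries. It is an added example written for this page, not code from Access Manager or its documentation; the dictionary field names, the finding codes, the example.com/example.org URLs, the fixed clock and the PROVIDERS list are all constructed for the example.

```python
"""Pre-save sanity checks for Liberty ID-FF provider entries.

Added example, not code from Access Manager or its documentation: it models the
console fields described above as plain dictionaries and automates the checks an
operator would otherwise do by eye. Field names, finding codes, sample URLs and
the PROVIDERS list are constructed for this example.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

IDFF_12 = "urn:liberty:iff:2003-08"  # ID-FF 1.2, per the Protocol Support Enumeration field
IDFF_11 = "urn:liberty:iff:2002-12"  # ID-FF 1.1
SSO_PROFILES = {"Browser Post", "Browser Artifact", "LECP"}

# xs:duration: optional sign, P, date part (Y/M/D), optional T plus time part (H/M/S)
_DURATION_RE = re.compile(
    r"^(-?)P(?!$)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?=\d)(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$"
)


def parse_valid_until(text):
    """Parse the console's Valid Until format yyyy-mm-ddThh:mm:ss.SZ
    (e.g. 2004-12-31T12:30:00.0-0800) into a timezone-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_xs_duration(text):
    """Parse an xs:duration such as PT1H or P1DT12H into a timedelta.
    Years and months have no fixed length; 365 and 30 days are assumed here,
    which is adequate for a cache-duration sanity check."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"not an xs:duration: {text!r}")
    sign = -1 if m.group(1) else 1
    y, mo, d, h, mi, s = (float(g) if g else 0.0 for g in m.groups()[1:])
    return sign * timedelta(days=y * 365 + mo * 30 + d, hours=h, minutes=mi, seconds=s)


def check_provider(p, all_ids, now):
    """Return sorted finding codes for one provider entry (empty list = clean)."""
    f = set()
    if all_ids.count(p["provider_id"]) > 1:
        f.add("DUPLICATE_PROVIDER_ID")      # must be unique across hosted and remote providers
    try:
        if parse_valid_until(p["valid_until"]) <= now:
            f.add("METADATA_EXPIRED")
    except ValueError:
        f.add("BAD_VALID_UNTIL_FORMAT")
    try:
        if parse_xs_duration(p["cache_duration"]) <= timedelta(0):
            f.add("NONPOSITIVE_CACHE_DURATION")
    except ValueError:
        f.add("BAD_CACHE_DURATION")
    if p["protocol"] not in (IDFF_12, IDFF_11):
        f.add("UNKNOWN_PROTOCOL_ENUM")
    if p["sso_profile"] not in SSO_PROFILES:
        f.add("UNKNOWN_SSO_PROFILE")
    for key in ("soap_endpoint", "sso_service_url", "slo_service_url"):
        if p.get(key) and urlparse(p[key]).scheme != "https":
            f.add("CLEARTEXT_ENDPOINT")     # back- and front-channel URLs should be TLS
    if p["hosted"] and not p.get("signing_key_alias"):
        f.add("MISSING_SIGNING_KEY_ALIAS")  # a hosted provider signs its requests and responses
    if p["role"] == "SP":
        if p["protocol"] == IDFF_11 and not p.get("acs_url_id"):
            f.add("ACS_URL_ID_REQUIRED")    # required when the protocol is urn:liberty:iff:2002-12
        if not p.get("sign_authn_request"):
            f.add("UNSIGNED_AUTHN_REQUESTS")
    if not p["auth_domains"]:
        f.add("NO_AUTHENTICATION_DOMAIN")   # such a provider cannot take part in Liberty communications
    return sorted(f)


def check_all(providers, now):
    """Check every entry; returns [(provider_id, findings), ...] in input order."""
    ids = [p["provider_id"] for p in providers]
    return [(p["provider_id"], check_provider(p, ids, now)) for p in providers]


# Fixed clock and constructed entries so the run is reproducible.
NOW = datetime(2005, 1, 15, tzinfo=timezone.utc)
PROVIDERS = [
    {"provider_id": "https://idp.example.com", "role": "IDP", "hosted": True,
     "valid_until": "2005-12-31T12:30:00.0-0800", "cache_duration": "PT1H",
     "protocol": IDFF_12, "sso_profile": "Browser Artifact",
     "signing_key_alias": "idp-signing",
     "soap_endpoint": "https://idp.example.com/soap",
     "sso_service_url": "https://idp.example.com/sso",
     "auth_domains": ["example-domain"]},
    {"provider_id": "https://sp.example.org", "role": "SP", "hosted": False,
     "valid_until": "2004-12-31T12:30:00.0-0800", "cache_duration": "P1D",
     "protocol": IDFF_11, "sso_profile": "Browser Post",
     "soap_endpoint": "http://sp.example.org/soap",
     "acs_url_id": "", "sign_authn_request": False,
     "auth_domains": []},
]

if __name__ == "__main__":
    for pid, findings in check_all(PROVIDERS, NOW):
        print(pid, "OK" if not findings else ", ".join(findings))
```

Run as a script it reports the hosted identity provider as clean and lists five findings for the remote service provider: expired metadata, a cleartext SOAP endpoint, a missing Assertion Consumer Service URL ID for ID-FF 1.1, unsigned authentication requests, and no authentication domain. The clock is passed in rather than read from the system so the expiry check is deterministic; in practice call check_all with datetime.now(timezone.utc).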
