Sun Java System Identity Server 2004Q2 Federation Management Guide |
Chapter 4
Service Configuration Attributes
This chapter provides summaries of the service configuration attributes that come with Identity Server. The chapter contains the following topics:
Discovery Service Attributes
Liberty Personal Profile Service Attributes
SOAP Binding Service Attributes
Discovery Service Attributes
The Discovery Service attributes are global attributes. The values applied to them are applied across the Identity Server configuration and are inherited by every configured organization. (They cannot be applied directly to roles or organizations, because the goal of global attributes is to customize the Identity Server application.) The Discovery Service attributes are:
Provider ID
This attribute defines the unique identifier used for this Discovery Service. For example:
http://example.com:58080/amserver/Liberty/disco
Supported Authentication Mechanisms
This attribute specifies the authentication mechanisms supported by the Discovery Service. By default, all of the mechanisms are selected. If an authentication mechanism is not selected, and a WSC sends a request using that authentication mechanism, the request will be rejected without passing it to the corresponding WSP.
Supported Directives
This attribute allows you to select the directives that are supported by the Discovery Service. If a service provider wants to insert an entry with an unsupported directive, the request will fail.
Do Policy Evaluation for DiscoveryLookup
If selected, the service will perform a policy evaluation for the DiscoveryLookup operation. By default, the option is not selected.
Do Policy Evaluation for DiscoveryUpdate
If selected, the service will perform a policy evaluation for the DiscoveryUpdate operation. By default, this option is not selected.
Class for Authorizer Plugin
This attribute defines the classname and classpath used for policy evaluation.
Class for Discovery Service Entry Handler Plugin
This attribute defines the classname and classpath used to set or retrieve DiscoEntries.
Classes For Resource ID Mapper Plugin
This attribute contains a list of entries that are used to generate the Resource ID for a resource offering configured for an organization or role. The entries contain a key/value pair (separated by “|”) in the following format:
providerID=providerID|classname_classpath
To add a new entry, click the Add button. Both the key and the value are required.
Generate Session Context Statement for Bootstrapping
This option specifies whether to generate a SessionContextStatement for bootstrapping. The SessionContext carried in the SessionContextStatement is needed by the Discovery Service to support the AuthenticateSessionContext directive. By default, this option is not selected.
Resource Offerings for Bootstrapping
This attribute defines the service’s resource offering for bootstrapping. After Single Sign-on (SSO), this resource offering and its associated credentials will be sent to the client in the SSO assertion. Only one resource offering is allowed for bootstrapping. If you have not defined a resource offering, click New. If you wish to edit an existing resource offering, click the Edit link. For more information defining a resource offering, see Managing Resource Offerings.
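The directive check and the two policy-evaluation switches above decide what a DiscoveryUpdate or DiscoveryLookup request can do before any entry is stored or returned. The following Python is an added example written for this page, not Identity Server code: it models those checks with an in-memory entry store, a callable standing in for the Authorizer plugin, and a constructed set of supported directives and provider IDs (all of which are assumptions, not values from the product).

```python
from dataclasses import dataclass, field


# Constructed configuration: the directives this deployment ticks under
# "Supported Directives" (names follow Liberty ID-WSF usage; assumption).
SUPPORTED_DIRECTIVES = {
    "AuthenticateRequester",
    "AuthorizeRequester",
    "AuthenticateSessionContext",
    "EncryptResourceID",
}


@dataclass
class DiscoConfig:
    supported_directives: set = field(
        default_factory=lambda: set(SUPPORTED_DIRECTIVES))
    policy_eval_lookup: bool = False   # "Do Policy Evaluation for DiscoveryLookup" default
    policy_eval_update: bool = False   # "Do Policy Evaluation for DiscoveryUpdate" default


@dataclass(frozen=True)
class ResourceOffering:
    service_type: str
    provider_id: str
    directives: tuple = ()


class Rejected(Exception):
    """Raised where the real service would return a SOAP fault."""


class DiscoveryService:
    def __init__(self, cfg, authorizer):
        self.cfg = cfg
        # Stand-in for the "Class for Authorizer Plugin":
        # callable(requester, operation, offering) -> bool
        self.authorizer = authorizer
        self.entries = {}  # user id -> [ResourceOffering]

    def update(self, requester, user_id, offering):
        """DiscoveryUpdate: insert one entry, or fault."""
        unsupported = set(offering.directives) - self.cfg.supported_directives
        if unsupported:
            raise Rejected(f"unsupported directive(s): {sorted(unsupported)}")
        if self.cfg.policy_eval_update and not self.authorizer(
                requester, "DiscoveryUpdate", offering):
            raise Rejected("policy evaluation denied DiscoveryUpdate")
        self.entries.setdefault(user_id, []).append(offering)
        return True

    def lookup(self, requester, user_id, service_type=None):
        """DiscoveryLookup: return only entries the requester may see."""
        found = []
        for off in self.entries.get(user_id, []):
            if service_type and off.service_type != service_type:
                continue
            if self.cfg.policy_eval_lookup and not self.authorizer(
                    requester, "DiscoveryLookup", off):
                continue  # omitted rather than faulted: do not leak existence
            found.append(off)
        return found


def demo():
    """Run both operations against constructed data; returns a result dict."""
    # Constructed policy: a WSP may only register offerings under its own
    # provider ID, and only "wsc-hr" may discover the employment service.
    def authorizer(requester, op, off):
        if op == "DiscoveryUpdate":
            return requester == off.provider_id
        if off.provider_id == "http://ep.example.com":
            return requester == "wsc-hr"
        return True

    svc = DiscoveryService(
        DiscoConfig(policy_eval_lookup=True, policy_eval_update=True), authorizer)
    pp = ResourceOffering("urn:liberty:id-sis-pp:2003-08", "http://pp.example.com",
                          ("AuthenticateRequester",))
    ep = ResourceOffering("urn:liberty:id-sis-ep", "http://ep.example.com",
                          ("AuthenticateRequester", "EncryptResourceID"))
    bad = ResourceOffering("urn:example:svc", "http://ep.example.com",
                           ("GenerateBearerToken",))   # not in the supported set

    out = {}
    out["pp_ok"] = svc.update("http://pp.example.com", "alice", pp)
    out["ep_ok"] = svc.update("http://ep.example.com", "alice", ep)
    try:
        svc.update("http://ep.example.com", "alice", bad)
        out["bad_directive"] = "accepted"
    except Rejected as e:
        out["bad_directive"] = str(e)
    try:
        svc.update("http://evil.example.com", "alice", pp)  # wrong owner
        out["foreign_update"] = "accepted"
    except Rejected as e:
        out["foreign_update"] = str(e)
    out["hr_sees"] = [o.service_type for o in svc.lookup("wsc-hr", "alice")]
    out["other_sees"] = [o.service_type for o in svc.lookup("wsc-x", "alice")]
    return out


if __name__ == "__main__":
    print(demo())
```

Note the ordering: the directive check runs before policy evaluation, so an entry using an unsupported directive fails even when the requester would have been authorized, which matches the behaviour the Supported Directives attribute describes. With both policy switches left at their default (not selected) every WSP could register under any provider ID and every WSC would see every offering, so enabling them is the practical way to bind resource offerings to their owning provider.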
Liberty Personal Profile Service Attributes
The Liberty Personal Profile service attributes are global attributes. The values applied to them are applied across the Sun Java System Identity Server configuration and are inherited by every configured organization. (They cannot be applied directly to roles or organizations, because the goal of global attributes is to customize the Identity Server application.)
The Liberty Personal Profile Service Attributes are:
Resource ID Mapper
This attribute specifies the class that implements the mapping between a resource ID and the user DN, in both directions.
Authorizer
This attribute defines the default implementation of Personal Profile Service authorization.
Attribute Mapper
This attribute defines the mapping between a Liberty Personal Profile service attribute to a user attribute. Format:
LibertyPersonalProfileAttribute=IdentityServerAttribute
For example:
AltCN=SunIdentityServerPPCommonNameAltCN
Provider ID
This attribute defines the unique identifier used for this Liberty Personal Profile Service. For example:
http://example.com:58080/amserver/Liberty/idpp
Name Scheme
This attribute defines the naming scheme that will be used for the Liberty Personal Profile Service common name. For example, you can specify first and last name, or first, middle and last name.
Namespace Prefix
This attribute specifies the namespace prefix used in Liberty Personal Profile Service XML protocol messages. A namespace distinguishes elements that come from different XML schemas; the prefix is attached to each element name so that metadata drawn from different schema namespaces can be told apart.
Supported Containers
This attribute defines the list of supported Personal Profile containers. To add a container, click the Add button, enter the key/value pair in the provided fields, and click OK.
PPLDAP Attribute Map List
This attribute list specifies the mapping for the Personal Profile attributes defined in the Liberty II specification to the Identity Server Personal Profile service attributes.
For example, in the mapping scheme, JobTitle=sunIdentityServerPPEmploymentIdentityJobTitle, sunIdentityServerPPEmploymentIdentityJobTitle is the Identity Server attribute that maps to the Liberty Protocol’s JobTitle attribute.
Require Query PolicyEval
If selected, this option requires a policy evaluation to be performed for Personal Profile service queries.
Require Modify PolicyEval
If selected, this option requires a policy evaluation to be performed for Personal Profile service modifications.
Extension Container Attributes
This attribute specifies the list of extension container attributes for the Personal Profile service.
Extension Attributes Namespace Prefix
This attribute defines the namespace prefix for the extensions defined in Extension Container Attributes.
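The Attribute Mapper and PPLDAP Attribute Map List entries above are both in the `LibertyPersonalProfileAttribute=IdentityServerAttribute` form, and the two PolicyEval switches decide whether a query or modification is authorized before it touches the directory. The following Python is an added example for this page, not Identity Server code: it parses a map in that format, translates Liberty attribute names to directory attribute names (and back for results), and refuses attributes that have no mapping so a WSC cannot read or write arbitrary directory attributes. The `AltCN` and `JobTitle` entries are the guide's own; the `CN` entry, the user DN, the directory contents and the authorizer callable are constructed assumptions.

```python
from dataclasses import dataclass


# Constructed map in the page's "Liberty=IdentityServer" format.
# AltCN and JobTitle appear in the guide; the CN line is an assumption.
ATTRIBUTE_MAP_TEXT = """
# Liberty PP attribute = Identity Server (directory) attribute
AltCN=SunIdentityServerPPCommonNameAltCN
JobTitle=sunIdentityServerPPEmploymentIdentityJobTitle
CN=sunIdentityServerPPCommonNameCN
"""


def parse_attribute_map(text):
    """Parse 'Liberty=IdentityServer' lines into a dict; blank and # lines are skipped."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected Liberty=IdentityServer, got {line!r}")
        liberty, store = (s.strip() for s in line.split("=", 1))
        if not liberty or not store:
            raise ValueError(f"line {lineno}: empty attribute name")
        mapping[liberty] = store
    return mapping


class Rejected(Exception):
    """Raised where the real service would return a SOAP fault."""


@dataclass
class PPConfig:
    require_query_policy_eval: bool = False    # "Require Query PolicyEval"
    require_modify_policy_eval: bool = False   # "Require Modify PolicyEval"


class PersonalProfileService:
    def __init__(self, cfg, attr_map, directory, authorizer):
        self.cfg = cfg
        self.attr_map = attr_map                      # Liberty name -> directory attr
        self.reverse = {v: k for k, v in attr_map.items()}
        self.directory = directory                    # user DN -> {directory attr: value}
        # Stand-in for the Authorizer: callable(requester, op, user_dn, attrs) -> bool
        self.authorizer = authorizer

    def _resolve(self, liberty_attr):
        try:
            return self.attr_map[liberty_attr]
        except KeyError:
            raise Rejected(f"unmapped Personal Profile attribute {liberty_attr!r}") from None

    def query(self, requester, user_dn, liberty_attrs):
        store_attrs = [self._resolve(a) for a in liberty_attrs]   # validate every name first
        if self.cfg.require_query_policy_eval and not self.authorizer(
                requester, "Query", user_dn, store_attrs):
            raise Rejected("policy evaluation denied Query")
        entry = self.directory.get(user_dn, {})
        return {self.reverse[a]: entry[a] for a in store_attrs if a in entry}

    def modify(self, requester, user_dn, changes):
        store_changes = {self._resolve(k): v for k, v in changes.items()}
        if self.cfg.require_modify_policy_eval and not self.authorizer(
                requester, "Modify", user_dn, list(store_changes)):
            raise Rejected("policy evaluation denied Modify")
        self.directory.setdefault(user_dn, {}).update(store_changes)
        return True


def demo():
    """Exercise query/modify against a constructed directory; returns a result dict."""
    attr_map = parse_attribute_map(ATTRIBUTE_MAP_TEXT)
    alice = "uid=alice,ou=People,dc=example,dc=com"
    directory = {alice: {
        "sunIdentityServerPPCommonNameCN": "Alice Example",
        "sunIdentityServerPPEmploymentIdentityJobTitle": "Engineer",
    }}

    # Constructed policy: only the HR consumer may modify; any named requester may query.
    def authorizer(requester, op, user_dn, store_attrs):
        if op == "Modify":
            return requester == "wsc-hr"
        return requester is not None

    svc = PersonalProfileService(
        PPConfig(require_query_policy_eval=True, require_modify_policy_eval=True),
        attr_map, directory, authorizer)

    out = {"query": svc.query("wsc-x", alice, ["CN", "JobTitle"])}
    try:
        svc.query("wsc-x", alice, ["Nickname"])          # no mapping -> refused
        out["unmapped"] = "accepted"
    except Rejected as e:
        out["unmapped"] = str(e)
    try:
        svc.modify("wsc-x", alice, {"JobTitle": "Staff Engineer"})
        out["modify_denied"] = "accepted"
    except Rejected as e:
        out["modify_denied"] = str(e)
    svc.modify("wsc-hr", alice, {"JobTitle": "Staff Engineer"})
    out["after_modify"] = svc.query("wsc-hr", alice, ["JobTitle"])["JobTitle"]
    return out


if __name__ == "__main__":
    print(demo())
```

Resolving every attribute name through the map before consulting the authorizer means an unmapped name is refused regardless of policy, and the authorizer is shown the directory attribute names the request will actually touch rather than the Liberty names the WSC supplied.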
SOAP Binding Service Attributes
The SOAP Binding Service attributes are global attributes. The values applied to them are carried across the Sun Java System Identity Server configuration and inherited by every configured organization. (They cannot be applied directly to roles or organizations, because the goal of global attributes is to customize the Identity Server application.)
The SOAP Binding Service attributes are as follows:
Request Handler List
This attribute stores information about each Web Service Provider (WSP) deployed in Identity Server. It lists entries, each made up of key/value pairs separated by “|”. For example:
key=disco|class=com.example.identity.liberty.ws.disco.DiscoveryService|soapActions=sa1 sa2 sa2
To add a new request handler, click the Add button. The key and class parameters are required. The parameters are:
key. This defines the second part of the URI path for the SOAP endpoint of the WSP. The first part is defined as Liberty by the SOAP services. For example, if you define disco as the key, the SOAP endpoint for the Discovery service is:
protocol://hostname:port/deploy_uri/Liberty/disco
class. This parameter specifies the name of the implementation class for the WSP. The Liberty SOAP layer provides a handler interface to be implemented by each WSP to process the requested message and then return a response.
soapActions. This is an optional parameter that specifies the supported SOAPActions. If this parameter is not specified, all SOAPActions are supported. If a Web Service Consumer (WSC) sends a request with an unsupported SOAPAction, the request will be rejected by the SOAP layer without being passed on to the corresponding WSP.
Web Service Authenticator
This attribute defines the implementation class for the WebServiceAuthenticator interface, which authenticates a Web Service Consumer (WSC) and generates a credential for it, based on the request.
Supported Authentication Mechanisms
This attribute specifies the authentication mechanisms supported by the SOAP endpoint. By default, all of the mechanisms are selected. If an authentication mechanism is not selected, and a WSC sends a request using that authentication mechanism, the request will be rejected by the SOAP layer without passing it to the corresponding WSP.
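The Request Handler List and Supported Authentication Mechanisms attributes together define what the SOAP layer checks before a message reaches a WSP: the URI key selects the handler, the SOAPAction must be on that handler's list (if one is given), and the authentication mechanism must be among those selected. The following Python is an added example for this page, not Identity Server code: it parses handler entries in the page's `key=...|class=...|soapActions=...` format, enforces the two rejections at the SOAP layer, and counts handler invocations to show that rejected requests never reach a WSP. The handler entries, the mechanism URNs, the `/amserver` deploy URI and the callables standing in for the handler classes are constructed assumptions.

```python
# Constructed "Request Handler List" entries in the page's key/value|... format.
REQUEST_HANDLER_LIST = [
    "key=disco|class=com.example.identity.liberty.ws.disco.DiscoveryService|soapActions=sa1 sa2",
    "key=idpp|class=com.example.identity.liberty.ws.idpp.PPService",   # no soapActions: all allowed
]

# Constructed "Supported Authentication Mechanisms" selection. The URN style
# follows Liberty ID-WSF; treat the exact values as an assumption.
SUPPORTED_AUTH_MECHS = {
    "urn:liberty:security:2003-08:TLS:X509",
    "urn:liberty:security:2003-08:TLS:SAML",
}


def parse_handler_entry(entry):
    """Split one entry on '|' into fields; key and class are required."""
    fields = {}
    for part in entry.split("|"):
        if "=" not in part:
            raise ValueError(f"malformed field {part!r} in {entry!r}")
        name, value = part.split("=", 1)
        fields[name.strip()] = value.strip()
    for required in ("key", "class"):
        if not fields.get(required):
            raise ValueError(f"{required!r} is required in {entry!r}")
    actions = fields.get("soapActions")
    fields["soapActions"] = set(actions.split()) if actions else None   # None = all allowed
    return fields


class Rejected(Exception):
    """Raised where the SOAP layer would return a fault instead of dispatching."""


class SoapLayer:
    def __init__(self, handler_entries, supported_auth_mechs, deploy_uri="/amserver"):
        self.deploy_uri = deploy_uri
        self.supported_auth_mechs = set(supported_auth_mechs)
        self.handlers = {h["key"]: h for h in map(parse_handler_entry, handler_entries)}
        self.impls = {}   # class name -> callable(message) -> response (stands in for class loading)

    def register_impl(self, class_name, fn):
        self.impls[class_name] = fn

    def endpoint(self, key):
        """URI path of a WSP's SOAP endpoint: deploy URI, then 'Liberty', then the key."""
        return f"{self.deploy_uri}/Liberty/{key}"

    def dispatch(self, path, soap_action, auth_mech, message):
        prefix = f"{self.deploy_uri}/Liberty/"
        if not path.startswith(prefix):
            raise Rejected(f"not a Liberty SOAP endpoint: {path}")
        key = path[len(prefix):]
        handler = self.handlers.get(key)
        if handler is None:
            raise Rejected(f"no request handler for key {key!r}")
        # Both checks run before the WSP sees the message.
        if auth_mech not in self.supported_auth_mechs:
            raise Rejected(f"authentication mechanism not supported: {auth_mech}")
        allowed = handler["soapActions"]
        if allowed is not None and soap_action not in allowed:
            raise Rejected(f"SOAPAction {soap_action!r} not supported by {key}")
        return self.impls[handler["class"]](message)


def demo():
    """Drive the layer with accepted and rejected requests; returns a result dict."""
    calls = []
    layer = SoapLayer(REQUEST_HANDLER_LIST, SUPPORTED_AUTH_MECHS)

    def disco(msg):
        calls.append(("disco", msg))
        return "disco-response"

    def idpp(msg):
        calls.append(("idpp", msg))
        return "idpp-response"

    layer.register_impl("com.example.identity.liberty.ws.disco.DiscoveryService", disco)
    layer.register_impl("com.example.identity.liberty.ws.idpp.PPService", idpp)
    tls_x509 = "urn:liberty:security:2003-08:TLS:X509"

    out = {"endpoint": layer.endpoint("disco")}
    out["ok"] = layer.dispatch("/amserver/Liberty/disco", "sa1", tls_x509, "<Query/>")
    rejected = {
        "bad_action": ("/amserver/Liberty/disco", "sa9", tls_x509, "<Query/>"),
        "bad_mech": ("/amserver/Liberty/disco", "sa1",
                     "urn:liberty:security:2003-08:null:null", "<Query/>"),
        "unknown_key": ("/amserver/Liberty/nosuch", "sa1", tls_x509, "<Query/>"),
    }
    for name, args in rejected.items():
        try:
            layer.dispatch(*args)
            out[name] = "accepted"
        except Rejected as e:
            out[name] = str(e)
    out["idpp_any_action"] = layer.dispatch("/amserver/Liberty/idpp", "anything", tls_x509, "<Modify/>")
    out["handler_calls"] = len(calls)   # only the two accepted requests reached a WSP
    return out


if __name__ == "__main__":
    print(demo())
```

The `idpp` entry has no `soapActions`, so any SOAPAction is dispatched to it; listing the actions a WSP actually implements narrows what an authenticated WSC can send before the WSP's own code runs.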