Sun OpenSSO Enterprise 8.0 Administration Guide

Creating an Entity

An entity holds the metadata for individual identity and service providers. (Metadata contains the specific protocols, profiles, endpoints, and security mechanisms used by the entity.) OpenSSO Enterprise allows you to create an entity for communication using the SAML v2, the Liberty ID-FF, or the WS-Federation specification. Within each entity type, you can assign roles by configuring the attributes that perform the specific function. The following sections describe the entity types and the roles you can assign.

SAMLv2 Entity

The SAMLv2 entity type is based on the SAML v2 specification. This entity supports various profiles (including single sign-on and single logout) and allows you to assign and configure the following roles:

Procedure: To Create a SAMLv2 Entity Provider

Use these steps to create a hosted entity provider based on the SAMLv2 protocol. You can assign one, more than one, or all of the provider roles to the entity, but all of the roles that you define will belong to the same entity provider.

  1. Log in as an administrator.

  2. Go to the Federation tab in the console and click New in the Entity Provider table.

  3. When prompted, select SAMLv2 as the entity provider.

  4. Select the Realm to which the entity provider will belong.

  5. Type a name in the Entity Identifier field.

  6. Enter values for the following attributes under the role category to which the entity provider will be assigned.

    Entering data in the Meta Alias field will automatically create and assign the entity provider role to the entity provider upon completion.

    Meta Alias

    Specifies a metaAlias for the provider role being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


    Caution – The names used in the metaAlias must not contain a /.


    Signing Certificate Alias

    Specifies the provider certificate alias used to find the correct signing certificate in the keystore.

    Encryption Certificate Alias

    Specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

    Owner ID (Hosted Affiliation only)

    An identifier for the owner of the affiliation.

    Affiliation Members (Hosted Affiliation only)

    A provider must be a member of a circle of trust, or it cannot participate in SAMLv2-based communications. The provider can belong to one or more affiliations. The selected provider must have the Affiliation Federation attribute enabled. Enter the meta alias of the provider in the New Value field and click Add.

  7. Click Create.

    The entity provider, its assigned provider roles, and location will be displayed in the Entity Providers table. To customize the behavior of the entity provider's roles, click the name of the entity provider in the list and choose the tab that corresponds to the role you wish to customize. See Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the attributes used for provider customization.

SAMLv2 Hosted Affiliation Customization

A Hosted Affiliation contains a grouping of service providers. The affiliation is formed and maintained by an affiliation owner who chooses the member providers from already configured provider entities. The affiliation enables a user to federate amongst the group of associated sites. The chosen providers may invoke services either as a member of the affiliation, or individually as a provider. If services are invoked as an affiliation member, a service provider might issue an authentication request for a user on behalf of an affiliation. When authentication is secured, the user can achieve single sign-on with all members of the affiliation.

A hosted affiliation provider holds the metadata that defines the grouping of one or more provider entities that comprise the affiliation. It does not contain the configuration information for any providers (which is defined in a provider entity), only the configuration information for the affiliation itself. If there are several service providers and identity providers in the same circle of trust, use an affiliate entity to avoid having to generate different name identifiers for commonly shared services. Hosted Affiliation contains the following attributes for customization:

Meta Alias

Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name (dependent on whether the SAML v2 Plug-in for Federation Services is installed in OpenSSO Enterprise) coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


Caution – The names used in the metaAlias must not contain a /.


Members

A provider must be a member of a circle of trust, or it cannot participate in Liberty-based communications. The provider can belong to one or more affiliations. Enter the entity ID of the provider in the New Value field and click Add.

Cert Alias

This attribute defines the certificate alias elements for the provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

ID-FF Entity Provider

The ID-FF provider entity is based on the Liberty Alliance Project Identity Federation Framework for implementing single sign-on with federated identities. The ID-FF provider entity allows you to assign and configure the following roles:

Procedure: To Create an ID-FF Entity Provider

Use these steps to create an entity provider based on the ID-FF protocol for Federation Services. You can assign the identity provider or service provider (or both) role to the entity, but multiple roles will belong to the same entity provider.

  1. Log in as an administrator.

  2. Go to the Federation tab in the console and click New in the Entity Provider table.

  3. When prompted, select ID-FF as the entity provider.

  4. Select the Realm to which the entity provider will belong.

  5. Type a name in the Entity Identifier field.

  6. Choose the entity provider role you wish to assign to the entity provider.

    Entering data in the Meta Alias field will automatically create and assign the entity provider role to the entity provider upon completion.

  7. Enter values for the following attributes for one or more roles:

    Meta Alias

    Specifies a metaAlias for the provider role being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


    Caution – The names used in the metaAlias must not contain a /.


    Signing Certificate Alias

    Specifies the provider certificate alias used to find the correct signing certificate in the keystore.

    Encryption Certificate Alias

    Specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

  8. Click Create.

    The entity provider, its assigned provider roles, and location will be displayed in the Entity Providers list.

  9. To customize the behavior of the entity provider's roles, click the name of the entity provider and choose the tab that corresponds to the role you wish to customize. See Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the attributes used for provider customization.

WS-Federation Entity Provider

The WS-Federation entity provider type is based on the WS-Federation protocol. The implementation of this protocol allows single sign-on between OpenSSO Enterprise and the Microsoft Active Directory Federation Service. The WS-Federation provider entity allows you to assign and configure the following roles:

Procedure: To Create a WS-Federation Entity Provider

Use these steps to create an entity provider based on the WS-Federation protocol for Federation Services. You can assign the identity provider or service provider (or both) role to the entity, but multiple roles will belong to the same entity provider.

  1. Log in as an administrator.

  2. Go to the Federation tab in the console and click New in the Entity Provider table.

  3. When prompted, select WS-FED as the entity provider.

  4. Select the Realm to which the entity provider will belong.

  5. Type a name in the Entity Identifier field.

  6. Choose the entity provider role you wish to assign to the entity provider.

    Entering data in the Meta Alias field will automatically create and assign the entity provider role to the entity provider upon completion.

  7. Enter values for the following attributes for one or more roles:

    Meta Alias

    Specifies a metaAlias for the provider role being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


    Caution – The names used in the metaAlias must not contain a /.


    Signing Certificate Alias

    Specifies the provider certificate alias used to find the correct signing certificate in the keystore.

    Encryption Certificate Alias

    Specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

  8. Click Create.

    The entity provider, its assigned provider roles, and location will be displayed in the Entity Providers list.

  9. To customize the behavior of the entity provider's roles, click the name of the entity provider and choose the tab that corresponds to the role you wish to customize. See Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the attributes used for provider customization.
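The Meta Alias attribute appears in all three procedures above and in the Hosted Affiliation section: its value is the realm name, a forward slash, and the provider name (for example /suncorp/travelprovider), and the caution in each case is that neither name may itself contain a slash, because the slash is the only thing that tells OpenSSO Enterprise where the realm ends and the provider name begins. The following parser and builder is an added example, not code from the OpenSSO Enterprise product, that splits a metaAlias into its realm and provider parts and rejects values that would break that boundary. It goes beyond the guide's wording in one labelled assumption: realms may be nested, so everything before the last slash is taken as the realm path, and a single component such as /idp is taken to mean the top-level realm "/". All sample values are constructed.

```python
"""Parse, validate and build OpenSSO-style metaAlias values.

Added example; not code from OpenSSO Enterprise. Format per the guide:
"/<realm-name>/<provider-name>", with no name containing "/".
Assumption: realm paths may be nested ("/suncorp/travel/travelprovider"),
so the provider name is the last component and the realm is the rest;
a lone component ("/idp") is treated as living in the top-level realm "/".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MetaAlias:
    realm: str      # realm path, e.g. "/suncorp" or "/" for the top-level realm
    provider: str   # provider name, e.g. "travelprovider"

    def __str__(self) -> str:
        # Re-join without producing "//" when the realm is the top-level "/"
        return f"{self.realm.rstrip('/')}/{self.provider}"


def _check_name(label: str, name: str) -> None:
    """Enforce the guide's caution: a realm or provider name must be non-empty
    and must not contain "/" (a slash would shift the realm/provider boundary)."""
    if name == "":
        raise ValueError(f"{label} name must not be empty")
    if "/" in name:
        raise ValueError(f"{label} name must not contain '/': {name!r}")
    if name != name.strip():
        raise ValueError(f"{label} name has leading/trailing whitespace: {name!r}")


def parse_meta_alias(value: str) -> MetaAlias:
    """Split a metaAlias into realm path and provider name, rejecting malformed input."""
    if not value.startswith("/"):
        raise ValueError(f"metaAlias must start with '/': {value!r}")
    if value.endswith("/"):
        raise ValueError(f"metaAlias must end with a provider name: {value!r}")
    # "/suncorp/travelprovider" -> ["suncorp", "travelprovider"]
    parts = value.split("/")[1:]
    for name in parts:
        _check_name("realm" if name is not parts[-1] else "provider", name)
    realm = "/" + "/".join(parts[:-1])          # "/" when parts has one element
    return MetaAlias(realm=realm, provider=parts[-1])


def build_meta_alias(realm_name: str, provider_name: str) -> str:
    """Assemble a metaAlias from a single realm name and a provider name,
    as described in the guide (realm name + "/" + provider name)."""
    _check_name("realm", realm_name)
    _check_name("provider", provider_name)
    return f"/{realm_name}/{provider_name}"


def is_valid_meta_alias(value: str) -> bool:
    """Boolean form of parse_meta_alias, convenient for input validation."""
    try:
        parse_meta_alias(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values: the guide's example plus a few malformed ones
    for sample in ["/suncorp/travelprovider", "/idp", "/suncorp/travel/travelprovider",
                   "suncorp/travelprovider", "/suncorp//travelprovider", "/suncorp/"]:
        if is_valid_meta_alias(sample):
            ma = parse_meta_alias(sample)
            print(f"{sample!r:36} ok   realm={ma.realm!r} provider={ma.provider!r}")
        else:
            print(f"{sample!r:36} rejected")
```

The builder deliberately takes the realm and provider as separate names rather than a pre-joined string, so the "no slash in a name" rule is checked on each name before the slash that separates them is added; that is the check an administrator would want behind the console's Meta Alias field.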