The WS-Federation entity provider type is based on the WS-Federation protocol. The implementation of this protocol allows single sign-on between OpenSSO Enterprise and the Microsoft Active Directory Federation Service. The WS-Federation provider entity allows you to assign and configure the following roles:
Identity Provider
Service Provider
The following attributes are common to both Identity and Service Provider types:
This attribute defines the name of the WS-Federation service provider. The default is the meta alias given at creation time.
This attribute defines the name of the WS-Federation identity provider. The default is the meta alias given at creation time.
Displays the realm to which the provider belongs.
Defines a unique identifier for the identity or service provider.
Specifies the URL at which the identity or service provider is providing WS-Federation services. For example:
https://demo.example.com/OpenSSO Enterprise/WSFederationServlet/metaAlias/example
The following attributes apply to the WS-Federation Identity Provider role:
Defines the format of the name identifier component of the single sign-on response sent from the identity provider to the service provider. WS-Federation single sign-on supports the following identifier formats (default is UPN):
Common Name
UPN – User Principal Name. The syntax is username@domain, where an example of domain is example.com.
Defines the attribute in the user's profile that will be used as the name ID value. The default is uid.
When using the UPN format defined in the NameID Format attribute, this specifies whether the NameID Attribute in the user's profile includes a domain. If it does, then the NameID Attribute will be used for the UPN as it is currently defined. Otherwise, it is combined with a domain to form a UPN.
When using the UPN format, if the Name Includes Domain attribute is not selected, this specifies an attribute in the user's profile to be used as the UPN domain.
When using the UPN format, if the Name Includes Domain attribute is not selected, and if a value for Domain Attribute is not specified, or if there is no value for that attribute for a particular user, then this attribute is used to construct the UPN.
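The UPN fallback order described by the three settings above, as an added worked example (not OpenSSO code): the config class and the `default_domain` field are hypothetical names for the documented settings, and the profile values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UpnNameIdConfig:
    """Hypothetical holder for the documented UPN settings (not OpenSSO's own classes)."""
    name_id_attribute: str = "uid"          # NameID Attribute, default uid
    name_includes_domain: bool = False      # Name Includes Domain
    domain_attribute: Optional[str] = None  # Domain Attribute (profile attribute holding the domain)
    default_domain: Optional[str] = None    # last-resort domain when the above yield nothing


def build_upn(profile: Dict[str, str], cfg: UpnNameIdConfig) -> str:
    """Derive the UPN name identifier following the documented fallback order."""
    local = profile.get(cfg.name_id_attribute)
    if not local:
        raise ValueError(f"profile has no value for {cfg.name_id_attribute!r}")
    if cfg.name_includes_domain:
        # The profile value is already a full UPN; refuse values that are not.
        if "@" not in local:
            raise ValueError("Name Includes Domain is set but the value has no '@domain'")
        return local
    # Otherwise the local part is combined with a domain: first the per-user
    # Domain Attribute, then the configured default domain.
    domain = profile.get(cfg.domain_attribute) if cfg.domain_attribute else None
    if not domain:
        domain = cfg.default_domain
    if not domain:
        raise ValueError("no domain available to form a UPN")
    return f"{local}@{domain}"
```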
This attribute specifies the provider certificate alias used to find the assertion signing certificate in the keystore.
Specifies the claim type so the WS-Federation service can recognize the type of token that is exchanged between federation partners.
The EmailAddress claim type is used to identify a specific security principal by an email address.
The UPN claim type is used to identify a specific security principal via a User Principal Name.
The CommonName claim type is used to identify a security principal via a CN value consistent with X.500 naming conventions. The value of this claim is not necessarily unique and should not be used for authorization purposes.
This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfed.plugins.DefaultIDPAccountMapper.
This defines the class used to map attributes in the assertion to user attributes defined locally by the identity provider. The default class is com.sun.identity.wsfederation.plugins.DefaultIDPAttributeMapper.
Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:
SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
Assertions are valid for a period of time and not before or after.
Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.
The following attributes apply to the WS-Federation service provider role:
All assertions received by this service provider must be signed.
This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfed.plugins.DefaultADFSPartnerAccountMapper.
This defines the class used to map attributes in the assertion to user attributes defined locally by the identity provider. The default class is com.sun.identity.wsfederation.plugins.DefaultSPAttributeMapper.
Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:
SAML_attr=local-attribute
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
Assertions are valid for a period of time and not before or after.
Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.
Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.
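The service-provider checks described above (signature required, Effective Time, notBefore grace period) and the attribute-mapping format shown for both roles, as one added example that is not OpenSSO code. Times are epoch seconds, the assertion attributes are constructed, and it assumes notBefore equals the issue time.

```python
from typing import Dict, List

# Constructed sample: the attribute statement of one received assertion after XML
# parsing. Not OpenSSO's data model; values are made up for this example.
SAMPLE_ASSERTION_ATTRS = {"EmailAddress": "alice@example.com",
                          "Address": "1 Main St", "Role": "staff"}


def parse_attribute_map(entries: List[str]) -> Dict[str, str]:
    """Parse 'SAML_attr=local-attribute' entries as typed into the console."""
    mapping: Dict[str, str] = {}
    for entry in entries:
        if "=" not in entry:
            raise ValueError(f"malformed mapping {entry!r}; expected SAML_attr=local-attribute")
        saml_name, local_name = entry.split("=", 1)
        mapping[saml_name.strip()] = local_name.strip()
    return mapping


def map_attributes(assertion_attrs: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Copy only mapped attributes into local profile names; unmapped ones are dropped."""
    return {mapping[name]: value for name, value in assertion_attrs.items() if name in mapping}


def assertion_time_ok(issue_instant: float, now: float,
                      effective_time: int = 600, not_before_skew: int = 300) -> bool:
    """Validity window in epoch seconds: Effective Time counts forward from the
    issue time, and the notBefore grace period tolerates clock skew backwards
    only; it does not extend notOnOrAfter. Assumes notBefore == issue time."""
    not_before = issue_instant - not_before_skew
    not_on_or_after = issue_instant + effective_time
    return not_before <= now < not_on_or_after


def accept_assertion(signed: bool, issue_instant: float, now: float,
                     attrs: Dict[str, str], map_entries: List[str]) -> Dict[str, str]:
    """Service-provider side acceptance: reject unsigned or stale assertions,
    then translate the remaining attributes with the configured map."""
    if not signed:
        raise ValueError("assertion rejected: signature required")
    if not assertion_time_ok(issue_instant, now):
        raise ValueError("assertion rejected: outside validity window")
    return map_attributes(attrs, parse_attribute_map(map_entries))
```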
After a successful WS-Federation operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed.
When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as:
http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
and then appended to the URL. For example, the service provider initiated single sign-on URL would be:
http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
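The encoding step and the RelayState/defaultRelayState fallback described above, as an added example (not OpenSSO code); the DEFAULT_RELAY_STATE value is a constructed placeholder and the URL layout is copied from the documentation's example.

```python
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholder for the defaultRelayState property of this example.
DEFAULT_RELAY_STATE = "https://sp.example.com/welcome.jsp"


def encode_relay_state(target_url: str) -> str:
    """Percent-encode the whole target URL, so its own '?', '&' and '=' are not
    read as delimiters of the outer SSO request."""
    return quote(target_url, safe="")


def sp_sso_init_url(base: str, meta_alias: str, idp_entity_id: str, relay_state: str) -> str:
    """Build the SP-initiated single sign-on URL in the shape the documentation shows."""
    return (f"{base}/saml2/jsp/spSSOInit.jsp?metaAlias={meta_alias}"
            f"&idpEntityID={idp_entity_id}&RelayState={encode_relay_state(relay_state)}")


def resolve_relay_state(request_url: str, default_relay_state: str = DEFAULT_RELAY_STATE) -> str:
    """Pick the page to show after SSO: the decoded RelayState from the request if
    present, otherwise defaultRelayState. Before redirecting, a deployment should
    still check the decoded value against its own allow-list of hosts."""
    values = parse_qs(urlparse(request_url).query).get("RelayState")
    if not values or not values[0]:
        return default_relay_state
    return values[0]  # parse_qs has already percent-decoded it
```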
Specifies the service so that the service provider can identify the preferred identity provider. The service URL is specified as a contact endpoint by the service provider.
Specifies the identity provider selection mechanism and configuration. Either the cookie or HTTP Request header attribute can be used to locate the identity provider.