Sun OpenSSO Enterprise 8.0 Administration Reference

ID-FF Identity Provider Customization

The ID-FF identity provider attributes are grouped as follows:

Common Attributes

Provider Type

The static value of this attribute is the type of provider being configured: hosted or remote.

Description

The value of this attribute is a description of the identity provider.

Protocol Support Enumeration

Choose the Liberty ID-FF release that is supported by this provider.

Signing Key

Defines the security certificate alias that is used to sign requests and responses.

Encryption Key

Defines the security certificate alias that is used for encryption. For both the Signing Key and the Encryption Key, certificates are stored in a Java keystore file, and each certificate is mapped to an alias that is used to fetch it.

Name Identifier Encryption

Select the check box to enable encryption of the name identifier.

Communication URLs

SOAP Endpoint

Defines a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.

Single Sign-on Service URL

Defines a URL to which service providers can send single sign-on and federation requests.

Single Logout Service

Defines a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

Single Logout Return

Defines a URL to which the service providers can send single logout responses.

Federation Termination Service

Defines a URL to which a service provider will send federation termination requests.

Federation Termination Return

Defines a URL to which the service providers can send federation termination responses.

Name Registration Service

Defines a URL to which a service provider will send requests to specify a new name identifier to be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.

Name Registration Return

Defines a URL to which the service providers can send name registration responses.

Communication Profiles

Federation Termination

Select a profile to notify other providers of a principal’s federation termination:

Single Logout

Select a profile to notify other providers of a principal’s logout:

Name Registration

Select a profile to notify other providers of a principal’s name registration:

Single Sign-on/Federation

Select a profile for sending authentication requests:

Identity Provider Configuration

Provider Alias

Defines the alias name for the local identity provider.

Authentication Type

Select the provider that should be used for authentication requests from a provider hosted locally:

Assertion Issuer

Defines the name of the host that issues the assertion. This value might be the load balancer's host name if OpenSSO Enterprise is behind one.

Responds With

Specifies the type of statements the identity provider can generate. For example, lib:AuthenticationStatement.

Provider Status

Defines whether the identity provider is active or inactive. Active, the default, means the identity provider can process requests and generate responses.

Service URL

Home Page URL

Defines the URL of the home page of the identity provider.

Single Sign-on Failure Redirect URL

Defines the URL to which a principal will be redirected if single sign-on has failed.

Federate Page URL

Specifies the URL which performs the federation operation.

Registration Done URL

Defines the URL to which a principal will be directed upon successful Federation registration.

List of COTs Page URL

Defines the URL that lists all of the circles of trust to which the provider belongs.

Termination URL

Defines the URL to which a principal is directed upon Federation termination.

Termination Done URL

Defines the URL to which a principal is redirected after federation termination is completed.

Error Page URL

Defines the URL to which a principal is directed upon an error.

Logout Done URL

Defines the URL to which a principal is directed after logout.

Plug-ins

Name Identifier Implementation

This field defines the class used by an identity provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

Attribute Statement Plug-in

Specifies a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.

User Provider Class

Specifies a pluggable class used to provide user operations such as finding a user, getting user attributes, and so forth. The default value is:

com.sun.identity.federation.accountmgmt.DefaultFSUserProvider

Identity Provider Attribute Mapper

Attribute Mapper Class

The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.

Identity Provider Attribute Mapping

Specify values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.
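The mapping format above, worked through as an added example (not OpenSSO code): the parser accepts entries exactly as typed into the console list, rejects malformed ones, and releases only the mapped attributes that exist in the local profile. The mapping lines and the user profile are constructed sample data; attribute names other than the two from the page are assumptions.

```python
"""Parse 'SAML-attribute=local-attribute' mappings and build the values an
identity provider would place in the assertion's attribute statement."""

# Constructed sample: entries as typed into "Identity Provider Attribute Mapping".
MAPPING_LINES = [
    "Email=emailaddress",
    "Address=postaladdress",
    "  Role = memberof ",   # surrounding whitespace is tolerated
    "",                     # blank entry is ignored
]

# Constructed sample: a local user profile (multi-valued attributes).
LOCAL_PROFILE = {
    "emailaddress": ["alice@example.com"],
    "postaladdress": ["1 Main St"],
    "telephonenumber": ["555-0100"],   # not mapped, so never released
}


def parse_mappings(lines):
    """Return {saml_attr: local_attr}; raise ValueError on a malformed entry."""
    mappings = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"expected SAML-attribute=local-attribute, got {raw!r}")
        saml_attr, local_attr = (part.strip() for part in line.split("=", 1))
        if not saml_attr or not local_attr:
            raise ValueError(f"empty attribute name in mapping {raw!r}")
        mappings[saml_attr] = local_attr
    return mappings


def map_attributes(mappings, profile):
    """Release only mapped attributes; a mapped attribute that is absent from
    the profile is skipped rather than emitted empty."""
    released = {}
    for saml_attr, local_attr in mappings.items():
        values = profile.get(local_attr)
        if values:
            released[saml_attr] = list(values)
    return released


def build_attribute_statement(lines=MAPPING_LINES, profile=LOCAL_PROFILE):
    return map_attributes(parse_mappings(lines), profile)
```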

Bootstrapping

The bootstrapping attribute is:

Generate Discovery Bootstrapping Resource Offering

Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.

Auto Federation

Auto Federation

Select the check box to enable auto-federation.

Auto Federation Common Attribute Name

When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the attribute element and this common attribute as its value.

Authentication Context

This attribute defines the identity provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The Liberty-defined authentication context classes are:

  • Mobile Contract

  • Mobile Digital ID

  • MobileUnregistered

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Time-Sync-Token

Key

Choose the OpenSSO Enterprise authentication type to which the context is mapped.

Value

Type the OpenSSO Enterprise authentication option.

Level

Choose a priority level for cases where there are multiple contexts.

SAML Attributes

Assertion Interval

Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid.

Cleanup Interval

Type the interval of time (in seconds) between cleanup runs that remove expired assertions.

Artifact Timeout

Type the interval of time (in seconds) after which an assertion artifact times out and can no longer be exchanged for its assertion.

Assertion Limit

Type a number to define how many assertions an identity provider can issue, or how many assertions can be stored.
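How the four settings interact, as an added example that is not OpenSSO code: an in-memory assertion store that honours Assertion Interval (validity), Artifact Timeout (single-use artifact lifetime), Cleanup Interval (how often expired assertions are purged) and Assertion Limit (cap on stored assertions). The clock is injected as a parameter, and all timestamps are constructed sample values.

```python
import secrets


class AssertionStore:
    def __init__(self, assertion_interval, cleanup_interval, artifact_timeout, assertion_limit):
        self.assertion_interval = assertion_interval
        self.cleanup_interval = cleanup_interval
        self.artifact_timeout = artifact_timeout
        self.assertion_limit = assertion_limit
        self.assertions = {}   # assertion_id -> time at which it stops being valid
        self.artifacts = {}    # artifact -> (assertion_id, artifact timeout time)
        self.last_cleanup = None

    def issue(self, now):
        """Issue an assertion plus a one-time artifact; refuse once the
        Assertion Limit is reached (after giving cleanup a chance to run)."""
        self.cleanup(now)
        if len(self.assertions) >= self.assertion_limit:
            return None
        assertion_id = "a-" + secrets.token_hex(8)
        artifact = "art-" + secrets.token_hex(8)
        self.assertions[assertion_id] = now + self.assertion_interval
        self.artifacts[artifact] = (assertion_id, now + self.artifact_timeout)
        return assertion_id, artifact

    def dereference(self, artifact, now):
        """Exchange an artifact for its assertion id. The artifact is consumed
        on first use; it must not have timed out, and the assertion itself must
        still be inside its Assertion Interval."""
        entry = self.artifacts.pop(artifact, None)
        if entry is None:
            return None
        assertion_id, artifact_expiry = entry
        if now > artifact_expiry or now > self.assertions.get(assertion_id, -1):
            return None
        return assertion_id

    def cleanup(self, now):
        """Purge expired assertions, at most once per Cleanup Interval."""
        if self.last_cleanup is not None and now - self.last_cleanup < self.cleanup_interval:
            return 0
        self.last_cleanup = now
        expired = [a for a, exp in self.assertions.items() if now > exp]
        for a in expired:
            del self.assertions[a]
        self.artifacts = {k: v for k, v in self.artifacts.items() if v[0] in self.assertions}
        return len(expired)
```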