The ID-FF service provider attributes are grouped into the following sections:
The static value of this attribute is the type of provider being configured: hosted or remote
The value of this attribute is a description of the service provider.
Choose the Liberty ID-FF release that is supported by this provider.
urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.
urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.
Defines the security certificate alias that is used to sign requests and responses. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.
Defines the security certificate alias that is used for encryption. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.
Select the check box to enable encryption of the name identifier.
If enabled, the service provider will sign all authentication requests.
Defines a URI to the service provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.
Defines a URL to which identity providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.
Defines a URL to which the identity providers can send single logout responses.
Defines a URL to which an identity provider will send federation termination requests.
Defines a URL to which the identity providers can send federation termination responses.
Defines a URL that will be used when communicating with the identity provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)
Defines a URL to which the identity providers can send name registration responses. (Registration can occur only after a federation session is established.)
Defines the URL to which an Identity Provider can send SAML assertions.
If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.
Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.
Select a profile to notify other providers of a principal’s federation termination:
HTTP Redirect
SOAP
Select a profile to notify other providers of a principal’s logout:
HTTP Redirect
HTTP Get
SOAP
Select a profile to notify other providers of a principal’s name registration:
HTTP Redirect
SOAP
Select a profile for sending authentication requests:
Browser Post (specifies a browser-based HTTP POST protocol)
Browser Artifact (specifies a non-browser SOAP-based protocol)
WML (specifies the Wireless Markup Language protocol)
LECP (specifies a Liberty-enabled Client Proxy)
OpenSSO Enterprise can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.
Defines an alias name for the local service provider.
Select the provider that should be used for authentication requests from a provider hosted locally:
Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.
Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).
Select the check box to indicate that the identity provider must re-authenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.
Select the check box to specify that the identity provider must not interact with the principal and must interact with the user.
This option, if enabled, allows for a service provider to participate in name registration after it has been federated.
An enumeration permitting requester influence over name identifier policy at the identity provider.
Select the check box to enable affiliation federation.
Defines whether the service provider is active or inactive. Active, the default, means the service provider can process requests and generate responses.
Specifies the type of statements the service provider can generate. For example, lib:AuthenticationStatement.
Defines the URL that lists all of the circles of trust to which the provider belongs.
Specifies the URL which performs the federation operation.
Defines the URL of the home page of the identity provider.
Defines the URL to which a principal will be redirected if single sign-on has failed.
Defines the URL to which a principal is redirected after federation termination is completed.
Defines the URL to which a principal is directed upon an error.
Defines the URL to which a principal is directed after logout.
Defines the implementation class for the com.sun.identity.federation.plugins.FSSPAdapter interface. The default value is:
com.sun.identity.federation.plugins.FSDefaultSPAdapter
Defines a list of environment properties to be used by the service provider adapter SPI implementation class.
Specifies a pluggable class used to provide user operations such as finding a user, getting user attributes, and so forth. The default value is:
com.sun.identity.federation.accountmgmt.DefaultFSUserProvider
This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.
Specify values to define the mappings used by the default attribute mapper plug-in specified above. Mappings should be configured in the format:
SAML-attribute=local-attribute
For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.
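As an added illustration (not code from OpenSSO Enterprise), the following parses mapping entries written in the SAML-attribute=local-attribute format and shows which attribute values the mapper would emit for a user; the regular expression, the function names and the sample user attributes are assumptions of this example.

```python
# Added example (not from the OpenSSO documentation): validates attribute
# mappings in the SAML-attribute=local-attribute format and applies them to a
# constructed set of local user attributes.
import re

# Assumed syntax: a SAML attribute name, '=', a local (LDAP) attribute name.
MAPPING_RE = re.compile(r"^([A-Za-z][\w.:-]*)=([A-Za-z][\w-]*)$")


def parse_attribute_mappings(values):
    """Parse 'SAML-attribute=local-attribute' entries into a dict.

    Raises ValueError on a malformed entry, or when one SAML attribute is
    mapped to two different local attributes (an ambiguous configuration).
    """
    mappings = {}
    for raw in values:
        match = MAPPING_RE.match(raw.strip())
        if not match:
            raise ValueError(
                f"malformed mapping {raw!r}; expected SAML-attribute=local-attribute")
        saml_attr, local_attr = match.groups()
        previous = mappings.get(saml_attr)
        if previous is not None and previous != local_attr:
            raise ValueError(f"{saml_attr} is mapped to both {previous} and {local_attr}")
        mappings[saml_attr] = local_attr
    return mappings


def build_attribute_statement(mappings, local_attributes):
    """Return the SAML attribute values the mapper would emit for this user.

    Local attribute names are compared case-insensitively, as LDAP does.
    A mapped local attribute the user lacks is omitted, not emitted empty.
    """
    lowered = {name.lower(): value for name, value in local_attributes.items()}
    statement = {}
    for saml_attr, local_attr in mappings.items():
        value = lowered.get(local_attr.lower())
        if value is not None:
            statement[saml_attr] = value
    return statement


# Constructed sample input: entries as typed into New Value, and a
# hypothetical user's local LDAP attributes.
SAMPLE_MAPPINGS = ["Email=emailaddress", "Address=postaladdress", "Phone=telephonenumber"]
SAMPLE_USER = {"emailAddress": "alice@example.com", "postalAddress": "1 Main St"}
```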
Select the check box to enable auto-federation.
Defines the user's common LDAP attribute name, such as telephonenumber, used for creating an Auto Federation Attribute Statement. When an Auto Federation Attribute Statement is created, the value of this attribute is used: the statement contains the attribute element with this common attribute as its value.
This attribute defines the service provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are:
Select the check box next to the authentication context class if the service provider supports it.
The Liberty-defined authentication context classes are:
Mobile Contract
Mobile Digital ID
MobileUnregistered
Password
Password-ProtectedTransport
Previous-Session
Smartcard
Smartcard-PKI
Software-PKI
Time-Sync-Token
Choose a priority level for cases where there are multiple contexts.
Proxy Authentication Configuration attributes define values for dynamic provider proxying.
Select the check box to enable proxy authentication for a service provider.
Type an identifier for each identity provider that can be used for proxy authentication in New Value and click Add. The value is a URI defined as the provider's identifier.
Enter the maximum number of identity providers that can be used for proxy authentication.
Select the check box if you want introduction cookies to be used to find the proxying identity provider.