Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Entities

An entity may be configured with metadata (configuration information that defines a particular identity service architecture) for an individual identity provider, an individual service provider, or one of each. Alternatively, an entity may be configured as an affiliation, a selected group of providers of either type. Both provider and affiliation entities can be configured using the Access Manager Console.


Note –

For general information about entities, see the Liberty Metadata Description and Discovery Specification.


Provider Entity

A provider entity holds the metadata for individual providers of either type. All identity providers and service providers (both hosted and remote) must be configured within a provider entity before they can be associated with an authentication domain, or chosen to be included in an affiliate entity. Using the attributes provided in the Access Manager Console, one individual identity provider, one individual service provider, or one of each can be defined within a provider entity.

Affiliate Entity

A configured affiliation (referenced by an affiliationID) contains a grouping of provider sites. The affiliation is formed and maintained by an affiliation owner who chooses the member providers from already configured provider entities. (An affiliation is formed without regard to the boundaries of any authentication domains which might also include the providers as members.) The affiliation enables a user to federate amongst the group of associated sites. The chosen providers may invoke services either as a member of the affiliation, or individually as a provider. If services are invoked as an affiliation member, a service provider might issue an authentication request for a user on behalf of an affiliation. When authentication is secured, the user can achieve single sign-on with all members of the affiliation.

An affiliate entity holds the metadata that defines the grouping of one or more provider entities that comprise the affiliation. It does not contain the configuration information for any providers (which is defined in a provider entity), only the configuration information for the affiliation itself.


Tip –

The name identifier (a single persistent randomized string) is used to achieve single sign-on between an identity provider and a group of service providers acting as a single affiliation. If there are several service providers and identity providers in the same circle of trust, use an affiliate entity to avoid having to generate different name identifiers for commonly shared services.


Configuring an entity using the Access Manager Console is a two-step process. First, you create a provider or affiliate entity. Then, you populate the entity with either remote or hosted provider metadata (either service or identity) or affiliation information. This process is described in the following sections.

Creating Entities

This section describes the process for creating a provider entity or an affiliate entity.

Procedure: To Create a Provider Entity or an Affiliate Entity

An entity can be created but it will not be available for assignment to an authentication domain until it has been populated with provider(s). Once created and populated, the entity (and thus the member providers) can be added to an authentication domain.

  1. In the Access Manager Console, select the Federation tab.

  2. Under Federation, select the Entities tab.

  3. Select New.

    The new entity attributes are displayed.

  4. Type a value for the Entity Name.

    This field specifies the uniform resource identifier (URI) of the entity and must be unique. For example, http://shivalik.sun.com or http://provider2.com:875.

  5. (Optional) Enter a description of the entity in the Description field.

  6. Select one of the following options to define the entity’s type.

    • Select Provider and click OK.

      The new entity is now displayed as a provider in the list of configured Entities. To configure the entity, see To Configure a Provider Entity.

    • Select Affiliate, type a value for both Affiliate Name and Affiliate Owner, and click OK.

      The Affiliate Name (or affiliationID) specifies a URI that uniquely represents the affiliate entity. For example, http://shivalik.sun.com or http://provider2.com:875. The Affiliate Owner (or providerID) is the value assigned to the Entity Name attribute of the provider entity that is forming the affiliation. After entering these values and clicking OK, the new entity is displayed as an affiliate in the list of configured Entities. To configure the entity, see To Configure an Affiliate Entity.


      Note –

      Defining a service provider as the Affiliate Owner does not automatically include it as a member of the affiliate. If an owner is also a member, the provider ID must be defined as both.


Configuring Provider Entities

After you create a provider entity, you populate it with remote or hosted provider information (either service or identity). This section contains the following procedures:

Procedure: To Configure a Provider Entity

When you configure a provider entity, you are populating it with remote or hosted provider information (either service or identity). You might also be defining values for attributes that were not available when the entity was initially created. Before performing this procedure, you must have completed the steps in To Create a Provider Entity or an Affiliate Entity.

  1. In the Access Manager Console, select the Federation tab.

  2. Under Federation, select the Entities tab.

  3. Select the provider entity that you want to configure.

    Ensure that you select an entity marked as type Provider.

  4. Define values for the General, Identity Provider or Service Provider attributes by choosing from the View menu.

Procedure: To Configure General Attributes for a Provider Entity

Before performing this procedure, you must have completed the steps in To Configure a Provider Entity.

  1. Choose General from the View menu, and provide information for the Entity Common Attributes.

    Entity Common Attributes contain values that define the entity itself.

    Entity Name

    The static value of this attribute is the name that you provided when creating the entity.

    Type

    The static value of this attribute is Provider.

    Description

    The value of this optional attribute is the description that you provided when creating the entity. You can modify the description.

  2. Provide information for the Entity Contact Person Profile attributes.

    Entity Contact Person Profile attributes contain values that define the administrator of the entity.

    First Name

    Type the given name of the entity’s contact person.

    Last Name

    Type the surname of the entity’s contact person.

    Type

    Choose the type of contact from the drop-down menu:

    • Administrative

    • Billing

    • Technical

    • Other

    Company

    Type the name of the company that employs this person.

    Liberty Principal ID

    Type a URI that points to an online instance of the contact person’s personal information profile.

    Emails

    Type one or more email addresses for the contact person in New Value and click Add.

    Telephone Numbers

    Type one or more telephone numbers for the contact person in New Value and click Add.

  3. (Optional) Provide information for the Organization Profiles.

    The Organization Profiles attributes contain values that define the organizational name of the entity.

    Names

    Type the complete legal name of the entity’s organization in New Value and click Add. Use the format locale|organization-name. For example, en|organization-name.com.


    Note –

    If the Names attribute contains a value, you must also add values to the Display Names and URL attributes.


    Display Names

    Type a name that is suitable for display in New Value and click Add. Use the format locale|organization-display-name. For example, en|organization-display-name.com.

    URL

    Type a URL that can be used to direct a principal to additional information on the entity's organization in New Value and click Add. Use the format locale|organization-URL. For example, en|http://www.organization-name.com.

  4. Click Save to complete the configuration, or define additional values for the Identity Provider or Service Provider attributes by choosing from the View menu.

Procedure: To Configure Hosted or Remote Identity Provider Attributes for a Provider Entity

Before performing this procedure, you must have completed the steps in To Configure a Provider Entity.


Note –

Some of the attributes below will only be visible after you have saved the initial provider configuration.


  1. Choose Identity Provider from the View menu.

  2. Select the type of provider that you are configuring:

    • New Hosted Provider

      A hosted provider is installed on the same server as Access Manager.

    • New Remote Provider

      A remote provider is not installed on the same server as Access Manager.

  3. Provide information for the Common Attributes.

    Common Attributes contain values that generally define the identity provider.

    Provider Type

    The static value of this attribute is the type of provider being configured: hosted or remote.

    Description

    The value of this attribute is a description of the identity provider.

    Protocol Support Enumeration

    Choose the Liberty ID-FF release that is supported by this provider.

    • urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.

    • urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.

    Server Name Identifier Mapping Binding

    Name identifier mapping allows a service provider to obtain a name identifier for a principal that has federated in the namespace of a different service provider. Implementing this protocol allows the requesting service provider to communicate with the second service provider without an identity federation having been enabled. Type a URI that identifies the communication specifications in New Value and click Add.


    Note –

    Currently, the Name Identifier Mapping profile only supports SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.


    Signing Key: Key Alias

    Type the key alias that is used to sign requests and responses.

    Encryption Key: Key Alias

    Type the security certificate alias. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

    Encryption Key: Key Size

    Type the length for keys that are used by the web service consumer when interacting with another entity.


    Note –

    If the encryption method is DESede, the key size must be 192. If the encryption method is AES, the key size must be 128, 192 or 256.


    Encryption Key: Encryption Method

    Choose the method of encryption:

    • None

    • AES

    • DESede

    Name Identifier Encryption

    Select the check box to enable encryption of the name identifier.

  4. Provide information for the Communication URLs.

    Communication URLs attributes contain locations for redirects and sending requests.

    SOAP Endpoint

    Type a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.

    Single Sign-On Service URL

    Type a URL to which service providers can send single sign-on and federation requests.

    Single Logout Service

    Type a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

    Single Logout Return

    Type a URL to which the identity provider will redirect the principal after completing a logout.

    Federation Termination Service

    Type a URL to which a service provider will send federation termination requests.

    Federation Termination Return

    Type a URL to which the identity provider will redirect the principal after completing federation termination.

    Name Registration Service

    Type a URL to which a service provider will send requests to specify a new name identifier to be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.

    Name Registration Return

    Type a URL to which the identity provider will redirect the principal after HTTP name registration has been completed.

  5. Provide information for the Communication Profiles.

    Communication Profiles attributes define the transmission methods used by the identity provider.

    Federation Termination

    Select a profile to notify other providers of a principal’s federation termination:

    • HTTP Redirect

    • SOAP

    Single Logout

    Select a profile to notify other providers of a principal’s logout:

    • HTTP Redirect

    • HTTP Get

    • SOAP

    Name Registration

    Select a profile to notify other providers of a principal’s name registration:

    • HTTP Redirect

    • SOAP

    Single Sign-on/Federation

    Select a profile for sending authentication requests:

    • Browser Post (specifies a browser-based HTTP POST protocol)

    • Browser Artifact (specifies a non-browser SOAP-based protocol)

    • LECP (specifies a Liberty-enabled Client Proxy)


      Note –

      Access Manager can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.


  6. Select any of the available authentication domains to assign to the provider.

    A provider can belong to one or more authentication domains. However, a provider without a specified authentication domain cannot participate in Liberty-based communications. If no authentication domains have been created, you can define this attribute later.


    Note –

    If configuring a remote identity provider, skip to step 11. If configuring a hosted identity provider, continue with step 7.


  7. (Hosted Identity Provider Only) Provide mappings for the Authentication Context classes.

    This attribute maps the Liberty-defined authentication context classes to authentication methods available from the identity provider.

    Supported

    Select the check box next to the authentication context class if the identity provider supports it.

    Context Reference

    The Liberty-defined authentication context classes are:

    • Mobile Contract

    • Mobile Digital ID

    • MobileUnregistered

    • Password

    • Password-ProtectedTransport

    • Previous-Session

    • Smartcard

    • Smartcard-PKI

    • Software-PKI

    • Time-Sync-Token

    Key

    Choose the Access Manager authentication type to which the context is mapped.


    Note –

    See Authentication Types in Sun Java System Access Manager 7.1 Administration Guide for more information.


    Value

    Type the Access Manager authentication option.

    Priority

    Choose a priority level for cases where there are multiple contexts.

  8. (Hosted Identity Provider Only) Select any of the available provider entities to assign as a Trusted Provider and click Add.

    This attribute lists the providers that the identity provider trusts.

  9. (Hosted Identity Provider Only) Provide information for the Access Manager Configuration attributes.

    Access Manager Configuration attributes define general information regarding the instance of Access Manager being used as an identity provider.

    Provider Alias

    Type an alias name for the local identity provider.

    Authentication Type

    Select the provider that should be used for authentication requests from a provider hosted locally:

    • Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.

    • Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).

    Default Authentication Context

    Select the authentication context class (method of authentication) to use if the identity provider does not receive this information as part of a service provider request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are:

    • Password

    • Mobile Digital ID

    • Smartcard

    • Smartcard-PKI

    • MobileUnregistered

    • Software-PKI

    • Previous-Session

    • Mobile Contract

    • Time-Sync-Token

    • Password-ProtectedTransport

    Realm

    Type a value that points to the realm in which this provider is configured. For example, /sp.

    Liberty Version URI

    Type the URI of the version of the Liberty Alliance Project specification being used. The default value is http://projectliberty.org/specs/v1.

    Name Identifier Implementation

    This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

    Home Page URL

    Type the URL of the home page of the identity provider.

    Single Sign-on Failure Redirect URL

    Type the URL to which a principal will be redirected if single sign-on has failed.

    Assertion Issuer

    Type the name of the host that issues the assertion. This value might be the load balancer's host name if Access Manager is behind one.

    Generate Discovery Bootstrapping Resource Offering

    Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.

    Auto Federation

    Select the check box to enable auto-federation.

    Auto Federation Common Attribute Name

    When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the AutoFedAttribute element and this common attribute as its value.

    Attribute Statement Plug-in

    Specify a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.

    Identity Provider Attribute Mapping

    Specify values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

    SAML-attribute=local-attribute

    For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
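The procedures above state several constraints on provider settings that the console does not spell out in one place: the key size allowed for each encryption method (Encryption Key: Key Size note), the two accepted Protocol Support Enumeration URIs, the locale|value format of the Organization Profiles fields (with Display Names and URL required whenever Names is set), and the SAML-attribute=local-attribute format of Identity Provider Attribute Mapping. The following pre-flight checker, added here as an example and not code from Access Manager or this guide, encodes those constraints so that an administrator can review a settings list before entering it in the console. The dictionary layout (keys such as encryption_method and attribute_mappings) and the sample values are constructed for this example and are not an Access Manager file format.

```python
"""Pre-flight checks for Liberty ID-FF provider entity settings (added example).

The constraints come from the configuration procedures in this chapter; the
dictionary layout used for a provider's settings is an assumption of this
example, not an Access Manager format.
"""
import re

# Protocol Support Enumeration values named in the procedure.
PROTOCOL_SUPPORT = {
    "urn:liberty:iff:2003-08": "Liberty ID-FF 1.2",
    "urn:liberty:iff:2002-12": "Liberty ID-FF 1.1",
}

# Key sizes permitted per encryption method (from the Encryption Key: Key Size note).
KEY_SIZES = {
    "None": set(),
    "AES": {128, 192, 256},
    "DESede": {192},
}

# locale|value, e.g. "en|organization-name.com" or "en|http://www.organization-name.com"
LOCALE_VALUE = re.compile(r"^[A-Za-z]{2,3}(?:-[A-Za-z0-9]+)*\|.+$")
# SAML-attribute=local-attribute, e.g. "EmailAddress=mail"
ATTR_MAPPING = re.compile(r"^[^=\s]+=[^=\s]+$")


def check_encryption(method, key_size):
    """Return a list of problems with the Encryption Key settings (empty means OK)."""
    if method not in KEY_SIZES:
        return [f"unknown encryption method {method!r}"]
    if method == "None":
        return ["key size given but encryption method is None"] if key_size is not None else []
    if key_size not in KEY_SIZES[method]:
        allowed = ", ".join(str(k) for k in sorted(KEY_SIZES[method]))
        return [f"{method} key size must be one of {allowed}, got {key_size}"]
    return []


def check_organization(profile):
    """Names, Display Names and URL use locale|value; Names requires the other two."""
    problems = []
    for field in ("names", "display_names", "url"):
        for value in profile.get(field, []):
            if not LOCALE_VALUE.match(value):
                problems.append(f"{field}: {value!r} is not in locale|value format")
    if profile.get("names") and not (profile.get("display_names") and profile.get("url")):
        problems.append("Names is set, so Display Names and URL are required")
    return problems


def parse_attribute_mappings(values):
    """Parse SAML-attribute=local-attribute entries; reject malformed or duplicate SAML names."""
    mapping, problems = {}, []
    for entry in values:
        if not ATTR_MAPPING.match(entry):
            problems.append(f"mapping {entry!r} is not SAML-attribute=local-attribute")
            continue
        saml_attr, local_attr = entry.split("=", 1)
        if saml_attr in mapping:
            problems.append(f"SAML attribute {saml_attr!r} mapped twice")
            continue
        mapping[saml_attr] = local_attr
    return mapping, problems


def validate_provider(config):
    """Run every check and return the combined list of problems (empty means OK)."""
    problems = []
    psu = config.get("protocol_support_enumeration")
    if psu not in PROTOCOL_SUPPORT:
        problems.append(f"protocol support enumeration {psu!r} is not a supported Liberty ID-FF release")
    problems += check_encryption(config.get("encryption_method", "None"), config.get("key_size"))
    problems += check_organization(config.get("organization", {}))
    problems += parse_attribute_mappings(config.get("attribute_mappings", []))[1]
    return problems


# Constructed sample settings for a hosted identity provider (not real deployment data).
SAMPLE_OK = {
    "protocol_support_enumeration": "urn:liberty:iff:2003-08",
    "encryption_method": "AES",
    "key_size": 256,
    "organization": {
        "names": ["en|organization-name.com"],
        "display_names": ["en|organization-display-name.com"],
        "url": ["en|http://www.organization-name.com"],
    },
    "attribute_mappings": ["EmailAddress=mail", "Address=postaladdress"],
}

# Constructed settings with six deliberate mistakes, one per constraint above.
SAMPLE_BAD = {
    "protocol_support_enumeration": "urn:liberty:iff:2004-12",   # not a listed release
    "encryption_method": "DESede",
    "key_size": 128,                                              # DESede requires 192
    "organization": {"names": ["en|organization-name.com"], "url": ["organization-name.com"]},
    "attribute_mappings": ["EmailAddress=mail", "EmailAddress=email", "Address"],
}

if __name__ == "__main__":
    for label, cfg in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(label, validate_provider(cfg) or "OK")
```

Run the module to see the empty problem list for the first sample and the six findings for the second; the checks are deliberately independent so a single field can be validated as it is typed.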

  10. (Hosted Identity Provider Only) Provide information for the SAML Attributes.

    SAML Attributes define general information regarding SAML assertions that are sent by the identity provider.

    Assertion Interval

    Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid. A principal will remain authenticated until the assertion interval expires.

    Cleanup Interval

    Type the interval of time (in seconds) before assertions stored in the identity provider will be cleared.

    Artifact Timeout

    Type the interval of time (in seconds) to specify the timeout for assertion artifacts.

    Assertion Limit

    Type a number to define how many assertions an identity provider can issue, or how many assertions can be stored.


    Note –

    To continue configuring a hosted identity provider, skip to step 12.


  11. (Remote Identity Provider Only) Provide information for the Proxy Authentication Configuration attributes.

    Proxy Authentication Configuration attributes define values for dynamic identity provider proxying.

    Proxy Authentication

    Select the check box to enable proxy authentication for a service provider.

    Proxy Identity Providers List

    Type the identifier of each identity provider that can be used for proxy authentication in New Value and click Add. The value is a URI defined as the provider's identifier.

    Maximum Number of Proxies

    Enter the maximum number of identity providers that can be used for proxy authentication.

    Use Introduction Cookie for Proxying

    Select the check box if you want introductions to be used to find the proxying identity provider.

  12. (Optional) Provide information for the Organization Profiles.

    The Organization Profiles attributes contain values that define the organizational name of the entity.

    Names

    Type the complete legal name of the organization in New Value and click Add. Use the format locale|organization-name, for example, en|organization-name.com.


    Note –

    If the Names attribute contains a value, you must also add values to the Display Names and URL attributes.


    Display Names

    Type a name that is suitable for display to a principal in New Value and click Add. The value is defined in the format locale|organization-display-name, for example, en|organization-display-name.com.

    URL

    Type a URL that can be used to direct a principal to additional information on the entity in New Value and click Add. Use the format locale|organization-URL, for example, en|http://www.organization-name.com.

  13. Click New Contact Person to create a contact person for the provider.

    The Contact Person attributes contain information regarding a human contact for the identity provider.

    First Name

    Type the given name of the identity provider’s contact person.

    Last Name

    Type the surname of the identity provider's contact person.

    Type

    Choose the contact's role from the drop-down menu:

    • Administrative

    • Billing

    • Technical

    • Other

    Company

    Type the name of the company that employs the contact person.

    Liberty Principal Identifier

    Type the name identifier that points to an online instance of the contact person’s personal information profile.

    Emails

    Type one or more email addresses for the contact person in New Value and click Add.

    Telephone Numbers

    Type one or more telephone numbers for the contact person in New Value and click Add.

  14. Click Create to create the contact person.

  15. Click Save to complete the configuration, or define values for General or Service Provider attributes by choosing from the View menu.

Procedure: To Configure Hosted or Remote Service Provider Attributes for a Provider Entity

Before performing this procedure, you must have completed the steps in To Configure a Provider Entity.


Note –

Some of the attributes below will only be visible after you have saved the initial provider configuration.


  1. Choose Service Provider from the View menu.

  2. Select the type of provider that you are configuring:

    • New Hosted Provider

      A hosted provider is installed on the same server as Access Manager.

    • New Remote Provider

      A remote provider is not installed on the same server as Access Manager.

  3. Provide information for the Common Attributes.

    Common Attributes contain values that generally define the service provider.

    Provider Type

    The static value of this attribute is the type of provider being configured: hosted or remote. This attribute is visible only after saving your configuration.

    Description

    The value of this attribute is a description of the service provider.

    Protocol Support Enumeration

    Select the Liberty ID-FF release that is supported by this provider.

    • urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.

    • urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.

    Server Name Identifier Mapping Binding

    Name identifier mapping allows a service provider to obtain a name identifier for a principal that has federated in the namespace of a different service provider. Implementing this protocol allows the requesting service provider to communicate with the second service provider without an identity federation having been enabled. Type a URI that identifies the communication specifications in New Value and click Add.


    Note –

    Currently, the Name Identifier Mapping profile only supports SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.


    Signing Key: Key Alias

    Type the key alias that is used to sign requests and responses.

    Encryption Key: Key Alias

    Type the security certificate alias. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

    Encryption Key: Key Size

    Type the length for keys that are used by the web service consumer when interacting with another entity.

    Encryption Key: Encryption Method

    Select the method of encryption:

    • None

    • AES

    • DESede

    Name Identifier Encryption

    Select the check box to enable encryption of the name identifier.

  4. Provide information for the Communication URLs.

    Communication URLs attributes contain locations for redirects and sending requests.

    SOAP Endpoint

    Type a URI to the service provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.

    Single Logout Service

    Type a URL to which identity providers can send logout requests.

    Single Logout Return

    Type a URL to which the service provider will redirect the principal after completing a logout.

    Federation Termination Service

    Type a URL to which identity providers will send federation termination requests.

    Federation Termination Return

    Type a URL to which the service provider will redirect the principal after completing federation termination.

    Name Registration Service

    Type a URL that will be used when communicating with the identity provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

    Name Registration Return

    Type a URL to which the service provider will redirect the principal after HTTP name registration has been completed.

  5. Provide information for the Communication Profiles.

    Communication Profiles attributes define the transmission methods used by the service provider.

    Federation Termination

    Select a profile to notify other providers of a principal’s federation termination:

    • HTTP Redirect

    • SOAP

    Single Logout

    Select a profile to notify other providers of a principal’s logout:

    • HTTP Redirect

    • HTTP Get

    • SOAP

    Name Registration

    Select a profile to notify other providers of a principal’s name registration:

    • HTTP Redirect

    • SOAP

    Single Sign-on/Federation

    Select a profile for sending authentication requests:

    • Browser Post (specifies a browser-based HTTP POST protocol)

    • Browser Artifact (specifies a non-browser SOAP-based protocol)

    • LECP (specifies a Liberty-enabled Client Proxy)


      Note –

      Access Manager can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.


  6. Select any of the available authentication domains to assign to the provider.

    A provider can belong to one or more authentication domains. However, a provider without a specified authentication domain cannot participate in Liberty-based communications. If no authentication domains have been created, you can define this attribute later.


    Note –

    If configuring a remote service provider, skip to step 9. If configuring a hosted service provider, continue with step 7.


  7. (Hosted Service Provider Only) Provide a hierarchy for the Authentication Context classes.

    This attribute corresponds to the authentication level defined for an Access Manager authentication module. It will redirect the principal to the authentication type with an authentication level equal to the number defined.

    Context Reference

    The Liberty-defined authentication context classes are:

    • Password

    • Mobile Digital ID

    • Smartcard

    • Smartcard-PKI

    • MobileUnregistered

    • Software-PKI

    • Previous-Session

    • Mobile Contract

    • Time-Sync-Token

    • Password-ProtectedTransport

    Level

    Type a level for each authentication context class. The number can be any positive number.

  8. (Hosted Service Provider Only) Select any of the available provider entities to assign as a Trusted Provider and click Add.

    This attribute lists the providers that the service provider trusts.

  9. Provide information for the Service Provider attributes.

    Service Provider attributes define general information regarding the service provider.

    Assertion Consumer URL

    Type the URL to the end point that defines where a provider will send SAML assertions.

    Assertion Consumer Service URL ID

    If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.

    Set Assertion Consumer Service URL as Default

    Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.

    Sign Authentication Request

    Select the check box to make the service provider always sign authentication requests.

    Name Registration after Federation

    Select the check box to enable the service provider to participate in name registration after a principal has been federated.

    Name ID Policy

    Select the option permitting requester influence over name identifier policy at the identity provider. The options are:

    • None specifies that the identity provider will return the name identifier(s) for the principal corresponding to the federation that exists between the identity provider and the requesting service provider or affiliation group. If no such federation exists, an error will be returned.

    • One-time specifies that the identity provider will issue a temporary, one-time-use identifier for the principal after federation.

    • Federation specifies that the identity provider may start a new identity federation if one does not already exist for the principal.

    Affiliation Federation

    Select the check box to enable affiliation federation.


    Note –

    If configuring a remote service provider, skip to step 11. If configuring a hosted service provider, continue with step 10.


  10. (Hosted Service Provider Only) Provide information for the Access Manager Configuration attributes.

    Access Manager Configuration attributes define general information regarding the instance of Access Manager being used as a service provider.

    Service Provider Adapter

    Defines the implementation class for the com.sun.identity.federation.plugins.FederationSPAdapter interface, used to add application-specific processing during the federation process.

    Provider Alias

    Type an alias name for the local service provider.

    Authentication Type

    Select the provider that should be used for authentication requests from a provider hosted locally:

    • Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.

    • Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).

    Default Authentication Context

    This attribute defines the service provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are:

    • Password

    • Mobile Digital ID

    • Smartcard

    • Smartcard-PKI

    • MobileUnregistered

    • Software-PKI

    • Previous-Session

    • Mobile Contract

    • Time-Sync-Token

    • Password-ProtectedTransport

    Identity Provider Forced Authentication

    Select the check box to indicate that the identity provider must reauthenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.

    Request Identity Provider to be Passive

    Select the check box to specify that the identity provider must not interact with the principal and must interact with the user.

    Realm

    Type a value that points to the realm in which this provider is configured, for example, /sp.

    Liberty Version URI

    Type the URI of the version of the Liberty specification being used. The default value is http://projectliberty.org/specs/v1.

    Name Identifier Implementation

    This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

    Home Page URL

    Type the URL of the home page of the service provider.

    Single Sign-on Failure Redirect URL

    Type the URL to which a principal will be redirected if single sign-on has failed.

    Auto Federation

    Select the check box to enable auto-federation.

    Auto Federation Common Attribute Name

    When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the AutoFedAttribute element and this common attribute as its value.

    Attribute Mapper Class

    The class used to map attributes in the SAML assertion to user attributes defined locally by the service provider. The default class is com.sun.identity.federation.services.FSDefaultAttributeMapper.

    Service Provider Attribute Mapping

    Specify values to define the mappings used by the default attribute mapper plug-in specified above. Mappings should be configured in the format:

    SAML-attribute=local-attribute

    For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
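The mapping format above is easy to get wrong in the console, and a bad entry is only noticed when a user's profile comes back empty. The following Python code is an added example, not part of Access Manager or the FSDefaultAttributeMapper class; it parses console-style `SAML-attribute=local-attribute` entries with the same strictness an administrator would want (rejecting entries without exactly one `=`, empty names and conflicting duplicates) and then applies them to the attributes of an assertion, reporting which assertion attributes had no mapping rather than silently writing them under their SAML names. The sample entries and assertion attributes are constructed.

```python
# Added example (not Access Manager code): parse and apply console-style
# "SAML-attribute=local-attribute" mappings. Sample data is constructed.
from typing import Dict, List, Tuple


def parse_attribute_mappings(entries: List[str]) -> Dict[str, str]:
    """Parse "SAML-attribute=local-attribute" entries into a dict.

    Entries without exactly one '=' or with an empty side are rejected,
    so a typo in the console never silently drops a mapping.
    """
    mappings: Dict[str, str] = {}
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if entry.count("=") != 1:
            raise ValueError("malformed mapping (expected one '='): %r" % entry)
        saml_name, local_name = (part.strip() for part in entry.split("="))
        if not saml_name or not local_name:
            raise ValueError("empty attribute name in mapping: %r" % entry)
        if saml_name in mappings and mappings[saml_name] != local_name:
            raise ValueError("conflicting mappings for %r" % saml_name)
        mappings[saml_name] = local_name
    return mappings


def map_assertion_attributes(
    mappings: Dict[str, str],
    assertion_attributes: Dict[str, List[str]],
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Translate assertion attributes to local attribute names.

    Returns (local_attributes, unmapped). Attributes in the assertion that
    no mapping covers are listed in unmapped and are not written locally.
    """
    local: Dict[str, List[str]] = {}
    unmapped: List[str] = []
    for saml_name, values in assertion_attributes.items():
        local_name = mappings.get(saml_name)
        if local_name is None:
            unmapped.append(saml_name)
            continue
        local.setdefault(local_name, []).extend(values)
    return local, unmapped


# Constructed sample: console entries and the attribute set of one assertion.
SAMPLE_MAPPING_ENTRIES = ["EmailAddress=mail", "Address=postaladdress"]
SAMPLE_ASSERTION_ATTRIBUTES = {
    "EmailAddress": ["joe@example.com"],
    "Address": ["1 Example Way"],
    "Department": ["Engineering"],  # no mapping configured for this one
}

if __name__ == "__main__":
    mapped, skipped = map_assertion_attributes(
        parse_attribute_mappings(SAMPLE_MAPPING_ENTRIES), SAMPLE_ASSERTION_ATTRIBUTES
    )
    print("local attributes:", mapped)
    print("unmapped assertion attributes:", skipped)
```

The `unmapped` list is the part worth logging in a real deployment: an identity provider that starts sending an attribute you have not mapped is a configuration change on the partner side that you want to notice, not absorb.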

  11. Provide information for the Proxy Authentication Configuration attributes.

    Proxy Authentication Configuration attributes define values for dynamic identity provider proxying.

    Proxy Authentication

    Select the check box to enable proxy authentication for a service provider.

    Proxy Identity Providers List

    Add a list of identity providers that can be used for proxy authentication. Type the URI defined as the provider's identifier in New Value and click Add.

    Maximum Number of Proxies

    Enter the maximum number of identity providers that can be used for proxy authentication.

    Use Introduction Cookie for Proxying

    Select the check box if you want introductions to be used to find the proxying identity provider.

  12. (Optional) Provide information for the Organization Profiles.

    The Organization Profiles attributes contain values that define the organizational name of the entity.

    Names

    Type the complete legal name of the entity’s organization in New Value and click Add. Use the format locale|organization-name, for example, en|organization-name.com.


    Note –

    If the Names attribute contains a value, it is required to add values to the Display Names and URL attributes.


    Display Names

    Type a name that is suitable for display in New Value and click Add. Use the format locale|organization-display-name, for example, en|organization-display-name.com.

    URL

    Type a URL that can be used to direct a principal to additional information on the entity's organization in New Value and click Add. Use the format locale|organization-URL, for example, en|http://www.organization-name.com.

  13. Click New Contact Person to create a contact person for the provider.

    The Contact Person attributes contain information regarding a human contact for the identity provider.

    First Name

    Type the given name of the identity provider’s contact person.

    Last Name

    Type the surname of the identity provider's contact person.

    Type

    Choose the contact's role from the drop-down menu:

    • Administrative

    • Billing

    • Technical

    • Other

    Company

    Type the name of the company that employs the contact person.

    Liberty Principal Identifier

    Type the name identifier that points to an online instance of the contact person’s personal information profile.

    Emails

    Type one or more email addresses for the contact person in New Value and click Add.

    Telephone Numbers

    Type one or more telephone numbers for the contact person in New Value and click Add.

  14. Click Create to create the contact person.

  15. Click Save to complete the configuration, or define values for General or Identity Provider attributes by choosing from the View menu:

Configuring Affiliate Entities

After you create an affiliate entity, you populate it with affiliation information. This section contains the following procedures:

Procedure: To Configure an Affiliate Entity

Before performing this procedure, you must have completed the steps in To Create a Provider Entity or an Affiliate Entity.

  1. In the Access Manager Console, select the Federation tab.

  2. Under Federation, select the Entities tab.

  3. Select the entity that you want to configure.

    Ensure that you select an entity marked as type Affiliate.

  4. Define values for the General or Affiliate attribute groupings by choosing from the View menu:

Procedure: To Configure General Attributes for an Affiliate Entity

Before performing this procedure, you must have completed the steps in To Configure an Affiliate Entity.

  1. Choose General from the View menu, and provide information for the Entity Common Attributes.

    Entity Common Attributes contain values that define the entity.

    Entity Name

    The static value of this attribute is the name that you provided when creating the entity.

    Type

    The static value of this attribute is Affiliate.

    Description

    The value of this optional attribute is the description that you provided when creating the entity. You can modify the description.

  2. Provide information for the Entity Contact Person Profile attributes.

    Entity Contact Person Profile attributes contain values that define the administrator of the entity.

    First Name

    Type the given name of the entity’s contact person.

    Last Name

    Type the surname of the entity’s contact person.

    Type

    Choose the type of contact from the drop-down menu:

    • Administrative

    • Billing

    • Technical

    • Other

    Company

    Type the name of the company that employs this person.

    Liberty Principal ID

    Type a URI that points to an online instance of the contact person’s personal information profile.

    Emails

    Type one or more email addresses for the contact person in New Value and click Add.

    Telephone Numbers

    Type one or more telephone numbers for the contact person in New Value and click Add.

  3. (Optional) Provide information for the Organization Profiles.

    The Organization Profiles attributes contain values that define the organizational name of the entity.

    Names

    Type the complete legal name of the organization in New Value and click Add. Use the format locale|organization-name, for example, en|organization-name.com.


    Note –

    If the Names attribute contains a value, it is required to add values to the Display Names and URL attributes also.


    Display Names

    Type a name that is suitable for display to a principal in New Value and click Add. The value is defined in the format locale|organization-display-name. For example, en|organization-display-name.com.

    URL

    Type a URL that can be used to direct a principal to additional information on the entity in New Value and click Add. Use the format locale|organization-URL, for example, en|http://www.organization-name.com.

  4. Click Save to complete the configuration, or choose Affiliate from the View menu to configure the Affiliate attributes.

    To define values for Affiliate attributes, see To Configure Affiliate Attributes for an Affiliate Entity.

Procedure: To Configure Affiliate Attributes for an Affiliate Entity

Before performing this procedure, you must have completed the steps in To Configure an Affiliate Entity.

  1. Select any of the available provider entities to add to the affiliation.

    A provider must be a member of an authentication domain as, without a specified authentication domain, it cannot participate in Liberty-based communications. The provider can belong to one or more affiliations. Also, be sure that the selected provider has the Affiliation Federation attribute enabled and the Protocol Support Enumeration attribute set to urn:liberty:iff:2003-08 to enable the Liberty ID-FF version 1.2.

  2. Choose Affiliate from the View menu and provide information for the Common Attributes.

    Common Attributes contain values that generally define the affiliation.

    Name

    The value of this attribute is the name of the affiliation.

    Owner

    The value of this attribute is the owner of the affiliation.

    Signing Key: Key Alias

    Type the key alias that is used to sign requests and responses.

    Encryption Key: Key Alias

    Type the security certificate alias. Certificates are stored in a JKS keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

    Encryption Key: Key Size

    Type the length for keys used by the web service consumer when interacting with another entity.

    Encryption Key: Encryption Method

    Select the method of encryption:

    • None

    • AES

    • DESede

  3. Click Save to complete the configuration.

  4. Click OK to complete the configuration, or choose General from the View menu to configure the General attributes.

    To define values for General attributes, see To Configure General Attributes for an Affiliate Entity.

Deleting Entities

If an entity is to be deleted from the console, it first needs to be manually removed from the Trusted Providers list (if the provider is hosted) or the Available Providers list (if part of an affiliation).

Procedure: To Delete a Provider or Affiliate Entity

  1. In the Access Manager Console, click the Federation tab.

  2. Under Federation, select the Entities tab.

  3. Select the check box next to the entity that you want to delete.

    No warning message is displayed when performing a delete.

  4. Click Delete.

Creating and Configuring Entities using amadmin

The previous sections detailed how to create and configure entities using the Access Manager console. But entities can also be created and configured in one step using the amadmin command-line interface and prepared XML files. Rather than filling in provider attribute values manually, you would create an XML file containing the provider attributes and corresponding values and import it using amadmin. Alternatively, you can modify the sample provider metadata XML files included with Access Manager. See sample1 Directory for information.


Caution –

The format of the XML file used as input is based on the sms.dtd, located in /AccessManager-base/SUNWam/dtd. Alterations to the DTD files may hinder the operation of Access Manager.


There are two types of provider metadata (formatted in XML files) that can be used as input to amadmin:


Note –

amadmin uses different options to load the different types of metadata XML files. Information on how to use amadmin can be found in Using amadmin for Federation Management in Sun Java System Access Manager 7.1 Administration Reference. Information regarding the attributes and possible values can be found in the online help of the Access Manager console or in the following sections:


Following are instructions to load the provider metadata:

Loading Standard Metadata Using amadmin

To load metadata compliant with the Liberty ID-FF, use the following command:


amadmin --runasdn userdn --password password --import metadata_filename

This option is usually used to load provider metadata sent from a trusted partner in an XML file compliant with the Liberty ID-FF. Here is an example of a service provider metadata XML file compliant with the Liberty ID-FF.


Example 3–1 Service Provider Standard Metadata XML File for amadmin


<!--
  Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
  Use is subject to license terms.
-->

<EntityDescriptor meta:providerID="http://sp10.com" meta:cacheDuration="360" 
xmlns:meta="urn:liberty:metadata:2003-08" xmlns="urn:liberty:metadata:2003-08">
  <SPDescriptor cacheDuration="180" xmlns:meta="urn:liberty:metadata:2003-08" 
   aaa="aaa" protocolSupportEnumeration="urn:liberty:iff:2003-08">
   <KeyDescriptor use="signing">
    <EncryptionMethod>http://something/encrypt</EncryptionMethod>
     <KeySize>4567</KeySize>
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      MIIC1DCCApICBD8poYwwCwYHKoZIzjgEAwUAMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x
      IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDAeFw0w
      MzA3MzEyMzA5MDBaFw0wNDAxMjcyMzA5MDBaMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x
      IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDCCAbcw
      ggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
      +1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUP
      BPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1
      AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hM
      KBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4Vrl
      nwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKBgCNS1il+RQAQGcQ87GBFde8kf8R6ZVuaDDajFYE4/LNT
      Kr1dhEcPCtvL+iUFi44LzJf8Wxh+eA5K1mjIdxOo/UdwTpNQSqiRrm4Pq0wFG+hPnUTYLTtENkVX
      IIvfeoVDkXnF/2/i1Iu6ttZckimOPHfLzQUL4ldL4QiaYuCQF6NfMAsGByqGSM44BAMFAAMvADAs
      AhQ6yueX7YlD7IlJhJ8D4l6xYqwopwIUHzX82qCzF+VzIUhi0JG7slSpyis=
     </ds:X509Certificate>
     </ds:X509Data>
     </ds:KeyInfo>
   </KeyDescriptor>
   <SingleLogoutServiceURL>http://www.sun.com/slo</SingleLogoutServiceURL>
   <SingleLogoutServiceReturnURL>http://www.sun.com/sloservice
    </SingleLogoutServiceReturnURL>
   <FederationTerminationServiceURL>http://www.sun.com/fts
    </FederationTerminationServiceURL>
   <FederationTerminationServiceReturnURL>http://www.sun.com/ftsr
    </FederationTerminationServiceReturnURL>
   <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/
    fedterm-sp-http</FederationTerminationNotificationProtocolProfile>
   <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http
    </SingleLogoutProtocolProfile>
   <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/
    rni-sp-http</RegisterNameIdentifierProtocolProfile>
   <RegisterNameIdentifierServiceURL>http://www.sun2.com/risu
    </RegisterNameIdentifierServiceURL>
   <RegisterNameIdentifierServiceReturnURL>http://www.sun2.com/rstu
    </RegisterNameIdentifierServiceReturnURL>
   <RelationshipTerminationNotificationProtocolProfile>http://projectliberty.org/
    profiles/rel-term-soap</RelationshipTerminationNotificationProtocolProfile>
   <NameIdentifierMappingBinding AuthorityKind="ppp:AuthorizationDecisionQuery" 
    Location="http://eng.sun.com" Binding="http://www.sun.com" 
    xmlns:ppp="urn:oasis:names:tc:SAML:1.0:protocol"></NameIdentifierMappingBinding>
   <AdditionalMetaLocation namespace="abc">http://www.aol.com</AdditionalMetaLocation>
   <AdditionalMetaLocation namespace="efd">http://www.netscape.com</AdditionalMetaLocation>
   <AssertionConsumerServiceURL id="jh899" isDefault="true">
    http://www.iplanet.com/assertionurl</AssertionConsumerServiceURL>
   <AuthnRequestsSigned>true</AuthnRequestsSigned>
  </SPDescriptor>
  <ContactPerson xmlns:meta="urn:liberty:metadata:2003-08" contactType="technical" 
   meta:libertyPrincipalIdentifier="myid">
  <Company>Sun Microsystems</Company>
  <GivenName>Joe</GivenName>
  <SurName>Smith</SurName>
  <EmailAddress>joe@sun.com</EmailAddress> 
  <EmailAddress>smith@sun.com</EmailAddress>
  <TelephoneNumber>45859995</TelephoneNumber>
  </ContactPerson>
  <Organization xmlns:xml="http://www.w3.org/XML/1998/namespace">
  <OrganizationName xml:lang="en">sun com</OrganizationName>
  <OrganizationName xml:lang="en">sun micro com</OrganizationName>
  <OrganizationDisplayName xml:lang="en">sun.com</OrganizationDisplayName>
  <OrganizationURL xml:lang="en">http://www.sun.com/liberty</OrganizationURL>
  </Organization>
</EntityDescriptor>
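Metadata received from a partner is loaded with amadmin --import as-is, so it pays to check the file mechanically before importing it. The Python script below is an added example, not part of Access Manager or this guide; it parses a constructed SPDescriptor document in the layout of Example 3–1 and reports the points an administrator would otherwise verify by eye: that a providerID is present, that protocolSupportEnumeration includes urn:liberty:iff:2003-08, that a KeyDescriptor with use="signing" carries a certificate that is well-formed base64 DER, that AuthnRequestsSigned is true, and that every service endpoint is served over HTTPS. Element names and namespaces are taken from the example above; the sample document and its placeholder certificate are constructed. Run against Example 3–1 itself, the check would flag its http:// endpoints.

```python
# Added example (not Access Manager code): sanity checks on a Liberty ID-FF
# service provider metadata file before it is loaded with "amadmin --import".
# The sample document and its values are constructed.
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import List

META_NS = "urn:liberty:metadata:2003-08"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
LIBERTY_IDFF_12 = "urn:liberty:iff:2003-08"

# SPDescriptor elements whose text is an endpoint that browsers or SOAP
# messages will be sent to; these should be HTTPS URLs.
ENDPOINT_ELEMENTS = (
    "SingleLogoutServiceURL",
    "SingleLogoutServiceReturnURL",
    "FederationTerminationServiceURL",
    "FederationTerminationServiceReturnURL",
    "RegisterNameIdentifierServiceURL",
    "RegisterNameIdentifierServiceReturnURL",
    "AssertionConsumerServiceURL",
)


def _q(local: str, ns: str = META_NS) -> str:
    """Qualified tag name in ElementTree's {namespace}local form."""
    return "{%s}%s" % (ns, local)


def check_sp_metadata(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != _q("EntityDescriptor"):
        return ["root element is %s, expected Liberty EntityDescriptor" % root.tag]

    # providerID is namespaced (meta:providerID) in Example 3-1; accept both forms.
    if not (root.get(_q("providerID")) or root.get("providerID")):
        findings.append("EntityDescriptor has no providerID")

    sp = root.find(_q("SPDescriptor"))
    if sp is None:
        findings.append("no SPDescriptor element")
        return findings

    protocols = (sp.get("protocolSupportEnumeration") or "").split()
    if LIBERTY_IDFF_12 not in protocols:
        findings.append("protocolSupportEnumeration lacks %s" % LIBERTY_IDFF_12)

    if (sp.findtext(_q("AuthnRequestsSigned")) or "").strip().lower() != "true":
        findings.append("AuthnRequestsSigned is not true")

    signing_keys = [k for k in sp.findall(_q("KeyDescriptor")) if k.get("use") == "signing"]
    if not signing_keys:
        findings.append('no KeyDescriptor with use="signing"')
    for key in signing_keys:
        cert_b64 = "".join((key.findtext(".//" + _q("X509Certificate", DS_NS)) or "").split())
        try:
            der = base64.b64decode(cert_b64, validate=True)
        except (binascii.Error, ValueError):
            findings.append("signing X509Certificate is not valid base64")
            continue
        # A DER-encoded certificate always starts with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            findings.append("signing X509Certificate does not decode to DER")

    for name in ENDPOINT_ELEMENTS:
        for element in sp.findall(_q(name)):
            url = (element.text or "").strip()
            if not url.lower().startswith("https://"):
                findings.append("%s is not an https URL: %s" % (name, url))
    return findings


# Constructed sample in the layout of Example 3-1. The certificate value is a
# truncated placeholder that decodes to a DER SEQUENCE prefix, not a real cert.
SAMPLE_SP_METADATA = """<EntityDescriptor meta:providerID="http://sp.example.com"
    xmlns:meta="urn:liberty:metadata:2003-08" xmlns="urn:liberty:metadata:2003-08">
  <SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIBxDCCASygAwIBAgIBATANBgkqhkiG9w0BAQsFADAP
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutServiceURL>http://sp.example.com/slo</SingleLogoutServiceURL>
    <AssertionConsumerServiceURL id="acs1" isDefault="true">
      https://sp.example.com/acs</AssertionConsumerServiceURL>
    <AuthnRequestsSigned>true</AuthnRequestsSigned>
  </SPDescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_SP_METADATA) or ["metadata checks passed"]:
        print(finding)
```

The DER check only confirms that the certificate field is syntactically a certificate; validating the chain, subject and expiry against what the partner told you out of band still has to happen before the keystore alias is configured.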

Loading Proprietary Metadata Using amadmin

Access Manager provides proprietary attributes that are not a specific part of the Liberty ID-FF. To load Access Manager proprietary metadata, use the following command:


amadmin --runasdn userdn --password password --data proprietary_metadata_filename

After loading the metadata, the --export option can be used to export metadata compliant with the Liberty ID-FF. This file can then be exchanged with trusted partners. Here is an example of an identity provider metadata XML file for proprietary attributes.


Example 3–2 Identity Provider Proprietary Metadata XML File for amadmin


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI 
DTD//EN"    "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<Requests>
   <OrganizationRequests DN="dc=companyA,dc=com">
      <CreateHostedProvider id="http://sp.companyA.com" role="SP" 
       defaultUrlPrefix="http://sp.companyA.com:80">
          <AttributeValuePair>
              <Attribute name="iplanet-am-provider-name"/>
              <Value>sp</Value>
          </AttributeValuePair>
          <AttributeValuePair>
              <Attribute name="iplanet-am-provider-alias"/>
              <Value>sp.companyA.com</Value>
          </AttributeValuePair>
          <AttributeValuePair>
              <Attribute name="iplanet-am-list-of-authenticationdomains"/>
              <Value>samplecot</Value>
          </AttributeValuePair>
          <AttributeValuePair>
              <Attribute name="iplanet-am-certificate-alias"/>
              <Value>cert_alias</Value>
          </AttributeValuePair>
          <AttributeValuePair>
              <Attribute name="iplanet-am-trusted-providers"/>
              <Value>http://idp.companyB.com</Value>
              <Value>http://idp.companyC.com</Value>
          </AttributeValuePair>
          <SPAuthContextInfo AuthContext="Password" AuthLevel="1"/>
          <AttributeValuePair>
              <Attribute name="iplanet-am-provider-homepage-url"/>
              <Value>http://sp.companyA.com:80/idff/index.jsp</Value>
          </AttributeValuePair>
      </CreateHostedProvider>
  </OrganizationRequests>
</Requests>
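When many hosted providers have to be created, writing the request file by hand is error-prone, especially for multi-valued attributes such as the trusted providers list. The Python code below is an added example, not part of Access Manager or the amadmin tooling; it serialises a CreateHostedProvider request in the layout of Example 3–2 from plain Python values (each value of a multi-valued attribute becoming its own Value element), refuses an authentication context that is not one of the options listed in step 10 above, and reads the trusted providers back out of a generated file. The prolog and DOCTYPE are copied from the example; the attribute names and sample values follow it and are constructed. The generator emits SPAuthContextInfo after the AttributeValuePair elements, which differs from the ordering in the example, so validate the output against amAdmin.dtd before relying on it.

```python
# Added example (not Access Manager code): build an "amadmin --data" request
# file in the layout of Example 3-2 and read values back out of it.
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence, Union

# Prolog and DOCTYPE as shown in Example 3-2.
PROLOG = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 '
    'Admin CLI DTD//EN" "jar://com/iplanet/am/admin/cli/amAdmin.dtd">\n'
)

# Default authentication context options listed in step 10 of the console procedure.
KNOWN_AUTH_CONTEXTS = frozenset({
    "Password", "Mobile Digital ID", "Smartcard", "Smartcard-PKI",
    "MobileUnregistered", "Software-PKI", "Previous-Session",
    "Mobile Contract", "Time-Sync-Token", "Password-ProtectedTransport",
})

TRUSTED_PROVIDERS_ATTR = "iplanet-am-trusted-providers"


def build_hosted_sp_request(
    org_dn: str,
    provider_id: str,
    default_url_prefix: str,
    attributes: Dict[str, Union[str, Sequence[str]]],
    auth_context: str = "Password",
    auth_level: int = 1,
) -> str:
    """Serialise one hosted service provider as an amadmin --data input file.

    A multi-valued attribute (for example the trusted providers list) is
    passed as a sequence and becomes one <Value> element per entry.
    """
    if auth_context not in KNOWN_AUTH_CONTEXTS:
        raise ValueError("unknown authentication context: %r" % auth_context)
    requests = ET.Element("Requests")
    org = ET.SubElement(requests, "OrganizationRequests", DN=org_dn)
    create = ET.SubElement(
        org, "CreateHostedProvider", id=provider_id, role="SP",
        defaultUrlPrefix=default_url_prefix,
    )
    for name, value in attributes.items():
        values = [value] if isinstance(value, str) else list(value)
        if not values:
            raise ValueError("attribute %s has no values" % name)
        pair = ET.SubElement(create, "AttributeValuePair")
        ET.SubElement(pair, "Attribute", name=name)
        for v in values:
            ET.SubElement(pair, "Value").text = v  # ElementTree escapes <, > and &
    ET.SubElement(create, "SPAuthContextInfo",
                  AuthContext=auth_context, AuthLevel=str(auth_level))
    if hasattr(ET, "indent"):  # Python 3.9+, cosmetic only
        ET.indent(requests, space="    ")
    return PROLOG + ET.tostring(requests, encoding="unicode") + "\n"


def trusted_providers(xml_text: str) -> List[str]:
    """Return the iplanet-am-trusted-providers values from a request file."""
    # Parse as bytes so expat honours the ISO-8859-1 declaration in the prolog.
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    for pair in root.iter("AttributeValuePair"):
        attr = pair.find("Attribute")
        if attr is not None and attr.get("name") == TRUSTED_PROVIDERS_ATTR:
            return [(v.text or "").strip() for v in pair.findall("Value")]
    return []


# Constructed sample values following Example 3-2.
SAMPLE_ATTRIBUTES = {
    "iplanet-am-provider-name": "sp",
    "iplanet-am-provider-alias": "sp.companyA.com",
    "iplanet-am-list-of-authenticationdomains": "samplecot",
    "iplanet-am-certificate-alias": "cert_alias",
    TRUSTED_PROVIDERS_ATTR: ["http://idp.companyB.com", "http://idp.companyC.com"],
    "iplanet-am-provider-homepage-url": "http://sp.companyA.com:80/idff/index.jsp",
}

if __name__ == "__main__":
    print(build_hosted_sp_request("dc=companyA,dc=com", "http://sp.companyA.com",
                                  "http://sp.companyA.com:80", SAMPLE_ATTRIBUTES))
```

Reading the trusted providers back out of the generated file is the same check you would run on a file prepared by someone else: the entries in iplanet-am-trusted-providers are the identity providers whose assertions this service provider will accept, so that list deserves a review before the file goes to amadmin.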