Sun OpenSSO Enterprise 8.0 Administration Guide

Trusted Partners

For information on trusted partners and to see the procedure for configuring a new Trusted Partner, see the following section.

Procedure – Trusted Partners: Selecting Partner Type and Profile

This attribute defines any trusted partner (remote to the server on which OpenSSO Enterprise is installed) that will be communicating with OpenSSO Enterprise.


Note –

The trusted partner site must have a prearranged trust relationship with one or more of the sites configured in the Site Identifiers attribute.


The first step in configuring a trusted partner is to determine the partner's role in the trust relationship. A trusted partner can be a source site (one that generates a single sign-on assertion) or a destination site (one that consumes a single sign-on assertion). For example, if the partner is the source site, this attribute is configured based on how it will send assertions. If the partner is the destination site, this attribute is configured based on the profile in which it will be receiving assertions. Following is the first part of the procedure for configuring a trusted partner. The starting point is the SAML screen under Federation.


Note –

To edit or duplicate the attributes of a trusted partner profile, click the appropriate button in the Actions column next to the configured trusted partner name.


  1. Select the role (Destination or Source) of the partner site you are configuring by checking the appropriate profile that will be used to communicate with it.

    You may choose Web Browser Artifact Profile or Web Browser POST Profile for Destination, Source, or both, or SOAP Query for Destination only. The choices made dictate which of the attributes in the following steps need to be configured.


    Note –

    Click Edit to change the role of the partner site if you are modifying an existing trusted partner.


  2. Click Next.

Procedure – Trusted Partners: Configuring Trusted Partner Attributes

Following is the second part of the procedure for configuring a trusted partner. Based on the roles selected in the first part, any of the sub-attributes listed in the following sections may need to be defined.


Note –

If you reached this page by clicking Edit or Duplicate on the SAML configuration screen under Federation, modify the trusted partner profile based on the steps below and click Save to change the values. Click Save on the SAML Profile page to complete the modification.


  1. Type in values for the Common Settings sub-attributes.

    Name

    Can be any string, such as an organization name.

    Source ID

    This is a 20-byte sequence (Base64-encoded) obtained from the partner site. It is generally the same value the partner uses for the Site ID attribute when configuring its own Site Identifiers attribute. OpenSSO Enterprise uses it to match an incoming artifact or assertion to this partner, so it must be copied exactly.

    Target

    This is the domain of the partner site (with or without a port number). When a principal requests a web page hosted in this domain, the redirect URL is taken from the values defined for this trusted partner.


    Note –

    If there are two defined entries for the same domain (one containing a port number and one without a port number), the entry with the port number takes precedence. For example, assume the following two trusted partner definitions: target=sun.com and target=sun.com:8080. If the principal is seeking http://machine.sun.com:8080/index.html, the second definition will be chosen.


    SAML URL

    The URL that points to the servlet that implements the Web Browser Artifact Profile.

    Site Attribute Mapper

    This class returns the list of attribute values that are included as AttributeStatement elements in an authentication assertion. A site attribute mapper must implement the PartnerSiteAttributeMapper interface.

    If no class is defined, no attributes will be included in the assertion.

    Name Identifier Mapper

    The class that defines how the subject of an assertion is related to an identity at the destination site. An account mapper needs to be implemented from the com.sun.identity.saml.plugins.PartnerAccountMapper interface. The default is com.sun.identity.saml.plugins.DefaultAccountMapper.

    If no class is defined, the default account mapper (com.sun.identity.saml.plugins.DefaultAccountMapper) is used.

    Version

    The SAML version used (1.0 or 1.1) to send SAML requests. To change the version or protocol, click on the Local Site Properties button and change the Protocol and Assertion attributes as necessary.

    Signing Certificate Alias

    A certificate alias that is used to verify the signature in an assertion when it is signed by the partner and the certificate cannot be found in the KeyInfo portion of the signed assertion.

  2. Type in values for the Destination sub-attributes.

    Artifact: SAML URL

    The URL that points to the servlet that implements the Web Browser Artifact Profile.

    Post: Post URL

    The URL that points to the servlet that implements the Web Browser POST Profile.

    Host List

    A list of the IP addresses, DNS host names, or client authentication certificate aliases of the hosts within the partner site that may send requests to this authority. The list ensures that the host dereferencing an artifact is indeed the intended receiver of that artifact. If the requester matches an entry in this list, the interaction continues; if the requester matches none of the entries, the request is rejected.

  3. Type in values for the Source sub-attributes.

    Artifact: SOAP URL

    The URL to the SAML SOAP Receiver.

    Authentication Type

    Authentication types that can be used with SAML:

    • Specify None if the URL to the SAML SOAP receiver is accessed using HTTP, and the SAML SOAP receiver is not protected by HTTP basic authentication.

    • Specify Basic if the URL to the SAML SOAP receiver is accessed using HTTP, and the SAML SOAP receiver is protected by HTTP basic authentication.

    • Specify SSL if the URL to the SAML SOAP receiver is accessed using HTTPS, and the SAML SOAP receiver is not protected by HTTP basic authentication.

    • Specify SSL with Basic if the URL to the SAML SOAP receiver is accessed using HTTPS, and the SAML SOAP receiver is protected by HTTP basic authentication.


    Note –

    If you are protecting the SAML SOAP receiver URL with HTTP basic authentication, you do so in the web container configuration and not in the OpenSSO Enterprise configuration. You do, however, supply the HTTP basic authentication user ID and password in the OpenSSO Enterprise configuration.


    This attribute is optional. If not specified, the default is NOAUTH. If BASICAUTH or SSLWITHBASICAUTH is specified, the User and User's Password sub-attributes are required. If SSL or SSLWITHBASICAUTH is specified, the SOAP URL must use HTTPS. Because BASICAUTH sends the user ID and password in the clear over HTTP, use SSLWITHBASICAUTH whenever the partner's SOAP receiver is protected by basic authentication.

    User

    When BASICAUTH or SSLWITHBASICAUTH is chosen as the Authentication Type, the value of this attribute defines the user identifier that protects the partner's SOAP receiver.

    User's Password

    When BASICAUTH or SSLWITHBASICAUTH is chosen as the Authentication Type, the value of this attribute defines the password for the user identifier that protects the partner's SOAP receiver.

    User's Password (reenter)

    Reenter the password defined previously.

  4. Type a value for the Post sub-attribute.

    Issuer

    The creator of a generated assertion. The default syntax is hostname:port.

  5. Click Finish.

  6. Click Save on the SAML Profile page to complete the configuration.
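The following is an added example, not part of this guide and not OpenSSO Enterprise's own code, showing how the Trusted Partners sub-attributes configured in the two procedures above are consulted at run time: Target lookup with the port-number precedence rule from the note above, Source ID lookup from a SAML 1.x artifact, and the Host List check applied to the host that dereferences the artifact. The TrustedPartner record, the PARTNERS sample configuration and the requester strings are constructed for illustration; the SourceID derivation (Base64 of a 20-byte SHA-1 digest) and the artifact layout (2-byte type code 0x0001, 20-byte SourceID, 20-byte assertion handle) follow the SAML 1.x bindings, not any OpenSSO-specific format.

```python
import base64
import hashlib
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class TrustedPartner:
    """Hypothetical in-memory form of one Trusted Partners entry; field names
    follow the sub-attributes in the guide (this is not OpenSSO's own model)."""
    name: str
    source_id: str             # Source ID: Base64 of the partner's 20-byte SourceID
    target: str                # Target: domain, optionally with :port
    soap_url: str = ""         # Artifact: SOAP URL of a Source partner
    host_list: tuple = ()      # Host List: IPs / DNS names / cert aliases of a Destination partner
    auth_type: str = "NOAUTH"  # NOAUTH, BASICAUTH, SSL or SSLWITHBASICAUTH


def source_id_for(site_identifier: str) -> str:
    """SAML 1.x SourceID: 20-byte SHA-1 digest of the site identifier, Base64-encoded."""
    return base64.b64encode(hashlib.sha1(site_identifier.encode()).digest()).decode()


def make_artifact(source_id_b64: str, assertion_handle: bytes) -> str:
    """Type 0x0001 artifact = TypeCode(2) || SourceID(20) || AssertionHandle(20), Base64."""
    source_id = base64.b64decode(source_id_b64)
    if len(source_id) != 20 or len(assertion_handle) != 20:
        raise ValueError("SourceID and AssertionHandle must each be 20 bytes")
    return base64.b64encode(b"\x00\x01" + source_id + assertion_handle).decode()


def parse_artifact(artifact: str):
    """Split an artifact into (Base64 SourceID, AssertionHandle); reject anything malformed."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != b"\x00\x01":
        raise ValueError("not a SAML 1.x type 1 artifact")
    return base64.b64encode(raw[2:22]).decode(), raw[22:]


def partner_for_target(partners, requested_url: str):
    """Destination lookup by Target. Assumption: an entry with a port matches only
    that port and beats the bare-domain entry for the same domain (the guide's
    sun.com vs sun.com:8080 example); a bare-domain entry matches any port."""
    parts = urlsplit(requested_url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    bare_match = None
    for p in partners:
        domain, _, tport = p.target.lower().partition(":")
        if host != domain and not host.endswith("." + domain):
            continue
        if tport:
            if int(tport) == port:
                return p            # host:port entry takes precedence
        elif bare_match is None:
            bare_match = p          # keep the first bare-domain entry as fallback
    return bare_match


def partner_for_artifact(partners, artifact: str):
    """Source-side lookup: the artifact's SourceID must match a configured partner;
    an artifact from an unknown SourceID is never dereferenced."""
    source_id, handle = parse_artifact(artifact)
    for p in partners:
        if p.source_id == source_id:
            return p, handle
    raise LookupError("artifact SourceID matches no trusted partner")


def requester_allowed(partner: TrustedPartner, requester: str) -> bool:
    """Host List check: the host dereferencing an artifact must be one of the
    partner's listed IP addresses, DNS names or client-certificate aliases."""
    for entry in partner.host_list:
        try:
            if ipaddress.ip_address(requester) == ipaddress.ip_address(entry):
                return True
        except ValueError:          # not both IP addresses: compare as names/aliases
            if requester.lower() == entry.lower():
                return True
    return False


# Constructed sample configuration: two Target entries for one domain (as in the
# guide's note) plus a partner with a Host List and basic auth over SSL.
SP_SOURCE_ID = source_id_for("https://sp.example.com")
PARTNERS = (
    TrustedPartner("sun-default", source_id_for("https://sun.com"), "sun.com"),
    TrustedPartner("sun-8080", source_id_for("https://sun.com:8080"), "sun.com:8080"),
    TrustedPartner("sp", SP_SOURCE_ID, "sp.example.com", soap_url="https://sp.example.com/SAMLSOAPReceiver",
                   host_list=("10.0.0.5", "sp-gw.example.com"), auth_type="SSLWITHBASICAUTH"),
)

if __name__ == "__main__":
    print(partner_for_target(PARTNERS, "http://machine.sun.com:8080/index.html").name)  # sun-8080
    print(partner_for_target(PARTNERS, "http://machine.sun.com/index.html").name)       # sun-default
    partner, _ = partner_for_artifact(PARTNERS, make_artifact(SP_SOURCE_ID, b"\x11" * 20))
    print(partner.name, requester_allowed(partner, "10.0.0.5"), requester_allowed(partner, "10.0.0.6"))
```

Two points worth noting when reading this against the console attributes: the Source ID is the only key used to tie an artifact to a partner, so a single wrong character in the pasted value makes every artifact from that partner fail the lookup (which is the safe failure), and the Host List is checked on the side that holds the assertion, so it must list every host the partner's destination site may dereference artifacts from, including load-balanced or proxied egress addresses.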