To Configure Hosted or Remote Identity Provider Attributes for a Provider Entity (Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide)

Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

To Configure Hosted or Remote Identity Provider Attributes for a Provider Entity

Before performing this procedure, you must have completed the steps in To Configure a Provider Entity.

Choose Identity Provider from the View menu.

Select the type of provider that you are configuring:
- New Hosted Provider
- New Remote Provider
A hosted provider is installed on the same server as Access Manager. A remote provider is not installed on the same server as Access Manager.

Provide information for the Common Attributes.

Common Attributes contain values that generally define the identity provider.
Provider Type

The static value of this attribute is the type of provider being configured: hosted or remote. This attribute is visible only after saving your configuration.

Description

The value of this attribute is a description of the identity provider.

Valid Until

Type the expiration date for the provider metadata. Use Coordinated Universal Time (UTC) and the format yyyy-mm-ddThh:mm:ss.SZ, for example, 2004-12-31T14:30:00.0Z.

Cache Duration

Type the maximum amount of time that the provider metadata can be cached. Use the format PnYnMnDTnHnMnS, where n is an integer. For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.

Protocol Support Enumeration
Choose the Liberty ID-FF release that is supported by this provider.
- urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.
- urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.
Server Name Identifier Mapping Binding

Name identifier mapping allows a service provider to obtain a name identifier for a principal that has federated in the namespace of a different service provider. Implementing this protocol allows the requesting service provider to communicate with the second service provider without an identity federation having been enabled. Type a URI that identifies the communication specifications.

Note –
Currently, the Name Identifier Mapping profile only supports SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.

Additional Meta Locations

Type a URL that points to other relevant metadata concerning the provider.

Signing Key: Key Alias

Type the key alias that is used to sign requests and responses.

Encryption Key: Key Alias

Type the security certificate alias. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

Encryption Key: Key Size

Type the length for keys that are used by the web service consumer when interacting with another entity.

Note –
If the encryption method is DESede, the key size must be 192. If the encryption method is AES, the key size must be 128, 192 or 256.

Encryption Key: Encryption Method
Choose the method of encryption:
- None
- AES
- DESede
Name Identifier Encryption

Select the check box to enable encryption of the name identifier.

Provide information for the Communication URLs.

Communication URLs attributes contain locations for redirects and sending requests.

SOAP Endpoint

Type a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non browser communications.

Single Sign-On Service URL

Type a URL to which service providers can send single sign-on and federation requests.

Single Logout Service

Type a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

Single Logout Return

Type a URL to which the identity provider will redirect the principal after completing a logout.

Federation Termination Service

Type a URL to which a service provider will send federation termination requests.

Federation Termination Return

Type a URL to which the identity provider will redirect the principal after completing federation termination.

Name Registration Service

Type a URL to which a service provider will send requests to specify a new name identifier to be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.

Name Registration Return

Type a URL to which the identity provider will redirect the principal after HTTP name registration has been completed.

Provide information for the Communication Profiles.

Communication Profiles attributes define the transmission methods used by the identity provider.
Federation Termination
Select a profile to notify other providers of a principal’s federation termination:
- HTTP Redirect
- SOAP
Single Logout
Select a profile to notify other providers of a principal’s logout:
- HTTP Redirect
- HTTP Get
- SOAP
Name Registration
Select a profile to notify other providers of a principal’s name registration:
- HTTP Redirect
- SOAP
Single Sign-on/Federation
Select a profile for sending authentication requests:
- Browser Post (specifies a browser-based HTTP POST protocol)
- Browser Artifact (specifies a non-browser SOAP-based protocol)
- LECP (specifies a Liberty-enabled Client Proxy)
  
  Note –
  Access Manager can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.

Select any of the available authentication domains to assign to the provider.

A provider can belong to one or more authentication domains. However, a provider without a specified authentication domain can not participate in Liberty-based communications. If no authentication domains have been created, you can define this attribute later.

Note –
To continue configuring a remote identity provider, skip to step 11.

(Hosted Identity Provider Only) Provide mappings for the Authentication Context classes.

This attribute maps the Liberty-defined authentication context classes to authentication methods available at the identity provider.
Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference
The Liberty-defined authentication context classes are:
- Password
- Mobile Digital ID
- Smartcard
- Smartcard-PKI
- MobileUnregistered
- Software-PKI
- Previous-Session
- Mobile Contract
- Time-Sync-Token
- Password-ProtectedTransport
Key

Choose the Access Manager authentication type to which the context is mapped.

Value

Type the Access Manager authentication option.

Priority

Choose a priority level for cases where there are multiple contexts.

(Hosted Identity Provider Only) Select any of the available provider entities to assign as a Trusted Provider and click Add.

This attribute tallies providers that the identity provider trusts. It is visible after the provider configuration has been saved.

(Hosted Identity Provider Only) Provide information for the Access Manager Configuration attributes.

Access Manager Configuration attributes define general information regarding the instance of Access Manager being used as an identity provider.
Provider URL

Type the URL of the local identity provider.

Provider Alias

Type an alias name for the local identity provider.

Authentication Type
Select the provider that should be used for authentication requests from a provider hosted locally:
- Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.
- Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).
Default Authentication Context
Select the authentication context class (method of authentication) to use if the identity provider does not receive this information as part of a service provider request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are as follows:
- Password
- Mobile Digital ID
- Smartcard
- Smartcard-PKI
- MobileUnregistered
- Software-PKI
- Previous-Session
- Mobile Contract
- Time-Sync-Token
- Password-ProtectedTransport
Identity Provider Forced Authentication

Select the check box to indicate that the identity provider must reauthenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.

Request Identity Provider to be Passive

Select the check box to specify that the identity provider must not interact with the principal and must interact with the user.

Realm

Type a value that points to the realm in which this provider is configured. For example, /sp.

Liberty Version URI

Type the URI of the version of the Liberty Alliance Project specification being used. The default value is http://projectliberty.org/specs/v1.

Name Identifier Implementation

This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

Home Page URL

Type the URL of the home page of the identity provider.

Single Sign-on Failure Redirect URL

Type the URL to which a principal will be redirected if single sign-on has failed.

Assertion Issuer

Type the name of the host that issues the assertion. This value might be the load balancer's host name if Access Manager is behind one.

Generate Discovery Bootstrapping Resource Offering

Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.

Auto Federation

Select the check box to enable auto-federation.

Auto Federation Common Attribute Name

When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the AutoFedAttribute element and this common attribute as its value.

Attribute Statement Plugin

Specify a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.

(Hosted Identity Provider Only) Provide information for the SAML Attributes.

SAML Attributes define general information regarding SAML assertions that are sent by the identity provider.

Assertion Interval

Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid. A principal will remain authenticated until the assertion interval expires.

Cleanup Interval

Type the interval of time (in seconds) before assertions stored in the identity provider will be cleared.

Artifact Timeout

Type the interval of time (in seconds) to specify the timeout for assertion artifacts.

Assertion Limit

Type a number to define how many assertions an identity provider can issue, or how many assertions that can be stored.

Note –
To continue configuring a hosted identity provider, skip to step 12.

(Remote Identity Provider Only) Provide information for the Proxy Authentication Configuration attributes.

Proxy Authentication Configuration attributes define values for dynamic identity provider proxying.

Enable Proxy Authentication

Select the check box to enable proxy authentication for a service provider.

Proxy Identity Providers List

Add a list of identity providers that can be used for proxy authentication. The value is a URI defined as the provider's identifier.

Maximum Number of Proxies

Enter the maximum number of identity providers that can be used for proxy authentication.

Use Introduction Cookie for Proxying

Select the check box if you want introductions to be used to find the proxying identity provider.

Provide information for the Organization Profiles.

The optional Organization Profiles attributes contain values that define the organizational name of the entity.

Names

Type the complete legal name of the organization. Use the format locale|organization-name, for example, en|organization-name.com.

Note –
If the Names attribute contains a value, it is required to add values to the Display Names and URL attributes also.

Display Names

Type a name that is suitable for display to a principal. The value is defined in the format locale|organization-display-name, for example, en|organization-display-name.com.

URL

Type a URL that can be used to direct a principal to additional information on the entity. Use the format locale|organization-URL, for example, en|http://www.organization-name.com.

Click New Contact Person to create a contact person for the provider.

The Contact Person attributes contain information regarding a human contact for the identity provider.
First Name

Type the given name of the identity provider’s contact person.

Last Name

Type the surname of the identity provider's contact person.

Type
Choose the contact's role from the drop-down menu:
- Administrative
- Billing
- Technical
- Other
Company

Type the name of the company that employs the contact person.

Liberty Principal Identifier

Type the name identifier that points to an online instance of the contact person’s personal information profile.

Emails

Type one or more email addresses for the contact person.

Telephone Numbers

Type one or more telephone numbers for the contact person.

Click Create to create the contact person.

Click Save to complete the configuration, or define values for General or Service Provider attributes by choosing from the View menu:
- To define values for General attributes, see To Configure General Attributes for a Provider Entity.
- To define values for Service Provider attributes, see To Configure Hosted or Remote Service Provider Attributes for a Provider Entity.