test

Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

ProcedureTo Configure a Trusted Partner

The Trusted Partners attribute can contain one or more entries. Each entry is configured based on the site's defined role. For example, if the partner is the source site, this attribute is configured based on how it will send assertions. If the partner is the destination site, this attribute is configured based on which profile it uses to receive assertions.

  1. In the Access Manager Console, click the Federation tab.

  2. Under Federation, click the SAML tab.

  3. Select New under the Trusted Partners attribute.

  4. Select the role (Destination or Source) of the partner site that you are configuring by checking the appropriate profiles used to communicate with it and click Next.

    Select Web Browser Artifact Profile or Web Browser Post Profile for either Destination, Source, or both, or SOAP Query for Source. The choices made dictate which of the attributes in the following steps need to be configured.

  5. Type values for the Common Settings subattributes based on the selected roles.

    Source ID

    This is a 20–byte sequence (encoded using the Base64 format) that comes from the partner site. It is generally the same value as that used for the Site ID attribute when configuring Site Identifiers.

    Target

    This is the domain of the partner site (with or without a port number). If you want to contact a web page that is hosted in this domain, the redirect URL is picked up from the values defined in Trusted Partners.

    Note –

    If there are two defined entries for the same domain (one containing a port number and one without a port number), the entry with the port number takes precedence. For example, assume the following two trusted partner definitions: target=sun.com and target=sun.com:8080. If the principal is seeking http://machine.sun.com:8080/index.html, the second definition will be chosen.

    Site Attribute Mapper

    The class is used to return a list of attribute values defined as AttributeStatements elements in an Authentication Assertion. A site attribute mapper needs to be implemented from one of the included interfaces:

    • com.sun.identity.saml.plugins.SiteAttributeMapper

    • com.sun.identity.saml.plugins.PartnerSiteAttributeMapper

    If no class is defined, no attributes will be included in the assertion. For more information, see SiteAttributeMapper and PartnerSiteAttributeMapper Interfaces.

    Version

    The SAML version used (1.0 or 1.1) to send SAML requests. If this parameter is not defined, the following default values (defined in AMConfig.properties) are used:

    • com.example.identity.saml.assertion.version=1.1

    • com.example.identity.saml.protocol.version=1.1

    Account Mapper

    The class that defines how the subject of an assertion is related to an identity at the destination site. The default is com.sun.identity.saml.plugins.DefaultAccountMapper. An account mapper needs to be implemented from one of the included interfaces:

    • com.sun.identity.saml.plugins.AccountMapper

    • com.sun.identity.saml.plugins.PartnerAccountMapper

    If no class is defined, no attributes will be included in the assertion. For more information, see AccountMapper and PartnerAccountMapper Interfaces.

    Certificate

    A certificate alias that is used to verify the signature in an assertion when it is signed by the partner and the certificate cannot be found in the KeyInfo portion of the signed assertion.

    Host List

    A list of the IP addresses, the DNS host name, or the Certificate name for all hosts within the partner site that can send requests to this authority. This list helps to ensure that the requestor is indeed the intended receiver of the artifact. If the requester is defined in this list, the interaction will continue. If the requester’s information does not match any hosts defined in the host list, the request will be rejected.

    Issuer

    The creator of a generated assertion. The default syntax is hostname:port.

  6. Type values for the Destination subattributes.

    Artifact: SAML URL

    The URL that points to the servlet that implements the Web Browser Artifact Profile. See Web Browser Artifact Profile.

    Post: Post URL

    The URL that points to the servlet that implements the Web Browser POST Profile. See Web Browser POST Profile.

    SOAP Query: Attribute Mapper

    The class that is used to obtain single sign-on information from a query. You need to implement an attribute mapper from the included interface. If no class is specified, the DefaultAttributeMapper will be used. For more information, see com.sun.identity.saml.plugins Package.

    SOAP Query: Action Mapper

    The class that is used to get single sign-on information and map partner actions to Access Manager authorization decisions. You need to implement an action mapper from the included interface. If no class is specified, the DefaultActionMapper will be used. For more information, see com.sun.identity.saml.plugins Package.

  7. Type values for the Source subattributes.

    Artifact: SOAP URL

    The URL to the SAML SOAP Receiver. See SAML SOAP Receiver.

    Authentication Type

    Authentication types that can be used with SAML:

    • NOAUTH

    • BASICAUTH

    • SSL

    • SSLWITHBASICAUTH

    This attribute is optional. If not specified, the default is NOAUTH. If BASICAUTH or SSLWITHBASICAUTH is specified, the Trusted Partners attribute is required and should be HTTPS. For more information, see Trusted Partners.

    User

    When Basic Authentication is chosen as the Authentication Type, the value of this attribute defines the user identifier of the partner being used to protect the partner’s SOAP receiver.

    User's Password

    When Basic Authentication is chosen as the Authentication Type, the value of this attribute defines the password for the user identifier of the partner being used to protect the partner’s SOAP receiver.

    User's Password (reenter)

    Reenter the password defined previously.

  8. Click Finish to complete the configuration.