Sun OpenSSO Enterprise 8.0 Administration Guide

Circle of Trust

A circle of trust, previously referred to as an authentication domain, is a federation of any number of service providers (and at least one identity provider) with whom principals can transact business in a secure and apparently seamless environment. To create and populate a circle of trust, you first create an entity to hold the metadata (configuration information that defines a particular identity service architecture) for each provider that will become a member of the circle of trust. Then, you configure and save the circle of trust. Finally, to add an entity (a configured provider) to the circle of trust, you edit the entity's properties.

The following tasks are associated with circles of trust:

Procedure: To Create a New Circle of Trust

Follow this procedure to create a new circle of trust. The starting point is New Circle of Trust under the Federation interface.

  1. Click New to display the circle of trust attributes.

    The New circle of trust profile page is displayed.

  2. Type a name for the circle of trust.

  3. Type a description of the circle of trust in the Description field.

  4. Type a value for the IDFF Writer Service URL.

    The IDFF Writer Service URL specifies the location of the servlet that writes the common domain cookie. Use the format http://common-domain-host:port/deployment_uri/idffwriter.

  5. Type a value for the IDFF Reader Service URL.

    The IDFF Reader Service URL specifies the location of the servlet that reads the common domain cookie. Use the format http://common-domain-host:port/deployment_uri/idffreader.

  6. Type a value for the SAML2 Writer Service URL.

    This specifies the location of the SAML2 Writer service that writes the cookie to the common domain. Use the format http://common-domain-host:port/deployment_uri/saml2writer.

  7. Type a value for the SAML2 Reader Service URL.

    This specifies the location of the SAML2 Reader service that reads the cookie from the common domain. Use the format http://common-domain-host:port/deployment_uri/saml2reader.

  8. Choose Active or Inactive.

    The default status is Active. Choosing Inactive disables communication within the circle of trust.

  9. Select the Realm in which the circle of trust will be created.

  10. Choose one or more of the available providers and click the Add arrow to select them.

    The list provided contains the names of entities that have been created and populated with providers. For more information, see To Add Providers to a Circle of Trust.

  11. Click OK to complete the configuration.

    The new circle of trust is displayed in the Circle of Trust list.

Procedure: To Modify a Circle of Trust Profile

Follow this procedure to edit the configured General attributes of an existing circle of trust, or to add providers to it. The starting point is Circle of Trust under the Federation interface.

  1. Click the name of a configured circle of trust to modify its profile, or to add providers to it.

    The Edit Circle of Trust page is displayed.

  2. Type new values or edit existing values for the circle of trust's General attributes:

    Name

    The static value of this attribute is the name provided when you created the circle of trust.

    Description

    The value of this attribute is a description of the circle of trust. You may modify the description already entered, if applicable.

    IDFF Writer Service URL

    This attribute specifies the location of the service that writes the common domain cookie. The URL is in the format http://common-domain-host:port/deployment_uri/idffwriter.

    IDFF Reader Service URL

    This attribute specifies the location of the service that reads the common domain cookie. The URL is in the format http://common-domain-host:port/deployment_uri/idffreader.

    SAML2 Writer URL

    This attribute specifies the location of the SAML2 Writer service that writes the cookie to the Common Domain. The URL is in the format http://common-domain-host:port/deployment_uri/saml2writer.

    SAML2 Reader URL

    This attribute specifies the location of the SAML2 Reader service that reads the cookie from the Common Domain. The URL is in the format http://common-domain-host:port/deployment_uri/saml2reader.

    Status

    The default status is Active. Selecting Inactive disables communication within the circle of trust.

  3. Choose one or more of the available providers and click the Add arrow to select them.

    The list provided contains the names of entities that have been created and populated with providers. For more information, see To Add Providers to a Circle of Trust.

  4. Click Save to complete the operation.
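The four reader/writer service URLs entered in step 4 through step 7 of the creation procedure, and edited under the General attributes above, all have to follow the same pattern and point at the same common domain. The following is an added example (not OpenSSO product code) that checks a profile's values against that pattern before they are typed into the console; the host cdc.example.com and the deployment URI /opensso in the sample data are hypothetical.

```python
# Added example, not OpenSSO product code: pre-flight check of a circle-of-trust
# profile's four service URLs against http://common-domain-host:port/deployment_uri/<servlet>.
from urllib.parse import urlsplit

# Expected final path segment of each attribute, as given in the procedure.
EXPECTED_SUFFIX = {
    "IDFF Writer Service URL": "idffwriter",
    "IDFF Reader Service URL": "idffreader",
    "SAML2 Writer Service URL": "saml2writer",
    "SAML2 Reader Service URL": "saml2reader",
}

def check_cot_urls(urls):
    """Return a list of problems; an empty list means every URL conforms."""
    problems, hosts = [], set()
    for attr, suffix in EXPECTED_SUFFIX.items():
        parts = urlsplit(urls.get(attr, ""))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"{attr}: must be an http(s) URL with a common-domain host")
            continue
        hosts.add(parts.hostname.lower())
        try:
            if parts.port is None:
                problems.append(f"{attr}: missing :port")
        except ValueError:
            problems.append(f"{attr}: port is not numeric")
        segments = parts.path.split("/")[1:]  # drop the leading empty segment
        if "" in segments:
            problems.append(f"{attr}: empty path segment (double slash) in {parts.path}")
        if len(segments) < 2:
            problems.append(f"{attr}: path must be /deployment_uri/{suffix}")
        elif segments[-1] != suffix:
            problems.append(f"{attr}: path must end in /{suffix}, got /{segments[-1]}")
    # The four servlets must share one common domain for the cookie to be shared.
    if len(hosts) > 1:
        problems.append(f"URLs point at different common-domain hosts: {sorted(hosts)}")
    return problems

# Constructed sample profiles (hosts and deployment URI are hypothetical).
GOOD_COT = {
    "IDFF Writer Service URL": "http://cdc.example.com:8080/opensso/idffwriter",
    "IDFF Reader Service URL": "http://cdc.example.com:8080/opensso/idffreader",
    "SAML2 Writer Service URL": "http://cdc.example.com:8080/opensso/saml2writer",
    "SAML2 Reader Service URL": "http://cdc.example.com:8080/opensso/saml2reader",
}
BAD_COT = dict(GOOD_COT)
BAD_COT["IDFF Reader Service URL"] = "http://cdc.example.com:8080/opensso//idffreader"
BAD_COT["SAML2 Reader Service URL"] = "http://other.example.com/opensso/saml2writer"
```

Running check_cot_urls(BAD_COT) reports the doubled slash, the missing port, the reader URL that points at the writer servlet, and the host that differs from the other three.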

Procedure: To Add Providers to a Circle of Trust

Identity providers and service providers must first be configured within an entity before they are available to add to a circle of trust. Once created and populated with providers, the entity (and thus the providers it contains) can be assigned to a circle of trust.

Note – An entity will not be visible in the Available Providers list until it has been populated with providers.

  1. Select one or more providers from the Available Providers list and click Add.

  2. Finish your configurations and click Save to complete the operation.

Procedure: To Delete a Circle of Trust Profile

A circle of trust must be empty of providers before you delete it. Follow this procedure to delete an existing circle of trust.

  1. Check the box next to the name of the circle of trust you want to delete.

  2. Click Delete.

    Deleting a circle of trust does not delete the providers that belong to it.