The ID-FF identity provider attributes are grouped as follows:
The static value of this attribute is the type of provider being configured: hosted or remote
The value of this attribute is a description of the identity provider.
Choose the Liberty ID-FF release that is supported by this provider.
urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.
urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.
Defines the security certificate alias that is used to sign requests and responses.
Defines the security certificate alias that is used for encryption for the Signing Key and Encryption Key. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.
Select the check box to enable encryption of the name identifier.
Defines a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non browser communications.
Defines a URL to which service providers can send single sign-on and federation requests.
Defines a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.
Defines a URL to which the service providers can send single logout responses.
Defines a URL to which a service provider will send federation termination requests.
Defines a URL to which the service providers can send federation termination responses.
Defines a URL to which a service provider will send requests to specify a new name identifier to be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.
Defines a URL to which the service providers can send name registration responses.
Select a profile to notify other providers of a principal’s federation termination:
Select a profile to notify other providers of a principal’s logout:
Select a profile to notify other providers of a principal’s name registration:
Select a profile for sending authentication requests:
Browser Post (specifies a browser-based HTTP POST protocol)
Browser Artifact (specifies a non-browser SOAP-based protocol)
LECP (specifies a Liberty-enabled Client Proxy)
OpenSSO Enterprise can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.
Defines the alias name for the local identity provider.
Select the provider that should be used for authentication requests from a provider hosted locally:
Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.
Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).
Defines the name of the host that issues the assertion. This value might be the load balancer's host name if OpenSSO Enterprise is behind one.
Specifies the type of statements the identity provider can generate. For example lib:AuthenticationStatement.
Defines whether the identity provider is active or inactive. Active, the default, means the identity provider can process requests and generate responses.
Defines the URL of the home page of the identity provider.
Defines the URL to which a principal will be redirected if single sign-on has failed.
Specifies the URL which performs the federation operation.
Defines the URL to which a principal will be directed upon successful Federation registration.
Defines the URL that lists all of the circle of trusts to which the provider belongs.
Defines the URL to which a principal is directed upon Federation termination.
Defines the URL to which a principal is redirected after federation termination is completed.
Defines the URL to which a principal is directed upon an error.
Defines the URL to which a principal is directed after logout.
This field defines the class used by an identity provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
Specifies a plug-able class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.
Specifies a plug-able class used to provide user operations such as finding a user, getting user attributes, and so forth . The default value is:
The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.
Specify values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:
For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.
The bootstrapping attribute is:
Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.
Select the check box to enable auto-federation.
When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the attribute element and this common attribute as its value.
This attribute defines the identity provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource.
Select the check box next to the authentication context class if the identity provider supports it.
The Liberty-defined authentication context classes are:
Mobile Digital ID
Choose the OpenSSO Enterprise authentication type to which the context is mapped.
Type the OpenSSO Enterprise authentication option.
Choose a priority level for cases where there are multiple contexts.
Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid.
Type the interval of time (in seconds) before a cleanup is performed to expired assertions.
Type the interval of time (in seconds) to specify the timeout for assertion artifacts.
Type a number to define how many assertions an identity provider can issue, or how many assertions that can be stored.