Sun OpenSSO Enterprise 8.0 Administration Reference

ID-FF Service Provider Customization

The ID-FF service provider attributes are grouped into the following sections:

Common Attributes

Provider Type

The static value of this attribute is the type of provider being configured: hosted or remote.

Description

The value of this attribute is a description of the service provider.

Protocol Support Enumeration

Choose the Liberty ID-FF release that is supported by this provider.

Signing Key

Defines the security certificate alias that is used to sign requests and responses. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

Encryption Key

Defines the security certificate alias that is used for encryption. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

Name Identifier Encryption

Select the check box to enable encryption of the name identifier.

Sign Authentication Request

If enabled, the service provider will sign all authentication requests.

Communication URLs

SOAP Endpoint

Defines a URI to the service provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.

Single Logout Service

Defines a URL to which identity providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

Single Logout Return

Defines a URL to which the identity providers can send single logout responses.

Federation Termination Service

Defines a URL to which an identity provider will send federation termination requests.

Federation Termination Return

Defines a URL to which the identity providers can send federation termination responses.

Name Registration Service

Defines a URL that will be used when communicating with the identity provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

Name Registration Return

Defines a URL to which the identity providers can send name registration responses. (Registration can occur only after a federation session is established.)

Assertion Consumer URL

Defines the URL to which an Identity Provider can send SAML assertions.

Assertion Consumer Service URL ID

If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.

Set Assertion Consumer Service URL as Default

Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.

Communication Profiles

Federation Termination

Select a profile to notify other providers of a principal’s federation termination:

Single Logout

Select a profile to notify other providers of a principal’s logout:

Name Registration

Select a profile to notify other providers of a principal’s name registration:

Supported SSO Profile

Select a profile for sending authentication requests:

Service Provider Configuration

Provider Alias

Defines an alias name for the local service provider.

Authentication Type

Select the provider that should be used for authentication requests from a provider hosted locally:

Identity Provider Forced Authentication

Select the check box to indicate that the identity provider must re-authenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.

Request Identity Provider to be Passive

Select the check box to specify that the identity provider must not interact with the principal (the user) when processing the authentication request.

Name Registration After Federation

This option, if enabled, allows for a service provider to participate in name registration after it has been federated.

Name ID Policy

An enumeration permitting requester influence over name identifier policy at the identity provider.

Affiliation Federation

Select the check box to enable affiliation federation.

Provider Status

Defines whether the service provider is active or inactive. Active, the default, means the service provider can process requests and generate responses.

Responds With

Specifies the type of statements the service provider can generate. For example, lib:AuthenticationStatement.

Service URL

List of COTs Page URL

Defines the URL that lists all of the circle of trusts to which the provider belongs.

Federate Page URL

Specifies the URL which performs the federation operation.

Home Page URL

Defines the URL of the home page of the identity provider.

Single Sign-on Failure Redirect URL

Defines the URL to which a principal will be redirected if single sign-on has failed.

Termination Done URL

Defines the URL to which a principal is redirected after federation termination is completed.

Error Page URL

Defines the URL to which a principal is directed upon an error.

Logout Done URL

Defines the URL to which a principal is directed after logout.

Plug-ins

Service Provider Adapter

Defines the implementation class for the com.sun.identity.federation.plugins.FSSPAdapter interface. The default value is:

com.sun.identity.federation.plugins.FSDefaultSPAdapter

Federation SP Adapter Env

Defines a list of environment properties to be used by the service provider adapter SPI implementation class.

User Provider Class

Specifies a pluggable class used to provide user operations such as finding a user, getting user attributes, and so forth. The default value is:

com.sun.identity.federation.accountmgmt.DefaultFSUserProvider

Name Identifier Implementation

This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

Service Provider Attribute Mapper

Attribute Mapper Class

The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.

Service Provider Attribute Mapping

Specify values to define the mappings used by the default attribute mapper plug-in specified above. Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.
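The following is an added example, not OpenSSO code: it shows how a mapping list in the SAML-attribute=local-attribute format described above can be parsed and then applied to the attributes carried in an assertion, so that only explicitly configured SAML attributes are copied into local attribute names and malformed or conflicting entries are rejected at configuration time rather than silently ignored. The entry format and the Email=emailaddress and Address=postaladdress examples come from the page; the function names and the sample assertion attributes are constructed for this example.

```python
"""Parse and apply 'SAML-attribute=local-attribute' mapping entries.

Added example (not OpenSSO code). Function names and sample data are
constructed for illustration; the entry format is the one documented
for the Service Provider Attribute Mapping setting.
"""
from typing import Dict, List


class MappingError(ValueError):
    """Raised for a mapping entry that cannot be interpreted safely."""


def parse_attribute_mappings(entries: List[str]) -> Dict[str, str]:
    """Turn a list of 'SAML-attribute=local-attribute' entries into a dict.

    Rules enforced:
      - every entry must contain exactly one '=' separating two non-empty names
      - the same SAML attribute may not be mapped to two different local names
    """
    mappings: Dict[str, str] = {}
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue  # tolerate blank lines in a pasted value list
        if entry.count("=") != 1:
            raise MappingError(f"entry must be SAML-attribute=local-attribute: {raw!r}")
        saml_attr, _, local_attr = entry.partition("=")
        saml_attr, local_attr = saml_attr.strip(), local_attr.strip()
        if not saml_attr or not local_attr:
            raise MappingError(f"empty attribute name in entry: {raw!r}")
        if saml_attr in mappings and mappings[saml_attr] != local_attr:
            raise MappingError(
                f"{saml_attr} already mapped to {mappings[saml_attr]}, not {local_attr}"
            )
        mappings[saml_attr] = local_attr
    return mappings


def map_assertion_attributes(
    assertion_attrs: Dict[str, List[str]], mappings: Dict[str, str]
) -> Dict[str, List[str]]:
    """Copy assertion attributes into local attribute names.

    Attributes that have no configured mapping are dropped: an identity
    provider cannot populate arbitrary local attributes just by including
    extra attribute elements in the assertion.
    """
    local: Dict[str, List[str]] = {}
    for saml_attr, values in assertion_attrs.items():
        local_name = mappings.get(saml_attr)
        if local_name is None:
            continue
        local[local_name] = list(values)
    return local


if __name__ == "__main__":
    # Constructed sample configuration, using the two entries from the documentation.
    configured = parse_attribute_mappings(["Email=emailaddress", "Address=postaladdress"])
    # Constructed sample of attributes as they might arrive in an assertion;
    # 'isAdmin' is not mapped and must not appear in the local result.
    received = {
        "Email": ["jdoe@example.test"],
        "Address": ["1 Main St"],
        "isAdmin": ["true"],
    }
    print(map_assertion_attributes(received, configured))
```

Validating the entries once, when the configuration is loaded, gives an early and specific error for a typo such as a missing "=" instead of a mapping that quietly never matches.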

Auto Federation

Auto Federation

Select the check box to enable auto-federation.

Auto Federation Common Attribute Name

Defines the user's common LDAP attribute name, such as telephonenumber, that is used when creating an Auto Federation Attribute Statement. The statement will contain the attribute element with this common attribute as its value.

Authentication Context

This attribute defines the service provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are:

Supported

Select the check box next to the authentication context class if the service provider supports it.

Context Reference

The Liberty-defined authentication context classes are:

  • Mobile Contract

  • Mobile Digital ID

  • MobileUnregistered

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Time-Sync-Token

Level

Choose a priority level for cases where there are multiple contexts.

Proxy Authentication Configuration

Proxy Authentication Configuration attributes define values for dynamic provider proxying.

Proxy Authentication

Select the check box to enable proxy authentication for a service provider.

Proxy Identity Providers List

Type the identifier of each identity provider that can be used for proxy authentication in New Value and click Add. The value is a URI defined as the provider's identifier.

Maximum Number of Proxies

Enter the maximum number of identity providers that can be used for proxy authentication.

Use Introduction Cookie for Proxying

Select the check box if you want introduction cookies to be used to find the proxying identity provider.