Sun OpenSSO Enterprise 8.0 Administration Reference

ID-FF Entity Provider Attributes

The ID-FF provider entity is based on the Liberty-defined ID-FF (Liberty Identity Federation Framework) for implementing single sign-on with federated identities. The ID-FF provider entity allows you to assign and configure the following roles:

ID-FF Identity Provider Customization

The ID-FF identity provider attributes are grouped as follows:

Common Attributes

Provider Type

The static value of this attribute is the type of provider being configured: hosted or remote.

Description

The value of this attribute is a description of the identity provider.

Protocol Support Enumeration

Choose the Liberty ID-FF release that is supported by this provider.

Signing Key

Defines the security certificate alias that is used to sign requests and responses.

Encryption Key

Defines the security certificate alias that is used for encryption. For both the Signing Key and the Encryption Key, certificates are stored in a Java keystore file. Each certificate is mapped to an alias that is used to fetch the certificate.

Name Identifier Encryption

Select the check box to enable encryption of the name identifier.

Communication URLs

SOAP Endpoint

Defines a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.

Single Sign-on Service URL

Defines a URL to which service providers can send single sign-on and federation requests.

Single Logout Service

Defines a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

Single Logout Return

Defines a URL to which the service providers can send single logout responses.

Federation Termination Service

Defines a URL to which a service provider will send federation termination requests.

Federation Termination Return

Defines a URL to which the service providers can send federation termination responses.

Name Registration Service

Defines a URL to which a service provider will send requests to specify a new name identifier to be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.

Name Registration Return

Defines a URL to which the service providers can send name registration responses.

Communication Profiles

Federation Termination

Select a profile to notify other providers of a principal’s federation termination:

Single Logout

Select a profile to notify other providers of a principal’s logout:

Name Registration

Select a profile to notify other providers of a principal’s name registration:

Single Sign-on/Federation

Select a profile for sending authentication requests:

Identity Provider Configuration

Provider Alias

Defines the alias name for the local identity provider.

Authentication Type

Select the provider that should be used for authentication requests from a provider hosted locally:

Assertion Issuer

Defines the name of the host that issues the assertion. This value might be the load balancer's host name if OpenSSO Enterprise is behind one.

Responds With

Specifies the type of statements the identity provider can generate. For example, lib:AuthenticationStatement.

Provider Status

Defines whether the identity provider is active or inactive. Active, the default, means the identity provider can process requests and generate responses.

Service URL

Home Page URL

Defines the URL of the home page of the identity provider.

Single Sign-on Failure Redirect URL

Defines the URL to which a principal will be redirected if single sign-on has failed.

Federate Page URL

Specifies the URL which performs the federation operation.

Registration Done URL

Defines the URL to which a principal will be directed upon successful federation registration.

List of COTs Page URL

Defines the URL that lists all of the circles of trust to which the provider belongs.

Termination URL

Defines the URL to which a principal is directed upon federation termination.

Termination Done URL

Defines the URL to which a principal is redirected after federation termination is completed.

Error Page URL

Defines the URL to which a principal is directed upon an error.

Logout Done URL

Defines the URL to which a principal is directed after logout.

Plug-ins

Name Identifier Implementation

This field defines the class used by an identity provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

Attribute Statement Plug-in

Specifies a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.

User Provider Class

Specifies a pluggable class used to provide user operations such as finding a user, getting user attributes, and so forth. The default value is:

com.sun.identity.federation.accountmgmt.DefaultFSUserProvider

Identity Provider Attribute Mapper

Attribute Mapper Class

The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.

Identity Provider Attribute Mapping

Specify values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.

Bootstrapping

The bootstrapping attribute is:

Generate Discovery Bootstrapping Resource Offering

Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.

Auto Federation

Auto Federation

Select the check box to enable auto-federation.

Auto Federation Common Attribute Name

When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the attribute element and this common attribute as its value.

Authentication Context

This attribute defines the identity provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The Liberty-defined authentication context classes are:

  • Mobile Contract

  • Mobile Digital ID

  • MobileUnregistered

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Time-Sync-Token

Key

Choose the OpenSSO Enterprise authentication type to which the context is mapped.

Value

Type the OpenSSO Enterprise authentication option.

Level

Choose a priority level for cases where there are multiple contexts.

SAML Attributes

Assertion Interval

Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid.

Cleanup Interval

Type the interval of time (in seconds) between cleanup runs that remove expired assertions.

Artifact Timeout

Type the interval of time (in seconds) to specify the timeout for assertion artifacts.

Assertion Limit

Type a number to define how many assertions an identity provider can issue, or how many assertions can be stored.
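The four SAML attributes above are easiest to understand together, because they bound the same object: an assertion that is issued, redeemed through an artifact, and eventually cleaned up. The following is an added illustration, not OpenSSO Enterprise code. The page states the attributes but not their enforcement rules, so the semantics below are assumptions: an assertion is valid for Assertion Interval seconds after issue, an artifact can be resolved only once and only within Artifact Timeout seconds, the store refuses to issue beyond Assertion Limit rather than evicting, and cleanup() is what a background task would run every Cleanup Interval seconds. Time is passed in explicitly so the behaviour can be checked deterministically.

```python
"""Added example (not OpenSSO code): an in-memory assertion store that shows
how Assertion Interval, Cleanup Interval, Artifact Timeout and Assertion Limit
interact. Enforcement semantics are assumptions, not taken from the page."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Assertion:
    assertion_id: str
    subject: str
    issued_at: float
    not_on_or_after: float  # issued_at + assertion_interval


@dataclass
class AssertionStore:
    assertion_interval: int = 60   # seconds an issued assertion remains valid
    cleanup_interval: int = 180    # seconds between cleanup runs
    artifact_timeout: int = 120    # seconds within which an artifact may be redeemed
    assertion_limit: int = 1000    # maximum assertions held at once
    _assertions: dict = field(default_factory=dict)   # assertion_id -> Assertion
    _artifacts: dict = field(default_factory=dict)    # artifact -> (assertion_id, expiry)

    def issue(self, subject: str, now: float) -> tuple[str, str]:
        """Issue an assertion for `subject`; returns (artifact, assertion_id).
        Refuses when the limit is reached instead of silently evicting."""
        if len(self._assertions) >= self.assertion_limit:
            raise RuntimeError("assertion limit reached; run cleanup or raise the limit")
        aid = "a-" + secrets.token_hex(8)
        self._assertions[aid] = Assertion(aid, subject, now, now + self.assertion_interval)
        artifact = secrets.token_urlsafe(20)
        self._artifacts[artifact] = (aid, now + self.artifact_timeout)
        return artifact, aid

    def resolve_artifact(self, artifact: str, now: float):
        """One-shot resolution: the artifact is consumed whether or not it is
        still valid, so a captured artifact cannot be redeemed twice."""
        entry = self._artifacts.pop(artifact, None)
        if entry is None:
            return None
        aid, expiry = entry
        if now >= expiry:                       # Artifact Timeout exceeded
            return None
        assertion = self._assertions.get(aid)
        if assertion is None or now >= assertion.not_on_or_after:  # Assertion Interval exceeded
            return None
        return assertion

    def cleanup(self, now: float) -> int:
        """Remove expired assertions and stale artifacts; returns the count removed.
        This is the work a scheduler would run every cleanup_interval seconds."""
        expired = [aid for aid, a in self._assertions.items() if now >= a.not_on_or_after]
        for aid in expired:
            del self._assertions[aid]
        stale = [art for art, (_, exp) in self._artifacts.items() if now >= exp]
        for art in stale:
            del self._artifacts[art]
        return len(expired) + len(stale)

    def next_cleanup_due(self, last_cleanup: float) -> float:
        return last_cleanup + self.cleanup_interval

    def size(self) -> int:
        return len(self._assertions)


if __name__ == "__main__":
    # Constructed walk-through with a short interval so expiry is visible.
    store = AssertionStore(assertion_interval=60, artifact_timeout=30, assertion_limit=2)
    art, aid = store.issue("jdoe", now=1000.0)
    print("resolved:", store.resolve_artifact(art, now=1010.0))
    print("replay:", store.resolve_artifact(art, now=1011.0))
    print("removed by cleanup at t+60:", store.cleanup(now=1060.0))
```

Two design points worth noting: the artifact is removed on first use regardless of outcome, and the limit causes a hard failure. Both are deliberately conservative choices for an identity provider, where silently reusing or dropping assertions would be harder to detect than an explicit error.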

ID-FF Service Provider Customization

The ID-FF service provider attributes are grouped into the following sections:

Common Attributes

Provider Type

The static value of this attribute is the type of provider being configured: hosted or remote.

Description

The value of this attribute is a description of the service provider.

Protocol Support Enumeration

Choose the Liberty ID-FF release that is supported by this provider.

Signing Key

Defines the security certificate alias that is used to sign requests and responses. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

Encryption Key

Defines the security certificate alias that is used for encryption. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

Name Identifier Encryption

Select the check box to enable encryption of the name identifier.

Sign Authentication Request

If enabled, the service provider will sign all authentication requests.

Communication URLs

SOAP Endpoint

Defines a URI to the service provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.

Single Logout Service

Defines a URL to which identity providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

Single Logout Return

Defines a URL to which the identity providers can send single logout responses.

Federation Termination Service

Defines a URL to which an identity provider will send federation termination requests.

Federation Termination Return

Defines a URL to which the identity providers can send federation termination responses.

Name Registration Service

Defines a URL that will be used when communicating with the identity provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

Name Registration Return

Defines a URL to which the identity providers can send name registration responses. (Registration can occur only after a federation session is established.)

Assertion Consumer URL

Defines the URL to which an identity provider can send SAML assertions.

Assertion Consumer Service URL ID

If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.

Set Assertion Consumer Service URL as Default

Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.

Communication Profiles

Federation Termination

Select a profile to notify other providers of a principal’s federation termination:

Single Logout

Select a profile to notify other providers of a principal’s logout:

Name Registration

Select a profile to notify other providers of a principal’s name registration:

Supported SSO Profile

Select a profile for sending authentication requests:

Service Provider Configuration

Provider Alias

Defines an alias name for the local service provider.

Authentication Type

Select the provider that should be used for authentication requests from a provider hosted locally:

Identity Provider Forced Authentication

Select the check box to indicate that the identity provider must re-authenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.

Request Identity Provider to be Passive

Select the check box to specify that the identity provider must not interact with the principal (the user) when handling the request.

Name Registration After Federation

This option, if enabled, allows for a service provider to participate in name registration after it has been federated.

Name ID Policy

An enumeration permitting requester influence over name identifier policy at the identity provider.

Affiliation Federation

Select the check box to enable affiliation federation.

Provider Status

Defines whether the service provider is active or inactive. Active, the default, means the service provider can process requests and generate responses.

Responds With

Specifies the type of statements the service provider can generate. For example, lib:AuthenticationStatement.

Service URL

List of COTs Page URL

Defines the URL that lists all of the circles of trust to which the provider belongs.

Federate Page URL

Specifies the URL which performs the federation operation.

Home Page URL

Defines the URL of the home page of the identity provider.

Single Sign-on Failure Redirect URL

Defines the URL to which a principal will be redirected if single sign-on has failed.

Termination Done URL

Defines the URL to which a principal is redirected after federation termination is completed.

Error Page URL

Defines the URL to which a principal is directed upon an error.

Logout Done URL

Defines the URL to which a principal is directed after logout.

Plug-ins

Service Provider Adapter

Defines the implementation class for the com.sun.identity.federation.plugins.FSSPAdapter interface. The default value is:

com.sun.identity.federation.plugins.FSDefaultSPAdapter

Federation SP Adapter Env

Defines a list of environment properties to be used by the service provider adapter SPI implementation class.

User Provider Class

Specifies a pluggable class used to provide user operations such as finding a user, getting user attributes, and so forth. The default value is:

com.sun.identity.federation.accountmgmt.DefaultFSUserProvider

Name Identifier Implementation

This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

Service Provider Attribute Mapper

Attribute Mapper Class

The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.

Service Provider Attribute Mapping

Specify values to define the mappings used by the default attribute mapper plug-in specified above. Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.
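The SAML-attribute=local-attribute format is shared by the Identity Provider Attribute Mapping and the Service Provider Attribute Mapping sections above. The following is an added example, not OpenSSO Enterprise code and not the behaviour of the default attribute mapper plug-in: it parses mapping entries of that format, rejects malformed or duplicate entries so that a typo in the console does not silently drop an attribute, and applies the mappings to a local user record to produce the attribute name/value pairs an attribute statement would carry. The mapping lines, the user record, and the reporting of missing attributes are all constructed assumptions for illustration.

```python
"""Added example (not OpenSSO code): parse SAML-attribute=local-attribute
mapping entries and apply them to a local user record. Everything here,
including the sample data, is constructed for illustration."""
from __future__ import annotations


def parse_mappings(lines: list[str]) -> dict[str, str]:
    """Parse 'SAML-attribute=local-attribute' lines into {saml: local}.

    Malformed entries raise instead of being skipped: a silently ignored
    mapping would mean a missing attribute at the relying party with no
    error anywhere.
    """
    mappings: dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank or comment line
        if "=" not in line:
            raise ValueError(f"malformed mapping, expected SAML=local: {raw!r}")
        saml_name, local_name = (part.strip() for part in line.split("=", 1))
        if not saml_name or not local_name:
            raise ValueError(f"empty side in mapping: {raw!r}")
        if saml_name in mappings:
            raise ValueError(f"duplicate SAML attribute name: {saml_name}")
        mappings[saml_name] = local_name
    return mappings


def map_user_attributes(mappings: dict[str, str], user: dict) -> tuple[dict, list[str]]:
    """Return ({saml_attr: [values]}, [saml attrs whose local attr is absent]).

    Only attributes that appear in the mapping table are released; anything
    else on the user record (for example a password hash) is never copied.
    """
    statement: dict[str, list[str]] = {}
    missing: list[str] = []
    for saml_name, local_name in mappings.items():
        values = user.get(local_name)
        if values is None or values == []:
            missing.append(saml_name)
            continue
        if isinstance(values, str):
            values = [values]              # normalise single-valued attributes
        statement[saml_name] = list(values)
    return statement, missing


# Constructed sample data (not from the page).
SAMPLE_MAPPINGS = [
    "Email=emailaddress",
    "Address=postaladdress",
    "Phone=telephonenumber",
]
SAMPLE_USER = {
    "uid": "jdoe",
    "emailaddress": "jdoe@example.test",
    "postaladdress": ["1 Example Way"],
    "userpassword": "never-released",
}

if __name__ == "__main__":
    mappings = parse_mappings(SAMPLE_MAPPINGS)
    statement, missing = map_user_attributes(mappings, SAMPLE_USER)
    print("attribute statement:", statement)
    print("unresolved SAML attributes:", missing)
```

The allow-list behaviour is the point: the mapping table, not the user record, decides what leaves the provider, and a mapping whose local attribute is absent is reported rather than silently omitted.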

Auto Federation

Auto Federation

Select the check box to enable auto-federation.

Auto Federation Common Attribute Name

Defines the user's common LDAP attribute name, such as telephonenumber, used when creating an Auto Federation Attribute Statement. The statement will contain the attribute element with this common attribute as its value.

Authentication Context

This attribute defines the service provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are:

Supported

Select the check box next to the authentication context class if the service provider supports it.

Context Reference

The Liberty-defined authentication context classes are:

  • Mobile Contract

  • Mobile Digital ID

  • MobileUnregistered

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Time-Sync-Token

Level

Choose a priority level for cases where there are multiple contexts.

Proxy Authentication Configuration

Proxy Authentication Configuration attributes define values for dynamic provider proxying.

Proxy Authentication

Select the check box to enable proxy authentication for a service provider.

Proxy Identity Providers List

Type the identifier of each identity provider that can be used for proxy authentication in New Value and click Add. The value is a URI defined as the provider's identifier.

Maximum Number of Proxies

Enter the maximum number of identity providers that can be used for proxy authentication.

Use Introduction Cookie for Proxying

Select the check box if you want introduction cookies to be used to find the proxying identity provider.