
Sun ONE Identity Server 6.1 Administration Guide

Chapter 5
Federation Management

This chapter describes the Federation Management interface features of the Sun™ ONE Identity Server. The Federation Management interface provides a way to view, manage and configure the metadata pertaining to the authentication domains and providers.

The features outlined in the Liberty Alliance Project specifications 1.0 are no longer supported. As there are virtually no 1.0 deployments, this does not have a serious impact.

This chapter contains the following sections:

    • Overview of Authentication Domains and Providers
    • Authentication Domains
    • Providers


Overview of Authentication Domains and Providers

The Federation Management module provides an interface for creating, modifying, and deleting authentication domains, remote providers and hosted providers. The following steps demonstrate a basic Federation Management model:

  1. Create an authentication domain.
  2. Create one or more hosted providers that belong to the created authentication domain.
  3. Create one or more remote providers that belong to the created authentication domain. You must also include the metadata for the remote providers.
  4. Establish a trusted relationship between the providers. A hosted provider can choose to trust a subset of providers, either hosted or remote, that belong to the same authentication domain.

The following sections explain how to create and configure authentication domains, remote providers, and hosted providers.
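The trust rules in the four steps above (unique provider IDs, membership in an authentication domain, an explicit trusted-provider list, and an inactive domain disabling communication), modelled as an added example; this is not Identity Server code, and the class and method names are assumptions:

```python
"""Toy model of the trust rules this chapter describes: a hosted provider only
accepts requests from providers it explicitly trusts, and only while both belong
to a shared, active authentication domain. Constructed example, not Identity Server code."""
from dataclasses import dataclass, field


@dataclass
class AuthenticationDomain:
    name: str
    active: bool = True   # inactive disables Liberty communication within the domain


@dataclass
class Provider:
    provider_id: str                           # unique across remote and hosted providers
    hosted: bool
    is_identity_provider: bool = False         # providers are service providers by default
    active: bool = True
    domains: set = field(default_factory=set)  # names of the authentication domains joined
    trusted: set = field(default_factory=set)  # trusted provider IDs (hosted providers only)


class Federation:
    def __init__(self):
        self.domains = {}
        self.providers = {}

    def add_domain(self, domain):
        self.domains[domain.name] = domain

    def add_provider(self, provider):
        if provider.provider_id in self.providers:
            raise ValueError("Provider ID must be unique across all providers")
        self.providers[provider.provider_id] = provider

    def assign_domain(self, provider_id, name):
        self.providers[provider_id].domains.add(self.domains[name].name)

    def shared_active_domains(self, a, b):
        """Active authentication domains that providers a and b both belong to."""
        common = self.providers[a].domains & self.providers[b].domains
        return {d for d in common if self.domains[d].active}

    def trust(self, hosted_id, other_id):
        """A hosted provider may trust only providers from the same domain."""
        hosted, other = self.providers[hosted_id], self.providers[other_id]
        if not hosted.hosted:
            raise ValueError("only hosted providers keep a trusted-provider list")
        if not hosted.domains & other.domains:
            raise ValueError("trusted providers must share an authentication domain")
        hosted.trusted.add(other_id)

    def accepts_request(self, hosted_id, sender_id):
        """Decide whether hosted_id processes a request from sender_id."""
        hosted = self.providers.get(hosted_id)
        sender = self.providers.get(sender_id)
        if hosted is None or sender is None:
            return False, "unknown provider"
        if not (hosted.active and sender.active):
            return False, "provider is inactive"
        if sender_id not in hosted.trusted:
            return False, "sender is not a trusted provider"
        if not self.shared_active_domains(hosted_id, sender_id):
            return False, "no shared active authentication domain"
        return True, "ok"
```

A provider that belongs to no domain, or whose only shared domain is set inactive, is refused even when it is on the trusted list, which matches the behaviour the chapter describes for inactive domains.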


Authentication Domains

This section describes how to create, modify, and delete authentication domains.

Creating An Authentication Domain

  1. Choose Authentication Domain from the View menu in the Federation Management module.
  2. Click New in the Navigation frame.
  3. The Create Authentication Domain window is displayed in the Data frame.

  4. In the Create Authentication Domain window, enter the name of the Authentication Domain.
  5. Enter a value for the description of the Authentication Domain.
  6. Enter a value for the Writer Service URL.
  7. The Writer Service URL specifies the location of the Writer service that writes the cookie from the Common Domain. For example, if example.com is the common domain, the URL could be:

    http://example.com:8080/liberty/WriterServlet

  8. Enter a value for the Reader Service URL.
  9. The Reader Service URL specifies the location of the service that reads the cookie from the Common Domain.

  10. Choose a status of active or inactive.
  11. The default is active. This can be changed at any time during the life of the Authentication Domain by selecting the Properties icon. Choosing inactive disables Liberty communication within the authentication domain, with respect to the current installation of Identity Server.

  12. Click Create.
  13. The new Authentication Domain displays in the Navigation frame.

Modifying An Authentication Domain

  1. Click on the properties arrow next to the Authentication Domain you wish to modify.
  2. The properties of the Authentication Domain display in the Data frame.

  3. Modify the properties of the Authentication Domain.
  4. Click Save.

Deleting An Authentication Domain

Deleting an authentication domain does not delete the providers that belong to it. If providers belong to an authentication domain that has been deleted, they remain part of the authentication domain until they are explicitly removed. Additional providers cannot be added to an authentication domain that has been deleted.

  1. Choose Authentication Domains from the View menu in the Federation Management module.
  2. All created Authentication Domains display in the Navigation frame.

  3. Check the box next to the name of the Authentication Domain to be deleted.
  4. Click Delete Selected.

    Note

    There is no warning message when performing a delete.



Providers

This section describes how to create, modify and delete remote and hosted providers.

Creating Remote Providers

A remote provider is an entity that receives metadata from a principal, which is an organization or an individual who interacts with the system. To create a remote provider:

  1. Choose Remote Provider from the View menu in the Federation Management module.
  2. By default, when a Provider is created, it will be a service provider. You can optionally decide to create the remote provider as an identity provider by selecting the option described in Step 15.

  3. Click New. The Create Remote Provider window is displayed.
  4. Enter a value for the Provider ID.
  5. The Provider ID should specify the URL identifier of the provider. It must be unique across all remote and hosted providers.

  6. Enter a description of the remote provider.
  7. Enter the Security Key.
  8. The Security Key defines the Security Certificate alias. The certificates are stored in the JKS keystore against an alias. This alias (the Security Key) is used to fetch the required certificate.

  9. Enter the SOAP End Point URL.
  10. This field specifies the location for the receiver of SOAP requests. This is used to communicate on the back-channel (non-browser communication) through SOAP.

  11. Enter the Single Logout Service URL.
  12. The Single Logout Service URL is used by a service provider or identity provider to send and receive logout requests.

  13. Enter the Single Logout Return URL.
  14. This specifies the URL to which logout requests are redirected after processing.

  15. Enter the Federation Termination Service URL.
  16. This field specifies the URL to which federation termination requests are sent.

  17. Enter a value for the Federation Termination Return URL.
  18. This field specifies the URL to which federation termination requests are redirected after processing.

  19. Define the Single Sign-On Service URL.
  20. This field defines the identity provider URL to which the service provider sends requests during federation and SSO. This field only needs to be defined if the Is Identity Provider option is enabled.

  21. Enter the Name Registration Service URL.
  22. This field uses the Name Registration protocol that is used by a service provider to register its own Name Identifier while communicating to an identity provider. Registration occurs only after a federation session is established. This field defines the service URL used by a service provider to register a Name Identifier with an identity provider.

  23. Enter the Name Registration Return URL.
  24. This field uses the Name Registration protocol that is used by a service provider to register its own Name Identifier while communicating to an identity provider. Registration occurs only after a federation session is established. The Name Registration Return URL is the URL to which the identity provider sends back the status of the registration.

  25. Enter the Assertion Consumer URL.
  26. This field defines the service provider end-point to which an identity provider will send SAML assertions.

  27. Decide if the remote provider is to be defined as an identity provider. By default, all providers are service providers. If selected, the Is Identity Provider option will additionally define the remote provider as an identity provider.
  28. Click Create.
  29. The new Provider displays in the Navigation frame.

Modifying Remote Providers

Once a remote provider is created, you can modify it at any time. To do so:

  1. Select Remote Providers from the View menu in the Navigation frame.
  2. Choose the provider profile you wish to modify, and click on the Edit arrow.
  3. By default the General view is displayed in the Navigation frame. Most of the fields displayed in the General view contain the data that was entered during the creation of the remote provider. The following additional field can be modified:

    Provider Succinct ID. This field uniquely identifies a service provider to an identity provider.

    The Succinct ID should be the SHA-1 hash of the provider ID string, which ensures that it is unique. To generate the hash with the OpenSSL command-line tool, pipe the provider ID to it without a trailing newline (a plain echo appends one, which produces a different digest):

    $ printf '%s' providerID | openssl sha1

    If you modify any of the fields, click Save to save the changes.

    Status. Active status enables the remote provider to participate in federation and SSO. Inactive status makes the remote provider unavailable; it will not respond to any requests.

  4. To modify the Service Provider fields, choose Service Provider from the View menu.
  5. The Assertion Consumer URL field contains data that was entered during the creation of the remote provider. However, there are additional fields that you can modify:

    Name Registration After Federation. If enabled, this option allows for a service provider to participate in name registration after it has been federated. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider.

    Is Authentication Request Signed. This option, if enabled, specifies that the remote provider send signed authentication and federation requests. The identity provider will not process unsigned requests originated from the service provider.

    Assertion Consumer URL. This field defines the provider end-point to which an identity provider will send SAML assertions.

    Federation Termination Profile. You can choose SOAP or HTTP/Redirect. This field specifies if the SOAP or HTTP/Redirect profile is to be used to notify of federation termination. This can be changed at any time during the life of the provider.

    Single Logout Profile. You can choose SOAP or HTTP Redirect. This field specifies if SOAP or HTTP Redirect is to be used to notify a logout event. This can be changed at any time during the life of the provider.

    Name Registration Profile. You can choose SOAP or HTTP/Redirect. This field specifies if the SOAP or HTTP/Redirect profile is to be used for name registration. This can be changed at any time during the life of the provider.

  6. Click Save.
  7. If the remote provider was defined as an identity provider during creation, you can modify the following fields by selecting Identity Provider in the View menu:
  8. Is Identity Provider. This field specifies if the remote provider is to be defined as an identity provider. By default, all providers are service providers. If selected, the Is Identity Provider option will additionally define the remote provider as an identity provider.

    Name Registration During SSO. If enabled, this option allows for an identity provider to participate in name registration during SSO. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider.

    Single Signon Service URL. This field defines the identity provider URL to which the service provider sends requests during federation and SSO. This field only needs to be defined if the Is Identity Provider option is enabled.

  9. Select Authentication Domains in the View menu to edit the authentication domains to which the remote provider will belong.
  10. Use the direction arrows to move a selected authentication domain into the Available list. Click Save. This will assign the provider to the authentication domain. A provider can belong to one or more authentication domains; however, a provider without any authentication domains specified cannot participate in Liberty communications.

Creating Hosted Providers

A hosted provider is an entity that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within an authentication domain. To create a hosted provider:

  1. Choose Hosted Provider from the View menu in the Federation Management module.
  2. By default, when a Provider is created, it will be a service provider. You can optionally decide to create the hosted provider as an identity provider by selecting the option described in Step 6.

  3. Click New. The Create Hosted Provider window is displayed.
  4. Enter a value for the Provider ID.
  5. The Provider ID specifies the URL identifier of the provider. It must be unique across all remote and hosted providers.

  6. Enter a description for the hosted provider.
  7. Enter the Alias for the provider.
  8. For each of the hosted providers, the alias provided in this field is added to a string called metaAlias. This string is then added to the automatically populated URLs for the hosted providers. These URLs are called metadata URLs. In the following examples, sunAlias is the alias for the provider:

    Federation Termination Service URL

    http://www.example.com:58080/amserver/ProcessTermination/metaAlias/sunAlias

    SOAP Endpoint URL

    http://www.example.com:58080/amserver/SOAPReceiver/metaAlias/sunAlias

  9. Decide if the hosted provider is to be defined as an identity provider. By default, all providers are service providers. If selected, the Is Identity Provider option will additionally define the hosted provider as an identity provider.
  10. Enter the Security Key.
  11. The Security Key defines the Security Certificate alias. The certificates are stored in the JKS keystore against an alias. This alias (the Security Key) is used to fetch the required certificate.

  12. Enter the Provider URL.
  13. This field specifies the URL from which the metadata will be sent.

  14. Decide if the hosted provider is to be defined as an identity provider. By default, all providers are service providers. If selected, the Is Identity Provider option will additionally define the hosted provider as an identity provider.
  15. Click Create.
  16. The new provider is displayed in the Navigation frame.

Modifying Hosted Providers

  1. Choose the provider profile you wish to modify, and click on the Edit arrow.
  2. By default the General view is displayed in the Navigation frame. Most of the fields displayed in the General view contain the data that was entered during the creation of the hosted provider. The following additional fields can be modified:

    SOAP End Point URL. This field specifies the location for the receiver of SOAP requests. This is used to communicate on the back-channel (non-browser communication) through SOAP.

    Single Logout Service URL. The Single Logout Service URL is used by a service provider or identity provider to send and receive logout requests.

    Single Logout Return URL. This specifies the URL to which logout requests are redirected after processing.

    Federation Termination Service URL. This field specifies the URL to which federation termination requests are sent.

    Federation Termination Return URL. This field specifies the URL to which federation termination requests are redirected after processing.

    Name Registration Service URL. This field uses the Name Registration protocol that is used by a service provider to register its own Name Identifier while communicating to an identity provider. Registration occurs only after a federation session is established. This field defines the service URL used by a service provider to register a Name Identifier with an identity provider.

    Name Registration Return URL. This field uses the Name Registration protocol that is used by a service provider to register its own Name Identifier while communicating to an identity provider. Registration occurs only after a federation session is established. The Name Registration Return URL is the URL to which the identity provider sends back the status of the registration.

    If you modify any of the fields, click Save.

  3. To modify the Service Provider fields, choose Service Provider from the View menu.
  4. The Assertion Consumer URL field contains data that was entered during the creation of the hosted provider. You can modify the following additional fields:

    Name Registration After Federation. If enabled, this option allows for a service provider to participate in name registration after it has been federated. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider.

    Is Authentication Request Signed. This option, if enabled, specifies that the hosted provider send signed authentication and federation requests. The identity provider will not process unsigned requests originated from the service provider.

    Federation Termination Profile. You can choose SOAP or HTTP/Redirect. This field specifies if the SOAP or HTTP/Redirect profile is to be used to notify of federation termination. This can be changed at any time during the life of the provider.

    Single Logout Profile. You can choose SOAP or HTTP Redirect. This field specifies if SOAP or HTTP Redirect is to be used to notify a logout event. This can be changed at any time during the life of the provider.

    Name Registration Profile. You can choose SOAP or HTTP/Redirect. This field specifies if the SOAP or HTTP/Redirect profile is to be used for name registration. This can be changed at any time during the life of the provider.

    Authentication Context. This field allows you to specify an authentication level for the authentication context to be used.

    If you modified any of the fields, click Save.

  5. If the hosted provider was defined as an identity provider during creation, you can modify the fields by selecting Identity Provider in the View menu. Most of the data contained in these fields were entered at creation. You can modify the following fields:
  6. Is Identity Provider. This field specifies if the hosted provider is to be defined as an identity provider. By default, all providers are service providers. If selected, the Is Identity Provider option will additionally define the hosted provider as an identity provider.

    Name Registration During SSO. If enabled, this option allows for an identity provider to participate in name registration during SSO. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider.

    Single Signon Service URL. This field defines the identity provider URL to which the service provider sends requests during federation and SSO. This field only needs to be defined if the Is Identity Provider option is enabled.

    Supported. Specifies if the identity provider supports the authentication context. The identity provider should support at least one authentication context.

    Context Reference. Defines the name of the authentication context. There are ten contexts defined in the Liberty protocol.

    Key. The query string sent to /UI/Login (the Identity Server authentication servlet) will contain a key-value pair identifying the authentication mechanism to be used. The possible key values are:

    • Module
    • Level
    • Role
    • Service
    • User

    Value. Defines the value of the key-value pair for the authentication mechanism.

    Priority. Indicates the ordering determined by the identity provider for the Liberty-defined authentication contexts. If the identity provider does not support the authentication context requested by the service provider during the authentication request, it can use any other authentication context that is at the same or a higher priority level.

    Click Save to save the changes.

  7. Select Authentication Domains in the View menu to edit the authentication domains to which the hosted provider will belong.
  8. Use the direction arrows to move a selected authentication domain into the Available list. Click Save. This will assign the provider to the authentication domain. A provider can belong to one or more authentication domains; however, a provider without any authentication domains specified cannot participate in Liberty communications.

  9. Choose Trusted Providers from the View menu.
  10. The hosted provider will only accept requests originating from this set of providers. Requests from other providers will be ignored. To create the list of trusted providers, select the providers from the Available field and use the Add button to add them to the Selected field. (You can remove providers by using the Remove button.) Click Save.

  11. Choose Identity Server Configuration Attributes.
  12. The fields are as follows:

    Authentication Type. Remote/Local - Specifies if the hosted provider should contact an identity provider for authentication upon receiving an authentication request (Remote), or if authentication should be done by the hosted provider itself (Local).

    Single Signon/Federation Profile. Specifies the profile used by the hosted provider for sending authentication requests. Identity Server provides the following protocols:

    • Browser Post - specifies a front-channel (HTTP POST-based) protocol.
    • Browser Artifact - specifies a back-channel (non-browser) SOAP-based protocol.

    Default Authentication Context. Specifies the authentication context to be used if the identity provider does not receive it as part of a service provider request. It also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The default values are:

    • Previous-Session
    • Time-Sync-Token
    • Smartcard
    • MobileUnregistered
    • Smartcard-PKI
    • MobileContract
    • Password
    • Password-ProtectedTransport
    • MobileDigitalID
    • Software-PKI

    Forced Authentication at Identity Provider. Indicates if the identity provider must reauthenticate the principal (even during a live session) when an authentication request is received.

    Request Identity Provider To Be Passive. If selected, this specifies that the identity provider must not interact with the principal (the user).

    Organization DN. Specifies the storage location of the DN of the organization if each hosted provider chooses to manage users across different organizations, leading to a hosted model.

    Liberty Version URI. Specifies the version of the Liberty specification.

    Name Identifier Implementation. Allows the option for a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider.

    Provider Home Page URL. Specifies the home page of the provider.

    Single Signon Failure Redirect URL. Specifies the redirect URL for failed SSO.

    Assertion Interval. Specifies the validity interval for the assertion issued by an identity provider. A principal will remain authenticated by the identity provider until the assertion interval expires.

    Cleanup Interval. Specifies the interval of time after which assertions stored in the identity provider are cleared.

    Artifact Timeout. Specifies the timeout of an identity provider for assertion artifacts.

    Assertion Limit. Specifies the number of assertions an identity provider can issue, or that can be stored.

  13. Click Save.
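How the Identity Provider view's Supported, Context Reference, Key, Value and Priority fields and the Default Authentication Context attribute combine when an authentication request arrives, as an added example that is not Identity Server code; the direction of the priority ordering (a larger number is a higher priority) and the key=value form of the /UI/Login query pair are assumptions:

```python
"""Choosing an authentication context the way this chapter describes for a hosted
identity provider: use the requested context if supported, otherwise a supported
context at the same or higher priority, and the Default Authentication Context
when the request carries none. Constructed example, not Identity Server code."""
from dataclasses import dataclass

# The ten Liberty-defined contexts listed under Default Authentication Context.
LIBERTY_CONTEXTS = (
    "Previous-Session", "Time-Sync-Token", "Smartcard", "MobileUnregistered",
    "Smartcard-PKI", "MobileContract", "Password", "Password-ProtectedTransport",
    "MobileDigitalID", "Software-PKI",
)
AUTH_KEYS = ("Module", "Level", "Role", "Service", "User")   # possible Key values


@dataclass(frozen=True)
class ContextEntry:
    reference: str    # Context Reference
    supported: bool   # Supported flag
    key: str          # Key sent to /UI/Login
    value: str        # Value sent with that key
    priority: int     # Priority; assumption: larger number = higher priority


class IdentityProviderContexts:
    def __init__(self, entries, default_context):
        self.entries = {}
        for e in entries:
            if e.reference not in LIBERTY_CONTEXTS:
                raise ValueError(f"not a Liberty-defined context: {e.reference}")
            if e.key not in AUTH_KEYS:
                raise ValueError(f"unknown key: {e.key}")
            self.entries[e.reference] = e
        if not any(e.supported for e in self.entries.values()):
            raise ValueError("identity provider must support at least one context")
        if default_context not in self.entries:
            raise ValueError("default context must be one of the configured contexts")
        self.default_context = default_context

    def select(self, requested=None):
        """Return the ContextEntry to authenticate with, or None to refuse."""
        entry = self.entries.get(requested or self.default_context)
        if entry is None:
            return None   # context not configured here: refuse rather than guess
        if entry.supported:
            return entry
        # Unsupported: any supported context at the same or a higher priority
        # qualifies; take the closest so authentication is not escalated needlessly.
        candidates = [e for e in self.entries.values()
                      if e.supported and e.priority >= entry.priority]
        return min(candidates, key=lambda e: e.priority) if candidates else None

    def login_query(self, entry):
        """Key-value pair for the /UI/Login query string (assumed key=value form)."""
        return f"{entry.key}={entry.value}"
```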

Deleting Providers

  1. Choose Provider from the View menu in Federation Management.
  2. All created Providers display in the Navigation frame.

  3. Check the boxes of the Providers you want to delete.
  4. Click Delete Selected.

    Note

    There is no warning message when performing a delete.






Copyright 2003 Sun Microsystems, Inc. All rights reserved.