The Federation component in the Access Manager Console provides an interface for configuring, modifying, and deleting authentication domains, and identity and service providers. To create and populate an authentication domain, you first create an entity to hold the metadata for each provider that will become a member of the authentication domain. Then, you configure and save the authentication domain. Finally, to add an entity to the authentication domain, you edit the entity's properties. The following sections contain more information:
In a federation setup, all service providers and identity providers must share a synchronized clock. Synchronize the clocks by pointing every provider at a common external time source, or, where network latency causes responses to arrive late, adjust the timeouts so that delayed responses are still accepted rather than discarded.
In Access Manager an entity can contain configuration information for an individual identity provider, an individual service provider, or one of each. An entity can also contain configuration information for an affiliation, a group of providers of either type. Both provider and affiliation entities can be configured using the Access Manager Console.
For general information about entities, see the Liberty Metadata Description and Discovery Specification.
A provider entity holds the metadata for individual providers of either type. All identity providers and service providers must first be configured within a provider entity. After they are configured in an entity, they can be associated with an authentication domain, or chosen to be included in an affiliate entity. Using the descriptor attributes, one individual identity provider, one individual service provider, or one of each can be defined within a provider entity.
An affiliate entity holds the metadata that defines a group of one or more providers that was formed without regard to the boundaries of an authentication domain. This affiliation (referenced by an affiliationID) is formed and maintained by an affiliation owner (referenced by the providerID of the entity that defined it) who chooses the trusted providers from already configured provider entities. Members of the affiliation may invoke services either as a member of the affiliation (using the affiliationID), or individually (using their providerID). For example, when a service provider issues an authentication request on behalf of an affiliation, the AffiliationID will be used to achieve single sign-on and the identity provider will resolve federations based on the same AffiliationID. The affiliate entity itself does not contain the configuration information for any providers, only the configuration information for the entity.
The name identifier (a single persistent randomized string) is used to achieve single sign-on between an identity provider and a group of service providers acting as a single affiliation. If there are several service providers and identity providers in the same circle of trust, use an affiliate entity to avoid having to generate different name identifiers for commonly shared services.
Creating an entity is a two-step process. First, you create a provider or affiliate entity. Then, you populate the entity with remote or hosted provider information (either service or identity) or affiliation information. This process is described in the following sections:
This section describes the process for creating a provider entity or an affiliate entity.
An entity can be created but it will not be available for assignment to an authentication domain until it has been populated with provider(s). Once created and configured, the entity (and thus the providers) can be added to an authentication domain.
In the Access Manager Console, select the Federation tab.
Under Federation, select the Entities tab.
Select New.
The new entity attributes are displayed.
Type a value for the Entity Name.
This field specifies the Uniform Resource Identifier (URI) of the entity and must be unique. For example, http://shivalik.sun.com or http://provider2.com:875.
(Optional) Enter a description of the entity in the Description field.
Select one of the following options to define the entity’s type.
Select Provider and click OK.
The new entity is now displayed as a provider in the list of configured Entities. To configure the entity, see To Configure a Provider Entity.
Select Affiliate, type a value for both Affiliate Name and Affiliate Owner, and click OK.
The Affiliate Name (also referred to as the affiliation ID) specifies a URI defined by the Affiliate Owner that uniquely represents the affiliate entity, for example, http://shivalik.sun.com or http://provider2.com:875. The Affiliate Owner is the provider ID of the service provider (defined in a provider entity) that is forming the affiliation. After entering these values and clicking OK, the new entity is displayed as an affiliate in the list of configured Entities. To configure the entity, see To Configure an Affiliate Entity.
Defining a service provider as the Affiliate Owner does not automatically include it as a member of the affiliate. If an owner is also a member, the provider ID must be defined in both attributes.
After you create a provider entity, you populate it with remote or hosted provider information (either service or identity). This section contains the following procedures:
To Configure Hosted or Remote Identity Provider Attributes for a Provider Entity
To Configure Hosted or Remote Service Provider Attributes for a Provider Entity
When you configure a provider entity, you are populating it with remote or hosted provider information (either service or identity). You might also be configuring values for attributes that were not available when the entity was initially created.
In the Access Manager Console, select the Federation tab.
Under Federation, select the Entities tab.
Select the provider entity that you want to configure.
Ensure that you select an entity marked as type Provider.
Define values for the General, Identity Provider or Service Provider attributes by choosing from the View menu:
To define values for General attributes, see To Configure General Attributes for a Provider Entity.
To define values for Identity Provider attributes, see To Configure Hosted or Remote Identity Provider Attributes for a Provider Entity.
To define values for Service Provider attributes, see To Configure Hosted or Remote Service Provider Attributes for a Provider Entity.
Before performing this procedure, you must have completed the steps in To Configure a Provider Entity.
Choose General from the View menu, and provide information for the Entity Common Attributes.
Entity Common Attributes contain values that define the entity itself.
The static value of this attribute is the name that you provided when creating the entity.
The static value of this attribute is Provider.
The value of this optional attribute is the description that you provided when creating the entity. You can modify the description.
Type the expiration date for the entity metadata. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For example, 2004-12-31T14:30:00.0Z.
Type the maximum amount of time that the entity metadata can be cached. Use the format PnYnMnDTnHnMnS, where n is an integer variable. For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.
Provide information for the Entity Contact Person Profile attributes.
Entity Contact Person Profile attributes contain values that define the administrator of the entity.
Type the given name of the entity’s contact person.
Type the surname of the entity’s contact person.
Choose the type of contact from the drop-down menu:
Administrative
Billing
Technical
Other
Type the name of the company that employs this person.
Type a URI that points to an online instance of the contact person’s personal information profile.
Type one or more email addresses for the contact person.
Type one or more telephone numbers for the contact person.
(Optional) Provide information for the Organization Profiles.
The Organization Profiles attributes contain values that define the organizational name of the entity.
Type the complete legal name of the entity’s organization. Use the format locale|organization-name. For example, en|organization-name.com.
If the Names attribute contains a value, you must also add values to the Display Names and URL attributes.
Type a name that is suitable for display. Use the format locale|organization-display-name. For example, en|organization-display-name.com.
Type a URL that can be used to direct a principal to additional information on the entity's organization. Use the format locale|organization-URL. For example, en|http://www.organization-name.com.
Click Save to complete the configuration, or define values for Identity Provider or Service Provider attributes by choosing from the View menu:
To define values for Identity Provider attributes, see To Configure Hosted or Remote Identity Provider Attributes for a Provider Entity.
To define values for Service Provider attributes, see To Configure Hosted or Remote Service Provider Attributes for a Provider Entity.
Before performing this procedure, you must have completed the steps in To Configure a Provider Entity.
Choose Identity Provider from the View menu.
Select the type of provider that you are configuring:
New Hosted Provider
New Remote Provider
A hosted provider is installed on the same server as Access Manager. A remote provider is not installed on the same server as Access Manager.
Provide information for the Common Attributes.
Common Attributes contain values that generally define the identity provider.
The static value of this attribute is the type of provider being configured: hosted or remote. This attribute is visible only after saving your configuration.
The value of this attribute is a description of the identity provider.
Type the expiration date for the provider metadata. Use Coordinated Universal Time (UTC) and the format yyyy-mm-ddThh:mm:ss.SZ, for example, 2004-12-31T14:30:00.0Z.
Type the maximum amount of time that the provider metadata can be cached. Use the format PnYnMnDTnHnMnS, where n is an integer. For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.
Choose the Liberty ID-FF release that is supported by this provider.
urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.
urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.
Name identifier mapping allows a service provider to obtain a name identifier for a principal that has federated in the namespace of a different service provider. Implementing this protocol allows the requesting service provider to communicate with the second service provider without an identity federation having been enabled. Type a URI that identifies the communication specifications.
Currently, the Name Identifier Mapping profile only supports SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
Type a URL that points to other relevant metadata concerning the provider.
Type the key alias that is used to sign requests and responses.
Type the security certificate alias. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.
Type the length for keys that are used by the web service consumer when interacting with another entity.
If the encryption method is DESede, the key size must be 192. If the encryption method is AES, the key size must be 128, 192 or 256.
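As an added example (not code from the Access Manager documentation or product), the following Python script validates the provider metadata values described above: the validUntil timestamp in the yyyy-mm-ddThh:mm:ss.SZ format and the cacheDuration in the PnYnMnDTnHnMnS format from the General and Common Attributes, together with the encryption method and key size pairing (DESede requires 192; AES allows 128, 192 or 256). The attribute names validUntil, cacheDuration, encryptionMethod and keySize, the sample values and the fixed check time are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# cacheDuration is documented as PnYnMnDTnHnMnS (an ISO 8601 duration).
DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)
# validUntil is documented as yyyy-mm-ddThh:mm:ss.SZ in UTC (".S" = fractional seconds).
VALID_UNTIL_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\.(\d+)Z$"
)
# Key sizes the page allows for each name-identifier encryption method.
ALLOWED_KEY_SIZES = {"None": set(), "AES": {128, 192, 256}, "DESede": {192}}


def parse_cache_duration(value: str) -> dict:
    """Return the duration components, or raise ValueError for a malformed value."""
    m = DURATION_RE.match(value)
    # "P" or "PT" match the regex but carry no component at all, so reject them too.
    if not m or not any(m.groups()):
        raise ValueError(f"cacheDuration {value!r} is not of the form PnYnMnDTnHnMnS")
    names = ("years", "months", "days", "hours", "minutes", "seconds")
    return {n: int(g) if g else 0 for n, g in zip(names, m.groups())}


def parse_valid_until(value: str) -> datetime:
    """Return a timezone-aware UTC datetime, or raise ValueError for a malformed value."""
    m = VALID_UNTIL_RE.match(value)
    if not m:
        raise ValueError(f"validUntil {value!r} is not of the form yyyy-mm-ddThh:mm:ss.SZ")
    y, mo, d, h, mi, s, frac = m.groups()
    micro = int((frac + "000000")[:6])  # pad/truncate the fraction to microseconds
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro,
                    tzinfo=timezone.utc)


def check_encryption(method: str, key_size) -> list:
    """Return (field, message) findings for an invalid method/key-size pairing."""
    findings = []
    if method not in ALLOWED_KEY_SIZES:
        findings.append(("encryptionMethod",
                         f"unknown method {method!r}; expected None, AES or DESede"))
    elif method != "None" and key_size not in ALLOWED_KEY_SIZES[method]:
        allowed = ", ".join(str(k) for k in sorted(ALLOWED_KEY_SIZES[method]))
        findings.append(("keySize", f"{method} requires a key size of {allowed}, got {key_size!r}"))
    return findings


def validate_common_attributes(attrs: dict, now: datetime) -> list:
    """Validate one provider's metadata attributes; an empty list means no problems."""
    findings = []
    try:
        expiry = parse_valid_until(attrs.get("validUntil", ""))
        if expiry <= now:
            findings.append(("validUntil", f"metadata expired at {expiry.isoformat()}"))
    except ValueError as exc:
        findings.append(("validUntil", str(exc)))
    try:
        parse_cache_duration(attrs.get("cacheDuration", ""))
    except ValueError as exc:
        findings.append(("cacheDuration", str(exc)))
    findings.extend(check_encryption(attrs.get("encryptionMethod", "None"),
                                     attrs.get("keySize")))
    return findings


# Constructed sample using the page's example values plus a deliberately wrong key size.
SAMPLE_ATTRS = {
    "validUntil": "2004-12-31T14:30:00.0Z",
    "cacheDuration": "P1Y2M4DT9H8M20S",
    "encryptionMethod": "DESede",
    "keySize": 128,
}
# Fixed, constructed check time so the result is reproducible offline.
CHECK_TIME = parse_valid_until("2006-01-01T00:00:00.0Z")


def check_sample() -> list:
    return validate_common_attributes(SAMPLE_ATTRS, CHECK_TIME)


if __name__ == "__main__":
    for field, message in check_sample():
        print(f"{field}: {message}")
```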
Choose the method of encryption:
None
AES
DESede
Select the check box to enable encryption of the name identifier.
Provide information for the Communication URLs.
Communication URLs attributes contain locations for redirects and sending requests.
Type a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.
Type a URL to which service providers can send single sign-on and federation requests.
Type a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.
Type a URL to which the identity provider will redirect the principal after completing a logout.
Type a URL to which a service provider will send federation termination requests.
Type a URL to which the identity provider will redirect the principal after completing federation termination.
Type a URL to which a service provider will send requests to specify a new name identifier to be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.
Type a URL to which the identity provider will redirect the principal after HTTP name registration has been completed.
Provide information for the Communication Profiles.
Communication Profiles attributes define the transmission methods used by the identity provider.
Select a profile to notify other providers of a principal’s federation termination:
HTTP Redirect
SOAP
Select a profile to notify other providers of a principal’s logout:
HTTP Redirect
HTTP Get
SOAP
Select a profile to notify other providers of a principal’s name registration:
HTTP Redirect
SOAP
Select a profile for sending authentication requests:
Browser Post (specifies a browser-based HTTP POST protocol)
Browser Artifact (specifies a non-browser SOAP-based protocol)
LECP (specifies a Liberty-enabled Client Proxy)
Access Manager can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.
Select any of the available authentication domains to assign to the provider.
A provider can belong to one or more authentication domains. However, a provider without a specified authentication domain cannot participate in Liberty-based communications. If no authentication domains have been created, you can define this attribute later.
To continue configuring a remote identity provider, skip to step 11.
(Hosted Identity Provider Only) Provide mappings for the Authentication Context classes.
This attribute maps the Liberty-defined authentication context classes to authentication methods available at the identity provider.
Select the check box next to the authentication context class if the identity provider supports it.
The Liberty-defined authentication context classes are:
Password
Mobile Digital ID
Smartcard
Smartcard-PKI
MobileUnregistered
Software-PKI
Previous-Session
Mobile Contract
Time-Sync-Token
Password-ProtectedTransport
Choose the Access Manager authentication type to which the context is mapped.
Type the Access Manager authentication option.
Choose a priority level for cases where there are multiple contexts.
(Hosted Identity Provider Only) Select any of the available provider entities to assign as a Trusted Provider and click Add.
This attribute lists the providers that the identity provider trusts. It is visible after the provider configuration has been saved.
(Hosted Identity Provider Only) Provide information for the Access Manager Configuration attributes.
Access Manager Configuration attributes define general information regarding the instance of Access Manager being used as an identity provider.
Type the URL of the local identity provider.
Type an alias name for the local identity provider.
Select the provider that should be used for authentication requests from a provider hosted locally:
Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.
Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).
Select the authentication context class (method of authentication) to use if the identity provider does not receive this information as part of a service provider request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are as follows:
Password
Mobile Digital ID
Smartcard
Smartcard-PKI
MobileUnregistered
Software-PKI
Previous-Session
Mobile Contract
Time-Sync-Token
Password-ProtectedTransport
Select the check box to indicate that the identity provider must reauthenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.
Select the check box to specify that the identity provider must not interact with the principal and must interact with the user.
Type a value that points to the realm in which this provider is configured. For example, /sp.
Type the URI of the version of the Liberty Alliance Project specification being used. The default value is http://projectliberty.org/specs/v1.
This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
Type the URL of the home page of the identity provider.
Type the URL to which a principal will be redirected if single sign-on has failed.
Type the name of the host that issues the assertion. This value might be the load balancer's host name if Access Manager is behind one.
Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.
Select the check box to enable auto-federation.
When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the AutoFedAttribute element and this common attribute as its value.
Specify a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.
(Hosted Identity Provider Only) Provide information for the SAML Attributes.
SAML Attributes define general information regarding SAML assertions that are sent by the identity provider.
Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid. A principal will remain authenticated until the assertion interval expires.
Type the interval of time (in seconds) before assertions stored in the identity provider will be cleared.
Type the interval of time (in seconds) to specify the timeout for assertion artifacts.
Type a number to define how many assertions an identity provider can issue, or how many assertions can be stored.
To continue configuring a hosted identity provider, skip to step 12.
(Remote Identity Provider Only) Provide information for the Proxy Authentication Configuration attributes.
Proxy Authentication Configuration attributes define values for dynamic identity provider proxying.
Select the check box to enable proxy authentication for a service provider.
Add a list of identity providers that can be used for proxy authentication. The value is a URI defined as the provider's identifier.
Enter the maximum number of identity providers that can be used for proxy authentication.
Select the check box if you want introductions to be used to find the proxying identity provider.
Provide information for the Organization Profiles.
The optional Organization Profiles attributes contain values that define the organizational name of the entity.
Type the complete legal name of the organization. Use the format locale|organization-name, for example, en|organization-name.com.
If the Names attribute contains a value, you must also add values to the Display Names and URL attributes.
Type a name that is suitable for display to a principal. The value is defined in the format locale|organization-display-name, for example, en|organization-display-name.com.
Type a URL that can be used to direct a principal to additional information on the entity. Use the format locale|organization-URL, for example, en|http://www.organization-name.com.
Click New Contact Person to create a contact person for the provider.
The Contact Person attributes contain information regarding a human contact for the identity provider.
Type the given name of the identity provider’s contact person.
Type the surname of the identity provider's contact person.
Choose the contact's role from the drop-down menu:
Administrative
Billing
Technical
Other
Type the name of the company that employs the contact person.
Type the name identifier that points to an online instance of the contact person’s personal information profile.
Type one or more email addresses for the contact person.
Type one or more telephone numbers for the contact person.
Click Create to create the contact person.
Click Save to complete the configuration, or define values for General or Service Provider attributes by choosing from the View menu:
To define values for General attributes, see To Configure General Attributes for a Provider Entity.
To define values for Service Provider attributes, see To Configure Hosted or Remote Service Provider Attributes for a Provider Entity.
Before performing this procedure, you must have completed the steps in To Configure a Provider Entity.
Choose Service Provider from the View menu.
Select the type of provider that you are configuring:
New Hosted Provider
New Remote Provider
A hosted provider is installed on the same server as Access Manager. A remote provider is not installed on the same server as Access Manager.
Provide information for the Common Attributes.
Common Attributes contain values that generally define the service provider.
The static value of this attribute is the type of provider being configured: hosted or remote. This attribute is visible only after saving your configuration.
The value of this attribute is a description of the service provider.
Type the expiration date for the provider metadata. Use Coordinated Universal Time (UTC) and the format yyyy-mm-ddThh:mm:ss.SZ, for example, 2004-12-31T14:30:00.0Z.
Type the maximum amount of time that the provider metadata can be cached. Use the format PnYnMnDTnHnMnS, where n is an integer. For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.
Select the Liberty ID-FF release that is supported by this provider.
urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.
urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.
Name identifier mapping allows a service provider to obtain a name identifier for a principal that has federated in the namespace of a different service provider. Implementing this protocol allows the requesting service provider to communicate with the second service provider without an identity federation having been enabled. The value of this attribute is a URI that identifies the communication specifications.
Currently, the Name Identifier Mapping profile only supports SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
Type a URL that points to other relevant metadata concerning the provider.
Type the key alias that is used to sign requests and responses.
Type the security certificate alias. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.
Type the length for keys that are used by the web service consumer when interacting with another entity.
Select the method of encryption:
None
AES
DESede
Select the check box to enable encryption of the name identifier.
Provide information for the Communication URLs.
Communication URLs attributes contain locations for redirects and sending requests.
Type a URI to the service provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.
Type a URL to which identity providers can send logout requests.
Type a URL to which the service provider will redirect the principal after completing a logout.
Type a URL to which identity providers will send federation termination requests.
Type a URL to which the service provider will redirect the principal after completing federation termination.
Type a URL that will be used when communicating with the identity provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)
Type a URL to which the service provider will redirect the principal after HTTP name registration has been completed.
Provide information for the Communication Profiles.
Communication Profiles attributes define the transmission methods used by the service provider.
Select a profile to notify other providers of a principal’s federation termination:
HTTP Redirect
SOAP
Select a profile to notify other providers of a principal’s logout:
HTTP Redirect
HTTP Get
SOAP
Select a profile to notify other providers of a principal’s name registration:
HTTP Redirect
SOAP
Select a profile for sending authentication requests:
Browser Post (specifies a browser-based HTTP POST protocol)
Browser Artifact (specifies a non-browser SOAP-based protocol)
LECP (specifies a Liberty-enabled Client Proxy)
Access Manager can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.
Select any of the available authentication domains to assign to the provider.
A provider can belong to one or more authentication domains. However, a provider without a specified authentication domain cannot participate in Liberty-based communications. If no authentication domains have been created, you can define this attribute later.
To continue configuring a remote service provider, skip to step 9.
(Hosted Service Provider Only) Provide a hierarchy for the Authentication Context classes.
This attribute corresponds to the authentication level defined for an Access Manager authentication module. It will redirect the principal to the authentication type with an authentication level equal to the number defined.
The Liberty-defined authentication context classes are:
Password
Mobile Digital ID
Smartcard
Smartcard-PKI
MobileUnregistered
Software-PKI
Previous-Session
Mobile Contract
Time-Sync-Token
Password-ProtectedTransport
Type a level for each authentication context class. The number can be any positive number.
(Hosted Service Provider Only) Select any of the available provider entities to assign as a Trusted Provider and click Add.
This attribute lists the providers that the service provider trusts.
Provide information for the Service Provider attributes.
Service Provider attributes define general information regarding the service provider.
Type the URL to the end point that defines where a provider will send SAML assertions.
If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.
Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.
Select the check box to make the service provider always sign authentication requests.
Select the check box to enable the service provider to participate in name registration after a principal has been federated.
Select the option permitting requester influence over name identifier policy at the identity provider. The options are:
None specifies that the identity provider will return the name identifier(s) for the principal corresponding to the federation that exists between the identity provider and the requesting service provider or affiliation group. If no such federation exists, an error will be returned.
One-time specifies that the identity provider will issue a temporary, one-time-use identifier for the principal after federation.
Federation specifies that the identity provider may start a new identity federation if one does not already exist for the principal.
Select the check box to enable affiliation federation.
To continue configuring a remote service provider, skip to step 11.
(Hosted Service Provider Only) Provide information for the Access Manager Configuration attributes.
Access Manager Configuration attributes define general information regarding the instance of Access Manager being used as a service provider.
Type the URL of the local service provider.
Type an alias name for the local service provider.
Select the provider that should be used for authentication requests from a provider hosted locally:
Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.
Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).
This attribute defines the service provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are:
Password
Mobile Digital ID
Smartcard
Smartcard-PKI
MobileUnregistered
Software-PKI
Previous-Session
Mobile Contract
Time-Sync-Token
Password-ProtectedTransport
Select the check box to indicate that the identity provider must reauthenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.
Select the check box to specify that the identity provider must not interact with the principal and must interact with the user.
Type a value that points to the realm in which this provider is configured, for example, /sp.
Type the URI of the version of the Liberty specification being used. The default value is http://projectliberty.org/specs/v1.
This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
Type the URL of the home page of the service provider.
Type the URL to which a principal will be redirected if single sign-on has failed.
Select the check box to enable auto-federation.
When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the AutoFedAttribute element and this common attribute as its value.
Specify a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.
Provide information for the Proxy Authentication Configuration attributes.
Proxy Authentication Configuration attributes define values for dynamic identity provider proxying.
Select the check box to enable proxy authentication for a service provider.
Add a list of identity providers that can be used for proxy authentication. The value is a URI defined as the provider's identifier.
Enter the maximum number of identity providers that can be used for proxy authentication.
Select the check box if you want introductions to be used to find the proxying identity provider.
To continue configuring a remote service provider, skip to step 13.
(Hosted Service Provider Only) Provide information for the SAML Attributes.
SAML Attributes define general information regarding SAML assertions sent by the identity provider.
Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid. A principal will remain authenticated until the assertion interval expires.
Type the interval of time (in seconds) before assertions stored in the identity provider will be cleared.
Type the interval of time (in seconds) to specify the timeout for assertion artifacts.
Type a number to define how many assertions an identity provider can issue, or how many assertions can be stored.
Provide information for the Organization Profiles.
The optional Organization Profiles attributes contain values that define the organizational name of the entity.
Type the complete legal name of the entity’s organization. Use the format locale|organization-name, for example, en|organization-name.com.
If the Names attribute contains a value, you must also add values to the Display Names and URL attributes.
Type a name that is suitable for display. Use the format locale|organization-display-name, for example, en|organization-display-name.com.
Type a URL that can be used to direct a principal to additional information on the entity's organization. Use the format locale|organization-URL, for example, en|http://www.organization-name.com.
Click New Contact Person to create a contact person for the provider.
The Contact Person attributes contain information regarding a human contact for the identity provider.
Type the given name of the identity provider’s contact person.
Type the surname of the identity provider's contact person.
Choose the contact's role from the drop-down menu:
Administrative
Billing
Technical
Other
Type the name of the company that employs the contact person.
Type the name identifier that points to an online instance of the contact person’s personal information profile.
Type one or more email addresses for the contact person.
Type one or more telephone numbers for the contact person.
Click Create to create the contact person.
Click Save to complete the configuration, or define values for General or Identity Provider attributes by choosing from the View menu:
To define values for General attributes, see To Configure General Attributes for a Provider Entity.
To define values for Identity Provider attributes, see To Configure Hosted or Remote Identity Provider Attributes for a Provider Entity.
After you create an affiliate entity, you populate it with affiliation information. This section contains the following procedures:
In the Access Manager Console, select the Federation tab.
Under Federation, select the Entities tab.
Select the affiliate entity that you want to configure.
Ensure that you select an entity marked as type Affiliate.
Define values for the General or Affiliate attribute groupings by choosing from the View menu:
To define values for General attributes, see To Configure General Attributes for an Affiliate Entity
To define values for Affiliate attributes, see To Configure Affiliate Attributes for an Affiliate Entity
Before performing this procedure, you must have completed the steps in To Configure an Affiliate Entity.
Choose General from the View menu, and provide information for the Entity Common Attributes.
Entity Common Attributes contain values that define the entity.
The static value of this attribute is the name that you provided when creating the entity.
The static value of this attribute is Provider.
The value of this optional attribute is the description that you provided when creating the entity. You can modify the description.
Type the expiration date for the entity metadata. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ, for example, 2004-12-31T14:30:00.0Z.
Type the maximum amount of time that the entity metadata can be cached. Use the format PnYnMnDTnHnMnS, where n is an integer variable. For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.
Provide information for the Entity Contact Person Profile attributes.
Entity Contact Person Profile attributes contain values that define the administrator of the entity.
Type the given name of the entity’s contact person.
Type the surname of the entity’s contact person.
Choose the type of contact from the drop-down menu:
Administrative
Billing
Technical
Other
Type the name of the company that employs this person.
Type a URI that points to an online instance of the contact person’s personal information profile.
Type one or more email addresses for the contact person.
Type one or more telephone numbers for the contact person.
Provide information for the Organization Profiles.
The optional Organization Profiles attributes contain values that define the organizational name of the entity.
Type the complete legal name of the organization. Use the format locale|organization-name, for example, en|organization-name.com.
If the Names attribute contains a value, you must also add values to the Display Names and URL attributes.
Type a name that is suitable for display to a principal. Use the format locale|organization-display-name, for example, en|organization-display-name.com.
Type a URL that can be used to direct a principal to additional information on the entity. Use the format locale|organization-URL, for example, en|http://www.organization-name.com.
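The Organization Profiles attributes above (and the identical group under the provider entity's General attributes) use the locale|value form and carry one consistency rule: once Names is set, Display Names and URL become required. The following is an added example, not code from Access Manager, that checks a profile before it is saved. The locale pattern and the per-locale check (that every locale with a Name also has a Display Name and a URL) are assumptions that go slightly beyond what the page states; the page only requires the attributes themselves to be non-empty.

```python
import re
from typing import Iterable, List, Tuple

# A language tag such as "en" or "en-US", a "|" separator, then a non-empty value.
# The tag grammar is an assumption; the page only shows "en".
LOCALIZED_RE = re.compile(r"^([A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*)\|(\S.*)$")


def parse_localized(value: str) -> Tuple[str, str]:
    """Split a locale|value entry into (locale, value); raise on malformed input."""
    m = LOCALIZED_RE.match(value)
    if not m:
        raise ValueError(f"expected locale|value, got {value!r}")
    return m.group(1), m.group(2)


def validate_organization_profile(names: Iterable[str],
                                  display_names: Iterable[str],
                                  urls: Iterable[str]) -> List[str]:
    """Return the problems found in an Organization Profile; [] means consistent."""
    names, display_names, urls = list(names), list(display_names), list(urls)
    problems: List[str] = []
    if not names:
        return problems  # the whole group is optional while Names is empty

    # The rule stated on the page: Names set => Display Names and URL required.
    if not display_names:
        problems.append("Display Names must be set when Names is set")
    if not urls:
        problems.append("URL must be set when Names is set")

    locales = {}  # field -> set of locales whose entries parsed cleanly
    for field, values in (("Names", names), ("Display Names", display_names), ("URL", urls)):
        locales[field] = set()
        for entry in values:
            try:
                locale, text = parse_localized(entry)
            except ValueError as exc:
                problems.append(f"{field}: {exc}")
                continue
            locales[field].add(locale)
            # The page's URL example is absolute (en|http://...); reject bare hostnames.
            if field == "URL" and not text.startswith(("http://", "https://")):
                problems.append(f"URL: {entry!r} is not an absolute http(s) URL")

    # Stricter than the page states (assumption): every locale that has a Name
    # should also have a Display Name and a URL, so a principal never sees a mix.
    for field in ("Display Names", "URL"):
        for missing in sorted(locales["Names"] - locales[field]):
            problems.append(f"{field}: no entry for locale {missing!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample input, not values from the page.
    print(validate_organization_profile(
        ["en|Example Org", "fr|Exemple"],
        ["en|Example"],
        ["en|http://www.example.com"]))
```

An empty result means the profile can be saved as entered; each string in a non-empty result names the attribute and the reason, which is what you want to show an administrator before the metadata is published to other providers.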
Click Save to complete the configuration, or choose Affiliate from the View menu to configure the Affiliate attributes.
To define values for Affiliate attributes, see To Configure Affiliate Attributes for an Affiliate Entity.
Before performing this procedure, you must have completed the steps in To Configure an Affiliate Entity.
Choose Affiliate from the View menu and provide information for the Common Attributes.
Common Attributes contain values that generally define the affiliation.
The value of this attribute is the name of the affiliation.
The value of this attribute is the owner of the affiliation.
Type the expiration date for the affiliation metadata. Use Coordinated Universal Time (UTC) and the format yyyy-mm-ddThh:mm:ss.SZ, for example, 2004-12-31T14:30:00.0Z.
Type the maximum amount of time affiliation metadata can be cached. Use the format PnYnMnDTnHnMnS, where n is an integer. For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.
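The expiration date and cache duration above, and the identical pair under the entity's General attributes, are what a consuming provider uses to decide whether cached metadata is still trustworthy. The following is an added example, not code from Access Manager, that parses both formats as the page describes them (yyyy-mm-ddThh:mm:ss.SZ in UTC and PnYnMnDTnHnMnS) and classifies a cached copy as fresh, stale, or expired. Two assumptions are made: a year is counted as 365 days and a month as 30 days when turning a duration into seconds, and an optional clock_skew_seconds allowance is offered because the page requires synchronized clocks across the federation; its default of zero matches that requirement.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp form from the page: yyyy-mm-ddThh:mm:ss.SZ, always UTC.
TIMESTAMP_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z$"
)

# Duration form from the page: PnYnMnDTnHnMnS. Every component is optional and
# the T separates date parts from time parts, so "M" (months vs minutes) is unambiguous.
DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_utc_timestamp(value: str) -> datetime:
    """Parse a yyyy-mm-ddThh:mm:ss.SZ string into a timezone-aware UTC datetime."""
    m = TIMESTAMP_RE.match(value)
    if not m:
        raise ValueError(f"not in yyyy-mm-ddThh:mm:ss.SZ form: {value!r}")
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    micro = int(((m.group(7) or "0") + "000000")[:6])  # pad or truncate to microseconds
    return datetime(year, month, day, hour, minute, second, micro, tzinfo=timezone.utc)


def parse_cache_duration(value: str) -> timedelta:
    """Convert PnYnMnDTnHnMnS into a timedelta.

    Assumption (not from the page): a year counts as 365 days and a month as
    30 days. Both are the short approximations, so refresh happens no later
    than the calendar-exact value would require.
    """
    m = DURATION_RE.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"not in PnYnMnDTnHnMnS form: {value!r}")
    years, months, days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=years * 365 + months * 30 + days,
                     hours=hours, minutes=minutes, seconds=seconds)


def metadata_status(valid_until: str, cache_duration: str, fetched_at: str,
                    now: str, clock_skew_seconds: int = 0) -> str:
    """Classify cached metadata as 'fresh', 'stale' or 'expired'.

    expired: now is past the expiration date (plus any skew allowance); the
             metadata must not be used until it is re-fetched and re-verified.
    stale:   not yet expired, but the cache duration has elapsed since fetch;
             refresh it before relying on it for the next exchange.
    fresh:   usable as cached.
    """
    expiry = parse_utc_timestamp(valid_until) + timedelta(seconds=clock_skew_seconds)
    refresh_at = parse_utc_timestamp(fetched_at) + parse_cache_duration(cache_duration)
    current = parse_utc_timestamp(now)
    if current > expiry:
        return "expired"
    if current > refresh_at:
        return "stale"
    return "fresh"


if __name__ == "__main__":
    # Constructed sample values; the first two are the page's own examples.
    print(parse_cache_duration("P1Y2M4DT9H8M20S"))
    print(metadata_status("2004-12-31T14:30:00.0Z", "P1Y2M4DT9H8M20S",
                          "2004-01-01T00:00:00.0Z", "2004-06-01T00:00:00.0Z"))
```

The order of the two checks matters: an expired copy is rejected even if the cache duration has not run out, because the expiration date is the issuer's hard limit while the cache duration is only a refresh hint.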
Type the key alias that is used to sign requests and responses.
Type the security certificate alias. Certificates are stored in a JKS keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.
Type the length for keys used by the web service consumer when interacting with another entity.
Select the method of encryption:
None
AES
DESede
Select any of the available provider entities to assign as members of the affiliation.
A provider can belong to one or more affiliations. However, a provider without a specified authentication domain cannot participate in Liberty-based communications. Also, be sure that the service provider entity being assigned to the affiliate entity has enabled affiliation federation.
Click Save to complete the configuration.
Click OK to complete the configuration, or choose General from the View menu to configure the General attributes.
To define values for General attributes, see To Configure General Attributes for an Affiliate Entity.
Before you delete an entity from the console, you must first manually remove it from the Trusted Providers list (if the provider is hosted) or from the Available Providers list (if it is part of an affiliation).
In the Access Manager Console, click the Federation tab.
Under Federation, select the Entities tab.
Select the check box next to the entity that you want to delete.
No warning message is displayed when you perform a delete.
Click Delete.
An authentication domain is a federation of any number of service providers (and at least one identity provider) with whom principals can transact business in a secure and apparently seamless environment. (The members of the domain must have previously established a circle of trust based on the Liberty Alliance Project architecture and operational agreements.)
An authentication domain is not a domain in the domain name system (DNS) sense of the word.
The following procedures describe how to create, configure, and delete authentication domains using the Access Manager Console.
In the Access Manager Console, click the Federation tab.
Under Federation, select the Authentication Domains tab.
Select New.
The New Authentication Domain attributes are displayed.
Type a name for the authentication domain.
(Optional) Type a description of the authentication domain in the Description field.
(Optional) Type a value for the Writer Service URL.
The Writer Service URL specifies the location of the service that writes the common domain cookie. Use the format http://common-domain-host:port/common/writer. For more information about the Common Domain Services, see Chapter 4, Common Domain Services.
(Optional) Type a value for the Reader Service URL.
The Reader Service URL specifies the location of the service that reads the common domain cookie. Use the format http://common-domain-host:port/common/transfer. For more information about the Common Domain Services, see Chapter 4, Common Domain Services.
Select Active or Inactive.
The default status is Active. Selecting Inactive disables communication within the authentication domain.
Click OK.
The new authentication domain is now displayed in the list of configured Authentication Domains.
In the Access Manager Console, click the Federation tab.
Under Federation, select the Authentication Domains tab.
All created Authentication Domains are displayed.
Click the name of the authentication domain that you want to modify.
The General and Providers properties for the authentication domain are displayed.
(Optional) Enter or modify a description of the authentication domain in the Description field.
(Optional) Enter or modify the value for the Writer Service URL.
The Writer Service URL specifies the location of the service that writes the common domain cookie. Use the format http://common-domain-host:port/common/writer. For more information on the Common Domain Services, see Chapter 4, Common Domain Services.
(Optional) Enter or modify the value for the Reader Service URL.
The Reader Service URL specifies the location of the service that reads the common domain cookie. Use the format http://common-domain-host:port/common/transfer. For more information on the Common Domain Services, see Chapter 4, Common Domain Services.
Select Active or Inactive.
The default status is Active. Selecting Inactive disables communication within the authentication domain.
Click Add to populate the authentication domain with providers.
The Trusted Providers page is displayed.
Choose from the list of Available Providers and click Add.
Click OK to save the providers to the authentication domain.
The authentication domain's attribute page is displayed.
Click Save to complete the configuration.
Deleting an authentication domain does not delete the providers that belong to it, although it does affect the trusted relationship among them.