Trusted Partners: Configuring Trusted Partner Attributes (Sun OpenSSO Enterprise 8.0 Administration Guide)

Sun OpenSSO Enterprise 8.0 Administration Guide

Trusted Partners: Configuring Trusted Partner Attributes

Following is the second part of the procedure for configuring a trusted partner. Based on the roles selected in the first part, any of the sub-attributes listed in the following sections may need to be defined.

Note –

If you reached this page by clicking Edit or Duplicate on the SAML configuration screen under Federation, modify the trusted partner profile based on the steps below and click Save to change the values. Click Save on the SAML Profile page to complete the modification.

Type in values for the Common Settings sub-attributes.

Name

Can be any string, such as an organization name.

Source ID

This is a 20 byte sequence (encoded using the Base64 format) that comes from the partner site. It is generally the same value as that used for the Site ID attribute when configuring the Site Identifiers attribute.

Target

This is the domain of the partner site (with or without a port number). If you want to contact a web page that is hosted in this domain, the redirect URL is picked up from the values defined in the Trusted Partner attribute.

Note –
If there are two defined entries for the same domain (one containing a port number and one without a port number), the entry with the port number takes precedence. For example, assume the following two trusted partner definitions: target=sun.com and target=sun.com:8080. If the principal is seeking http://machine.sun.com:8080/index.html, the second definition will be chosen.

SAML URL

The URL that points to the servlet that implements the Web Browser Artifact Profile.

Site Attribute Mapper

The class is used to return a list of attribute values defined as AttributeStatements elements in an Authentication Assertion. A site attribute mapper needs to be implemented from the PartnerSiteAttributeMapper interface.

If no class is defined, no attributes will be included in the assertion.

Name Identifier Mapper

The class that defines how the subject of an assertion is related to an identity at the destination site. An account mapper needs to be implemented from the com.sun.identity.saml.plugins.PartnerAccountMapper interface. The default is com.sun.identity.saml.plugins.DefaultAccountMapper.

If no class is defined, no attributes will be included in the assertion.

Version

The SAML version used (1.0 or 1.1) to send SAML requests. To change the version or protocol, click on the Local Site Properties button and change the Protocol and Assertion attributes as necessary.

Signing Certificate Alias

A certificate alias that is used to verify the signature in an assertion when it is signed by the partner and the certificate cannot be found in the KeyInfo portion of the signed assertion.

Type in values for the Destination sub-attributes.

Artifact: SAML URL

The URL that points to the servlet that implements the Web Browser Artifact Profile.

Post: Post URL

The URL that points to the servlet that implements the Web Browser POST Profile.

Host List

A list of the IP addresses, the DNS host name, or the alias of the client authentication certificate used by the partner. This is configured for all hosts within the partner site that can send requests to this authority. This list helps to ensure that the requestor is indeed the intended receiver of the artifact. If the requester is defined in this list, the interaction will continue. If the requester’s information does not match any hosts defined in the host list, the request will be rejected.

Type in values for the Source sub-attributes.
Artifact: SOAP URL

The URL to the SAML SOAP Receiver.

Authentication Type
Authentication types that can be used with SAML:
- Specify None if the URL to the SAML SOAP receiver is accessed using HTTP, and the SAML SOAP receiver is not protected by HTTP basic authentication and/or SSL.
- Specify Basic if the URL to the SAML SOAP receiver is accessed using HTTP, and the SAML SOAP receiver is protected by HTTP basic authentication.
- Specify SSL if the URL to the SAML SOAP receiver is accessed using HTTPS, and the SAML SOAP receiver is not protected by HTTP SSL.
- Specify SSL with Basic if the URL to the SAML SOAP receiver is accessed using HTTPS, and the SAML SOAP receiver is not protected by BASIC AUTH WITH SSL.
Note –
If you are protecting the SAML SOAP receiver URL with HTTP basic authentication, you do so in the web container configuration and not in the OpenSSO Enterprise configuration. You do, however, supply the HTTP basic authentication user ID and password in the OpenSSO Enterprise configuration.

This attribute is optional. If not specified, the default is NOAUTH. If BASICAUTH or SSLWITHBASICAUTH is specified, the Trusted Partners attribute is required and should be HTTPS.
User

When BASICAUTH is chosen as the Authentication Type, the value of this attribute defines the user identifier of the partner being used to protect the partner’s SOAP receiver.

User's Password

When BASICAUTH is chosen as the Authentication Type, the value of this attribute defines the password for the user identifier of the partner being used to protect the partner’s SOAP receiver.

User's Password (reenter)

Reenter the password defined previously.

Type a value for the Post sub attribute.

Issuer

The creator of a generated assertion. The default syntax is hostname: port.

Click Finish.

Click Save on the SAML Profile page to complete the configuration.