Sun OpenSSO Enterprise 8.0 Administration Guide

Configuring Federation

To configure for federation, create a circle of trust and populate it with entity types using the following high-level procedure.

  1. Decide whether the instance of OpenSSO Enterprise you are configuring will act as an identity provider, a service provider, or both, and create standard and extended metadata XML files containing the specific protocols, profiles, endpoints, and security mechanisms being used by the instance.

    • Standard metadata properties are defined in the Liberty ID-FF and SAMLv2 specifications.

    • Extended metadata properties are proprietary and used by features specific to OpenSSO Enterprise.

  2. Create an entity to hold the metadata for every identity and service provider that will become a member of the circle of trust (including the instance of OpenSSO Enterprise for which you previously created metadata).

    The metadata for other entities may come from the providers themselves. See Creating an Entity.

  3. Configure a circle of trust to denote the group of entities that have joined together to exchange authentication information for purposes of federation.

    See Circle of Trust.

  4. Add the appropriate entities to the circle of trust by configuring both the entity's metadata (to add the authentication domain of the circle of trust) and the circle of trust's properties (to add the entity).

Information on an entity provider's properties is located in Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference. Information on a circle of trust's properties can be found in To Modify a Circle of Trust Profile.
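Step 1 produces standard metadata that peers in the circle of trust will rely on for endpoints and signing keys, so it is worth checking a metadata file before loading it. The following script is an added example, not part of this guide or of OpenSSO; it parses a constructed SAMLv2 EntityDescriptor (the entityID, endpoint URLs and certificate value are made up) and reports the properties a federation administrator would verify: that the entity declares a provider role, lists the SAMLv2 protocol, carries a signing certificate, and exposes only HTTPS endpoints.

```python
"""Sanity-check SAMLv2 standard metadata before it is loaded as an entity.
Added illustration; the XML below is constructed and is not OpenSSO metadata."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"md": MD, "ds": DS}

# Constructed identity-provider metadata. The HTTP-POST endpoint is deliberately
# plain http:// so the checker has something to report.
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/opensso">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-CONSTRUCTED-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/opensso/slo/redirect"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/opensso/sso/redirect"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.com/opensso/sso/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Name' -> 'Name'."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def parse_entity_metadata(xml_text):
    """Extract entityID, provider roles, endpoints and signing-key count."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity = {"entityID": root.get("entityID"), "roles": []}
    for role in root:
        name = _local(role.tag)
        if not name.endswith("SSODescriptor"):
            continue  # Organization, ContactPerson etc. carry no protocol data
        endpoints = [
            {"service": _local(ep.tag), "binding": ep.get("Binding"),
             "location": ep.get("Location")}
            for ep in role if ep.get("Location")
        ]
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        signing_keys = [
            kd for kd in role.findall("md:KeyDescriptor", NS)
            if kd.get("use") in (None, "signing")
            and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        ]
        entity["roles"].append({
            "role": name,
            "protocols": (role.get("protocolSupportEnumeration") or "").split(),
            "endpoints": endpoints,
            "signing_cert_count": len(signing_keys),
        })
    return entity


def check_entity_metadata(entity):
    """Return a list of findings; an empty list means the metadata passed."""
    findings = []
    if not entity["entityID"]:
        findings.append("missing entityID")
    if not entity["roles"]:
        findings.append("no IDPSSODescriptor or SPSSODescriptor role")
    for role in entity["roles"]:
        name = role["role"]
        if SAML2_PROTOCOL not in role["protocols"]:
            findings.append(f"{name}: protocolSupportEnumeration does not list SAMLv2")
        if role["signing_cert_count"] == 0:
            findings.append(f"{name}: no signing certificate; peers cannot verify its signatures")
        for ep in role["endpoints"]:
            if not ep["location"].lower().startswith("https://"):
                findings.append(f"{name}: {ep['service']} endpoint is not HTTPS: {ep['location']}")
    return findings


if __name__ == "__main__":
    parsed = parse_entity_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", parsed["entityID"])
    for finding in check_entity_metadata(parsed) or ["metadata passed all checks"]:
        print("-", finding)
```

Run the same checker against the metadata a partner provider sends you before creating its entity; a missing signing certificate or a non-HTTPS endpoint is the kind of defect that is far easier to reject at this stage than to diagnose once the circle of trust is live.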


Tip –

In a federation setup, all service providers and identity providers must share a synchronized clock. You can implement the synchronization by pointing each provider to an external clock source or, where responses may be delayed in transit, by adjusting the timeouts so that delayed responses are still accepted rather than dropped.
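The reason clocks matter is that a SAMLv2 assertion carries a validity window (the NotBefore and NotOnOrAfter attributes of its Conditions element), and the receiving provider judges that window against its own clock. The following added example, which is not OpenSSO code, evaluates a constructed Conditions element against a verifier clock with an explicit skew allowance, so you can see how a provider whose clock is a few seconds behind or ahead of the issuer rejects otherwise valid assertions, and how a bounded allowance absorbs that difference. The timestamps and the function names are assumptions made for illustration.

```python
"""Time-condition check for a SAML assertion with a clock-skew allowance.
Added illustration of why federation peers need synchronized clocks; it is
not OpenSSO code, and the timestamps below are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed Conditions element as an identity provider would place it in an
# assertion: valid for five minutes starting 12:00:00 UTC.
SAMPLE_CONDITIONS = (
    f'<Conditions xmlns="{SAML}" NotBefore="2024-05-01T12:00:00Z" '
    'NotOnOrAfter="2024-05-01T12:05:00Z"/>'
)


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC ('Z'); return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def evaluate_conditions(conditions_xml, now, allowed_skew_seconds=0):
    """Return (accepted, reason).

    `now` is the verifying provider's clock. `allowed_skew_seconds` widens the
    window on both sides to tolerate small clock differences between peers;
    a large value weakens replay protection, so keep it to seconds, not minutes.
    """
    cond = ET.fromstring(conditions_xml)
    skew = timedelta(seconds=allowed_skew_seconds)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid (verifier clock behind issuer)"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired (verifier clock ahead of issuer, or response delayed)"
    return True, "within validity window"


if __name__ == "__main__":
    for clock, skew in [("2024-05-01T11:59:30Z", 0), ("2024-05-01T11:59:30Z", 60),
                        ("2024-05-01T12:05:30Z", 0), ("2024-05-01T12:05:30Z", 60)]:
        accepted, reason = evaluate_conditions(SAMPLE_CONDITIONS, parse_saml_time(clock), skew)
        print(f"verifier clock {clock} skew {skew:>3}s -> {'accept' if accepted else 'reject'}: {reason}")
```

A verifier running 30 seconds slow rejects a fresh assertion as "not yet valid", and one running 30 seconds fast rejects it as expired; a 60-second allowance accepts both. That allowance is the same trade-off the tip describes for timeouts: synchronizing every provider to an external clock source is the fix, and a small skew allowance is the safety margin, not a substitute.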