Chapter 6 Federation Attributes for Entity Providers

This section lists and describes the attributes available in the OpenSSO Enterprise console for entity provider customization. For instructions for creating the entity providers and entity provider roles, see Creating an Entity in Sun OpenSSO Enterprise 8.0 Administration Guide

SAMLv2 Entity Provider Attributes

The SAMLv2 entity provider type is based on the OASIS Security Assertion Markup Language (SAML) version 2 specification. This entity supports various profiles (single sign-on, single logout, and so forth) when interacting with remote SAMLv2 entities. The SAMLv2 provider entity allows you to assign and configure the following roles:

• SAMLv2 Service Provider Customization

• SAMLv2 Identity Provider Customization

• SAMLv2 XACML PDP Customization

• SAMLv2 XACML PEP Customization

• SAMLv2 Attribute Authority Customization

• SAMLv2 Attribute Query Customization

• SAMLv2 Authentication Authority Customization

SAMLv2 Service Provider Customization

SAMLv2 service providers contain the following attribute groups:

• Assertion Content

• Assertion Processing

• Services

• Advanced

Assertion Content

• Request/Response Signing

• Encryption

• Certificate Aliases

• Name ID Format

• Authentication Context

• Assertion Time Skew

• Basic Authentication

Request/Response Signing

Select any checkbox to enable signing for the following SAMLv2 service prover requests or responses:

Authentication Requests Signed	All authentication requests received by this service provider must be signed.
Assertions Signed	All assertions received by this service provider must be signed.
POST Response Signed	The identity provider must sign the single sign-on Response element when POST binding is used
Artifact Response	The identity provider must sign the ArtifactResponse element.
Logout Request	The identity provider must sign the LogoutRequest element.
Logout Response	The identity provider must sign the LogoutResponse element.
Manage Name ID Request	The identity provider must sign the ManageNameIDRequst element.
Manage Name ID Response	The identity provider must sign the ManageNameIDResponse element.

Encryption

Select any checkbox to enable encryption for the following elements:

Attribute	The identity provider must encrypt all AttributeStatement elements.
Assertion	The identity provider must encrypt all Assertion elements.
NameID	The identity provider must encrypt all NameID elements.

Certificate Aliases

This attribute defines the certificate alias elements for the service provider. signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

Name ID Format

Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:

• urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

• urn:oasis:names:tc:SAML:2.0:nameid-format:transient

• urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

• urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

• urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

• urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

• urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

• urn:oasis:names:tc:SAML:2.0:nameid-format:entity

The Name ID format list is an ordered list, the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list is chosen and supported by the remote Identity Provider.

A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's persistent data store

Authentication Context

This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider .

Mapper

Specifies the implementation of the SPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAuthnContexteMapper.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The SAMLv2-defined authentication context classes are:

• InternetProtocol

• InternetProtocolPassword

• Kerberos

• MobileOneFactorUnregistered

• MobileTwoFactorUnregistered

• MobileOneFactorContract

• MobileTwoFactorContract

• Password

• Password-ProtectedTransport

• Previous-Session

• X509

• PGP

• SPKI

• XMLDSig

• Smartcard

• Smartcard-PKI

• Software-PKI

• Telephony

• NomadTelephony

• PersonalTelephony

• AuthenticaionTelephony

• SecureRemotePassword

• TLSClient

• Time-Sync-Token

• Unspecified

Level

Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.

In this framework, each service provider is configured with a default authentication context (preferred method of authentication). However, the provider might like to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3 so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.

Comparison Type

Specifies what the resulting authentication context must be when compared to the value of this property. Accepted values include:

• exact where the authentication context statement in the assertion must be the exact match of, at least, one of the authentication contexts specified.

• minimum where the authentication context statement in the assertion must be, at least, as strong (as deemed by the identity provider) one of the authentication contexts specified.

• maximum where the authentication context statement in the assertion must be no stronger than any of the authentication contexts specified.

• better where the authentication context statement in the assertion must be stronger than any of the authentication contexts specified.

The default value is exact.

Assertion Time Skew

Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.

Basic Authentication

Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.

Assertion Processing

• Attribute Mapper

• Auto Federation

• Account Mapper

• Artifact Message Encoding

• Transient User

• URL

• Default Relay State

• Adapter

Attribute Mapper

Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultSPAttributeMapper.

Mappings should be configured in the format:

SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.

Auto Federation

If enabled, Auto-federation automatically federates a user's different provider accounts based on a common attribute. The Attribute field specifies the attribute used to match a user's different provider accounts when auto-federation is enabled.

Account Mapper

Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultSPAccountMapper, the default implementation.

Artifact Message Encoding

This attribute defines the message encoding format for artifact, either URI or FORM.

Transient User

This attribute specifies the identifier of the user to which all identity provider users will be mapped on the service provider side in cases of single sign-on using the transient name identifier.

URL

The Local Authentication URL specifies the URL of the local login page.

The Intermediate URL specifies a URL to which a user can be directed after authentication and before the original request's URL. An example might be a successful account creation page after the auto-creation of a user account.

The External Application Logout URL defines the logout URL for an external application. Once the server receives logout request from the remote partner, a request will be sent to the logout URL using back channel HTTP POST with all cookies. Optionally, a user session property could be sent as HTTP header and POST parameter if a query parameter appsessionproperty (set to the session property name) is included in the URL.

Default Relay State

After a successful SAML v2 operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed.

---

Caution –

When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as:

http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz

and then appended to the URL. For example, the service provider initiated single sign-on URL would be:

http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz

---

Adapter

Defines the implementation class for the com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter interface, used to add application-specific processing during the federation process.

Services

• Meta Alias

• Single Logout Service

• Manage Name ID Service

• Assertion Artifact Consumer Service

Meta Alias

Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.

---

Caution –

The names used in the metaAlias must not contain a /.

---

Single Logout Service

The Single Logout Service synchronizes the logout functionality across all sessions authenticated by the service provider.

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL the expected response provider. The binding types are:

• HTTP Redirect

• POST

• SOAP

Manage Name ID Service

This services defines the URLs that will be used when communicating with the service provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL the expected response provider. The binding types are:

• HTTP Redirect

• POST

• SOAP

Assertion Artifact Consumer Service

This service processes the responses that a service provider receives from an identity provider. When a service provider wants to authenticate a user, it sends an authentication request to an identity provider.

• HTTP-Artifact specifies a non-browser SOAP-based protocol.

• HTTP-Post specifies a browser-based HTTP POST protocol.

• PAOS defines the URL location for PAOS binding.

Location specifies the URL of the provider to which the request is sent. Index specifies the URL in the standard metadata. Defaultis the default URL to be used for the binding.

Advanced

• SP URL

• SP Logout URL

• App Secret List

• Request IDP List Finder Implementation

• Request IDP List Get Complete

• Request IDP List

• IDP Proxy

• Introduction

• Proxy Count

• IDP Proxy List

SP URL

Defines URL endpoint on Service Provider that can handle SAE (Secure Attribute Exchange) requests. If this URL is empty (not configured), SAE single sign-on will not be enabled. Normal SAMLv2 single sign-on responses will be sent to the service provider.

SP Logout URL

Defines the URL endpoint on a Service Provider that can handle SAE global logout requests.

App Secret List

This attribute defines the application security configuration. Each application must have one entry. Each entry has the following format:

url=SPAppURL|type=symmetric_orAsymmetric|secret=ampassword encoded shared secret

Request IDP List Finder Implementation

Defines the implementation class of the IDP list finder SPI. This returns a list of preferred identity providers that are trusted by the ECP.

Request IDP List Get Complete

Specifies a URI reference that can be used to retrieve the complete identity provider list if the IDPList element is not complete.

Request IDP List

Defines a list of identity providers for the ECP to contact. This is used by the default implementation of the IDP Finder (for example, com.sun.identity.saml2.plugins.ECPIDPFinder) .

IDP Proxy

Proxy Authentication Configuration attributes define values for dynamic identity provider proxying. Select the check box to enable proxy authentication for a service provider.

Introduction

Select the check box if you want introductions to be used to find the proxying identity provider.

Proxy Count

Enter the maximum number of identity providers that can be used for proxy authentication.

IDP Proxy List

Add a list of identity providers that can be used for proxy authentication. Type the URI defined as the provider's identifier in New Value and click Add.

SAMLv2 Identity Provider Customization

SAMLv2 identity providers contain the following attribute groups:

• Assertion Content

• Assertion Processing

• Local Configuration

• Services

• Advanced

Assertion Content

• Request/Response Signing

• Encryption

• Certificate Aliases

• Name ID Format

• Name ID Value Map

• Authentication Context

• Assertion Time

• Basic Authentication

• Assertion Cache

• Bootstrapping

Request/Response Signing

Setting the following flags indicate to the identity provider how the service provider signs specific messages:

Authentication Request	All authentication requests received by this identity provider must be signed.
Artifact Resolve	The service provider must sign the ArtifactResolve element.
Logout Request	The service provider must sign the LogoutRequest element.
Logout Response	The service provider must sign the LogoutResponse element.
Manage Name ID Request	The service provider must sign the ManageNameIDRequst element.
Manage Name ID Response	The service provider must sign the ManageNameIDResponse element.

Encryption

Select the checkbox to enable encryption for the following elements:

NameID

The service provider must encrypt all NameID elements.

Certificate Aliases

This attribute defines the certificate alias elements for the identity provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

Name ID Format

Defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:

• urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

• urn:oasis:names:tc:SAML:2.0:nameid-format:transient

• urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

• urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

• urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

• urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

• urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

• urn:oasis:names:tc:SAML:2.0:nameid-format:entity

The Name ID format list is an ordered list and the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list is chosen and supported by the remote Identity Provider.

A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's persistent data store

Name ID Value Map

This attribute specifies mapping between the NameID Format attribute and a user profile attribute. If the defined Name ID format is used in protocol, the profile attribute value will be used as NameID value for the format in the Subject. The syntax of each entry is:

NameID Format=User profile attribute

For example:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail

To add new NameID format, the NameID Value Map attribute needs to be updated with a corresponding entry. The exceptions are persistent, transient and unspecified. For persistent and transient, the NameID value will be generated randomly. For this attribute, unspecified is optional. If it is specified, the NameID value will be the value of the user profile attribute. If it is not specified, an random number will be generated.

Authentication Context

This attribute maps the SAMLv2-defined authentication context classes to authentication methods available from the identity provider.

Mapper

Specifies the implementation of the IDPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper.

Default Authentication Context

Specifies the default authentication context type used by the identity provider if the service provider does not send an authentication context request.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The SAMLv2-defined authentication context classes are:

• InternetProtocol

• InternetProtocolPassword

• Kerberos

• MobileOneFactorUnregistered

• MobileTwoFactorUnregistered

• MobileOneFactorContract

• MobileTwoFactorContract

• Password

• Password-ProtectedTransport

• Previous-Session

• X509

• PGP

• SPKI

• XMLDSig

• Smartcard

• Smartcard-PKI

• Software-PKI

• Telephony

• NomadTelephony

• PersonalTelephony

• AuthenticaionTelephony

• SecureRemotePassword

• TLSClient

• Time-Sync-Token

• Unspecified

Key

Choose the OpenSSO Enterprise authentication type to which the context is mapped.

Value

Type the OpenSSO Enterprise authentication option.

Level

Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.

In this framework, each identity provider is configured with a default authentication context (preferred method of authentication). However, the provider might like to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3 so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.

Assertion Time

Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the Not Before Time Skew value. The default value is 600. It has no relevance to the notAfter value.

Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.

Basic Authentication

Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.

Assertion Cache

If enabled, this allows the identity provider to cache assertions to be retrieved later.

Bootstrapping

Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.

Assertion Processing

• Attribute Mapper

• Account Mapper

Attribute Mapper

Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper.

Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.

Account Mapper

Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultIDPAccountMapper, the default implementation.

Local Configuration

These attribute contains configuration specific to the OpenSSO Enterprise instance.

Auth URL

Defines the Authentication URL to which the identity provider will redirect for authentication.

External Application Logout URL

The External Application Logout URL defines the logout URL for an external application. Once the server receives logout request from the remote partner, a request will be sent to the logout URL using back channel HTTP POST with all cookies. Optionally, a user session property could be sent as HTTP header and POST parameter if a query parameter appsessionproperty (set to the session property name) is included in the URL.

Services

• Meta Alias

• Artifact Resolution Service

• Single Logout Service

• Manage Name ID Service

• Single Sign-On Service

Meta Alias

Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.

---

Caution –

The names used in the metaAlias must not contain a /.

---

Artifact Resolution Service

Defines the endpoint(s) that support the Artifact Resolution profile. Location specifies the URL of the provider to which the request is sent. Index specifies a unique integer value to the endpoint so that it can be referenced in a protocol message.

Single Logout Service

The Single Logout Service synchronizes the logout functionality across all sessions authenticated by the identity provider.

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:

• HTTP Redirect

• POST

• SOAP

Manage Name ID Service

This services defines the URLs that will be used when communicating with the service provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. . The binding types are:

• HTTP Redirect

• POST

• SOAP

Single Sign-On Service

Defines the endpoint(s) that support the profiles of the Authentication Request protocol. All identity providers must support at least one such endpoint.

Location specifies the URL of the provider to which the request is sent. The binding types are:

• HTTP Redirect

• POST

• SOAP

Advanced

• IDP URL

• App Secret List

• IDP Mapper Session

IDP URL

Defines the URL endpoint on Identity Provider that can handle SAE (Secure Attribute Exchange) requests.

App Secret List

Defines the application security configuration. Each application must one entry. Each entry has the following format:

url=IDPAppURL|type=symmetric_orAsymmetric|secret=ampassword encoded shared secret OR or pubkeyalias=idp app signing cert

IDP Mapper Session

Defines an implementation class for the session mapper SPI. The mapper finds a valid session from HTTP servlet request on the identity provider with an ECP profile.

SAMLv2 XACML PDP Customization

XACML PDP contains the following attributes for customization:

• Protocol Support Enumeration

• Signing Key Alias

• Encryption Key Alias

• Basic Authorization

• Authorization Decision Query Signed

• Authorization Service

Protocol Support Enumeration

Displays the XACML PDP release that is supported by this provider.

urn:liberty:iff:2003-08 refers to Liberty Identity Federation Framework Version 1.2.

urn:liberty:iff:2002-12 refers to Liberty Identity Federation Framework Version 1.1.

Signing Key Alias

Defines the key alias that is used to sign requests and responses.

Encryption Key Alias

Defines the key alias to XACML encryption.

Basic Authorization

Basic authorization can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.

Authorization Decision Query Signed

When enabled, this attribute enforces that all queries be signed for the XACML authorization decision.

Authorization Service

This attribute defines the type (binding) of the authorization request, and the URL endpoint for receiving the request. By default, the binding type is SOAP.

SAMLv2 XACML PEP Customization

XACML PEP contains the following attributes for customization:

• Protocol Support Enumeration

• Signing Key Alias

• Encryption Key Alias

• Basic Authorization

• Authorization Decision Response Signed

• Assertion Encrypted

Protocol Support Enumeration

Displays the XACML PEP release that is supported by this provider.

Signing Key Alias

Defines the key alias that is used to sign requests and responses.

Encryption Key Alias

Defines the key alias to XACML encryption.

Basic Authorization

Basic authorization can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.

Authorization Decision Response Signed

When enabled, this attribute enforces that all responses be signed for the XACML authorization decision.

Assertion Encrypted

When enabled, this attribute enforces that all assertions are to be encrypted.

SAMLv2 Attribute Authority Customization

SAMLv2 Attribute Authority contains the following attributes for customization:

• Signing and Encryption

• Attribute Service

• AssertionID Request

• Attribute Profile

• Cert Alias

• Subject Data Store

Signing and Encryption

Key Size

The length for keys used by the Attribute Authority entity when interacting with another entity.

Algorithm

The encryption algorithm used to interact with another entity.

Attribute Service

This attribute defines the URL endpoints that will receive attribute query requests. Location specifies the URL of the provider to which the request is sent. Mapper defines the SPI that finds the attribute mapping authority to return a list of attributes that will be included in a response. The SAMLv2–defined attribute query profiles are:

• Basic

• X509

AssertionID Request

Defines the URLs to which the AssertionIDs are sent from a client to an identity provider in order to retrieve the corresponding assertion. Location specifies the URL of the provider to which the request is sent. Mapper defines the SPI that finds the AssertionID mapping authority to return a list of attributes that will be included in a response. The bindings are:

• SOAP

• URI

Attribute Profile

Defines the type of SAMLv2–defined supported attribute profile. Basic is the default type.

Cert Alias

Defines the certificate alias elements. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

Subject Data Store

Specifies the data store attribute name which contains the X509 subject DN. It is used to find a user whose attribute value matches the X. 509 subject DN. This field is used in the Attribute Query Profile for X. 509 subject only.

SAMLv2 Attribute Query Customization

SAMLv2 Attribute Query contains the following attributes for customization:

• NameID Format

• Cert Alias

NameID Format

Defines the name identifier formats supported by the attribute query provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support three types of identifiers:

• An X509SubjectName defines the subject name of the X509 encryption type.

• A persistent identifier is saved to a particular user's data store entry as the value of two attributes.

• A transient identifier is temporary and no data will be written to the user's persistent data store.

Cert Alias

This attribute defines the certificate alias elements for the provider. signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

SAMLv2 Authentication Authority Customization

SAMLv2 Authentication Authority contains the following attributes for customization:

• Signing and Encryption

• Authn Query Service

• AssertionID Request

• Cert Alias

Signing and Encryption

Key Size

The length for keys used by the Attribute Authority entity when interacting with another entity.

Algorithm

The encryption algorithm used to interact with another entity.

Authn Query Service

This attribute defines the URL to which authentication queries are sent.

AssertionID Request

Defines the URLs to which the AssertionIDs are sent from a client to an identity provider in order to retrieve the corresponding assertion. Location specifies the URL of the provider to which the request is sent. The AssertionID request types are:

• SOAP

• URI

Cert Alias

This attribute defines the certificate alias elements for the provider. signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

ID-FF Entity Provider Attributes

The ID-FF provider entity is based on the Liberty-defined ID-FF (Liberty Identity Federation Framework) for implementing single sign-on with federated identities. The IF-FF provider entity allows you to assign and configure the following roles:

ID-FF Identity Provider Customization

The ID-FF identity provider attributes are grouped as follows:

• Common Attributes

• Communication URLs

• Communication Profiles

• Identity Provider Configuration

• Service URL

• Plug-ins

• Identity Provider Attribute Mapper

• Bootstrapping

• Auto Federation

• Authentication Context

• SAML Attributes

Common Attributes

• Provider Type

• Description

• Protocol Support Enumeration

• Signing Key

• Encryption Key

• Name Identifier Encryption

Provider Type

The static value of this attribute is the type of provider being configured: hosted or remote

Description

The value of this attribute is a description of the identity provider.

Protocol Support Enumeration

Choose the Liberty ID-FF release that is supported by this provider.

• urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.

• urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.

Signing Key

Defines the security certificate alias that is used to sign requests and responses.

Encryption Key

Defines the security certificate alias that is used for encryption for the Signing Key and Encryption Key. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

Name Identifier Encryption

Select the check box to enable encryption of the name identifier.

Communication URLs

• SOAP Endpoint

• Single Sign-on Service URL

• Single Logout Service

• Single Logout Return

• Federation Termination Service

• Federation Termination Return

• Name Registration Service

• Name Registration Return

SOAP Endpoint

Defines a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non browser communications.

Single Sign-on Service URL

Defines a URL to which service providers can send single sign-on and federation requests.

Single Logout Service

Defines a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

Single Logout Return

Defines a URL to which the service providers can send single logout responses.

Federation Termination Service

Defines a URL to which a service provider will send federation termination requests.

Federation Termination Return

Defines a URL to which the service providers can send federation termination responses.

Name Registration Service

Defines a URL to which a service provider will send requests to specify a new name identifier to be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.

Name Registration Return

Defines a URL to which the service providers can send name registration responses.

Communication Profiles

• Federation Termination

• Single Logout

• Name Registration

• Single Sign-on/Federation

Federation Termination

Select a profile to notify other providers of a principal’s federation termination:

• HTTP Redirect

• SOAP

Single Logout

Select a profile to notify other providers of a principal’s logout:

• HTTP Redirect

• HTTP Get

• SOAP

Name Registration

Select a profile to notify other providers of a principal’s name registration:

• HTTP Redirect

• SOAP

Single Sign-on/Federation

Select a profile for sending authentication requests:

• Browser Post (specifies a browser-based HTTP POST protocol)

• Browser Artifact (specifies a non-browser SOAP-based protocol)

• LECP (specifies a Liberty-enabled Client Proxy)

  ---

  Note –

  OpenSSO Enterprise can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.

  ---

Identity Provider Configuration

• Provider Alias

• Authentication Type

• Assertion Issuer

• Responds With

• Provider Status

Provider Alias

Defines the alias name for the local identity provider.

Authentication Type

Select the provider that should be used for authentication requests from a provider hosted locally:

• Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.

• Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).

Assertion Issuer

Defines the name of the host that issues the assertion. This value might be the load balancer's host name if OpenSSO Enterprise is behind one.

Responds With

Specifies the type of statements the identity provider can generate. For example lib:AuthenticationStatement.

Provider Status

Defines whether the identity provider is active or inactive. Active, the default, means the identity provider can process requests and generate responses.

Service URL

• Home Page URL

• Single Sign-on Failure Redirect URL

• Federate Page URL

• Registration Done URL

• List of COTs Page URL

• Termination URL

• Termination Done URL

• Error Page URL

• Logout Done URL

Home Page URL

Defines the URL of the home page of the identity provider.

Single Sign-on Failure Redirect URL

Defines the URL to which a principal will be redirected if single sign-on has failed.

Federate Page URL

Specifies the URL which performs the federation operation.

Registration Done URL

Defines the URL to which a principal will be directed upon successful Federation registration.

List of COTs Page URL

Defines the URL that lists all of the circle of trusts to which the provider belongs.

Termination URL

Defines the URL to which a principal is directed upon Federation termination.

Termination Done URL

Defines the URL to which a principal is redirected after federation termination is completed.

Error Page URL

Defines the URL to which a principal is directed upon an error.

Logout Done URL

Defines the URL to which a principal is directed after logout.

Plug-ins

• Name Identifier Implementation

• Attribute Statement Plug-in

• User Provider Class

Name Identifier Implementation

This field defines the class used by an identity provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

Attribute Statement Plug-in

Specifies a plug-able class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.

User Provider Class

Specifies a plug-able class used to provide user operations such as finding a user, getting user attributes, and so forth . The default value is:

com.sun.identity.federation.accountmgmt.DefaultFSUserProvider

Identity Provider Attribute Mapper

• Attribute Mapper Class

• Identity Provider Attribute Mapping

Attribute Mapper Class

The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.

Identity Provider Attribute Mapping

Specify values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.

Bootstrapping

The bootstrapping attribute is:

Generate Discovery Bootstrapping Resource Offering

Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.

Auto Federation

• Auto Federation

• Auto Federation Common Attribute Name

Auto Federation

Select the check box to enable auto-federation.

Auto Federation Common Attribute Name

When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the attribute element and this common attribute as its value.

Authentication Context

This attribute defines the identity provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The Liberty-defined authentication context classes are:

• Mobile Contract

• Mobile Digital ID

• MobileUnregistered

• Password

• Password-ProtectedTransport

• Previous-Session

• Smartcard

• Smartcard-PKI

• Software-PKI

• Time-Sync-Token

Key

Choose the OpenSSO Enterprise authentication type to which the context is mapped.

Value

Type the OpenSSO Enterprise authentication option.

Level

Choose a priority level for cases where there are multiple contexts.

SAML Attributes

• Assertion Interval

• Cleanup Interval

• Artifact Timeout

• Assertion Limit

Assertion Interval

Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid.

Cleanup Interval

Type the interval of time (in seconds) before a cleanup is performed to expired assertions.

Artifact Timeout

Type the interval of time (in seconds) to specify the timeout for assertion artifacts.

Assertion Limit

Type a number to define how many assertions an identity provider can issue, or how many assertions that can be stored.

ID-FF Service Provider Customization

The ID-FF service provider attributes are grouped into the following sections:

• Common Attributes

• Communication URLs

• Communication Profiles

• Service Provider Configuration

• Service URL

• Plug-ins

• Service Provider Attribute Mapper

• Auto Federation

• Authentication Context

• Proxy Authentication Configuration

Common Attributes

• Provider Type

• Description

• Protocol Support Enumeration

• Signing Key

• Encryption Key

• Name Identifier Encryption

• Sign Authentication Request

Provider Type

The static value of this attribute is the type of provider being configured: hosted or remote

Description

The value of this attribute is a description of the service provider.

Protocol Support Enumeration

Choose the Liberty ID-FF release that is supported by this provider.

• urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.

• urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.

Signing Key

Defines the security certificate alias that is used to sign requests and responses. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate

Encryption Key

Defines the security certificate alias that is used for encryption. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

Name Identifier Encryption

Select the check box to enable encryption of the name identifier.

Sign Authentication Request

If enabled, the service provider will sign all authentication requests.

Communication URLs

• SOAP Endpoint

• Single Logout Service

• Single Logout Return

• Federation Termination Service

• Federation Termination Return

• Name Registration Service

• Name Registration Return

• Assertion Consumer URL

• Assertion Consumer Service URL ID

• Set Assertion consumer Service URL as Default

SOAP Endpoint

Defines a URI to the service provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non browser communications.

Single Logout Service

Defines a URL to which identity providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

Single Logout Return

Defines a URL to which the identity providers can send single logout responses.

Federation Termination Service

Defines a URL to which an identity provider will send federation termination requests.

Federation Termination Return

Defines a URL to which the identity providers can send federation termination responses.

Name Registration Service

Defines a URL that will be used when communicating with the identity provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

Name Registration Return

Defines a URL to which the identity providers can send name registration responses. (Registration can occur only after a federation session is established.)

Assertion Consumer URL

Defines the URL to which an Identity Provider can send SAML assertions.

Assertion Consumer Service URL ID

If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.

Set Assertion consumer Service URL as Default

Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.

Communication Profiles

• Federation Termination

• Single Logout

• Name Registration

• Supported SSO Profile

Federation Termination

Select a profile to notify other providers of a principal’s federation termination:

• HTTP Redirect

• SOAP

Single Logout

Select a profile to notify other providers of a principal’s logout:

• HTTP Redirect

• HTTP Get

• SOAP

Name Registration

Select a profile to notify other providers of a principal’s name registration:

• HTTP Redirect

• SOAP

Supported SSO Profile

Select a profile for sending authentication requests:

• Browser Post (specifies a browser-based HTTP POST protocol)

• Browser Artifact (specifies a non-browser SOAP-based protocol)

• WML (specifies the Wireless Markup Language protocol)

• LECP (specifies a Liberty-enabled Client Proxy)

  ---

  Note –

  OpenSSO Enterprise can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.

  ---

Service Provider Configuration

• Provider Alias

• Authentication Type

• Identity Provider Forced Authentication

• Request Identity Provider to be Passive

• Name Registration After Federation

• Name ID Policy

• Affiliation Federation

• Provider Status

• Responds With

Provider Alias

Defines an alias name for the local service provider.

Authentication Type

Select the provider that should be used for authentication requests from a provider hosted locally:

• Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.

• Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).

Identity Provider Forced Authentication

Select the check box to indicate that the identity provider must re-authenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.

Request Identity Provider to be Passive

Select the check box to specify that the identity provider must not interact with the principal and must interact with the user.

Name Registration After Federation

This option, if enabled, allows for a service provider to participate in name registration after it has been federated.

Name ID Policy

An enumeration permitting requester influence over name identifier policy at the identity provider.

Affiliation Federation

Select the check box to enable affiliation federation.

Provider Status

Defines whether the service provider is active or inactive. Active, the default, means the service provider can process requests and generate responses.

Responds With

Specifies the type of statements the service provider can generate. For example , lib:AuthenticationStatement.

Service URL

• List of COTs Page URL

• Federate Page URL

• Home Page URL

• Single Sign-on Failure Redirect URL

• Termination Done URL

• Error Page URL

• Logout Done URL

List of COTs Page URL

Defines the URL that lists all of the circle of trusts to which the provider belongs.

Federate Page URL

Specifies the URL which performs the federation operation.

Home Page URL

Defines the URL of the home page of the identity provider.

Single Sign-on Failure Redirect URL

Defines the URL to which a principal will be redirected if single sign-on has failed.

Termination Done URL

Defines the URL to which a principal is redirected after federation termination is completed.

Error Page URL

Defines the URL to which a principal is directed upon an error.

Logout Done URL

Defines the URL to which a principal is directed after logout.

Plug-ins

• Service Provider Adapter

• Federation SP Adapter Env

• User Provider Class

• Name Identifier Implementation

Service Provider Adapter

Defines the implementation class for the com.sun.identity.federation.plugins.FSSPAdapter interface. The default value is:

com.sun.identity.federation.plugins.FSDefaultSPAdapter

Federation SP Adapter Env

Defines a list of environment properties to be used by the service provider adapter SPI implementation class.

User Provider Class

Specifies a plug-able class used to provide user operations such as finding a user, getting user attributes, and so forth. . The default value is:

com.sun.identity.federation.accountmgmt.DefaultFSUserProvider

Name Identifier Implementation

This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

Service Provider Attribute Mapper

• Attribute Mapper Class

• Service Provider Attribute Mapping

Attribute Mapper Class

The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.

Service Provider Attribute Mapping

Specify values to define the mappings used by the default attribute mapper plug-in specified above. Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.

Auto Federation

• Auto Federation

• Auto Federation Common Attribute Name

Auto Federation

Select the check box to enable auto-federation.

Auto Federation Common Attribute Name

Defines the user's common LDAP attribute name such as telephonenumber. For creating an Auto Federation Attribute Statement. When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the attribute element and this common attribute as its value.

Authentication Context

This attribute defines the service provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are:

Supported

Select the check box next to the authentication context class if the service provider supports it.

Context Reference

The Liberty-defined authentication context classes are:

• Mobile Contract

• Mobile Digital ID

• MobileUnregistered

• Password

• Password-ProtectedTransport

• Previous-Session

• Smartcard

• Smartcard-PKI

• Software-PKI

• Time-Sync-Token

Level

Choose a priority level for cases where there are multiple contexts.

Proxy Authentication Configuration

• Proxy Authentication

• Proxy Identity Providers List

• Maximum Number of Proxies

• Use Introduction Cookie for Proxying

Proxy Authentication Configuration attributes define values for dynamic provider proxying.

Proxy Authentication

Select the check box to enable proxy authentication for a service provider.

Proxy Identity Providers List

Type an identifier for an identity provider(s) that can be used for proxy authentication in New Value and click Add. The value is a URI defined as the provider's identifier.

Maximum Number of Proxies

Enter the maximum number of identity providers that can be used for proxy authentication.

Use Introduction Cookie for Proxying

Select the check box if you want introduction cookies to be used to find the proxying identity provider.

WS-Federation Entity Provider Attributes

The WS-Federation entity provider type is based on the WS-Federation protocol. The implementation of this protocol allows single sign-on between OpenSSO Enterprise and the Microsoft Active Directory Federation Service. The WS-Federation provider entity allows you to assign and configure the following roles:

• Identity Provider

• Service Provider

WS-Federation General Attributes

The following attributes are common to both Identity and Service Provider types:

SP Display Name

This attribute defines the name the WS-Federation service provider. The default is the meta alias given at creation time.

IDP Display Name

This attribute defines the name the WS-Federation identity provider. The default is the meta alias given at creation time.

Realm

Displays the realm to which the provider belongs.

Token Issuer Name

Defines a unique identifier for the identity or service provider.

Token Issuer Endpoint

Specifies the URL at which the identity or service provider is providing WS-Federation services. For example:

https://demo.example.com/OpenSSO Enterprise/WSFederationServlet/metaAlias/example

WS-Federation Identity Provider Customization

The following attributes apply to the WS-Federation Identity Provider role:

NameID Format

Defines the format of the name identifier component of the single sign-on response sent from the identity provider to the service provider. WS-Federation single sign-on supports the following identifier formats (default is UPN):

• Email

• Common Name

• UPN – User Principal Name. The syntax is username@domain, where an example of domainis example.com.

NameID Attribute

Defines the attribute in the user's profile that will be used as the name ID value. The default is uid.

Name Includes Domain

When using the UPN format defined in the NameID Format attribute, this specifies whether the NameID Attribute in the user's profile includes a domain. If it does, then the NameID Attribute will be used for the UPN as it is currently defined. Otherwise, it is combined with a domain to form a UPN.

Domain Attribute

When using the UPN format, if the Name Includes Domain attribute is not selected, this specifies an attribute in the user's profile to be used as the UPN domain.

UPN Domain

When using UPN format, if the Name Includes Domain attribute is not selected, and if a value for Domain Attribute is not specified, or if there is no value for that attribute for a particular user, then this attribute is used to constructing the UPN.

Signing Cert Alias

This attribute specifies the provider certificate alias used to find the assertion signing certificate in the keystore.

Claim Types

Specifies the claim type so the WS-Federation service can recognize the type of token that is exchanged between federation partners.

The EmailAddress claim type is used to identify a specific security principal by an email address.

The UPN claim type is used to identify a specific security principal via a User Principal Name.

The CommonName claim type is used to identify a security principal via a CN value consistent with X.500 naming conventions. The value of this claim is not necessarily unique and should not be used for authorization purposes.

Account Mapper

This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfed.plugins.DefaultIDPAccountMapper.

Attribute Mapper

This defines the class used to map attributes in the assertion to user attributes defined locally by the identity provider. The default class is com.sun.identity.wsfederation.plugins.DefaultIDPAttributeMapper.

Attribute Map

Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.

Assertion Effective Time

Assertions are valid for a period of time and not before or after.

Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.

WS-Federation Service Provider Customization

The following attributes apply to the WS-Federation service provider role:

Assertion Signed

All assertions received by this service provider must be signed.

Account Mapper

This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfed.plugins.

DefaultADFSPartnerAccountMapper is the default implementation.

Attribute Mapper

This defines the class used to map attributes in the assertion to user attributes defined locally by the identity provider. The default class is com.sun.identity.wsfederation.plugins.DefaultSPAttributeMapper.

Attribute Map

Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

SAML_attr=local-attribute

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.

Assertion Effective Time

Assertions are valid for a period of time and not before or after.

Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.

Assertion Skew Time

Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.

Default Relay State

After a successful WS-Federation operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed.

---

Caution –

When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as:

http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz

and then appended to the URL. For example, the service provider initiated single sign-on URL would be:

http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz

---

Home Realm Discovery

Specifies the service so that the service provider can identify the preferred identity provider. The service URL is specified as a contact endpoint by the service provider.

Account Realm Selection

Specifies the identity provider selection mechanism and configuration. Either the cookie or HTTP Request header attribute can be used to locate the identity provider.