A hosted provider is hosted on the same server as Federation Manager. Editing the New Hosted Service Provider attributes entails adding metadata concerning the service provider to the provider entity profile. The starting point is To Add a Service Provider to a Provider Entity.
Provide information for the Common Attributes.
Common Attributes contain values that generally define the identity provider itself.
This attribute contains the description provided when you created the entity. You can modify the description originally entered.
Type the expiration date for the metadata pertaining to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For example, 2004-12-31T12:30:00.0Z.
Type the maximum amount of time the entity can be cached. The value is defined in the format PnYnMnDTnHnMnS, where n is an integer. For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.
Choose the protocol release supported by this entity.
urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework version 1.2.
urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework version 1.1.
Name identifier mapping allows a service provider to obtain a name identifier for a principal that has federated in the namespace of a different service provider. Implementing this protocol allows the requesting service provider to communicate with the second service provider without an identity federation having been enabled. Type a URI that identifies the communication specifications.
Currently, the Name Identifier Mapping profile only supports SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
Type a URL that points to other relevant metadata concerning the provider.
Type the key alias used to sign requests and responses.
Type the security certificate alias. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.
Type the length for keys used by the web service consumer when interacting with another entity.
Choose the method of encryption. The choices include:
Select the check box to enable encryption of the name identifier.
Provide information for the Communication URLs attributes.
Communication URLs attributes contain locations for sending transmissions to the service provider being configured.
Type a URL to the service provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non browser communications.
Type a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.
Type a URL to which the service provider will redirect the principal after completing a logout.
Type a URL to which another provider will send federation termination requests.
Type a URL to which the service provider will redirect the principal after completing federation termination.
Type a URL to which a service provider will send requests to specify the name identifier that will be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.
Type a URL to which the identity provider will redirect the principal after HTTP name registration has been completed.
Provide information for the Communication Profiles attributes.
Communication Profiles attributes define the transmission methods used by the service provider.
Select a profile to notify other providers of a principal’s federation termination:
Select a profile to notify other providers of a principal’s logout:
Select a profile to notify other providers of a principal’s name registration:
Select a profile for sending authentication requests:
Browser Post (specifies a browser-based HTTP POST protocol)
Browser Artifact (specifies a non-browser SOAP-based protocol)
LECP (specifies a Liberty-enabled Client Proxy)
Federation Manager can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.
Select any of the available authentication domains to assign to the provider.
A provider can belong to one or more authentication domains. However, a provider without a specified authentication domain can not participate in Liberty-based communications. If no authentication domains have been created, this attribute can be defined later.
Provide information for the Service Provider attributes.
Service Provider attributes define general information regarding the service provider.
Type the URL to the end point which will receive all SAML assertions.
If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.
Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.
Select the check box to make the service provider always signs authentication requests.
Select the check box to enable the service provider to participate in name registration after a principal has been federated.
Select the option permitting requester influence over name identifier policy at the identity provider. The options include:
The identity provider will return the name identifier(s) corresponding to the federation that exists between the identity provider and the requesting service provider or affiliation group for the principal. If no such federation exists, an error will be returned.
The identity provider will issue a temporary, one-time-use identifier for the principal after federation.
The identity provider may start a new identity federation if one does not already exist for the principal.
Select the check box to enable affiliation federation.
Provide information for the Hosted Configuration attributes.
Hosted Configuration attributes define general information regarding the provider hosted on the same machine as Federation Manager.
Type the URL of the local identity provider.
Type an alias name for the local identity provider.
Select the provider that should be used for authentication requests from a provider hosted locally.
Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.
Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).
Select the authentication context class (method of authentication) to use if the identity provider does not receive this information as part of a service provider request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are as follows:
Mobile Digital ID
Select the check box to indicate that the identity provider must reauthenticate the principal (even if the principal has an existing session from a prior authentication) when an authentication request is received from a remote service provider. This attribute is enabled by default.
Select the check box to specify that the identity provider must not prompt a user for authentication credentials upon receiving an authentication request from a remote service provider. The default (unchecked) is to authenticate the user upon receiving an authentication request.
Type the value of the organization's distinguished name.
Type the URI of the version of the Liberty Alliance Project specification being used. The default value is http://projectliberty.org/specs/v1.
This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
Type the URL of the home page of the identity provider.
Type the URL to which a principal will be redirected if single sign-on has failed.
Select the check box to enable auto federation.
When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain AutoFedAttribute as the attribute name and this common attribute as the value.
Specify a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.
Specifies a pluggable implementation to store and retrieve the user attribute information from the users data store. The default implementation of the com.sun.identity.federation.accountmgmt.FSUserProvider interface is the com.sun.identity.federation.accountmgmt.DefaultFSUserProvider class.
Specifies a pluggable implementation of the com.sun.identity.federation.plugins.FederationSPAdapter interface. The implemented class allows applications to customize their actions before and after invoking the federation protocols. For example, a service provider may want to choose to redirect to a specific location after single sign-on. There is no default implementation but the spi sample included with Federation Manager makes use of the class.
Stores configuration information that may be used to initialize the Service Provider Adapter Implementation Class Name. The usage of this attribute is also demonstrated in the spi sample application.
Provide information for the Proxy Authentication Attributes.
Proxy Authentication Configuration attributes define values for dynamic identity provider proxying.
Select the check box to enable proxy authentication for a service provider.
Add a list of identity providers that can be used for proxy authentication. The value is a URI defined as the provider's identifier.
Type the maximum number of identity providers that can be proxied.
Select the check box if you want introductions to be used to find the proxying identity provider.
Provide information for the SAML Attributes.
SAML Attributes define general information regarding SAML assertions.
Type the interval of time (in seconds) for which an assertion issued by the identity provider will remain valid. A principal will remain authenticated until the assertion interval expires.
Type the interval of time (in seconds) before assertions stored in the identity provider will be cleared.
Type the interval of time (in seconds) to specify the time out for assertion artifacts.
Type a number to define the amount of assertions an identity provider can issue, or the number of assertions that can be stored.
Provide values for the Organizations Profile attributes.
The Organizations Profile attributes provide basic information that may be required when interacting with a principal. These attributes are optional.
Type the complete legal name of the entity’s organization. Use the format locale|organization-name. For example, en|organization-name.com.
If the Names attribute contains a value, it is required to add values to the Display Names and URL attributes.
Type a name that is suitable for display. Use the format locale|organization-display-name. For example, en|organization-display-name.com.
Type a URL that can be used to direct a principal to additional information on the entity's organization. Use the format locale|organization-URL. For example, en|http://www.organization-name.com.
(Optional) To configure Contact Persons for the provider, click New Contact Person.
Continue configuring the entity by selecting another option from the View menu or click OK to complete the configuration.