To Modify Hosted Identity Provider Attributes in a Provider Entity

After creating an entity and adding an identity provider, you can edit the identity provider profile. In a provider entity, this might entail adding metadata that was not available to configure when originally adding the identity provider. The starting point is the Entity Descriptors screen under Federation.

1. Click on the name of a configured provider entity to modify its profile.

   The entity's profile page is displayed.

2. Select Identity Provider from the View menu.

3. Modify values for the Common Attributes.

   Common Attributes contain values that generally define the identity provider itself.

   Provider Type

   The static value of this attribute defines whether this is a hosted or remote provider.

   Description

   This attribute contains the description provided when you created the entity. You can modify the description originally entered.

   Valid Until

   Type the expiration date for the metadata pertaining to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For example, 2004-12-31T12:30:00.0Z.

   Cache Duration

   Type the maximum amount of time the entity can be cached. The value is defined in the format PnYnMnDTnHnMnS, where n is an integer. For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.

   Protocol Support Enumeration

   Choose the protocol release supported by this entity.

   • urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework version 1.2.

   • urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework version 1.1.

   Server Name Identifier Mapping Binding

   Name identifier mapping allows a service provider to obtain a name identifier for a principal that has federated in the namespace of a different service provider. Implementing this protocol allows the requesting service provider to communicate with the second service provider without an identity federation having been enabled. Type a URI that identifies the communication specifications.

   ---

   Note –

   Currently, the Name Identifier Mapping profile only supports SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.

   ---

   Additional Meta Locations

   Type a URL that points to other relevant metadata concerning the provider.

   Signing Key: Key Alias

   Type the key alias used to sign requests and responses.

   Encryption Key: Key Alias

   Type the security certificate alias. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

   Encryption Key: Key Size

   Type the length for keys used by the web service consumer when interacting with another entity.

   Encryption Key: Encryption Method

   Choose the method of encryption. The choices include:

   • None

   • AES

   • DES

   • 3DES

   Name Identifier Encryption

   Select the check box to enable encryption of the name identifier.

4. Modify values for the Communication URLs attributes.

   Communication URLs attributes contain locations for sending transmissions to the service provider being configured.

   SOAP Endpoint

   Type a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non browser communications.

   Single Sign-On Service URL

   Type a URL to which service providers can send single sign-on and federation requests.

   Single Logout Service

   Type a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

   Single Logout Return

   Type a URL to which the identity provider will redirect the principal after completing a logout.

   Federation Termination Service

   Type a URL to which a service provider will send federation termination requests.

   Federation Termination Return

   Type a URL to which the identity provider will redirect the principal after completing federation termination.

   Name Registration Service

   Type a URL to which a service provider will send requests to specify the name identifier that will be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.

   Name Registration Return

   Type a URL to which the identity provider will redirect the principal after HTTP name registration has been completed.

5. Modify values for the Communication Profiles attributes.

   Communication Profiles attributes define the transmission methods used by the identity provider.

   Federation Termination

   Select a profile to notify other providers of a principal’s federation termination:

   • HTTP Redirect

   • SOAP

   Single Logout

   Select a profile to notify other providers of a principal’s logout:

   • HTTP Redirect

   • HTTP Get

   • SOAP

   Name Registration

   Select a profile to notify other providers of a principal’s name registration:

   • HTTP Redirect

   • SOAP

   Single Sign-on/Federation

   Select a profile for sending authentication requests:

   • Browser Post (specifies a browser-based HTTP POST protocol)

   • Browser Artifact (specifies a non-browser SOAP-based protocol)

   • LECP (specifies a Liberty-enabled Client Proxy)

     ---

     Note –

     Federation Manager can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.

     ---

6. Select any of the available authentication domains to assign to the provider.

   A provider can belong to one or more authentication domains. However, a provider without a specified authentication domain can not participate in Liberty-based communications. If no authentication domains have been created, this attribute can be defined later.

7. Select the authentication context to be used if the identity provider does not receive the information as part of a service provider request.

   This attribute maps the Liberty-defined authentication context classes to authentication methods available at the identity provider. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource.

   Supported

   Select the check box next to the authentication context class if the identity provider supports it.

   Context Reference

   The Liberty-defined authentication context classes are:

   • Mobile Contract

   • Mobile Digital ID

   • MobileUnregistered

   • Password

   • Password-ProtectedTransport

   • Previous-Session

   • Smartcard

   • Smartcard-PKI

   • Software-PKI

   • Time-Sync-Token

   Key

   Choose the authentication type to which the context is mapped.

   Value

   Type the authentication option.

   Priority

   Choose a priority level for cases where there are multiple contexts.

8. Choose from the available Trusted Providers and add to the entity.

   The list contains configured entities that have been populated with service providers.

9. Provide information for the Hosted Configuration attributes.

   Hosted Configuration attributes define general information regarding the provider hosted on the same machine as Federation Manager.

   Provider Alias

   Type an alias name for the local identity provider.

   Authentication Type

   Select the provider that should be used for authentication requests from a provider hosted locally.

   • Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.

   • Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).

   Default Authentication Context

   Select the authentication context class (method of authentication) to use if the identity provider does not receive this information as part of a service provider request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are as follows:

   • Password

   • Mobile Digital ID

   • Smartcard

   • Smartcard-PKI

   • MobileUnregistered

   • Software-PKI

   • Previous-Session

   • Mobile Contract

   • Time-Sync-Token

   • Password-ProtectedTransport

   Identity Provider Forced Authentication

   Select the check box to indicate that the identity provider must reauthenticate the principal (even if the principal has an existing session from a prior authentication) when an authentication request is received from a remote service provider. This attribute is enabled by default.

   Request Identity Provider to be Passive

   Select the check box to specify that the identity provider must not prompt a user for authentication credentials upon receiving an authentication request from a remote service provider. The default (unchecked) is to authenticate the user upon receiving an authentication request.

   Organization DN

   Type a value which points to the organization in which this provider is configured. For example, /sp.

   Liberty Version URI

   Type the URI of the version of the Liberty Alliance Project specification being used. The default value is http://projectliberty.org/specs/v1.

   Name Identifier Implementation

   This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

   Home Page URL

   Type the URL of the home page of the identity provider.

   Single Sign-on Failure Redirect URL

   Type the URL to which a principal will be redirected if single sign-on has failed.

   Assertion Issuer

   Type the name of the host that issues the assertion. This value might be the load balancer's host name if Federation Manager is behind one.

   Generate Discovery Bootstrapping Resource Offering

   Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign on process for bootstrapping purposes.

   Auto Federation

   Select the check box to enable auto federation.

   Auto Federation Common Attribute Name

   When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain AutoFedAttribute as the attribute name and this common attribute as the value.

   Attribute Statement Plugin

   Specify a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.

   User Provider Implementation Class Name

   Specifies a pluggable implementation to store and retrieve the user attribute information from the users data store. The default implementation of the com.sun.identity.federation.accountmgmt.FSUserProvider interface is the com.sun.identity.federation.accountmgmt.DefaultFSUserProvider class.

10. Provide information for the SAML Attributes.

    SAML Attributes define general information regarding SAML assertions that are sent by the identity provider.

    Assertion Interval

    Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid. A principal will remain authenticated until the assertion interval expires.

    Cleanup Interval

    Type the interval of time (in seconds) before assertions stored in the identity provider will be cleared.

    Artifact Timeout

    Type the interval of time (in seconds) to specify the timeout for assertion artifacts.

    Assertion Limit

    Type a number to define how many assertions an identity provider can issue, or how many assertions that can be stored.

11. Provide values for the Organizations Profile attributes.

    The Organizations Profile attributes provide basic information that may be required when interacting with a principal. These attributes are optional.

    Names

    Type the complete legal name of the entity’s organization. Use the format locale|organization-name. For example, en|organization-name.com.

    ---

    Note –

    If the Names attribute contains a value, it is required to add values to the Display Names and URL attributes.

    ---

    Display Names

    Type a name that is suitable for display. Use the format locale|organization-display-name. For example, en|organization-display-name.com.

    URL

    Type a URL that can be used to direct a principal to additional information on the entity's organization. Use the format locale|organization-URL. For example, en|http://www.organization-name.com.

12. (Optional) To configure Contact Persons for the provider, click New Contact Person.

    See To Add a Contact Person to a Provider in a Provider Entity.

13. Continue modifying the entity by selecting another option from the View menu or click Save to complete the configuration.