test

Sun Java System Federation Manager 7.0 User's Guide

ProcedureTo Modify Remote Service Provider Attributes in a Provider Entity

After creating an entity and adding a service provider, you can edit the service provider profile. In a provider entity, this might entail adding metadata that was not available to configure when originally adding the service provider. The starting point is the Entity Descriptors screen under Federation.

  1. Click on the name of a configured provider entity to modify its profile.

    The entity's profile page is displayed.

  2. Select Service Provider from the View menu.

  3. Modify values for the Common Attributes.

    Common Attributes contain values that generally define the identity provider itself.

    Provider Type

    The static value of this attribute defines whether this is a hosted or remote provider.

    Description

    This attribute contains the description provided when you created the entity. You can modify the description originally entered.

    Valid Until

    Type the expiration date for the metadata pertaining to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For example, 2004-12-31T12:30:00.0Z.

    Cache Duration

    Type the maximum amount of time the entity can be cached. The value is defined in the format PnYnMnDTnHnMnS, where n is an integer. For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.

    Protocol Support Enumeration

    Choose the protocol release supported by this entity.

    • urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework version 1.2.

    • urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework version 1.1.

    Server Name Identifier Mapping Binding

    Name identifier mapping allows a service provider to obtain a name identifier for a principal that has federated in the namespace of a different service provider. Implementing this protocol allows the requesting service provider to communicate with the second service provider without an identity federation having been enabled. Type a URI that identifies the communication specifications.

    Note –

    Currently, the Name Identifier Mapping profile only supports SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.

    Additional Meta Locations

    Type a URL that points to other relevant metadata concerning the provider.

    Signing Key: Key Alias

    Type the key alias used to sign requests and responses.

    Encryption Key: Key Alias

    Type the security certificate alias. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

    Encryption Key: Key Size

    Type the length for keys used by the web service consumer when interacting with another entity.

    Encryption Key: Encryption Method

    Choose the method of encryption. The choices include:

    • None

    • AES

    • DES

    • 3DES

    Name Identifier Encryption

    Select the check box to enable encryption of the name identifier.

  4. Modify values for the Communication URLs attributes.

    Communication URLs attributes contain locations for sending transmissions to the service provider being configured.

    SOAP Endpoint

    Type a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non browser communications.

    Single Logout Service

    Type a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

    Single Logout Return

    Type a URL to which the identity provider will redirect the principal after completing a logout.

    Federation Termination Service

    Type a URL to which a service provider will send federation termination requests.

    Federation Termination Return

    Type a URL to which the identity provider will redirect the principal after completing federation termination.

    Name Registration Service

    Type a URL to which a service provider will send requests to specify the name identifier that will be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.

    Name Registration Return

    Type a URL to which the identity provider will redirect the principal after HTTP name registration has been completed.

  5. Modify values for the Communication Profiles attributes.

    Communication Profiles attributes define the transmission methods used by the service provider.

    Federation Termination

    Select a profile to notify other providers of a principal’s federation termination:

    • HTTP Redirect

    • SOAP

    Single Logout

    Select a profile to notify other providers of a principal’s logout:

    • HTTP Redirect

    • HTTP Get

    • SOAP

    Name Registration

    Select a profile to notify other providers of a principal’s name registration:

    • HTTP Redirect

    • SOAP

    Single Sign-on/Federation

    Select a profile for sending authentication requests:

    • Browser Post (specifies a browser-based HTTP POST protocol)

    • Browser Artifact (specifies a non-browser SOAP-based protocol)

    • LECP (specifies a Liberty-enabled Client Proxy)

      Note –

      Federation Manager can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.

  6. Select any of the available authentication domains to assign to the provider.

    A provider can belong to one or more authentication domains. However, a provider without a specified authentication domain can not participate in Liberty-based communications. If no authentication domains have been created, this attribute can be defined later.

  7. Modify values for the Service Provider attributes.

    Service Provider attributes define general information regarding the service provider.

    Assertion Consumer URL

    Type the URL to the end point which will receive all SAML assertions.

    Assertion Consumer Service URL ID

    If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.

    Set Assertion Consumer Service URL as Default

    Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.

    Sign Authentication Request

    Select the check box to make the service provider always signs authentication requests.

    Name Registration after Federation

    Select the check box to enable the service provider to participate in name registration after a principal has been federated.

    Name ID Policy

    Select the option permitting requester influence over name identifier policy at the identity provider. The options include:

    None

    The identity provider will return the name identifier(s) corresponding to the federation that exists between the identity provider and the requesting service provider or affiliation group for the principal. If no such federation exists, an error will be returned.

    One-time

    The identity provider will issue a temporary, one-time-use identifier for the principal after federation.

    Federation

    The identity provider may start a new identity federation if one does not already exist for the principal.

    Enable Affiliation Federation

    Select the check box to enable affiliation federation.

  8. Provide information for the Proxy Authentication Attributes.

    Proxy Authentication Configuration attributes define values for dynamic identity provider proxying.

    Enable Proxy Authentication

    Select the check box to enable proxy authentication for a service provider.

    Proxy Identity Providers List

    Add a list of identity providers that can be used for proxy authentication. The value is a URI defined as the provider's identifier.

    Maximum Number of Proxies

    Type the maximum number of identity providers that can be proxied.

    Use Introduction Cookie for Proxying

    Select the check box if you want introductions to be used to find the proxying identity provider.

  9. Provide values for the Organizations Profile attributes.

    The Organizations Profile attributes provide basic information that may be required when interacting with a principal. These attributes are optional.

    Names

    Type the complete legal name of the entity’s organization. Use the format locale|organization-name. For example, en|organization-name.com.

    Note –

    If the Names attribute contains a value, it is required to add values to the Display Names and URL attributes.

    Display Names

    Type a name that is suitable for display. Use the format locale|organization-display-name. For example, en|organization-display-name.com.

    URL

    Type a URL that can be used to direct a principal to additional information on the entity's organization. Use the format locale|organization-URL. For example, en|http://www.organization-name.com.

  10. (Optional) To configure Contact Persons for the provider, click New Contact Person.

    See To Add a Contact Person to a Provider in a Provider Entity.

  11. Click Save to complete the configuration.