Sun Java System Federation Manager 7.0 User's Guide

Authentication Domains

An authentication domain is a federation of any number of service providers (and at least one identity provider) with whom principals can transact business in a secure and apparently seamless environment. (An authentication domain is NOT a domain in the domain name system sense of the word.) In Federation Manager, before creating and populating an authentication domain, you create a grouping of providers called an entity. Then, you configure and save the authentication domain itself. Finally, to add an entity, you edit the configured authentication domain.


Note –

For more information on entities, see Entities: Provider and Affiliate.


Authentication domains are configured using the Federation Manager Console by selecting Authentication Domains under Federation. The following tasks are associated with authentication domains:


Note –

The members of the domain must have previously established a circle of trust based on the Liberty Alliance Project architecture and operational agreements.


Procedure: To Create a New Authentication Domain

Follow this procedure to create a new authentication domain. The starting point is the Authentication Domains screen under Federation.

  1. Click New to display the authentication domain attributes.

    The New Authentication Domain profile page is displayed.

  2. Type a name for the authentication domain.

  3. (Optional) Type a description of the authentication domain in the Description field.

  4. (Optional) Type a value for the Writer Service URL.

    The Writer Service URL specifies the location of the servlet that writes the common domain cookie. Use the format http://common-domain-host:port/common/writer.

  5. (Optional) Type a value for the Reader Service URL.

    The Reader Service URL specifies the location of the servlet that reads the common domain cookie. Use the format http://common-domain-host:port/common/transfer.

  6. Choose Active or Inactive.

    The default status is Active. Choosing Inactive disables communication within the authentication domain.

  7. Click OK to complete the configuration.

    The new authentication domain is displayed on the Authentication Domains screen.

Procedure: To Modify an Authentication Domain Profile

Follow this procedure to edit the General attributes of an existing authentication domain, or to add providers to it. (See To Add Providers to an Authentication Domain.) The starting point is the Authentication Domains screen under Federation.

  1. Select the name of a configured authentication domain to modify its profile, or to add providers to it.

    The Authentication Domain Profile page is displayed.

  2. Edit the values of the authentication domain's General attributes.

    Name

    Contains the name for the authentication domain. This value is static.

    Description

    Contains a description of the authentication domain.

    Writer Service URL

    Specifies the location of the service that writes the common domain cookie. Use the format http://common-domain-host:port/common/writer.

    Reader Service URL

    Specifies the location of the service that reads the common domain cookie. Use the format http://common-domain-host:port/common/transfer.

    Status

    The default status is Active. Selecting Inactive disables communication within the authentication domain.

  3. Click Add to add providers to the authentication domain.

    The Trusted Partner page is displayed with a list of available provider entities.

  4. Choose one or more available providers and click the Add arrow to select them.

    The list provided contains the names of entities that have been created. These entities contain providers. For more information, see To Add Providers to an Authentication Domain.

  5. Click OK to save the providers to the authentication domain.

    This will return you to the previous Authentication Domain Profile screen.

  6. Click Save to complete the operation.
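As an added example that is not part of the guide, the following Python check models the General attributes entered in the create procedure and listed in step 2 above, and verifies that the optional Writer and Reader Service URLs follow the documented http://common-domain-host:port/common/... format and point at the same common domain. The class, its field names and the sample hostnames are assumptions, not Federation Manager's own API.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Path suffixes the guide gives for the common domain cookie servlets.
WRITER_PATH = "/common/writer"
READER_PATH = "/common/transfer"

@dataclass
class AuthDomainProfile:
    """General attributes of an authentication domain profile (field names are assumed)."""
    name: str
    description: str = ""
    writer_url: Optional[str] = None   # Writer Service URL (optional)
    reader_url: Optional[str] = None   # Reader Service URL (optional)
    status: str = "Active"             # default status is Active

def _check_cdc_url(label: str, url: str, expected_path: str) -> List[str]:
    """Check one URL against the documented http://common-domain-host:port/common/... form."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append(f"{label}: unexpected scheme {parts.scheme!r}")
    if not parts.netloc:
        problems.append(f"{label}: missing common-domain host:port")
    if parts.path != expected_path:
        problems.append(f"{label}: path {parts.path!r} should be {expected_path!r}")
    if parts.query or parts.fragment:
        problems.append(f"{label}: query string or fragment is not part of the format")
    return problems

def validate_profile(p: AuthDomainProfile) -> List[str]:
    """Return the problems found; an empty list means the profile is well-formed."""
    problems = []
    if not p.name.strip():
        problems.append("name is required")
    if p.status not in ("Active", "Inactive"):
        problems.append(f"status must be Active or Inactive, got {p.status!r}")
    if p.writer_url:
        problems += _check_cdc_url("Writer Service URL", p.writer_url, WRITER_PATH)
    if p.reader_url:
        problems += _check_cdc_url("Reader Service URL", p.reader_url, READER_PATH)
    if p.writer_url and p.reader_url:
        w, r = urlsplit(p.writer_url), urlsplit(p.reader_url)
        if (w.scheme, w.netloc) != (r.scheme, r.netloc):
            problems.append("Writer and Reader Service URLs must share one common-domain host:port")
    return problems
```

Run it against a profile before saving it in the console to catch a swapped writer/reader path or a reader URL pointing at a different host than the writer.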

Procedure: To Add Providers to an Authentication Domain

Identity providers and service providers must first be configured within entities before they are available to add to an authentication domain. Once created and populated with providers, an entity (and thus the providers) can be assigned to an authentication domain.


Note –

An entity cannot be assigned to an authentication domain until it has been populated with provider(s).


For more information, see Entities: Provider and Affiliate.

  1. Choose one or more available providers and click the Add arrow to select them.

    The list provided contains the names of entities that have been created. These entities contain providers.

  2. Click OK to save the providers to the authentication domain.

    This will return you to the previous Authentication Domain Profile screen.

  3. Finish your configuration and click Save to complete the operation.

Procedure: To Delete an Authentication Domain Profile

Follow this procedure to delete an existing authentication domain. The starting point is the Authentication Domains screen under Federation.

  1. Check the box next to the name of the authentication domain you want to delete.

  2. Click Delete.

    Deleting an authentication domain does not delete the providers that belong to it.