Trusted Partners

This attribute defines any trusted partner (remote to the server on which Federation Manager is installed) that will be communicating with Federation Manager.

The trusted partner site must have a prearranged trust relationship with one or more of the sites configured in the Site Identifiers attribute.

To configure a new Trusted Partner, click New and see Trusted Partners: Selecting Partner Type and Profile.

Trusted Partners: Selecting Partner Type and Profile

This attribute defines any trusted partner (remote to the server on which Federation Manager is installed) that will be communicating with Federation Manager.

The trusted partner site must have a prearranged trust relationship with one or more of the sites configured in the Site Identifiers property.

The first step in configuring a trusted partner is to determine the partner's role in the trust relationship. A trusted partner can be a source site (one that generates a single sign-on assertion) or a destination site (one that consumes a single sign-on assertion). For example, if the partner is the source site, this attribute is configured based on how it will send assertions. If the partner is the destination site, this attribute is configured based on the profile in which it will be receiving assertions. Following is the first part of the procedure for configuring a trusted partner. The starting point is the SAML configuration screen of the Federation module.

To edit or duplicate the attributes of a trusted partner profile, click the appropriate button in the Actions column next to the configured trusted partner name.

1. In the Federation Manager Console, click the SAML tab.

2. Under Trusted Partners, click New.

   The Trusted Partner profile page is displayed.

   ---

   Note –

   Click Edit to change the role of the partner site if you are modifying an existing trusted partner.

   ---

3. Select the role (Destination or Source) of the partner site you are configuring by checking the appropriate profile(s) used to communicate with it.

   You may choose Web Browser Artifact Profile or Web Browser Post Profile for either Destination, Source or both, or SOAP Query for Destination only. The choices made dictate which of the attributes in the following steps need to be configured.

4. Click Next.

5. To complete the configuration, see Trusted Partners: Configuring Trusted Partner Attributes.

Trusted Partners: Configuring Trusted Partner Attributes

Following is the second part of the procedure for configuring a trusted partner. The starting point is Trusted Partners: Selecting Partner Type and Profile. Based on the role(s) selected in the first part, any of the sub-attributes listed in the following sections may need to be defined for the Trusted Partner.

If you reached this page by clicking Edit or Duplicate on the SAML configuration screen under Federation, modify the trusted partner profile based on the steps below and click Save to change the values. Click Save on the SAML Profile page to complete the modification.

1. Type in values for the Common Settings subattributes.

   Source ID

   This is a 20 byte sequence (encoded using the Base64 format) that comes from the partner site. It is generally the same value as that used for the Site ID attribute when configuring the Site Identifiers attribute.

   Target

   This is the domain of the partner site (with or without a port number). If you want to contact a web page that is hosted in this domain, the redirect URL is picked up from the values defined in .

   ---

   Note –

   If there are two defined entries for the same domain (one containing a port number and one without a port number), the entry with the port number takes precedence. For example, assume the following two trusted partner definitions: target=sun.com and target=sun.com:8080. If the principal is seeking http://machine.sun.com:8080/index.html, the second definition will be chosen.

   ---

   Site Attribute Mapper

   The class is used to return a list of attribute values defined as AttributeStatements elements in an Authentication Assertion. A site attribute mapper needs to be implemented from the com.sun.identity.saml.plugins.PartnerSiteAttributeMapper interface.

   If no class is defined, no attributes will be included in the assertion.

   Version

   The SAML version used (1.0 or 1.1) to send SAML requests. If this parameter has no value, the following default values (defined in AMConfig.properties) are used:

   • com.example.identity.saml.assertion.version=1.1

   • com.example.identity.saml.protocol.version=1.1

   Account Mapper

   The class that defines how the subject of an assertion is related to an identity at the destination site. An account mapper needs to be implemented from the com.sun.identity.saml.plugins.PartnerAccountMapper interface. If no class is specified, a default account mapper implementation will be used. This default implementation assumes that two sites have the same directory structure. For example, the root suffix, and user IDs are the same.

   Certificate

   A certificate alias that is used to verify the signature in an assertion when it is signed by the partner and the certificate cannot be found in the KeyInfo portion of the signed assertion.

   Host List

   A list of the IP addresses, the DNS host name, or the alias of the client authentication certificate used by the partner. This is configured for all hosts within the partner site that can send requests to this authority. This list helps to ensure that the requestor is indeed the intended receiver of the artifact. If the requester is defined in this list, the interaction will continue. If the requester’s information does not match any hosts defined in the host list, the request will be rejected.

   Issuer

   The creator of a generated assertion. The default syntax is hostname:port.

2. Type in values for the Destination subattributes.

   Artifact: SAML URL

   The URL that points to the servlet that implements the Web Browser Artifact Profile.

   Post: Post URL

   The URL that points to the servlet that implements the Web Browser POST Profile.

   SOAP Query: Attribute Mapper

   The class that is used to obtain single sign-on information from a query. You need to implement an attribute mapper from the included interface. If no class is specified, the DefaultAttributeMapper will be used.

   SOAP Query: Action Mapper

   The class that is used to get single sign-on information and map partner actions to authorization decisions. You need to implement an action mapper from the included interface. If no class is specified, the DefaultActionMapper will be used.

3. Type in values for the Source subattributes.

   Artifact: SOAP URL

   The URL to the SAML SOAP Receiver.

   Authentication Type

   Authentication types that can be used with SAML:

   • NOAUTH

   • BASICAUTH

   • SSL

   • SSLWITHBASICAUTH

   This attribute is optional. If not specified, the default is NOAUTH. If BASICAUTH or SSLWITHBASICAUTH is specified, the Trusted Partners attribute is required and should be HTTPS.

   User

   When BASICAUTH is chosen as the Authentication Type, the value of this attribute defines the user identifier of the partner being used to protect the partner’s SOAP receiver.

   User's Password

   When BASICAUTH is chosen as the Authentication Type, the value of this attribute defines the password for the user identifier of the partner being used to protect the partner’s SOAP receiver.

   User's Password (reenter)

   Reenter the password defined previously.

4. Click Finish.

5. Click Save on the SAML Profile page to complete the configuration.