Following is the second part of the procedure for configuring a trusted partner. The starting point is Trusted Partners: Selecting Partner Type and Profile. Based on the role(s) selected in the first part, any of the sub-attributes listed in the following sections may need to be defined for the Trusted Partner.
If you reached this page by clicking Edit or Duplicate on the SAML configuration screen under Federation, modify the trusted partner profile based on the steps below and click Save to change the values. Click Save on the SAML Profile page to complete the modification.
Type in values for the Common Settings subattributes.
This is a 20 byte sequence (encoded using the Base64 format) that comes from the partner site. It is generally the same value as that used for the Site ID attribute when configuring the Site Identifiers attribute.
This is the domain of the partner site (with or without a port number). If you want to contact a web page that is hosted in this domain, the redirect URL is picked up from the values defined in .
If there are two defined entries for the same domain (one containing a port number and one without a port number), the entry with the port number takes precedence. For example, assume the following two trusted partner definitions: target=sun.com and target=sun.com:8080. If the principal is seeking http://machine.sun.com:8080/index.html, the second definition will be chosen.
The class is used to return a list of attribute values defined as AttributeStatements elements in an Authentication Assertion. A site attribute mapper needs to be implemented from the com.sun.identity.saml.plugins.PartnerSiteAttributeMapper interface.
If no class is defined, no attributes will be included in the assertion.
The SAML version used (1.0 or 1.1) to send SAML requests. If this parameter has no value, the following default values (defined in AMConfig.properties) are used:
The class that defines how the subject of an assertion is related to an identity at the destination site. An account mapper needs to be implemented from the com.sun.identity.saml.plugins.PartnerAccountMapper interface. If no class is specified, a default account mapper implementation will be used. This default implementation assumes that two sites have the same directory structure. For example, the root suffix, and user IDs are the same.
A certificate alias that is used to verify the signature in an assertion when it is signed by the partner and the certificate cannot be found in the KeyInfo portion of the signed assertion.
A list of the IP addresses, the DNS host name, or the alias of the client authentication certificate used by the partner. This is configured for all hosts within the partner site that can send requests to this authority. This list helps to ensure that the requestor is indeed the intended receiver of the artifact. If the requester is defined in this list, the interaction will continue. If the requester’s information does not match any hosts defined in the host list, the request will be rejected.
The creator of a generated assertion. The default syntax is hostname:port.
Type in values for the Destination subattributes.
The URL that points to the servlet that implements the Web Browser Artifact Profile.
The URL that points to the servlet that implements the Web Browser POST Profile.
The class that is used to obtain single sign-on information from a query. You need to implement an attribute mapper from the included interface. If no class is specified, the DefaultAttributeMapper will be used.
The class that is used to get single sign-on information and map partner actions to authorization decisions. You need to implement an action mapper from the included interface. If no class is specified, the DefaultActionMapper will be used.
Type in values for the Source subattributes.
The URL to the SAML SOAP Receiver.
Authentication types that can be used with SAML:
This attribute is optional. If not specified, the default is NOAUTH. If BASICAUTH or SSLWITHBASICAUTH is specified, the Trusted Partners attribute is required and should be HTTPS.
When BASICAUTH is chosen as the Authentication Type, the value of this attribute defines the user identifier of the partner being used to protect the partner’s SOAP receiver.
When BASICAUTH is chosen as the Authentication Type, the value of this attribute defines the password for the user identifier of the partner being used to protect the partner’s SOAP receiver.
Reenter the password defined previously.
Click Save on the SAML Profile page to complete the configuration.