7.3 Create Identity Provider Partner
General
The Create Identity Provider Partner page is used to define an identity provider (IdP) partner record for Access Manager. You can specify service details manually or load them from a metadata file.
The following table describes the elements in the General section of the Create Identity Provider Partner page:
Element | Description |
---|---|
Name | Type a Provider Name. |
Description | Type a short description that will help you or another Administrator identify this provider in the future. |
Enable Partner | Select whether this partner is currently participating in the federation. |
Default Identity Provider Partner | Select to use the default Provider Partner. |
Service Information
The following table describes the elements in the Service Information section of the Create Identity Provider Partner page:
Element | Description |
---|---|
Protocol | Choose from the following menu options in the drop-down: |
Provider ID | This is the Provider ID of the provider. Applies to SAML 1.1 and SAML 2.0 only. |
Succinct ID | This is the succinct ID of the provider. This element is required if using the artifact profile. Applies to SAML 1.1 and SAML 2.0 only. |
SSO Service URL | This is the URL to which SSO requests are sent. Applies to SAML 1.1 and SAML 2.0 only. |
SOAP Service URL | This is the URL to which SOAP service requests are sent. This element is required if using the artifact profile. Applies to SAML 1.1 and SAML 2.0 only. |
Load Signing Certificate | Upload the signing certificate. Click Browse and select the file that needs to be uploaded. You can specify it in Applies to SAML 1.1 and SAML 2.0 only. |
Service Details | Choose from the following options: Applies to SAML 2.0 only. |
Metadata File | Click Browse and select a file to use. This field appears only if the Load from Provider Metadata option is selected. Applies to SAML 2.0 only. |
Logout Request Service URL | This is the URL to which logout requests are sent. Applies to SAML 2.0 only. |
Logout Response URL | This is the URL to which responses to logout requests are sent. Applies to SAML 2.0 only. |
Load Encryption Certificate | Click Browse and select a file to upload the encryption certificate. Only visible when Enter Manually is selected. Applies to SAML 2.0 only. |
Service Details | Select an option from the drop-down menu. Indicates which of the following options Identity Federation (the RP) uses to perform Federation SSO with the IdP. Applies to OpenID 2.0 only. |
Discovery URL | Defines the location where the IdP publishes its XRDS metadata. Applies to OpenID 2.0 only. |
Endpoint URL | Defines the IdP SSO Service location. Applies to OpenID 2.0 only. |
Mapping Options
This setting indicates how an incoming assertion is mapped to a user in the identity store. The following table describes the elements in the User Mapping section of the Create Identity Provider Partner page:
Element | Description |
---|---|
User Identity Store | Choose an option from the drop-down menu. This is the identity store in which the IdP's users will be located and mapped. Identity Federation supports multiple identity stores, defined on a per-partner basis. If no user identity store is selected, the default Access Manager store is used. |
User Search Base DN | This is the base search DN used when looking up user records. If omitted, the default user search base DN configured for the selected user identity store is used. |
Map assertion Name ID to User ID Store attribute | This setting indicates how an incoming assertion is mapped to a user in the identity store. Choose this option to map the assertion Name ID to a user identity store attribute. |
Map assertion Name ID to User ID Store attribute | Enter the identity store attribute to which the assertion NameID will be mapped. |
Map assertion attribute to User ID Store attribute | This setting indicates how an incoming assertion is mapped to a user in the identity store. Choose this option to map an assertion attribute to a user identity store attribute. |
Assertion Attribute | Enter the assertion attribute that will be mapped. |
User ID Store Attribute | Enter the identity store attribute to which the assertion attribute will be mapped. |
Map assertion to user record using LDAP query | This setting indicates how an incoming assertion is mapped to a user in the identity store. Choose this option to map the assertion to a user record using an LDAP query. |
LDAP Query | Enter an LDAP query with placeholders for incoming data. You may use any of the following: For example, an LDAP query to map an incoming assertion based on two assertion attributes (lastname and email) would be ( |
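As an added illustration (not Oracle's own code; the `%name%` placeholder syntax and the assertion contents are assumptions, not Identity Federation's), this Python sketch fills an LDAP query template from the two assertion attributes named above, escapes each value per RFC 4515 before it reaches the directory, and insists that the lookup resolve to exactly one user record:

```python
import re

# Constructed sample: an incoming SAML assertion reduced to its NameID and attributes.
ASSERTION = {
    "NameID": "jdoe@example.com",
    "attributes": {"lastname": "Doe", "email": "jdoe@example.com"},
}

# Assumed placeholder syntax for this example: %NameID% or %<assertion attribute>%.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.]+)%")


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Assertion attributes are attacker-influenced input from the IdP's point
    of view, so every substituted value must be escaped, never spliced raw.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_ldap_query(template: str, assertion: dict) -> str:
    """Replace each placeholder with the escaped assertion value it names.

    A placeholder that the assertion cannot supply is an error rather than
    an empty string: an empty filter component would silently widen the match.
    """
    def lookup(match: re.Match) -> str:
        name = match.group(1)
        if name == "NameID":
            return ldap_escape(assertion["NameID"])
        if name not in assertion["attributes"]:
            raise ValueError(f"assertion carries no attribute {name!r}")
        return ldap_escape(str(assertion["attributes"][name]))

    return PLACEHOLDER.sub(lookup, template)


def single_match(dns: list) -> str:
    """Federation SSO must map to exactly one user; zero or many is a failure."""
    if len(dns) != 1:
        raise LookupError(f"expected exactly one user record, found {len(dns)}")
    return dns[0]


if __name__ == "__main__":
    print(build_ldap_query("(&(sn=%lastname%)(mail=%email%))", ASSERTION))
```

The query template mirrors the two-attribute (lastname and email) case the table describes; the constructed directory result in the assertions stands in for the real search.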
Attribute Mapping
The following table describes the elements in the Attribute Mapping section of the Create Identity Provider Partner page:
Element | Description |
---|---|
Attribute Profile | Indicates the attribute mapping profile to which the partner is bound. Click the search icon to open a Search window from which you can search for one or more previously configured Attribute Profiles. Select the profile and click OK to select, or click Cancel to cancel the selection. |
Save | Click Save to create the identity provider definition. |
Related Topics
Managing Identity Federation Partners in Administrator's Guide for Oracle Access Management.