7.3 Create Identity Provider Partner

General

The Create Identity Provider Partner page is used to define an identity provider (IdP) partner record for Access Manager. You can specify service details manually or load them from a metadata file.

The following table describes the elements in the General section of the Create Identity Provider Partner page:

Element Description

Name

Type a Provider Name.

Description

Type a short description that will help you or another Administrator identify this provider in the future.

Enable Partner

Select whether this partner is currently participating in the federation.

Default Identity Provider Partner

Select to use this partner as the default Identity Provider Partner.

Service Information

The following table describes the elements in the Service Information section of the Create Identity Provider Partner page:

Element Description

Protocol

Choose from the following menu options in the drop-down:

  • SAML 1.1

  • SAML 2.0

  • OpenID 2.0

Provider ID

The Provider ID that identifies the identity provider.

Applies to SAML 1.1 and SAML 2.0 only.

Succinct ID

The succinct ID of the provider. This element is required if the artifact profile is used.

Applies to SAML 1.1 and SAML 2.0 only.

SSO Service URL

The URL to which SSO requests are sent.

Applies to SAML 1.1 and SAML 2.0 only.

SOAP Service URL

The URL to which SOAP service requests are sent. This element is required if the artifact profile is used.

Applies to SAML 1.1 and SAML 2.0 only.

Load Signing Certificate

Upload the signing certificate: click Browse and select the file to be uploaded. The certificate can be in PEM or DER format.

Applies to SAML 1.1 and SAML 2.0 only.

Service Details

Choose from the following options:

  • Load from Provider Metadata - You can specify service details by loading an XML metadata file.

  • Enter Manually - You can specify service details by entering values manually.

Applies to SAML 2.0 only.

Metadata File

Click Browse and select a file to use.

This field appears only if Load from Provider Metadata option is selected.

Applies to SAML 2.0 only.

Logout Request Service URL

This is the URL to which logout requests are sent.

Applies to SAML 2.0 only.

Logout Response URL

This is the URL to which responses to logout requests are sent.

Applies to SAML 2.0 only.

Load Encryption Certificate

Click Browse and select the encryption certificate file to upload.

Only visible when Enter Manually is selected. Applies to SAML 2.0 only.

Service Details

Select an option from the drop-down menu to indicate which of the following methods Identity Federation (the RP) uses to perform Federation SSO with the IdP:

  • By discovering the IdP SSO URLs via the IdP XRDS metadata available at the Discovery Service URL.

  • By using the specified static OpenID login endpoint, which is the IdP SSO service URL.

Applies to OpenID 2.0 only.

Discovery URL

Defines the location where the IdP publishes its XRDS metadata.

Applies to OpenID 2.0 only.

Endpoint URL

Defines the IdP SSO Service location.

Applies to OpenID 2.0 only.
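When Service Details is set to Load from Provider Metadata, the SAML 2.0 fields above are read from the IdP's metadata file rather than typed in. The following is an added illustration (not Access Manager code) of which metadata elements carry those values; the element-to-field mapping is our reading of the SAML 2.0 metadata schema, and the sample metadata, entity ID, URLs and certificate strings are constructed placeholders.

```python
"""Read the SAML 2.0 Service Information fields from an IdP metadata file.
Added illustration, not Access Manager code; the element-to-field mapping is
our reading of the SAML 2.0 metadata schema, not something the console documents."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: entity ID, URLs and certificates are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com/saml2/soap" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/slo"
        ResponseLocation="https://idp.example.com/saml2/slo-response"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def service_information(metadata_xml: str) -> dict:
    """Return the values the console would otherwise ask you to enter manually."""
    # Partner metadata is untrusted input: in production use a hardened XML parser (e.g. defusedxml).
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    def attr(path, name):  # attribute of the first matching child element, or None
        el = idp.find(path, NS)
        return el.get(name) if el is not None else None
    def cert(use):  # base64 X.509 certificate for the given KeyDescriptor use
        el = idp.find(f"md:KeyDescriptor[@use='{use}']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        return el.text.strip() if el is not None and el.text else None
    return {
        "Provider ID": root.get("entityID"),
        "SSO Service URL": attr("md:SingleSignOnService", "Location"),
        "SOAP Service URL": attr("md:ArtifactResolutionService", "Location"),
        "Logout Request Service URL": attr("md:SingleLogoutService", "Location"),
        "Logout Response URL": attr("md:SingleLogoutService", "ResponseLocation"),
        "Signing Certificate": cert("signing"),
        "Encryption Certificate": cert("encryption"),
    }
```

Comparing the returned dictionary with what the console shows after loading a metadata file is a quick way to check that the right descriptor and certificates were picked up.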

Mapping Options

This setting indicates how an incoming assertion is mapped to a user in the identity store. The following table describes the elements in the User Mapping section of the Create Identity Provider Partner page:

Element Description

User Identity Store

Choose an option from the drop-down menu.

This is the identity store in which the IdP's users are located and mapped. Identity Federation supports multiple identity stores, defined on a per-partner basis. If no user identity store is selected, the default Access Manager identity store is used.

User Search Base DN

This is the base search DN used when looking up user records.

If omitted, the default user search base DN configured for the selected user identity store is used.

Map assertion Name ID to User ID Store attribute

Choose this option to map the assertion NameID to a User ID Store attribute.

Map assertion Name ID to User ID Store attribute

Enter the identity store attribute to which the assertion NameID will be mapped.

Map assertion attribute to User ID Store attribute

Choose this option to map an assertion attribute to a User ID Store attribute.

Assertion Attribute

Enter the assertion attribute that will be mapped to the identity store attribute.

User ID Store Attribute

Enter the identity store attribute to which the assertion attribute will be mapped.

Map assertion to user record using LDAP query

Choose this option to map the assertion to a user record using an LDAP query.

LDAP Query

Enter an LDAP query with placeholders for incoming data. You may use any of the following:

  • An attribute from the SAML assertion's AttributeStatement element, referenced by its name enclosed in % characters.

  • The SAML assertion subject's NameID referenced by %fed.nameidvalue%.

  • The identity provider's partner name, referenced by %fed.partner%.

For example, an LDAP query to map an incoming assertion based on two assertion attributes (lastname and email) would be (&(sn=%lastname%)(mail=%email%)).
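The placeholder syntax above, worked through as an added example (not Access Manager code): the template is filled from the assertion's attributes, NameID and partner name, and each substituted value is escaped per RFC 4515 so that assertion data cannot change the structure of the filter. The page does not say how the product itself performs the substitution; the escaping and the rejection of unknown placeholders are this example's own choices, and the sample assertion values are constructed.

```python
"""Fill the %placeholder% LDAP query used to map an assertion to a user record.
Added illustration of the placeholder syntax, not Access Manager code. Values are
escaped per RFC 4515 so assertion data cannot alter the filter's structure."""
import re

# %name%, %fed.nameidvalue%, %fed.partner%
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.\-]+)%")

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00" or ord(ch) > 0x7F:
            # metacharacters and non-ASCII become \XX per UTF-8 byte
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

def fill_ldap_query(template: str, attributes: dict, name_id: str, partner: str) -> str:
    """Resolve the placeholders in template.

    attributes holds the assertion's AttributeStatement values by attribute name;
    name_id is the subject NameID; partner is the IdP partner name.
    A placeholder with no matching assertion attribute raises KeyError rather than
    being left in the filter.
    """
    def resolve(match):
        key = match.group(1)
        if key == "fed.nameidvalue":
            raw = name_id
        elif key == "fed.partner":
            raw = partner
        elif key in attributes:
            raw = attributes[key]
        else:
            raise KeyError(f"assertion has no attribute for placeholder %{key}%")
        return escape_filter_value(raw)
    return PLACEHOLDER.sub(resolve, template)

# Constructed sample: the page's two-attribute query with a well-formed assertion.
ASSERTION_ATTRS = {"lastname": "Doe", "email": "jdoe@example.com"}
TEMPLATE = "(&(sn=%lastname%)(mail=%email%))"

if __name__ == "__main__":
    print(fill_ldap_query(TEMPLATE, ASSERTION_ATTRS, "jdoe", "ExampleIdP"))
    # A value containing filter metacharacters is escaped, not interpreted as filter syntax.
    print(fill_ldap_query(TEMPLATE, {"lastname": "Doe)(uid=*", "email": "x"}, "jdoe", "ExampleIdP"))
```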

Attribute Mapping

The following table describes the elements in the Attribute Mapping section of the Create Identity Provider Partner page:

Element Description

Attribute Profile

Indicates the attribute mapping profile to which the partner is bound.

Click the search icon to open a Search window from which you can search for one or more previously configured Attribute Profiles. Select a profile and click OK, or click Cancel to discard the selection.

Save

Click Save to create the identity provider definition.

Related Topics

Managing Identity Federation Partners in Administrator's Guide for Oracle Access Management.