Chapter 7 Federation, Authentication Domains and Entities
Federation Manager implements the Liberty Alliance Project Liberty Identity Federation
Framework (Liberty ID-FF) specification. The Liberty ID-FF defines
a set of protocols, bindings and profiles that provide a solution
for identity federation, cross-domain authentication and session management.
This chapter covers the following topics:
Entities: Provider and Affiliate
In Federation Manager an entity can contain configuration
information for an individual identity provider, an individual service
provider, or one of each. An entity can also contain configuration
information for an affiliation, a group of providers
of either type. Both provider and affiliation entities can be configured
using the Federation Manager Console by selecting Entities under Federation.
Note –
An entity can be created but it will not be available
for assignment to an authentication domain until it has been populated
with provider(s).
There are two types of entities:
-
Provider Entity
-
A provider entity holds the metadata
for individual service or identity providers. All identity providers
and service providers must first be configured within a provider entity.
After they are configured in a provider entity, they can be associated
with an authentication domain, or chosen to be included in an affiliate
entity. Using the entity descriptor attributes, one individual
identity provider, one individual service provider, or one provider
of each type can be defined within a provider entity. A provider entity
profile contains the following groups of attributes:
Providers in a provider entity must also be defined as remote or hosted.
-
Affiliate Entity
-
An affiliate entity holds the
metadata that defines a group of one or more providers that was formed
without regard to the boundaries of an authentication domain. This affiliation (referenced by an affiliationID) is formed
and maintained by an affiliation owner (referenced
by the providerID of the entity that defined it) who chooses the trusted
providers from already configured provider entities. Members of the
affiliation may invoke services either as a member of the affiliation
(using the affiliationID), or individually (using their providerID).
For example, when a service provider issues an authentication request
on behalf of an affiliation, the AffiliationID will be used to achieve
single sign-on and the identity provider will resolve federations
based on the same AffiliationID. The affiliate entity itself does
not contain configuration information for any providers, only configuration
information for the affiliation. An affiliate entity profile contains
the following groupings of attributes:
Using these attributes, a group of providers is collectively
identified and maintained by an affiliation owner.
Typically, providers in an authentication domain exchange XML
metadata as specified in the Liberty Alliance Project Metadata specification. Federation Manager provides
command line utilities to import these XML files as remote providers. Hosted providers (those deployed within a specific instance
of Federation Manager) already have configured metadata in the directory where Federation Manager was
installed. Federation Manager also provides facilities to export XML metadata representing
a given hosted provider. This exported data can then be used as input
to configure a provider in a compliant product (Sun Java System Access Manager or another
instance of Federation Manager).
Depending on the type of provider the Federation Manager instance adopts,
XML metadata can be loaded using the command line tools to create
hosted providers. All providers created this way can be managed as
entities using the Federation Manager Console.
All configured entities are listed under Entity Descriptors.
The following tasks are associated with entities:
To Create a New Provider Entity or Affiliate Entity
Establishing an entity is a two-step process. First, you create
the entity. (This is when you define whether it is a provider
entity or an affiliate entity.) After
creating the entity, you configure it with provider information or
affiliation information. The following procedure is used to create
the new entity only. The starting point is the Entity Descriptors
screen under Federation.
Note –
An entity can be created but it will not be available
for assignment to an authentication domain until it has been populated
with provider(s).
-
Click New to display the entity attributes.
The
New Entity Descriptor page is displayed.
-
Type a value for the Entity Name.
This field
specifies the Uniform Resource Identifier (URI) of the entity and
must be unique. For example, http://shivalik.sun.com or http://provider2.com:875.
-
(Optional) Enter a description of the entity in the Description
field.
-
Select one of the following options to define the entity’s
type.
-
Select Provider and click Create.
The new
entity is now displayed as a provider entity in the list of configured
Entities.
-
Select Affiliate, enter a value for both Affiliate ID
and Affiliate Owner ID and click Create.
The Affiliate
ID specifies a URI defined by the Affiliate Owner that uniquely represents
the affiliate entity. For example, http://shivalik.sun.com or http://provider2.com:875. The Affiliate Owner ID is the
provider ID of the service provider (defined in a provider entity)
that is forming the affiliation. After entering these values and clicking
OK, the new entity is displayed as an affiliate entity in the list
of configured Entities.
Note –
Defining a service provider as the Affiliate Owner does
not automatically include it as a member of the affiliate. If an owner
is also a member, the provider ID must be defined in both attributes.
The new entity is displayed on the Entities screen.
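As an added illustration of the affiliation behaviour described above (a request made on behalf of an affiliation is resolved against the affiliation-level federation, while an individual request is resolved against the provider's own federation) and of the Note that an owner is not automatically a member, here is a small Python model. It is not Federation Manager code; the provider and affiliation identifiers used in it are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Affiliation:
    """Affiliate entity metadata: the affiliationID, its owner and its members."""
    affiliation_id: str
    owner_id: str            # providerID of the service provider that formed it
    members: frozenset       # providerIDs of the members; the owner is NOT implied


class IdentityProviderFederations:
    """Identity-provider-side model of federations (hypothetical, not the product's).

    A federation is keyed by the party the principal federated with: either a
    single providerID or an affiliationID. A request made on behalf of an
    affiliation is resolved against the affiliation-level federation, so every
    member of the affiliation sees the same name identifier.
    """

    def __init__(self, affiliations, name_id_factory=None):
        self._affiliations = {a.affiliation_id: a for a in affiliations}
        self._federations = {}   # (principal, party id) -> name identifier
        self._new_name_id = name_id_factory or (lambda: secrets.token_urlsafe(16))

    def federating_party(self, requester_id, affiliation_id=None):
        """Decide which identifier the federation is keyed on, checking membership."""
        if affiliation_id is None:
            return requester_id
        aff = self._affiliations.get(affiliation_id)
        if aff is None:
            raise LookupError(f"unknown affiliation {affiliation_id}")
        # Membership must be explicit; owning the affiliation does not make
        # a provider a member, so an owner-only provider is refused here.
        if requester_id not in aff.members:
            raise PermissionError(f"{requester_id} is not a member of {affiliation_id}")
        return affiliation_id

    def lookup(self, principal, requester_id, affiliation_id=None):
        """Return the federated name identifier, or None if no federation exists."""
        party = self.federating_party(requester_id, affiliation_id)
        return self._federations.get((principal, party))

    def federate(self, principal, requester_id, affiliation_id=None):
        """Create the federation if it is missing and return its name identifier."""
        party = self.federating_party(requester_id, affiliation_id)
        key = (principal, party)
        if key not in self._federations:
            self._federations[key] = self._new_name_id()
        return self._federations[key]
```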
To Modify the General Attributes of a Provider Entity or an Affiliate Entity
After creating an entity, you can edit its profile. This might
include modifying attributes, adding identity providers and service
providers (as entities), or configuring affiliates. Editing the General
attributes of an entity profile might entail modifying the already-defined
Common attributes, adding a contact person, or providing optional
organizational information. The following procedure is for editing
the General attributes. The starting point is the Entities screen
under Federation.
-
Select the name of a configured entity to modify its profile.
The entity's profile page is displayed.
-
Select General from the View menu.
-
Edit the values of any of the Entity Common Attributes.
- Entity Name
-
The static value of this attribute is the name provided
when you created the entity.
- Type
-
The static value of this attribute is the type of
entity, Provider or Affiliate.
- Description
-
The value of this attribute is the description provided
when you created the entity. You may modify the description originally
entered.
- Valid Until
-
Enter the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Enter the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer variable. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
-
Provide values for the Entity Contact Person Profile attributes.
- First Name
-
Type the given name of the entity’s contact
person.
- Last Name
-
Type the surname of the entity’s contact person.
- Type
-
Choose the type of contact from the drop-down menu:
- Administrative
- Billing
- Technical
- Other
- Company
-
Type the name of the company that employs this person.
- Liberty Principal ID
-
Type a URI that points to an online instance of the
contact person’s personal information profile.
- Emails
-
Type one or more email addresses for the contact person.
- Telephone Numbers
-
Type one or more telephone numbers for the contact
person.
-
Provide values for the Organizations Profile attributes.
The Organizations Profile attributes provide basic information
that may be required during interactions. These attributes are optional.
- Names
-
Type the complete legal name of the entity’s
organization. Use the format locale|organization-name. For example, en|organization-name.com.
Note –
If the Names attribute contains a value, it is required
to add values to the Display Names and URL attributes.
- Display Names
-
Type a name that is suitable for display. Use the
format locale|organization-display-name. For example, en|organization-display-name.com.
- URL
-
Type a URL that can be used to direct a principal
to additional information on the entity's organization. Use the format locale|organization-URL.
For example, en|http://www.organization-name.com.
-
Click Save to complete the configuration, or continue
defining values for Identity Provider or Service Provider.
Procedures
for defining values for Identity Provider or Service Provider attributes
are detailed in the following sections:
To Add an Identity Provider to a Provider Entity
After editing the General attributes of a provider entity, you
can add identity providers to it. The first step in this process is
to define the type of identity provider you are adding.
Follow this procedure to begin the process of adding an identity
provider to a provider entity. The starting point is the Entities
screen under Federation.
-
Select the name of a configured provider entity to modify
its profile.
The entity's profile page is displayed.
-
Select Identity Provider from the View menu.
-
Select the type of provider you are adding.
The appropriate Identity Provider profile page is displayed.
-
Based on your selection in the previous step, choose one
of the following:
To Add a New Hosted Identity Provider to a Provider Entity
A hosted provider is hosted on the same
server as Federation Manager. Editing the New Hosted Identity Provider attributes
entails adding metadata concerning the identity provider to the provider's
entity profile. The starting point for this procedure is To Add an Identity Provider to a Provider Entity.
 Caution – Federation Manager does not support hosted identity providers. These
attributes and this procedure are included for testing purposes only.
For real deployment scenarios, use an identity provider focused product
such as Sun Java System Access Manager.
-
Provide information for the Common Attributes.
Common
Attributes contain values that generally define the identity provider
itself.
- Description
-
This attribute contains the description provided when
you created the entity. You can modify the description originally
entered.
- Valid Until
-
Type the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Type the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
- Protocol Support Enumeration
-
Choose the protocol release supported by this entity.
- Server Name Identifier Mapping Binding
-
Name identifier mapping allows a service provider
to obtain a name identifier for a principal that has federated in
the namespace of a different service provider. Implementing this protocol
allows the requesting service provider to communicate with the second
service provider without an identity federation having been enabled.
Type a URI that identifies the communication specifications and click
Add.
Note –
Currently, the Name Identifier Mapping profile only supports
SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
- Additional Meta Locations
-
Type a URL that points to other relevant metadata
concerning the provider.
- Signing Key: Key Alias
-
Type the key alias used to sign requests and responses.
- Encryption Key: Key Alias
-
Type the security certificate alias. Certificates
are stored in a Java keystore file. Each specific certificate is mapped
to an alias that is used to fetch the certificate.
- Encryption Key: Key Size
-
Type the length for keys used by the web service consumer
when interacting with another entity.
- Encryption Key: Encryption Method
-
Choose the method of encryption. The choices include:
- Name Identifier Encryption
-
Select the check box to enable encryption of the name
identifier.
-
Provide information for the Communication URLs attributes.
Communication URLs attributes contain locations for sending
transmissions to the identity provider being configured.
- SOAP Endpoint
-
Type a URL to the identity provider’s SOAP message
receiver. This value communicates the location of the SOAP receiver
in non-browser communications.
- Single Sign-On Service URL
-
Type a URL to which service providers can send single
sign-on and federation requests.
- Single Logout Service
-
Type a URL to which service providers can send logout
requests. Single logout synchronizes the logout functionality across
all sessions authenticated by the identity provider.
- Single Logout Return
-
Type a URL to which the identity provider will redirect
the principal after completing a logout.
- Federation Termination Service
-
Type a URL to which a service provider will send federation
termination requests.
- Federation Termination Return
-
Type a URL to which the identity provider will redirect
the principal after completing federation termination.
- Name Registration Service
-
Type a URL to which a service provider will send requests
to specify the name identifier that will be used when communicating
with the identity provider about a principal. This service can only
be used after a federation session is established.
- Name Registration Return
-
Type a URL to which the identity provider will redirect
the principal after HTTP name registration has been completed.
-
Provide information for the Communication Profiles attributes.
Communication Profiles attributes define the transmission
methods used by the identity provider.
- Federation Termination
-
Select a profile to notify other providers of a principal’s
federation termination:
- Single Logout
-
Select a profile to notify other providers of a principal’s
logout:
- HTTP Redirect
- HTTP Get
- SOAP
- Name Registration
-
Select a profile to notify other providers of a principal’s
name registration:
- Single Sign-on/Federation
-
Select a profile for sending authentication requests:
- Browser Post (specifies a browser-based HTTP POST protocol)
- Browser Artifact (specifies a non-browser SOAP-based protocol)
- LECP (specifies a Liberty-enabled Client Proxy)
Note –
Federation Manager can handle requests that come from a Liberty-enabled
client proxy profile, but it requires additional configuration that
is beyond the scope of this manual.
-
Select any of the available authentication domains to
assign to the provider.
A provider can belong to one or
more authentication domains. However, a provider without a specified
authentication domain cannot participate in Liberty-based communications.
If no authentication domains have been created, you can define this
attribute later.
-
Provide information for the Hosted Configuration attributes.
Hosted Configuration attributes define general information regarding
the provider hosted on the same machine as Federation Manager.
- Provider URL
-
Type the URL of the provider hosted locally.
- Provider Alias
-
Type an alias name for the provider hosted locally.
- Authentication Type
-
Select what type of provider should be used for authentication
requests from a provider hosted locally.
- Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.
- Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).
- Default Authentication Context
-
Select the authentication context class (method of
authentication) to use if the identity provider does not receive this
information as part of a service provider request. This value also
specifies the authentication context used by the service provider
when an unknown user tries to access a protected resource. The options
are:
- Identity Provider Forced Authentication
-
Select the check box to indicate that the identity
provider must reauthenticate the principal (even if the principal
has an existing session from a prior authentication) when an authentication
request is received from a remote service provider. This attribute
is enabled by default.
- Request Identity Provider to be Passive
-
Select the check box to specify that the identity
provider must not prompt a user for authentication credentials upon
receiving an authentication request from a remote service provider.
The default (unchecked) is to authenticate the user upon receiving
an authentication request.
- Realm
-
Type a value which points to the realm in which this
provider is configured. For example, /sp.
- Liberty Version URI
-
Type the URI of the version of the Liberty Alliance Project specification
being used. The default value is http://projectliberty.org/specs/v1.
- Name Identifier Implementation
-
This field defines the class used by a service provider
to participate in name registration. Name registration is a profile
by which service providers specify a principal’s name identifier
that an identity provider will use when communicating to the service
provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
- Home Page URL
-
Type the URL of the home page for the provider hosted
locally.
- Single Sign-on Failure Redirect URL
-
Type the URL to which a principal will be redirected
if single sign-on has failed.
- Assertion Issuer
-
Type the name of the host that issues the assertion.
This value might be the load balancer's host name if Federation Manager is behind
one.
- Generate Discovery Bootstrapping Resource Offering
-
Select the check box if you want a Discovery Service Resource
Offering to be generated during the Liberty-based single sign on process
for bootstrapping purposes.
- Auto Federation
-
Select the check box to enable auto federation.
- Auto Federation Common Attribute Name
-
When creating an Auto Federation Attribute Statement,
the value of this attribute will be used. The statement will contain AutoFedAttribute as the attribute name and this common attribute
as the value.
- Attribute Statement Plugin
-
Specify a pluggable class used for adding attribute
statements to an assertion that is generated during the Liberty-based
single sign-on process.
-
Provide information for the SAML Attributes.
SAML
Attributes define general values regarding how the identity provider
will send SAML assertions.
- Assertion Interval
-
Type the interval of time (in seconds) that an assertion
issued by the identity provider will remain valid. A principal will
remain authenticated until the assertion interval expires.
- Cleanup Interval
-
Type the interval of time (in seconds) before assertions
stored in the identity provider will be cleared.
- Artifact Timeout
-
Type the interval of time (in seconds) to specify
the timeout for assertion artifacts.
- Assertion Limit
-
Type a number to define how many assertions an identity
provider can issue, or how many assertions can be stored.
-
Provide values for the Organization attributes.
Note –
The Organization attributes provide basic information
that may be required when interacting with a principal. These attributes
are optional.
- Names
-
Type the complete legal name of the entity’s
organization. Use the format locale|organization-name. For example, en|organization-name.com.
Note –
If the Names attribute contains a value, it is required
to add values to the Display Names and URL attributes.
- Display Names
-
Type a name that is suitable for display. Use the
format locale|organization-display-name. For example, en|organization-display-name.com.
- URL
-
Type a URL that can be used to direct a principal
to additional information on the entity's organization. Use the format locale|organization-URL.
For example, en|http://www.organization-name.com.
-
(Optional) To configure Contact Persons for the provider,
click New Contact Person.
For more information, see To Add a Contact Person to a Provider in a Provider Entity.
-
Click OK to add the provider to the entity.
-
Continue configuring the entity by selecting another option
from the View menu or click Save to complete the configuration.
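The four SAML attributes in the procedure above (Assertion Interval, Cleanup Interval, Artifact Timeout and Assertion Limit) govern an identity provider's assertion bookkeeping. As an added example, not Federation Manager's own implementation, the following Python model shows how they interact: the limit bounds how many assertions are held, the cleanup interval decides when expired ones are purged, the assertion interval bounds validity, and the artifact timeout bounds how long an artifact can be dereferenced. The model also assumes the artifact-profile rule that an artifact may be dereferenced only once; the clock is a constructed stand-in so the timing can be driven deterministically.

```python
import secrets


class FakeClock:
    """Constructed clock (seconds) so timing behaviour can be driven in tests."""

    def __init__(self, start=0.0):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AssertionStore:
    """Identity-provider-side store governed by the four SAML attributes (all in seconds)."""

    def __init__(self, assertion_interval, cleanup_interval, artifact_timeout,
                 assertion_limit, clock):
        self.assertion_interval = assertion_interval   # how long an assertion stays valid
        self.cleanup_interval = cleanup_interval       # how often expired entries are purged
        self.artifact_timeout = artifact_timeout       # how long an artifact can be resolved
        self.assertion_limit = assertion_limit         # maximum assertions held at once
        self._clock = clock
        self._assertions = {}   # assertion id -> (subject, issued_at)
        self._artifacts = {}    # artifact -> (assertion id, issued_at)
        self._last_cleanup = clock()

    def issue(self, subject):
        """Issue an assertion for subject and return (assertion id, artifact)."""
        self._maybe_cleanup()
        if len(self._assertions) >= self.assertion_limit:
            raise RuntimeError("assertion limit reached; refusing to issue")
        now = self._clock()
        assertion_id = "assertion-" + secrets.token_hex(8)
        artifact = secrets.token_urlsafe(20)          # unguessable handle for the assertion
        self._assertions[assertion_id] = (subject, now)
        self._artifacts[artifact] = (assertion_id, now)
        return assertion_id, artifact

    def resolve_artifact(self, artifact):
        """Dereference an artifact once; None if unknown, already used, or timed out."""
        entry = self._artifacts.pop(artifact, None)   # pop: a second resolve attempt fails
        if entry is None:
            return None
        assertion_id, issued_at = entry
        if self._clock() - issued_at > self.artifact_timeout:
            return None
        return assertion_id

    def is_valid(self, assertion_id):
        """An assertion is valid while it exists and is younger than the Assertion Interval."""
        entry = self._assertions.get(assertion_id)
        return entry is not None and self._clock() - entry[1] < self.assertion_interval

    def _maybe_cleanup(self):
        """Purge expired assertions and artifacts, at most once per Cleanup Interval."""
        now = self._clock()
        if now - self._last_cleanup < self.cleanup_interval:
            return
        self._assertions = {k: v for k, v in self._assertions.items()
                            if now - v[1] < self.assertion_interval}
        self._artifacts = {k: v for k, v in self._artifacts.items()
                           if now - v[1] <= self.artifact_timeout}
        self._last_cleanup = now
```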
To Add a New Remote Identity Provider to a Provider Entity
A remote provider is not hosted on the
same server as Federation Manager. Editing the New Remote Identity Provider attributes
entails adding metadata concerning the identity provider to the provider
entity profile. The starting point is To Add an Identity Provider to a Provider Entity.
-
Provide information for the Common Attributes.
Common
Attributes contain values that generally define the identity provider
itself.
- Description
-
This attribute contains the description provided when
you created the entity. You can modify the description originally
entered.
- Valid Until
-
Type the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Type the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
- Protocol Support Enumeration
-
Choose the protocol release supported by this entity.
- Server Name Identifier Mapping Binding
-
Name identifier mapping allows a service provider
to obtain a name identifier for a principal that has federated in
the namespace of a different service provider. Implementing this protocol
allows the requesting service provider to communicate with the second
service provider without an identity federation having been enabled.
Type a URI that identifies the communication specifications.
Note –
Currently, the Name Identifier Mapping profile only supports
SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
- Additional Meta Locations
-
Type a URL that points to other relevant metadata
concerning the provider.
- Signing Key: Key Alias
-
Type the key alias used to sign requests and responses.
- Encryption Key: Key Alias
-
Type the security certificate alias. Certificates
are stored in a Java keystore file. Each specific certificate is mapped
to an alias that is used to fetch the certificate.
- Encryption Key: Key Size
-
Type the length for keys used by the web service consumer
when interacting with another entity.
- Encryption Key: Encryption Method
-
Choose the method of encryption. The choices include:
- Name Identifier Encryption
-
Select the check box to enable encryption of the name
identifier.
-
Provide information for the Communication URLs attributes.
Communication URLs attributes contain locations for sending
transmissions to the remote identity provider.
- SOAP Endpoint
-
Type a URL to the identity provider’s SOAP message
receiver. This value communicates the location of the SOAP receiver
in non-browser communications.
- Single Sign-On Service URL
-
Type a URL to which service providers can send single
sign-on and federation requests.
- Single Logout Service
-
Type a URL to which service providers can send logout
requests. Single logout synchronizes the logout functionality across
all sessions authenticated by the identity provider.
- Single Logout Return
-
Type a URL to which the identity provider will redirect
the principal after completing a logout.
- Federation Termination Service
-
Type a URL to which a service provider will send federation
termination requests.
- Federation Termination Return
-
Type a URL to which the identity provider will redirect
the principal after completing federation termination.
- Name Registration Service
-
Type a URL to which a service provider will send requests
to specify the name identifier that will be used when communicating
with the identity provider about a principal. This service can only
be used after a federation session is established.
- Name Registration Return
-
Type a URL to which the identity provider will redirect
the principal after HTTP name registration has been completed.
-
Provide information for the Communication Profiles attributes.
Communication Profiles attributes define the transmission
methods used by the identity provider.
- Federation Termination
-
Select a profile to notify other providers of a principal’s
federation termination:
- Single Logout
-
Select a profile to notify other providers of a principal’s
logout:
- HTTP Redirect
- HTTP Get
- SOAP
- Name Registration
-
Select a profile to notify other providers of a principal’s
name registration:
- Single Sign-on/Federation
-
Select a profile for sending authentication requests:
- Browser Post (specifies a browser-based HTTP POST protocol)
- Browser Artifact (specifies a non-browser SOAP-based protocol)
- LECP (specifies a Liberty-enabled Client Proxy)
Note –
Federation Manager can handle requests that come from a Liberty-enabled
client proxy profile, but it requires additional configuration that
is beyond the scope of this manual.
-
Select any of the available authentication domains to
assign to the provider.
A provider can belong to one or
more authentication domains. However, a provider without a specified
authentication domain cannot participate in Liberty-based communications.
If no authentication domains have been created, this attribute can
be defined later.
-
Provide information for the Proxy Authentication Configuration
attributes.
Proxy Authentication Configuration attributes
define values for dynamic identity provider proxying.
- Enable Proxy Authentication
-
Select the check box to enable proxy authentication
for a service provider.
- Proxy Identity Providers List
-
Add a list of identity providers that can be used
for proxy authentication. The value is a URI defined as the provider's
identifier.
- Maximum Number of Proxies
-
Type the maximum number of identity providers that
can be proxied.
- Use Introduction Cookie for Proxying
-
Select the check box if you want introductions to
be used to find the proxying identity provider.
-
Provide values for the Organization attributes.
The
Organization attributes provide basic information that may be required
when interacting with a principal. These attributes are optional.
- Names
-
Type the complete legal name of the entity’s
organization. Use the format locale|organization-name. For example, en|organization-name.com.
Note –
If the Names attribute contains a value, it is required
to add values to the Display Names and URL attributes.
- Display Names
-
Type a name that is suitable for display. Use the
format locale|organization-display-name. For example, en|organization-display-name.com.
- URL
-
Type a URL that can be used to direct a principal
to additional information on the entity's organization. Use the format locale|organization-URL.
For example, en|http://www.organization-name.com.
-
(Optional) To configure Contact Persons for the provider,
click New Contact Person.
For more information, see To Add a Contact Person to a Provider in a Provider Entity.
-
Click OK to add the provider to the entity.
-
Continue configuring the entity by selecting another option
from the View menu or click Save to complete the configuration.
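Both the General attributes of an entity and the Common Attributes of a remote identity provider above carry a Valid Until timestamp (yyyy-mm-ddThh:mm:ss.SZ) and a Cache Duration (PnYnMnDTnHnMnS). As an added example, not part of Federation Manager, the following Python validates both formats and works out when cached metadata must be refreshed and when it must stop being used; the metadata values and the "now" timestamp it is called with are constructed.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Valid Until: yyyy-mm-ddThh:mm:ss.SZ, e.g. 2004-12-31T12:30:00.0Z (fraction optional here)
VALID_UNTIL_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$")

# Cache Duration: PnYnMnDTnHnMnS, e.g. P1Y2M4DT9H8M20S
DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_valid_until(value):
    """Parse the UTC timestamp format; anything not ending in 'Z' is rejected."""
    if not VALID_UNTIL_RE.match(value):
        raise ValueError(f"Valid Until not in yyyy-mm-ddThh:mm:ss.SZ form: {value!r}")
    base, _, fraction = value[:-1].partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if fraction:
        stamp += timedelta(microseconds=int(fraction[:6].ljust(6, "0")))
    return stamp


def parse_cache_duration(value):
    """Parse PnYnMnDTnHnMnS into a dict of integer components (missing parts are 0)."""
    match = DURATION_RE.match(value)
    # Reject bare "P"/"PT", a trailing "T" with no time part, and anything off-format.
    if not match or value.endswith("T") or not any(match.groupdict().values()):
        raise ValueError(f"Cache Duration not in PnYnMnDTnHnMnS form: {value!r}")
    return {name: int(digits or 0) for name, digits in match.groupdict().items()}


def add_duration(start, duration):
    """Advance start by a parsed duration: years/months by calendar, the rest by timedelta."""
    month_index = start.month - 1 + duration["mo"] + 12 * duration["y"]
    year, month = start.year + month_index // 12, month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])   # clamp e.g. Jan 31 + 1 month
    shifted = start.replace(year=year, month=month, day=day)
    return shifted + timedelta(days=duration["d"], hours=duration["h"],
                               minutes=duration["mi"], seconds=duration["s"])


def check_metadata(valid_until, cache_duration, now):
    """Report whether metadata is usable at 'now' and when it must be refreshed.

    Cached metadata is refreshed after the Cache Duration but must never be used
    past Valid Until, so the refresh deadline is the earlier of the two.
    'now' uses the same timestamp format; the results are UTC strings.
    """
    expires_at = parse_valid_until(valid_until)
    current = parse_valid_until(now)
    refresh_at = min(add_duration(current, parse_cache_duration(cache_duration)), expires_at)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {
        "valid": current < expires_at,
        "expires_at": expires_at.strftime(fmt),
        "refresh_at": refresh_at.strftime(fmt),
    }
```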
To Add a Service Provider to a Provider Entity
After editing the General attributes of a provider entity, you
can add service providers to it. The first step in this process is
to define the type of service provider you are adding.
Follow this procedure to begin the process of adding a service
provider to a provider entity. The starting point is the Entity Descriptors
screen under Federation.
-
Select the name of a configured provider entity to modify
its profile.
The entity's profile page is displayed.
-
Select Service Provider from the View menu.
-
Select the type of provider you are adding.
The appropriate Service Provider page is displayed.
-
Based on your selection in the previous step, choose one
of the following:
To Add a New Hosted Service Provider to a Provider Entity
A hosted provider is hosted on the same
server as Federation Manager. Editing the New Hosted Service Provider attributes
entails adding metadata concerning the service provider to the provider
entity profile. The starting point is To Add a Service Provider to a Provider Entity.
-
Provide information for the Common Attributes.
Common
Attributes contain values that generally define the service provider
itself.
- Description
-
This attribute contains the description provided when
you created the entity. You can modify the description originally
entered.
- Valid Until
-
Type the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Type the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
- Protocol Support Enumeration
-
Choose the protocol release supported by this entity.
- Server Name Identifier Mapping Binding
-
Name identifier mapping allows a service provider
to obtain a name identifier for a principal that has federated in
the namespace of a different service provider. Implementing this protocol
allows the requesting service provider to communicate with the second
service provider without an identity federation having been enabled.
Type a URI that identifies the communication specifications.
Note –
Currently, the Name Identifier Mapping profile only supports
SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
- Additional Meta Locations
-
Type a URL that points to other relevant metadata
concerning the provider.
- Signing Key: Key Alias
-
Type the key alias used to sign requests and responses.
- Encryption Key: Key Alias
-
Type the security certificate alias. Certificates
are stored in a Java keystore file. Each specific certificate is mapped
to an alias that is used to fetch the certificate.
- Encryption Key: Key Size
-
Type the length for keys used by the web service consumer
when interacting with another entity.
- Encryption Key: Encryption Method
-
Choose the method of encryption. The choices include:
- Name Identifier Encryption
-
Select the check box to enable encryption of the name
identifier.
-
Provide information for the Communication URLs attributes.
Communication URLs attributes contain locations for sending
transmissions to the service provider being configured.
- SOAP Endpoint
-
Type a URL to the service provider’s SOAP message
receiver. This value communicates the location of the SOAP receiver
in non-browser communications.
- Single Logout Service
-
Type a URL to which service providers can send logout
requests. Single logout synchronizes the logout functionality across
all sessions authenticated by the identity provider.
- Single Logout Return
-
Type a URL to which the service provider will redirect
the principal after completing a logout.
- Federation Termination Service
-
Type a URL to which another provider will send federation
termination requests.
- Federation Termination Return
-
Type a URL to which the service provider will redirect
the principal after completing federation termination.
- Name Registration Service
-
Type a URL to which a service provider will send requests
to specify the name identifier that will be used when communicating
with the identity provider about a principal. This service can only
be used after a federation session is established.
- Name Registration Return
-
Type a URL to which the identity provider will redirect
the principal after HTTP name registration has been completed.
-
Provide information for the Communication Profiles attributes.
Communication Profiles attributes define the transmission
methods used by the service provider.
- Federation Termination
-
Select a profile to notify other providers of a principal’s
federation termination:
- Single Logout
-
Select a profile to notify other providers of a principal’s
logout:
-
HTTP Redirect
-
HTTP Get
-
SOAP
- Name Registration
-
Select a profile to notify other providers of a principal’s
name registration:
- Single Sign-on/Federation
-
Select a profile for sending authentication requests:
-
Browser Post (specifies a browser-based HTTP POST
protocol)
-
Browser Artifact (specifies a non-browser SOAP-based
protocol)
-
LECP (specifies a Liberty-enabled Client Proxy)
Note –
Federation Manager can handle requests that come from a Liberty-enabled
client proxy profile, but it requires additional configuration that
is beyond the scope of this manual.
-
Select any of the available authentication domains to
assign to the provider.
A provider can belong to one or
more authentication domains. However, a provider without a specified
authentication domain cannot participate in Liberty-based communications.
If no authentication domains have been created, this attribute can
be defined later.
-
Provide information for the Service Provider attributes.
Service Provider attributes define general information regarding
the service provider.
- Assertion Consumer URL
-
Type the URL to the end point which will receive all
SAML assertions.
- Assertion Consumer Service URL ID
-
If the value of the Protocol Support Enumeration common
attribute is urn:liberty:iff:2003-08, type the
required ID.
- Set Assertion Consumer Service URL as Default
-
Select the check box to use the Assertion Consumer
Service URL as the default value when no identifier is provided in
the request.
- Sign Authentication Request
-
Select the check box to make the service provider
always sign authentication requests.
- Name Registration after Federation
-
Select the check box to enable the service provider
to participate in name registration after a principal has been federated.
- Name ID Policy
-
Select the option permitting requester influence over
name identifier policy at the identity provider. The options include:
- None
-
The identity provider will return the name identifier(s)
corresponding to the federation that exists between the identity provider
and the requesting service provider or affiliation group for the principal.
If no such federation exists, an error will be returned.
- One-time
-
The identity provider will issue a temporary, one-time-use
identifier for the principal after federation.
- Federation
-
The identity provider may start a new identity federation
if one does not already exist for the principal.
- Enable Affiliation Federation
-
Select the check box to enable affiliation federation.
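The three Name ID Policy options above describe what the identity provider does with the federation it holds for a principal and a requesting service provider. The following Python model, added here as an illustration and not taken from Federation Manager, implements that decision over an in-memory federation table; the class and method names and the use of a random opaque token as the name identifier are assumptions of this example.

```python
"""Identity-provider-side handling of the Name ID Policy options.

Added example, not Federation Manager code. The in-memory federation
table, the class/method names and the random opaque identifier are
assumptions of this example.
"""
import secrets


class FederationError(Exception):
    """Raised when policy None is requested but no federation exists."""


class NameIdResolver:
    def __init__(self):
        # (service provider id, principal) -> persistent name identifier
        self._federations = {}

    def resolve(self, policy, sp_id, principal):
        """Return the name identifier to place in the assertion for
        `principal` when `sp_id` asked with the given policy."""
        key = (sp_id, principal)
        if policy == "none":
            # Only an existing federation may be used; otherwise error.
            if key not in self._federations:
                raise FederationError(
                    f"no federation between {sp_id} and the principal")
            return self._federations[key]
        if policy == "onetime":
            # Temporary identifier: never stored, so it cannot later be
            # used to correlate the principal across requests.
            return self._new_identifier()
        if policy == "federation":
            # Start a federation if none exists yet, then reuse it.
            if key not in self._federations:
                self._federations[key] = self._new_identifier()
            return self._federations[key]
        raise ValueError(f"unknown Name ID Policy {policy!r}")

    def has_federation(self, sp_id, principal):
        return (sp_id, principal) in self._federations

    @staticmethod
    def _new_identifier():
        # Opaque and unguessable: the identifier must not reveal the
        # principal's local account name to the service provider.
        return secrets.token_urlsafe(24)
```

Note that with policy None a missing federation is an error rather than a fallback to a new one, and that a one-time identifier is never written to the table, which is what keeps it from becoming a correlation handle.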
-
Provide information for the Hosted Configuration attributes.
Hosted Configuration attributes define general information regarding
the provider hosted on the same machine as Federation Manager.
- Provider URL
-
Type the URL of the local identity provider.
- Provider Alias
-
Type an alias name for the local identity provider.
- Authentication Type
-
Select the provider that should be used for authentication
requests from a provider hosted locally.
-
Remote specifies that the provider
hosted locally would contact a remote identity provider upon receiving
an authentication request.
-
Local specifies that the provider
hosted locally should contact a local identity provider upon receiving
an authentication request (essentially, itself).
- Default Authentication Context
-
Select the authentication context class (method of
authentication) to use if the identity provider does not receive this
information as part of a service provider request. This value also
specifies the authentication context used by the service provider
when an unknown user tries to access a protected resource. The options
are as follows:
- Identity Provider Forced Authentication
-
Select the check box to indicate that the identity
provider must reauthenticate the principal (even if the principal
has an existing session from a prior authentication) when an authentication
request is received from a remote service provider. This attribute
is enabled by default.
- Request Identity Provider to be Passive
-
Select the check box to specify that the identity
provider must not prompt a user for authentication credentials upon
receiving an authentication request from a remote service provider.
The default (unchecked) is to authenticate the user upon receiving
an authentication request.
- Organization DN
-
Type the value of the organization's distinguished
name.
- Liberty Version URI
-
Type the URI of the version of the Liberty Alliance Project specification
being used. The default value is http://projectliberty.org/specs/v1.
- Name Identifier Implementation
-
This field defines the class used by a service provider
to participate in name registration. Name registration is a profile
by which service providers specify a principal’s name identifier
that an identity provider will use when communicating to the service
provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
- Home Page URL
-
Type the URL of the home page of the identity provider.
- Single Sign-on Failure Redirect URL
-
Type the URL to which a principal will be redirected
if single sign-on has failed.
- Auto Federation
-
Select the check box to enable auto federation.
- Auto Federation Common Attribute Name
-
When creating an Auto Federation Attribute Statement,
the value of this attribute will be used. The statement will contain AutoFedAttribute as the attribute name and this common attribute
as the value.
- Attribute Statement Plugin
-
Specify a pluggable class used for adding attribute
statements to an assertion that is generated during the Liberty-based
single sign-on process.
- User Provider Implementation Class Name
-
Specifies a pluggable implementation to store and
retrieve the user attribute information from the user data store.
The default implementation of the com.sun.identity.federation.accountmgmt.FSUserProvider interface is the com.sun.identity.federation.accountmgmt.DefaultFSUserProvider class.
- Service Provider Adapter Implementation Class
Name
-
Specifies a pluggable implementation of the com.sun.identity.federation.plugins.FederationSPAdapter interface.
The implemented class allows applications to customize their actions
before and after invoking the federation protocols. For example, a
service provider may want to choose to redirect to a specific location
after single sign-on. There is no default implementation, but the spi sample included with Federation Manager makes use
of the class.
- Configuration for Service Provider Adapter Implementation
-
Stores configuration information that may be used
to initialize the Service Provider Adapter Implementation Class Name.
The usage of this attribute is also demonstrated in the spi sample application.
-
Provide information for the Proxy Authentication Attributes.
Proxy Authentication Configuration attributes define values
for dynamic identity provider proxying.
- Enable Proxy Authentication
-
Select the check box to enable proxy authentication
for a service provider.
- Proxy Identity Providers List
-
Add a list of identity providers that can be used
for proxy authentication. The value is a URI defined as the provider's
identifier.
- Maximum Number of Proxies
-
Type the maximum number of identity providers that
can be proxied.
- Use Introduction Cookie for Proxying
-
Select the check box if you want introductions to
be used to find the proxying identity provider.
-
Provide information for the SAML Attributes.
SAML
Attributes define general information regarding SAML assertions.
- Assertion Interval
-
Type the interval of time (in seconds) for which an
assertion issued by the identity provider will remain valid. A principal
will remain authenticated until the assertion interval expires.
- Cleanup Interval
-
Type the interval of time (in seconds) before assertions
stored in the identity provider will be cleared.
- Artifact Timeout
-
Type the interval of time (in seconds) to specify
the timeout for assertion artifacts.
- Assertion Limit
-
Type a number to define the number of assertions an
identity provider can issue, or the number of assertions that can
be stored.
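The four SAML Attributes above interact: an assertion is valid for Assertion Interval seconds, an artifact referencing it can only be dereferenced within Artifact Timeout seconds, expired entries are swept every Cleanup Interval seconds, and Assertion Limit bounds how many assertions are held. The following Python model is an added example, not Federation Manager code; the class and method names and the explicit `now` parameter (seconds, passed in so the behaviour is deterministic) are this example's assumptions.

```python
"""In-memory model of the four SAML Attributes: Assertion Interval,
Cleanup Interval, Artifact Timeout and Assertion Limit.

Added example, not Federation Manager code. Class and method names are
this example's own; the current time is passed in as seconds.
"""
from dataclasses import dataclass, field


@dataclass
class Assertion:
    assertion_id: str
    principal: str
    issued_at: float
    valid_until: float  # issued_at + assertion_interval


@dataclass
class AssertionStore:
    assertion_interval: float  # seconds an issued assertion stays valid
    cleanup_interval: float    # seconds between purges of expired entries
    artifact_timeout: float    # seconds an artifact may be dereferenced
    assertion_limit: int       # maximum assertions held at one time
    _assertions: dict = field(default_factory=dict)
    _artifacts: dict = field(default_factory=dict)  # artifact -> (id, expiry)
    _last_cleanup: float = 0.0
    _counter: int = 0

    def issue(self, principal, now):
        """Issue an assertion and return the artifact that references it,
        or None when the Assertion Limit would be exceeded."""
        self._maybe_cleanup(now)
        if len(self._assertions) >= self.assertion_limit:
            return None  # refuse rather than grow without bound
        self._counter += 1
        aid = f"assertion-{self._counter}"
        self._assertions[aid] = Assertion(
            aid, principal, now, now + self.assertion_interval)
        artifact = f"artifact-{self._counter}"
        self._artifacts[artifact] = (aid, now + self.artifact_timeout)
        return artifact

    def resolve_artifact(self, artifact, now):
        """Exchange an artifact for its assertion: single use, and only
        while both the artifact and the assertion are still valid."""
        entry = self._artifacts.pop(artifact, None)
        if entry is None:
            return None
        aid, expires = entry
        if now >= expires:
            return None
        assertion = self._assertions.get(aid)
        if assertion is None or now >= assertion.valid_until:
            return None
        return assertion

    def is_authenticated(self, principal, now):
        """A principal stays authenticated until its assertion interval expires."""
        return any(a.principal == principal and now < a.valid_until
                   for a in self._assertions.values())

    def stored_count(self):
        return len(self._assertions)

    def _maybe_cleanup(self, now):
        # Expired assertions and artifacts are only swept every
        # cleanup_interval seconds, which is why validity is also
        # checked on every lookup above rather than trusting the sweep.
        if now - self._last_cleanup < self.cleanup_interval:
            return
        self._last_cleanup = now
        self._assertions = {k: a for k, a in self._assertions.items()
                            if now < a.valid_until}
        self._artifacts = {k: v for k, v in self._artifacts.items()
                           if now < v[1] and v[0] in self._assertions}
```

The point to take from the model is that the Cleanup Interval is a storage concern, not a validity check: between sweeps an expired assertion is still in the store, so every lookup compares against the expiry itself.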
-
Provide values for the Organizations Profile attributes.
The Organizations Profile attributes provide basic information
that may be required when interacting with a principal. These attributes
are optional.
- Names
-
Type the complete legal name of the entity’s
organization. Use the format locale|organization-name. For example, en|organization-name.com.
Note –
If the Names attribute contains a value, you must also
add values to the Display Names and URL attributes.
- Display Names
-
Type a name that is suitable for display. Use the
format locale|organization-display-name. For example, en|organization-display-name.com.
- URL
-
Type a URL that can be used to direct a principal
to additional information on the entity's organization. Use the format locale|organization-URL.
For example, en|http://www.organization-name.com.
-
(Optional) To configure Contact Persons for the provider,
click New Contact Person.
See To Add a Contact Person to a Provider in a Provider Entity.
-
Continue configuring the entity by selecting another option
from the View menu or click OK to complete the configuration.
To Add a New Remote Service Provider to a
Provider Entity
A remote provider is not hosted on the
same server as Federation Manager. Editing the New Remote Service Provider attributes
entails adding metadata concerning the service provider to the provider
entity profile. The starting point is To Add a Service Provider to a Provider Entity.
-
Provide information for the Common Attributes.
Common
Attributes contain values that generally define the identity provider
itself.
- Description
-
This attribute contains the description provided when
you created the entity. You can modify the description originally
entered.
- Valid Until
-
Type the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Type the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
- Protocol Support Enumeration
-
Choose the protocol release supported by this entity.
- Server Name Identifier Mapping Binding
-
Name identifier mapping allows a service provider
to obtain a name identifier for a principal that has federated in
the namespace of a different service provider. Implementing this protocol
allows the requesting service provider to communicate with the second
service provider without an identity federation having been enabled.
Type a URI that identifies the communication specifications.
Note –
Currently, the Name Identifier Mapping profile only supports
SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
- Additional Meta Locations
-
Type a URL that points to other relevant metadata
concerning the provider.
- Signing Key: Key Alias
-
Type the key alias used to sign requests and responses.
- Encryption Key: Key Alias
-
Type the security certificate alias. Certificates
are stored in a Java keystore file. Each specific certificate is mapped
to an alias that is used to fetch the certificate.
- Encryption Key: Key Size
-
Type the length for keys used by the web service consumer
when interacting with another entity.
- Encryption Key: Encryption Method
-
Choose the method of encryption. The choices include:
- Name Identifier Encryption
-
Select the check box to enable encryption of the name
identifier.
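The Valid Until and Cache Duration attributes above together decide how long a copy of this provider's metadata (and therefore the signing and encryption key aliases it names) may be relied on. The following Python checker is an added example, not Federation Manager code: it parses the two documented formats (UTC yyyy-mm-ddThh:mm:ss.SZ and PnYnMnDTnHnMnS) and reports whether a cached copy is still usable. The function names, and the rounding of years and months to 365 and 30 days, are this example's assumptions.

```python
"""Check whether a cached copy of provider metadata is still usable.

Added example, not Federation Manager code. It parses the two formats
documented above: Valid Until as UTC yyyy-mm-ddThh:mm:ss.SZ
(e.g. 2004-12-31T12:30:00.0Z) and Cache Duration as PnYnMnDTnHnMnS
(e.g. P1Y2M4DT9H8M20S). Function names are this example's own.
"""
import re
from datetime import datetime, timedelta, timezone

_VALID_UNTIL_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z$")
_DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_valid_until(value):
    """Parse a Valid Until timestamp; the trailing Z makes it UTC."""
    m = _VALID_UNTIL_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad Valid Until value: {value!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    micros = int((frac or "0").ljust(6, "0")[:6])
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    micros, tzinfo=timezone.utc)


def parse_cache_duration(value):
    """Parse PnYnMnDTnHnMnS into a timedelta. Years and months have no
    fixed length; this example rounds them down to 365 and 30 days (an
    assumption) so the cache window is never overestimated."""
    text = value.strip()
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT") or text.endswith("T"):
        raise ValueError(f"bad Cache Duration value: {value!r}")
    y, mo, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=365 * y + 30 * mo + d,
                     hours=h, minutes=mi, seconds=s)


def is_valid_cache_duration(value):
    """True when `value` is a well-formed, non-empty Cache Duration."""
    try:
        parse_cache_duration(value)
        return True
    except ValueError:
        return False


def metadata_usable(valid_until, cache_duration, fetched_at, now):
    """True when the copy fetched at `fetched_at` may still be used at
    `now`: it must be inside its cache window AND not past Valid Until.
    All four arguments are strings in the two formats above."""
    expiry = parse_valid_until(valid_until)
    cache_expiry = (parse_valid_until(fetched_at)
                    + parse_cache_duration(cache_duration))
    return parse_valid_until(now) < min(expiry, cache_expiry)
```

Either limit alone is enough to reject the copy: a long Cache Duration does not extend metadata past its Valid Until, and metadata that is still formally valid should be refetched once its cache window has closed, since the keys it names may have been rotated.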
-
Provide information for the Communication URLs attributes.
Communication URLs attributes contain locations for sending
transmissions to the remote service provider being configured.
- SOAP Endpoint
-
Type a URL to the service provider’s SOAP message
receiver. This value communicates the location of the SOAP receiver
in non-browser communications.
- Single Logout Service
-
Type a URL to which providers can send logout requests.
Single logout synchronizes the logout functionality across all sessions
authenticated by the identity provider.
- Single Logout Return
-
Type a URL to which the provider will redirect the
principal after completing a logout.
- Federation Termination Service
-
Type a URL to which a provider will send federation
termination requests.
- Federation Termination Return
-
Type a URL to which the provider will redirect the
principal after completing federation termination.
- Name Registration Service
-
Type a URL to which a provider will send requests
to specify the name identifier that will be used when communicating
with the identity provider about a principal. This service can only
be used after a federation session is established.
- Name Registration Return
-
Type a URL to which the provider will redirect the
principal after HTTP name registration has been completed.
-
Provide information for the Communication Profiles attributes.
Communication Profiles attributes define the transmission
methods used by the service provider.
- Federation Termination
-
Select a profile to notify other providers of a principal’s
federation termination:
- Single Logout
-
Select a profile to notify other providers of a principal’s
logout:
-
HTTP Redirect
-
HTTP Get
-
SOAP
- Name Registration
-
Select a profile to notify other providers of a principal’s
name registration:
- Single Sign-on/Federation
-
Select a profile for sending authentication requests:
-
Browser Post (specifies a browser-based HTTP POST
protocol)
-
Browser Artifact (specifies a non-browser SOAP-based
protocol)
-
LECP (specifies a Liberty-enabled Client Proxy)
Note –
Federation Manager can handle requests that come from a Liberty-enabled
client proxy profile, but it requires additional configuration that
is beyond the scope of this manual.
-
Select any of the available authentication domains to
assign to the provider.
A provider can belong to one or
more authentication domains. However, a provider without a specified
authentication domain cannot participate in Liberty-based communications.
If no authentication domains have been created, this attribute can
be defined later.
-
Provide information for the Service Provider attributes.
Service Provider attributes define general information regarding
the service provider.
- Assertion Consumer URL
-
Type the URL to the end point which will receive all
SAML assertions.
- Assertion Consumer Service URL ID
-
If the value of the Protocol Support Enumeration common
attribute is urn:liberty:iff:2003-08, type the
required ID.
- Set Assertion Consumer Service URL as Default
-
Select the check box to use the Assertion Consumer
Service URL as the default value when no identifier is provided in
the request.
- Sign Authentication Request
-
Select the check box to make the service provider
always sign authentication requests.
- Name Registration after Federation
-
Select the check box to enable the service provider
to participate in name registration after a principal has been federated.
- Name ID Policy
-
Select the option permitting requester influence over
name identifier policy at the identity provider. The options include:
- None
-
The identity provider will return the name identifier(s)
corresponding to the federation that exists between the identity provider
and the requesting service provider or affiliation group for the principal.
If no such federation exists, an error will be returned.
- One-time
-
The identity provider will issue a temporary, one-time-use
identifier for the principal after federation.
- Federation
-
The identity provider may start a new identity federation
if one does not already exist for the principal.
- Enable Affiliation Federation
-
Select the check box to enable affiliation federation.
-
Provide information for the Proxy Authentication Configuration
attributes.
Proxy Authentication Configuration attributes
define values for dynamic identity provider proxying.
- Enable Proxy Authentication
-
Select the check box to enable proxy authentication
for a service provider.
- Proxy Identity Providers List
-
Add a list of identity providers that can be used
for proxy authentication. The value is a URI defined as the provider's
identifier.
- Maximum Number of Proxies
-
Type the maximum number of identity providers that
can be proxied.
- Use Introduction Cookie for Proxying
-
Select the check box if you want introductions to
be used to find the proxying identity provider.
-
Provide values for the Organizations Profile attributes.
The Organizations Profile attributes provide basic information
that may be required when interacting with a principal. These attributes
are optional.
- Names
-
Type the complete legal name of the entity’s
organization. Use the format locale|organization-name. For example, en|organization-name.com.
Note –
If the Names attribute contains a value, you must also
add values to the Display Names and URL attributes.
- Display Names
-
Type a name that is suitable for display. Use the
format locale|organization-display-name. For example, en|organization-display-name.com.
- URL
-
Type a URL that can be used to direct a principal
to additional information on the entity's organization. Use the format locale|organization-URL.
For example, en|http://www.organization-name.com.
-
(Optional) To configure Contact Persons for the provider,
click New Contact Person.
See To Add a Contact Person to a Provider in a Provider Entity.
-
Continue configuring the entity by selecting another option
from the View menu or click OK to complete the configuration.
To Modify Hosted Identity Provider Attributes
in a Provider Entity
After creating an entity and adding an identity provider, you
can edit the identity provider profile. In a provider entity, this
might entail adding metadata that was not available to configure when
originally adding the identity provider. The starting point is the
Entity Descriptors screen under Federation.
-
Click on the name of a configured provider entity to modify
its profile.
The entity's profile page is displayed.
-
Select Identity Provider from the View menu.
-
Modify values for the Common Attributes.
Common
Attributes contain values that generally define the identity provider
itself.
- Provider Type
-
The static value of this attribute defines whether
this is a hosted or remote provider.
- Description
-
This attribute contains the description provided when
you created the entity. You can modify the description originally
entered.
- Valid Until
-
Type the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Type the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
- Protocol Support Enumeration
-
Choose the protocol release supported by this entity.
- Server Name Identifier Mapping Binding
-
Name identifier mapping allows a service provider
to obtain a name identifier for a principal that has federated in
the namespace of a different service provider. Implementing this protocol
allows the requesting service provider to communicate with the second
service provider without an identity federation having been enabled.
Type a URI that identifies the communication specifications.
Note –
Currently, the Name Identifier Mapping profile only supports
SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
- Additional Meta Locations
-
Type a URL that points to other relevant metadata
concerning the provider.
- Signing Key: Key Alias
-
Type the key alias used to sign requests and responses.
- Encryption Key: Key Alias
-
Type the security certificate alias. Certificates
are stored in a Java keystore file. Each specific certificate is mapped
to an alias that is used to fetch the certificate.
- Encryption Key: Key Size
-
Type the length for keys used by the web service consumer
when interacting with another entity.
- Encryption Key: Encryption Method
-
Choose the method of encryption. The choices include:
- Name Identifier Encryption
-
Select the check box to enable encryption of the name
identifier.
-
Modify values for the Communication URLs attributes.
Communication URLs attributes contain locations for sending
transmissions to the service provider being configured.
- SOAP Endpoint
-
Type a URI to the identity provider’s SOAP message
receiver. This value communicates the location of the SOAP receiver
in non-browser communications.
- Single Sign-On Service URL
-
Type a URL to which service providers can send single
sign-on and federation requests.
- Single Logout Service
-
Type a URL to which service providers can send logout
requests. Single logout synchronizes the logout functionality across
all sessions authenticated by the identity provider.
- Single Logout Return
-
Type a URL to which the identity provider will redirect
the principal after completing a logout.
- Federation Termination Service
-
Type a URL to which a service provider will send federation
termination requests.
- Federation Termination Return
-
Type a URL to which the identity provider will redirect
the principal after completing federation termination.
- Name Registration Service
-
Type a URL to which a service provider will send requests
to specify the name identifier that will be used when communicating
with the identity provider about a principal. This service can only
be used after a federation session is established.
- Name Registration Return
-
Type a URL to which the identity provider will redirect
the principal after HTTP name registration has been completed.
-
Modify values for the Communication Profiles attributes.
Communication Profiles attributes define the transmission methods
used by the identity provider.
- Federation Termination
-
Select a profile to notify other providers of a principal’s
federation termination:
- Single Logout
-
Select a profile to notify other providers of a principal’s
logout:
-
HTTP Redirect
-
HTTP Get
-
SOAP
- Name Registration
-
Select a profile to notify other providers of a principal’s
name registration:
- Single Sign-on/Federation
-
Select a profile for sending authentication requests:
-
Browser Post (specifies a browser-based HTTP POST
protocol)
-
Browser Artifact (specifies a non-browser SOAP-based
protocol)
-
LECP (specifies a Liberty-enabled Client Proxy)
Note –
Federation Manager can handle requests that come from a Liberty-enabled
client proxy profile, but it requires additional configuration that
is beyond the scope of this manual.
-
Select any of the available authentication domains to
assign to the provider.
A provider can belong to one or
more authentication domains. However, a provider without a specified
authentication domain cannot participate in Liberty-based communications.
If no authentication domains have been created, this attribute can
be defined later.
-
Select the authentication context to be used if the identity
provider does not receive the information as part of a service provider
request.
This attribute maps the Liberty-defined authentication
context classes to authentication methods available at the identity
provider. This value also specifies the authentication context used
by the service provider when an unknown user tries to access a protected
resource.
- Supported
-
Select the check box next to the authentication context
class if the identity provider supports it.
- Context Reference
-
The Liberty-defined authentication context classes
are:
- Key
-
Choose the authentication type to which the context
is mapped.
- Value
-
Type the authentication option.
- Priority
-
Choose a priority level for cases where there are
multiple contexts.
-
Choose from the available Trusted Providers and add to
the entity.
The list contains configured entities that
have been populated with service providers.
-
Provide information for the Hosted Configuration attributes.
Hosted Configuration attributes define general information regarding
the provider hosted on the same machine as Federation Manager.
- Provider Alias
-
Type an alias name for the local identity provider.
- Authentication Type
-
Select the provider that should be used for authentication
requests from a provider hosted locally.
-
Remote specifies that the provider
hosted locally would contact a remote identity provider upon receiving
an authentication request.
-
Local specifies that the provider
hosted locally should contact a local identity provider upon receiving
an authentication request (essentially, itself).
- Default Authentication Context
-
Select the authentication context class (method of
authentication) to use if the identity provider does not receive this
information as part of a service provider request. This value also
specifies the authentication context used by the service provider
when an unknown user tries to access a protected resource. The options
are as follows:
- Identity Provider Forced Authentication
-
Select the check box to indicate that the identity
provider must reauthenticate the principal (even if the principal
has an existing session from a prior authentication) when an authentication
request is received from a remote service provider. This attribute
is enabled by default.
- Request Identity Provider to be Passive
-
Select the check box to specify that the identity
provider must not prompt a user for authentication credentials upon
receiving an authentication request from a remote service provider.
The default (unchecked) is to authenticate the user upon receiving
an authentication request.
- Organization DN
-
Type a value that points to the organization in which
this provider is configured. For example, /sp.
- Liberty Version URI
-
Type the URI of the version of the Liberty Alliance Project specification
being used. The default value is http://projectliberty.org/specs/v1.
- Name Identifier Implementation
-
This field defines the class used by a service provider
to participate in name registration. Name registration is a profile
by which service providers specify a principal’s name identifier
that an identity provider will use when communicating to the service
provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
- Home Page URL
-
Type the URL of the home page of the identity provider.
- Single Sign-on Failure Redirect URL
-
Type the URL to which a principal will be redirected
if single sign-on has failed.
- Assertion Issuer
-
Type the name of the host that issues the assertion.
This value might be the load balancer's host name if Federation Manager is behind
one.
- Generate Discovery Bootstrapping Resource Offering
-
Select the check box if you want a Discovery Service Resource
Offering to be generated during the Liberty-based single sign-on process
for bootstrapping purposes.
- Auto Federation
-
Select the check box to enable auto federation.
- Auto Federation Common Attribute Name
-
When creating an Auto Federation Attribute Statement,
the value of this attribute will be used. The statement will contain AutoFedAttribute as the attribute name and this common attribute
as the value.
- Attribute Statement Plugin
-
Specify a pluggable class used for adding attribute
statements to an assertion that is generated during the Liberty-based
single sign-on process.
- User Provider Implementation Class Name
-
Specifies a pluggable implementation to store and
retrieve the user attribute information from the user data store.
The default implementation of the com.sun.identity.federation.accountmgmt.FSUserProvider interface is the com.sun.identity.federation.accountmgmt.DefaultFSUserProvider class.
-
Provide information for the SAML Attributes.
SAML
Attributes define general information regarding SAML assertions that
are sent by the identity provider.
- Assertion Interval
-
Type the interval of time (in seconds) that an assertion
issued by the identity provider will remain valid. A principal will
remain authenticated until the assertion interval expires.
- Cleanup Interval
-
Type the interval of time (in seconds) before assertions
stored in the identity provider will be cleared.
- Artifact Timeout
-
Type the interval of time (in seconds) to specify
the timeout for assertion artifacts.
- Assertion Limit
-
Type a number to define how many assertions an identity
provider can issue, or how many assertions can be stored.
-
Provide values for the Organizations Profile attributes.
The Organizations Profile attributes provide basic information
that may be required when interacting with a principal. These attributes
are optional.
- Names
-
Type the complete legal name of the entity’s
organization. Use the format locale|organization-name. For example, en|organization-name.com.
Note –
If the Names attribute contains a value, you must also
add values to the Display Names and URL attributes.
- Display Names
-
Type a name that is suitable for display. Use the
format locale|organization-display-name. For example, en|organization-display-name.com.
- URL
-
Type a URL that can be used to direct a principal
to additional information on the entity's organization. Use the format locale|organization-URL.
For example, en|http://www.organization-name.com.
-
(Optional) To configure Contact Persons for the provider,
click New Contact Person.
See To Add a Contact Person to a Provider in a Provider Entity.
-
Continue modifying the entity by selecting another option
from the View menu or click Save to complete the configuration.
To Modify Remote Identity Provider Attributes
in a Provider Entity
After creating an entity and adding an identity provider, you
can edit the identity provider profile. In a provider entity, this
might entail adding metadata that was not available to configure when
originally adding the identity provider. The starting point is the
Entities configuration screen of the Federation module.
-
Click on the name of a configured provider entity to modify
its profile.
The entity's profile page is displayed.
-
Select Identity Provider from the View menu.
-
Modify values for the Common Attributes.
Common
Attributes contain values that generally define the identity provider
itself.
- Provider Type
-
The static value of this attribute defines whether
this is a hosted or remote provider.
- Description
-
This attribute contains the description provided when
you created the entity. You can modify the description originally
entered.
- Valid Until
-
Type the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Type the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
- Protocol Support Enumeration
-
Choose the protocol release supported by this entity.
- Server Name Identifier Mapping Binding
-
Name identifier mapping allows a service provider
to obtain a name identifier for a principal that has federated in
the namespace of a different service provider. Implementing this protocol
allows the requesting service provider to communicate with the second
service provider without an identity federation having been enabled.
Type a URI that identifies the communication specifications.
Note –
Currently, the Name Identifier Mapping profile only supports
SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
- Additional Meta Locations
-
Type a URL that points to other relevant metadata
concerning the provider.
- Signing Key: Key Alias
-
Type the key alias used to sign requests and responses.
- Encryption Key: Key Alias
-
Type the security certificate alias. Certificates
are stored in a Java keystore file. Each specific certificate is mapped
to an alias that is used to fetch the certificate.
- Encryption Key: Key Size
-
Type the length for keys used by the web service consumer
when interacting with another entity.
- Encryption Key: Encryption Method
-
Choose the method of encryption. The choices include:
- Name Identifier Encryption
-
Select the check box to enable encryption of the name
identifier.
-
Modify values for the Communication URLs attributes.
Communication URLs attributes contain locations for sending
transmissions to the service provider being configured.
- SOAP Endpoint
-
Type a URI to the identity provider’s SOAP message
receiver. This value communicates the location of the SOAP receiver
in non-browser communications.
- Single Sign-On Service URL
-
Type a URL to which service providers can send single
sign-on and federation requests.
- Single Logout Service
-
Type a URL to which service providers can send logout
requests. Single logout synchronizes the logout functionality across
all sessions authenticated by the identity provider.
- Single Logout Return
-
Type a URL to which the identity provider will redirect
the principal after completing a logout.
- Federation Termination Service
-
Type a URL to which a service provider will send federation
termination requests.
- Federation Termination Return
-
Type a URL to which the identity provider will redirect
the principal after completing federation termination.
- Name Registration Service
-
Type a URL to which a service provider will send requests
to specify the name identifier that will be used when communicating
with the identity provider about a principal. This service can only
be used after a federation session is established.
- Name Registration Return
-
Type a URL to which the identity provider will redirect
the principal after HTTP name registration has been completed.
-
Modify values in the Communication Profiles attributes.
Communication Profiles attributes define the transmission methods
used by the identity provider.
- Federation Termination
-
Select a profile to notify other providers of a principal’s
federation termination:
- Single Logout
-
Select a profile to notify other providers of a principal’s
logout:
-
HTTP Redirect
-
HTTP Get
-
SOAP
- Name Registration
-
Select a profile to notify other providers of a principal’s
name registration:
- Single Sign-on/Federation
-
Select a profile for sending authentication requests:
-
Browser Post (specifies a browser-based HTTP POST
protocol)
-
Browser Artifact (specifies a non-browser SOAP-based
protocol)
-
LECP (specifies a Liberty-enabled Client Proxy)
Note –
Federation Manager can handle requests that come from a Liberty-enabled
client proxy profile, but it requires additional configuration that
is beyond the scope of this manual.
-
Select any of the available authentication domains to
assign to the provider.
A provider can belong to one or
more authentication domains. However, a provider without a specified
authentication domain cannot participate in Liberty-based communications.
If no authentication domains have been created, this attribute can
be defined later.
-
Provide information for the Proxy Authentication Configuration
attributes.
Proxy Authentication Configuration attributes
define values for dynamic identity provider proxying.
- Enable Proxy Authentication
-
Select the check box to enable proxy authentication
for a service provider.
- Proxy Identity Providers List
-
Add a list of identity providers that can be used
for proxy authentication. The value is a URI defined as the provider's
identifier.
- Maximum Number of Proxies
-
Type the maximum number of identity providers that
can be proxied.
- Use Introduction Cookie for Proxying
-
Select the check box if you want introductions to
be used to find the proxying identity provider.
-
Provide values for the Organizations Profile attributes.
The Organizations Profile attributes provide basic information
that may be required when interacting with a principal. These attributes
are optional.
- Names
-
Type the complete legal name of the entity’s
organization. Use the format locale|organization-name. For example, en|organization-name.com.
Note –
If the Names attribute contains a value, it is required
to add values to the Display Names and URL attributes.
- Display Names
-
Type a name that is suitable for display. Use the
format locale|organization-display-name. For example, en|organization-display-name.com.
- URL
-
Type a URL that can be used to direct a principal
to additional information on the entity's organization. Use the format locale|organization-URL.
For example, en|http://www.organization-name.com.
-
(Optional) To configure Contact Persons for the provider,
click New Contact Person.
See To Add a Contact Person to a Provider in a Provider Entity.
-
Click Save to complete the configuration.
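The Common and Organizations Profile attributes above have fixed formats (a UTC Valid Until, a PnYnMnDTnHnMnS Cache Duration, locale|value organization fields, and a single permitted Name Identifier Mapping binding). The checker below, added here as an example and not part of Federation Manager, validates those formats and the rule that Names makes Display Names and URL mandatory; the dict keyed by console field labels and the 365/30-day approximation for years and months are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Valid Until must be UTC in the form yyyy-mm-ddThh:mm:ss.SZ (strptime's %f
# accepts the single fractional digit used in the console's example).
VALID_UNTIL_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Cache Duration uses the PnYnMnDTnHnMnS layout; every component is optional.
DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)

# The only binding the Name Identifier Mapping profile currently supports.
NIM_SP_HTTP = "http://projectliberty.org/profiles/nim-sp-http"


def parse_valid_until(value):
    """Return an aware UTC datetime; raises ValueError on a malformed value."""
    return datetime.strptime(value, VALID_UNTIL_FMT).replace(tzinfo=timezone.utc)


def cache_duration_seconds(value):
    """Convert PnYnMnDTnHnMnS to seconds.

    Years and months are approximated as 365 and 30 days (an assumption of
    this example): the result schedules a metadata refresh, it is not exact
    calendar arithmetic.
    """
    match = DURATION_RE.match(value)
    if not match or value in ("P", "PT"):
        raise ValueError("bad Cache Duration %r" % value)
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in match.groups())
    return (((y * 365 + mo * 30 + d) * 24 + h) * 60 + mi) * 60 + s


def parse_localized(value):
    """Split an Organizations Profile value of the form locale|text."""
    locale, sep, text = value.partition("|")
    if not sep or not locale or not text:
        raise ValueError("expected locale|value, got %r" % value)
    return locale, text


def check_common_attributes(attrs, now=None):
    """Return a list of findings (empty means the attributes look consistent).

    attrs is a plain dict keyed by the console's field labels, an assumption
    made for this example; Federation Manager keeps them in its own metadata.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    valid_until = None

    try:
        valid_until = parse_valid_until(attrs["Valid Until"])
        if valid_until <= now:
            findings.append("Valid Until has passed: the metadata is expired")
    except (KeyError, ValueError) as exc:
        findings.append("Valid Until unusable: %s" % exc)

    try:
        refresh = timedelta(seconds=cache_duration_seconds(attrs["Cache Duration"]))
        if valid_until and now + refresh > valid_until:
            findings.append("Cache Duration outlives Valid Until: consumers may "
                            "cache this metadata past its expiry")
    except (KeyError, ValueError) as exc:
        findings.append("Cache Duration unusable: %s" % exc)

    binding = attrs.get("Server Name Identifier Mapping Binding")
    if binding and binding != NIM_SP_HTTP:
        findings.append("Name Identifier Mapping binding must be %s" % NIM_SP_HTTP)

    # Names is optional, but once set, Display Names and URL become mandatory.
    if attrs.get("Names"):
        for label in ("Names", "Display Names", "URL"):
            try:
                parse_localized(attrs.get(label, ""))
            except ValueError as exc:
                findings.append("%s: %s" % (label, exc))
    return findings


if __name__ == "__main__":
    # Constructed sample built from the console's own example values.
    sample = {
        "Valid Until": "2004-12-31T12:30:00.0Z",
        "Cache Duration": "P1Y2M4DT9H8M20S",
        "Names": "en|organization-name.com",
        "Display Names": "en|organization-display-name.com",
    }
    for finding in check_common_attributes(sample):
        print(finding)
```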
To Modify Hosted Service Provider Attributes in a Provider Entity
After creating an entity and adding a service provider, you
can edit the service provider profile. In a provider entity, this
might entail adding metadata that was not available to configure when
originally adding the service provider. The starting point is the
Entities configuration screen of the Federation module.
-
Click on the name of a configured provider entity to modify
its profile.
-
Select Service Provider from the View menu.
-
Modify values for the Common Attributes.
Common
Attributes contain values that generally define the identity provider
itself.
- Provider Type
-
The static value of this attribute defines whether
this is a hosted or remote provider.
- Description
-
This attribute contains the description provided when
you created the entity. You can modify the description originally
entered.
- Valid Until
-
Type the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Type the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
- Protocol Support Enumeration
-
Choose the protocol release supported by this entity.
- Server Name Identifier Mapping Binding
-
Name identifier mapping allows a service provider
to obtain a name identifier for a principal that has federated in
the namespace of a different service provider. Implementing this protocol
allows the requesting service provider to communicate with the second
service provider without an identity federation having been enabled.
Type a URI that identifies the communication specifications.
Note –
Currently, the Name Identifier Mapping profile only supports
SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
- Additional Meta Locations
-
Type a URL that points to other relevant metadata
concerning the provider.
- Signing Key: Key Alias
-
Type the key alias used to sign requests and responses.
- Encryption Key: Key Alias
-
Type the security certificate alias. Certificates
are stored in a Java keystore file. Each specific certificate is mapped
to an alias that is used to fetch the certificate.
- Encryption Key: Key Size
-
Type the length for keys used by the web service consumer
when interacting with another entity.
- Encryption Key: Encryption Method
-
Choose the method of encryption. The choices include:
- Name Identifier Encryption
-
Select the check box to enable encryption of the name
identifier.
-
Modify values for the Communication URLs attributes.
Communication URLs attributes contain locations for sending
transmissions to the service provider being configured.
- SOAP Endpoint
-
Type a URI to the identity provider’s SOAP message
receiver. This value communicates the location of the SOAP receiver
in non-browser communications.
- Single Logout Service
-
Type a URL to which service providers can send logout
requests. Single logout synchronizes the logout functionality across
all sessions authenticated by the identity provider.
- Single Logout Return
-
Type a URL to which the identity provider will redirect
the principal after completing a logout.
- Federation Termination Service
-
Type a URL to which a service provider will send federation
termination requests.
- Federation Termination Return
-
Type a URL to which the identity provider will redirect
the principal after completing federation termination.
- Name Registration Service
-
Type a URL to which a service provider will send requests
to specify the name identifier that will be used when communicating
with the identity provider about a principal. This service can only
be used after a federation session is established.
- Name Registration Return
-
Type a URL to which the identity provider will redirect
the principal after HTTP name registration has been completed.
-
Modify values for the Communication Profiles attributes.
Communication Profiles attributes define the transmission methods
used by the service provider.
- Federation Termination
-
Select a profile to notify other providers of a principal’s
federation termination:
- Single Logout
-
Select a profile to notify other providers of a principal’s
logout:
-
HTTP Redirect
-
HTTP Get
-
SOAP
- Name Registration
-
Select a profile to notify other providers of a principal’s
name registration:
- Single Sign-on/Federation
-
Select a profile for sending authentication requests:
-
Browser Post (specifies a browser-based HTTP POST
protocol)
-
Browser Artifact (specifies a non-browser SOAP-based
protocol)
-
LECP (specifies a Liberty-enabled Client Proxy)
Note –
Federation Manager can handle requests that come from a Liberty-enabled
client proxy profile, but it requires additional configuration that
is beyond the scope of this manual.
-
Select any of the available authentication domains to
assign to the provider.
A provider can belong to one or
more authentication domains. However, a provider without a specified
authentication domain cannot participate in Liberty-based communications.
If no authentication domains have been created, this attribute can
be defined later.
-
Type a positive number in the Level box for the challenge/response
protocol.
The number corresponds to the authentication
level defined for the particular authentication module. The user will
be redirected to a module with the defined authentication level.
-
Choose from the available Trusted Providers and add to
the entity.
The list contains configured entities that
have been populated with service providers.
-
Modify values for the Service Provider attributes.
Service Provider attributes define general information regarding
the service provider.
- Assertion Consumer URL
-
Type the URL of the endpoint that will receive all
SAML assertions.
- Assertion Consumer Service URL ID
-
If the value of the Protocol Support Enumeration common
attribute is urn:liberty:iff:2003-08, type the
required ID.
- Set Assertion Consumer Service URL as Default
-
Select the check box to use the Assertion Consumer
Service URL as the default value when no identifier is provided in
the request.
- Sign Authentication Request
-
Select the check box to make the service provider
always sign authentication requests.
- Name Registration after Federation
-
Select the check box to enable the service provider
to participate in name registration after a principal has been federated.
- Name ID Policy
-
Select the option permitting requester influence over
name identifier policy at the identity provider. The options include:
- None
-
The identity provider will return the name identifier(s)
corresponding to the federation that exists between the identity provider
and the requesting service provider or affiliation group for the principal.
If no such federation exists, an error will be returned.
- One-time
-
The identity provider will issue a temporary, one-time-use
identifier for the principal after federation.
- Federation
-
The identity provider may start a new identity federation
if one does not already exist for the principal.
- Enable Affiliation Federation
-
Select the check box to enable affiliation federation.
-
Modify values for the Hosted Configuration attributes.
Hosted Configuration attributes define general information regarding
the provider hosted on the same machine as Federation Manager.
- Provider Alias
-
Type an alias name for the local identity provider.
- Authentication Type
-
Select the provider that should be used for authentication
requests from a provider hosted locally.
-
Remote specifies that the provider
hosted locally would contact a remote identity provider upon receiving
an authentication request.
-
Local specifies that the provider
hosted locally should contact a local identity provider upon receiving
an authentication request (essentially, itself).
- Default Authentication Context
-
Select the authentication context class (method of
authentication) to use if the identity provider does not receive this
information as part of a service provider request. This value also
specifies the authentication context used by the service provider
when an unknown user tries to access a protected resource. The options
are as follows:
- Identity Provider Forced Authentication
-
Select the check box to indicate that the identity
provider must reauthenticate the principal (even if the principal
has an existing session from a prior authentication) when an authentication
request is received from a remote service provider. This attribute
is enabled by default.
- Request Identity Provider to be Passive
-
Select the check box to specify that the identity
provider must not prompt a user for authentication credentials upon
receiving an authentication request from a remote service provider.
The default (unchecked) is to authenticate the user upon receiving
an authentication request.
- Organization DN
-
Type the value of the organization's distinguished
name.
- Liberty Version URI
-
Type the URI of the version of the Liberty Alliance Project specification
being used. The default value is http://projectliberty.org/specs/v1.
- Name Identifier Implementation
-
This field defines the class used by a service provider
to participate in name registration. Name registration is a profile
by which service providers specify a principal’s name identifier
that an identity provider will use when communicating to the service
provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
- Home Page URL
-
Type the URL of the home page of the identity provider.
- Single Sign-on Failure Redirect URL
-
Type the URL to which a principal will be redirected
if single sign-on has failed.
- Auto Federation
-
Select the check box to enable auto federation.
- Auto Federation Common Attribute Name
-
When creating an Auto Federation Attribute Statement,
the value of this attribute will be used. The statement will contain AutoFedAttribute as the attribute name and this common attribute
as the value.
- Attribute Statement Plugin
-
Specify a pluggable class used for adding attribute
statements to an assertion that is generated during the Liberty-based
single sign-on process.
- User Provider Implementation Class Name
-
Specifies a pluggable implementation to store and
retrieve the user attribute information from the users data store.
The default implementation of the com.sun.identity.federation.accountmgmt.FSUserProvider interface is the com.sun.identity.federation.accountmgmt.DefaultFSUserProvider class.
- Service Provider Adapter Implementation Class Name
-
Specifies a pluggable implementation of the com.sun.identity.federation.plugins.FederationSPAdapter interface.
The implemented class allows applications to customize their actions
before and after invoking the federation protocols. For example, a
service provider may want to choose to redirect to a specific location
after single sign-on. There is no default implementation but the spi sample included with Federation Manager makes use
of the class.
- Configuration for Service Provider Adapter Implementation
-
Stores configuration information that may be used
to initialize the Service Provider Adapter Implementation Class Name.
The usage of this attribute is also demonstrated in the spi sample application.
-
Provide information for the Proxy Authentication Attributes.
Proxy Authentication Configuration attributes define values
for dynamic identity provider proxying.
- Enable Proxy Authentication
-
Select the check box to enable proxy authentication
for a service provider.
- Proxy Identity Providers List
-
Add a list of identity providers that can be used
for proxy authentication. The value is a URI defined as the provider's
identifier.
- Maximum Number of Proxies
-
Type the maximum number of identity providers that
can be proxied.
- Use Introduction Cookie for Proxying
-
Select the check box if you want introductions to
be used to find the proxying identity provider.
-
Provide information for the SAML Attributes.
SAML
Attributes define general information regarding SAML assertions sent
by the identity provider.
- Assertion Interval
-
Type the interval of time (in seconds) for which an
assertion issued by the identity provider will remain valid. A principal
will remain authenticated until the assertion interval expires.
- Cleanup Interval
-
Type the interval of time (in seconds) before assertions
stored in the identity provider will be cleared.
- Artifact Timeout
-
Type the interval of time (in seconds) to specify
the time out for assertion artifacts.
- Assertion Limit
-
Type a number to define the amount of assertions an
identity provider can issue, or the number of assertions that can
be stored.
-
Provide values for the Organizations Profile attributes.
The Organizations Profile attributes provide basic information
that may be required when interacting with a principal. These attributes
are optional.
- Names
-
Type the complete legal name of the entity’s
organization. Use the format locale|organization-name. For example, en|organization-name.com.
Note –
If the Names attribute contains a value, it is required
to add values to the Display Names and URL attributes.
- Display Names
-
Type a name that is suitable for display. Use the
format locale|organization-display-name. For example, en|organization-display-name.com.
- URL
-
Type a URL that can be used to direct a principal
to additional information on the entity's organization. Use the format locale|organization-URL.
For example, en|http://www.organization-name.com.
-
(Optional) To configure Contact Persons for the provider,
click New Contact Person.
See To Add a Contact Person to a Provider in a Provider Entity.
-
Click Save to complete the configuration.
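The four SAML Attributes above (Assertion Interval, Cleanup Interval, Artifact Timeout, Assertion Limit) only make sense together: the interval bounds how long an assertion is accepted, the artifact timeout bounds how long the handle to it can be redeemed, the limit caps what the identity provider holds, and the cleanup interval decides when expired entries are actually dropped. The store below is an added example modelling that interplay, not Federation Manager code; the class, the artifact format and the explicit `now` arguments are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Assertion:
    principal: str
    issued: float
    expires: float     # issued + Assertion Interval


class AssertionStore:
    """In-memory assertion and artifact store bounded by the four SAML Attributes.

    All times are seconds. `now` can be passed explicitly so behaviour is
    reproducible; that is an assumption of this example, not how Federation
    Manager keeps time.
    """

    def __init__(self, assertion_interval, cleanup_interval,
                 artifact_timeout, assertion_limit):
        self.assertion_interval = assertion_interval  # how long an assertion stays valid
        self.cleanup_interval = cleanup_interval      # how often expired entries are swept
        self.artifact_timeout = artifact_timeout      # how long an artifact may be resolved
        self.assertion_limit = assertion_limit        # most assertions held at one time
        self._assertions = {}   # assertion id -> Assertion
        self._artifacts = {}    # artifact -> (assertion id, artifact expiry)
        self._last_cleanup = 0.0

    def cleanup(self, now=None, force=False):
        """Sweep expired assertions and artifacts; return how many assertions were dropped.

        Without force=True the sweep runs at most once per Cleanup Interval.
        """
        now = time.time() if now is None else now
        if not force and now - self._last_cleanup < self.cleanup_interval:
            return 0
        self._last_cleanup = now
        dead = [aid for aid, a in self._assertions.items() if a.expires <= now]
        for aid in dead:
            del self._assertions[aid]
        stale = [art for art, (aid, exp) in self._artifacts.items()
                 if exp <= now or aid not in self._assertions]
        for art in stale:
            del self._artifacts[art]
        return len(dead)

    def issue(self, principal, now=None):
        """Issue an assertion for principal and return the artifact that references it."""
        now = time.time() if now is None else now
        self.cleanup(now)
        if len(self._assertions) >= self.assertion_limit:
            # Before refusing, force a sweep: a long Cleanup Interval paired with
            # a small Assertion Limit would otherwise starve issuance.
            self.cleanup(now, force=True)
        if len(self._assertions) >= self.assertion_limit:
            raise RuntimeError("Assertion Limit (%d) reached" % self.assertion_limit)
        aid = secrets.token_hex(16)
        self._assertions[aid] = Assertion(principal, now, now + self.assertion_interval)
        artifact = secrets.token_urlsafe(20)   # opaque, unguessable handle
        self._artifacts[artifact] = (aid, now + self.artifact_timeout)
        return artifact

    def resolve(self, artifact, now=None):
        """Exchange an artifact for its assertion exactly once.

        Returns None for an unknown or already used artifact, for one past its
        Artifact Timeout, and for one whose assertion has passed its interval.
        """
        now = time.time() if now is None else now
        entry = self._artifacts.pop(artifact, None)   # single use, even on failure
        if entry is None:
            return None
        aid, artifact_expires = entry
        if artifact_expires <= now:
            return None
        assertion = self._assertions.get(aid)
        if assertion is None or assertion.expires <= now:
            return None
        return assertion

    def count(self):
        """Assertions currently held (expired ones included until swept)."""
        return len(self._assertions)
```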
To Modify Remote Service Provider Attributes in a Provider Entity
After creating an entity and adding a service provider, you
can edit the service provider profile. In a provider entity, this
might entail adding metadata that was not available to configure when
originally adding the service provider. The starting point is the
Entity Descriptors screen under Federation.
-
Click on the name of a configured provider entity to modify
its profile.
The entity's profile page is displayed.
-
Select Service Provider from the View menu.
-
Modify values for the Common Attributes.
Common
Attributes contain values that generally define the identity provider
itself.
- Provider Type
-
The static value of this attribute defines whether
this is a hosted or remote provider.
- Description
-
This attribute contains the description provided when
you created the entity. You can modify the description originally
entered.
- Valid Until
-
Type the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Type the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
- Protocol Support Enumeration
-
Choose the protocol release supported by this entity.
- Server Name Identifier Mapping Binding
-
Name identifier mapping allows a service provider
to obtain a name identifier for a principal that has federated in
the namespace of a different service provider. Implementing this protocol
allows the requesting service provider to communicate with the second
service provider without an identity federation having been enabled.
Type a URI that identifies the communication specifications.
Note –
Currently, the Name Identifier Mapping profile only supports
SOAP. If this attribute is used, its value must be http://projectliberty.org/profiles/nim-sp-http.
- Additional Meta Locations
-
Type a URL that points to other relevant metadata
concerning the provider.
- Signing Key: Key Alias
-
Type the key alias used to sign requests and responses.
- Encryption Key: Key Alias
-
Type the security certificate alias. Certificates
are stored in a Java keystore file. Each specific certificate is mapped
to an alias that is used to fetch the certificate.
- Encryption Key: Key Size
-
Type the length for keys used by the web service consumer
when interacting with another entity.
- Encryption Key: Encryption Method
-
Choose the method of encryption. The choices include:
- Name Identifier Encryption
-
Select the check box to enable encryption of the name
identifier.
-
Modify values for the Communication URLs attributes.
Communication URLs attributes contain locations for sending
transmissions to the service provider being configured.
- SOAP Endpoint
-
Type a URI to the identity provider’s SOAP message
receiver. This value communicates the location of the SOAP receiver
in non-browser communications.
- Single Logout Service
-
Type a URL to which service providers can send logout
requests. Single logout synchronizes the logout functionality across
all sessions authenticated by the identity provider.
- Single Logout Return
-
Type a URL to which the identity provider will redirect
the principal after completing a logout.
- Federation Termination Service
-
Type a URL to which a service provider will send federation
termination requests.
- Federation Termination Return
-
Type a URL to which the identity provider will redirect
the principal after completing federation termination.
- Name Registration Service
-
Type a URL to which a service provider will send requests
to specify the name identifier that will be used when communicating
with the identity provider about a principal. This service can only
be used after a federation session is established.
- Name Registration Return
-
Type a URL to which the identity provider will redirect
the principal after HTTP name registration has been completed.
-
Modify values for the Communication Profiles attributes.
Communication Profiles attributes define the transmission methods
used by the service provider.
- Federation Termination
-
Select a profile to notify other providers of a principal’s
federation termination:
- Single Logout
-
Select a profile to notify other providers of a principal’s
logout:
-
HTTP Redirect
-
HTTP Get
-
SOAP
- Name Registration
-
Select a profile to notify other providers of a principal’s
name registration:
- Single Sign-on/Federation
-
Select a profile for sending authentication requests:
-
Browser Post (specifies a browser-based HTTP POST
protocol)
-
Browser Artifact (specifies a non-browser SOAP-based
protocol)
-
LECP (specifies a Liberty-enabled Client Proxy)
Note –
Federation Manager can handle requests that come from a Liberty-enabled
client proxy profile, but it requires additional configuration that
is beyond the scope of this manual.
-
Select any of the available authentication domains to
assign to the provider.
A provider can belong to one or
more authentication domains. However, a provider without a specified
authentication domain cannot participate in Liberty-based communications.
If no authentication domains have been created, this attribute can
be defined later.
-
Modify values for the Service Provider attributes.
Service Provider attributes define general information regarding
the service provider.
- Assertion Consumer URL
-
Type the URL of the endpoint that will receive all
SAML assertions.
- Assertion Consumer Service URL ID
-
If the value of the Protocol Support Enumeration common
attribute is urn:liberty:iff:2003-08, type the
required ID.
- Set Assertion Consumer Service URL as Default
-
Select the check box to use the Assertion Consumer
Service URL as the default value when no identifier is provided in
the request.
- Sign Authentication Request
-
Select the check box to make the service provider
always sign authentication requests.
- Name Registration after Federation
-
Select the check box to enable the service provider
to participate in name registration after a principal has been federated.
- Name ID Policy
-
Select the option permitting requester influence over
name identifier policy at the identity provider. The options include:
- None
-
The identity provider will return the name identifier(s)
corresponding to the federation that exists between the identity provider
and the requesting service provider or affiliation group for the principal.
If no such federation exists, an error will be returned.
- One-time
-
The identity provider will issue a temporary, one-time-use
identifier for the principal after federation.
- Federation
-
The identity provider may start a new identity federation
if one does not already exist for the principal.
- Enable Affiliation Federation
-
Select the check box to enable affiliation federation.
-
Provide information for the Proxy Authentication Attributes.
Proxy Authentication Configuration attributes define values
for dynamic identity provider proxying.
- Enable Proxy Authentication
-
Select the check box to enable proxy authentication
for a service provider.
- Proxy Identity Providers List
-
Add a list of identity providers that can be used
for proxy authentication. The value is a URI defined as the provider's
identifier.
- Maximum Number of Proxies
-
Type the maximum number of identity providers that
can be proxied.
- Use Introduction Cookie for Proxying
-
Select the check box if you want introductions to
be used to find the proxying identity provider.
-
Provide values for the Organizations Profile attributes.
The Organizations Profile attributes provide basic information
that may be required when interacting with a principal. These attributes
are optional.
- Names
-
Type the complete legal name of the entity’s
organization. Use the format locale|organization-name. For example, en|organization-name.com.
Note –
If the Names attribute contains a value, it is required
to add values to the Display Names and URL attributes.
- Display Names
-
Type a name that is suitable for display. Use the
format locale|organization-display-name. For example, en|organization-display-name.com.
- URL
-
Type a URL that can be used to direct a principal
to additional information on the entity's organization. Use the format locale|organization-URL.
For example, en|http://www.organization-name.com.
-
(Optional) To configure Contact Persons for the provider,
click New Contact Person.
See To Add a Contact Person to a Provider in a Provider Entity.
-
Click Save to complete the configuration.
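The Name ID Policy options above (None, One-time, Federation) together with Enable Affiliation Federation decide which name identifier an identity provider hands back, and in particular whether two requesters can link a principal's identifiers. The resolver below is an added example of that decision logic, not Federation Manager code; the federation table, the identifier prefixes and the provider IDs in the usage are assumptions of this example.

```python
import secrets


class NoFederationError(Exception):
    """Policy None was requested but no federation exists for the principal."""


class NameIdResolver:
    """Chooses the name identifier an identity provider returns for a request.

    Federations are keyed by (principal, requester). The requester is the
    service provider's ID, or its affiliation's ID when the request is made
    with Enable Affiliation Federation set, so members of one affiliation
    share a single federation. Identifier formats are assumptions of this example.
    """

    def __init__(self, affiliations=None):
        self._affiliations = dict(affiliations or {})  # service provider ID -> affiliation ID
        self._federations = {}   # (principal, requester) -> persistent name identifier

    def requester_for(self, sp, affiliation_federation):
        """Return the ID the federation is keyed on for this request."""
        if not affiliation_federation:
            return sp
        affiliation = self._affiliations.get(sp)
        if affiliation is None:
            raise ValueError("%s is not a member of any affiliation" % sp)
        return affiliation

    def resolve(self, principal, sp, policy, affiliation_federation=False):
        """Return the name identifier for principal under the given Name ID Policy."""
        key = (principal, self.requester_for(sp, affiliation_federation))
        existing = self._federations.get(key)
        if policy == "None":
            # Only an existing federation may be used; otherwise an error is returned.
            if existing is None:
                raise NoFederationError("no federation for %s with %s" % key)
            return existing
        if policy == "One-time":
            # Temporary identifier: nothing is stored, so later requests cannot be linked to it.
            return "onetime-" + secrets.token_hex(8)
        if policy == "Federation":
            # Start a federation if none exists; each requester gets its own pseudonym.
            if existing is None:
                existing = self._federations[key] = "fed-" + secrets.token_hex(8)
            return existing
        raise ValueError("unknown Name ID Policy %r" % policy)


if __name__ == "__main__":
    # Constructed provider IDs: sp1 and sp2 belong to one affiliation, sp3 does not.
    resolver = NameIdResolver({"https://sp1.example/": "https://aff.example/",
                               "https://sp2.example/": "https://aff.example/"})
    print(resolver.resolve("alice", "https://sp1.example/", "Federation"))
    print(resolver.resolve("alice", "https://sp3.example/", "Federation"))   # different pseudonym
    print(resolver.resolve("alice", "https://sp1.example/", "One-time"))
```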
To Add a Contact Person to a Provider in a Provider Entity
Information regarding a contact person for a particular service
provider or identity provider can be added to the provider's profile
in a provider entity. The starting point is the Entities configuration
screen in the Federation module.
-
Click on the name of a configured entity to modify its
profile.
The entity's profile page is displayed.
-
Select either Identity Provider or Service Provider from
the View menu.
-
Click New Contact Person under the Contact Persons attribute
group.
-
Provide values for the New Contact Person attributes.
- First Name
-
Type the given name of the entity’s contact
person.
- Last Name
-
Type the surname of the entity’s contact person.
- Type
-
Choose the type of contact from the drop-down menu:
-
Administrative
-
Billing
-
Technical
-
Other
- Company
-
Type the name of the company that employs this person.
- Liberty Principal ID
-
Type a URI that points to an online instance of the
contact person’s personal information profile.
- Emails
-
Type one or more email addresses for the contact person.
- Telephone Numbers
-
Type one or more telephone numbers for the contact
person.
-
Click OK to complete the Contact Person configuration.
-
Click Save on the Entity Profile page to complete the
entity configuration.
To Modify a Contact Person Profile in a Provider Entity
Information regarding a contact person for a particular service
provider or identity provider can be modified in the provider's profile
in a provider entity. The starting point is the Entities configuration
screen in the Federation module.
-
Click on the name of a configured entity to modify its
profile.
-
Select either Identity Provider or Service Provider from
the View menu.
-
Click on the name of a configured Contact Person to modify
its profile.
-
Provide new or modified values for the Contact Person
profile.
- First Name
-
Type the given name of the entity’s contact
person.
- Last Name
-
Type the surname of the entity’s contact person.
- Type
-
Choose the type of contact from the drop-down menu:
-
Administrative
-
Billing
-
Technical
-
Other
- Company
-
Type the name of the company that employs this person.
- Liberty Principal ID
-
Type a URI that points to an online instance of the
contact person’s personal information profile.
- Emails
-
Type one or more email addresses for the contact person.
- Telephone Numbers
-
Type one or more telephone numbers for the contact
person.
-
Click Save to complete the Contact Person configuration.
-
Click Save on the Entity Profile page to complete the
entity configuration.
To Create the Affiliation in an Affiliate Entity
After editing the General attributes of an affiliate entity,
you can create the affiliation. This might entail modifying the defined
Common attributes, or adding members to the affiliation. The starting
point is the Entity Descriptors screen under Federation.
-
Click on the name of a configured affiliate entity to
modify its profile.
The entity's profile page is displayed.
-
Select Affiliate from the View menu.
-
Modify values for the Common Attributes.
- Affiliate ID
-
Type a new value for the URL identifier of the affiliation,
if applicable. The value of this attribute is the name provided when
you created the entity.
- Affiliate Owner ID
-
Type a new value for the Provider ID of the owner
or parent operator of the affiliation. This value points to additional
affiliation metadata.
- Valid Until
-
Type the expiration date for the metadata pertaining
to the provider. Use Coordinated Universal Time (UTC) in the format yyyy-mm-ddThh:mm:ss.SZ. For
example, 2004-12-31T12:30:00.0Z.
- Cache Duration
-
Type the maximum amount of time the entity can be
cached. The value is defined in the format PnYnMnDTnHnMnS, where n is
an integer. For example, P1Y2M4DT9H8M20S defines
the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes,
and 20 seconds.
- Signing Key: Key Alias
-
Type the key alias used to sign requests and responses.
- Encryption Key: Key Alias
-
Type the security certificate alias. Certificates
are stored in a Java keystore file. Each specific certificate is mapped
to an alias that is used to fetch the certificate.
- Encryption Key: Key Size
-
Type the length for keys used by the web service consumer
when interacting with another entity.
- Encryption Key: Encryption Method
-
Choose the method of encryption. The choices include:
-
Add members to the affiliation from those available.
-
Click Save.
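The Valid Until and Cache Duration values above decide how long a partner's metadata may be relied on. The following added example (not Federation Manager code) parses both formats exactly as the page describes them and applies the check a consuming provider should make before trusting a cached copy; treating a year as 365 days and a month as 30 days is an assumption noted in the comments.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample values in the two formats the page describes.
VALID_UNTIL = "2004-12-31T12:30:00.0Z"
CACHE_DURATION = "P1Y2M4DT9H8M20S"

_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)

def parse_valid_until(value):
    """Parse yyyy-mm-ddThh:mm:ss.SZ into an aware UTC datetime; the trailing Z is required."""
    if not value.endswith("Z"):
        raise ValueError(f"validUntil must be UTC with a trailing Z: {value!r}")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):  # with or without .S
        try:
            return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad validUntil: {value!r}")

def parse_cache_duration(value):
    """Parse PnYnMnDTnHnMnS into whole seconds. Assumption: a year is 365 days and a
    month 30 days, which is close enough for a staleness check."""
    m = _DURATION_RE.match(value)
    if not m or value == "P" or value.endswith("T"):  # "P" and a dangling "T" carry no fields
        raise ValueError(f"bad cacheDuration: {value!r}")
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    days = g["y"] * 365 + g["mo"] * 30 + g["d"]
    return days * 86400 + g["h"] * 3600 + g["mi"] * 60 + g["s"]

def metadata_usable(valid_until, cache_duration, fetched_at, now):
    """Return (ok, reason). Provider metadata is refused once validUntil has passed,
    and a cached copy is refused once it is older than cacheDuration, whichever
    comes first. All four arguments use the page's yyyy-mm-ddThh:mm:ss.SZ format."""
    expires = parse_valid_until(valid_until)
    stale_at = parse_valid_until(fetched_at) + timedelta(seconds=parse_cache_duration(cache_duration))
    t = parse_valid_until(now)
    if t >= expires:
        return False, "validUntil has passed; the metadata must not be trusted"
    if t >= stale_at:
        return False, "cached copy is older than cacheDuration; refetch before use"
    return True, "usable until " + min(expires, stale_at).isoformat()
```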
Authentication Domains
An authentication domain is a federation
of any number of service providers (and at least one identity provider)
with whom principals can transact business in a secure and apparently
seamless environment. (An authentication domain is NOT a domain in
the domain name system sense of the word.) In Federation Manager, before creating
and populating an authentication domain, you create a grouping of
providers called an entity. Then, you configure
and save the authentication domain itself. Finally, to add an entity,
you edit the configured authentication domain.
Note –
For more information on entities, see Entities: Provider and Affiliate.
Authentication domains are configured using the Federation Manager Console
by selecting Authentication Domains under Federation. The following
tasks are associated with authentication domains:
Note –
The members of the domain must have previously established
a circle of trust based on the Liberty Alliance Project architecture
and operational agreements.
To Create a New Authentication Domain
Follow this procedure to create a new authentication domain.
The starting point is the Authentication Domains screen under Federation.
-
Click New to display the authentication domain attributes.
The New Authentication Domain profile page is displayed.
-
Type a name for the authentication domain.
-
(Optional) Type a description of the authentication domain
in the Description field.
-
(Optional) Type a value for the Writer Service URL.
The Writer Service URL specifies the location of the servlet
that writes the common domain cookie. Use the format http://common-domain-host:port/common/writer.
-
(Optional) Type a value for the Reader Service URL.
The Reader Service URL specifies the location of the servlet
that reads the common domain cookie. Use the format http://common-domain-host:port/common/transfer.
-
Choose Active or Inactive.
The default status
is Active. Choosing Inactive disables communication within the authentication
domain.
-
Click OK to complete the configuration.
The
new authentication domain is displayed on the Authentication Domains
screen.
To Modify an Authentication Domain Profile
Follow this procedure to edit the General attributes of an existing
authentication domain, or to add providers to it. (See To Add Providers to an Authentication Domain.)
The starting point is the Authentication Domains screen under Federation.
-
Select the name of a configured authentication domain
to modify its profile, or to add providers to it.
The
Authentication Domain Profile page is displayed.
-
Edit the values of the authentication domain's General
attributes.
- Name
-
Contains the name for the authentication domain. This
value is static.
- Description
-
Contains a description of the authentication domain.
- Writer Service URL
-
Specifies the location of the service that writes
the common domain cookie. Use the format http://common-domain-host:port/common/writer.
- Reader Service URL
-
Specifies the location of the service that reads the
common domain cookie. Use the format http://common-domain-host:port/common/transfer.
- Status
-
The default status is Active. Selecting Inactive disables
communication within the authentication domain.
-
Click Add to add providers to the authentication domain.
The Trusted Partner page is displayed with a list of available
provider entities.
-
Choose one or more available providers and click the Add
arrow to select them.
The list provided contains the names
of entities that have been created. These entities contain providers.
For more information, see To Add Providers to an Authentication Domain.
-
Click OK to save the providers to the authentication domain.
This will return you to the previous Authentication Domain Profile
screen.
-
Click Save to complete the operation.
To Add Providers to an Authentication Domain
Identity providers and service providers must first be configured
within entities before they are available to add to an authentication
domain. Once created and populated with providers, an entity (and
thus the providers) can be assigned to an authentication domain.
Note –
An entity cannot be assigned to an authentication domain
until it has been populated with provider(s).
For more information, see Entities: Provider and Affiliate.
-
Choose one or more available providers and click the Add
arrow to select them.
The list provided contains the names
of entities that have been created. These entities contain providers.
-
Click OK to save the providers to the authentication domain.
This will return you to the previous Authentication Domain Profile
screen.
-
Finish your configurations and click Save to complete
the operation.
To Delete an Authentication Domain Profile
Follow this procedure to delete an existing authentication domain.
The starting point is the Authentication Domains screen under Federation.
-
Check the box next to the name of the authentication domain
you want to delete.
-
Click Delete.
Deleting an authentication domain
does not delete the providers that belong to it.
Auto-Federation
The auto-federation feature in Federation Manager will automatically federate
a user's disparate provider accounts based on a common attribute.
This common attribute will be exchanged in a single sign-on assertion
so that the consuming service provider can identify the user and create
account federations. If auto-federation is enabled and it is deemed
that a user at provider A and a user at provider B have the same value
for the defined common attribute (for example, emailaddress),
the two accounts will be federated automatically without principal
interaction.
Note –
Auto-federating a principal's two distinct accounts at
two different providers requires each provider to have agreed to implement
support for this functionality beforehand.
To Enable Auto-Federation
Ensure that each local service provider and identity provider participating
in auto-federation is configured for it. Remote providers would not
be configured in your deployment.
-
In the Federation Manager Console, click the Federation tab.
-
Under Federation, select the Entities tab.
-
Select the name of a hosted provider entity to edit its
profile.
Whether an entity is configured to hold hosted
or remote providers is not information that is disclosed on this screen.
-
Select Identity Provider or Service Provider from the
View menu.
-
Select Hosted Configuration.
-
Enable Auto Federation by checking the box.
-
Type a value for the Auto Federation Common Attribute
Name attribute.
For example, enter emailaddress or userID. You should be sure that each participating user
profile (at both providers) has a value for this attribute.
-
Click Save to complete the configuration.
Bulk Federation
Federation Manager provides a script for federating user accounts in bulk.
It is called ambulkfed and is located in /FederationManager-base/SUNWam/bin. The script assumes
that the user database is LDAPv3-compliant.
Note –
The ambulkfed script is the primary
script for bulk federation. It uses two other Perl scripts, amGenerateLDIF.pl and amGenerateNI.pl, behind the scenes.
As input, ambulkfed takes a file that maps
the user distinguished name (DN) of the identity provider to the user
DN of the service provider. Each line of the file must place the mappings
in the following order and separated by a pipe (“|”): uid=spuser,dc=iplanet,dc=com | uid=idpuser,dc=iplanet,dc=com.
The script generates unique random identifiers for each mapping and
creates four files:
-
spnameidentifiers.txt
-
idpnameidentifiers.txt
-
spuserdata.ldif
-
idpuserdata.ldif
These files contain the data for bulk federation. The LDIFs
are used for instances of LDAPv3-compliant data stores. ambulkfed generates and loads the LDIF data based on its given provider
role. For example, it will load spuserdata.ldif because Federation Manager acts
as a service provider. The LDIFs will also be stored locally and can
be used with ldapmodify to load the data into a
remote provider. If the remote provider is not an instance of Federation Manager,
the generated text files spnameidentifiers.txt and idpnameidentifiers.txt can be used to generate federation
data based on the input needs of the provider.
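As an added illustration of the mapping-file format described above (this is not the ambulkfed script or its Perl helpers), the following Python reads the pipe-separated SP DN | IdP DN lines, refuses malformed lines and DNs that appear twice, and gives each mapping a fresh random name identifier per side. The skipping of comment and blank lines and the layout of the rendered name-identifier files are assumptions, not documented ambulkfed behaviour.

```python
import secrets

# Constructed mapping file in the order the page shows: SP user DN | IdP user DN.
SAMPLE_MAPPING = """\
uid=spuser,dc=iplanet,dc=com | uid=idpuser,dc=iplanet,dc=com
uid=alice,ou=people,dc=iplanet,dc=com|uid=alice-idp,ou=people,dc=iplanet,dc=com

# comment and blank lines are skipped here (an assumption, not documented ambulkfed behaviour)
"""

def _looks_like_dn(value):
    # Syntax check only: every RDN must be attr=value. It does not prove the entry exists.
    rdns = value.split(",")
    return bool(value) and all("=" in r and r.split("=", 1)[0].strip() for r in rdns)

def parse_mappings(text):
    """Return [(sp_dn, idp_dn), ...], refusing malformed lines and DNs mapped twice."""
    pairs, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 2 or not all(_looks_like_dn(p) for p in parts):
            raise ValueError(f"line {lineno}: expected 'sp-dn | idp-dn', got {raw!r}")
        if seen.intersection(parts):  # an account must not end up in two federations
            raise ValueError(f"line {lineno}: DN already mapped: {raw!r}")
        seen.update(parts)
        pairs.append(tuple(parts))
    return pairs

def assign_name_identifiers(pairs):
    """Attach one fresh, unguessable identifier per side to every mapping. Liberty name
    identifiers are opaque handles, so they come from a CSPRNG, never from the DN."""
    return [{"sp_dn": sp, "idp_dn": idp,
             "sp_nameid": secrets.token_urlsafe(24),
             "idp_nameid": secrets.token_urlsafe(24)} for sp, idp in pairs]

def render_nameid_file(records, side):
    """'dn|nameid' lines for one side ('sp' or 'idp'). This layout is an assumption; the
    real spnameidentifiers.txt / idpnameidentifiers.txt format is not given on the page."""
    return "".join(f"{r[side + '_dn']}|{r[side + '_nameid']}\n" for r in records)
```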