SAML 2.0 identity provider worksheet

If you are the identity provider in the federation and use SAML 2.0, record your configuration information in the following tables.

Table 1. Federation protocol
Federation protocol | Description | Your value

Federation name
  The name you want to give this federation. The name must not contain any ASCII control characters or special characters except hyphen and underscore.

Select the protocol for this federation:
  • OpenID Connect
  • SAML 2.0
  The protocol you want to use in the federation. In these instructions, use SAML 2.0.
Table 2. Template
Template | Description | Your value

Select the template:
  • Quick Connect
  • SAML 2.0
  Choose Quick Connect to quickly set up an identity provider federation using partner templates, which assist in establishing federations with well-known partners.
  Choose SAML 2.0 to use the full set of configuration options.
  The template cannot be changed after a federation is created.

 
Table 3. General information
General information | Description | Your value

Company name
  The name of the company that is creating this provider.

Provider ID
  A unique identifier that identifies the provider to its partner provider. The default value is point_of_contact_server_URL/federation_name/saml20.

Role
  Your role is either Identity Provider or Service Provider.
  An identity provider vouches for the identity of the end user. The identity provider authenticates the user and provides an authentication token to the service provider.
  A service provider provides a service to end users. In most cases, service providers do not authenticate users, but instead request authentication decisions from an identity provider. You cannot change the role after a federation is created.
  Your value: Identity provider
Table 4. Point of contact server
Point of contact server | Description | Your value

Point of contact server URL
  The endpoint URL of the point of contact server. The point of contact server is a reverse proxy server that is configured in front of the runtime listening interfaces. The format is
  http[s]://hostname[:portnumber]/[junction]/sps
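The federation name rule (Table 1), the point of contact URL format (Table 4) and the default Provider ID (Table 3) can be checked before the values are entered. The following is an added example, not code from the product or this worksheet; the hostnames and names in it are constructed, and it interprets the name rule as ASCII letters, digits, hyphen and underscore only, which is an assumption slightly stricter than the prose.

```python
import re

# Added example: validates the federation name rule and the point of contact
# URL format from the worksheet, then derives the default Provider ID.
# The hostnames and names used below are constructed, not from any deployment.

# Documented format: http[s]://hostname[:portnumber]/[junction]/sps
POC_URL_PATTERN = re.compile(
    r"^https?://"                                   # scheme
    r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"    # hostname
    r"(?::\d{1,5})?"                                # optional port
    r"(?:/[^/\s?#]+)*"                              # optional junction segment(s)
    r"/sps$"                                        # fixed /sps suffix, nothing after it
)


def federation_name_is_valid(name: str) -> bool:
    """Worksheet rule: no ASCII control characters and no special characters
    other than hyphen and underscore. Assumed here to mean ASCII letters,
    digits, '-' and '_' only, and the name must not be empty."""
    return bool(name) and re.fullmatch(r"[A-Za-z0-9_-]+", name) is not None


def poc_url_is_valid(url: str) -> bool:
    """Check a point of contact server URL against the documented format."""
    return POC_URL_PATTERN.match(url) is not None


def default_provider_id(poc_url: str, federation_name: str) -> str:
    """Default Provider ID: point_of_contact_server_URL/federation_name/saml20."""
    if not poc_url_is_valid(poc_url):
        raise ValueError(f"point of contact URL does not match the required format: {poc_url}")
    if not federation_name_is_valid(federation_name):
        raise ValueError(f"federation name contains disallowed characters: {federation_name!r}")
    return f"{poc_url}/{federation_name}/saml20"


if __name__ == "__main__":
    print(default_provider_id("https://idp.example.com:443/isam/sps", "partner_federation-1"))
```

The Provider ID is what partners see as your entity identifier, so deriving it from a validated point of contact URL avoids registering a value with a trailing slash, a stray junction segment or a scheme the partner will not accept.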
 
Table 5. Profile selection
Profile selection | Description | Your value

SAML 2.0 profile options:
  • Web Browser Single Sign-on
  • Name Identifier Management
  • Single Logout
  The profiles for your federation. The Web Browser Single Sign-on profile is selected by default and cannot be cleared.
  For more information about profiles, see SAML profiles.

 
Table 6. Single Sign-on settings
Settings | Description | Your value

Bindings (you can choose one or more binding options):
  • HTTP Artifact
  • HTTP POST
  • HTTP Redirect
  The choice of binding depends on the type of message sent. For example, an authentication request message can be sent from a service provider to an identity provider. The response message can be sent from an identity provider to a service provider by using either HTTP POST or HTTP Artifact.
  A pair of partners in a federation does not need to use the same binding.

The default NameID format
  The default format determines the processing rules for the NameID value if either of the following is true:
  • The Format attribute is not set
  • The Format attribute is set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  Choose one of the following formats:
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Amount of time, in seconds, before the issue date that an assertion is considered valid
  The number of seconds before an assertion's issue instant during which the assertion is already treated as valid (an allowance for clock differences between partners).

Amount of time, in seconds, that the assertion is valid after being issued
  The number of seconds after an assertion's issue instant for which the assertion remains valid.

Require consent to federate
  Requires the identity provider to present a page to the user verifying the federation request.

Enable ECP
  Select this check box to enable the ECP profile.

Add Session State Headers
  Add or delete a Session State Header. Multiple headers can be added. Specify the name of the Session State Header that you are adding in the field.

Require signature on incoming SAML assertions
  Specifies that you require your partner to sign SAML assertions. You will validate the signature on the incoming SAML assertions.

Require outgoing SAML authentication requests to be signed
  Specifies that you require your partner to validate the signature on SAML authentication requests. You will sign the outgoing SAML authentication requests.
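The binding rows above describe which transport carries a message, not how the message is packed into it. The following added example (not code from the product or this worksheet) shows the two browser-facing bindings side by side: HTTP Redirect deflates and Base64-encodes the XML into a query parameter, HTTP POST Base64-encodes it into a form field. The AuthnRequest, URLs and the 64 KiB decoding cap are constructed for the example.

```python
import base64
import zlib
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample AuthnRequest; IDs and URLs are placeholders, not a
# message captured from any real federation.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-request-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" '
    'Destination="https://idp.example.com/sps/fed/saml20/login">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com/sps/fed/saml20</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Upper bound on the decoded message size (constructed figure), so that a
# hostile DEFLATE stream cannot inflate without limit on the receiving side.
MAX_DECODED_BYTES = 64 * 1024


def redirect_binding_encode(xml: str, endpoint: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, Base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{endpoint}?{urlencode(params)}"


def redirect_binding_decode(url: str) -> str:
    """Reverse of redirect_binding_encode, with a cap on the inflated output."""
    query = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(deflated, MAX_DECODED_BYTES)
    if inflater.unconsumed_tail:  # input left over means the cap was hit
        raise ValueError("inflated SAMLRequest exceeds MAX_DECODED_BYTES")
    return xml.decode("utf-8")


def post_binding_encode(xml: str) -> Dict[str, str]:
    """HTTP-POST binding: the XML is Base64-encoded (no compression) into a form field."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}


def post_binding_decode(form: Dict[str, str]) -> str:
    """Reverse of post_binding_encode, refusing oversized payloads."""
    raw = base64.b64decode(form["SAMLRequest"])
    if len(raw) > MAX_DECODED_BYTES:
        raise ValueError("SAMLRequest exceeds MAX_DECODED_BYTES")
    return raw.decode("utf-8")


if __name__ == "__main__":
    url = redirect_binding_encode(SAMPLE_AUTHN_REQUEST, "https://idp.example.com/sps/fed/saml20/login", "state-1")
    print(url)
    print(redirect_binding_decode(url) == SAMPLE_AUTHN_REQUEST)
```

Responses use the same packing under the parameter name SAMLResponse. The size cap on decoding is the receiving side's concern regardless of which binding the partner chose, which is one reason partners need not agree on a binding: each side validates what it receives.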
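Two rows in Table 6 carry processing rules rather than simple switches: the default NameID format applies only when the Format attribute is absent or equals the 1.1 unspecified URI, and the two time settings define a validity window around the issue instant. The following added example (not product code) implements both rules over a constructed assertion; mapping the two time settings onto the Conditions NotBefore and NotOnOrAfter values is this example's assumption about how an identity provider would apply them.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample assertion: placeholder IDs and hosts, no Format attribute
# on the NameID, no signature.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
    '<saml:Issuer>https://idp.example.com/sps/fed/saml20</saml:Issuer>'
    '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)
# Same assertion with an explicit transient Format attribute.
SAMPLE_ASSERTION_TRANSIENT = SAMPLE_ASSERTION.replace(
    "<saml:NameID>", f'<saml:NameID Format="{TRANSIENT}">'
)


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC xs:dateTime form used in SAML attributes."""
    return datetime.strptime(value, SAML_TIME).replace(tzinfo=timezone.utc)


def format_saml_time(value: datetime) -> str:
    return value.astimezone(timezone.utc).strftime(SAML_TIME)


def effective_nameid_format(assertion_xml: str, default_format: str) -> str:
    """Worksheet rule: the default format governs when the Format attribute is
    missing or is the 1.1 'unspecified' URI; any other value stands as given."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        raise ValueError("assertion has no Subject/NameID")
    fmt = name_id.get("Format")
    if fmt is None or fmt == UNSPECIFIED:
        return default_format
    return fmt


def validity_window(issue_instant: datetime, seconds_before: int, seconds_after: int) -> Tuple[str, str]:
    """Assumed mapping of the two time settings onto Conditions:
    NotBefore = IssueInstant - seconds_before, NotOnOrAfter = IssueInstant + seconds_after."""
    not_before = issue_instant - timedelta(seconds=seconds_before)
    not_on_or_after = issue_instant + timedelta(seconds=seconds_after)
    return format_saml_time(not_before), format_saml_time(not_on_or_after)


def within_validity_window(now: datetime, not_before: str, not_on_or_after: str) -> bool:
    """NotBefore is inclusive, NotOnOrAfter is exclusive, as the attribute names say."""
    return parse_saml_time(not_before) <= now < parse_saml_time(not_on_or_after)


if __name__ == "__main__":
    print(effective_nameid_format(SAMPLE_ASSERTION, PERSISTENT))
    nb, noa = validity_window(parse_saml_time("2024-01-01T12:00:00Z"), 60, 600)
    print(nb, noa, within_validity_window(parse_saml_time("2024-01-01T12:05:00Z"), nb, noa))
```

Keeping the "before" allowance small matters on the receiving side: it is the only reason an assertion with a future issue instant is ever accepted, so it should cover real clock drift between partners and no more.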
Table 7. Name Identifier Management settings
Settings | Description | Your value

Bindings (you can choose one or more binding options):
  • HTTP Artifact
  • HTTP POST
  • HTTP Redirect
  • HTTP SOAP
  The choice of binding depends on the type of message sent. A pair of partners in a federation does not need to use the same binding.

Message signatures
  Select which outgoing SAML messages require a signature:
  • Name identifier management requests
  • Name identifier management responses
  Specifies whether you will sign the outgoing SAML name identifier management requests and responses.
Table 8. Single logout settings
Settings | Description | Your value

Bindings (you can choose one or more binding options):
  • HTTP Artifact
  • HTTP POST
  • HTTP Redirect
  • HTTP SOAP
  The choice of binding depends on the type of message sent. A pair of partners in a federation does not need to use the same binding.

Message signatures
  Select which outgoing SAML messages require a signature:
  • Single logout requests
  • Single logout responses
  Specifies whether you will sign the outgoing SAML logout requests and responses.

Exclude session index
  Select whether to exclude the session index from the single logout request.
  If this property is selected, the logout request message sent from this identity provider omits the session index. When the service provider receives this logout request, it logs out all the sessions for the current user. The identity provider logs out only the current user session locally.
  This setting is used on the identity provider only.

ResponseLocation (optional attribute)
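The "Exclude session index" row changes the scope of a logout at the partner: without a SessionIndex the service provider ends every session for that NameID, with one it ends only the matching session. The following added example (not product code) builds a LogoutRequest both ways and shows a service-provider-side handler applying that rule over a constructed session table.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(issuer: str, name_id: str, session_index: Optional[str],
                         exclude_session_index: bool) -> str:
    """Identity-provider side: emit a LogoutRequest, omitting SessionIndex when the
    'Exclude session index' setting is on. ID and IssueInstant are placeholders."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_constructed-logout-1", "Version": "2.0",
        "IssueInstant": "2024-01-01T12:00:00Z",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    if session_index is not None and not exclude_session_index:
        ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def sp_handle_logout(request_xml: str, sessions: Dict[str, Tuple[str, str]]) -> List[str]:
    """Service-provider side. sessions maps a local session id to
    (name_id, session_index). Returns the session ids terminated: all sessions
    for the NameID when no SessionIndex is present, otherwise only those whose
    index is listed."""
    root = ET.fromstring(request_xml)
    name_id = root.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in root.findall("samlp:SessionIndex", NS)}
    terminated: List[str] = []
    for sid, (sess_name_id, sess_index) in list(sessions.items()):
        if sess_name_id != name_id:
            continue
        if indexes and sess_index not in indexes:
            continue
        terminated.append(sid)
        del sessions[sid]
    return terminated


def constructed_sessions() -> Dict[str, Tuple[str, str]]:
    """A constructed SP session table for the example."""
    return {"s1": ("alice", "idx-1"), "s2": ("alice", "idx-2"), "s3": ("bob", "idx-3")}


if __name__ == "__main__":
    table = constructed_sessions()
    req = build_logout_request("https://idp.example.com/sps/fed/saml20", "alice", "idx-1", True)
    print(req)
    print(sp_handle_logout(req, table), sorted(table))
```

The trade-off the setting encodes is visible in the handler: excluding the index gives a cleaner global logout but also means a single logout request reaches every session the user holds at that partner, while the identity provider itself still ends only the current session.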
Table 9. Signature options
Signatures | Description | Your value

Certificate database
  Select the database where the signing certificate is stored.

Certificate label
  Name of the certificate to use for signing.

Include the following KeyInfo elements
  Determine which KeyInfo elements to include in the digital signature for a SAML message or assertion.
  • X509 certificate data: specify whether you want the Base64-encoded certificate data to be included with your signature. The default action is to include the X.509 certificate data.
  • X509 Subject Name: specify whether you want the subject name to be included with your signature. The default action is to exclude the X.509 subject name.
  • X509 Subject Key Identifier: specify whether you want the X.509 subject key identifier to be included with your signature. The default action is to exclude the subject key identifier.
  • X509 Subject Issuer Details: specify whether you want the issuer name and the certificate serial number to be included with your signature. The default action is to exclude the X.509 subject issuer details.
  • Public key: specify whether you want the public key to be included with your signature. The default action is to exclude the public key.
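The KeyInfo options decide what your partner sees inside your signatures; the mirror-image point for a receiver is that whatever a partner embeds in KeyInfo is a hint, and the certificate configured for the partner remains the trust anchor. The following added example (not product code, and not a signature verifier) parses a constructed signed message, reports which of the worksheet's KeyInfo elements are present, and selects the verification certificate, rejecting the message when the embedded certificate differs from the configured one. The certificate bytes are placeholders, not real certificates.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Child paths under ds:KeyInfo and the worksheet option each corresponds to.
KEYINFO_OPTIONS = {
    "X509Data/X509Certificate": "X509 certificate data",
    "X509Data/X509SubjectName": "X509 Subject Name",
    "X509Data/X509SKI": "X509 Subject Key Identifier",
    "X509Data/X509IssuerSerial": "X509 Subject Issuer Details",
    "KeyValue": "Public key",
}

# Constructed placeholders standing in for DER certificate bytes.
PARTNER_CERT_DER = b"constructed placeholder, not a real certificate"
PARTNER_CERT_B64 = base64.b64encode(PARTNER_CERT_DER).decode("ascii")
OTHER_CERT_DER = b"a different constructed placeholder"
OTHER_CERT_B64 = base64.b64encode(OTHER_CERT_DER).decode("ascii")

# Constructed signed Response: SignedInfo/SignatureValue are placeholders;
# only the KeyInfo content matters for this example.
SAMPLE_SIGNED_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed-response-1">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>'
    '<ds:KeyInfo><ds:X509Data>'
    f'<ds:X509Certificate>{PARTNER_CERT_B64}</ds:X509Certificate>'
    '<ds:X509SubjectName>CN=idp.example.com</ds:X509SubjectName>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>'
)


def _normalize_b64(text: str) -> bytes:
    """Decode Base64 that may be wrapped across lines, as certificates usually are."""
    return base64.b64decode("".join(text.split()))


def present_keyinfo_elements(signed_xml: str) -> List[str]:
    """List which of the worksheet's KeyInfo options the sender included."""
    root = ET.fromstring(signed_xml)
    key_info = root.find(".//ds:Signature/ds:KeyInfo", NS)
    if key_info is None:
        return []
    found = []
    for path, option in KEYINFO_OPTIONS.items():
        ns_path = "/".join(f"ds:{part}" for part in path.split("/"))
        if key_info.find(ns_path, NS) is not None:
            found.append(option)
    return found


def select_verification_certificate(signed_xml: str, configured_cert_b64: str) -> Optional[bytes]:
    """Return the configured partner certificate (DER bytes) to verify with.
    An embedded X509Certificate is only cross-checked against it; a mismatch
    returns None, meaning the message should be rejected rather than verified
    with whatever key the sender supplied."""
    configured = _normalize_b64(configured_cert_b64)
    root = ET.fromstring(signed_xml)
    embedded = root.find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if embedded is not None and embedded.text and _normalize_b64(embedded.text) != configured:
        return None
    return configured


if __name__ == "__main__":
    print(present_keyinfo_elements(SAMPLE_SIGNED_RESPONSE))
    print(select_verification_certificate(SAMPLE_SIGNED_RESPONSE, PARTNER_CERT_B64) is not None)
```

Including the certificate data (the default in Table 9) lets a partner perform exactly this cross-check and gives operators a quick way to spot a rotated or wrong signing certificate in captured messages, without the partner ever needing to trust the embedded copy.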
 
Table 10. Encryption options
Encryption | Description | Your value

Certificate database
  Select the database where the encryption certificate is stored.

Certificate label
  Name of the certificate to use for encryption.
 
Table 11. SAML message settings
Message settings | Description | Your value

Message Lifetime in seconds
  An integer value specifying the length of time, in seconds, that a message is valid. The default value is 300.

Artifact Lifetime in seconds
  The length of time, in seconds, that an artifact is considered valid. This field is only valid when the HTTP Artifact binding has been enabled. The default value is 120.

Session Timeout in seconds
  The length of time, in seconds, that the session remains valid. The default value is 7200.

Message signatures
  Select which outgoing messages require a signature:
  • Artifact requests
  • Artifact responses
  Specifies whether you will sign the outgoing SAML artifact requests and responses.

Message issuer format
  Format attribute of the Issuer of the SAML message.

Message issuer name qualifier
  Name qualifier attribute of the Issuer of the SAML message.
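The message and artifact lifetimes in Table 11 are enforced by the receiving runtime, and an artifact has a second property the table does not spell out: it is resolved once. The following added example (not product code) is a minimal in-memory artifact store with the page's default lifetimes of 120 and 300 seconds, plus a message freshness check on IssueInstant; the artifact handle layout comment is from the SAML 2.0 bindings specification, and the store itself is constructed for the example.

```python
import base64
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

ARTIFACT_LIFETIME = 120   # seconds; default from Table 11
MESSAGE_LIFETIME = 300    # seconds; default from Table 11
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"


def utc(value: str) -> datetime:
    """Parse the UTC xs:dateTime form used in SAML IssueInstant attributes."""
    return datetime.strptime(value, SAML_TIME).replace(tzinfo=timezone.utc)


class ArtifactStore:
    """Artifact-issuer side of the HTTP Artifact binding: each artifact resolves
    exactly once and only within the configured lifetime of its issue time.
    Time is passed in explicitly so the behaviour is testable."""

    def __init__(self, lifetime_seconds: int = ARTIFACT_LIFETIME) -> None:
        self.lifetime = timedelta(seconds=lifetime_seconds)
        self._entries: Dict[str, Tuple[str, datetime]] = {}

    def issue(self, message_xml: str, now: datetime) -> str:
        # A SAML 2.0 type-4 artifact is TypeCode(2) + EndpointIndex(2) +
        # SourceID(20) + MessageHandle(20). Only the random handle carries
        # entropy, so this example uses a 20-byte handle as the artifact.
        artifact = base64.b64encode(secrets.token_bytes(20)).decode("ascii")
        self._entries[artifact] = (message_xml, now)
        return artifact

    def resolve(self, artifact: str, now: datetime) -> Optional[str]:
        """Return the stored message, or None if unknown, already used or expired."""
        entry = self._entries.pop(artifact, None)   # pop: single use, expired or not
        if entry is None:
            return None
        message, issued = entry
        if now - issued >= self.lifetime:
            return None
        return message

    def pending(self) -> int:
        return len(self._entries)


def message_is_fresh(issue_instant: str, now: datetime, lifetime_seconds: int = MESSAGE_LIFETIME) -> bool:
    """Message Lifetime check: accept only while now is within [IssueInstant, IssueInstant + lifetime).
    No allowance is made here for a future IssueInstant; adjust if partner clocks drift."""
    issued = utc(issue_instant)
    return issued <= now < issued + timedelta(seconds=lifetime_seconds)


if __name__ == "__main__":
    store = ArtifactStore()
    art = store.issue("<samlp:Response/>", utc("2024-01-01T12:00:00Z"))
    print(store.resolve(art, utc("2024-01-01T12:01:00Z")))   # the message
    print(store.resolve(art, utc("2024-01-01T12:01:01Z")))   # None: already used
    print(message_is_fresh("2024-01-01T12:00:00Z", utc("2024-01-01T12:04:59Z")))
```

A short artifact lifetime limits how long a captured artifact URL remains resolvable, and single use means a replayed resolution request fails even inside that window; the message lifetime then bounds how long the resolved message itself is accepted.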
Table 12. Access policy settings
Access Policy | Description | Your value

Enable access policy
  If you configure an identity provider, this setting specifies whether to enable access policy. If you enable access policy, you must select one of the policies that you defined.
  Note: If access policy is enabled on both the federation configuration and the partner configuration, the partner configuration takes effect.
 
Table 13. Identity mapping settings
Identity mapping | Description | Your value

Identity mapping options:
  • Use JavaScript transformation for identity mapping
  • Use an external web service for identity mapping
  If you configure an identity provider, this mapping specifies how to create an assertion that contains attributes that are mapped from a local user account.
  If you configure a service provider, this mapping specifies how to match an assertion from the partner to the local user accounts.
  If you choose JavaScript for mapping, on a subsequent panel you are asked to select the JavaScript file to use.
  If you choose an external web service, on a subsequent panel you are asked to provide the following information:
  • URI format (HTTP or HTTPS)
  • Web service URI
  • Server certificate database, if the URI format is HTTPS
  • Client authentication type, if the URI format is HTTPS
  • Message format: XML or WS-Trust
Table 14. SAML Message Extensions
Message Extensions | Description | Your value

SAML Message Extension options:
  • No message extensions (default)
  • Use JavaScript to add message extensions
  If you configure your federation with a message extension rule, every time a SAML message is written, the rule is invoked to gather any extensions that need to be included. The mapping rule is invoked with context information about the federation and partner, as well as the kind of message being sent.
  The mapping rule context is available in a variable named 'context'. For documentation on this object, see the on-box Javadoc for the class JSMessageExtensionContext.
  If JavaScript extensions are enabled, a subsequent dialog allows selection of the mapping rule.
  Traditional identity mapping rules with the category SAML_2_0 are filtered from the view, because identity mapping rules are not compatible with extension rules. A rule that contains information and examples is available out of the box.

After you complete the tables, continue with the instructions in Creating and modifying a federation.