SAML 2.0 identity provider worksheet
If you are the identity provider in the federation and use SAML 2.0, record your configuration information in the following tables.
Federation protocol | Description | Your value |
---|---|---|
Federation name | The name you want to give this federation. The name must not contain any ASCII control characters or special characters except hyphen and underscore. | |
Select the protocol for this federation | The protocol you want to use in the federation. In these instructions, use SAML 2.0. | SAML 2.0 |
Template | Description | Your value |
---|---|---|
Select the template | Choose Quick Connect to quickly set up an identity provider federation using partner templates that assist in establishing federations with well-known partners. Choose SAML 2.0 to use the full set of configuration options. The template cannot be changed after the federation is created. | |
General information | Description | Your value |
---|---|---|
Company name | The name of the company that is creating this provider. | |
Provider ID | A unique identifier that identifies the provider to its partner provider. The default value is point_of_contact_server_URL/federation_name/saml20. The partner uses this value to match the Issuer of your messages against its metadata, so do not change it after metadata has been exchanged. | |
Role | Your role is either Identity Provider or Service Provider. An identity provider vouches for the identity of the end user: it authenticates the user and provides an authentication token to the service provider. A service provider provides a service to end users; in most cases it does not authenticate users itself but requests authentication decisions from an identity provider. You cannot change the role after a federation is created. | Identity Provider |
Point of contact server | Description | Your value |
---|---|---|
Point of contact server URL | The endpoint URL of the point of contact server. The point of contact server is a reverse proxy server that is configured in front of the runtime listening interfaces. The format is | |
Profile selection | Description | Your value |
---|---|---|
SAML 2.0 profile options | The profiles for your federation. The Web Browser Single Sign-on profile is selected by default and cannot be cleared. For more information about profiles, see SAML profiles. | |
Single sign-on settings | Description | Your value |
---|---|---|
Bindings | You can choose one or more binding options. The choice of binding depends on the type of message sent. For example, an authentication request is sent from a service provider to an identity provider, and the response is sent from the identity provider to the service provider by using either HTTP POST or HTTP artifact. A pair of partners in a federation does not need to use the same binding. | |
The default NameID format | The default format determines the processing rules for the NameID value if one of the following items is true: | Choose one of the following formats: |
Amount of time, in seconds, before the issue date that an assertion is considered valid | The number of seconds before an assertion's issue instant from which the assertion is treated as valid. This sets the NotBefore condition earlier than IssueInstant so that a partner whose clock runs slightly behind yours does not reject a freshly issued assertion. Keep the value small; it widens the window in which a captured assertion can be replayed. | |
Amount of time, in seconds, that the assertion is valid after being issued | The number of seconds after the issue instant for which the assertion remains valid. This sets the NotOnOrAfter condition. | |
Require consent to federate | Requires the identity provider to present a page to the user verifying the federation request. | |
Enable ECP | Select this check box to enable the Enhanced Client or Proxy (ECP) profile. | |
Add Session State Headers | Add or delete a Session State Header. Multiple headers can be added. | Specify the name of each Session State Header that you are adding. |
Require signature on incoming SAML authentication requests | Specifies that you require your partner to sign SAML authentication requests. You will validate the signature on the incoming SAML authentication requests. | |
Sign outgoing SAML assertions | Specifies that your partner requires the SAML assertions you issue to be signed. You will sign the outgoing SAML assertions; without a signature the service provider cannot verify the assertion's origin beyond the transport it arrived on, so leave this enabled. | |
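The two "Amount of time, in seconds" settings above fix the assertion's Conditions window relative to its IssueInstant, and the receiving service provider evaluates that window against its own clock. The following is an added example, not part of the original worksheet or of the product it describes; the provider IDs, the timestamp T0 and the 60-second defaults are constructed for the example, and signing is left out. It builds an assertion the way the identity provider would and then checks it as the service provider would, including the boundary where NotOnOrAfter is exclusive.

```python
"""Assertion validity window: how the identity provider derives the Conditions
element from the two "Amount of time, in seconds" settings, and how the
receiving service provider evaluates it. Standard library only."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed values for this example; they are not from the original page.
IDP = "https://idp.example.com/sps/idp/saml20"   # hypothetical identity provider ID
SP = "https://sp.example.com/sps/sp/saml20"      # hypothetical service provider ID
T0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def shift(seconds):
    """Clock reading `seconds` away from T0, used to simulate partner clock drift."""
    return T0 + timedelta(seconds=seconds)


def saml_time(dt):
    """SAML dateTime values are UTC, second precision, with a trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issuer, audience, name_id, issue_instant,
                    valid_before=60, valid_after=60):
    """Identity provider side.

    valid_before and valid_after stand for the worksheet's two "Amount of
    time, in seconds" settings: NotBefore = IssueInstant - valid_before and
    NotOnOrAfter = IssueInstant + valid_after. The 60-second defaults are
    chosen for this example. Signing is not shown here.
    """
    not_before = issue_instant - timedelta(seconds=valid_before)
    not_on_or_after = issue_instant + timedelta(seconds=valid_after)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" '
        f'IssueInstant="{saml_time(issue_instant)}">\n'
        f'  <saml:Issuer>{issuer}</saml:Issuer>\n'
        '  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f'{name_id}</saml:NameID></saml:Subject>\n'
        f'  <saml:Conditions NotBefore="{saml_time(not_before)}" '
        f'NotOnOrAfter="{saml_time(not_on_or_after)}">\n'
        f'    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction>\n'
        '  </saml:Conditions>\n'
        '</saml:Assertion>'
    )


def check_assertion(xml_text, now, expected_issuer, expected_audience):
    """Service provider side: return the reasons to reject; [] means accept.

    NotBefore is inclusive and NotOnOrAfter is exclusive (SAML Core 2.5.1.2),
    so the assertion is already rejected at exactly NotOnOrAfter. An assertion
    with no Conditions, or one that names a different audience, is rejected.
    """
    errors = []
    assertion = ET.fromstring(xml_text)
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        errors.append("unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return errors + ["no Conditions element"]
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now < parse_time(not_before):
        errors.append("assertion not yet valid")
    if not_on_or_after is not None and now >= parse_time(not_on_or_after):
        errors.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        errors.append("audience mismatch")
    return errors


if __name__ == "__main__":
    assertion = build_assertion(IDP, SP, "alice@example.com", T0)
    for drift in (-61, -59, 0, 59, 60):
        result = check_assertion(assertion, shift(drift), IDP, SP) or "accept"
        print(f"SP clock {drift:+d}s from IssueInstant: {result}")
```

The same shape of check applies to the Response message that carries the assertion: its IssueInstant plus the Message Lifetime from the Message settings table bounds how old a message may be when the point of contact server accepts it.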
Name identifier management settings | Description | Your value |
---|---|---|
Bindings | You can choose one or more binding options. The choice of binding depends on the type of message sent. A pair of partners in a federation does not need to use the same binding. | |
Message signatures | Select which outgoing SAML messages require a signature. Specifies whether you will sign the outgoing SAML name identifier management requests and responses. | |
Single logout settings | Description | Your value |
---|---|---|
Bindings | You can choose one or more binding options. The choice of binding depends on the type of message sent. A pair of partners in a federation does not need to use the same binding. | |
Message signatures | Select which outgoing SAML messages require a signature. Specifies whether you will sign the outgoing SAML logout requests and responses. | |
Exclude session index | Select whether to exclude the session index from the single logout request. If this property is selected, the logout request sent from this identity provider carries no SessionIndex. When the service provider receives such a request, it logs out all sessions of the current user, while the identity provider logs out only the current user session locally. This setting is used on the identity provider only. | |
Optional attribute: ResponseLocation | The ResponseLocation attribute of the single logout endpoint, for partners that receive logout responses at a different URL from logout requests. | |
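The Exclude session index row describes an asymmetry worth seeing on both sides of the wire: the identity provider decides whether to put a SessionIndex into the LogoutRequest, and the service provider's scope of logout follows from whether one is present. The following is an added example and is not code from the original worksheet or from the product it describes; the identity provider ID, the session store and the session index values are constructed for the example, and the request is neither signed nor bound to a transport.

```python
"""Single logout request with and without SessionIndex, showing the effect of
the "Exclude session index" setting on the service provider. Standard library only."""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP_NS, "saml": SAML_NS}

# Constructed values for this example; they are not from the original page.
IDP = "https://idp.example.com/sps/idp/saml20"   # hypothetical identity provider ID
# Hypothetical service provider session store: principal -> SessionIndex values
# established through earlier single sign-on exchanges.
SP_SESSIONS = {
    "alice@example.com": {"_sess_laptop", "_sess_phone"},
    "bob@example.com": {"_sess_desktop"},
}


def build_logout_request(issuer, name_id, session_index, exclude_session_index=False):
    """Identity provider side. With exclude_session_index=True the request
    carries no SessionIndex, which is what the worksheet setting produces."""
    index_xml = ""
    if not exclude_session_index:
        index_xml = f"\n  <samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_lr1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">\n'
        f'  <saml:Issuer>{issuer}</saml:Issuer>\n'
        '  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f'{name_id}</saml:NameID>{index_xml}\n'
        '</samlp:LogoutRequest>'
    )


def sessions_to_terminate(xml_text, session_store):
    """Service provider side: the SessionIndex values to end for the named
    principal. No SessionIndex in the request means every session of that
    principal; otherwise only the listed ones that actually exist. A request
    may legitimately carry more than one SessionIndex, so all are collected."""
    request = ET.fromstring(xml_text)
    name_id = request.findtext("saml:NameID", namespaces=NS)
    active = session_store.get(name_id, set())
    requested = [e.text for e in request.findall("samlp:SessionIndex", NS)]
    if not requested:
        return sorted(active)
    return sorted(s for s in requested if s in active)


if __name__ == "__main__":
    one = build_logout_request(IDP, "alice@example.com", "_sess_laptop")
    every = build_logout_request(IDP, "alice@example.com", "_sess_laptop",
                                 exclude_session_index=True)
    print("with SessionIndex:   ", sessions_to_terminate(one, SP_SESSIONS))
    print("without SessionIndex:", sessions_to_terminate(every, SP_SESSIONS))
```

Because a request without SessionIndex ends every session of the principal at the partner, a signature requirement on outgoing logout requests (the Message signatures row above) matters more when Exclude session index is selected: an unsigned, replayed request then logs the user out everywhere.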
Signatures | Description | Your value |
---|---|---|
Certificate database | Select the database where the signing certificate is stored. | |
Certificate label | Name of the certificate to use for signing. | |
Include the following KeyInfo elements | Determine which KeyInfo elements to include in the digital signature for a SAML message or assertion. | |
Encryption | Description | Your value |
---|---|---|
Certificate database | Select the database where the encryption certificate is stored. | |
Certificate label | Name of the certificate to use for encryption. | |
Message settings | Description | Your value |
---|---|---|
Message Lifetime in seconds | An integer value specifying the length of time, in seconds, that a message is valid. The default value is 300. | |
Artifact Lifetime in seconds | The length of time, in seconds, that an artifact is considered valid. This field applies only when the HTTP artifact binding has been enabled. The default value is 120. | |
Session Timeout in seconds | The length of time, in seconds, that the session remains valid. The default value is 7200. | |
Select which outgoing messages require a signature | Specifies whether you will sign the outgoing SAML artifact resolution requests and responses. | |
Message issuer format | Format attribute of the Issuer of the SAML message. | |
Message issuer name qualifier | NameQualifier attribute of the Issuer of the SAML message. | |
Access Policy | Description | Your value |
---|---|---|
Enable access policy | If you configure an identity provider, this setting specifies whether to enable access policy. If you enable access policy, you must select one of the policies that you defined. Note: If access policy is enabled on both the federation configuration and the partner configuration, the partner configuration takes effect. | |
Identity mapping | Description | Your value |
---|---|---|
Identity mapping options | If you configure an identity provider, this mapping specifies how to create an assertion that contains attributes mapped from a local user account. If you configure a service provider, this mapping specifies how to match an assertion from the partner to the local user accounts. If you choose JavaScript for mapping, on a subsequent panel you are asked to select the JavaScript file to use. If you choose an external web service, on a subsequent panel you are asked to provide the following information: | |
Message Extensions | Description | Your value |
---|---|---|
SAML Message Extension options | If you configure your federation with a message extension rule, every time a SAML message is written the rule is invoked to gather any extensions that need to be included. The rule is invoked with context information about the federation and the partner, as well as the kind of message being sent. This context is available to the rule in a variable named context; for documentation on that object, see the Javadoc shipped with the product for the class JSMessageExtensionContext. If JavaScript extensions are enabled, a subsequent dialog allows selection of the mapping rule. Identity mapping rules with the category SAML_2_0 are filtered from the view, because identity mapping rules are not compatible with extension rules. A rule that contains information and examples is available out of the box. | |
After you complete the tables, continue with the instructions in Creating and modifying a federation.