WS-Federation federation properties
To configure a WS-Federation federation, you must specify values for a set of properties.
The properties in this list describe the inputs that you must provide when you use the LMI wizard to configure a federation. Most properties are specified for both identity provider and service provider federations. The exceptions are described below.
- Identity provider only
  - Amount of time, in seconds, before the issue date that an assertion is considered valid
  - Amount of time, in seconds, that the assertion is valid before being issued
- Service provider only
  - Enable one-time assertion use enforcement
Federation properties descriptions
- Federation name
- The name that you want to give this federation.
The name must not contain any ASCII control characters or special characters except hyphen and underscore.
- Select the protocol for this federation
- WS-Federation
- Select the template
- Choose SharePoint to quickly set up an identity provider federation to work with partner templates that can assist with the establishment of federations to SharePoint partners.
Choose WS-Federation to use the full set of configuration options.
- Company name
- The name of the company that is creating this provider.
- Role
- Your role is either Identity Provider or Service Provider.
An identity provider vouches for the identity of the user. The Identity Provider authenticates the user and provides an authentication token to the service provider.
A service provider provides a service to users. In most cases, service providers do not authenticate users, but instead request authentication decisions from an identity provider. You cannot change the role after a federation is created.
Note: When you use the SharePoint template, the Role field is not displayed because the Identity Provider role is automatically set. SharePoint deployments do not use Service Provider federations.
- Point of contact server URL
- The endpoint URL of the point of contact server. The point of contact server is a reverse proxy server that is configured in front of the runtime listening interfaces. The format is:
http[s]://hostname[:portnumber]/[junction]/sps
For example, https://test.com/isam/sps. To view your reverse proxy configuration, see Reverse proxy instance management.
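The two input rules above (the federation name restriction and the point of contact URL format) are the ones most often mistyped when a federation is scripted rather than created through the wizard. The following is an added example, not IBM's code, that pre-checks both before submitting them. It assumes that "special characters" in the name rule means anything other than letters, digits, hyphen and underscore, and that `[junction]` may be empty or span several path segments; both readings are assumptions, not statements from the page.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Federation name rule from the page: no ASCII control characters and no special
# characters other than hyphen and underscore. Assumption: "special characters"
# means anything outside letters, digits, '-' and '_', so spaces are rejected too.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def valid_federation_name(name: str) -> bool:
    """Return True when the name satisfies the documented federation name rule."""
    if not name:
        return False
    # Reject ASCII control characters (0x00-0x1F and DEL) explicitly.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    return bool(_NAME_RE.match(name))


def parse_point_of_contact_url(url: str) -> Optional[dict]:
    """Parse http[s]://hostname[:portnumber]/[junction]/sps into its parts.

    Returns None when the URL does not have the documented shape. Assumption:
    the junction may be absent or consist of several path segments, and a query
    string or fragment is never part of a point of contact URL.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    segments = [s for s in parts.path.split("/") if s]
    # The path must end in the "sps" endpoint; everything before it is the junction.
    if not segments or segments[-1] != "sps":
        return None
    return {
        "scheme": parts.scheme,
        "hostname": parts.hostname,
        "port": port,          # None when the URL uses the scheme's default port
        "junction": "/".join(segments[:-1]),  # "" when there is no junction
    }


if __name__ == "__main__":
    # The page's own example URL and a constructed bad name.
    print(parse_point_of_contact_url("https://test.com/isam/sps"))
    print(valid_federation_name("sharepoint idp"))
```

Running the check before creating the federation gives a clearer error than a wizard rejection, and the parsed `junction` value is what you compare against the reverse proxy junction list when the endpoint does not respond.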
- Enable one-time assertion use enforcement
- Service provider configuration only.
Specifies whether to use the assertion or token only one time. You can select or clear this option.
- Amount of time, in seconds, before the issue date that an assertion is considered valid
- Identity provider configuration only.
An integer value that specifies the number of seconds before the assertion's issue date during which the assertion is already considered valid. The default value is 300 seconds. There is no minimum or maximum enforced.
- Amount of time, in seconds, that the assertion is valid before being issued
- Identity provider configuration only.
An integer value that specifies the number of seconds that the assertion remains valid. The default value is 300 seconds.
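The two timing properties set on the identity provider and the one-time use option set on the service provider work together: the identity provider stamps a validity window around the issue instant, and the service provider rejects anything outside that window and, when enforcement is on, anything it has already consumed. The following is an added example, not IBM's code, that models that division of responsibility with the page's defaults of 300 seconds on each side. The `Assertion` class, the function names and the sample identifiers are constructed for illustration; they are not WS-Federation or product APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Defaults from the page: 300 seconds before the issue date, 300 seconds valid.
DEFAULT_SECONDS_BEFORE_ISSUE = 300
DEFAULT_SECONDS_VALID = 300


@dataclass(frozen=True)
class Assertion:
    """Constructed stand-in for the timing-relevant fields of an issued assertion."""
    assertion_id: str
    issue_instant: datetime
    not_before: datetime
    not_on_or_after: datetime


def issue_assertion(assertion_id, issue_instant,
                    seconds_before_issue=DEFAULT_SECONDS_BEFORE_ISSUE,
                    seconds_valid=DEFAULT_SECONDS_VALID):
    """Identity provider side: derive the validity window from the two properties."""
    return Assertion(
        assertion_id=assertion_id,
        issue_instant=issue_instant,
        not_before=issue_instant - timedelta(seconds=seconds_before_issue),
        not_on_or_after=issue_instant + timedelta(seconds=seconds_valid),
    )


class ServiceProviderValidator:
    """Service provider side: window check plus optional one-time use enforcement."""

    def __init__(self, enforce_one_time_use=True):
        self.enforce_one_time_use = enforce_one_time_use
        # assertion_id -> not_on_or_after; an ID only needs to be remembered
        # until the assertion would be rejected as expired anyway.
        self._seen = {}

    def validate(self, assertion, now):
        # Prune replay-cache entries whose window has closed so the cache stays bounded.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if now < assertion.not_before:
            return "rejected: not yet valid"
        if now >= assertion.not_on_or_after:
            return "rejected: expired"
        if self.enforce_one_time_use:
            if assertion.assertion_id in self._seen:
                return "rejected: already used"
            self._seen[assertion.assertion_id] = assertion.not_on_or_after
        return "accepted"


def demo():
    """Constructed scenario: one assertion presented three times at different clocks."""
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    assertion = issue_assertion("_constructed-assertion-1", issued)
    sp = ServiceProviderValidator(enforce_one_time_use=True)
    return [
        sp.validate(assertion, issued - timedelta(seconds=100)),  # SP clock behind IdP
        sp.validate(assertion, issued + timedelta(seconds=10)),   # second presentation
        sp.validate(assertion, issued + timedelta(seconds=300)),  # window closed
    ]


if __name__ == "__main__":
    print(demo())
```

The first presentation succeeds even though the service provider's clock is 100 seconds behind the issue instant, which is exactly what the "before the issue date" property is for; the second is refused as a replay because enforcement is on; the third is refused as expired. Pruning the replay cache at `not_on_or_after` is safe because any later copy of that assertion fails the window check before the one-time check is reached.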
- Identity mapping
- Identity mapping options
If you configure an identity provider, this mapping specifies how to create an assertion that contains attributes that are mapped from a local user account.
- Do not perform identity mapping
- Use JavaScript transformation for identity mapping
- Use an external web service for identity mapping
If you configure a service provider, this mapping specifies how to match an assertion from the partner to the local user accounts.
If you choose JavaScript for mapping, on a subsequent page, you are asked to select the JavaScript file to use.
If you choose an external web service, on a subsequent page, you are asked to provide the following information:
- URI format (HTTP or HTTPS)
- Web service URI
- Server Certificate database, if the URI format is HTTPS.
- Client authentication type, if the URI format is HTTPS.
- Message format:
- XML
- WS-Trust