WS-Federation partner properties
To configure a WS-Federation federation partner, specify values for a set of properties.
The properties in this list describe the inputs that we provide when we use the LMI wizard to configure a partner for a WS-Federation federation. The list consists of three sections:
- Common properties used by both identity provider and service provider partners
- Properties used by only the identity provider partner
- Properties used by only the service provider partner
Be sure to review both the common properties section and the section for your type of partner.
Common properties for both identity provider partners and service provider partners
- Federation name
- The name of the federation to which we are adding the partner.
- Enabled
- Whether to enable the partner. Select or clear.
- Connection Template
- Displays the type of template used. The partner wizard automatically detects which template (default or SharePoint) was used to create the federation, and uses the same template to create the partner. The field is read-only.
- The name of the WS-Federation realm for this partner
- The name of the WS-Federation Realm. This name is the unique identifier for this instance of Security Verify Access. The Realm name is included in assertions that are sent to federation partners. Partners rely on finding a known (defined) Realm name to accept the assertions.
To determine the Realm name, use the local management interface to view the federation configuration. Select Federation > Manage > Federations, select your federation, and click Edit. On the Point of Contact Server pane, make note of the Realm value the wizard displays, and click Cancel to exit the wizard. For information, see Create and modify a federation.
The Realm name is generated from the point of contact server value. For example, if the point of contact server URL is https://test.com/isam/sps then the realm is set as:
https://test.com/isam/sps/wsfed/wsf
In the example above, the string wsfed is the name of the federation.
- The name of the WS-Federation endpoint for this partner
- The endpoint for all requests for WS-Federation services. The endpoint is generated from the point of contact server URL value.
To determine the WS-Federation endpoint name, use the local management interface to view the federation configuration. Select Federation > Manage > Federations, select the federation, and click Edit. On the Point of Contact Server pane, make note of the Endpoint value the wizard displays, and click Cancel to exit the wizard. For information, see Create and modify a federation.
For example, if the point of contact server URL is https://test.com/isam/sps then the endpoint is set to:
https://test.com/isam/sps/wsfed/wsf
In the example above, the string wsfed is the name of the federation.
- Maximum request lifetime (in milliseconds)
- Time, in milliseconds, that the request is valid. A value of -1 means the request lifetime has no limit.
- Partner role
- Identity Provider or Service Provider. The partner role is read-only and is the opposite of the federation role. SharePoint partners must be service providers because all SharePoint federations are identity provider federations.
- Identity mapping options
- Use the identity mapping configured for this partner's federation.
- Do not perform identity mapping.
- Use JavaScript transformation for identity mapping.
- Use an external web service for identity mapping.
The type of identity mapping to use with this partner. We can use the identity mapping configured for this partner's federation, or override it with one of the other options.
If we choose JavaScript for mapping, on a subsequent page we are asked to select the JavaScript file to use.
If we choose an external web service, on a subsequent page we are asked to provide the following information:
- URI format (HTTP or HTTPS)
- Web service URI
- Server Certificate database, if the URI format is HTTPS.
- Client authentication type, if the URI format is HTTPS.
- Message format:
- XML
- WS-Trust
Properties for only the identity provider partner
- Create multiple attribute statements in the Universal User
- Identity provider partner only.
Select or clear. Select this check box to keep multiple attribute statements in the groups they were received in. This option might be necessary if your custom identity mapping rules are written to operate on one or more specific groups of attribute statements. If this check box is not selected, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUser document.
- Enable signature validation
- Identity provider partner only.
Enable or disable validation of signatures in the token module. Select or clear.
- Use the keystore alias to find the public key for signature validation
- Identity provider partner only.
Locates the public key for signature validation by its keystore alias. This is the default. Requires a certificate database and a certificate label.
- Certificate database
- Identity provider partner only.
This property is displayed if we choose to use the keystore alias. Certificate database to use for validation.
- Certificate label
- Identity provider partner only.
This property is displayed if we choose to use the keystore alias. Certificate label for validation.
- Use the KeyInfo of the XML signature to find the X509 Certificate for signature validation
- Identity provider partner only.
Determines the appropriate certificate for signature validation. When we select this option, provide the subject distinguished name matching the certificate.
- Regexp
- Identity provider partner only.
Regular expression to validate the subject distinguished name that is returned in the KeyInfo.
Properties for only the service provider partner
- Include the following attribute types in the SAML assertions (a "*" means include all types)
- Service provider partner only.
Types of attributes to be inserted during token creation. The attributes consist of information about the identity (user). Use && to separate attribute types. By default, all types are supported, as indicated by the asterisk (*) wildcard character. For example, to add user-defined attribute types type1 and type2, enter:
type1&&type2
- Subject confirmation method
- Service provider partner only.
Subject confirmation method for the assertion. We can select one confirmation method, or choose No Subject Confirmation Method. If we select the holder-of-key type, the default includes the X.509 Certificate Data in the KeyInfo for the SubjectConfirmationMethod. STSUniversalUser can provide the data for the subject confirmation method KeyInfo. The data can also be extracted from the signed request data. Valid values:
- No Subject Confirmation Method
- urn:oasis:names:tc:SAML:1.0:bearer
- urn:oasis:names:tc:SAML:1.0:holder-of-key
- urn:oasis:names:tc:SAML:1.0:sender-vouches
- Sign SAML assertions
- Service provider partner only.
Select if SAML assertions must be signed.
- Certificate database
- Service provider partner only.
Select the database where the signing certificate is stored.
- Certificate label
- Service provider partner only.
Name of the certificate to use for signing.
- Include the following KeyInfo elements
- Service provider partner only.
Determines what KeyInfo elements to include in the digital signature for a SAML message or assertion. Select one or more of the following elements.
- X509 certificate data
- Specify whether we want the Base64-encoded certificate data to be included with your signature. The default action is to include the X.509 certificate data.
- X509 Subject Name
- Specify whether we want the subject name to be included with your signature. The default action is to exclude the X.509 subject name.
- X509 Subject Key Identifier
- Specify whether we want the X.509 subject key identifier to be included with your signature. The default action is to exclude the subject key identifier.
- X509 Subject Issuer Details
- Specify whether we want the issuer name and the certificate serial number to be included with your signature. The default action is to exclude the X.509 subject issuer details.
- Public key
- Specify whether we want the public key to be included with your signature. The default action is to exclude the public key. If we do not select any of the KeyInfo elements, X.509 certificate data is still included in the signature by default.
- Use Inclusive Namespaces
- Service provider partner only.
Whether to use the InclusiveNamespaces construct, which means employing exclusive XML canonicalization for greater standardization. The default is cleared.
- Signature algorithm for signing SAML assertions
- Service provider partner only.
Signature algorithm to use to sign the SAML assertion.
- RSA-SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1
- RSA-SHA256: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- RSA-SHA512: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
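The following added example (not code from Security Verify Access or this page) shows what the identity-provider-side Regexp property and the signature algorithm URIs listed above amount to when checked against an inbound assertion's ds:Signature: the X509SubjectName from the KeyInfo is matched against the configured regular expression, and the SignatureMethod URI is mapped to one of the three algorithm names. The ds:Signature fragment is constructed, and the example assumes a full-string regexp match; the page does not state which matching semantics the product applies.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# The three signature algorithm URIs named in the partner properties.
SIGNATURE_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA-SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "RSA-SHA512",
}

# Constructed sample: the ds:Signature of an inbound SAML assertion whose
# KeyInfo carries the X509 Subject Name element described on this page.
SAMPLE_SIGNATURE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo>
  <ds:SignatureValue>BASE64-SIGNATURE-PLACEHOLDER</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509SubjectName>CN=idp.example.com,OU=Federation,O=Example Corp,C=US</ds:X509SubjectName>
    </ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>"""


def signature_algorithm(signature_xml):
    """Return the SignatureMethod Algorithm URI, or None if absent."""
    root = ET.fromstring(signature_xml)
    method = root.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    return None if method is None else method.get("Algorithm")


def keyinfo_subject_name(signature_xml):
    """Return the X509SubjectName text from KeyInfo, or None if absent."""
    root = ET.fromstring(signature_xml)
    path = f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509SubjectName"
    subject = root.find(path)
    return None if subject is None or not subject.text else subject.text.strip()


def subject_matches(signature_xml, regexp):
    """Apply the Regexp property: the subject DN must match the whole pattern."""
    subject = keyinfo_subject_name(signature_xml)
    return subject is not None and re.fullmatch(regexp, subject) is not None


def check_inbound_signature(signature_xml, regexp):
    """Summarise the algorithm in use and whether the signer's subject DN is accepted."""
    alg = signature_algorithm(signature_xml)
    return {"algorithm": SIGNATURE_ALGORITHMS.get(alg, "unknown"),
            "subject_ok": subject_matches(signature_xml, regexp)}
```

A signature whose subject DN fails the regexp, or whose algorithm is not one of the three listed, would be reported here and rejected by a validating partner.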
Parent topic: Create a WS-Federation partner