SAML 1.1 identity provider partner worksheet
If we use SAML 1.1 as a service provider, we add an identity provider partner to the federation. Some of the information can be supplied to us by the partner in a metadata file, or all of the information can be supplied manually.
Use the following worksheet to gather the necessary information from the partner. Modify this worksheet to reflect the specific information that we need from the partner. We must also ask the partner to complete the modified worksheet.
Select Federation (Description / Your value)
- Federation name: The name of the federation to which we are adding the partner.
Import metadata (Description / Your value)
- Configure the partner manually: Enter the information of the partner manually in the subsequent windows. See Table 3. If Configure the partner manually is selected in the Create New Partner window and the Next button is clicked, the user cannot go back and change the option for adding a new partner. To recover, cancel the wizard and start again.
- Metadata file: The name and path of the file obtained from the partner that contains the partner's configuration information.
Basic Information (Description / Your value)
- Name: Provide a name for the partner.
- Enabled: Check this box for the partner to be active.
- Provider ID: Provide a unique identifier that identifies the provider partner to the federation.
Sets (Description / Your value)
- Artifact Resolution Service URL: The value must be a URI.
- Intersite Transfer Service URL: The value must be a URI.
- Create multiple attribute statements in the Universal User: Select this check box to keep multiple attribute statements in the groups in which they were received. This option might be necessary if the custom identity mapping rules are written to operate on one or more specific groups of attribute statements. If this check box is not selected, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUser document. The check box is cleared by default, and that setting is appropriate for most configurations.
- Maximum request life time (in milliseconds): Default value: -1, which means the request never expires.
Signature Validation (Description / Your value)
- Validate Signatures on SAML Messages for Artifact Profile (optional): We have the option of validating the SAML message signatures when browser artifact is used. One of the following:
  - Validate signatures for artifact. (Select the check box.)
  - Do not validate signatures for artifact. (Clear the check box.)
- Select the key for validating artifacts: If we choose to validate messages when browser artifact is used, the same validation key is used to validate them. The key we use is the public key corresponding to the private key the partner uses to sign messages. If we are importing the partner's data, the key is supplied in the metadata file. If we are entering the partner's data manually, be sure that we have obtained the key from the partner, then import the key into the appropriate keystore in the IBM Security Verify Access key service before this task. Values:
  - Certificate database
  - Certificate Label
Configure Security Token (Description / Your value)
- Enable Signature Validation: If the partner signs assertions, we can choose to validate those signatures. In some cases, the partner requires us to validate the signatures. One of the following:
  - Enable signature validation. (Select the check box.)
  - Do not validate signatures. (Clear the check box.)
- Select Validation Key: The type of signature validation to use. If we select keystore alias, provide the values for the certificate keystore and label. If we select KeyInfo, provide the regular expression that matches the validation key. One of the following:
  - Use the KeyInfo of the XML signature to find the X.509 certificate for signature validation
  - Use a keystore alias to find the public key for signature validation (default)
- Select key and truststore: The truststore in the IBM Security Verify Access key service where the key is stored, and the public key to use for validating the signature. If we choose to validate the assertion signatures or the partner requires signature validation, we must select a keystore and a key. The key we use must be the public key corresponding to the private key the partner uses to sign the assertions. Obtain this key and create the keystore before this task. Values:
  - Keystore
  - Certificate label
Server Certificate Validation for SOAP (Description / Your value)
- Select Server Validation Certificate: The public key for the certificate that the partner presents during SSL communication. We and the partner must agree on which certificate to use. We must have already obtained the certificate and the keystore for the certificate. No password is required. This configuration is mandatory for the browser artifact profile. If no option is selected, server certificate validation is disabled. Values:
  - Keystore name
  - Certificate Label
Client Authentication for SOAP (Description / Your value)
- Client authentication information: One of the following:
  - Basic authentication: a username and password.
  - Client certificate authentication: the certificate we must present to the server of the identity provider, which is the certificate that we and the identity provider partner agreed we would present, and the keystore in the IBM Security Verify Access key service where the key is stored.
  - None: client authentication is disabled.
  If the partner requires mutual authentication, we must know which type to use. For basic authentication, we need a user name and password. For client certificate authentication, we need the certificate that we and the partner agreed to use. If we need a certificate, be sure that we have agreed with the partner where to get it, then import it into the appropriate keystore in the IBM Security Verify Access key service before this task. Client certificate authentication does not require a password for the truststore. Values, one of the following:
  - Basic authentication information: Username, Password
  - Client certificate authentication information: Keystore name, Certificate Label
Identity mapping (Description / Your value)
- Identity mapping options: The type of identity mapping to use with this partner. One of the following:
  - Use the identity mapping configured for this partner's federation.
  - Use JavaScript transformation for identity mapping.
  - Use an external web service for identity mapping.
  We can use the identity mapping configured for this partner's federation, or override it for this partner. If we choose JavaScript for mapping, a subsequent panel asks us to select the JavaScript file to use. If we choose an external web service, a subsequent panel asks us to provide the following information:
  - URI format (HTTP or HTTPS)
  - Web service URI
  - Server certificate database, if the URI format is HTTPS
  - Client authentication type, if the URI format is HTTPS
  - Message format: XML or WS-Trust
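As an added example (not code from the IBM documentation or the product), the following Python pulls the worksheet values that a partner's metadata file can supply (Provider ID, the two service URLs and the signing certificate) and flags the points the worksheet calls out: each URL must be a URI, the browser artifact profile depends on server certificate validation of the SOAP endpoint, and a missing signing key must be obtained from the partner and imported before configuration. It assumes the partner publishes SAML 2.0-style metadata whose IDPSSODescriptor declares the SAML 1.1 protocol, with the SingleSignOnService element carrying the Intersite Transfer Service URL; the metadata, entity ID and certificate are constructed placeholders.

```python
# Added example, not from the IBM documentation: extract the worksheet values for
# a SAML 1.1 identity provider partner from its metadata file. Assumption: the
# partner's metadata is SAML 2.0-style with an IDPSSODescriptor declaring the
# SAML 1.1 protocol. The metadata below is constructed, not a real partner's.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML11 = "urn:oasis:names:tc:SAML:1.1:protocol"
NS = {"md": MD, "ds": DS}
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml11">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML11}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="http://idp.example.test/saml11/soap"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://idp.example.test/saml11/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def worksheet_from_metadata(xml_text):
    """Return (worksheet fields, warnings to raise with the partner)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or SAML11 not in idp.get("protocolSupportEnumeration", ""):
        raise ValueError("metadata does not describe a SAML 1.1 identity provider")
    ars = idp.find("md:ArtifactResolutionService", NS)
    its = idp.find("md:SingleSignOnService", NS)  # SAML 1.1 Intersite Transfer Service
    cert = idp.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                        "ds:X509Certificate", namespaces=NS)
    sheet = {
        "Provider ID": root.get("entityID"),
        "Artifact Resolution Service URL": None if ars is None else ars.get("Location"),
        "Intersite Transfer Service URL": None if its is None else its.get("Location"),
        "Signing certificate (base64)": cert.strip() if cert else None,
    }
    warnings = []
    for field in ("Artifact Resolution Service URL", "Intersite Transfer Service URL"):
        if not sheet[field] or not urlparse(sheet[field]).scheme:
            warnings.append(f"{field} must be a URI")
    # Browser artifact profile needs server certificate validation on the SOAP channel.
    ars_url = sheet["Artifact Resolution Service URL"]
    if ars_url and urlparse(ars_url).scheme != "https":
        warnings.append("Artifact Resolution Service URL is not HTTPS")
    if sheet["Signing certificate (base64)"] is None:
        warnings.append("no signing certificate; obtain the public key from the partner")
    return sheet, warnings
```

The returned dictionary maps directly onto the Provider ID, URL and validation-key rows of the worksheet above; the warnings are the items to take back to the partner before the keystore is prepared.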