SAML 1.1 identity provider worksheet

If you assume the role of the identity provider in the federation, and use SAML 1.1, record your configuration information in the following tables.

General Information

  Federation name
    Description: The unique name you give to the federation.
    Your value:

  Role
    Description: The role you provide in the federation. (In these instructions, we are the identity provider.)
    Your value: Identity provider

  Company name
    Description: The name of the company creating this provider.
    Your value:

Federation Protocol

  Protocol
    Description: The SAML protocol you and the partner use in the federation.
    Your value: SAML 1.1

Point of Contact Server

  Point of contact server URL
    Description: The URL that provides access to the endpoints on the point of contact server.
    Your value:

Sets

  Amount of time before the issue date that an assertion is considered valid
    Description: The number of seconds before its issue date that an assertion is considered valid. Default value: 60
    Your value:

  Amount of time the assertion is valid after being issued
    Description: The number of seconds after its issue date that an assertion is considered valid. Default value: 60
    Your value:

  Include the following attribute types in the SAML assertions
    Description: Provide the attribute types in the value text box. A "*" means include all types; "*" is selected by default.
    Your value:
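The two time settings above define the validity window that a partner checks before trusting an assertion: the "before" window tolerates clock skew between the identity provider and the service provider, and the "after" window bounds how long a captured assertion stays usable. The following Python example is added here to illustrate that; it is not IBM documentation or product code. It assumes that the two settings map onto the SAML 1.1 Conditions element as NotBefore = IssueInstant minus the "before" seconds and NotOnOrAfter = IssueInstant plus the "after" seconds; the issuer URL, the assertion identifier and the timestamps are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# SAML 1.1 assertion namespace (standard value)
NS_SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", NS_SAML)

# Worksheet defaults: 60 seconds before and 60 seconds after the issue date
VALID_BEFORE_DEFAULT = 60
VALID_AFTER_DEFAULT = 60


def saml_timestamp(dt):
    """Format a datetime as the UTC xsd:dateTime string SAML uses (trailing 'Z')."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_timestamp(text):
    """Parse the UTC xsd:dateTime form produced by saml_timestamp."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _as_datetime(value):
    """Accept either a datetime or a SAML timestamp string."""
    return value if isinstance(value, datetime) else parse_saml_timestamp(value)


def validity_window(issue_instant, valid_before=VALID_BEFORE_DEFAULT,
                    valid_after=VALID_AFTER_DEFAULT):
    """Assumed mapping of the two worksheet settings onto the Conditions element:
    NotBefore = IssueInstant - valid_before, NotOnOrAfter = IssueInstant + valid_after."""
    issued = _as_datetime(issue_instant)
    return (issued - timedelta(seconds=valid_before),
            issued + timedelta(seconds=valid_after))


def build_assertion(issue_instant, issuer, valid_before=VALID_BEFORE_DEFAULT,
                    valid_after=VALID_AFTER_DEFAULT):
    """Build a minimal SAML 1.1 Assertion that carries only the Conditions element."""
    issued = _as_datetime(issue_instant)
    not_before, not_on_or_after = validity_window(issued, valid_before, valid_after)
    assertion = ET.Element(f"{{{NS_SAML}}}Assertion", {
        "MajorVersion": "1",
        "MinorVersion": "1",
        "AssertionID": "_constructed-assertion-id",  # placeholder, not a real identifier
        "Issuer": issuer,
        "IssueInstant": saml_timestamp(issued),
    })
    ET.SubElement(assertion, f"{{{NS_SAML}}}Conditions", {
        "NotBefore": saml_timestamp(not_before),
        "NotOnOrAfter": saml_timestamp(not_on_or_after),
    })
    return ET.tostring(assertion, encoding="unicode")


def conditions_satisfied(assertion_xml, now):
    """Relying-party check: 'now' must fall inside [NotBefore, NotOnOrAfter).
    NotOnOrAfter is exclusive, as its name says; a missing Conditions element is rejected."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{NS_SAML}}}Conditions")
    if conditions is None:
        return False
    not_before = parse_saml_timestamp(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_timestamp(conditions.get("NotOnOrAfter"))
    return not_before <= _as_datetime(now) < not_on_or_after


if __name__ == "__main__":
    issued = "2024-01-01T12:00:00Z"  # constructed issue instant
    xml = build_assertion(issued, "https://idp.example.test/")  # constructed issuer
    print(xml)
    # A service provider whose clock runs 30 s behind the identity provider still accepts it
    print(conditions_satisfied(xml, "2024-01-01T11:59:30Z"))
    # 61 s behind falls outside the default 60 s "before" window
    print(conditions_satisfied(xml, "2024-01-01T11:58:59Z"))
```

Shortening the "after" window limits how long an assertion that leaks in transit can be replayed, while the "before" window only needs to cover the real clock skew between the two parties; both are worth tightening from the defaults once the partner's clock accuracy is known.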

Signatures

  Signature options
    Description:
      • SAML messages for Browser POST profile are signed (required)
      • Sign SAML messages for artifact profile (optional)
      When browser POST is used as the profile, SAML messages must be signed. Therefore, this option is pre-selected and cannot be deselected.
      We have the option of also signing the SAML messages when browser artifact is used.
    Your value (one of the following):
      • Sign browser artifact messages. (Select check box.)
      • Do not sign browser artifact messages. (Clear check box.)

  Select Signing Key
    Description:
      • Keystore in IBM Security Verify Access key service, where the key is stored
      • Private key you will use for signing
      Because Browser POST messages must be signed, we are required to supply a signing key. If we select to also sign messages when browser artifact is used, the same signing key is used to sign them. Be sure we have created the key and imported it into the appropriate keystore in the IBM Security Verify Access key service prior to this task.
    Your value:
      • Keystore name:
      • Certificate label:

SAML Message Settings

  Artifact Resolution Service URL
    Description: The URL for your artifact resolution endpoint. (The value for this field is filled in automatically using the point of contact server URL you specified earlier.)
    Your value:

  Artifact Cache Lifetime (seconds)
    Description: The artifact cache lifetime in seconds. Default value: 30 seconds.
    Your value:

  Allow IBM Protocol Extension
    Description: Whether you will allow the use of the IBM PROTOCOL extension. The extension allows a query-string parameter that specifies whether browser artifact or browser POST is used. For information, see SAML 1.1.
    Your value (one of the following):
      • Allow IBM Protocol Extension. (Check box.)
      • Do not allow Protocol Extension. (Clear the check box.)

Identity mapping

  Identity mapping options
    Description:
      • Use JavaScript transformation for identity mapping
      • Use an external web service for identity mapping
      If we configure an identity provider, this mapping specifies how to create an assertion containing attributes mapped from a local user account.
      If we configure a service provider, this mapping specifies how to match an assertion from the partner to the local user accounts.
      If we choose JavaScript for mapping, on a subsequent panel, we are asked to select the JavaScript file to use.
      If we choose an external web service, on a subsequent panel, we are asked to provide the following information:
        • URI format (HTTP or HTTPS)
        • Web service URI
        • Server certificate database, if the URI format is HTTPS
        • Client authentication type, if the URI format is HTTPS
        • Message format:
          • XML
          • WS-Trust
    Your value:

After completing the tables, continue with the instructions in Create and modify a federation.

Parent topic: Gather the federation configuration information