SAML 1.1 service provider partner worksheet

If we use SAML 1.1 as an identity provider, we add a service provider partner to the federation. The partner can supply some of the information in a metadata file, or can supply all of the information manually.

Use the following worksheet to gather the necessary information from the partner. Modify this worksheet to reflect the specific information that we need from the partner. We must also ask the partner to complete that modified worksheet.

Select Federation | Description | Your value
Federation name | The name of the federation to which we are adding the partner.

Import metadata | Description | Your value
Configure the partner manually | Enter the information of the partner manually in the subsequent windows. See Table 3.

If Configure the partner manually is selected in the Create New Partner window and the Next button is clicked, the user cannot go back to change the option to add a new partner. To rectify this issue, cancel the widget and start again.

Upload a partner metadata file | The name and path of the file obtained from the partner that contains the configuration information of the partner.

Basic Information | Description
Name | Provide a name for the partner.
Enabled | Check this box for the partner to be active.
Provider ID | Provide a unique identifier that identifies the provider partner to the federation. The value must be a URI.

Sets | Description | Your value
Assertion Consumer Service URL | Provide the Assertion Consumer Service URL for the partner. The value must be a URI.
Use artifact profile for SSO | Check this check box to use the artifact profile for single sign-on.
Include the following attribute types in the SAML assertions | Provide attribute types in the value text box. A "*" means include all types. It is selected by default.
Subject confirmation method | There are four subject confirmation methods. If no value is set, this field defaults to No Subject Confirmation Method.

Configure Security Token | Description | Your value
Sign SAML Assertions | Enable this check box if we want to sign SAML assertions.
Select the key for signing assertions | The signing key is identified by:

  • Keystore in IBM Security Verify Access key service, where the key is stored
  • Private key you will use for signing the assertion.

If we choose to sign the assertions, we must select a keystore and a key. Create the keystore and key before this task.

  • KeyStore
  • Certificate label

Include the X509 certificate data | If we choose to sign the SAML assertion, specify whether we want the BASE64 encoded certificate data to be included with your signature. The default action is to include the X.509 certificate data (Yes). Or, we can choose to exclude the X.509 certificate data (No).
Include the X509 Subject Issuer Details | If we choose to sign the SAML assertion, specify whether we want the issuer name and the certificate serial number to be included with your signature. The default action is to exclude the X.509 subject issuer details (No). Or, we can choose to include the X.509 subject issuer details (Yes).
Include the X509 Subject Name | If we choose to sign the SAML assertion, specify whether we want the subject name to be included with your signature. The default action is to exclude the X.509 subject name (No). Or, we can choose to include the X.509 subject name (Yes).
Include the X509 Subject Key Identifier | If we choose to sign the SAML assertion, specify whether we want the X.509 subject key identifier to be included with your signature. The default action is to exclude the subject key identifier (No). Or, we can choose to include the X.509 subject key identifier (Yes).
Include the Public Key | If we choose to sign the SAML assertion, specify whether we want the public key to be included with your signature. The default action is to exclude the public key (No). Or, we can choose to include the public key (Yes).
Use the inclusive Namespaces | If we choose to sign the SAML assertion, we can select to use the InclusiveNamespaces element in the canonicalization of the assertion during signature creation. The default is unchecked.
 
Signature Algorithm for signing SAML Messages | Signature algorithm to use for the transaction. The selected key used to sign the SAML messages must match the option chosen in the drop-down menu to prevent signature failure. Select the signature algorithm from the following options.

  • RSA-SHA1
  • DSA-SHA256
  • RSA-SHA512

Signatures | Description | Your value
Validate Signatures on Artifact Requests | We can validate the SAML message signatures when browser artifact is used. To use this option, select the Validate Signatures check box. One of the following:

  • Validate signatures for artifact. (Select the check box.)
  • Do not validate signatures for artifact. (Clear the check box.)

Select the key for validating artifacts | If we select to validate messages when browser artifact is used, this key is used to validate them. The key we use is the public key that corresponds to the private key the partner uses to sign messages. If we are importing the data of the partner, the key is supplied in the metadata file. If we are manually entering the data of the partner, be sure that we have obtained the key from the partner. Then import the key into the appropriate keystore in the IBM Security Verify Access key service before this task.

  • Certificate database
  • Certificate Label
Signature Algorithm for validating artifacts | Signature algorithm to use for the transaction. The selected key used to sign the SAML messages must match the option chosen in the drop-down menu to prevent signature failure. Select the signature algorithm from the following options.

  • RSA-SHA1
  • DSA-SHA256
  • RSA-SHA512
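
Both "Signature Algorithm" rows (for signing SAML messages and for validating artifacts) make the same point: the drop-down option must fit the key type under the chosen certificate label (RSA-SHA1 and RSA-SHA512 need an RSA key, DSA-SHA256 needs a DSA key), and on the validating side the algorithm declared in a received message should be compared against the configured one rather than accepted as declared. The Python below is an added example, not code from the IBM documentation or the product; the algorithm URIs are the standard XML Signature identifiers, and the SAML 1.1 response fragment, its identifiers, digest and signature value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Worksheet drop-down option -> (key type it requires, XML Signature algorithm URI).
# The URIs are the standard identifiers from XML Signature 1.0/1.1 and RFC 6931.
SIGNATURE_OPTIONS = {
    "RSA-SHA1": ("RSA", "http://www.w3.org/2000/09/xmldsig#rsa-sha1"),
    "DSA-SHA256": ("DSA", "http://www.w3.org/2009/xmldsig11#dsa-sha256"),
    "RSA-SHA512": ("RSA", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"),
}


def choice_is_consistent(option, key_type):
    """Signing side: True when the drop-down option fits the key stored under
    the chosen certificate label. A mismatch (for example DSA-SHA256 with an
    RSA key) produces the signature failures the worksheet warns about."""
    entry = SIGNATURE_OPTIONS.get(option)
    return entry is not None and entry[0] == key_type.upper()


def signature_method_of(message_xml):
    """Return the Algorithm URI declared in ds:SignedInfo/ds:SignatureMethod of
    the first ds:Signature in the message, or None if there is no signature."""
    root = ET.fromstring(message_xml)
    path = ".//{%s}Signature/{%s}SignedInfo/{%s}SignatureMethod" % (DS_NS, DS_NS, DS_NS)
    method = root.find(path)
    return None if method is None else method.get("Algorithm")


def accept_signature_method(message_xml, configured_option):
    """Validating side: accept the message only if it declares exactly the
    algorithm configured for this partner. The message's own declaration is
    never used to choose the algorithm; an unsigned message, an unknown
    configured option, or an unexpected algorithm is rejected."""
    entry = SIGNATURE_OPTIONS.get(configured_option)
    if entry is None:
        return False
    return signature_method_of(message_xml) == entry[1]


# Constructed SAML 1.1 response fragment; ids, digest and signature are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    ResponseID="_constructed-response-id" MajorVersion="1" MinorVersion="1"
    IssueInstant="2024-01-01T00:00:00Z">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
      <ds:Reference URI="#_constructed-response-id">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
        <ds:DigestValue>Y29uc3RydWN0ZWQtZGlnZXN0</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQtc2lnbmF0dXJl</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>
"""

if __name__ == "__main__":
    print(choice_is_consistent("RSA-SHA512", "RSA"))               # True
    print(choice_is_consistent("DSA-SHA256", "RSA"))               # False
    print(accept_signature_method(SAMPLE_RESPONSE, "RSA-SHA512"))  # True
    print(accept_signature_method(SAMPLE_RESPONSE, "RSA-SHA1"))    # False
```

Where the partner supports it, RSA-SHA512 is the better choice of the three: SHA-1 is no longer considered collision resistant, and pinning the expected algorithm on the validating side (as accept_signature_method does) keeps a message from being checked with a weaker method than the one the worksheet records.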

Identity mapping | Description | Your value
Identity mapping options | One of the following:

  • Use the identity mapping configured for this partner's federation.
  • Use JavaScript transformation for identity mapping
  • Use an external web service for identity mapping

The type of identity mapping to use with this partner. We can use the identity mapping configured for this partner's federation, or we can override it for this partner. If we choose JavaScript for mapping, on a subsequent panel we are asked to select the JavaScript file to use.

If we choose an external web service, on a subsequent panel we are asked to provide the following information:

  • URI format (HTTP or HTTPS)
  • Web service URI
  • Server Certificate database, if the URI format is HTTPS
  • Client authentication type, if the URI format is HTTPS
  • Message format:
    • XML
    • WS-Trust

Parent topic: Obtain federation configuration data from the partner