SAML 2.0 identity provider partner worksheet

If we use SAML 2.0 in our role as a service provider, add an identity provider partner to the federation.

Use the following worksheet to gather the necessary information from the partner. Modify this worksheet to reflect the specific information that we need from the partner and ask the partner to complete that modified worksheet.

Select Federation Description Your value
Federation name The name of the federation to which we are adding the partner.  

Import metadata Description Your value
Metadata file The name and path of the file obtained from the partner, containing their configuration information  

Single sign-on settings Description Your value
Web Browser Single Sign-On profile Details for the SAML 2.0 Web Browser Single Sign-On profile. Multiple profiles can be added. Profile details
SAML assertion attributes Attributes to include in the STSUniversalUser. The source attributes must be created first.  
Force authentication to achieve account linkage Specify if a user is forced to authenticate at the service provider to perform account linkage. This event occurs if a SAML response is received with an unknown alias in the service provider.  
Include federation ID when performing alias service operations Whether the key for indexing into the alias service combines the federation ID with the partner Provider ID when performing alias service operations. This feature is useful in scenarios where two or more federations, that use persistent name identifiers, import the same partner metadata.  
Username to be used for anonymous users Use this name identifier to access a service through an anonymous identity. The user name entered here is one the service provider recognizes as a one-time name identifier for a legitimate user in the local user registry. This feature gives users access to a resource on the service provider without establishing a federated identity. This feature is useful in scenarios where the service provider does not need to know the identity of the user account but must only know the identity provider has authenticated (and can vouch for) the user.  
Map unknown name identifiers to the anonymous username The service provider can map an unknown persistent name identifier alias to the anonymous user account.  
Create multiple attribute statements in the Universal User Select this check box to keep multiple attribute statements in the groups they were received in. This option might be necessary if the custom identity mapping rules are written to operate on one or more specific groups of attribute statements. If this check box is not selected, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUser document.  

SSL server validation for SOAP endpoints Description Your value
Select Server Validation Certificate Public key for the certificate that shows during SSL communication with the partner. You and the partner must agree which certificate to use. We must have already obtained the certificate and added it to your truststore.  
Certificate database Select the database where the certificate is stored.  
Certificate label Name of the certificate to use for server validation. If not provided, all certificates in the specified certificate database will be trusted.  

SSL Client Authentication for SOAP endpoints Description Your value
Client authentication information

  • No authentication
  • Basic authentication

    • Username
    • Password

  • Client certificate authentication

    • Certificate to present to the server of the identity provider.

      This certificate is the certificate that you and your identity provider partner agreed to present.

If the partner requires mutual authentication, we must know which type to use.

Select No authentication if the partner does not require authentication.

If it is basic authentication, we need a user name and password.

If it is client certificate authentication, we need the certificate that you and the partner have agreed to use. If we need a certificate, be sure that we have agreed with the partner where it comes from. Obtain and import it into the appropriate keystore.

One of the following options:

  • No authentication
  • Basic authentication information:

    • Username:
    • Password:

  • Client certificate authentication information:

    • Certificate database
    • Certificate label

Identity Mapping Options Description Your value
Identity mapping options

  • Use the identity mapping configured for this partner's federation.
  • Use JavaScript transformation for identity mapping
  • Use an external web service for identity mapping

The type of identity mapping to use with this partner. We can choose to use the identity mapping configured for this partner's federation. Or, we can choose to override the identity mapping configured for this partner's federation. If we choose JavaScript for mapping, on a subsequent panel, we are asked to select the JavaScript file to use.If we choose an external web service, on a subsequent panel, we are asked to provide the following information:

  • URI format (HTTP or HTTPS)

  • Web service URI
  • Server Certificate database, if the URI format is HTTPS
  • Client authentication type, if the URI format is HTTPS
  • Message format:

    • XML
    • WS-Trust

Message Extensions Description Your value
SAML Message Extension options:

  • No message extensions (default)
  • Use Javascript to add message extensions
  • Use the federation configurations (Partner only)

If we configure the federation with a message extension rule, every time a SAML message is written, the rule is invoked in order to gather any extensions which need to be included. The mapping rule is invoked with context information about the federation and partner, as well as the kind of message being sent.

The mapping rule context is available in a variable ‘context’. For documentation on this object see the on box javadoc for the class JSMessageExtensionContext.

If Javascript extensions are enabled, a subsequent dialogue allows selection of the mapping rule.

Traditional identity mapping rules with the category SAML_2_0 are filtered from the view, as identity mapping rules are not compatible with extension rules. There is a rule available out of the box, which contains information and examples.

After completing this worksheet, continue with the steps in Manage federation partners.

Parent topic: Obtain federation configuration data from the partner