SAML 2.0 identity provider worksheet

SAML 2.0 identity provider worksheet

If we are the identity provider in the federation and use SAML 2.0, record your configuration information in the following tables.

Federation protocol Description Your value
Federation name The name to give this federation. The name must not contain any ASCII control characters or special characters except hyphen and underscore.
SAML 2.0 Protocol to use in the federation. SAML 2.0

Template Description Your value

Quick Connect
SAML 2.0
Choose Quick Connect to quickly set up an identity provider federation to work with partner templates to assist with establishment federations to well-known partners. Choose SAML 2.0 to use the full set of configuration options. The template cannot be changed after a federation is created.

General Description Your value
Company name The name of the company creating this provider.
Provider ID Identifies Provider to the partner. Default is poc _server_URL/federation_name/saml20.
Role Your role is either Identity Provider or Service Provider. An identity provider vouches for the identity of the end user. The Identity Provider authenticates the user and provides an authentication token to the service provider. A service provider provides a service to end users. In most cases, service providers do not authenticate users, but instead request authentication decisions from an identity provider. We cannot change the role after a federation is created. Identity provider

Point of contact server Description Your value
URL The endpoint URL of the poc server, which is a reverse proxy server configured in front of the runtime listening interfaces. The format is: http[s]://hostname[:portnumber]/[junction]/sps

Profile selection Description Your value

Web Browser Single Sign-on
Name Identifier Management
Single Logout
Profile for the federation. The Web Browser Single Sign-on profile must be selected by default. We cannot clear this selection.

Sets Description Your value

HTTP Artifact
HTTP POST
HTTP Redirect
Choice of binding depends on the type of messages sent. For example, an authentication request message can be sent from a service provider to an identity provider. The response message can be sent from an identity provider to a service provider by using either HTTP POST or HTTP artifact. A pair of partners in a federation does not need to use the same binding.
Default NameID format Processing rules for the NameID value if one of the following items is true:

The format attribute is not set
The format attribute is set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Formats:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Time, in seconds, before the issue date that an assertion is considered valid Require the partner to sign SAML validations. You will validate the signature on the incoming SAML assertions.
Time, in seconds, the assertion is valid before being issued Require the partner to validate the signature on SAML authentication requests. You will sign the outgoing SAML authentication requests.
Require consent to federate Requires the identity provider to present a page to the user verifying the federation request.
Enable ECP Check this check box to enable the ECP profile.
Add Session State Headers Add or delete a Session State Header. Multiple headers can be added. Specify the name of the Session State Header that we are adding in the field.
Require signature on incoming SAML assertions Require the partner to sign SAML assertions. You will validate the signature on the incoming SAML assertions.
Require outgoing SAML authentication requests to be signed Require the partner to validate the signature on SAML authentication requests. You will sign the outgoing SAML authentication requests.

Sets Description Your value

HTTP Artifact
HTTP POST
HTTP Redirect
HTTP SOAP
Choice of binding depends on the type of messages sent. A pair of partners in a federation does not need to use the same binding.
Message signatures. Outgoing SAML messages that require a signature:

Name identifier management requests
Name identifier management responses
Whether you will sign the outgoing SAML name identifier management requests and responses.

Sets Description Your value

HTTP Artifact
HTTP POST
HTTP Redirect
HTTP SOAP
Choice of binding depends on the type of messages sent. A pair of partners in a federation does not need to use the same binding.
Outgoing SAML messages that require a signature:

Single logout requests
Single logout responses
Whether you will sign the outgoing SAML logout requests and responses.
Exclude session index Whether to exclude session index in the single logout request. If selected, the logout request message sent out from this Identity Provider will exclude session index. When the Service Provider receives this logout request, it will log out all the sessions for the current user. The Identity Provider will log out only the current user session locally. This setting is used on the identity provider only.
ResponseLocation Optional

Signatures Description Your value
Certificate database Database where the signing certificate is stored
Certificate label Name of the certificate to use for signing.
Include the following KeyInfo elements Determine which KeyInfo elements to include in the digital signature for a SAML message or assertion.

X509 certificate data

Whether we want the BASE64 encoded certificate data to be included with the signature. The default action is to include the X.509 certificate data.

X509 Subject Name

Whether we want the subject name to be included with the signature. The default action is to exclude the X.509 subject name.

X509 Subject Key Identifier

Whether we want the X.509 subject key identifier to be included with the signature. The default action is to exclude the subject key identifier.

X509 Subject Issuer Details

Whether we want the issuer name and the certificate serial number to be included with the signature. The default action is to exclude the X.509 subject issuer details.

Public key

Whether to have the public key be included with the signature. The default action is to exclude the public key.

Signatures Description Your value
Certificate database Database where the encryption certificate is stored
Certificate label Name of the certificate to use for encryption.

Message settings Description Your value
Message Lifetime in seconds An integer value specifying the length of time, in seconds, that a message is valid. Default is 300.
Artifact Lifetime in seconds The length of time, in seconds, that an artifact is considered valid. This field is only valid when HTTP artifact binding has been enabled. The default value is 120.
Session Timeout in seconds The length of time, in seconds, the session remains valid. The default value is 7200.
Outgoing messages that require a signature:

Artifact requests
Artifact responses
Whether you will sign the outgoing SAML artifact requests and responses.
Message issuer format Format attribute of the Issuer of the SAML message.
Message issuer name qualifier Name qualifier attribute of the Issuer of the SAML message.

Access Policy Description Your value
Enable access policy If we configure an identity provider, this setting specifies whether to enable access policy. If we enable access policy, we must select one of the policies that we defined. If access policy is enabled on both the federation configuration and the partner configuration, the partner configuration takes effect.

Identity mapping Description Your value
Identity mapping options

Use JavaScript transformation for identity mapping
Use an external web service for identity mapping
If we configure an identity provider, this mapping specifies how to create an assertion containing attributes mapped from a local user account. If we configure a service provider, this mapping specifies how to match an assertion from the partner to the local user accounts. If we choose JavaScript for mapping, on a subsequent panel, we are asked to select the JavaScript file to use. If we choose an external web service, on a subsequent panel, we are asked to provide the following information:

URI format (HTTP or HTTPS)
Web service URI
Server Certificate database, if the URI format is HTTPS
Client authentication type, if the URI format is HTTPS
Message format:

XML
WS-Trust

Message Extensions Description Your value
SAML Message Extension options:

No message extensions (default)
Use Javascript to add message extensions
If we configure the federation with a message extension rule, every time a SAML message is written, the rule is invoked in order to gather any extensions which need to be included. The mapping rule is invoked with context information about the federation and partner, as well as the kind of message being sent. The mapping rule context is available in a variable ‘context’. For documentation on this object see the on box javadoc for the class JSMessageExtensionContext. If Javascript extensions are enabled, a subsequent dialogue allows selection of the mapping rule. Traditional identity mapping rules with the category SAML_2_0 are filtered from the view, as identity mapping rules are not compatible with extension rules. There is a rule available out of the box, which contains information and examples.

After completing the tables, continue with the instructions in Create and modify a federation.
Parent topic: Gather the federation configuration information

Federation protocol	Description	Your value
Federation name	The name to give this federation. The name must not contain any ASCII control characters or special characters except hyphen and underscore.
SAML 2.0	Protocol to use in the federation.	SAML 2.0

General	Description	Your value
Company name	The name of the company creating this provider.
Provider ID	Identifies Provider to the partner. Default is poc _server_URL/federation_name/saml20.
Role	Your role is either Identity Provider or Service Provider. An identity provider vouches for the identity of the end user. The Identity Provider authenticates the user and provides an authentication token to the service provider. A service provider provides a service to end users. In most cases, service providers do not authenticate users, but instead request authentication decisions from an identity provider. We cannot change the role after a federation is created.	Identity provider

Sets	Description	Your value
HTTP Artifact HTTP POST HTTP Redirect	Choice of binding depends on the type of messages sent. For example, an authentication request message can be sent from a service provider to an identity provider. The response message can be sent from an identity provider to a service provider by using either HTTP POST or HTTP artifact. A pair of partners in a federation does not need to use the same binding.
Default NameID format	Processing rules for the NameID value if one of the following items is true: The format attribute is not set The format attribute is set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified	Formats: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Time, in seconds, before the issue date that an assertion is considered valid	Require the partner to sign SAML validations. You will validate the signature on the incoming SAML assertions.
Time, in seconds, the assertion is valid before being issued	Require the partner to validate the signature on SAML authentication requests. You will sign the outgoing SAML authentication requests.
Require consent to federate	Requires the identity provider to present a page to the user verifying the federation request.
Enable ECP	Check this check box to enable the ECP profile.
Add Session State Headers	Add or delete a Session State Header. Multiple headers can be added.	Specify the name of the Session State Header that we are adding in the field.
Require signature on incoming SAML assertions	Require the partner to sign SAML assertions. You will validate the signature on the incoming SAML assertions.
Require outgoing SAML authentication requests to be signed	Require the partner to validate the signature on SAML authentication requests. You will sign the outgoing SAML authentication requests.

Sets	Description	Your value
HTTP Artifact HTTP POST HTTP Redirect HTTP SOAP	Choice of binding depends on the type of messages sent. A pair of partners in a federation does not need to use the same binding.
Outgoing SAML messages that require a signature: Single logout requests Single logout responses	Whether you will sign the outgoing SAML logout requests and responses.
Exclude session index	Whether to exclude session index in the single logout request. If selected, the logout request message sent out from this Identity Provider will exclude session index. When the Service Provider receives this logout request, it will log out all the sessions for the current user. The Identity Provider will log out only the current user session locally. This setting is used on the identity provider only.
ResponseLocation Optional

Signatures	Description	Your value
Certificate database	Database where the encryption certificate is stored
Certificate label	Name of the certificate to use for encryption.

Message settings	Description	Your value
Message Lifetime in seconds	An integer value specifying the length of time, in seconds, that a message is valid. Default is 300.
Artifact Lifetime in seconds	The length of time, in seconds, that an artifact is considered valid. This field is only valid when HTTP artifact binding has been enabled. The default value is 120.
Session Timeout in seconds	The length of time, in seconds, the session remains valid. The default value is 7200.
Outgoing messages that require a signature: Artifact requests Artifact responses	Whether you will sign the outgoing SAML artifact requests and responses.
Message issuer format	Format attribute of the Issuer of the SAML message.
Message issuer name qualifier	Name qualifier attribute of the Issuer of the SAML message.