SAML 2.0 service provider partner worksheet
If you use SAML 2.0 in the role of identity provider, you add a service provider partner to the federation. Use the following worksheet to gather the necessary information from the partner. Modify this worksheet to reflect the specific information that you need from the partner, and ask the partner to complete the modified worksheet. In each section, the description explains the item and the partner records its answer as the value.
If the service provider (SP) partner supports multiple assertion consumer service (ACS) endpoints, the SAML 2.0 identity provider supports all of them for SP-initiated single sign-on from that partner. The support takes effect as soon as you add the SP partner to the SAML 2.0 identity provider federation. The identity provider selects the endpoint from the ACS URL that the authentication request message specifies, so every ACS endpoint that the partner intends to use must be present in the partner configuration (in the imported metadata or in the single sign-on settings below).
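As an added worked example (not part of this worksheet and not the product's own code), the following Python script shows how an identity provider resolves the ACS endpoint for an SP-initiated authentication request against the endpoints registered in the partner's metadata. The metadata, the entity IDs and the hypothetical partner `sp.example.com` are constructed for the demonstration; the request may name the endpoint by URL (with an optional binding), by index, or not at all, in which case the partner's default endpoint is used, and a URL that is not registered is rejected rather than honored.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# SAML 2.0 namespaces used in metadata and protocol messages.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample: the metadata a hypothetical SP partner would supply for the
# "Import metadata" line of the worksheet. It registers two ACS endpoints.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="{HTTP_POST}" Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="{HTTP_POST}" Location="https://sp-eu.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


@dataclass(frozen=True)
class AcsEndpoint:
    index: int
    binding: str
    location: str
    is_default: bool


def load_sp_metadata(metadata_xml: str) -> tuple[str, list[AcsEndpoint]]:
    """Return the partner's entity ID and the ACS endpoints its metadata registers."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    endpoints = [
        AcsEndpoint(
            index=int(acs.get("index")),
            binding=acs.get("Binding"),
            location=acs.get("Location"),
            is_default=acs.get("isDefault", "false").lower() == "true",
        )
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]
    if not endpoints:
        raise ValueError("partner metadata registers no AssertionConsumerService")
    return entity_id, endpoints


def select_acs(authn_request_xml: str, entity_id: str, endpoints: list[AcsEndpoint]) -> AcsEndpoint:
    """Pick the registered ACS endpoint that the partner's AuthnRequest asks for."""
    req = ET.fromstring(authn_request_xml)
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer != entity_id:
        raise ValueError(f"AuthnRequest issuer {issuer!r} is not the registered partner")

    url = req.get("AssertionConsumerServiceURL")
    index = req.get("AssertionConsumerServiceIndex")
    binding = req.get("ProtocolBinding")
    if url is not None and index is not None:
        raise ValueError("AuthnRequest must not carry both an ACS URL and an ACS index")

    if url is not None:
        # Exact string comparison: prefix or host-only matching would let a request
        # steer the assertion to a location the partner never registered.
        for acs in endpoints:
            if acs.location == url and (binding is None or acs.binding == binding):
                return acs
        raise ValueError(f"ACS URL {url!r} is not registered for {entity_id}")

    if index is not None:
        for acs in endpoints:
            if acs.index == int(index):
                return acs
        raise ValueError(f"ACS index {index} is not registered for {entity_id}")

    # Neither given: use the endpoint marked isDefault, else the first one listed.
    defaults = [acs for acs in endpoints if acs.is_default] or endpoints
    return defaults[0]


def authn_request(issuer: str, **attrs: str) -> str:
    """Build a minimal, unsigned AuthnRequest (constructed input for the demonstration)."""
    extra = "".join(f' {name}="{value}"' for name, value in attrs.items())
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{extra}>'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    sp_id, acs_list = load_sp_metadata(SP_METADATA)
    by_url = authn_request(sp_id, AssertionConsumerServiceURL="https://sp-eu.example.com/saml/acs",
                           ProtocolBinding=HTTP_POST)
    print("by URL:    ", select_acs(by_url, sp_id, acs_list))
    print("by default:", select_acs(authn_request(sp_id), sp_id, acs_list))
    try:
        select_acs(authn_request(sp_id, AssertionConsumerServiceURL="https://evil.example.net/acs"),
                   sp_id, acs_list)
    except ValueError as err:
        print("rejected:  ", err)
```

The script uses the standard library parser for brevity; when parsing metadata or requests received from a partner in a real deployment, use a hardened parser such as defusedxml, and verify the request signature before trusting any of its attributes.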
Select Federation
- Federation name: The name of the federation to which you are adding the partner.
Import metadata
- Metadata file: Name and path of the file obtained from the service provider partner that contains the partner's configuration information (its SAML 2.0 metadata).
Single sign-on settings
- Web Browser Single Sign-On profile: Details for the SAML 2.0 Web Browser Single Sign-On profile. Multiple profiles can be added. Record the binding type and URL for each profile that you are adding.
- Attributes in the SAML assertions: Attributes to include in the assertion. The source attributes must be created first.
- Include the following attribute types in the SAML assertions (a "*" means include all types): Types of attributes to include in the assertion. The asterisk (*), which is the default setting, includes all attribute types in the assertion.
- Time, in seconds, that an idle session for the partner remains valid: Idle session timeout for the partner. The default is 3600 seconds.
- Include federation ID when performing alias service operations: Whether the key for indexing into the alias service combines the federation ID with the partner Provider ID. This is useful where two or more federations that use persistent name identifiers import the same partner metadata, because the partner Provider ID alone then does not distinguish the federations.
SSL server validation for SOAP endpoints
- Select Server Validation Certificate: The certificate that the partner presents during SSL communication with its SOAP endpoints. You and the partner must agree which certificate to use. You must already have obtained the certificate and added it to your truststore.
- Certificate database: The database (truststore) where the certificate is stored.
- Certificate label: Name of the certificate to use for server validation. If no label is provided, every certificate in the specified certificate database is trusted; specify the label so that only the agreed certificate is accepted.
SSL Client Authentication for SOAP endpoints
- Client authentication information: The authentication that the partner's SOAP endpoints require from you. If the partner requires mutual authentication, you must know which type to use. Select No authentication if the partner does not require authentication. For basic authentication, you need a user name and password. For client certificate authentication, you need the certificate that you and the service provider partner agreed that you will present to the partner's server; agree with the partner where the certificate comes from, then obtain it and import it into the appropriate keystore.
Your value is one of the following:
- No authentication
- Basic authentication: user name and password
- Client certificate authentication: certificate database and certificate label of the certificate to present
Access Policy
- Enable access policy: Whether to enable an access policy for this partner. If you enable access policy, you must select one of the policies that you defined. If access policy is enabled on both the federation configuration and the partner configuration, the partner configuration takes effect.
Identity Mapping Options
- Identity mapping options: The type of identity mapping to use with this partner, one of the following:
- Use the identity mapping configured for this partner's federation.
- Use JavaScript transformation for identity mapping (overrides the federation's identity mapping for this partner).
- Use an external web service for identity mapping (overrides the federation's identity mapping for this partner).
If you choose JavaScript for mapping, a subsequent panel asks you to select the JavaScript mapping rule file to use. If you choose an external web service, a subsequent panel asks you to provide the following information:
- URI format (HTTP or HTTPS); prefer HTTPS, because the mapping request carries the user's identity attributes
- Web service URI
- Server certificate database (HTTPS only)
- Client authentication (HTTPS only)
- Message format: XML or WS-Trust
Message Extensions
- SAML Message Extension options, one of the following:
- No message extensions (default)
- Use JavaScript to add message extensions
- Use the federation configuration (partner only)
If you configure the federation with a message extension rule, the rule is invoked every time a SAML message is written, in order to gather any extensions that need to be included. The rule is invoked with context information about the federation and the partner, as well as the kind of message being sent. This context is available to the rule in the variable 'context'. For documentation on this object, see the on-box Javadoc for the class JSMessageExtensionContext.
If JavaScript extensions are enabled, a subsequent dialog lets you select the mapping rule. Traditional identity mapping rules with the category SAML_2_0 are filtered from the view, because identity mapping rules are not compatible with extension rules. A rule is available out of the box that contains information and examples.
After completing this worksheet, continue with the steps in Manage federation partners.
Parent topic: Obtain federation configuration data from the partner