SAML 2.0 service provider worksheet

If we are the service provider in the federation and use SAML 2.0, use this worksheet to record your configuration information.

Federation protocol
  • Federation name: The name to give this federation. The name must not contain any ASCII control characters or special characters except hyphen and underscore.
  • Protocol for this federation: Protocol to use in the federation. Your value: SAML 2.0

Template
  • Template: Choose Quick Connect to quickly set up an identity provider federation by using partner templates, which assist with establishing federations to well-known partners. Choose SAML 2.0 to use the full set of configuration options. The template cannot be changed after a federation is created. Your value: SAML 2.0

General information
  • Company name: The name of the company creating this provider.
  • Provider ID: A unique identifier that identifies the provider to its partner provider. Default is point_of_contact_server_URL/federation_name/saml20.
  • Role: Your role is either Identity Provider or Service Provider. An identity provider vouches for the identity of the end user: it authenticates the user and provides an authentication token to the service provider. A service provider provides a service to end users. In most cases, service providers do not authenticate users, but instead request authentication decisions from an identity provider. We cannot change the role after a federation is created. Your value: Service provider

Point of contact server
  • Point of contact server URL: The endpoint URL of the point of contact server. The point of contact server is a reverse proxy server configured in front of the runtime listening interfaces. The format is
    http[s]://hostname[:portnumber]/[junction]/sps

Profile selection
  • SAML 2.0 profile options: Profile for the federation. The Web Browser Single Sign-on profile is selected by default, and we cannot clear this selection. For information about profiles, see SAML profiles.

Single sign-on settings
  • Bindings: Choice of binding depends on the type of messages sent. For example, an authentication request message can be sent from a service provider to an identity provider. The response message can be sent from an identity provider to a service provider by using either HTTP POST or HTTP Artifact. A pair of partners in a federation does not need to use the same binding.
  • NameID format: Processing rules for the NameID value if the Format attribute is not set, or if it is set to one of:
    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • Enable ECP: Select this check box to enable the ECP profile.
  • Require signature on incoming SAML assertions: Require the partner to sign SAML assertions. You will validate the signature on the incoming SAML assertions.
  • Require outgoing SAML authentication requests to be signed: Require the partner to validate the signature on SAML authentication requests. You will sign the outgoing SAML authentication requests.

Name identifier management settings
  • Bindings:
    • HTTP Artifact
    • HTTP POST
    • HTTP Redirect
    • HTTP SOAP
    Choice of binding depends on the type of messages sent. A pair of partners in a federation does not need to use the same binding.
  • Message signatures: Select which outgoing SAML messages require a signature:
    • Name identifier management requests
    • Name identifier management responses
    Whether you will sign the outgoing SAML name identifier management requests and responses.

Single logout settings
  • Bindings:
    • HTTP Artifact
    • HTTP POST
    • HTTP Redirect
    • HTTP SOAP
    Choice of binding depends on the type of messages sent. A pair of partners in a federation does not need to use the same binding.
  • Message signatures: Select which outgoing SAML messages require a signature:
    • Single logout requests
    • Single logout responses
    Whether you will sign the outgoing SAML logout requests and responses.

Signatures
  • Certificate database: Select the database where the signing certificate is stored.
  • Certificate label: Name of the certificate to use for signing.
  • Include the following KeyInfo elements: Determine which KeyInfo elements to include in the digital signature for a SAML message or assertion.
    • X509 certificate data: Specify whether we want the BASE64 encoded certificate data to be included with your signature. The default action is to include the X.509 certificate data.
    • X509 Subject Name: Specify whether we want the subject name to be included with your signature. The default action is to exclude the X.509 subject name.
    • X509 Subject Key Identifier: Specify whether we want the X.509 subject key identifier to be included with your signature. The default action is to exclude the subject key identifier.
    • X509 Subject Issuer Details: Specify whether we want the issuer name and the certificate serial number to be included with your signature. The default action is to exclude the X.509 subject issuer details.
    • Public key: Specify whether we want the public key to be included with your signature. The default action is to exclude the public key.
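
The five KeyInfo options above map to standard XMLDSig elements. The following is an added example (not IBM code and not part of this worksheet) that reports which of those elements a received signature carries and pins the embedded certificate to the partner certificate the service provider has on file; the signature and certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Worksheet option -> element (relative to ds:KeyInfo) that carries it.
KEYINFO_OPTIONS = {
    "X509 certificate data": "X509Data/X509Certificate",
    "X509 Subject Name": "X509Data/X509SubjectName",
    "X509 Subject Key Identifier": "X509Data/X509SKI",
    "X509 Subject Issuer Details": "X509Data/X509IssuerSerial",
    "Public key": "KeyValue",
}

def _path(rel):
    """Turn 'A/B' into an ElementTree path qualified with the XMLDSig namespace."""
    return "/".join("{%s}%s" % (DS, step) for step in rel.split("/"))

def keyinfo_elements(signature_xml):
    """Return the set of worksheet options present in a ds:Signature's KeyInfo."""
    keyinfo = ET.fromstring(signature_xml).find(_path("KeyInfo"))
    if keyinfo is None:
        return set()
    return {name for name, rel in KEYINFO_OPTIONS.items()
            if keyinfo.find(_path(rel)) is not None}

def embedded_cert_matches_partner(signature_xml, partner_cert_b64):
    """True only when the certificate embedded in KeyInfo is the partner's
    configured certificate. KeyInfo is supplied by the sender, so it is a hint
    for key selection, never the trust anchor: verify the signature against the
    certificate on file and reject a message whose embedded certificate differs."""
    node = ET.fromstring(signature_xml).find(_path("KeyInfo/X509Data/X509Certificate"))
    if node is None or not node.text:
        return False
    return "".join(node.text.split()) == "".join(partner_cert_b64.split())

# Constructed sample: a signature carrying only the default X509 certificate data.
# The base64 strings are placeholders, not real certificate or signature bytes.
SAMPLE_SIGNATURE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo/>
  <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIBplaceholder+cert+data=</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo>
</ds:Signature>"""
```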

Encryption
  • Certificate database: Select the database where the encryption certificate is stored.
  • Certificate label: Name of the certificate to use for encryption.

Message settings
  • Message Lifetime in seconds: An integer value specifying the length of time, in seconds, that a message is valid. Default is 300.
  • Artifact Lifetime in seconds: The length of time, in seconds, that an artifact is considered valid. This field is only valid when the HTTP Artifact binding has been enabled. The default value is 120.
  • Session Timeout in seconds: The length of time, in seconds, the session remains valid. The default value is 7200.
  • Select which outgoing messages require a signature:
    • Artifact requests
    • Artifact responses
    Whether you will sign the outgoing SAML artifact requests and responses.
  • Message issuer format: Format attribute of the Issuer of the SAML message.
  • Message issuer name qualifier: Name qualifier attribute of the Issuer of the SAML message.
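
Added example, not from the worksheet or the product: a service-provider check that applies the Message Lifetime default (300 seconds) and the assertion Conditions to a received Response, and applies the NameID format rule from the single sign-on settings (a missing Format attribute is processed as unspecified). The sample response, issuer URL and timestamps are constructed; signature validation is assumed to have already happened.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
MESSAGE_LIFETIME = 300  # worksheet default, in seconds

def parse_utc(stamp):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, now, message_lifetime=MESSAGE_LIFETIME):
    """Return (accepted, reason, nameid_format, nameid_value).
    Assumes the response signature has already been validated."""
    root = ET.fromstring(xml_text)
    issued = parse_utc(root.get("IssueInstant"))
    # Message Lifetime: reject messages older than the window or from the future
    # (a production check would also allow a small clock-skew tolerance).
    if now < issued or now > issued + timedelta(seconds=message_lifetime):
        return False, "IssueInstant outside message lifetime", None, None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None, None
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_utc(cond.get("NotBefore")):
            return False, "assertion not yet valid", None, None
        if cond.get("NotOnOrAfter") and now >= parse_utc(cond.get("NotOnOrAfter")):
            return False, "assertion expired", None, None
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not nameid.text:
        return False, "no NameID", None, None
    # Worksheet rule: a missing Format attribute is processed as "unspecified".
    fmt = nameid.get("Format") or UNSPECIFIED
    return True, "ok", fmt, nameid.text.strip()

# Constructed sample response: unsigned and for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml20</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml20</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
```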

Identity mapping
  • Identity mapping options:
    • Use JavaScript transformation for identity mapping
    • Use an external web service for identity mapping
    If we configure an identity provider, this mapping specifies how to create an assertion containing attributes mapped from a local user account. If we configure a service provider, this mapping specifies how to match an assertion from the partner to the local user accounts. If we choose JavaScript for mapping, on a subsequent panel we are asked to select the JavaScript file to use. If we choose an external web service, on a subsequent panel we are asked to provide the following information:
    • URI format (HTTP or HTTPS)
    • Web service URI
    • Server certificate database (only when the URI format is HTTPS)
    • Client authentication type (only when the URI format is HTTPS)
    • Message format:
      • XML
      • WS-Trust

Message Extensions
  • SAML Message Extension options:
    • No message extensions (default)
    • Use JavaScript to add message extensions
    If we configure the federation with a message extension rule, every time a SAML message is written, the rule is invoked to gather any extensions that need to be included. The mapping rule is invoked with context information about the federation and partner, as well as the kind of message being sent. The mapping rule context is available in a variable named context. For documentation on this object, see the on-box Javadoc for the class JSMessageExtensionContext. If JavaScript extensions are enabled, a subsequent dialog allows selection of the mapping rule. Traditional identity mapping rules with the category SAML_2_0 are filtered from the view, as identity mapping rules are not compatible with extension rules. A rule that contains information and examples is available out of the box.

After completing the tables, continue with the instructions in Create and modify a federation.

Parent topic: Gather the federation configuration information