WS-Federation federation properties
To configure a WS-Federation federation, specify values for a set of properties. The properties in this list describe the inputs that we provide when we use the LMI wizard to configure a federation. Most properties are specified for both identity provider and service provider federations. The exceptions are listed below.
- Identity provider only
  - Time, in seconds, before the issue date that an assertion is considered valid
  - Time, in seconds, the assertion is valid before being issued
- Service provider only
  - Enable one-time assertion use enforcement
Federation properties
- Federation name: The name to give this federation. The name must not contain any ASCII control characters or special characters except hyphen and underscore.
- Select the protocol for this federation: WS-Federation.
- Select the template: Choose SharePoint to quickly set up an identity provider federation that works with partner templates, which assist with establishing federations to SharePoint partners. Choose WS-Federation to use the full set of configuration options.
- Company name: The name of the company creating this provider.
- Role: Your role is either Identity Provider or Service Provider. An identity provider vouches for the identity of the user: it authenticates the user and provides an authentication token to the service provider. A service provider provides a service to users. In most cases, service providers do not authenticate users, but instead request authentication decisions from an identity provider. We cannot change the role after a federation is created. When we use the SharePoint template, the Role field is not displayed because the Identity Provider role is set automatically. SharePoint deployments do not use Service Provider federations.
- Point of contact server URL: The endpoint URL of the point of contact server, which is a reverse proxy server configured in front of the runtime listening interfaces. The format is http[s]://hostname[:portnumber]/[junction]/sps, for example https://test.com/isam/sps. To view the reverse proxy configuration, see Reverse proxy instance management.
- Enable one-time assertion use enforcement: Service provider configuration only. Whether the assertion or token may be used only one time. We can select or clear this option.
- Time, in seconds, before the issue date that an assertion is considered valid: Identity provider configuration only. The default value is 300 seconds. No minimum or maximum is enforced.
- Time, in seconds, the assertion is valid before being issued: Identity provider configuration only. An integer value that specifies the number of seconds the assertion remains valid. The default is 300 seconds.
- Identity mapping: The identity mapping options are:
  - Do not perform identity mapping
  - Use JavaScript transformation for identity mapping
  - Use an external web service for identity mapping
The mapping specifies how to create an assertion containing attributes mapped from a local user account. If we configure a service provider, this mapping specifies how to match an assertion from the partner to the local user accounts. If we choose JavaScript for mapping, on a subsequent page, we are asked to select the JavaScript file to use. If we choose an external web service, on a subsequent page, we are asked to provide the following information:
- URI format (HTTP or HTTPS)
- Web service URI
- Server Certificate database (HTTPS)
- Client authentication type (HTTPS)
- Message format:
  - XML
  - WS-Trust
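The three timing and replay properties above (the two identity-provider-only time windows and the service-provider-only one-time-use switch) are easiest to understand as a pair of checks on either side of the federation. The following Python is an added illustration written for this page, not product code: it derives an assertion's validity bounds from the two identity provider properties using the page's 300-second defaults, and then shows a service provider applying the window check and a replay check. The assertion dictionary, the in-memory set of consumed assertion IDs and the issue instant are constructed for the example; a real service provider would also verify the token's signature and audience, and would keep the consumed-ID store shared across runtime instances and pruned as assertions expire.

```python
from datetime import datetime, timedelta, timezone

# Page defaults for the two identity-provider-only timing properties (300 s each).
DEFAULT_SECONDS_BEFORE_ISSUE = 300
DEFAULT_VALIDITY_SECONDS = 300


def validity_window(issue_instant, seconds_before_issue=DEFAULT_SECONDS_BEFORE_ISSUE,
                    validity_seconds=DEFAULT_VALIDITY_SECONDS):
    """Identity provider side: derive the assertion's validity bounds from the two properties.

    'seconds_before_issue' corresponds to "Time, in seconds, before the issue date that an
    assertion is considered valid" (tolerance for clock skew between the two parties);
    'validity_seconds' corresponds to "Time, in seconds, the assertion is valid before
    being issued" (the number of seconds the assertion remains valid after issue).
    """
    not_before = issue_instant - timedelta(seconds=seconds_before_issue)
    not_on_or_after = issue_instant + timedelta(seconds=validity_seconds)
    return not_before, not_on_or_after


class AssertionValidator:
    """Service provider side: enforce the validity window and, optionally, one-time use.

    The consumed-ID set is a hypothetical in-memory store used only for this example.
    """

    def __init__(self, one_time_use=False):
        # Mirrors the "Enable one-time assertion use enforcement" checkbox.
        self.one_time_use = one_time_use
        self._consumed_ids = set()

    def validate(self, assertion, now):
        """Return (accepted, reason) for a dict with keys id, not_before, not_on_or_after."""
        if now < assertion["not_before"]:
            return False, "not yet valid"
        if now >= assertion["not_on_or_after"]:
            return False, "expired"
        if self.one_time_use:
            if assertion["id"] in self._consumed_ids:
                return False, "replayed"
            # Record the ID only after every other check has passed, so a rejected
            # presentation does not block a later legitimate one within the window.
            self._consumed_ids.add(assertion["id"])
        return True, "accepted"


def demo():
    """Walk one constructed assertion through the checks; returns the reasons in order."""
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed issue instant
    not_before, not_on_or_after = validity_window(issued)
    assertion = {
        "id": "_constructed-assertion-1",  # constructed assertion ID
        "not_before": not_before,
        "not_on_or_after": not_on_or_after,
    }
    sp = AssertionValidator(one_time_use=True)
    return [
        sp.validate(assertion, issued - timedelta(seconds=301))[1],  # outside the skew window
        sp.validate(assertion, issued - timedelta(seconds=299))[1],  # within skew; first use
        sp.validate(assertion, issued + timedelta(seconds=10))[1],   # second presentation
        sp.validate(assertion, issued + timedelta(seconds=300))[1],  # exactly at NotOnOrAfter
    ]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the four outcomes in order: a presentation 301 seconds before issue is rejected as not yet valid, one at 299 seconds before issue is accepted because it falls inside the skew tolerance, the same assertion presented again is rejected as replayed because one-time use is enabled, and a presentation at exactly 300 seconds after issue is rejected as expired. The expiry check runs before the replay check so that the consumed-ID store never grows with assertions that were already outside their window.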
Parent topic: Create a WS-Federation federation