5.2 Configuring Federated Authentication

1. In the Administration Console, click Devices > Identity Servers > Brokering.

2. The Brokering tab allows you to create new Groups as well as display the configured Groups.The Display Brokering Groups page displays the list of groups configured.

   You can also create, delete, enable, and disable the brokering group on this page.

3. The Display Brokering Groups page displays the following information for each group:

   Group Name: Specifies a unique name to identify the group. When you click on the hyperlink, you can view the Group Details page, where the Group configuration such as name and list of Identity Providers and Service Providers can be modified.

   Enabled: A check mark indicates that brokering is enabled for the group by applying theconfigured rules. A blank means that brokering is disabled.

   Identity Providers: Display the total number of Liberty/SAML1.1/SAML2 IDPs assigned to this group.

   Service Providers: Display the total number of Liberty/SAML1.1/SAML2 SPs assigned to this group.

   Brokering Rules: If the rules are not configured, then “No Rules Config” is displayed. The default rule allows for brokering between any IDP to any SP in the group. If new rules are configured, then the first rule name is displayed along with the count of total rules.

1. In the Administration Console, click Devices > Identity Servers > Brokering or click Devices > Identity Servers > Edit > SAML 2.0 > Trusted Providers > > (Broker Identity under the Service Providers list) >Intersite Transfer Service.

2. ID: Specify the ID value of the target.

3. Target: Specify the URL of the page that you want to display to users when they authenticate with an Intersite Transfer URL.The behavior of this option is influenced by the Allow any target option. If you are using the target ID as part of the Intersite Transfer URL and did not specify a target in the URL, you need to specify the target in this field. For example, if you enter the target URL as it appears below, then it will be displayed when you select Allow Any Target option.

   https://login.company1.com:8443/nidp/saml2/idpsend?id=217ID&TARGET=https%3A%2F%2FSPBROKER1.labs.blr.novell.com%3A8443%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3Dhttps%3A%2F%2Flogin.partner2B.com%3A8443%2Fnidp%2Fsaml2%2Fmetadata%26TARGET%3Dhttps%3A%2F%2Fpartner2b.com 
   

4. Allow any Target: Select this option to use the target that was specified in the Intersite Transfer URL. If this option is not selected, the target value in the Intersite Transfer URL is ignored and you can see the URL specified in the Target option.

1. In the Administration Console, click Devices > Identity Servers > Shared Settings >Attribute Sets > Mapping >New. The Add Attribute Mapping window displays.

2. Select the local attribute name from the drop-down list

3. Enter the remote attribute name for the selected local attribute.

4. Click OK to add the remote attribute name. The newly added attribute displays in the Mapping list.

5. In the Administration Console, click Devices > Identity Servers > Edit > SAML 2.0 > Trusted Providers > (Broker Identity under the Identity Providers list) > Configuration > Attributes.

6. Select the role from drop-down list in the Attribute set.

7. Using the arrows map the attributes in the Send with Authentication and Available List.

8. Click Apply to map the set role and attribute of the origin Identity Provider.

1. In the Administration Console, click Devices > Identity Servers > Shared Settings >Attribute Sets > Mapping >New. The Add Attribute Mapping window displays.

2. Select the local attribute name from the drop-down list

3. Enter the remote attribute name for the selected local attribute.

4. Click OK to add the remote attribute name. The newly added attribute displays in the Mapping list.

5. In the Administration Console, click Devices > Identity Servers > Edit > SAML 2.0 > Service Providers > (Broker Identity under the Service Providers list) > Configuration > Attributes.

6. Select the role from drop-down list in the Attribute set.

7. Using the arrows map the attributes in the Send with Authentication and Available List.

8. Click Apply to map and set the attribute changes to the selected role of the target Identity Service Provider.

1. In the Administration Console, click Devices > Identity Servers > Shared Settings >Attribute Sets > Mapping >New. The Add Attribute Mapping window displays.

2. Select the local attribute name from the drop-down list

3. Enter the remote attribute name for the selected local attribute.

4. Click OK to add the remote attribute name. The newly added attribute displays in the Mapping list.

5. In the Administration Console, click Devices > Identity Servers > Brokering or click Devices > Identity Servers > Edit > SAML 2.0 > Service Providers > (Broker Identity under the Service Providers list) > Configuration > Attributes.

6. Select the role from drop-down list in Attribute set.

7. Using the arrows map the attributes in Send with Authentication and Available List.

8. Click Apply to set the role and configure the attribute mappings.

To configure user provisioning:

1. In the Administration Console, click Devices > Identity Servers > Servers > Edit > Liberty [or SAML 2.0] > [Identity Provider] > User Identification.

2. Click the Provisioning settings icon.

3. Select the required attributes from the Available Attributes list and move them to the Attributes list.

   Required attributes are those used in the creation of a user name, or that are required when creating the account.

4. Click Next.

5. Select optional attributes from the Available Attributes list and move them to the Attributes list.

   This step is similar to selecting required attributes. However, the user provisioning request creates the user account whether or not the optional attributes exist on the service provider.

6. Click Next.

7. Define how to create the username.

   You can specify whether users are prompted to create their own usernames or whether the system automatically creates usernames. Selecting an attribute for the username segments from the required attributes list improves the chances that a new username is successfully created.

   Maximum length: The maximum length of the user name. This value must be between 1 and 50.

   Prompt for user name: Enables users to create their own usernames.

   Automatically create user name: Specifies that the system creates usernames. You can configure the segments for the system to use when creating usernames and configure how the names are displayed.

   For example, if you are using the required attributes of Common First Name and Common Last Name, a username for Adam Smith might be generated as A.Smith_02, as shown in the following illustration:

   

   Use the following settings to specify how this is accomplished:

   • Segment 1: The required attribute to use as the first segment for the user name. The values displayed in this drop-down menu correspond to the required attributes you selected. For example, you might select Common First Name to use for Segment 1.

   • Length: The length of the first attribute segment. For example, if you selected Common First Name for the Segment 1 value, setting the length to 1 specifies that the system uses the first letter of the Common First Name attribute. Therefore, Adam Smith would be ASmith.

   • Junction: The type of junction to use between the attributes of the user name. If a period is selected, Adam Smith would display as A.Smith.

   • Segment 2: The required attribute to use as the second segment for the user name. The values displayed in this drop-down menu correspond to the required attributes you selected. For example, you might select Common Last Name to use for Segment 2.

   • Length: The length of the second attribute segment. For example, if you selected Common Last Name for the Segment 2 value, you might set the length to All, so that the full last name is displayed. However, the system does not allow more than 20 characters for the length of segment 2.

   • Ensure name is unique: Applies a suffix to the colliding name until a unique name is found, if using attributes causes a collision with an existing name. If no attributes are provided, or the lengths for them are 0, and this option is selected, the system creates a unique name.

8. Click Next.

9. Specify password settings.

   Use this page to specify whether to prompt the user for a password or to create a password automatically.

   Min. password length: The minimum length of the password.

   Max. password length: The maximum length of the password.

   Prompt for password: Prompts the user for a password.

   Automatically create password: Specifies whether to automatically create passwords.

10. Click Next.

11. Specify the user store and context in which to create the account.

    User Store: The user store in which to create the new user account.

    Context: The context in the user store you want accounts created.

    The system creates the user within a specific context; however, uniqueness is not guaranteed across the directory.

    Delete user provisioning accounts if federation is terminated: Specifies whether to automatically delete the provisioned user account at the service provider if the user terminates his or her federation between the identity provider and service provider.

12. Click Finish.

13. Click OK twice, then update the Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 2.0 > Profiles.

2. Configure the following fields for identity providers and identity consumers (service providers):

   Artifact Resolution: Specify whether to enable artifact resolution for the identity provider and identity consumer.

   The assertion consumer service at the service provider performs a back-channel exchange with the artifact resolution service at the identity provider. Artifacts are small data objects pointing to larger SAML protocol messages. They are designed to be embedded in URLs and conveyed in HTTP messages.

   Login: Specifies the communication channel to use when the user logs in. Select one or more of the following:

   • Post: A browser-based method used when the SAML requester and responder need to communicate using an HTTP user agent. This occurs, for example, when the communicating parties do not share a direct path of communication. You also use this when the responder requires user interaction in order to fulfill the request, such as when the user must authenticate to it.

   • Redirect: A browser-based method that uses HTTP 302 redirects or HTTP GET requests to communicate requests from this identity site to the service provider. SAML messages are transmitted within URL parameters.

   Single Logout: Specifies the communication channel to use when the user logs out. Select one or more of the following:

   • HTTP Post: A browser-based method used when the SAML requester and responder need to communicate by using an HTTP user agent. This occurs, for example, when the communicating parties do not share a direct path of communication. You also use this when the responder requires user interaction in order to fulfill the request, such as when the user must authenticate to it.

   • HTTP Redirect: A browser-based method that uses HTTP 302 redirects or HTTP GET requests to communicate requests from this identity site to the service provider. SAML messages are transmitted within URL parameters.

   • SOAP: Uses SOAP back channel over HTTP messaging to communicate requests from this identity provider to the service provider.

     NOTE:If Show logged out providers option is enabled with HTTP Post profile, logout request from service provider does not complete. This is due to the difference in the HTTP method used in the logout request. It is recommended to use HTTP Redirect method when Show logged out providers option is enabled.

   Name Management: Specifies the communication channel for sharing the common identifiers for a user between identity and service providers. When an identity provider has exchanged a persistent identifier for the user with a service provider, the providers share the common identifier for a length of time. When either the identity or service provider changes the format or value to identify the user, the system can ensure that the new format or value is properly transmitted. Select one or more of the following:

   • HTTP Post: A browser-based method used when the SAML requester and responder need to communicate using an HTTP user agent. This occurs, for example, when the communicating parties do not share a direct path of communication. You also use this when the responder requires user interaction in order to fulfill the request, such as when the user must authenticate to it.

   • HTTP Redirect: A browser-based method that uses HTTP 302 redirects or HTTP GET requests to communicate requests from this identity site to the service provider. SAML messages are transmitted within URL parameters.

   • SOAP: Uses SOAP back channel over HTTP messaging to communicate requests from this identity provider to the service provider.

3. Click OK, then update the Identity Server.

4. (Conditional) If you have set up trusted providers and have modified these profiles, the providers need to reimport the metadata from this Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol].

   For the protocol, click SAML 2.0.

2. Click New, then click Service Provider.

   NOTE:By default, the Provider Type > General is selected. You can configure an Identity Server to trust a service provider to establish federation with external service providers. For more information on pre-configured metadata for Google Applications, Office 365, and Salesforce.com, see Section 5.2.11, Configuring Authentication Through Federation for Specific Providers.

3. Select one of the following sources for the metadata:

   Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves protocol metadata by using the specified URL.

   Examples of metadata URLs for an Identity Server acting as a trusted provider with an IP address 10.1.1.1:

   • Liberty: http://10.1.1.1:8080/nidp/idff/metadata

   • Liberty: https://10.1.1.1:8443/nidp/idff/metadata

   • SAML 2.0: http://10.1.1.1:8080/nidp/saml2/metadata

   • SAML 2.0: https://10.1.1.1:8443/nidp/saml2/metadata

   • OIOSAML: http://10.1.1.1/nidp/saml2/metadata_oiosaml

   • OIOSAML: https://10.1.1.1/nidp/saml2/metadata_oiosaml

   The default values nidp and 8080 are established during product installation; nidp is the Tomcat application name. If you have set up SSL, you can use https and port 8443.

   If your Identity Server and Administration Console are on different machines, use HTTP to import the metadata. If you are required to use HTTPS with this configuration, you must import the trusted root certificate of the provider into the trust store of the Administration Console. You need to use the Java keytool to import the certificate into the cacerts file in the security directory of the Administration Console.

   Linux: /opt/novell/java/jre/lib/security

   Windows Server 2008: \Program Files (x86)\Novell\jre\lib\security

   If you do not want to use HTTP and you do not want to import a certificate into the Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP URL of the metadata. View the text from the source page, save the source metadata, then paste it into the Metadata Text option.

   Metadata Text: An editable field in which you can paste copied metadata text from an XML document, assuming you obtained the metadata via e-mail or disk and are not using a URL. If you copy metadata text from a Web browser, you must copy the text from the page source.

   Manual Entry: Allows you to enter metadata values manually. When you select this option, the system displays the page to enter the required details. See Editing a SAML 2.0 Service Provider’s Metadata.

   Metadata Repositories: Allows you to configure several identity and/or service providers using a multi-entity metadata file available in a central repository. For more information about creating Identity and/or Service Providers see, Creating Identity Providers and Service Providers.

4. In the Name option, specify a name by which you want to refer to the provider.

5. Click Next.

6. Review the metadata certificates and click Finish. The system displays the trusted provider on the protocol page.

7. Click OK, then update the Identity Server.

   The wizard allows you to configure the required options and relies upon the default settings for the other federation options. For information about how to configure the default settings and how to configure the other available options, see Section 3.9.4, Modifying a Trusted Provider.

1. Click on Devices > Identity Servers > Edit > > SAML2.0.

2. Click on configured service provider.

3. Go to Options > Step Up Authentication contracts and select the contracts from the Available contracts list.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 2.0 > [Service Provider] > Metadata.

   You can reimport the metadata (see Step 2) or edit it (see Step 3).

2. To reimport the metadata, click Reimport on the View page.

   Follow the on-screen instructions to complete the steps in the wizard.

3. To edit the metadata manually, click Edit.

4. Fill in the following fields:

   Provider ID: (Required) Specifies the SAML 2.0 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml2/metadata. Replace <dns> with the DNS name of the provider.

   In the metadata, this is the entityID value.

   Metadata expiration: Specifies the date upon which the metadata is no longer valid.

   Want assertion to be signed: Specifies that authentication assertions from the trusted provider must be signed.

   Artifact consumer URL: Specifies where the partner receives incoming SAML artifacts. For example, https://<dns>:8443/nidp/saml2/spassertion_consumer. Replace <dns> with the DNS name of the provider.

   In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.

   Post consumer URL: Specifies where the partner receives incoming SAML POST data. For example, https://<dns>:8443/nidp/saml2/spassertion_consumer. Replace <dns> with the DNS name of the provider.

   In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.

   Service Provider: Specifies the public key certificate used to sign SAML data. You can browse to locate the service provider certificate.

5. Click Finish.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 2.0 > [Identity Provider] > Authentication Card > Authentication Request.

2. Configure the name identifier format:

   Persistent: A persistent identifier federates the user profile on the identity provider with the user profile on the service provider. It remains intact between sessions.

   The persistent identifier is saved to the user data store and hides the user’s identity to prevent tracking of user activities across different relying parties.

   • After authentication: Specifies that the persistent identifier can be sent after the user has authenticated (logged in) to the service provider. When you set only this option, users must log in locally. Because the user is required to authenticate locally, you do not need to set up user identification.

   • During authentication: Specifies that the persistent identifier can be sent when the user selects the authentication card of the identity provider. Typically, a user is not authenticated at the service provider when this selection is made. When the identity provider sends a response to the service provider, the user needs to be identified on the service provider. If you enable this option, ensure that you configure a user identification method. See Selecting a User Identification Method for Liberty or SAML 2.0.

   Transient: Specifies that a transient identifier, which expires between sessions, can be sent.

   Unspecified: Allows either a persistent or a transient identifier to be sent.

3. Select one of the following options for the Requested By option:

   Do not specify: Specifies that the identity provider can send any type of authentication to satisfy a service provider’s request, and instructs a service provider to not send a request for a specific authentication type or contract.

   Use Types: Specifies that authentication types should be used.

   Select the type of comparison (for more information, see Understanding Comparison Contexts):

   • Exact: Indicates that the class or type specified in the authentication statement must be an exact match to at least one contract.

   • Minimum: Indicates that the contract must be as strong as the class or type specified in the authentication statement.

   • Better: Indicates the contract that must be stronger than the class or type specified in the authentication statement.

   • Maximum: Indicates that contract must as strong as possible without exceeding the strength of at least one of the authentication contexts specified.

   Select the types from the Available types field to specify which type to use for authentication between trusted service providers and identity providers. Standard types include Name/Password, X.509, Token, and so on.

   Use Contracts: Specifies that authentication contracts should be used.

   Select the type of comparison (for more information, see Understanding Comparison Contexts):

   • Exact: Indicates that the class or type specified in the authentication statement must be an exact match to at least one contract.

   • Minimum: Indicates that the contract must be as strong as the class or type specified in the authentication statement.

   • Better: Indicates the contract that must be stronger than the class or type specified in the authentication statement.

   • Maximum: Indicates that contract must as strong as possible without exceeding the strength of at least one of the authentication contexts specified.

   Select the contract from the Available contracts list. For a contract to appear in the Available contracts list, the contract must have the Satisfiable by External Provider option enabled. To use the contract for federated authentication, the contract’s URI must be the same on the identity provider and the service provider. For information about contract options, see Section 5.1.4, Configuring Authentication Contracts.

   Most third-party identity providers do not support contracts.

4. Configure the options:

   Response protocol binding: Select Artifact or Post or Let IDP Decide. Artifact and Post are the two methods for transmitting assertions between the authenticating system and the target system.

   If you select Let IDP Decide, the binding is selected based on the profile that is enabled at Identity Provider and the binding selected in the service provider.

   NOTE:The post binding can be configured to be sent as a compressed option. Perform the following steps to achieve this:

   1. Open the nidpconfig.properties file located in /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes.

   2. Modify the following:

      SAML2_POST_DEFLATE_TRUSTEDPROVIDERS: Enter trusted providerʹs name, metadata URI, or provider ID. You can specify multiple trusted providers in a comma separated format. These are the trusted providers who expect SAML2 POST messages in deflated format. In other words, this provider has to send deflated SAML2 POST messages to the listed trusted providers.

      IS_SAML2_POST_INFLATE: Specify True, if this provider will receive deflated SAML2 POST messages from its trusted providers.

   3. Restart the Identity Server by using this command: /etc/init.d/novell-idp restart.

   Allowable IDP proxy indirections: Specifies whether the trusted identity provider can proxy the authentication request to another identity provider. A value of None specifies that the trusted identity provider cannot redirect an authentication request. Values 1-5 determine the number of times the request can be proxied. Select Let IDP Decide to let the trusted identity provider decide how many times the request can be proxied

   Force authentication at Identity Provider: Specifies that the trusted identity provider must prompt users for authentication, even if they are already logged in.

   Use automatic introduction: Attempts single sign-on to this trusted identity provider by automatically sending a passive authentication request to the identity provider. (A passive requests does not prompt for credentials.) The identity provider sends one of the following authentication responses:

   • When the federated user is authenticated at the identity provider: The identity provider returns an authentication response indicating that the user is authenticated. The user gains access to the service provider without entering credentials (single sign-on).

   • When the federated user is not authenticated at the identity provider: The identity provider returns an authentication response indicating that the user is not logged in. The user can then select a card for authentication, including the card for the identity provider. If the user selects the identity provider card, an authentication request is sent to the identity provider. If the credentials are valid, the user is also authenticated to the service provider.

   IMPORTANT:Enable the Use automatic introduction option only when you are confident the identity provider will be up. If the server is down and does not respond to the authentication request, the user gets a page-cannot-be-displayed error. Local authentication is disabled because the browser is never redirected to the login page.

   This option should be enabled only when you know the identity provider is available 99.999% of the time or when the service provider is dependent upon this identity provider for authentication.

5. Click OK twice, then update the Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 2.0 > [Service Provider] > Authentication Response.

2. Select the binding method.

   If the request from the service provider does not specify a response binding, you need to specify a binding method to use in the response. Select Artifact to provide an increased level of security by using a back-channel means of communication between the two servers. Select Post to use HTTP redirection for the communication channel between the two servers. If you select Post, you might want to require the signing of the authentication requests. See Configuring the General Identity Provider Options.

   NOTE:The post binding can be configured to be sent as a compressed option. Perform the following steps to achieve this:

   1. Open the nidpconfig.properties file located in /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes.

   2. Modify the following:

      SAML2_POST_DEFLATE_TRUSTEDPROVIDERS: Enter trusted providerʹs name, metadata URI, or provider ID. You can specify multiple trusted providers in a comma separated format. These are the trusted providers who expect SAML2 POST messages in deflated format. In other words, this provider has to send deflated SAML2 POST messages to the listed trusted providers.

      IS_SAML2_POST_INFLATE: Specify True, if this provider will receive deflated SAML2 POST messages from its trusted providers.

   3. Restart the Identity Server by using this command: /etc/init.d/novell-idp restart.

3. Specify the identity formats that the Identity Server can send in its response. Select the box to choose one or more of the following:

   • Persistent: Specifies that a persistent identifier, which is written to the directory and remains intact between sessions, can be sent.

   • Transient: Specifies that a transient identifier, which expires between sessions, can be sent.

   • E-mail: Specifies that an e-mail attribute can be used as the identifier.

   • Kerberos: Specifies that a Kerberos token can be used as the identifier.

   • X509: Specifies that an X.509 certificate can be used as the identifier.

   • Unspecified: Specifies that an unspecified format can be used and any value can be used. The service provider and the identity provider need to agree on the value that is placed in this identifier.

4. Use the Default button to select the name identifier that the Identity Server should send if the service provider does not specify a format.

   If you select E-mail, Kerberos, x509, or unspecified as the default format, you should also select a value. See Step 5.

   IMPORTANT:If you have configured the identity provider to allow a user matching expression to fail and still allow authentication by selecting the Do nothing option, you need to select Transient identifier format as the default value. Otherwise the users who fail the matching expression are denied access. To view the identity provider configuration, see Defining User Identification for Liberty and SAML 2.0.

5. Specify the value for the name identifier.

   The persistent and transient formats are generated automatically. For the others, you can select an attribute. The available attributes depend upon the attributes that you have selected to send with authentication (see Configuring the Attributes Obtained at Authentication). If you do not select a value for the E-mail, Kerberos, X509, or Unspecified format, a unique value is automatically generated.

6. To specify that this Identity Server must authenticate the user, disable the Use proxied requests option. When the option is disabled and the Identity Server cannot authenticate the user, the user is denied access.

   When this option is enabled, the Identity Server checks to see if other identity providers can satisfy the request. If one or more can, the user is allowed to select which identity provider performs the authentication. If a proxied identity provider performs the authentication, it sends the response to the Identity Server. The Identity Server then sends the response to the service provider.

7. When the Include the Session Timeout attribute in the assertion option is enabled, the Identity Server sends the Identity Server session time out value to the service provider in the assertion.

8. You can manually set the assertion validity time for the SAML service provider in the Assertion Validity field to accommodate clock skew between the service provider and SAML Identity Server (IDP).

9. Click OK twice, then update the Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Servers > Edit > Liberty or SAML 2.0 > Identity Provider > Options.

2. Click New > Add Properties, then specify the following values:

   Property Name: Specify config.aselect.sessionsync.enabled

   Property Value: Specify true.

3. For session synchronization, add two options, one to enable the session synchronization and the other to provide the URL to which synchronization message should be sent.

   The session synchronization message is sent from the Access Manager Service Provider to the A-Select Identity Provider, in tandem with the Access Gateway ESP's activity update. The session synchronization message is sent only if the user session is active at the Access Gateway portal, which is the ESP to the Access Manager Service Provider. If you log in directly to the Access Manager Service Provider, even if the session is active, the session synchronization message is not sent to the A-Select Identity Provider.

4. Click OK, then update the Identity Server.

1. Open the web.xml file located at:

   Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF/

   Windows Server 2008: \Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF/

2. Add the following lines to the file:

           <context-param>
                   <param-name>notifysessionTimetoIDP</param-name>
                   <param-value>true</param-value>
           </context-param>
   

   ESP will send a ESP session timeout message then on timeout, the service provider will send a samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol request to the remote Identity provider.

3. Save the file, then copy it to each Identity Server in the cluster.

4. Restart Tomcat on each Identity Server in the cluster using the following command:

   Linux: Enter the following command:

   /etc/init.d/novell-idp restart

   Windows: Enter the following commands:

   net stop Tomcat7

   net start Tomcat7

1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol] > [Identity Provider] > Authentication Card.

2. Modify the values in one or more of the following fields:

   ID: If you have need to reference this card outside of the user interface, specify an alphanumeric value here. If you do not assign a value, the Identity Server creates one for its internal use. The internal value is not persistent. Whenever the Identity Server is rebooted, it can change. A specified value is persistent.

   Text: Specify the text that is displayed on the card to the user. This value, in combination with the image, should identify to the users, which provider they are logging into.

   Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click <Select local image>.

   Show Card: Determine whether the card is shown to the user, which allows the user to select and use the card for authentication. If this option is not selected, the card is only used when a service provider makes a request for the card.

   NOTE:Do not disable the Show Card option for default contracts.

   Passive Authentication Only: Select this option if you do not want the Identity Server to prompt the user for credentials. If the Identity Server can fulfill the authentication request without any user interaction, the authentication succeeds. Otherwise, it fails.

   Satisfies Contract: Select the required contracts from the Available contracts list and move them to the Satisfies contract list. This creates a mapping between external provider class reference to local authentication contracts.

3. Click OK twice, then update the Identity Server.

1. To create multiple service providers from the same identity provider metadata, manually modify the identity provider's metadata's entityID for each service provider. You can import the metadata text that was edited into the Access Manager configuration to create service providers with different entity IDs.

   For more information about how to create a SAML 2.0 service provider, see Creating a Trusted Service Provider for SAML 2.0.

2. In the Administration Console of the SAML 2.0 identity provider, click Devices > Identity Servers > Servers > Edit > SAML 2.0 > Service Provider > Options.

3. Set the SAML2_AVOID_AUDIENCE_RESTRICTION property to true. Setting this property to true avoids audience restriction in the SAML 2.0 assertion.

4. To avoid the spnamequalifier attribute in nameidentifier of the assertion, do the following:

   1. Go to Access Manager Identity Server of the SAML 2.0 service provider and open the nidpconfig.properties file.

      Linux: /opt/novell/nids/lib/webapp/WEB-INF/classes/nidpconfig.properties

      Windows: Novell\Tomcat\webapps\nidp\WEB-INF\classes\nidpconfig.properties

   2. Add the following:

      SAML2_AVOID_SPNAMEQUALIFIER_TO = <entityID of the service provider>->true

      For example, if you have configured three service provider and you want to avoid sending assertion to the service provider with entity ID "https://<service provider host>:<port>/nidp/saml2/metadata/spnameidentifier2" then add the following entry:

      SAML2_AVOID_SPNAMEQUALIFIER_TO = https://< service provider host>:<port>/nidp/saml2/metadata/spnameidentifier1->true,https://< service provider host>:<port>/nidp/saml2/metadata/spnameidentifier2->true,https://< service provider host>:<port>/nidp/saml2/metadata/spnameidentifier3->true

5. Restart the Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > Profiles.

2. Configure the following fields:

   Login: Specifies the communication channel when the user logs in. Select one or more of these methods for the identity provider and the identity consumer:

   • The Artifact binding provides an increased level of security by using the back channel for communication between the two servers during authentication.

   • The Post method uses HTTP redirection to accomplish communication between servers.

     The Post method is enabled by default and you are not able to modify the default settings.The Post profile creates a metadata that includes only a Post binding on the Service Provider. If you have the default setup, then always both Artifact and Post options are enabled. If both the options are enabled, then by default Artifact binding is used. If Artifcact binding is disabled or removed, only Post method is used.

   Source ID: Displays the hexadecimal ID generated by the Identity Server for the SAML 1.1 service provider. This is a required value when establishing trust with a service provider.

3. Click OK, then update the Identity Server.

4. (Conditional) If you have set up trusted providers and have modified the profile, these providers need to reimport the metadata from this Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1.

2. Click New, then click Service Provider.

3. In the Name option, specify a name by which you want to refer to the provider.

4. Select one of the following sources for the metadata:

   Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves protocol metadata using the specified URL. Examples of metadata URLs for an Identity Server acting as a service provider with an IP address of 10.1.1.1:

   http://10.1.1.1:8080/nidp/saml/metadata
   https://10.1.1.1:8443/nidp/saml/metadata
   

   The default values nidp and 8080 are established during product installation; nidp is the Tomcat application name. If you have set up SSL, you can use https and port 8443.

   If your Identity Server and Administration Console are on different machines, use HTTP to import the metadata. If you are required to use HTTPS with this configuration, you must import the trusted root certificate of the provider into the trust store of the Administration Console. You need to use the Java keytool to import the certificate into the cacerts file in the security directory of the Administration Console.

   Linux: /opt/novell/java/jre/lib/security

   Windows Server 2008: \Program Files (x86)\Novell\jre\lib\security

   If you do not want to use HTTP and you do not want to import a certificate into the Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP URL of the metadata. View the text from the source page, save the source metadata, then paste it into the Metadata Text option.

   Metadata Text: Paste the copied metadata text from an XML document, assuming you obtained the metadata via e-mail or disk and are not using a URL. If you copy metadata text from a Web browser, you must copy the text from the page source.

   Manual Entry: Allows you to enter metadata values manually. When you select this option, the system displays the Enter Metadata Values page. See Editing a SAML 1.1 Service Provider’s Metadata.

   Metadata Repositories: Allows you to configure several identity and/or service providers using a multi-entity metadata file available in a central repository. For more information about creating Identity and/or Service Providers see, Creating Identity Providers and Service Providers.

5. Click Next.

6. Review the metadata certificates, then click Finish.

7. Click OK, then update the Identity Server.

   The wizard allows you to configure the required options and relies upon the default settings for the other options. For information about how to configure the default settings and how to configure the other available options, see Section 3.9.4, Modifying a Trusted Provider.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > Metadata.

   You can reimport the metadata (see Step 2) or edit it (see Step 4).

2. To reimport the metadata from a URL or text, click Reimport on the View page.

   The system displays the Create Trusted Identity Provider Wizard that lets you obtain the metadata. Follow the on-screen instructions to complete the steps in the wizard.

3. Select either Metadata URL or Metadata Text, then fill in the field for the metadata.

4. To edit the metadata manually, click Edit.

5. Fill in the following fields as necessary:

   Supported Version: Specifies the version of SAML that you want to use. You can select SAML 1.0, SAML 1.1, or both SAML 1.0 and SAML 1.1.

   Provider ID: (Required) The SAML 1.1 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml/metadata. Replace <dns> with the DNS name of the provider.

   In the metadata, this is the entityID value.

   Source ID: The SAML Source ID for the trusted provider. The Source ID is a 20-byte value that is used as part of the Browser/Artifact profile. It allows the receiving site to determine the source of received SAML artifacts. If none is specified, the Source ID is auto-generated by using a SHA-1 hash of the site provider ID.

   Metadata expiration: The date upon which the metadata is no longer valid.

   SAML attribute query URL: The URL location where an attribute query is to be sent to the partner. The attribute query requests a set of attributes associated with a specific object. A successful response contains assertions that contain attribute statements about the subject. A SAML 1.1 provider might use the base URL, followed by /saml/soap. For example, https://<dns>:8443/nidp/saml/soap. Replace <dns> with the DNS name of the provider.

   In the metadata, this URL value is found in the AttributeService section of the metadata.

   Artifact resolution URL: The URL location where artifact resolution queries are sent. A SAML artifact is included in the URL query string. The target URL on the destination site the user wants to access is also included on the query string. A SAML 1.1 provider might use the base URL, followed by /saml/soap. For example, https://<dns>:8443/nidp/saml/soap. Replace <dns> with the DNS name of the provider.

   In the metadata, this URL value is found in the ArtifactResolutionService section of the metadata.

6. To specify signing certificate settings, fill in the followi

   ng fields:

   Attribute authority: Specifies the signing certificate of the partner SAML 1.1 attribute authority. The attribute authority relies on the identity provider to provide it with authentication information so that it can retrieve attributes for the appropriate entity or user. The attribute authority must know that the entity requesting the attribute has been authenticated to the system.

   Identity provider: (Required) Appears if you are editing identity provider metadata. This field specifies the signing certificate of the partner SAML 1.1 identity provider. It is the certificate the partner uses to sign authentication assertions.

7. Click OK.

8. On the Identity Servers page, click Update All to update the configuration.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Service Provider] > Metadata.

   You can reimport the metadata (see Step 2) or edit it (see Step 3).

2. To reimport the metadata, click Reimport on the View page.

   Follow the on-screen instructions to complete the steps in the wizard.

3. To edit the metadata manually, click Edit.

4. Fill in the following fields:

   Supported Version: Specifies which version of SAML that you want to use. You can select SAML 1.0, SAML 1.1, or both SAML 1.0 and SAML 1.1.

   Provider ID: (Required) Specifies the SAML 1.1 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml/metadata. Replace <dns> with the DNS name of the provider.

   In the metadata, this is the entityID value.

   Metadata expiration: Specifies the date upon which the metadata is no longer valid.

   Want assertion to be signed: Specifies that authentication assertions from the trusted provider must be signed.

   Artifact consumer URL: Specifies where the partner receives incoming SAML artifacts. For example, https://<dns>:8443/nidp/saml/spassertion_consumer. Replace <dns> with the DNS name of the provider.

   In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.

   Post consumer URL: Specifies where the partner receives incoming SAML POST data. For example, https://<dns>:8443/nidp/saml/spassertion_consumer. Replace <dns> with the DNS name of the provider.

   In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.

   Service Provider: Specifies the public key certificate used to sign SAML data. You can browse to locate the service provider certificate.

5. Click Finish.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Service Provider] > Authentication Response.

2. To specify a name identifier format, select one of the following:

   • E-mail: Specifies that an e-mail attribute can be used as the identifier.

   • X509: Specifies that an X.509 certificate can be used as the identifier.

   • Unspecified: Specifies that an unspecified format can be used and any value can be used. The service provider and the identity provider need to agree on what value is placed in this identifier.

3. To specify the format of the name identifier, select an attribute.

   The available attributes depend upon the attributes that you have selected to send with authentication (see the Attributes page for the service provider).

4. To configure an audience, click New.

5. Specify the SAML Audience URL value.

   The Provider ID, which can be used for the audience, is displayed on the Edit page for the metadata.

6. You can manually set the assertion validity time for the SAML service provider in the Assertion Validity field to accommodate clock skew between the service provider and SAML Identity Server (IDP).

7. Click OK twice, then update the Identity Server.

1. In Administration Console, click Devices > Identity Servers > Servers > Edit > SAML 1.1 > Service Provider > Options.

2. Select the required step up authentication contracts from the Available Contracts list and move them to the Selected Contracts list. These selected contracts will be used to provide the step up authentication for the service provider.

3. Click OK.

1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > Authentication Card.

2. Modify the values in one or more of the following fields:

   ID: If you have need to reference this card outside of the user interface, specify an alphanumeric value here. If you do not assign a value, the Identity Server creates one for its internal use. The internal value is not persistent. Whenever the Identity Server is rebooted, it can change. A specified value is persistent.

   Text: Specify the text that is displayed on the card to the user. This value, in combination with the image, should identify to the users, which provider they are logging into.

   Login URL: Specify an Intersite Transfer Service URL.The URL has the following format, where idp.sitea.novell.com is the DNS name of the identity provider, idp.siteb.novell.com is the name of the service provider, and idp.siteb.novell.com:8443/nidp/app specifies the URL that you want to users to access after a successful login.

   NOTE:The PID in the login URL must exactly match the entity ID specified in the metadata.

   https://idp.sitea.novell.com:8443/nidp/saml/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/saml/metadata&TARGET=https://idp.siteb.novell.com:8443/nidp/app
   

   For more information, see Specifying the Intersite Transfer Service URL for the Login URL Option.

   If your identity provider is a NetIQ Identity Server and you know the ID specified for the target, you can use the following simplified format for the Login URL:

   <URL for site a>?id=<ID of target>
   

   https://idp.sitea.novell.com:8443/nidp/saml/idpsend?id=206test
   

   The target and the target ID are specified in the service provider configuration at the identity provider. See Configuring an Intersite Transfer Service Target for a Service Provider.

   Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click <Select local image>.

   Show Card: Determine whether the card is shown to the user, which allows the user to select and use the card for authentication. If this option is not selected, the card is only used when a service provider makes a request for the card.

3. Click OK twice, then update the Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty > Profiles.

2. Configure the following fields for identity providers and service providers:

   Login: Specifies whether to support Artifact or Post binding for login. Select one or more of the following for the identity provider and the service provider:

   • The Artifact binding provides an increased level of security by using a back channel means of communication between the two servers during authentication.

   • The Post method uses HTTP redirection to accomplish communication between the servers.

   Single Logout: Specifies the communication method to use when the user logs out. Typically, you select both of these options, which enables the identity provider or service provider to accept both HTTP and SOAP requests. SOAP is used if both options are selected, or if the service provider has not specified a preference.

   • HTTP: Uses HTTP 302 redirects or HTTP GET requests to communicate logout requests from this identity site to the service provider.

   • SOAP: Uses SOAP over HTTP messaging to communicate logout requests from this identity provider to the service provider.

   Federation Termination: Specifies the communication channel to use when the user selects to defederate an account. Typically, you select both of these options, which enables the identity provider or service provider to accept both HTTP and SOAP requests. SOAP is the default setting if the service provider has not specified a preference.

   • HTTP: Uses HTTP 302 redirects to communicate federation termination requests from this server.

   • SOAP: Uses SOAP back channel over HTTP messaging to communicate logout requests from this server

   Register Name: Specifies the communication channel to use when the provider supplies a different name to register for the user. Typically, you select both of these options, which enables the identity provider or service provider to accept both HTTP and SOAP requests. SOAP is the default setting if the service provider has not specified a preference.

   • HTTP: Uses HTTP 302 redirects to communicate federation termination requests from this server.

   • SOAP: Uses SOAP back channel over HTTP messaging to communicate logout requests from this server.

3. Click OK, then update the Identity Server.

4. (Conditional) If you have set up trusted providers and have modified the profile, these providers need to reimport the metadata from this Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty.

2. Click New, then click Service Provider.

3. In the Name option, specify a name by which you want to refer to the provider.

4. Select one of the following sources for the metadata:

   Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves protocol metadata using the specified URL. Examples of metadata URLs for an Identity Server acting as a service provider with an IP address of 10.1.1.1:

   http://10.1.1.1:8080/nidp/saml/metadata
   https://10.1.1.1:8443/nidp/saml/metadata
   

   The default values nidp and 8080 are established during product installation; nidp is the Tomcat application name. If you have set up SSL, you can use https and port 8443.

   If your Identity Server and Administration Console are on different machines, use HTTP to import the metadata. If you are required to use HTTPS with this configuration, you must import the trusted root certificate of the provider into the trust store of the Administration Console. You need to use the Java keytool to import the certificate into the cacerts file in the security directory of the Administration Console.

   Linux: /opt/novell/java/jre/lib/security

   Windows Server 2008: \Program Files (x86)\Novell\jre\lib\security

   If you do not want to use HTTP and you do not want to import a certificate into the Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP URL of the metadata. View the text from the source page, save the source metadata, then paste it into the Metadata Text option.

   Metadata Text: Paste the copied metadata text from an XML document, assuming you obtained the metadata via e-mail or disk and are not using a URL. If you copy metadata text from a Web browser, you must copy the text from the page source.

   Manual Entry: Allows you to enter metadata values manually. When you select this option, the system displays the Enter Metadata Values page. See Editing a SAML 1.1 Service Provider’s Metadata.

   Metadata Repositories: Allows you to configure several identity and/or service providers using a multi-entity metadata file available in a central repository. For more information about creating Identity and/or Service Providers see, Creating Identity Providers and Service Providers.

5. Click Next.

6. Review the metadata certificates, then click Finish.

7. Click OK, then update the Identity Server.

   The wizard allows you to configure the required options and relies upon the default settings for the other options. For information about how to configure the default settings and how to configure the other available options, see Section 3.9.4, Modifying a Trusted Provider.

1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol].

   For the protocol, select either Liberty or SAML 1.1.

2. Click the name of a provider.

3. On the Trust page, fill in the following field:

   Name: Specify the display name for this trusted provider. The default name is the name you entered when creating the trusted provider.

   For an Embedded Service Provider, the Name option is the only available option on the Trust page.

   The Security section specifies how to validate messages received from trusted providers over the SOAP back channel. Both the identity provider and the service provider in the trusted relationship must be configured to use the same security method.

4. Select one of the following security methods:

   Message Signing: Relies upon message signing using a digital signature.

   Mutual SSL: Specifies that this trusted provider provides a digital certificate (mutual SSL) when it sends a SOAP message.

   SSL communication requires only the client to trust the server. For mutual SSL, the server must also trust the client. For the client to trust the server, the server’s certificate authority (CA) certificate must be imported into the client trust store. For the server to trust the client, the client’s CA certificate must be imported into the server trust store.

   Basic Authentication: Specifies standard header-based authentication. This method assumes that a name and password for authentication are sent and received over the SOAP back channel.

   • Send: The name and password to be sent for authentication to the trusted partner. The partner expects this password for all SOAP back-channel requests, which means that the name and password must be agreed upon.

   • Verify: The name and password used to verify data that the trusted provider sends.

5. Click OK twice.

6. Update the Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty > [Identity Provider] > Authentication Card > Authentication Request.

2. Configure the federation options:

   Allow Federation: Determines whether federation is allowed. The federation options that control when and how federation occurs can only be configured if the identity provider has been configured to allow federation.

   • After authentication: Specifies that the federation request can be sent after the user has authenticated (logged in) to the service provider. When you set only this option, users must log in locally, then they can federate by using the Federate option on the card in the Login page of the Access Manager User Portal. Because the user is required to authenticate locally, you do not need to set up user identification.

   • During authentication: Specifies whether federation can occur when the user selects the authentication card of the identity provider. Typically, a user is not authenticated at the service provider when this selection is made. When the identity provider sends a response to the service provider, the user needs to be identified on the service provider to complete the federation. If you enable this option, ensure that you configure a user identification method. See Selecting a User Identification Method for Liberty or SAML 2.0.

3. Select one of the following options for the Requested By option:

   Do not specify: Specifies that the identity provider can send any type of authentication to satisfy a service provider’s request, and instructs a service provider to not send a request for a specific authentication type or contract.

   Use Types: Specifies that authentication types should be used.

   Select the types from the Available types field to specify which type to use for authentication between trusted service providers and identity providers. Standard types include Name/Password, Secure Name/Password, X509, Token, and so on.

   Use Contracts: Specifies that authentication contracts should be used.

   Select the contract from the Available contracts list. For a contract to appear in the Available contracts list, the contract must have the Satisfiable by External Provider option enabled. To use the contract for federated authentication, the contract’s URI must be the same on the identity provider and the service provider. For information about contract options, see Section 5.1.4, Configuring Authentication Contracts.

   Most third-party identity providers do not use contracts.

4. Configure the options:

   Response protocol binding: Select Artifact or Post or None. Artifact and Post are the two methods for transmitting assertions between the authenticating system and the target system.

   If you select None, you are letting the identity provider determine the binding.

   Identity Provider proxy redirects: Specifies whether the trusted identity provider can proxy the authentication request to another identity provider. A value of None specifies that the trusted identity provider cannot redirect an authentication request. Values 1-5 determine the number of times the request can be proxied. Select Configured on IDP to let the trusted identity provider decide how many times the request can be proxied.

   Force authentication at Identity Provider: Specifies that the trusted identity provider must prompt users for authentication, even if they are already logged in.

   Use automatic introduction: Attempts single sign-on to this trusted identity provider by automatically sending a passive authentication request to the identity provider. (A passive requests does not prompt for credentials.) The identity provider sends one of the following authentication responses:

   • When the federated user is authenticated at the identity provider: The identity provider returns an authentication response indicating that the user is authenticated. The user gains access to the service provider without entering credentials (single sign-on).

   • When the federated user is not authenticated at the identity provider: The identity provider returns an authentication response indicating that the user is not logged in. The user can then select a card for authentication, including the card for the identity provider. If the user selects the identity provider card, an authentication request is sent to the identity provider. If the credentials are valid, the user is also authenticated to the service provider.

   IMPORTANT:Enable the Use automatic introduction option only when you are confident the identity provider will be up. If the server is down and does not respond to the authentication request, the user gets a page-cannot-be-displayed error. Local authentication is disabled because the browser is never redirected to the login page.

   This option should be enabled only when you know the identity provider is available 99.999% of the time or when the service provider is dependent upon this identity provider for authentication.

5. Click OK twice, then update the Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty > [Service Provider] > Authentication Response.

2. Select the binding method.

   If the request from the service provider does not specify a response binding, you need to specify a binding method to use in the response. Select Artifact to provide an increased level of security by using a back-channel means of communication between the two servers. Select Post to use HTTP redirection for the communication channel between the two servers. If you select Post, you might want to require the signing of the authentication requests. See Configuring the General Identity Provider Options.

3. Specify the identity formats that the Identity Server can send in its response. Select the Use box to choose one or more of the following:

   • Persistent Identifier Format: Specifies a persistent identifier that federates the user profile on the identity provider with the user profile on the service provider. It remains intact between sessions.

   • Transient Identifier Format: Specifies that a transient identifier, which expires between sessions, can be sent.

   If the request from the service provider requests a format that is not enabled, the user cannot authenticate.

4. Use the Default button to specify whether a persistent or transient identifier is sent when the request from the service provider does not specify a format.

5. To specify that this Identity Server must authenticate the user, disable the Use proxied requests option. When the option is disabled and the Identity Server cannot authenticate the user, the user is denied access.

   When this option is enabled, the Identity Server checks to see if other identity providers can satisfy the request. If one or more can, the user is allowed to select which identity provider performs the authentication. If a proxied identity provider performs the authentication, it sends the response to the Identity Server. The Identity Server then sends the response to the service provider.

6. Enable the Provide Discovery Services option if you want to allow the service provider to query the Identity Server for a list of its Web Services. For example, when the option is enabled, the service provider can determine whether the Web Services Framework is enabled and which Web Service Provider profiles are enabled.

7. Click OK twice, then update the Identity Server.

1. In Administration Console, click Devices > Identity Servers > Servers > Edit > Liberty or SAML 2.0 > Identity Provider > Options.

2. Enable Front Channel Logout: After this option is enabled, Service Provider initiates a logout at the Identity Provider by using the HTTP Redirect method.

3. Configure Front Channel Logout for Access Gateway Initiated Logout: In addition to enabling the front channel logout, add the following parameters at the NESP web.xml and restart tomcat:

   Add the following parameters in the web.xml below the ldapLoadThreshold context param:

   <context-param> <param-name>forceESPSLOHTTP</param-name> <param-value>true</param-value> </context-param>

   To restart tomcat:

   Linux: Enter the following command:/etc/init.d/novell-idp restart

   Windows: Enter the following commands:net stop Tomcat7net start Tomcat7

1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty > Web Service Framework.

2. Fill in the following fields:

   Enable Framework: Enables Web Services Framework.

   Axis SOAP Engine Settings: Axis is the SOAP engine that handles all Web service requests and responses. Web services are deployed using XML-based files known as Web service deployment descriptors (WSDD). On startup, Access Manager automatically creates the server-side and client-side configuration for Axis to handle all enabled Web services.

   If you need to override this default configuration, use the Axis Server Configuration WSDD XML field and the Axis Client Configuration WSDD XML field to enter valid WSDD XML. If either or both of these controls contain valid XML, then Access Manager does not automatically create the configuration (server or client) on startup.

3. Click OK.

1. In the Administration Console click Identity Servers > Edit > Liberty > Web Service Provider.

2. Select one of the following actions

   New: To create a new Web service, click New. This activates the Create Web Service Wizard. You can create a new profile only if you have deleted one.

   Delete: To delete an existing profile, select the profile, then click Delete.

   Enable: To enable a profile, select the profile, then click Enable.

   Disable: To disable a profile, select the profile, then click Disable.

   Edit a Policy: To edit the policy associated with a profile, click the Policy link. For configuration information, see Editing Web Service Policies.

   Edit a profile: To edit a profile, click the name of a profile. For information about configuring the details, see Modifying Service and Profile Details for Employee, Custom, and Personal Profiles and Modifying Details for Authentication, Discovery, LDAP, and User Interaction Profiles.

   For information about modifying the description, see Editing Web Service Descriptions.

   The Identity Server comes with the following Web service profile types:

   Authentication Profile: Allows the system to access the roles and authentication contracts in use by current authentications. This profile is enabled by default so that Embedded Service Providers can evaluate roles in policies. This profile can be disabled. When it is disabled, all devices assigned to use this Identity Server cluster configuration cannot determine which roles a user has been assigned, and the devices evaluate policies as if the user has no roles.

   WARNING:Do not delete this profile. In normal circumstances, this profile is used only by the system.

   Credential Profile: Allows users to define information to keep secret. It uses encryption to store the data in the directory the user profile resides in.

   Custom Profile: Used to create custom attributes for general use.

   Discovery: Allows requesters to discover where the resources they need are located. Entities can place resource offerings in a discovery resource, allowing other entities to discover them. Resources might be a personal profile, a calendar, travel preferences, and so on.

   Employee Profile: Allows you to manage employment-related information and how the information is shared with others. A company address book that provides names, phones, office locations, and so on, is an example of an employee profile.

   LDAP Profile: Allows you to use LDAP attributes for and general use.

   Personal Profile: Allows you to manage personal information and to determine how to share that information with others. A shopping portal that manages the user’s account number is an example of a personal profile.

   User Interaction: Allows you to set up a trusted user interaction service, used for identity services that must interact with the resource owner to get information or permission to share data with another Web service consumer. This profile enables a Web service consumer and Web service provider to cooperate in redirecting the resource owner to the Web service provider and back to the Web service consumer.

3. Click OK.

4. On the Servers page, update the Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty > Web Service Providers.

2. Click Credential Profile.

3. On the Credential Profile Details page, fill in the following fields as necessary:

   Display name: The name you want to display for the Web service.

   Have Discovery Encrypt This Service’s Resource Ids: Specify whether the Discovery Service encrypts the resource IDs. A resource ID is an identifier used by Web services to identify a user. The Discovery Service returns a list of resource IDs when a trusted service provider queries for the services owned by a given user. The Discovery Service has the option of encrypting the resource ID or sending it unencrypted. Encrypting resource IDs is disabled by default.

4. Under Credential Profile Settings, enable the following option if necessary:

   Allow End Users to See Credential Profile: Specify whether to display or hide the Credential Profile in the Access Manager User Portal. Profiles are viewed on the My Profile page, where the user can modify his or her profile.

5. Specify how you want to control and store secrets:

   1. To locally control and store secrets, configure the following fields:

      Encryption Password Hash Key: (Required) Specify the password that you want to use as a seed to create the encryption algorithm. To increase the security of the secrets, ensure that you change the default password to a unique alphanumeric value.

      Preferred Encryption Method: Specify the preferred encryption method. Select the method that complies with your security model:

      • Password Based Encryption With MD5 and DES: MD5 is an algorithm that is used to verify data integrity. Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key.

      • DES: Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

      • Triple DES: A variant of DES in which data is encrypted three times with standard DES by using two different keys.

   2. Specify where to store secret data. (For more information about setting up a user store for secret store, see Configuring a User Store for Secrets.)

      • To have the secrets stored in the configuration database, do not configure the list in the Extended Schema User Store References section. You only need to configure the fields in Step 5.a.

      • To store the secrets in your LDAP user store, click New in Extended Schema User Store References and configure the following fields:

        User Store: Select a user store where secret data is stored.

        Attribute Name: Specify the LDAP attribute of the User object that can be used to store the secrets. When a user authenticates by using the user store specified here, the secret data is stored in an XML document of the specified attribute of the user object. This attribute should be a single-valued case ignore string that you have defined and assigned to the user object in the schema.

        NOTE:Do not use this LDAP attribute in Policy configuration as shared secrets. Instead you create the shared secrets attributes. The Shared secret attributes are populated in the configured LDAP attribute, and are used by policy for mapping. For more information about how to create shared secret, see Section 6.5, Form Fill Policies.

      • To use Novell SecretStore to remotely store secrets, click New under Novell Secret Store User Store References.

        Click the user store that you have configured for SecretStore.

        Secure LDAP must be enabled between the user store and the Identity Server to add this user store reference.

   3. Click OK twice.

6. On the Identity Server page, update the Identity Server.

1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty > Web Service Provider > [Profile] > Custom Attribute Names.

2. Click the data item name to view the customized attribute names.

3. Click New to create a new custom name.

4. Type the name and select a language.

5. Click OK.

6. On the Custom Attribute Names page, click OK.

7. On the Web Service Provider page, click OK.

8. Update the Identity Server configuration on the Servers page.

1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty > Web Service Consumers

   The following general settings configure time limits and processing speed:

   Protocol Timeout (seconds): Limits the time the transport protocol allows.

   Provider Timeout (seconds): Limits the request processing at the Web service provider. This value must always be equal to or greater than the Protocol Timeout value.

   Attribute Cache Enabled: A subsystem of the Web service consumer that caches attribute data that the Web service consumer requests. For example, if the Web service consumer has already requested a first name attribute from a Web service provider, the Web service consumer does not need to request the attribute again. This setting improves performance when enabled. However, you can disable this option to increase system memory.

2. Specify how and when the identity provider interacts with the user:

   Always Allow Interaction: Allows interaction to take place between users and service providers.

   Never Allow Interaction: Never allows interaction between users and service providers.

   Always Allow Interaction for Permissions, Never for Data: Allows interaction for permissions, never for data.

   Maximum Allowed Interaction Time: Specifies the allowed time (in seconds).

3. To specify the allowable methods that a Web service provider can use for user interaction, click one of the following options:

   Redirect to a User Interaction Service: Allows the Web service consumer to redirect the user agent to the Web service provider to ask questions. After the Web service provider has obtained the information it needs, it can redirect the user back to the Web service consumer.

   Call a Trusted User Interaction Service: Allows the Web service provider to trust the Web service consumer to act as proxy for the resource owner.

4. Under Security Settings, fill in the following fields:

   WSS Security Token Type: Instructs the Web service consumer/requestor how to place the token in the security header as outlined in the Liberty ID-WSF Security Mechanisms.

   Signature Algorithm: The signature algorithm to use for signing the payload.

5. Click OK, then update the Identity Server configuration as prompted.

1. In the Administration Console, click Devices> Identity Servers > Edit > Liberty >LDAP Attribute Mapping.

2. Select one of the following actions:

   New: Allows you create an LDAP attribute mapping. Select from the following types:

   • One to One: Maps a single Liberty attribute to a single LDAP attribute. See Configuring One-to-One Attribute Maps.

   • Employee Type: Maps the Employee Type attribute to an LDAP attribute, then maps the possible Liberty values to LDAP values. See Configuring Employee Type Attribute Maps.

   • Employee Status: Maps the Employee Status attribute to an LDAP attribute, then maps the possible Liberty values to LDAP values. See Configuring Employee Status Attribute Maps.

   • Postal Address: Maps the Postal Address attribute to either multiple LDAP attributes or a delimited LDAP attribute. See Configuring Postal Address Attribute Maps.

   • Contact Method: Maps the Contact Method attribute to multiple LDAP attributes. See Configuring Contact Method Attribute Maps.

   • Gender: Maps the Gender attribute to an LDAP attribute, then maps the possible Liberty values to LDAP values. See Configuring Gender Attribute Maps.

   • Marital Status: Maps the Marital Status attribute to an LDAP attribute, then maps the possible Liberty values to LDAP values. See Configuring Marital Status Attribute Maps.

   Delete: Deletes the selected mapping.

   Enable: Enables the selected mapping.

   Disable: Disables the selected mapping. When the mapping is disabled, the server does not load the definition. However, the definition is not deleted.

3. Click OK, then update the Identity Server.