5.2.2 Service Provider Brokering

The Service Provider Brokering (SP Brokering) feature enables Identity Server to act as a federation gateway or a service provider broker. This federation gateway allows you to connect to different protocols such as Liberty, SAML 1.1, and SAML 2.0. You can use SP Brokering with the Intersite Transfer service of the identity provider. The Intersite Transfer service enables authentication at a trusted service provider. SP Brokering helps companies establish trust between identity providers and their service providers that support different federation protocols. For example, an identity provider that supports SAML 2.0 can provide authentication to a Liberty or SAML 1.1 service provider by using the SP Broker.

SP Brokering helps reduce the number of trust relationships between an identity provider and its service providers. For example, an identity provider can provide authentication to its service providers by establishing a single trust relationship with the SP Broker instead of multiple trust relationships. Similarly, a service provider needs only a single trust relationship with the SP Broker to receive authentication from several identity providers.

The authentication flow between several identity providers and service providers in a federation circle can be controlled by policies that the administrator configures to govern Intersite Transfers. For example, an administrator can configure a policy on the SP Broker that allows only certain users from an identity provider to be authenticated at a given service provider.

An Intersite Transfer URL has the following format: https://<identity provider>/idpsend?PID=<Service Provider ID>&TARGET=<final_destination_URL>

This Intersite Transfer URL consists of three parts:

  • https://<identity provider>: The user can authenticate at the identity provider.

  • /idpsend?PID=<Service Provider ID>: Authentication occurs at the service provider represented by the service provider ID at the identity provider.

  • &TARGET=<final_destination_URL>: The user is finally redirected to the specified target URL associated with the service provider.

A web page is created with many Intersite Transfer URLs for each combination of identity provider, service provider, and the target application.

For more information about the Intersite Transfer Service, see Section 3.9.11, Using the Intersite Transfer Service.

The following illustration explains the flow of providing access to the target URL by using SP Brokering:

Web Page (User Portal): A web page (user portal) is created with a list of URLs called Brokered URLs, which provide access to various target applications.

Originating Identity Providers: The Originating Identity Provider is the identity provider at which the user's credentials are stored for authentication. The Origin IDP must be configured as a Liberty/SAML1.1/SAML2.0 trusted identity provider in the SP Broker.

Federation Gateway or SP Broker: The Federation Gateway or SP Broker is an Access Manager identity provider that can be configured to control the authentication between several Origin IDPs and Allowed SPs in a federation circle.

Allowed Service Provider: The Allowed SP is the service provider to which the SP Broker provides authentication. The Allowed SP must be configured as a Liberty/SAML1.1/SAML2.0 trusted service provider on the SP Broker.

Target Application: The target application is the application running on a web server that is protected by the service provider.

Broker URL: A Broker URL is a specially designed Intersite Transfer URL, which consists of four parts. You can click the brokered URL, which results in the following:

  1. You must authenticate with the Originating IDP (https://idp1.com/idpsend).

  2. The Origin IDP causes an authentication to occur at the SP Broker (?PID=SPBroker).

  3. The SP Broker causes an authentication to occur at the allowed SP (TARGET=https://spbroker.com/idpsend?PID=SP1).

  4. You are redirected to the target application (?TARGET=TARGET1).

SP Brokering requests are the Intersite Transfers resulting from brokered URLs processed on the SP Broker. The SP Broker can control the brokering requests before providing an authentication to the service provider. The SP Broker enforces the policies configured by the administrator by either causing the authentication at the service provider or by denying the request.

The SP Broker provides the following options to configure policies that control SP brokering requests:

  1. A set of SAML 1.1, SAML 2.0 and Liberty trusted identity providers and trusted service providers can be configured as a brokering group. The brokering request is allowed only if the Origin identity provider and Allowed service provider belong to the same brokering group. A brokering request is not allowed from an Origin identity provider of one group to an Allowed service provider of another group.

  2. In a brokering group, a set of brokering rules can be configured that provides granular control on the brokering requests. For example, a brokering rule can be configured to deny a brokering request from an Origin identity provider to an Allowed service provider, if the user satisfies a certain condition at the SP Broker.

SP brokering is enabled on Identity Server only if at least one brokering group is enabled. If an Intersite Transfer request is received with neither the Origin identity provider nor the Allowed service provider in any brokering group, the request is treated as a regular Intersite Transfer and SP brokering controls are not applied.

This chapter provides information about configuring the Access Manager SP Brokering functionalities, various deployment scenarios, and associated configuration details.

Functionalities

  • Defines logical groups for Brokering

    • Brokering happens only among the group members. For example, Brokering of User Group1 users to Application 2 is not allowed.

    • A trusted provider can be present in more than one group. For example, a common partner is configured as a trusted service provider in the broker. The common partner is part of both Broker Group-1 and Broker Group-2.

  • All the brokering rules apply within a group.

    • The brokering rules define the origin Identity Server, the Service Provider, and the application target.

    • A brokering rule applies to any role or to a specific role defined at the Broker Identity Server.

    • The brokering rules are evaluated as a prioritized list.

Brokering Flow

Figure 5-8 Brokering Group Configuration

The Brokering Group configuration image provides information about how the Identity Provider Brokering group is configured with Service Provider Brokering Group.

  1. Identify the Company and Partners’ Identity Providers.

    • Company 1 Brokering Group is configured with their Identity Server.

    • 1a is the partner of Company 1 Brokering Group configured with Service Provider Brokering Group that is Novell Identity Server.

  2. The federation is established between the company and partners’ Identity Provider and the Service Provider Brokering Group that is Novell Identity Server.

    • Company 1 Brokering Group is configured with their Service Provider Brokering Group that is Novell Identity Server.

    • 2a is the partner of Company 1 Brokering Group configured with Service Provider Brokering Group that is Novell Identity Server.

  3. Create a new brokering group.

    The Service Provider manages the brokering group based on roles.

    • Roles based on Identity Provider authentication.

    • Roles based on Service Provider brokering authentication.

    • Assign the Identity Providers and Service Providers.

  4. Define policies and perform the Intersite Transfer through the Service Provider Brokering feature by using the Liberty, SAML 1.1, and SAML 2.0 protocols.

  5. Construct URLs by using the Brokering Service.

  6. Construct URL for each Identity Provider and Service Provider pair.

Figure 5-9 Brokering Group Flow

Identity Server is shared to provide Service Provider brokering to a set of logical customers. Company 1 has one partner. All the trusted providers are configured at one broker Identity Server.

  1. The user clicks URL1. The browser sends a request to https://idp.customer1.com/nidp/saml2/idpsend?PID=https://brokeridp.verizon.com/nidp/saml2/metadata&ID=partner1-sp-id&TARGET=https://www.partnerapp.partner1.com

  2. The Customer Identity Provider prompts the user for credentials if the user is not already logged in. The user logs in at Customer-1-IDP. The Identity Provider then performs an Intersite Transfer to the Identity Provider Broker. This involves creating an sp-assertion-consumer-URL request and redirecting the user to the following URL, which eventually lands at the Broker Identity Provider's Assertion Consumer URL: https://brokeridp.abc.com/nidp/saml2/sp_assertion_consumer

  3. POST contents will include SAML Artifact = <artifact> and RelayState=https://brokeridp.abc.com/nidp/saml2/?idpsend=partner1-sp-id&TARGET=https://www.partnerapp.partner1.com

  4. The service provider assertion consumer URL processing includes a hook to enforce broker rules.

    • From the artifact, the broker identifies the origin trusted provider from which the artifact is received.

    • If the RelayState contains IDPsend, the broker finds the target trusted provider and the target from the RelayState.

    • Using the origin trusted provider, the group to which this brokering request belongs is found, and a search is made for the policies representing the origin trusted provider, the target trusted provider, and the brokering service provider.

    • At this time, only the role is unknown. A decision can be taken whether brokering is allowed between the origin trusted provider and the target trusted provider for a particular target. If it is allowed, processing proceeds to the next step, artifact resolution.

    • Because this request needs further processing for role enforcement, which is possible only after an assertion is received from the customer identity provider, a flag is set on the Novell identity provider session object. This flag (Broker_role_enforcement) is checked during assertion processing.

  5. Artifact resolution happens at customer identity server.

  6. Artifact resolution response is sent to the broker identity server which contains the assertion.

  7. A new hook is made in the assertion processing.

    • If the Broker_role_enforcement flag is set on the session, the roles are identified for this user and the broker rules are enforced again for those roles.

    • If brokering is not allowed for the role, an error message is displayed in the browser. Otherwise, the browser is redirected back to the Broker Identity Server (to itself) with the following URL: https://brokeridp.verizon.com/nidp/saml2/?idpsend=partner1-sp-id&TARGET=https://www.partnerapp.partner1.com

    • Intersite transfer is now made to the DSP with the following URL https://partner.idp.com/nidp/saml2/spassertion_consumer

    • The POST message contains SAML Artifact and RelayState (which contains the target URL).

  8. The partner service provider verifies the artifact over SOAP back channel with broker identity servers.

  9. The Broker Identity Server resolves the artifact and sends the assertion.

  10. The Partner Service Provider redirects the browser to the target URL (https://www.partnerapp.partner1.com). It sets its cookie on the browser during the redirection. At this time, the user has a valid authenticated session on the Partner Service Provider.

  11. The application at partnerapp.partner1.com validates the session and provides access to the user.

Deployment Scenarios

Configuring Trusted Providers at One Broker Identity Server

Identity Server is shared among two sets of logical customers to provide the Service Provider brokering feature.

  • The Company 1 Brokering Group consists of Company 1 and Partner 1 logical customers.

  • The Company 2 Brokering Group consists of Company 2 and Partner 2 logical customers.

Brokering Across Group is not Allowed

The brokering feature is not allowed among different company groups.

The brokering is not allowed between the logical customers of Company 1 Brokering Group and Company 2 Brokering Group.

Brokering Within Group is Allowed

The brokering feature is allowed among different partners of the company group.

Brokering is allowed within each brokering group, such as Company 1 Brokering Group and Company 2 Brokering Group.

  • Role based brokering is allowed among Company 1 and Partner 1 logical customers.

  • Role based brokering is allowed among Company 2 and Partner 2 logical customers.

Brokering Within a Group Based On Groups and Members

The brokering feature is allowed among different partners based on the roles and group membership authenticated by the company.

Configuring a Brokering for Authorization of Service Providers

Authorization rules for authorizing service provider requests must be configured from the Access Manager Brokering page. To configure authorization policy, configure the broker rule policy. Ensure that the service providers are configured to the local Identity Server that will be evaluated during authorization. Figure 5-10 displays the sample configuration.

Figure 5-10 SAML2 Service Provider Initiated Authorization Rule Configuration

Creating and Viewing Brokering Groups

Identity Server cluster configuration provides a Brokering tab that you can use to configure the groups and generate brokered URLs.

  1. Click Devices > Identity Servers > Brokering.

  2. The Brokering tab allows you to create new Groups as well as display the configured Groups. The Display Brokering Groups page displays the list of groups configured.

    You can also create, delete, enable, and disable the brokering group on this page.

  3. The Display Brokering Groups page displays the following information for each group:

    Group Name: Specifies a unique name to identify the group. When you click on the hyperlink, you can view the Group Details page, where the Group configuration such as name and list of Identity Providers and Service Providers can be modified.

    Enabled: A check mark indicates that brokering is enabled for the group by applying the configured rules. A blank means that brokering is disabled.

    Identity Providers: Displays the total number of Liberty/SAML1.1/SAML2 IDPs assigned to this group.

    Service Providers: Displays the total number of Liberty/SAML1.1/SAML2 SPs assigned to this group.

    Brokering Rules: If the rules are not configured, then “No Rules Config” is displayed. The default rule allows for brokering between any IDP to any SP in the group. If new rules are configured, then the first rule name is displayed along with the count of total rules.

Creating a Brokering Group

You can create a Broker Group and configure rules for the selected group. Enter the name of the group and select the trusted providers using the arrow navigation button.

To create a new broker group follow these steps:

  1. Click Devices > Identity Servers > Brokering.

  2. Click New. The Creating Brokering Group page displays.

  3. Specify the following details:

    Display Name: Brokering group display name.

    Selected IDPs: Select at least one trusted IDP by using the navigation button.

    Selected SPs: Select at least one trusted SP by using the navigation button.

    Available Trusted IDPs: Displays Liberty/SAML1.1/SAML2.0 trusted IDP configured on the given IDP cluster (idp_cluster1).

    Available Trusted SPs: Displays Liberty/SAML1.1/SAML2.0 Trusted Service Providers configured on the given Identity Provider Cluster (idp_cluster1).

  4. Click Finish to complete the creation of the brokering group.

Configuring Trusted Identity Providers and Service Providers

You can configure the rules between the trusted identity providers and service providers by configuring rules, roles, and actions. You can view the configured rules, create new, delete the existing rule, edit the rules, enable and disable the configured rules.

You can configure the service providers and identity providers for all of the protocols in Identity Server, which are configured in Identity Server cluster. Using the brokering group, you can view the list of available service providers and identity providers in the selection box. Using the arrow keys, configure the trusted identity providers and trusted service providers for the respective brokering group.

  1. Click Devices > Identity Servers > Brokering Group Name. The Configuration page displays the Trusted Providers, Brokering rules, Construct URL and Rule Validation tabs.

  2. Click Trusted Providers tab.

  3. Specify the display name and configure the brokering groups.

    Display Name: Specify the display name of the brokering group being configured.

    Selected IDPs: Configure the selected identity providers using the arrow keys from the Available Trusted IDPs selection box.

    Available Trusted IDPs: Configure the available trusted identity providers using the arrow keys from Selected Identity Providers selection box.

    Selected SPs: Configure the selected service providers using the arrow keys from the Available Trusted Service Providers selection box.

    Available Trusted SPs: Configure the available trusted service providers using the arrow keys from the Selected Service Providers selection box.

  4. Click OK. The configured service providers and identity providers are displayed on the Brokering page.

  5. Click Finish to complete the rules configuration for the brokering group.

  6. Click Apply to see the configuration changes.

NOTE: When you log out from the Access Gateway device, the logout is not propagated to the other Identity Servers if SAML 1.1 is one of the trusted providers in the brokering group.

Configuring Brokering Rules

You can create, edit, delete, enable, and disable brokering rules.

  1. Click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created Brokering Group hyperlink.

  3. Click Rules. The Brokering Group Rules page is displayed.

    Name: Displays the rule name of the brokering group.

    Enabled: Displays the status of the brokering group rule.

    Identity Providers: Displays the number of identity providers configured to the brokering group.

    Service Providers: Displays the number of service providers configured to the brokering group.

    Priority: Displays the brokering group rule priority number.

    Actions: Displays the configured brokering group rule action status either as permit or deny.

    Role Conditions: Displays the brokering group role condition, such as manager and employee, configured on the rule page.

  4. Click OK to continue and display the configured brokering group rule details on the Brokering Rules page.

  5. Click Apply to see the brokering rule configuration changes.

Creating a Brokering Rule

You can configure the rules to the created brokering groups.

  1. Click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created Brokering Group hyperlink.

  3. Click Rules. The Creating Brokering Group page displays.

    Rule Name: Specify the name of the rule.

    Rule Priority: Select the rule priority from the drop-down list.

    NOTE: The default rule specified during creation of the group has a priority of 1. Additional rules can be added, and existing rules can be deleted or modified. You can use the Edit Rules page to modify the priority of the rules.

    Origin IDP: Displays all Identity Servers or one or more Identity Servers that are available in the group.

    Allowed SP: Displays all service providers or one or more service providers that are available in the group.

    Role Conditions: Displays the brokering group role condition such as manager and employee, configured on the rule page.

    Actions: Select the Permit or Deny action radio button for the rule you configure to the brokering group.

    NOTE: By default, Access Manager allows any role. If you want to allow access to only particular roles, configure a Permit condition for those roles with a higher priority and a Deny condition in which no roles are defined with a lower priority.

  4. Click Finish to complete configuration of rules for the brokering group.

Deleting a Brokering Rule

  1. Click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.

  2. Select the check box of the brokering group rule you want to delete, then click Delete. A message is displayed as “Delete selected brokering rule(s)?”.

  3. Click OK to continue.

Enabling a Brokering Rule

  1. Click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.

  2. Select the check box of the brokering group rule you want to enable.

  3. Click Enable. The selected brokering group rule is enabled.

Disabling a Brokering Rule

  1. Click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.

  2. Select the check box of the brokering group rule you want to disable.

  3. Click Disable. The selected brokering group rule is disabled.

Editing Brokering Rules

You can edit the group rules in the Brokering page.

  1. Click Devices > Identity Servers > Edit > Brokering.

  2. Click the existing or newly created brokering group hyperlink.

  3. Click Rules tab.

  4. Click the brokering rule hyperlink. The Edit Brokering Rule page displays the rule's information, which you can edit.

You can edit all the fields described in Creating a Brokering Rule.

Constructing Brokering URLs

The Construct URL page helps you to create a URL, which you use in your application to navigate to your trusted partners.

You can generate the URL according to the Origin IDP and the Allowed SP.

  1. Click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created brokering group hyperlink.

  3. Click Construct URL.

    IDP Type: Select the Identity Provider type from the drop-down list. The three types of IDP in the drop-down list are Local IDP, Access Manager IDP, and Other IDP. If you select Access Manager IDP as the IDP type, then you can select the Origin IDP from the drop-down list. If you select Other IDP as the IDP type, you can enter the Origin IDP URL and you can select the Origin IDP from the drop-down list.

    Origin IDP: The Origin identity providers are the trusted providers. The drop-down list displays all the trusted providers created for the specific Access Manager brokering group. Select the Origin IDP from the drop-down list.

    NOTE: If the Origin IDP drop-down list does not list any trusted providers, it is because a local Identity Server exists as a trusted provider. To resolve this, add another Identity Server to the Access Manager brokering group.

    Origin IDP URL: If you select Other IDP as the IDP type, you can enter the Origin IDP URL manually. The <OriginIDPURL> represents (protocol :// domain : port / path ? querystring).

    Provider Parameter Name: If you select Other IDP as the IDP Type, you can enter the trusted provider parameter ID. For more information about the Intersite Transfer Service target for a service provider, see Configuring an Intersite Transfer Service Target for a Service Provider.

    Target Parameter Name: If you select Other IDP as the IDP type, you can enter the target provider parameter name manually.

    Allowed SP: The allowed service providers are the selected service providers of the trusted providers. The drop-down list displays all the service providers created for the specific brokering group. Select the service provider from the drop-down list.

    Target URL: Specify the target URL for the specific trusted provider and service provider pair. This URL is appended to the login URL. Click Generate to generate the login URL.

    Login URL: The login URL consists of Origin IDP URL and the target URL.

  4. Click Cancel to close the Construct URL page.

Validating Brokering Rules

The rule validation page helps you to validate the Origin identity providers and the allowed service provider rule according to the role associated with the respective trusted partners.

  1. Click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created brokering group hyperlink.

  3. Click the Rule Validation tab.

    Origin IDP: The Origin identity providers are the trusted providers. The drop-down list displays all the trusted providers created for the specific Access Manager brokering group. Select the Origin identity provider from the drop-down list.

    Allowed SP: The Allowed SPs are the selected SPs of the trusted providers. The drop-down list displays all the service providers created for the specific brokering group. Select the service provider from the drop-down list.

    Role: Specify the role you want to validate for the selected Origin identity provider and Allowed SP. Click Validate Rule.

    A list is displayed according to the rule validation for the selected trusted providers, role, and permission.

    Name: Displays the role name of the selected trusted providers.

    Identity Providers: Displays the identity provider name.

    Service Providers: Displays the service provider name.

    Priority: In ascending order, displays the priority number of the rule validation of the selected trusted providers.

    Action: Displays the permission action for validation of the selected trusted providers rule validation.

    Role Conditions: Displays the role conditions for the selected trusted providers rule validation. Denial takes precedence over Permit.

    Evaluate State: Displays the evaluate state of the role conditions for the selected trusted providers' rule validation. The role conditions can have the following evaluation states:

    Pass 1: The rule matches the Origin identity provider and the allowed service provider, and its role condition is Any.

    Pass 2: The rule matches the Origin identity provider, the allowed service provider, and a specific role mentioned in the rule.

    Ignored: The rule does not match either Pass 1 or Pass 2.

    Not Executed: The default state of all the rules.

    NOTE: If a rule has the evaluate state Pass 1 and the action Deny, the remaining rules stay in the Not Executed state.

    After a rule reaches the evaluate state Pass 2, regardless of its action, the remaining rules stay in the Not Executed state.

    The rules before the Pass 1 rule have the evaluate state Ignored. All these ignored rules have the role condition Any, without specifying any role condition.

    Pass 1 evaluation stops as soon as a rule with a specific role condition is found that matches the Origin identity provider and the allowed service provider.

  4. Click Cancel to close the Rule Validation page.
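The following Python model is an added example, not Access Manager code. It implements the decision logic as this chapter describes it: the brokering group check from the overview (both providers must be in the same enabled group, otherwise the brokering request is denied, or treated as a regular Intersite Transfer when neither provider is in any group), priority-ordered rule evaluation with the Pass 1, Pass 2, Ignored, and Not Executed states listed above, the early check with roles still unknown that sets the Broker_role_enforcement flag in the brokering flow, and the permit-then-deny pattern from the note under Creating a Brokering Rule. Two readings are my assumptions and are marked in the code: a Pass 1 Permit continues evaluation so that a lower-priority, more specific rule can still deny (the page states only that Pass 1 Deny and Pass 2 stop evaluation, and that denial takes precedence over permit), and a request that reaches no Pass state is denied. The provider IDs, group names, rule names, and the "*" wildcard are constructed.

```python
# Added example, not Access Manager code: a model of the documented brokering
# decision (group check, then priority-ordered rule evaluation with the
# Pass 1 / Pass 2 / Ignored / Not Executed states). All names are constructed.
from dataclasses import dataclass, field

PERMIT, DENY = "Permit", "Deny"
NEEDS_ROLES = "RoleEnforcementRequired"   # roles unknown: set Broker_role_enforcement
REGULAR = "RegularIntersiteTransfer"      # neither provider in any group: no controls
PASS1, PASS2, IGNORED, NOT_EXECUTED = "Pass 1", "Pass 2", "Ignored", "Not Executed"
ALL = "*"   # assumption: "*" stands for "all IDPs" / "all SPs" of the group


@dataclass
class Rule:
    name: str
    priority: int                     # 1 is evaluated first
    origin_idps: frozenset            # {ALL} or specific provider IDs
    allowed_sps: frozenset
    roles: frozenset = frozenset()    # empty set == role condition "Any"
    action: str = PERMIT
    enabled: bool = True

    def matches_providers(self, origin, sp):
        return ((ALL in self.origin_idps or origin in self.origin_idps)
                and (ALL in self.allowed_sps or sp in self.allowed_sps))


@dataclass
class BrokeringGroup:
    name: str
    idps: frozenset
    sps: frozenset
    rules: list = field(default_factory=list)
    enabled: bool = True


def evaluate(group, origin, sp, user_roles=None):
    """Evaluate one group's rules for origin IDP -> allowed SP.

    user_roles=None means the roles are not yet known (the check made before
    artifact resolution); a role-specific rule then yields NEEDS_ROLES so the
    caller re-runs the check after the assertion has been processed.
    Returns (decision, {rule name: evaluate state}).
    """
    states = {r.name: NOT_EXECUTED for r in group.rules}
    pending = None   # Permit from a Pass 1 rule, unless a later rule overrides it
    for rule in sorted(group.rules, key=lambda r: r.priority):
        if not rule.enabled or not rule.matches_providers(origin, sp):
            states[rule.name] = IGNORED
            continue
        if not rule.roles:                       # role condition Any -> Pass 1
            states[rule.name] = PASS1
            if rule.action == DENY:              # Pass 1 Deny stops evaluation
                return DENY, states
            pending = PERMIT                     # assumption: keep looking for a
            continue                             # more specific (possibly Deny) rule
        if user_roles is None:                   # specific role, roles unknown yet
            return NEEDS_ROLES, states
        if rule.roles & set(user_roles):         # specific role matched -> Pass 2
            states[rule.name] = PASS2
            return rule.action, states           # Pass 2 stops regardless of action
        states[rule.name] = IGNORED
    return pending or DENY, states               # assumption: no Pass at all -> Deny


def broker_decision(groups, origin, sp, user_roles=None):
    """Group check: both providers must be members of the same enabled group."""
    for g in groups:
        if g.enabled and origin in g.idps and sp in g.sps:
            return evaluate(g, origin, sp, user_roles)[0]
    in_any = any(g.enabled and (origin in g.idps or sp in g.sps) for g in groups)
    return DENY if in_any else REGULAR           # cross-group request vs. regular transfer


# Constructed configuration: the "permit some roles, then deny the rest" pattern.
COMPANY1 = BrokeringGroup(
    "Company 1 Brokering Group",
    frozenset({"idp.company1", "idp.partner1"}),
    frozenset({"sp.company1", "sp.partner1"}),
    [
        Rule("managers-to-partner1", 1, frozenset({ALL}), frozenset({"sp.partner1"}),
             frozenset({"manager"}), PERMIT),
        Rule("deny-others-to-partner1", 2, frozenset({ALL}), frozenset({"sp.partner1"}),
             frozenset(), DENY),
        Rule("default", 3, frozenset({ALL}), frozenset({ALL})),
    ],
)
COMPANY2 = BrokeringGroup("Company 2 Brokering Group", frozenset({"idp.company2"}),
                          frozenset({"sp.partner2"}),
                          [Rule("default", 1, frozenset({ALL}), frozenset({ALL}))])
GROUPS = [COMPANY1, COMPANY2]

if __name__ == "__main__":
    for roles in (None, {"manager"}, {"employee"}):
        print(roles, evaluate(COMPANY1, "idp.company1", "sp.partner1", roles))
    print(broker_decision(GROUPS, "idp.company1", "sp.partner2", {"manager"}))
```

Running the script with the constructed data shows the two-phase behaviour from the brokering flow: with roles unknown the manager rule forces role enforcement, a manager is permitted at Pass 2, any other user hits the Pass 1 Deny, and a request from Company 1's IDP to Company 2's partner SP is denied before any rule runs because the providers are not in the same group.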

Generating the Brokering URLs by Using an ID and Target in the Intersite Transfer Service

You can generate the brokering URLs using the ID of the target. You can use this value to simplify the Intersite Transfer Service URL that must be configured at the service provider. For more information, see Configuring an Intersite Transfer Service Target for a Service Provider.

  1. Click Devices > Identity Servers > Brokering or click Devices > Identity Servers > Edit > SAML 2.0 > Trusted Providers > (Broker Identity under the Service Providers list) > Intersite Transfer Service.

  2. ID: Specify the ID value of the target.

  3. Target: Specify the URL of the page that you want to display to users when they authenticate with an Intersite Transfer URL. The behavior of this option is influenced by the Allow any target option. If you are using the target ID as part of the Intersite Transfer URL and did not specify a target in the URL, you need to specify the target in this field. For example, if you enter the target URL as it appears below, it is displayed when you select the Allow Any Target option.

    https://login.company1.com:8443/nidp/saml2/idpsend?id=217ID&TARGET=https%3A%2F%2FSPBROKER1.labs.blr.novell.com%3A8443%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3Dhttps%3A%2F%2Flogin.partner2B.com%3A8443%2Fnidp%2Fsaml2%2Fmetadata%26TARGET%3Dhttps%3A%2F%2Fpartner2b.com

  4. Allow any Target: Select this option to use the target that was specified in the Intersite Transfer URL. If this option is not selected, the target value in the Intersite Transfer URL is ignored and the URL specified in the Target option is used.
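The following Python script is an added example, not code from the Access Manager documentation or product. It builds the four-part Broker URL described under Broker URL (origin IDP, SP Broker, allowed SP, target) by nesting one Intersite Transfer URL inside another with a single round of percent-encoding, unwraps such a URL hop by hop (including the id= form shown in step 3 above), and applies the Allow any Target rule from step 4. The example.com hostnames and metadata URLs are constructed placeholders; the SAMPLE_URL constant is the URL shown in step 3.

```python
# Added example (not Access Manager code): building and unwrapping brokered
# Intersite Transfer URLs. example.com names are constructed placeholders.
from urllib.parse import urlencode, urlsplit, parse_qs


def idpsend_url(idp_base, target, pid=None, target_id=None):
    """Build one Intersite Transfer URL: <idp_base>/idpsend?PID=...&TARGET=...

    idp_base  - provider base URL, e.g. https://idp.example.com/nidp/saml2
    target    - the final destination, or the next hop's own idpsend URL
    pid       - service provider ID (PID=...), or None
    target_id - target ID configured at the SP (id=...), or None
    TARGET is percent-encoded once by urlencode, so a nested idpsend URL
    survives as a single query parameter of the outer URL.
    """
    params = []
    if pid is not None:
        params.append(("PID", pid))
    if target_id is not None:
        params.append(("id", target_id))
    params.append(("TARGET", target))
    return f"{idp_base}/idpsend?{urlencode(params)}"


def brokered_url(origin_idp, broker_pid, broker_base, sp_pid, app_url):
    """The four-part Broker URL: origin IDP -> SP Broker -> allowed SP -> target."""
    inner = idpsend_url(broker_base, target=app_url, pid=sp_pid)
    return idpsend_url(origin_idp, target=inner, pid=broker_pid)


def unwrap(url):
    """Follow the TARGET chain and return one dict per idpsend hop."""
    hops = []
    while True:
        parts = urlsplit(url)
        q = parse_qs(parts.query)            # decodes each value exactly once
        target = q.get("TARGET", [None])[0]
        hops.append({
            "host": parts.netloc,
            "pid": q.get("PID", [None])[0],
            "id": q.get("id", [None])[0],
            "target": target,
        })
        # Keep unwrapping only while the decoded TARGET is itself an idpsend URL.
        if target is None or not urlsplit(target).path.endswith("/idpsend"):
            return hops
        url = target


def effective_target(url_target, configured_target, allow_any_target):
    """Target the SP redirects to, per the Allow any Target option."""
    if allow_any_target and url_target:
        return url_target
    return configured_target                 # URL value ignored when not allowed


# The sample URL from the documentation (step 3 above), split for readability.
SAMPLE_URL = (
    "https://login.company1.com:8443/nidp/saml2/idpsend?id=217ID&TARGET="
    "https%3A%2F%2FSPBROKER1.labs.blr.novell.com%3A8443%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3D"
    "https%3A%2F%2Flogin.partner2B.com%3A8443%2Fnidp%2Fsaml2%2Fmetadata%26TARGET%3D"
    "https%3A%2F%2Fpartner2b.com"
)

if __name__ == "__main__":
    for hop in unwrap(SAMPLE_URL):
        print(hop)
    print(brokered_url("https://idp1.example.com/nidp/saml2",
                       "https://broker.example.com/nidp/saml2/metadata",
                       "https://broker.example.com/nidp/saml2",
                       "https://sp1.example.com/nidp/saml2/metadata",
                       "https://app.example.com/portal"))
```

Unwrapping the documentation's sample yields two hops: the origin IDP at login.company1.com with the target ID 217ID, then the SP Broker at SPBROKER1 whose PID is the partner2B metadata URL and whose TARGET is https://partner2b.com. Building a URL with brokered_url and unwrapping it recovers the same structure, which is a quick way to check that a hand-written Broker URL was encoded once at each level rather than zero or two times.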

Transient Federation within SAML 2.0

You need to make the following configuration changes for transient federations to work from the Origin Identity Provider to the SP Broker to the Target Service Provider. For example, if the Origin Identity Provider is on SAML 1.0 (transient), the SP Broker and the Target Service Provider also must be on transient federation.

Origin Identity Provider Configuration

  1. Go to Edit > SAML2 > Trusted Providers > (Broker IDP under the Service Providers list) > Authentication Response.

  2. Enable the Transient Name ID Format and set it as Default.

Broker Identity Provider Configuration

  1. Go to Edit > SAML2 > Trusted Providers > (Origin IDP under the Identity Providers list) > Authentication Card > Authentication Request.

  2. Select the Transient Name ID Format.

  3. Go to Edit > SAML2 > Trusted Providers > (Next hop SP under the Service Providers list) > Authentication Response.

  4. Enable the Transient Name ID Format and set it as Default.

Service Provider Configuration

  1. Go to Edit > SAML2 > Trusted Providers > (Broker IDP under the Identity Providers list) > Authentication Card > Authentication Request.

  2. Select the Transient Name ID Format.

Assigning the Roles for the Origin IDP users in SP Broker Using the Transient Federation Attributes

You can assign the roles for the origin Identity Provider users in Service Provider Brokering using the attributes of the transient federation. When you log in as a transient user, the federation is authenticated based on roles.

Origin Identity Provider Attribute Configuration

  1. In Administration Console Dashboard, click Devices > Identity Servers > Brokering or click Devices > Identity Servers > Edit > SAML 2.0 > Trusted Providers > (Broker Identity under the Identity Providers list) > Configuration > Attributes.

  2. Select the Attribute set from the drop-down list.

  3. Select the attribute names in the Available List and move to Send with Authentication list using the arrows.

  4. Click Apply to map and set the attribute changes to the selected role of the origin identity provider.

Target Service Provider Attribute Configuration

  1. In Administration Console Dashboard, click Devices > Identity Servers > Brokering or click Devices > Identity Servers > Edit > SAML 2.0 > Service Providers > (Broker Identity under the Service Providers list) > Configuration > Attributes.

  2. Select the Attribute set from the drop-down list.

  3. Select the attribute names in the Available List and move to Send with Authentication list using the arrows.

  4. Click Apply to map and set the attribute changes to the selected role of the target service provider.

Brokering Service Provider Attribute Configuration

The attributes configured at the origin identity provider and the target service provider are displayed, based on the selected role, in the Available List of the brokering service provider attribute configuration.

  1. In Administration Console Dashboard, click Devices > Identity Servers > Brokering or click Devices > Identity Servers > Edit > SAML 2.0 > Service Providers > (Broker Identity under the Service Providers list) > Configuration > Attributes.

  2. Select the Attribute set from the drop-down list.

  3. Select the attribute names in the Available List and move to Send with Authentication list using the arrows.

  4. Click Apply to map and set the attribute changes to the selected role of the brokering service provider.

Assigning The Local Roles Based On Remote Roles And Attributes

You can configure the attributes based on the roles you select in the Attribute set field. You can then log in and be authenticated based on the roles federated in the Origin Identity Provider, Target Service Provider, and Brokering Service Provider configurations.

Origin Identity Provider Role Attribute Configuration

  1. Click Devices > Identity Servers > Shared Settings > Attribute Sets > Mapping > New. The Add Attribute Mapping window displays.

  2. Select the local attribute name from the drop-down list.

  3. Enter the remote attribute name for the selected local attribute.

  4. Click OK to add the remote attribute name. The newly added attribute displays in the Mapping list.

  5. Click Devices > Identity Servers > Edit > SAML 2.0 > Trusted Providers > (Broker Identity under the Identity Providers list) > Configuration > Attributes.

  6. Select the role from the Attribute set drop-down list.

  7. Using the arrows, map the attributes between the Available List and the Send with Authentication list.

  8. Click Apply to map the selected role and attributes of the origin identity provider.

Allowed Service Provider Role Attribute Configuration

  1. Click Devices > Identity Servers > Shared Settings > Attribute Sets > Mapping > New. The Add Attribute Mapping window displays.

  2. Select the local attribute name from the drop-down list.

  3. Specify the remote attribute name for the selected local attribute.

  4. Click OK. The newly added attribute displays in the Mapping list.

  5. Click Devices > Identity Servers > Edit > SAML 2.0 > Service Providers > (Broker Identity under the Service Providers list) > Configuration > Attributes.

  6. Select the role from the Attribute set drop-down list.

  7. Using the arrows, map the attributes between the Available List and the Send with Authentication list.

  8. Click Apply to map and set the attribute changes to the selected role of the target Identity Service Provider.

Brokering Service Provider Role Attribute Configuration

The roles and attributes configured in the origin identity provider and the target service provider are added and mapped in the brokering service provider attribute configuration.

  1. Click Devices > Identity Servers > Shared Settings > Attribute Sets > Mapping > New. The Add Attribute Mapping window displays.

  2. Select the local attribute name from the drop-down list.

  3. Enter the remote attribute name for the selected local attribute.

  4. Click OK to add the remote attribute name. The newly added attribute displays in the Mapping list.

  5. Click Devices > Identity Servers > Brokering or click Devices > Identity Servers > Edit > SAML 2.0 > Service Providers > (Broker Identity under the Service Providers list) > Configuration > Attributes.

  6. Select the role from the Attribute set drop-down list.

  7. Using the arrows, map the attributes between the Available List and the Send with Authentication list.

  8. Click Apply to set the role and configure the attribute mappings.

SP Brokering Example

This example explains how SP Brokering works. Assume that two companies, Digital Airlines and ACME, are business partners, and that users of both companies need access to certain shared applications.

With SP Brokering, users in Digital Airlines are provided with an intersite transfer URL that lets them authenticate at Digital Airlines, have the assertion set at ACME, and gain access to the target application. With this approach, users do not need to choose from different authentication cards.

The following diagram depicts the SP Brokering workflow:

Workflow:

  1. A user is authenticated at the Digital Airlines identity provider. The user clicks the Broker URL. Digital Airlines checks whether this user is authenticated; if not, it asks for the user's credentials and authenticates the user.

  2. Digital Airlines identity provider processes an intersite URL and creates an assertion for SP Broker (Access Manager Identity Server).

  3. SP Broker receives the assertion and validates that this assertion is received from a trusted identity provider.

  4. SP Broker checks whether the trusted identity provider and the service provider (identified in the target URL) belong to the same group. SP Broker denies the request if they do not belong to the same group.

  5. SP Broker sends a request to Digital Airlines identity provider to resolve the artifact.

  6. SP Broker receives the SAML assertion from Digital Airlines identity provider and caches attributes/roles received. SP Broker applies any Role policies that have been enabled.

  7. SP Broker performs the intersite transfer. While processing the intersite transfer, SP Broker checks whether this user arrived through SP Brokering (step 4 above) and enforces the SP Brokering rules: if any rule results in deny, an error page is displayed.

  8. SP Broker creates an assertion for ACME.

  9. ACME sends a request to SP Broker to resolve the artifact.

  10. ACME receives the SAML assertion from the SP Broker along with roles/attributes.

  11. ACME sends a redirect to the final target URL. (Note: Redirect happens from ACME’s ESP to ACME’s identity provider where the user is already authenticated.)

  12. The user accesses the target application.
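As an added illustration (not code from Access Manager or from this documentation), the following Python script simulates the checks the SP Broker performs in steps 3, 4, 6 and 7 of the workflow above, together with the remote-to-local attribute mapping described in the role attribute configuration sections. Every hostname, group, attribute name and rule in it is constructed for the example.

```python
from urllib.parse import parse_qs, urlparse

# Constructed broker configuration; it illustrates the checks, not the product's data model.
TRUSTED_IDPS = {"https://idp.digitalairlines.example"}
# An identity provider may be brokered to a service provider only when both share a group.
GROUPS = {"partners": {"https://idp.digitalairlines.example", "https://sp.acme.example"}}
# Remote attribute name -> local attribute name (the Attribute Sets > Mapping step).
ATTRIBUTE_MAPPING = {"memberOf": "role", "mail": "email"}
# Brokering rules: deny unless the user carries one of the allowed roles for this IdP/SP pair.
RULES = [
    {"idp": "https://idp.digitalairlines.example", "sp": "https://sp.acme.example",
     "allowed_roles": {"Employee", "Partner"}},
]

def parse_intersite_url(url):
    """Split https://<host>/idpsend?PID=<service provider>&TARGET=<url> into its three parts."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    host = f"{parts.scheme}://{parts.netloc}"
    return host, query.get("PID", [None])[0], query.get("TARGET", [None])[0]

def same_group(idp, sp):
    return any(idp in members and sp in members for members in GROUPS.values())

def map_attributes(remote_attrs):
    """Apply the remote-to-local mapping; attributes without a mapping are dropped."""
    return {ATTRIBUTE_MAPPING[k]: v for k, v in remote_attrs.items() if k in ATTRIBUTE_MAPPING}

def broker_decision(issuer, intersite_url, remote_attrs):
    """Return (allowed, reason, local_attrs) for one brokered intersite transfer."""
    if issuer not in TRUSTED_IDPS:                                   # step 3
        return False, "assertion not from a trusted identity provider", {}
    _, sp, target = parse_intersite_url(intersite_url)
    if sp is None or target is None:
        return False, "malformed intersite transfer URL", {}
    if not same_group(issuer, sp):                                   # step 4
        return False, "identity provider and service provider not in the same group", {}
    local = map_attributes(remote_attrs)                             # step 6
    roles = set(local.get("role", []))
    for rule in RULES:                                               # step 7
        if rule["idp"] == issuer and rule["sp"] == sp and not roles & rule["allowed_roles"]:
            return False, "brokering rule denied the transfer", local
    return True, "assertion may be created for " + sp, local

if __name__ == "__main__":
    url = "https://broker.example/idpsend?PID=https://sp.acme.example&TARGET=https://app.acme.example/"
    print(broker_decision("https://idp.digitalairlines.example", url, {"memberOf": ["Employee"]}))
```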