4.1.5 Specifying Authentication Defaults

You can specify default values for the user store and the authentication contract that Identity Server uses when nothing more specific applies. The default contract is executed when users access Identity Server without requesting a specific contract, and when an Access Gateway protected resource is configured to use Any Contract.

Additional default contracts can be specified for well-known authentication types that might be required by a service provider. These contracts are executed when a request for a specific authentication type comes from a service provider.

  1. Click Devices > Identity Servers > Edit > Local > Defaults.

  2. Configure the following fields as necessary:

    User Store: Specifies the default user store for local authentication. If you selected <Default User Store> when configuring an authentication method, the system uses the user store you specify here.

    Authentication Contract: Specifies the default authentication contract to be used when users access Identity Server directly or a protected resource is configured to use Any Contract. If you create a new contract and specify it as the default, ensure that you update the Access Gateway configuration if it has protected resources configured to use Any Contract, so that those resources pick up the new default.

    Authentication Type: Specifies the default authentication contracts to be used for each authentication type. When a service provider requests a specific authentication type, rather than a contract, the identity provider uses the authentication contract specified here for the requested authentication type. For more information, see Specifying Authentication Types.

  3. Click OK.

  4. Update Identity Server.

Specifying Authentication Types

Trusted service providers can send Identity Server an authentication request that asks for either a specific contract or an authentication type (class). When the request is for an authentication type, Identity Server must translate the type to a contract before it can authenticate the user. Use the Authentication Type section of the Defaults page to specify the contract to use for each of the common types (classes).

The Defaults page does not list every possible type. For a type that does not appear there, do one of the following:

  • Define a contract whose URI matches the requested class type. When the authentication request is received, Identity Server matches the requested class URI against the contract URIs.

    When you create such a contract, you are asserting that the contract is the security equivalent of the requested class, so the methods in the contract must actually provide that level of assurance. See Creating a Contract for a Specific Authentication Type.

  • Use the Trust Levels class to assign an authentication level to the requested class. This level ranks the requested type. Using the authentication level together with the comparison type in the request, Identity Server can determine whether any contracts meet the requirements of the request. If one or more contracts match, the user is presented with the corresponding authentication prompts.

    For configuration information, see Configuring the Trust Levels Class.

Creating a Contract for a Specific Authentication Type

The following steps explain how to create a contract that matches what a trusted service provider is asking for in its authentication request.

  1. Click Devices > Identity Servers > Edit > Local > Contracts.

  2. To create a new contract, click New.

  3. Fill in the following fields:

    Display name: Specifies the name of the authentication contract.

    URI: Specifies a value that uniquely identifies the contract among all other contracts. This value must be identical to the authentication context class reference that the service provider sends in its authentication request for the type.

    Authentication Level: (Optional) Specifies a security level or rank for the contract. This value is not used when the authentication request sets the comparison type to exact; it is used only when a contract is selected by comparing authentication levels.

    If the service provider sets the comparison type to minimum, the contract's authentication level can be the same as or higher than the level of the requested class. If the comparison type is better, the contract's authentication level must be higher than that level.

    Methods: Select the method that matches the class or type you specified in the URI.

    The other fields for the contract are not requirements of the authentication request and can be configured to meet the requirements of Identity Server. For information about these fields, see Section 4.1.4, Configuring Authentication Contracts.

  4. Click Next.

  5. Configure an authentication card for the contract.

    For information about these fields, see Configuring Authentication Contracts.

  6. Click Finish > OK.

  7. Update Identity Server.
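As an added illustration (not part of this documentation and not NetIQ's code) of how the pieces described above fit together, the following Python models how an identity provider translates a SAML 2.0 RequestedAuthnContext into one of its local contracts: an exact comparison is satisfied only by a URI match, while minimum and better compare the contract's Authentication Level against the level assigned to the requested class (the role the Trust Levels class plays). The contract names, contract URIs, level values, the level table and the sample AuthnRequest are constructed assumptions; only the authentication context class URIs are the standard SAML 2.0 ones. The example goes slightly beyond the page by also handling SAML's fourth Comparison value, maximum, and by falling through to the default contract when the request names no type at all.

```python
"""Added example, not product code: map a SAML 2.0 RequestedAuthnContext
to a local authentication contract using URI matching and authentication
levels. All contracts, levels and the request below are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Standard SAML 2.0 authentication context class URIs (a subset).
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"


@dataclass(frozen=True)
class Contract:
    name: str
    uri: str     # must equal the class reference the SP sends
    level: int   # the "Authentication Level" field; hypothetical values


# Hypothetical contract table as an administrator might define it.
CONTRACTS = [
    Contract("Name/Password - Basic", "name/password/basic", 10),
    Contract("Name/Password - Form", PPT, 20),   # URI matches the class
    Contract("TOTP", "urn:example:contracts:totp", 25),
    Contract("X509 Certificate", X509, 30),
]
DEFAULT_CONTRACT = CONTRACTS[1]

# Hypothetical "trust level" assignments for classes with no contract of
# their own; lets the IdP rank a requested class it cannot match by URI.
TRUST_LEVELS = {PASSWORD: 10, PPT: 20, X509: 30}


def authn_request(comparison, *class_refs):
    """Build a minimal constructed AuthnRequest for the example."""
    rac = ""
    if class_refs:
        refs = "".join(f"<saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>"
                       for c in class_refs)
        rac = f'<samlp:RequestedAuthnContext Comparison="{comparison}">{refs}</samlp:RequestedAuthnContext>'
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            f'<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>{rac}'
            f'</samlp:AuthnRequest>')


def parse_requested_context(xml_text):
    """Return (comparison, [class refs]); comparison defaults to exact per SAML."""
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs


def select_contracts(xml_text, contracts=CONTRACTS, trust_levels=TRUST_LEVELS):
    """Names of contracts that satisfy the request, strongest first.
    An empty list means the IdP should answer with a failure status
    (SAML defines urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext),
    not silently fall back to the default contract."""
    comparison, refs = parse_requested_context(xml_text)
    if comparison is None or not refs:
        return [DEFAULT_CONTRACT.name]          # no type requested: default applies
    if comparison == "exact":
        return [c.name for c in contracts if c.uri in refs]   # level is ignored

    # Level of each requested class: from a contract with that URI, else trust level.
    by_uri = {c.uri: c.level for c in contracts}
    levels = [by_uri[r] if r in by_uri else trust_levels[r]
              for r in refs if r in by_uri or r in trust_levels]
    if not levels:
        return []                                # unknown class, nothing to rank against
    if comparison == "minimum":
        ok = [c for c in contracts if c.level >= min(levels)]   # same or higher
    elif comparison == "better":
        ok = [c for c in contracts if c.level > max(levels)]    # strictly higher
    elif comparison == "maximum":
        ok = [c for c in contracts if c.level <= max(levels)]   # strongest not exceeding
    else:
        raise ValueError(f"unknown Comparison value: {comparison!r}")
    return [c.name for c in sorted(ok, key=lambda c: c.level, reverse=True)]


if __name__ == "__main__":
    for cmp in ("exact", "minimum", "better", "maximum"):
        print(cmp, "->", select_contracts(authn_request(cmp, PPT)))
    print("kerberos exact ->", select_contracts(authn_request("exact", KERBEROS)))
```

The Kerberos case shows the situation the page describes: a class the Defaults page does not cover and for which no contract URI or trust level exists yields no match, which is the point at which an administrator adds either a matching contract or a Trust Levels assignment.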