4.2.5 Configuring SAML 1.1

Configuring a SAML 1.1 Profile

You can configure the methods of communication that are available at the server for requests and responses sent between providers. Profiles control which of these methods are available for the SAML 1.1 protocol. These settings affect the metadata for the server and must be determined prior to publishing to other sites. If you have set up trusted providers and then modify these profiles, the trusted providers need to reimport the metadata from this Identity Server.

  1. Click Devices > Identity Servers > Edit > SAML 1.1 > Profiles.

  2. Configure the following fields:

    Login: Specifies the communication channel when the user logs in. Select one or more of these methods for the identity provider and the identity consumer:

    • The Artifact binding provides an increased level of security by using the back channel for communication between the two servers during authentication.

    • The Post method uses HTTP redirection to accomplish communication between servers.

      The Post method is enabled by default and you cannot modify the default settings. The Post profile creates metadata that includes only a Post binding on the service provider. In the default setup, both the Artifact and Post options are enabled. If both options are enabled, the Artifact binding is used by default. If the Artifact binding is disabled or removed, only the Post method is used.

    Source ID: Displays the hexadecimal ID generated by Identity Server for the SAML 1.1 service provider. This is a required value when establishing trust with a service provider.

  3. Click OK, then update Identity Server.

  4. (Conditional) If you have set up trusted providers and have modified the profile, these providers need to reimport the metadata from this Identity Server.

Creating a SAML 1.1 Service Provider

Creating a SAML 1.1 Identity Provider

Configuring Communication Security for SAML 1.1

Liberty and SAML 1.1 have the same security options for the SOAP back channel for both identity and service providers. See Configuring Communication Security for Liberty.

Editing a SAML 1.1 Identity Provider’s Metadata

Editing a SAML 1.1 Service Provider’s Metadata

Configuring the SAML 1.1 Authentication Response

You can specify the name identifier and its format when Identity Server sends an authentication response. You can also restrict the use of the assertion.

When an identity provider sends an assertion, the assertion can be restricted to an intended audience. The intended audience is defined to be any abstract URI in SAML 1.1. The URL reference can also identify a document that describes the terms and conditions of audience membership.

  1. Click Devices > Identity Servers > Edit > SAML 1.1 > [Service Provider] > Authentication Response.

  2. To specify a name identifier format, select one of the following:

    • E-mail: Specifies that an e-mail attribute can be used as the identifier.

    • X509: Specifies that an X.509 certificate can be used as the identifier.

    • Unspecified: Specifies that the format is left unspecified and any value can be used. The service provider and the identity provider need to agree on what value is placed in this identifier.

  3. To specify the format of the name identifier, select an attribute.

    The available attributes depend upon the attributes that you have selected to send with authentication (see the Attributes page for the service provider).

  4. To configure an audience, click New.

  5. Specify the SAML Audience URL value.

    The Provider ID, which can be used for the audience, is displayed on the Edit page for the metadata.

  6. You can manually set the assertion validity time for the SAML service provider in the Assertion Validity field to accommodate clock skew between the service provider and the SAML Identity Server (IDP).

  7. Click OK twice, then update Identity Server.
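The two checks a service provider applies to what this page configures, the audience restriction and the assertion validity window with clock skew, written out as an added example (this is not Access Manager code; the assertion XML is constructed and the example hostnames are assumptions):

```python
"""Check SAML 1.1 assertion Conditions: audience restriction and validity window.
Added example, not Access Manager code; the assertion is constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion (not captured from a real Identity Server).
SAMPLE_ASSERTION = f"""
<Assertion xmlns="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
           AssertionID="constructed-id-1" IssueInstant="2024-01-01T12:00:00Z"
           Issuer="https://idp.sitea.example/nidp/saml/metadata">
  <Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <AudienceRestrictionCondition>
      <Audience>https://idp.siteb.example/nidp/saml/metadata</Audience>
    </AudienceRestrictionCondition>
  </Conditions>
</Assertion>
"""


def _instant(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, my_provider_id, now_utc, skew_seconds=0):
    """Return (ok, reason). now_utc is the consumer's clock as a SAML timestamp.

    skew_seconds widens the NotBefore/NotOnOrAfter window in both directions,
    which is what the Assertion Validity setting is for. An assertion with no
    AudienceRestrictionCondition is rejected here as a deliberate policy choice.
    """
    root = ET.fromstring(assertion_xml.strip())
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    if cond is None:
        return False, "no Conditions element"
    now, skew = _instant(now_utc), timedelta(seconds=skew_seconds)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= _instant(not_on_or_after):
        return False, "assertion expired"
    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML1_NS}}}Audience") if a.text]
    if not audiences:
        return False, "no audience restriction"
    if my_provider_id not in audiences:   # exact string match, no URI normalisation
        return False, "audience mismatch"
    return True, "ok"
```

The audience value is compared as an exact string, which is why the Provider ID shown on the metadata Edit page should be copied verbatim into the SAML Audience URL field.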

Defining Options for SAML 1.1 Service Provider

For more information about Options, see Defining Options for a SAML 2.0 Service Provider.

  1. Click Devices > Identity Servers > Servers > Edit > SAML 1.1 > Service Provider > Options.

  2. Select the required step up authentication contracts from the Available Contracts list and move them to the Selected Contracts list. These selected contracts will be used to provide the step up authentication for the service provider.

  3. Click OK.

Modifying the Authentication Card for SAML 1.1

When you create an identity provider, you must also configure an authentication card. After it is created, you can modify it.

  1. Click Devices > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > Authentication Card.

  2. Modify the values in one or more of the following fields:

    ID: If you need to reference this card outside of the user interface, specify an alphanumeric value here. If you do not assign a value, Identity Server creates one for its internal use. The internal value is not persistent and can change whenever Identity Server is rebooted. A specified value is persistent.

    Text: Specify the text that is displayed on the card to the user. This value, in combination with the image, must identify to users which provider they are logging into.

    Login URL: Specify an Intersite Transfer Service URL. The URL has the following format, where idp.sitea.novell.com is the DNS name of the identity provider, idp.siteb.novell.com is the DNS name of the service provider, and idp.siteb.novell.com:8443/nidp/app specifies the URL that you want users to access after a successful login.

    NOTE: The PID in the login URL must exactly match the entity ID specified in the metadata.

    https://idp.sitea.novell.com:8443/nidp/saml/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/saml/metadata&TARGET=https://idp.siteb.novell.com:8443/nidp/app

    For more information, see Specifying the Intersite Transfer Service URL for the Login URL Option.

    If your identity provider is an Access Manager Identity Server and you know the ID specified for the target, you can use the following simplified format for the Login URL:

    <URL for site a>?id=<ID of target>
    https://idp.sitea.novell.com:8443/nidp/saml/idpsend?id=206test

    The target and the target ID are specified in the service provider configuration at the identity provider. See Configuring an Intersite Transfer Service Target for a Service Provider.

    Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click <Select local image>.

    Show Card: Determine whether the card is shown to the user, which allows the user to select and use the card for authentication. If this option is not selected, the card is only used when a service provider makes a request for the card.

  3. Click OK twice, then update Identity Server.
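Composing the Intersite Transfer Service login URL from the pieces named above and checking that its PID matches the metadata entity ID exactly, as an added example (not Access Manager code; the TARGET host allowlist is an assumption added here, not a product setting):

```python
"""Build and check a SAML 1.1 Intersite Transfer Service login URL.
Added example, not Access Manager code; it assumes the URL layout shown above."""
from urllib.parse import parse_qs, urlencode, urlsplit


def build_its_login_url(idp_base, sp_entity_id, target):
    """Compose https://<idp>/nidp/saml/idpsend?PID=...&TARGET=... with both values encoded."""
    query = urlencode({"PID": sp_entity_id, "TARGET": target})
    return f"{idp_base.rstrip('/')}/nidp/saml/idpsend?{query}"


def check_its_login_url(url, expected_entity_id, allowed_target_hosts):
    """Return a list of problems; an empty list means the URL is acceptable.

    PID is compared byte-for-byte with the entity ID from the metadata, because
    a trailing slash or case difference is enough to break the trust lookup.
    The TARGET host allowlist is an added safeguard (assumption), not a product setting.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("login URL must use https")
    if not parts.path.endswith("/nidp/saml/idpsend"):
        problems.append("path is not the idpsend endpoint")
    query = parse_qs(parts.query, keep_blank_values=True)
    pids = query.get("PID", [])
    if len(pids) != 1:
        problems.append("PID must appear exactly once")
    elif pids[0] != expected_entity_id:
        problems.append(f"PID {pids[0]!r} does not match entity ID {expected_entity_id!r}")
    targets = query.get("TARGET", [])
    if len(targets) != 1:
        problems.append("TARGET must appear exactly once")
    else:
        t = urlsplit(targets[0])
        if t.scheme != "https" or t.hostname not in allowed_target_hosts:
            problems.append(f"TARGET {targets[0]!r} is not an allowed https destination")
    return problems


# The login URL and entity ID from the documentation above, for checking.
DOC_ENTITY_ID = "https://idp.siteb.novell.com:8443/nidp/saml/metadata"
DOC_LOGIN_URL = ("https://idp.sitea.novell.com:8443/nidp/saml/idpsend"
                 "?PID=https://idp.siteb.novell.com:8443/nidp/saml/metadata"
                 "&TARGET=https://idp.siteb.novell.com:8443/nidp/app")
```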