4.2.2 Service Provider Brokering

The Service Provider Brokering (SP Brokering) feature enables Identity Server to act as a federation gateway or service provider broker. This federation gateway lets you connect providers that use different protocols such as Liberty, SAML 1.1, and SAML 2.0. You can use SP Brokering with the Intersite Transfer Service of the identity provider, which enables authentication at a trusted service provider. SP Brokering helps companies establish trust between identity providers and service providers that support different federation protocols. For example, an identity provider that supports SAML 2.0 can provide authentication to a Liberty or SAML 1.1 service provider through the SP Broker.

SP Brokering reduces the number of trust relationships between an identity provider and its service providers. For example, an identity provider can provide authentication to its service providers by establishing a single trust relationship (with the SP Broker) instead of one relationship per service provider. Similarly, a service provider needs only a single trust relationship with the SP Broker to receive authentication from several identity providers.

An administrator can control the authentication flow between several identity providers and service providers in a federation circle by configuring policies on the SP Broker that control Intersite Transfers. For example, an administrator can configure a policy that allows only certain users from an identity provider to be authenticated at a given service provider.

An Intersite Transfer URL has the following format: https://<identity provider>/idpsend?PID=<Service Provider ID>&TARGET=<final_destination_URL>

This Intersite Transfer URL consists of three parts:

  • https://<identity provider>: The user authenticates at the identity provider.

  • /idpsend?PID=<Service Provider ID>: Authentication occurs at the service provider represented by the service provider ID at the identity provider.

  • &TARGET=<final_destination_URL>: The user is finally redirected to the specified target URL associated with the service provider.

A web page is created with many Intersite Transfer URLs for each combination of identity provider, service provider, and the target application.

For more information about the Intersite Transfer Service, see Section 2.7.10, Using the Intersite Transfer Service.

The following illustration explains the flow of providing access to the target URL by using SP Brokering:

Web Page (User Portal): A web page (user portal) is created with a list of URLs called Brokered URLs, which provide access to various target applications.

Originating Identity Providers: The Originating Identity Provider is the identity provider where the user's credentials are stored for authentication. The Origin IDP must be configured as a Liberty/SAML 1.1/SAML 2.0 trusted identity provider in the SP Broker.

Federation Gateway or SP Broker: The Federation Gateway or SP Broker is an Access Manager identity provider that can be configured to control authentication between several Origin IDPs and Allowed SPs in a federation circle.

Allowed Service Provider: The Allowed SP is the service provider to which the SP Broker provides authentication. The Allowed SP must be configured as a Liberty/SAML 1.1/SAML 2.0 trusted service provider on the SP Broker.

Target Application: The target application is the application running on a web server that is protected by the service provider.

Broker URL: A Broker URL is a specially designed Intersite Transfer URL that consists of four parts. When you click the brokered URL, the following occurs:

  1. You must authenticate with the Originating IDP (https://idp1.com/idpsend).

  2. The Origin IDP causes an authentication to occur at the SP Broker (?PID=SPBroker).

  3. The SP Broker causes an authentication to occur at the allowed SP (TARGET=https://spbroker.com/idpsend?PID=SP1).

  4. You are redirected to the target application (?TARGET=TARGET1).

SP Brokering requests are the Intersite Transfers that result from brokered URLs processed on the SP Broker. The SP Broker can control these requests before providing an authentication to the service provider: it enforces the policies configured by the administrator either by causing the authentication at the service provider or by denying the request.

The SP Broker provides the following options to configure policies that control SP brokering requests:

  1. A set of SAML 1.1, SAML 2.0, and Liberty trusted identity providers and trusted service providers can be configured as a brokering group. The brokering request is allowed only if the Origin identity provider and the Allowed service provider belong to the same brokering group. A brokering request from an Origin identity provider of one group to an Allowed service provider of another group is not allowed.

  2. In a brokering group, a set of brokering rules can be configured to provide granular control over brokering requests. For example, a brokering rule can be configured to deny a brokering request from an Origin identity provider to an Allowed service provider if the user satisfies a certain condition at the SP Broker.

SP Brokering is enabled on Identity Server only if at least one brokering group is enabled. If an Intersite Transfer request is received in which neither the Origin identity provider nor the Allowed service provider is in any brokering group, the request is treated as a regular Intersite Transfer and SP Brokering controls are not applied.

This chapter provides information about configuring the Access Manager SP Brokering functionalities, various deployment scenarios, and associated configuration details.

Configuring an SP Broker

This section describes how to configure the origin identity provider to act as an SP Broker or a federation hub and how to control the authentications provided by the Origin identity providers to their Allowed service providers.

Prerequisites

  1. Identify the Origin identity providers and their Allowed service providers. For example, Company 1 establishes a business partnership with Partner 1 under which Company 1 users can access an application of Partner 1. In this case, the identity provider at Company 1 is the Origin identity provider, and the Allowed service provider is the service provider at Partner 1, which controls access to its applications.

  2. Identify the federation protocols supported by the Origin identity providers and their Allowed service providers. Access Manager Identity Provider supports SP Brokering for SAML 2.0, Liberty, and SAML 1.1 federations.

  3. Identify whether a Persistent or Transient federation needs to be established between Company 1 and Partner 1. For Persistent federation, the user authenticated at the Origin identity provider must be mapped to a valid user at the Allowed service provider. For Transient federation, the user is given a temporary identity at the Allowed service provider.

Configuration Flow

The following diagram depicts the configuration steps involved in enabling SP Brokering, assuming SP Brokering is enabled between Company 1 and Partner 1:

Step 1: Establish Federation at Origin Identity Providers to SP Broker

  1. The SP Broker must be configured as the service provider at the origin identity provider of Company 1.

    For more information, see Creating a SAML 1.1 Service Provider.

    If an Access Manager identity provider is the Origin identity provider, see Creating a Trusted Service Provider.

Step 1a: Establish Federation at Allowed Service Providers to SP Broker

The SP Broker must be configured as the identity provider at the allowed service provider of Partner 1.

For more information, see Creating a Trusted Identity Provider.

If an Access Manager identity provider is the allowed service provider, see Creating a Trusted Service Provider.

NOTE: Step 1 must be repeated for each origin identity provider in the federation circle, and Step 1a must be repeated for each allowed service provider in the federation circle.

Step 2: Establish Federations at SP Broker for Origin Identity Providers and their Allowed Service Providers

At the SP Broker, configure the origin identity provider of Company 1 as the identity provider. The federation protocol (SAML 1.1, SAML 2.0, or Liberty) and the federation type (Persistent or Transient) must match the federation protocol and federation type used for the respective origin identity provider in Step 1.

For more information, see Creating a SAML 1.1 Service Provider, Creating a Liberty Service Provider, and Creating a Trusted Service Provider.

Step 2a:

At the SP Broker, configure the allowed service provider of Partner 1 as the service provider. The federation protocol (SAML 1.1, SAML 2.0, or Liberty) and the federation type (Persistent or Transient) must match the federation protocol and federation type used for the respective allowed service provider in Step 1a.

For more information, see Creating a Trusted Identity Provider.

For more information, see Creating a Trusted Service Provider.

NOTE: Step 2 must be repeated for each origin identity provider in the federation circle, and Step 2a must be repeated for each allowed service provider in the federation circle.

Step 3: Configure the Attribute to be Cached at the SP Broker (Optional)

If the target applications require user information, the origin identity provider must pass this information along with the authentication. At the SP Broker, the attributes received at authentication must be cached and sent to the allowed service provider with the authentication.

For more information, see Configuring the Attributes Obtained at Authentication.

For more information, see Configuring the Attributes Sent with Authentication.

Step 4: Create Brokering Group for the Federation Circle with the Origin Identity Providers and their Allowed Service Providers

Create a new brokering group in the SP Broker. The Company 1 identity provider and the Partner 1 service provider must be selected as the origin identity provider and its allowed service provider.

For more information, see Creating a Brokering Group.

SP Brokering is enabled when at least one brokering group is enabled. Origin identity providers and their allowed service providers can be added while creating the brokering group, or added and deleted later by editing the brokering group.

Step 5: Create Brokering Rules for the Brokering Group

Create brokering rules that provide granular control over brokering requests. For example, a brokering rule can be configured to deny a brokering request from an origin identity provider to an Allowed service provider if the user holds a certain role at the SP Broker.

For more information, see Configuring Brokering Rules.

To use roles in the brokering rules, identity role policies must be configured on the Access Manager identity provider acting as the SP Broker. Roles can be assigned to the user at the SP Broker based on parameters such as the roles and attribute values sent by the origin identity provider.

For more information, see Section 10.2.2, Enabling Role-Based Access Control.

Several rules can be configured for a brokering group. To help administrators understand how the rules are applied, a Rule Validation user interface is provided under each brokering group.

For more information, see Validating Brokering Rules.

Step 6: Create and Configure Brokering URLs

The users at Company 1 are provided with a portal page containing URLs for accessing the applications at the service provider of Partner 1. These URLs are called Brokering URLs and are designed to pass through the SP Broker. The routing information is embedded in the URLs, and a tool is provided to construct them. The administrator can create URLs from a given origin identity provider to its allowed service provider that access a given target application specified by a target URL. The constructed URLs are placed in the users' portal page.

For more information, see Constructing Brokering URLs.

Configuring a Brokering for Authorization of Service Providers

Authorization rules for authorizing service provider requests must be configured from the Access Manager Brokering page. To configure an authorization policy, configure the broker rule policy. Ensure that the service providers to be evaluated during authorization are configured on the local Identity Server. Figure 4-8 displays a sample configuration.

Figure 4-8 SAML2 Service Provider Initiated Authorization Rule Configuration

Creating and Viewing Brokering Groups

Identity Server cluster configuration provides a Brokering tab that you can use to configure the groups and generate brokered URLs.

  1. Click Devices > Identity Servers > Brokering.

  2. The Brokering tab allows you to create new groups and displays the configured groups. The Display Brokering Groups page displays the list of configured groups.

    You can also create, delete, enable, and disable the brokering group on this page.

  3. The Display Brokering Groups page displays the following information for each group:

    Group Name: Specifies a unique name to identify the group. When you click on the hyperlink, you can view the Group Details page, where the Group configuration such as name and list of Identity Providers and Service Providers can be modified.

    Enabled: A check mark indicates that brokering is enabled for the group by applying the configured rules. A blank means that brokering is disabled.

    Identity Providers: Displays the total number of Liberty/SAML 1.1/SAML 2.0 IDPs assigned to this group.

    Service Providers: Displays the total number of Liberty/SAML 1.1/SAML 2.0 SPs assigned to this group.

    Brokering Rules: If the rules are not configured, then “No Rules Config” is displayed. The default rule allows for brokering between any IDP to any SP in the group. If new rules are configured, then the first rule name is displayed along with the count of total rules.

Creating a Brokering Group

When you create a brokering group, the following rules apply:

  • Brokering is not allowed among different company groups.

    The brokering is not allowed between the logical customers of Company 1 Brokering Group and Company 2 Brokering Group.

  • Brokering is allowed among different partners of the company group.

    Brokering is allowed between the brokering groups of Company 1 Brokering Group and Company 2 Brokering Group.

    • Role based brokering is allowed among Company 1 and Partner 1 logical customers.

    • Role based brokering is allowed among Company 2 and Partner 2 logical customers.

  • Brokering is allowed among different partners based on roles and groups authentication of the company.

To create a new brokering group, follow these steps:

  1. Click Devices > Identity Servers > Brokering.

  2. Click New. The Creating Brokering Group page displays.

  3. Specify the following details:

    Display Name: The display name of the brokering group.

    Selected IDPs: Select at least one trusted IDP by using the navigation buttons.

    Selected SPs: Select at least one trusted SP by using the navigation buttons.

    Available Trusted IDPs: Displays Liberty/SAML1.1/SAML2.0 trusted IDP configured on the given IDP cluster (idp_cluster1).

    Available Trusted SPs: Displays Liberty/SAML1.1/SAML2.0 Trusted Service Providers configured on the given Identity Provider Cluster (idp_cluster1).

  4. Click Finish to complete creation of the brokering group.

Configuring Trusted Identity Providers and Service Providers

You can configure rules between the trusted identity providers and service providers by defining rules, roles, and actions. You can view the configured rules, create new rules, delete or edit existing rules, and enable or disable configured rules.

You can configure the service providers and identity providers for all of the protocols in Identity Server, which are configured in Identity Server cluster. Using the brokering group, you can view the list of available service providers and identity providers in the selection box. Using the arrow keys, configure the trusted identity providers and trusted service providers for the respective brokering group.

  1. Click Devices > Identity Servers > Brokering Group Name. The Configuration page displays the Trusted Providers, Brokering rules, Construct URL and Rule Validation tabs.

  2. Click the Trusted Providers tab.

  3. Specify the display name and configure the brokering groups.

    Display Name: Specify the display name of the brokering group being configured.

    Select IDPs: Configure the selected identity providers using the arrow keys from the available trusted IDPs.

    Available Trusted IDPs: Configure the available trusted identity providers using the arrow keys from Selected Identity Providers selection box.

    Selected SPs: Configure the selected service providers using the arrow keys from the Available Trusted Service Providers selection box.

    Available Trusted SPs: Configure the available trusted service providers using the arrow keys from the Selected Service Providers selection box.

  4. Click OK to continue and the configured service providers and identity providers details are displayed in the Brokering page.

  5. Click Finish to complete the rules configuration for the brokering group.

  6. Click Apply to see the configuration changes.

NOTE: When you log out from the Access Gateway device, the logout is not propagated to the other Identity Servers if SAML 1.1 is one of the trusted providers in the brokering group.

Configuring Brokering Rules

You can create, edit, delete, enable, and disable brokering rules.

  1. Click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created Brokering Group hyperlink.

  3. Click Rules. The Brokering Group Rules page is displayed.

    Name: Displays the rule name of the brokering group.

    Enabled: Displays the status of the brokering group rule.

    Identity Providers: Displays the number of identity providers configured to the brokering group.

    Service Providers: Displays the number of service providers configured to the brokering group.

    Priority: Displays the brokering group rule priority number.

    Actions: Displays the configured brokering group rule action status either as permit or deny.

    Role Conditions: Displays the brokering group role condition, such as manager and employee, configured on the rule page.

  4. Click OK to continue and display the configured brokering group rule details on the Brokering Rules page.

  5. Click Apply to see the brokering rule configuration changes.

Creating a Brokering Rule

You can configure rules for the created brokering groups.

  1. Click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created Brokering Group hyperlink.

  3. Click Rules. The Creating Brokering Group page displays.

    Rule Name: Specify the name of the rule.

    Rule Priority: Select the rule priority from the drop-down list.

    NOTE: The default rule specified during creation of the group has a priority of 1. Additional rules can be added, and existing rules can be deleted or modified. You can use the Edit Rules page to modify the priority of the rules.

    Origin IDP: Displays all Identity Servers or one or more Identity Servers that are available in the group.

    Allowed SP: Displays all service providers or one or more service providers that are available in the group.

    Role Conditions: Displays the brokering group role condition such as manager and employee, configured on the rule page.

    Actions: Select the Permit or Deny action radio button for the rule you configure to the brokering group.

    NOTE: By default, Access Manager allows any role. If you want to allow access only to particular roles, configure a Permit rule for those roles with a higher priority and configure a Deny rule in which no roles are defined with a lower priority.

  4. Click Finish to complete configuration of rules for the brokering group.

Deleting a Brokering Rule

  1. Click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.

  2. Select the check box of the brokering group rule you want to delete, then click Delete. A message is displayed as “Delete selected brokering rule(s)?”.

  3. Click OK to continue.

Enabling a Brokering Rule

  1. Click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.

  2. Select the check box of the brokering group rule you want to enable.

  3. Click Enable. The selected brokering group is enabled.

Disabling a Brokering Rule

  1. Click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.

  2. Select the check box of the brokering group you want to disable from the brokering group rule configuration.

  3. Click Disable. The selected brokering group is disabled.

Editing Brokering Rules

You can edit the group rules in the Brokering page.

  1. Click Devices > Identity Servers > Edit > Brokering.

  2. Click the existing or newly created brokering group hyperlink.

  3. Click Rules tab.

  4. Click the Brokering Rules hyperlink to edit the information. The Edit Brokering Rule page displays the rule information, which you can edit.

You can edit all the fields and modify the information on the Create Brokering Rule page. For more information about creating a brokering rule, see Creating a Brokering Rule.

Constructing Brokering URLs

The Construct URL page helps you to create a URL, which you use in your application to navigate to your trusted partners.

You can generate the URL according to the origin and allowed service provider Identity Servers.

  1. Click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created brokering group hyperlink.

  3. Click Construct URL.

    IDP Type: Select the Identity Provider type from the drop-down list. The three types of IDP in the drop-down list are Local IDP, Access Manager IDP, and Other IDP. If you select Access Manager IDP as the IDP type, then you can select the Origin IDP from the drop-down list. If you select Other IDP as the IDP type, you can enter the Origin IDP URL and you can select the Origin IDP from the drop-down list.

    Origin IDP: The Origin identity providers are the trusted providers. The drop-down list displays all the trusted providers created for the specific Access Manager brokering group. Select the Origin IDP from the drop-down list.

    NOTE: If the Origin IDP drop-down list does not list any trusted providers, it is because a local Identity Server exists as a trusted provider. To resolve this, add another Identity Server to the Access Manager brokering group.

    Origin IDP URL: If you select Other IDP as the IDP type, you can enter the Origin IDP URL manually. The <OriginIDPURL> represents (protocol :// domain : port / path ? querystring).

    Provider Parameter Name: If you select Other IDP as the IDP Type, you can enter the trusted provider parameter ID. For more information about the Intersite Transfer Service target for a service provider, see Configuring an Intersite Transfer Service Target for a Service Provider.

    Target Parameter Name: If you select Other IDP as the IDP type, you can enter the target provider parameter name manually.

    Allowed SP: The allowed service providers are the selected service providers of the trusted providers. The drop-down list displays all the service providers created for the specific brokering group. Select the service providers from the drop-down list.

    Target URL: Specify the target URL for the specific trusted provider and service provider pair. This URL is appended to the login URL. Click Generate to generate the login URL.

    Login URL: The login URL consists of Origin IDP URL and the target URL.

  4. Click Cancel to close the Construct URL page.

Validating Brokering Rules

The rule validation page helps you to validate the Origin identity providers and the allowed service provider rule according to the role associated with the respective trusted partners.

  1. Click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created brokering group hyperlink.

  3. Click the Rule Validation tab.

    Origin IDP: The Origin identity providers are the trusted providers. The drop-down list displays all the trusted providers created for the specific Access Manager brokering group. Select the Origin identity providers from the drop-down list.

    Allowed SP: The Allowed SPs are the selected SPs of the trusted providers. The drop-down list displays all the service providers created for the specific brokering group. Select the service providers from the drop-down list.

    Role: Specify the role you want to validate for the selected Origin identity provider and allowed SP. Click Validate Rule.

    A list is displayed according to the rule validation for the selected trusted providers, role, and permission.

    Name: Displays the role name of the selected trusted providers.

    Identity Providers: Displays the identity provider name.

    Service Providers: Displays the service provider name.

    Priority: Displays, in ascending order, the priority number of each rule evaluated for the selected trusted providers.

    Action: Displays the action (Permit or Deny) of each rule evaluated for the selected trusted providers.

    Role Conditions: Displays the role conditions of each rule evaluated for the selected trusted providers. Denial takes precedence over Permit.

    Evaluate State: Displays the evaluate state of each rule for the selected trusted providers. The following evaluation states are possible:

    Pass 1: The rule matches the Origin identity provider and allowed service provider, with any role.

    Pass 2: The rule matches the Origin identity provider and allowed service provider, with a specific role.

    Ignored: The rule matches neither Pass 1 nor Pass 2.

    Not Executed: The default state of all the rules.

    NOTE: If a rule has the evaluate state Pass 1 and the action Deny, the remaining rules are left in the Not Executed state.

    After a rule has the evaluate state Pass 2, regardless of its action, the remaining rules are left in the Not Executed state.

    The rules before the Pass 1 rule must have the evaluate state Ignored. All these ignored rules must have the role condition Any, without specifying any specific role condition.

    Pass 1 evaluation stops as soon as a match for the Origin identity provider and allowed service provider is found with a specific role condition.

  4. Click Cancel to close the Rule Validation page.
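The following Python models the SP Broker decision described in this section: the brokering-group check (both providers must share an enabled group, a request touching no group is a regular Intersite Transfer, anything else is denied) followed by priority-ordered rule evaluation that reports the Pass 1, Pass 2, Ignored and Not Executed states shown on the Rule Validation page. It is an added example, not product code; group names, provider IDs and roles are constructed, and it assumes that Pass 1 means a rule matching the IDP and SP with role condition Any, that Pass 2 means one matching the IDP, SP and a role the user holds, and that the group's default (permit any IDP to any SP) applies when no rule yields a decision.

```python
"""Model of the SP Broker's group check and rule evaluation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

ANY = "*"  # stands for "all IDPs", "all SPs", or the role condition "Any"


@dataclass
class Rule:
    name: str
    priority: int                # lower number is evaluated first
    origin_idps: FrozenSet[str]  # {ANY} or specific provider IDs
    allowed_sps: FrozenSet[str]
    roles: FrozenSet[str]        # {ANY} means no role condition
    action: str                  # "Permit" or "Deny"


@dataclass
class BrokeringGroup:
    name: str
    idps: FrozenSet[str]
    sps: FrozenSet[str]
    rules: List[Rule] = field(default_factory=list)
    enabled: bool = True


def _matches(selector: FrozenSet[str], value: str) -> bool:
    return ANY in selector or value in selector


def classify_request(groups: List[BrokeringGroup], idp: str,
                     sp: str) -> Tuple[str, Optional[BrokeringGroup]]:
    """Group check performed before any rule runs.

    "brokered": both providers sit in the same enabled group.
    "regular":  neither belongs to any enabled group (plain Intersite
                Transfer, brokering controls do not apply).
    "denied":   the providers are in different groups or only one is grouped.
    """
    enabled = [g for g in groups if g.enabled]
    if not any(idp in g.idps or sp in g.sps for g in enabled):
        return "regular", None
    for g in enabled:
        if idp in g.idps and sp in g.sps:
            return "brokered", g
    return "denied", None


def evaluate_rules(rules: List[Rule], idp: str, sp: str,
                   user_roles: FrozenSet[str]) -> Tuple[str, Dict[str, str]]:
    """Walk the rules in priority order; return the decision and the evaluate
    state of every rule, as the Rule Validation page would list them."""
    states = {r.name: "Not Executed" for r in rules}
    decision: Optional[str] = None
    for rule in sorted(rules, key=lambda r: r.priority):
        if not (_matches(rule.origin_idps, idp) and _matches(rule.allowed_sps, sp)):
            states[rule.name] = "Ignored"
            continue
        if ANY in rule.roles:
            states[rule.name] = "Pass 1"
            decision = rule.action
            if rule.action == "Deny":
                break      # a Pass 1 deny ends evaluation
            continue       # a Pass 1 permit can still be overridden by a later deny
        if rule.roles & user_roles:
            states[rule.name] = "Pass 2"
            decision = rule.action
            break          # Pass 2 ends evaluation regardless of action
        states[rule.name] = "Ignored"
    return (decision or "Permit"), states  # assumed group default: permit


def broker_request(groups: List[BrokeringGroup], idp: str, sp: str,
                   user_roles: FrozenSet[str]) -> Tuple[str, Dict[str, str]]:
    kind, group = classify_request(groups, idp, sp)
    if kind != "brokered":
        return kind, {}
    decision, states = evaluate_rules(group.rules, idp, sp, user_roles)
    return ("permitted" if decision == "Permit" else "denied"), states


# Constructed sample data: the pattern recommended in the note on creating a
# rule (permit a role at higher priority, deny with no role at lower priority).
COMPANY1_IDP = "https://idp.company1.example/nidp/saml2/metadata"
PARTNER1_SP = "https://sp.partner1.example/nidp/saml2/metadata"
PARTNER2_SP = "https://sp.partner2.example/nidp/saml2/metadata"

SAMPLE_GROUPS = [
    BrokeringGroup(
        name="Company1-Partner1",
        idps=frozenset({COMPANY1_IDP}), sps=frozenset({PARTNER1_SP}),
        rules=[
            Rule("permit-managers", 1, frozenset({ANY}), frozenset({ANY}),
                 frozenset({"manager"}), "Permit"),
            Rule("deny-everyone-else", 2, frozenset({ANY}), frozenset({ANY}),
                 frozenset({ANY}), "Deny"),
        ]),
    BrokeringGroup(
        name="Company2-Partner2",
        idps=frozenset({"https://idp.company2.example/nidp/saml2/metadata"}),
        sps=frozenset({PARTNER2_SP})),
]

if __name__ == "__main__":
    for roles in (frozenset({"manager"}), frozenset({"employee"})):
        print(sorted(roles), broker_request(SAMPLE_GROUPS, COMPANY1_IDP, PARTNER1_SP, roles))
    print("cross-group:", broker_request(SAMPLE_GROUPS, COMPANY1_IDP, PARTNER2_SP, frozenset()))
```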

Generating the Brokering URLs by Using an ID and Target in the Intersite Transfer Service

You can generate the brokering URL’s using the ID of the target. You can use this value to simplify the Intersite Transfer Service URL that must be configured at the service provider. For more information, see Configuring an Intersite Transfer Service Target for a Service Provider.

  1. Click Devices > Identity Servers > Brokering or click Devices > Identity Servers > Edit > SAML 2.0 > Trusted Providers > (Broker Identity under the Service Providers list) > Intersite Transfer Service.

  2. ID: Specify the ID value of the target.

  3. Target: Specify the URL of the page that you want to display to users when they authenticate with an Intersite Transfer URL. The behavior of this option is influenced by the Allow any target option. If you are using the target ID as part of the Intersite Transfer URL and did not specify a target in the URL, you need to specify the target in this field. For example, if you enter the target URL as it appears below, then it is displayed when you select the Allow Any Target option.

    https://login.company1.com:8443/nidp/saml2/idpsend?id=217ID&TARGET=https%3A%2F%2FSPBROKER1.labs.blr.novell.com%3A8443%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3Dhttps%3A%2F%2Flogin.partner2B.com%3A8443%2Fnidp%2Fsaml2%2Fmetadata%26TARGET%3Dhttps%3A%2F%2Fpartner2b.com

  4. Allow any Target: Select this option to use the target that was specified in the Intersite Transfer URL. If this option is not selected, the target value in the Intersite Transfer URL is ignored and you can see the URL specified in the Target option.
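The following Python builds a four-part Broker URL of the shape described under Broker URL above and unwraps a brokering URL one idpsend level at a time, so an administrator can verify the chain from origin IDP to SP Broker to allowed SP to target (including the sample URL shown in this procedure) before placing a URL in the portal page. It is an added example, not part of the Access Manager documentation; the host names and provider IDs in its sample are constructed, and it assumes that an Intersite Transfer endpoint is recognised by a path ending in idpsend (as in /idpsend and /nidp/saml2/idpsend).

```python
"""Build and unwrap nested Intersite Transfer (brokering) URLs (added example).

Assumption: an Intersite Transfer endpoint is recognised by a path ending in
"idpsend"; the sample host names and provider IDs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_DEPTH = 8  # guard against runaway TARGET chains


@dataclass
class Hop:
    host: str                # identity server that performs this step
    provider: Optional[str]  # PID (or id of a configured target) it asserts to next


def build_brokering_url(origin_idpsend: str, broker_pid: str,
                        broker_idpsend: str, sp_pid: str, target: str) -> str:
    """Compose the four-part Broker URL: origin IDP -> SP Broker -> allowed SP -> target.

    The inner Intersite Transfer URL is percent-encoded as a whole when it becomes
    the outer TARGET value, so its own '?', '=' and '&' survive the first decode
    at the origin identity provider and are interpreted only by the SP Broker.
    """
    inner = broker_idpsend + "?" + urlencode({"PID": sp_pid, "TARGET": target})
    return origin_idpsend + "?" + urlencode({"PID": broker_pid, "TARGET": inner})


def unwrap_brokering_url(url: str) -> Tuple[List[Hop], Optional[str]]:
    """Peel the URL one idpsend level at a time.

    Returns the chain of hops and the final destination URL (None when the last
    idpsend carries no TARGET, i.e. the provider's configured target applies).
    """
    hops: List[Hop] = []
    current = url
    for _ in range(MAX_DEPTH):
        parts = urlsplit(current)
        if not parts.path.endswith("idpsend"):
            return hops, current  # not an Intersite Transfer endpoint: final target
        params = parse_qs(parts.query, keep_blank_values=True)
        provider = (params.get("PID") or params.get("id") or [None])[0]
        target = (params.get("TARGET") or [None])[0]
        hops.append(Hop(host=parts.netloc, provider=provider))
        if target is None:
            return hops, None
        current = target  # parse_qs already removed one layer of percent-encoding
    raise ValueError("brokering chain deeper than %d hops" % MAX_DEPTH)


def passes_through_broker(url: str, broker_host: str) -> bool:
    """True when the origin identity provider's TARGET hands the user to the SP
    Broker's idpsend endpoint, which is what makes the URL a brokered URL."""
    hops, _ = unwrap_brokering_url(url)
    return len(hops) >= 2 and hops[1].host.lower() == broker_host.lower()


if __name__ == "__main__":
    # Constructed sample: a Company 1 user reaching a Partner 1 application via the broker.
    url = build_brokering_url(
        "https://idp.company1.example/nidp/saml2/idpsend", "SPBroker",
        "https://spbroker.example/nidp/saml2/idpsend", "SP1",
        "https://app.partner1.example/payroll?view=summary")
    print(url)
    hops, final = unwrap_brokering_url(url)
    for hop in hops:
        print(hop)
    print("final target:", final)
    print("brokered:", passes_through_broker(url, "spbroker.example"))
```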

Assigning The Local Roles Based On Remote Roles And Attributes

You can configure the attributes based on the roles you select in the Attribute set field. You can log in and be authenticated based on the roles federated in the Origin Identity Provider, Target Service Provider, and Brokering Service Provider configurations.

Origin Identity Provider Role Attribute Configuration

  1. Click Devices > Identity Servers > Shared Settings > Attribute Sets > Mapping > New. The Add Attribute Mapping window displays.

  2. Select the local attribute name from the drop-down list.

  3. Enter the remote attribute name for the selected local attribute.

  4. Click OK to add the remote attribute name. The newly added attribute displays in the Mapping list.

  5. Click Devices > Identity Servers > Edit > SAML 2.0 > Trusted Providers > (Broker Identity under the Identity Providers list) > Configuration > Attributes.

  6. Select the role from drop-down list in the Attribute set.

  7. Using the arrows, map the attributes in the Send with Authentication and Available List.

  8. Click Apply to map the set role and attribute of the origin Identity Provider.

Allowed Service Provider Role Attribute Configuration

  1. Click Devices > Identity Servers > Shared Settings > Attribute Sets > Mapping > New. The Add Attribute Mapping window displays.

  2. Select the local attribute name from the drop-down list.

  3. Specify the remote attribute name for the selected local attribute.

  4. Click OK. The newly added attribute displays in the Mapping list.

  5. Click Devices > Identity Servers > Edit > SAML 2.0 > Service Providers > (Broker Identity under the Service Providers list) > Configuration > Attributes.

  6. Select the role from Attribute set.

  7. Using the arrows, map the attributes in the Send with Authentication and Available List.

  8. Click Apply to map and set the attribute changes to the selected role of the target Identity Service Provider.

Brokering Service Provider Role Attribute Configuration

The roles and attributes configured in the origin identity provider and the target service provider are added and mapped in the brokering service provider attribute configuration.

  1. Click Devices > Identity Servers > Shared Settings > Attribute Sets > Mapping > New. The Add Attribute Mapping window displays.

  2. Select the local attribute name from the drop-down list.

  3. Enter the remote attribute name for the selected local attribute.

  4. Click OK to add the remote attribute name. The newly added attribute displays in the Mapping list.

  5. Click Devices > Identity Servers > Brokering or click Devices > Identity Servers > Edit > SAML 2.0 > Service Providers > (Broker Identity under the Service Providers list) > Configuration > Attributes.

  6. Select the role from drop-down list in Attribute set.

  7. Using the arrows, map the attributes in the Send with Authentication and Available List.

  8. Click Apply to set the role and configure the attribute mappings.

SP Brokering Example

This example explains how SP Brokering works. Assume that two companies, Digital Airlines and ACME, are business partners, and that users of both Digital Airlines and ACME need to access certain applications.

With SP Brokering, users in Digital Airlines are provided with an Intersite Transfer URL that allows them to authenticate at Digital Airlines, have an assertion set at ACME, and gain access to the target application. With this approach, users do not need to choose from different authentication cards.

The following diagram depicts the SP Brokering workflow:

Workflow:

  1. A user is authenticated at the Digital Airlines identity provider. The user clicks a Broker URL, and Digital Airlines checks whether this user is authenticated. If not, it asks for the user's credentials and authenticates the user.

  2. Digital Airlines identity provider processes an intersite URL and creates an assertion for SP Broker (Access Manager Identity Server).

  3. SP Broker receives the assertion and validates that this assertion is received from a trusted identity provider.

  4. SP Broker checks whether the trusted identity provider and the service provider (named in the target URL) belong to the same group. SP Broker denies the request if they do not belong to the same group.

  5. SP Broker sends a request to Digital Airlines identity provider to resolve the artifact.

  6. SP Broker receives the SAML assertion from Digital Airlines identity provider and caches attributes/roles received. SP Broker applies any Role policies that have been enabled.

  7. SP Broker performs intersite transfer. In the processing of intersite transfer, SP Broker checks if this user was a result of SP Brokering (step 4 earlier). SP Broker enforces the SP Brokering rules check: if any of the rules result in deny, an error page is displayed.

  8. SP Broker creates an assertion for ACME.

  9. ACME sends a request to SP Broker to resolve the artifact.

  10. ACME receives the SAML assertion from the SP Broker along with roles/attributes.

  11. ACME sends a redirect to the final target URL. (Note: Redirect happens from ACME’s ESP to ACME’s identity provider where the user is already authenticated.)

  12. The user accesses the target application.