7.11 Defining Options for Liberty or SAML 2.0

According to the Single Logout Profile in the OASIS SAML V2.0 profiles specification, session participants should use a front-channel binding. The profile is designed this way to maximize the likelihood that the session authority can successfully propagate the logout to all session participants.

7.11.1 Defining Options for SAML 2.0 Identity Provider

  1. In Administration Console, click Devices > Identity Servers > Servers > Edit > SAML 2.0 > Identity Provider > Options.

  2. OIOSAML Compliance: Enable this option to make Identity Provider OIOSAML compliant.

  3. Enable Front Channel Logout: After this option is enabled, the Service Provider initiates a logout at the Identity Provider by using the HTTP Redirect method.

7.11.2 Defining Options for Liberty or SAML 2.0 Service Provider

NetIQ Access Manager can be used as an identity provider for several service providers. You can configure a specific authentication contract that is required for a service provider. If more than one authentication contract is configured for a service provider, the contract with the lowest level is selected.

When providing authentication to a service provider, the Identity Server ensures that the user is authenticated by the required contract. When the user is not authenticated, or is authenticated but the authenticated contracts do not satisfy the required contract, the user is prompted to authenticate with the required contract. This is called step-up authentication.

If no required contract is configured, then the default contract is executed.

NOTE: This step-up authentication is supported only for Intersite Transfer Service (identity provider initiated) requests.
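The following Python model illustrates the contract-selection and step-up rules described above. It is an added example written for this page, not Access Manager code: the contract names and levels are constructed, and the notion that a held contract "satisfies" a required one when its level is equal or higher is an assumption of the model rather than a statement about the product's evaluation logic.

```python
"""Illustrative model of step-up authentication contract selection.

Added example, not Access Manager code. Contract names and levels below are
constructed for illustration; the product's own evaluation may differ.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Contract:
    name: str
    level: int  # assumption: a higher level means stronger authentication


# Constructed sample contracts (hypothetical names and levels).
NAME_PASSWORD = Contract("Name/Password - Form", 10)
SECURE_NAME_PASSWORD = Contract("Secure Name/Password - Form", 20)
X509 = Contract("X509 Certificate", 30)


def select_required_contract(required: Iterable[Contract],
                             default: Contract) -> Contract:
    """Pick the contract the service provider will require.

    Per the text: if more than one contract is configured for the service
    provider, the one with the lowest level is selected; if none is
    configured, the default contract is executed.
    """
    required = list(required)
    if not required:
        return default
    return min(required, key=lambda c: c.level)


def needs_step_up(authenticated: Iterable[Contract],
                  required: Contract) -> bool:
    """Return True when the user must be prompted to authenticate again.

    A user who is not authenticated at all, or whose existing contracts do
    not satisfy the required contract, is prompted. Modelling assumption:
    a held contract satisfies the requirement when its level is at least
    the required level.
    """
    authenticated = list(authenticated)
    if not authenticated:
        return True
    return not any(c.level >= required.level for c in authenticated)


def decide(authenticated: Iterable[Contract],
           required_for_sp: Iterable[Contract],
           default: Contract) -> Tuple[str, str]:
    """Return ("step_up" | "allow", <contract name the SP requires>)."""
    required = select_required_contract(required_for_sp, default)
    if needs_step_up(authenticated, required):
        return ("step_up", required.name)
    return ("allow", required.name)


if __name__ == "__main__":
    # Unauthenticated user hitting an SP that requires two contracts:
    # the lower-level one (Secure Name/Password) is the one enforced.
    print(decide([], [SECURE_NAME_PASSWORD, X509], NAME_PASSWORD))
    # User already holds X509, which is at least as strong: no prompt.
    print(decide([X509], [SECURE_NAME_PASSWORD], NAME_PASSWORD))
```

Running the module prints `('step_up', 'Secure Name/Password - Form')` for the unauthenticated case and `('allow', 'Secure Name/Password - Form')` for the user who already holds a stronger contract.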

To Define Options for Liberty Service Provider

  1. In the Administration Console, click Devices > Identity Servers > Servers > Edit > Liberty > Service Provider > Options.

  2. Select the required step up authentication contracts from the Available contracts list and move them to the Selected contracts list. This is to provide the step up authentication for the service provider.

  3. Click OK.

To Define Options for SAML 2.0 Service Provider

  1. In Administration Console, click Devices > Identity Servers > Servers > Edit > SAML 2.0 > Service Provider > Options.

  2. OIOSAML Compliance: Enable this option to make the service provider OIOSAML compliant. After you select this check box, the OIOSAML attribute set is automatically populated with the required attributes to send with the authentication.

  3. Select the required step up authentication contracts from the Available contracts list and move them to the Selected contracts list. This is to provide the step up authentication for the service provider.

  4. Click New. In the Add Property window, specify the Property Name as Extensions and the Property Value as <samlp:Extensions><OnBehalfOf xmlns="https://idporten.difi.no/idporten-extensions">interaktor</OnBehalfOf></samlp:Extensions>. Access Manager, acting as a SAML 2.0 service provider, will now send an OnBehalfOf authentication request using SAML extensions.

  5. Click OK.
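To show where the Extensions property value ends up on the wire, and how the receiving side should pick it out, here is an added Python example (not Access Manager code) that builds a minimal SAML 2.0 AuthnRequest carrying exactly the fragment from step 4 and then extracts the OnBehalfOf value as an identity provider would. The issuer, destination, request ID and timestamp are constructed placeholders; the extension namespace and value are the ones given on this page.

```python
"""Embed and extract the OnBehalfOf SAML extension from an AuthnRequest.

Added example, not Access Manager code. Issuer, Destination, ID and
IssueInstant values are constructed placeholders. Uses the standard-library
parser; in production prefer defusedxml for untrusted SAML input.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDPORTEN_EXT = "https://idporten.difi.no/idporten-extensions"  # from the page

# The exact Property Value from step 4 of this procedure.
EXTENSIONS_PROPERTY_VALUE = (
    '<samlp:Extensions>'
    '<OnBehalfOf xmlns="https://idporten.difi.no/idporten-extensions">'
    'interaktor</OnBehalfOf></samlp:Extensions>'
)

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer: str, destination: str, request_id: str,
                        issue_instant: str,
                        extensions_fragment: Optional[str] = None) -> str:
    """Return a minimal AuthnRequest; Extensions follows Issuer per schema.

    The fragment uses the samlp: prefix without declaring it, so it is
    parsed inside a wrapper that declares that prefix.
    """
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
    })
    issuer_el = ET.SubElement(root, f"{{{SAML}}}Issuer")
    issuer_el.text = issuer
    if extensions_fragment:
        wrapper = ET.fromstring(
            f'<w xmlns:samlp="{SAMLP}">{extensions_fragment}</w>')
        ext = wrapper.find(f"{{{SAMLP}}}Extensions")
        if ext is None:
            raise ValueError("fragment is not a samlp:Extensions element")
        root.append(ext)
    return ET.tostring(root, encoding="unicode")


def extract_on_behalf_of(authn_request_xml: str) -> Optional[str]:
    """Identity-provider side: pull the OnBehalfOf value, or None if absent.

    The value is treated as untrusted input (it arrives from the requester),
    so the caller must still decide whether this issuer may act on behalf
    of others; SAML requires unknown Extensions content to be ignored, not
    trusted.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    el = root.find(f"{{{SAMLP}}}Extensions/{{{IDPORTEN_EXT}}}OnBehalfOf")
    if el is None:
        return None
    return (el.text or "").strip()


if __name__ == "__main__":
    # Constructed placeholder values for the request envelope.
    xml = build_authn_request(
        issuer="https://sp.example.test/nidp/saml2/metadata",
        destination="https://idp.example.test/sso",
        request_id="_example-request-id",
        issue_instant="2024-01-01T00:00:00Z",
        extensions_fragment=EXTENSIONS_PROPERTY_VALUE,
    )
    print(xml)
    print("OnBehalfOf =", extract_on_behalf_of(xml))
```

Running the module prints the serialized request and then `OnBehalfOf = interaktor`; the same extractor returns None for a request built without the fragment, which is the case to handle when a property is configured on one service provider but not another.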

7.11.3 Defining Options for Liberty Identity Provider

  1. In Administration Console, click Devices > Identity Servers > Servers > Edit > Liberty or SAML 2.0 > Identity Provider > Options.

  2. Enable Front Channel Logout: After this option is enabled, the Service Provider initiates a logout at the Identity Provider by using the HTTP Redirect method.

  3. Configure Front Channel Logout for Access Gateway Initiated Logout: In addition to enabling the front channel logout, add the following parameters in the NESP web.xml and restart Tomcat:

    Add the following parameters in the web.xml below the ldapLoadThreshold context param:

    <context-param>
      <param-name>forceESPSLOHTTP</param-name>
      <param-value>true</param-value>
    </context-param>

    To restart Tomcat:

    Linux: Enter the following command: /etc/init.d/novell-idp restart

    Windows: Enter the following commands: net stop Tomcat7 and then net start Tomcat7