7.3 Managing Trusted Providers

The procedure for establishing trust between providers begins with obtaining metadata for the trusted provider. If you are using the NetIQ Identity Server, protocol-specific metadata is available via a URL.

  1. In the Administration Console, click Devices > Identity Servers > Servers > Edit > [Protocol].

    For the protocol, select Liberty, SAML 1.1 or SAML 2.0.

  2. Select one of the following actions:

    New: Launches the Create Trusted Identity Provider Wizard or the Create Trusted Service Provider Wizard, depending on your selection. For more information, see Section 7.3.1, Creating a Trusted Service Provider for SAML 2.0, Section 7.3.2, Creating a Trusted Service Provider for SAML 1.1 and Liberty, or Section 7.3.3, Creating a Trusted Identity Provider.

    Delete: Allows you to delete the selected identity or service provider.

    Enable: Enables the selected identity or service provider.

    Disable: Disables the selected identity or service provider. When a provider is disabled, the server does not load the definition. The definition is not deleted, and at a future time, the provider can be enabled.

IMPORTANT: When selecting which protocol to use, be aware of the logout behavior of the SAML 1.1 protocol. The SAML 2.0 and Liberty 1.2 protocols define a logout mechanism whereby the service provider sends a logout command to the trusted identity provider when a user logs out at the service provider. SAML 1.1 does not provide such a mechanism, so when a logout occurs at a SAML 1.1 service provider, no logout occurs at the trusted identity provider: the session at the identity provider remains valid and no credentials need to be entered to use it again. To log out at both providers, the user must navigate to the identity provider that authenticated them to the SAML 1.1 service provider and log out there manually.

7.3.1 Creating a Trusted Service Provider for SAML 2.0

You can configure the Identity Server to trust a service provider or an identity provider.

  • When you create a trusted identity provider, you are allowing that identity provider to authenticate the user and the Identity Server acts as a service provider.

  • When you create a trusted service provider, you are configuring the Identity Server to provide authentication for the service provider and the Identity Server acts as an identity provider.

Both of these types of trust relationships require the identity provider to establish a trusted relationship with the service provider and the service provider to establish a trusted relationship with the identity provider.

Prerequisites

Before you can create a trusted provider, you must have completed the following tasks:

  • Imported the trusted root of the provider’s SSL certificate into the NIDP trust store. For instructions, see Section 1.4.4, Managing the Keys, Certificates, and Trust Stores.

  • Shared the trusted root of the SSL certificate of your Identity Server with the other provider so that its administrator can import it into the provider’s trust store.

  • Obtained the metadata URL from the other provider or an XML file with the metadata.

  • Shared the metadata URL of your Identity Server with the other provider or sent an XML file with the metadata.

  • Enabled the protocol. Click Devices > Identity Servers > Edit, and on the Configuration page, verify that the required protocol in the Enabled Protocols section has been enabled.

Procedure

  1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol].

    For the protocol, click SAML 2.0.

  2. Click New, then click Service Provider.

    Trusted Service Provider

    NOTE: By default, Provider Type > General is selected. You can configure an Identity Server to trust a service provider in order to establish federation with external service providers. For more information about pre-configured metadata for Google Applications, Office 365, and Salesforce.com, see Section 7.20, Sample Configurations.

  3. Select one of the following sources for the metadata:

    Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves protocol metadata by using the specified URL.

    Examples of metadata URLs for an Identity Server acting as a trusted provider with an IP address 10.1.1.1:

    • Liberty: http://10.1.1.1:8080/nidp/idff/metadata

    • Liberty: https://10.1.1.1:8443/nidp/idff/metadata

    • SAML 2.0: http://10.1.1.1:8080/nidp/saml2/metadata

    • SAML 2.0: https://10.1.1.1:8443/nidp/saml2/metadata

    • OIOSAML: http://10.1.1.1/nidp/saml2/metadata_oiosaml

    • OIOSAML: https://10.1.1.1/nidp/saml2/metadata_oiosaml

    The default values nidp and 8080 are established during product installation; nidp is the Tomcat application name. If you have set up SSL, you can use https and port 8443.

    If your Identity Server and Administration Console are on different machines, use HTTP to import the metadata. If you are required to use HTTPS with this configuration, you must import the trusted root certificate of the provider into the trust store of the Administration Console. You need to use the Java keytool to import the certificate into the cacerts file in the security directory of the Administration Console.

    Linux: /opt/novell/java/jre/lib/security

    Windows Server 2008: \Program Files (x86)\Novell\jre\lib\security

    If you do not want to use HTTP and you do not want to import a certificate into the Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP URL of the metadata. View the text from the source page, save the source metadata, then paste it into the Metadata Text option.

    Metadata Text: An editable field in which you can paste copied metadata text from an XML document, assuming you obtained the metadata via e-mail or disk and are not using a URL. If you copy metadata text from a Web browser, you must copy the text from the page source.

    Manual Entry: Allows you to enter metadata values manually. When you select this option, the system displays the page to enter the required details. See Editing a SAML 2.0 Service Provider’s Metadata.

    Metadata Repositories: Allows you to configure several identity and/or service providers using a multi-entity metadata file available in a central repository. For more information about creating identity and/or service providers this way, see Section 7.3.4, Creating Identity Providers and Service Providers.

  4. In the Name option, specify a name by which you want to refer to the provider.

  5. Click Next.

  6. Review the metadata certificates and click Finish. The system displays the trusted provider on the protocol page.

    Trusted provider list

  7. Click OK, then update the Identity Server.

    The wizard allows you to configure the required options and relies upon the default settings for the other federation options. For information about how to configure the default settings and how to configure the other available options, see Section 7.4, Modifying a Trusted Provider.

7.3.2 Creating a Trusted Service Provider for SAML 1.1 and Liberty

Before you can create a trusted service provider, you must have completed the following tasks:

  • Imported the trusted root of the provider’s SSL certificate into the NIDP trust store. For instructions, see Section 1.4.4, Managing the Keys, Certificates, and Trust Stores.

  • Shared the trusted root of the SSL certificate of your Identity Server with the service provider so that its administrator can import it into the service provider’s trust store.

  • Obtained the metadata URL from the service provider, an XML file with the metadata, or the information required for manual entry. For more information about the manual entry option, see Section 7.9.4, Editing a SAML 1.1 Service Provider’s Metadata.

  • Shared the metadata URL of your Identity Server with the service provider or an XML file with the metadata.

  • Enabled the protocol. Click Devices > Identity Servers > Edit, and on the Configuration page, verify that the required protocol in the Enabled Protocols section has been enabled.

To create a service provider:

  1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 or Liberty.

  2. Click New, then click Service Provider.

  3. In the Name option, specify a name by which you want to refer to the provider.

  4. Select one of the following sources for the metadata:

    Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves protocol metadata using the specified URL. Examples of metadata URLs for an Identity Server acting as a service provider with an IP address of 10.1.1.1:

    http://10.1.1.1:8080/nidp/saml/metadata
    https://10.1.1.1:8443/nidp/saml/metadata

    The default values nidp and 8080 are established during product installation; nidp is the Tomcat application name. If you have set up SSL, you can use https and port 8443.

    If your Identity Server and Administration Console are on different machines, use HTTP to import the metadata. If you are required to use HTTPS with this configuration, you must import the trusted root certificate of the provider into the trust store of the Administration Console. You need to use the Java keytool to import the certificate into the cacerts file in the security directory of the Administration Console.

    Linux: /opt/novell/java/jre/lib/security

    Windows Server 2008: \Program Files (x86)\Novell\jre\lib\security

    If you do not want to use HTTP and you do not want to import a certificate into the Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP URL of the metadata. View the text from the source page, save the source metadata, then paste it into the Metadata Text option.

    Metadata Text: Paste the copied metadata text from an XML document, assuming you obtained the metadata via e-mail or disk and are not using a URL. If you copy metadata text from a Web browser, you must copy the text from the page source.

    Manual Entry: Allows you to enter metadata values manually. When you select this option, the system displays the Enter Metadata Values page. See Editing a SAML 1.1 Service Provider’s Metadata.

    Metadata Repositories: Allows you to configure several identity and/or service providers using a multi-entity metadata file available in a central repository. For more information about creating identity and/or service providers this way, see Section 7.3.4, Creating Identity Providers and Service Providers.

  5. Click Next.

  6. Review the metadata certificates, then click Finish.

  7. Click OK, then update the Identity Server.

    The wizard allows you to configure the required options and relies upon the default settings for the other options. For information about how to configure the default settings and how to configure the other available options, see Section 7.4, Modifying a Trusted Provider.

7.3.3 Creating a Trusted Identity Provider

Before you can create a trusted identity provider, you must have completed the following tasks:

  • Imported the trusted root of the provider’s SSL certificate into the NIDP trust store. For instructions, see Section 1.4.4, Managing the Keys, Certificates, and Trust Stores.

  • Shared the trusted root of the SSL certificate of your Identity Server with the identity provider so that its administrator can import it into the identity provider’s trust store.

  • Obtained the metadata URL from the identity provider, an XML file with the metadata, or the information required for manual entry. For more information about the manual entry option, see Section 7.9.3, Editing a SAML 1.1 Identity Provider’s Metadata.

  • Shared the metadata URL of your Identity Server with the identity provider or an XML file with the metadata.

  • Enabled the protocol. Click Devices > Identity Servers > Edit, and on the Configuration page, verify that the required protocol in the Enabled Protocols section has been enabled.

To create an identity provider:

  1. In the Administration Console, click Devices > Identity Servers > Servers > Edit > SAML 1.1.

  2. Click New, then click Identity Provider.

  3. In the Name option, specify a name by which you want to refer to the provider.

  4. Select one of the following sources for the metadata:

    Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves protocol metadata using the specified URL. Examples of metadata URLs for an Identity Server acting as an identity provider with an IP address of 10.1.1.1:

    http://10.1.1.1:8080/nidp/saml/metadata
    https://10.1.1.1:8443/nidp/saml/metadata

    The default values nidp and 8080 are established during product installation; nidp is the Tomcat application name. If you have set up SSL, you can use https and port 8443.

    If your Identity Server and Administration Console are on different machines, use HTTP to import the metadata. If you are required to use HTTPS with this configuration, you must import the trusted root certificate of the provider into the trust store of the Administration Console. You need to use the Java keytool to import the certificate into the cacerts file in the security directory of the Administration Console.

    The cacerts file is located at:

    Linux: /opt/novell/java/jre/lib/security

    Windows Server 2008: \Program Files (x86)\Novell\jre\lib\security

    If you do not want to use HTTP and you do not want to import a certificate into the Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP URL of the metadata. View the text from the source page, save the source metadata, then paste it into the Metadata Text option.

    Metadata Text: An editable field in which you can paste copied metadata text from an XML document, assuming you obtained the metadata via e-mail or disk and are not using a URL. If you copy metadata text from a Web browser, you must copy the text from the page source.

    Manual Entry: Allows you to enter metadata values manually. When you select this option, the system displays the Enter Metadata Values page. See Editing a SAML 1.1 Identity Provider’s Metadata.

    Metadata Repositories: Allows you to configure several identity and/or service providers using a multi-entity metadata file available in a central repository. For more information about creating identity and/or service providers this way, see Section 7.3.4, Creating Identity Providers and Service Providers.

  5. Click Next.

  6. Review the metadata certificates, then click OK.

  7. Configure an authentication card to use with this identity provider. Fill in the following fields:

    ID: (Optional) Specify an alphanumeric value that identifies the card. If you need to reference this card outside of the Administration Console, you must specify a value here. If you do not assign a value, the Identity Server creates one for its internal use.

    Text: Specify the text that is displayed on the card to the user.

    Login URL: Specify an Intersite Transfer Service URL. The URL has the following format, where idp.sitea.novell.com is the DNS name of the identity provider and idp.siteb.novell.com is the name of the service provider:

    NOTE: The PID in the login URL must exactly match the entity ID specified in the metadata.

    https://idp.sitea.novell.com:8443/nidp/saml/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/saml/metadata&TARGET=https://idp.siteb.novell.com:8443/nidp/app

    For more information, see Specifying the Intersite Transfer Service URL for the Login URL Option.

    Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click <Select local image>.

    Show Card: Determine whether the card is shown to the user, which allows the user to select and use the card for authentication. If this option is not selected, the card is only used when a service provider makes a request for the card.

  8. Click Finish. The system displays the trusted provider on the protocol page.

  9. Update the Identity Server.

    The wizard allows you to configure the required options and relies upon the default settings for the other options. For information about how to configure the default settings and how to configure the other available options, see Section 7.4, Modifying a Trusted Provider.

7.3.4 Creating Identity Providers and Service Providers

  1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol].

    For the protocol, click SAML 1.1 or SAML 2.0.

  2. Click New, then click Identity Provider or Service Provider.

  3. Select Metadata Repositories from the Source drop-down list, then select the repository name in the Repository field.

  4. Select the entities to add as SAML 1.1 or SAML 2.0 identity or service providers, then click Finish.

    Entities that are already assigned to the cluster are marked as such in the Assigned to Cluster column.
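As an added example (not code from the NetIQ documentation or product), the following Python script parses a constructed multi-entity metadata file of the shape a metadata repository holds, reports the role each entity declares, and applies the rule from Section 7.3.3 that the PID in an authentication card's Login URL must exactly match an entityID in the metadata. The hostnames reuse the page's idp.sitea/idp.siteb examples; the metadata content itself is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROLE_TAGS = {"IDPSSODescriptor": "identity provider",
             "SPSSODescriptor": "service provider"}

# Constructed multi-entity metadata (the shape a metadata repository file has).
# Hostnames follow the page's examples; nothing here is real product output.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.siteb.novell.com:8443/nidp/saml/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.sitea.novell.com:8443/nidp/saml2/metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def list_entities(metadata_xml):
    """Map each entityID to the roles its descriptor declares.

    Works for a single EntityDescriptor and for an EntitiesDescriptor
    wrapper, because iter() also yields the root element when it matches.
    Partner metadata is untrusted input: it is only parsed, never trusted
    beyond what the administrator reviews.
    """
    root = ET.fromstring(metadata_xml)
    entities = {}
    for desc in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        roles = [ROLE_TAGS[child.tag.split("}")[-1]]
                 for child in desc if child.tag.split("}")[-1] in ROLE_TAGS]
        entities[desc.get("entityID")] = roles
    return entities


def check_login_url(login_url, entities):
    """Validate an authentication card's Login URL against the metadata.

    Returns (ok, reason). The PID query parameter must be character-for-
    character equal to an entityID in the metadata; a different scheme,
    port or a trailing slash is a mismatch even if it names the same host.
    """
    params = parse_qs(urlsplit(login_url).query)
    pid = params.get("PID", [None])[0]
    if pid is None:
        return False, "login URL has no PID parameter"
    if "TARGET" not in params:
        return False, "login URL has no TARGET parameter"
    if pid in entities:
        return True, "PID matches a " + "/".join(entities[pid]) + " entity"
    return False, f"PID {pid!r} does not exactly match any entityID"
```

Run list_entities() on a repository file to see what the wizard in step 4 will offer, and check_login_url() on a card's Login URL before saving it.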

The default settings of identity and service providers when you import the metadata repository are as follows:

  • SAML 1.1 Identity Provider

    • No contracts associated to Satisfiable list of IDP

    • No image selected for the IDP card

    • Login URL is empty and Show Card is disabled

    • No attribute set associated

  • SAML 1.1 Service Provider

    • No contracts associated to Satisfiable list of SP

    • No Attribute set associated

  • SAML 2.0 Identity Provider

    • Persistent Federation as the Name Identifier

    • Post Binding

    • No contracts associated to Satisfiable list of IDP

    • No image selected for the IDP card

    • No Attribute set associated

  • SAML 2.0 Service Provider

    • No contracts associated to Satisfiable list of SP

    • Post Binding

    • No Attribute set associated