10.4 Modifying a WS Federation Identity Provider

This section explains how to modify a WS Federation identity provider after it has been created. Section 10.3.1, Creating an Identity Provider for WS Federation explains the steps required to create an identity provider. You can modify the following configuration details:

10.4.1 Renaming the Trusted Provider

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Provider Name].

  2. In the Name field, specify a new name for the trusted provider.

  3. Click OK twice, then update the Identity Server.

10.4.2 Configuring the Attributes Obtained at Authentication

When the Identity Server creates its request to send to the identity provider, it uses the attributes that you have selected. The request asks the identity provider to provide values for these attributes. You can then use these attributes to create policies, to match user accounts, or if you allow provisioning, to create a user account on the service provider.

To select the attributes:

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > Attributes.

  2. (Conditional) To create an attribute set, select New Attribute Set from the Attribute Set drop-down menu.

    An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can map a local attribute from the Liberty profile (such as Informal Name) to the remote attribute name that the service provider expects.

    a. Specify a set name, then click Next.

    b. On the Define Attributes page, click New.

    c. Select a local attribute.

    d. Specify the name of the remote attribute.

    e. For the namespace, specify http://schemas.xmlsoap.org/claims.

    f. Click OK.

    g. To add other attributes to the set, repeat Step 2.b through Step 2.e.

    h. Click Finish.

  3. Select an attribute set.

  4. Select attributes from the Available list, and move them to the left side of the page.

  5. (Conditional) If you created a new attribute set, it must be enabled for STS.

    For more information, see Enabling the Attribute Set.

  6. Click OK, then update the Identity Server.
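The attribute set defined above is, in effect, a mapping from the remote attribute names that ADFS sends in the claims namespace to local attribute names. The following Python example (added here; it is not part of the product or of this documentation) shows that mapping applied to a constructed SAML 1.1 assertion fragment of the kind ADFS issues: only attributes whose AttributeNamespace is http://schemas.xmlsoap.org/claims are considered, matching remote names are renamed to their local attribute, and remote names that are not in the set are reported so an administrator can see what the identity provider sent but the set does not cover. The attribute set contents, the sample assertion and the local attribute names are assumptions made up for the example.

```python
import xml.etree.ElementTree as ET

# Namespace that the attribute set definition uses for remote attributes (from the procedure above).
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Hypothetical attribute set: remote attribute name (as sent by ADFS) -> local attribute name.
ATTRIBUTE_SET = {
    "emailaddress": "mail",
    "givenname": "givenName",
    "surname": "sn",
    "group": "memberOf",
}

# Constructed sample assertion fragment; not captured from a real ADFS server.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="department" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Accounting</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="urn:example:other-namespace">
      <saml:AttributeValue>ignored@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return {remote_name: [values]} for attributes carried in the claims namespace only."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue  # different namespace: cannot match an entry of the attribute set
        name = attr.get("AttributeName")
        values = [v.text or "" for v in attr.findall(f"{{{SAML1_NS}}}AttributeValue")]
        claims.setdefault(name, []).extend(values)
    return claims


def map_attributes(claims, attribute_set):
    """Apply the attribute set; return (local_attributes, unmapped_remote_names)."""
    local = {}
    unmapped = []
    for remote, values in claims.items():
        if remote in attribute_set:
            local[attribute_set[remote]] = values
        else:
            unmapped.append(remote)
    return local, sorted(unmapped)


if __name__ == "__main__":
    received = extract_claims(SAMPLE_ASSERTION)
    mapped, missing = map_attributes(received, ATTRIBUTE_SET)
    print("local attributes:", mapped)
    print("sent by IDP but not in attribute set:", missing)
```

The second emailaddress attribute in the sample sits in a different namespace and is deliberately ignored, which is the behaviour implied by fixing the namespace to http://schemas.xmlsoap.org/claims in Step 2.e; the unmapped list is what you would consult when deciding whether the attribute set needs another entry.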

10.4.3 Modifying the User Identification Method

The user identification method specifies how to identify the user.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > User Identification.

  2. Select the contract that can be used for authentication. Fill in the following field:

    Satisfies contract: Specifies the contract that is satisfied by the assertion received from the identity provider. WS Federation expects the URI name of the contract to look like a URL, so it rejects all default Access Manager contracts. You must create a contract with a URI that conforms to WS Federation requirements.

    For more information on how to create this contract, see Creating a New Authentication Contract.

  3. Specify whether the user can associate (federate) an account at the identity provider (the ADFS server) with an account at Identity Server. Fill in the following field:

    Allow federation: Indicates whether account federation is allowed. Enabling this option assumes that a user account exists at the provider or that a method is provided to create an account that can be associated with the user on subsequent logins. If you do not use this feature, authentication is permitted but is not associated with a particular user account.

  4. Select one of the following methods for user identification:

    • Do nothing: Allows the user to authenticate without creating an association with a user account. This option cannot be used when federation is enabled.

    • Authenticate: Allows the user to authenticate using a local account.

      • Allow ‘Provisioning’: Provides a button that the user can click to create an account when the authentication credentials do not match an existing account.

    • Provision account: Allows a new account to be created for the user when the authenticating credentials do not match an existing user. When federation is enabled, the new account is associated with the user and used with subsequent logins. When federation is not enabled, a new account is created every time the user logs in.

      This option requires that you specify a user provisioning method.

    • Attribute matching: Enables account matching. The service provider can uniquely identify a user in its directory by obtaining specific user attributes sent by the trusted identity provider. This option requires that you specify a user matching method.

      • Prompt for password on successful match: Specifies whether to prompt the user for a password when the user’s name is matched to an account, to ensure that the account matches.

  5. (Conditional) If you selected a method that requires provisioning (Allow ‘Provisioning’ or Provision account), click the Provision settings icon and create a provisioning method.

    For configuration information, see Section 12.6, Defining the User Provisioning Method.

  6. (Conditional) If you selected Attribute matching as the identification method, click the Attribute Matching settings icon and create a matching method.

    For configuration information, see Section 12.1.2, Configuring the Attribute Matching Method for Liberty or SAML 2.0.

  7. Click OK twice, then update the Identity Server.

10.4.4 Viewing the WS Identity Provider Metadata

You can view the metadata of the ADFS server, edit it, and view information about the signing certificate.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > Metadata.

    The following values need to be configured accurately:

    ID: This is the provider ID. The ADFS server provides this value to the service provider in the realm parameter in the assertion. You set this value in the Properties of the Trust Policy on the ADFS server. The label is Federation Service URI. The default value is urn:federation:adatum.

    sloUrl: This is the sign-on URL. This URL is listed in the Properties of the Trust Policy on the ADFS server. The label is Federation Services endpoint URL.

    ssoUrl: This is the logout URL. The default value is https://adfsresource.treyresearch.net/adfs/ls/. The ADFS server makes no distinction between the login URL and the logout URL.

    If the values do not match the ADFS values, you need to edit the metadata.

  2. To edit the metadata, click Edit. For configuration information, see Section 10.4.5, Editing the WS Identity Provider Metadata.

  3. To view information about the signing certificate, click Certificates.

  4. Click OK twice.

10.4.5 Editing the WS Identity Provider Metadata

You can view and edit the metadata of the ADFS server.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > Metadata > Edit.

  2. Configure the following fields:

    Provider ID: This is the provider ID. The ADFS server provides this value to the service provider in the realm parameter in the assertion. You set this value in the Properties of the Trust Policy on the ADFS server. The label is Federation Service URI. The default value is urn:federation:adatum.

    Sign-on URL: This is the sloUrl. This URL is listed in the Properties of the Trust Policy on the ADFS server. The label is Federation Services endpoint URL.

    Logout URL: This is the ssoUrl. The default value is https://adfsresource.treyresearch.net/adfs/ls/. The ADFS server makes no distinction between the login URL and the logout URL.

  3. If you need to import a new signing certificate, click the Browse button and follow the prompts.

  4. To view information about the signing certificate, click Certificates.

  5. Click OK twice, then update the Identity Server.

10.4.6 Modifying the Authentication Card

When you create an identity provider, you must also configure an authentication card. After it is created, you can modify it.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > Authentication Card.

  2. Modify the values in one or more of the following fields:

    ID: If you need to reference this card outside of the Administration Console, specify an alphanumeric value here. If you do not assign a value, the Identity Server creates one for its internal use. The internal value is not persistent: whenever the Identity Server is rebooted, the value can change. A specified value is persistent.

    Text: Specify the text that is displayed on the card. This value, in combination with the image, indicates to users which provider they are logging in to.

    Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click <Select local image>.

    Show Card: Determine whether the card is shown to the user, which allows the user to select and use the card for authentication. If this option is not selected, the card is only used when a service provider makes a request for the card.

    Passive Authentication Only: Select this option if you do not want the Identity Server to prompt the user for credentials. If the user has already authenticated and the credentials satisfy the requirements of this contract, the user is passively authenticated. If the user’s credentials do not satisfy the requirements of this contract, the user is denied access.

  3. Click OK twice, then update the Identity Server.

10.4.7 Assertion Validity Window

You can configure the assertion validity time for the WS Federation provider (SP) to accommodate clock skew between the Service Provider and the SAML IDP server.

To set the assertion validity for a WS Federation configuration, add the following context parameter to the IDP web.xml, directly below the ldapLoadThreshold context param, and then restart Tomcat:

<context-param>
    <param-name>wsfedAssertionValidity</param-name>
    <param-value>600</param-value>
</context-param>

The value (600 in this example) is in seconds and can be changed to suit your environment.

To restart Tomcat:

Linux: Enter the following command:

/etc/init.d/novell-tomcat5 restart

Windows: Enter the following commands:

net stop Tomcat5

net start Tomcat5
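The following Python example (added here; it is not the product's code and not part of this documentation) illustrates what the wsfedAssertionValidity setting does: it reads the context parameter from a constructed web.xml fragment and then checks a constructed SAML 1.1 Conditions element against a given clock reading, tolerating NotBefore and NotOnOrAfter by that many seconds in each direction. The web.xml fragment, the assertion fragment and the check function are assumptions for illustration; the real Identity Server reads the parameter from its own web.xml, and this example only shows why the value must be large enough to cover the worst-case clock difference between ADFS and the Identity Server and no larger than you are willing to accept a stale assertion for.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed web.xml fragment containing the context-param described above.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <context-param>
    <param-name>ldapLoadThreshold</param-name>
    <param-value>5</param-value>
  </context-param>
  <context-param>
    <param-name>wsfedAssertionValidity</param-name>
    <param-value>600</param-value>
  </context-param>
</web-app>"""

# Constructed assertion fragment; the timestamps are made up for the example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z"/>
</saml:Assertion>"""


def _local_name(tag):
    """Strip any XML namespace so the web.xml schema version does not matter."""
    return tag.rsplit("}", 1)[-1]


def read_context_param(web_xml, name):
    """Return the param-value for the named context-param, or None if absent."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        if _local_name(elem.tag) != "context-param":
            continue
        fields = {_local_name(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == name:
            return fields.get("param-value")
    return None


def parse_saml_time(value):
    """Parse an xsd:dateTime such as 2024-01-15T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def conditions_from_assertion(assertion_xml):
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def check_assertion_validity(assertion_xml, now, skew_seconds):
    """Return (accepted, reason) after widening the window by skew_seconds on both sides."""
    not_before, not_on_or_after = conditions_from_assertion(assertion_xml)
    skew = timedelta(seconds=skew_seconds)
    if now < not_before - skew:
        return False, "rejected: NotBefore is further in the future than the tolerated skew"
    if now >= not_on_or_after + skew:
        return False, "rejected: NotOnOrAfter is further in the past than the tolerated skew"
    return True, "accepted: within validity window plus tolerated skew"


if __name__ == "__main__":
    tolerance = int(read_context_param(SAMPLE_WEB_XML, "wsfedAssertionValidity"))
    # An SP clock running eight minutes behind the IDP would see this assertion as "not yet valid"
    # without the tolerance; with the 600-second window it is accepted.
    sp_clock = datetime(2024, 1, 15, 9, 52, 0, tzinfo=timezone.utc)
    print(check_assertion_validity(SAMPLE_ASSERTION, sp_clock, tolerance))
    print(check_assertion_validity(SAMPLE_ASSERTION, sp_clock, 0))
```

The check is deliberately symmetric: the same number of seconds is allowed before NotBefore and after NotOnOrAfter, because clock skew can go either way. Raising the value therefore also extends how long after NotOnOrAfter an assertion is still honoured, which is the trade-off to keep in mind when choosing something larger than the example's 600 seconds.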