10.5 Modifying a WS Federation Service Provider

This section explains how to modify a WS Federation service provider after it has been created. Section 10.3.2, Creating a Service Provider for WS Federation explains the steps required to create the service provider. You can modify the following configuration details:

10.5.1 Renaming the Service Provider

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Service Provider].

  2. In the Name field, specify a new name for the service provider.

  3. Click OK twice, then update the Identity Server.

10.5.2 Configuring the Attributes Sent with Authentication

When the Identity Server creates its response for the service provider, it uses the attributes listed on the Attributes page. The response needs to contain the attributes that the service provider requires. If you do not own the service provider, you need to contact the administrator of the service provider and negotiate which attributes you need to send in the response. The service provider can then use these attributes to identify the user, to create policies, to match user accounts, or if it allows provisioning, to create a user account on the service provider.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Service Provider] > Attributes.

  2. (Conditional) To create an attribute set, select New Attribute Set from the Attribute Set drop-down menu.

    An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can specify that the local attribute of any attribute in the Liberty profile (such as Informal Name) matches the remote attribute specified at the service provider.

    a. Specify a set name, then click Next.

    b. On the Define Attributes page, click New.

    c. Select a local attribute.

    d. Specify the name of the remote attribute.

    e. For the namespace, specify http://schemas.xmlsoap.org/claims.

    f. Click OK.

    g. To add other attributes to the set, repeat Step 2.b through Step 2.e.

    h. Click Finish.

  3. Select an attribute set.

  4. Select attributes that you want to send from the Available list, and move them to the left side of the page.

  5. (Conditional) If you created a new attribute set, it must be enabled for STS.

    For more information, see Enabling the Attribute Set.

  6. Click OK, then update the Identity Server.

10.5.3 Modifying the Authentication Response

When the Identity Server sends its response to the service provider, the response can contain an identifier for the user. If you do not own the service provider, you need to contact the administrator of the service provider and negotiate whether the user needs to be identified and how to do the identification. If the service provider is going to use an attribute for user identification, that attribute needs to be in the attributes sent with authentication. See Section 10.5.2, Configuring the Attributes Sent with Authentication.

To select the user identification method to send in the response:

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Service Provider] > Authentication Response.

  2. For the format, select one of the following:

    Unspecified: Specifies that the SAML assertion contains an unspecified name identifier.

    E-mail: Specifies that the SAML assertion contains the user’s e-mail address for the name identifier.

    X509: Specifies that the SAML assertion contains an X.509 certificate for the name identifier.

  3. For the value, select an attribute that matches the format. For the Unspecified format, select the attribute that the service provider expects.

    The only values available are from the attribute set that you have created for WS Federation.

  4. To specify that this Identity Server must authenticate the user, disable the Use proxied requests option. When the option is disabled and the Identity Server cannot authenticate the user, the user is denied access.

    When this option is enabled, the Identity Server checks to see if other identity providers can satisfy the request. If one or more can, the user is allowed to select which identity provider performs the authentication. If a proxied identity provider performs the authentication, it sends the response to the Identity Server. The Identity Server then sends the response to the service provider.

  5. Click OK twice, then update the Identity Server.
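The following Python is an added example, not code from the Identity Server product or this guide. It shows what Sections 10.5.2 and 10.5.3 configure: an attribute set whose remote names live under the http://schemas.xmlsoap.org/claims namespace, and a name identifier whose source attribute must come from that set and whose value must fit the selected format (Unspecified, E-mail, X509). The attribute set and user values are constructed; the SAML 1.1 nameid-format URIs are the standard ones.

```python
import re
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"  # namespace entered in Step 2.e

# SAML 1.1 name identifier format URIs for the three formats in Section 10.5.3
NAMEID_FORMATS = {
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "E-mail": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "X509": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
}

# Constructed attribute set (hypothetical): local attribute -> remote attribute name
ATTRIBUTE_SET = {"mail": "emailaddress", "givenName": "givenname", "cn": "name"}

def name_identifier(fmt, local_attr, user, attribute_set=ATTRIBUTE_SET):
    """Return (format URI, value) for the response's name identifier, enforcing
    that the source attribute is in the attribute set sent with authentication
    and that its value fits the selected format."""
    if fmt not in NAMEID_FORMATS:
        raise ValueError(f"unknown name identifier format: {fmt}")
    if local_attr not in attribute_set:
        raise ValueError(f"{local_attr} is not in the WS Federation attribute set")
    value = user[local_attr]
    if fmt == "E-mail" and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        raise ValueError("E-mail format selected but the value is not an e-mail address")
    if fmt == "X509" and not value.upper().startswith("CN="):  # simple subject DN check
        raise ValueError("X509 format selected but the value is not a subject DN")
    return NAMEID_FORMATS[fmt], value

def build_attribute_statement(user, attribute_set=ATTRIBUTE_SET):
    """Build the SAML 1.x <AttributeStatement>: one <Attribute> per mapped local
    attribute the user actually has, named by its remote name under CLAIMS_NS."""
    stmt = ET.Element(f"{{{SAML1_NS}}}AttributeStatement")
    for local, remote in attribute_set.items():
        if local not in user:
            continue  # attribute not populated for this user; nothing to send
        attr = ET.SubElement(stmt, f"{{{SAML1_NS}}}Attribute",
                             AttributeName=remote, AttributeNamespace=CLAIMS_NS)
        ET.SubElement(attr, f"{{{SAML1_NS}}}AttributeValue").text = user[local]
    return stmt

def attribute_names(stmt):
    """Remote attribute names present in a statement, in the order they were mapped."""
    return [a.get("AttributeName") for a in stmt.findall(f"{{{SAML1_NS}}}Attribute")]
```

Serialize the statement with ET.tostring(build_attribute_statement(user)) to see the XML the service provider would receive.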

10.5.4 Viewing the WS Service Provider Metadata

You can view the metadata of the ADFS server, edit it, and view information about the signing certificate.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Service Provider] > Metadata.

    The following values need to be configured accurately:

    ID: This is the provider ID. This is the value that the ADFS server provides to the Identity Server in the realm parameter of the query string. This value is specified in the Properties of the Trust Policy page on the ADFS server. The parameter label is Federation Service URI. The default value is urn:federation:treyresearch.

    sloUrl: This is the sign-on URL. This URL is listed in the Properties of the Trust Policy on the ADFS server. The label is Federation Services endpoint URL. The default value is https://adfsresource.treyresearch.net/adfs/ls/.

    ssoUrl: This is the logout URL. The default value is https://adfsresource.treyresearch.net/adfs/ls/. The ADFS server makes no distinction between the login URL and the logout URL.

    If the values do not match the ADFS values, you need to edit the metadata.

  2. To edit the metadata, click Edit. For configuration information, see Section 10.5.5, Editing the WS Service Provider Metadata.

  3. To view information about the signing certificate, click Certificates.

  4. Click OK twice.

10.5.5 Editing the WS Service Provider Metadata

You can view the metadata of the ADFS server and edit it.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Service Provider] > Metadata > Edit.

  2. Configure the following fields:

    Provider ID: This is the provider ID. This is the value that the ADFS server provides to the Identity Server in the realm parameter of the query string. This value is specified in the Properties of the Trust Policy page on the ADFS server. The parameter label is Federation Service URI. The default value is urn:federation:treyresearch.

    Sign-on URL: This is the sloUrl. This URL is listed in the Properties of the Trust Policy on the ADFS server. The label is Federation Services endpoint URL. The default value is https://adfsresource.treyresearch.net/adfs/ls/.

    Logout URL: This is the ssoUrl. The default value is https://adfsresource.treyresearch.net/adfs/ls/. The ADFS server makes no distinction between the login URL and the logout URL.

  3. If you need to import a new signing certificate, click the Browse button and follow the prompts.

  4. To view information about the signing certificate, click Certificates.

  5. Click OK twice, then update the Identity Server.