11.3 Creating and Viewing Brokering Groups

The identity server cluster configuration provides a Brokering tab that you can use to configure the groups and generate brokered URLs.

  1. In the Administration Console, click Devices > Identity Servers > Brokering.

  2. The Brokering tab allows you to create new groups and displays the configured groups. The Display Brokering Groups page lists the groups that are configured.

    You can also create, delete, enable, and disable the brokering group on this page.

  3. The Display Brokering Groups page displays the following information for each group:

    Group Name: Specifies a unique name to identify the group. When you click on the hyperlink, you can view the Group Details page, where the Group configuration such as name and list of Identity Providers and Service Providers can be modified.

    Enabled: A check mark indicates that brokering is enabled for the group by applying the configured rules. A blank means that brokering is disabled.

    Identity Providers: Displays the total number of Liberty/SAML1.1/SAML2 IDPs assigned to this group.

    Service Providers: Displays the total number of Liberty/SAML1.1/SAML2 SPs assigned to this group.

    Brokering Rules: If no rules are configured, “No Rules Config” is displayed. The default rule allows brokering between any IDP and any SP in the group. If new rules are configured, the name of the first rule is displayed along with the total number of rules.

11.3.1 Creating a Brokering Group

When brokering groups are created, the following rules apply:

  • Brokering is not allowed among different company groups.

    The brokering is not allowed between the logical customers of Company 1 Brokering Group and Company 2 Brokering Group.

  • Brokering is allowed among different partners of the company group.

    Brokering is allowed between the brokering groups of Company 1 Brokering Group and Company 2 Brokering Group.

    • Role based brokering is allowed among Company 1 and Partner 1 logical customers.

    • Role based brokering is allowed among Company 2 and Partner 2 logical customers.

  • Brokering is allowed among different partners based on roles and groups authentication of the company.

To create a new brokering group, follow these steps:

  1. In the Administration Console, click Devices > Identity Servers > Brokering.

  2. Click New. The Creating Brokering Group page displays.

  3. Perform the following actions in the fields:

    Display Name: Specify the brokering group display name.

    Selected IDPs: Select at least one trusted IDP using the navigation buttons.

    Selected SPs: Select at least one trusted SP using the navigation buttons.

    Available Trusted IDPs: Displays the Liberty/SAML1.1/SAML2.0 trusted IDPs configured on the given Identity Provider cluster (idp_cluster1).

    Available Trusted SPs: Displays the Liberty/SAML1.1/SAML2.0 trusted service providers configured on the given Identity Provider cluster (idp_cluster1).

  4. Click Finish to complete creation of the brokering group.

11.3.2 Configuring Trusted Identity Providers and Service Providers

You can control brokering between the trusted identity providers and service providers by configuring rules, roles, and actions. You can view the configured rules, create new rules, delete or edit existing rules, and enable or disable configured rules.

You can configure the service providers and identity providers for all of the protocols in the Identity Server, which are configured in the identity server cluster. Using the brokering group, you can view the list of available service providers and identity providers in the selection box. Using the arrow keys, configure the trusted identity providers and trusted service providers for the respective brokering group.

  1. In the Administration Console, click Devices > Identity Servers > Brokering Group Name. The Configuration page displays the Trusted Providers, Brokering rules, Construct URL and Rule Validation tabs.

  2. Click the Trusted Providers tab.

  3. Specify the display name and configure the brokering groups.

    Display Name: Specify the display name of the brokering group you are configuring.

    Select IDPs: Configure the selected identity providers using the arrow keys from the available trusted IDPs.

    Available Trusted IDPs: Configure the available trusted identity providers using the arrow keys from the Selected Identity Providers selection box.

    Selected SPs: Configure the selected service providers using the arrow keys from the Available Trusted Service Providers selection box.

    Available Trusted SPs: Configure the available trusted service providers using the arrow keys from the Selected Service Providers selection box.

  4. Click OK to continue. The configured service providers and identity providers are displayed on the Brokering page.

  5. Click Finish to complete the rules configuration for the brokering group.

  6. Click Apply to see the configuration changes.

NOTE: When you log out from the Access Gateway device, the logout is not propagated to the other Identity Servers if SAML 1.1 is one of the trusted providers in the brokering group.

11.3.3 Creating and Viewing Brokering Rules

You can create, edit, delete, enable, and disable brokering rules.

  1. In the Administration Console, click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created Brokering Group hyperlink.

  3. Click the Rules tab. The Brokering Group Rules page is displayed.

    Name: Displays the rule name of the brokering group.

    Enabled: Displays the status of the brokering group rule.

    Identity Providers: Displays the number of identity providers configured to the brokering group.

    Service Providers: Displays the number of service providers configured to the brokering group.

    Priority: Displays the brokering group rule priority number.

    Actions: Displays the configured brokering group rule action status either as permit or deny.

    Role Conditions: Displays the brokering group role condition, such as manager and employee, configured on the rule page.

  4. Click OK to continue. The configured brokering group rule details are displayed on the Brokering Rules page.

  5. Click Apply to see the brokering rule configuration changes.

Creating a Brokering Rule

You can configure rules for the brokering groups you have created.

  1. In the Administration Console, click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created Brokering Group hyperlink.

  3. Click the Rules tab. The Creating Brokering Group page displays.

    Rule Name: Specify the name of the rule.

    Rule Priority: Select the rule priority from the drop-down list.

    NOTE: The default rule specified during creation of the group has a priority of 1. Additional rules can be added, and existing rules can be deleted or modified. You can use the Edit Rules page to modify the priority of the rules.

    Origin IDP: Displays all Identity Servers or one or more Identity Servers that are available in the group.

    Allowed SP: Displays all service providers or one or more service providers that are available in the group.

    Role Conditions: Displays the brokering group role condition, such as manager and employee, configured on the rule page.

    Actions: Select the Permit or Deny radio button for the rule you are configuring for the brokering group.

  4. Click Finish to complete configuration of rules for the brokering group.

Deleting a Brokering Rule

  1. In the Administration Console, click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.

  2. Select the check box of the brokering group rule you want to delete, then click Delete. The message “Delete selected brokering rule(s)?” is displayed.

  3. Click OK to continue.

  4. Click Cancel to discard the changes.

Enabling a Brokering Rule

  1. In the Administration Console, click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.

  2. Select the check box of the brokering group rule you want to enable.

  3. Click Enable. The selected brokering group rule is enabled.

Disabling a Brokering Rule

  1. In the Administration Console, click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.

  2. Select the check box of the brokering group rule you want to disable.

  3. Click Disable. The selected brokering group rule is disabled.

Editing Brokering Rules

You can edit the group rules in the Brokering page.

  1. In the Administration Console, click Devices > Identity Servers > Edit > Brokering.

  2. Click the existing or newly created brokering group hyperlink.

  3. Click the Rules tab.

  4. Click the Brokering Rules hyperlink to edit the information. The Edit Brokering Rule page displays the information, which you can edit.

You can edit all the fields and modify the information on the Create Brokering Rule page. For more information on creating a brokering rule, see Creating a Brokering Rule.

11.3.4 Constructing Brokering URLs

The Construct URL page helps you create a URL that your application uses to navigate to your trusted partners.

You generate the URL for a chosen Origin IDP and allowed service provider pair.

  1. In the Administration Console, click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created brokering group hyperlink.

  3. Click the Construct URL tab.

    IDP Type: Select the Identity Provider type from the drop-down list. The three types of IDP in the drop-down list are Local IDP, Novell IDP, and Other IDP. If you select Novell IDP as the IDP type, you select the Origin IDP from the drop-down list. If you select Other IDP as the IDP type, you can enter the Origin IDP URL manually and you can select the Origin IDP from the drop-down list.

    Origin IDP: The Origin identity providers are the trusted providers. The drop-down list displays all the trusted providers created for the specific Novell brokering group. Select the Origin IDP from the drop-down list.

    Origin IDP URL: If you select Other IDP as the IDP type, you can enter the Origin IDP URL manually. The <OriginIDPURL> represents (protocol :// domain : port / path ? querystring).

    Provider Parameter Name: If you select Other IDP as the IDP Type, you can enter the trusted provider parameter ID. For more information on the Intersite Transfer Service target for a service provider, see Section 7.11.4, Configuring an Intersite Transfer Service Target for a Service Provider.

    Target Parameter Name: If you select Other IDP as the IDP type, you can enter the target provider parameter name manually.

    Allowed SP: The allowed service providers are the selected service providers of the trusted providers. The drop-down list displays all the service providers created for the specific brokering group. Select the service provider from the drop-down list.

    Target URL: Specify the target URL for the specific trusted provider and service provider pair. This URL is appended to the login URL. Click Generate to generate the login URL.

    Login URL: The login URL consists of the Origin IDP URL and the target URL.

  4. Click Cancel to close the Construct URL page.
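The following is an added example, not code from this documentation or from the product, of how a login URL of the kind the Construct URL page generates can be assembled outside the console: the Origin IDP URL (protocol://domain:port/path?querystring) is kept intact, and the provider and target parameters are appended to its query string. The parameter names PID and TARGET, the host names, and the paths are constructed placeholders standing in for whatever you enter in the Provider Parameter Name and Target Parameter Name fields; the product's actual intersite transfer format is described in Section 7.11.4 and is not assumed here. The point the example demonstrates is that the target URL, which carries its own query string, must be percent-encoded so that it travels as a single parameter value and its `&` and `=` characters are not mistaken for additional login URL parameters.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def construct_login_url(origin_idp_url: str, provider_param: str,
                        target_param: str, allowed_sp: str, target_url: str) -> str:
    """Append the provider and target parameters to the Origin IDP URL.

    origin_idp_url follows protocol://domain:port/path?querystring, as on the
    Construct URL page; any query string it already carries is preserved.
    provider_param and target_param are whatever names the administrator
    entered as Provider Parameter Name and Target Parameter Name (assumed).
    """
    parts = urlsplit(origin_idp_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("Origin IDP URL must be absolute (protocol://domain:port/path)")
    target_parts = urlsplit(target_url)
    if not target_parts.scheme or not target_parts.netloc:
        raise ValueError("Target URL must be absolute")

    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((provider_param, allowed_sp))
    query.append((target_param, target_url))
    # urlencode percent-encodes ':', '/', '?', '&' and '=' inside each value,
    # so the target's own query string travels as one parameter value.
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def target_from_login_url(login_url: str, target_param: str) -> str:
    """Recover the target URL from a generated login URL (round-trip check)."""
    params = dict(parse_qsl(urlsplit(login_url).query, keep_blank_values=True))
    return params[target_param]


# Constructed sample values; not real hosts or product parameter names.
ORIGIN_IDP_URL = "https://idp.example.com:8443/nidp/saml2/idpsend?lang=en"
ALLOWED_SP = "https://sp.example.com/metadata"
TARGET_URL = "https://sp.example.com/app?x=1&y=2"

if __name__ == "__main__":
    login = construct_login_url(ORIGIN_IDP_URL, "PID", "TARGET", ALLOWED_SP, TARGET_URL)
    print(login)
    print(target_from_login_url(login, "TARGET") == TARGET_URL)
```

Running the module prints the generated login URL and then True, showing that the target URL survives the round trip through the login URL unchanged.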

11.3.5 Validating Brokering Rules

The Rule Validation page helps you validate the rule for a given Origin identity provider and allowed service provider according to the role associated with the respective trusted partners.

  1. In the Administration Console, click Devices > Identity Servers > Brokering.

  2. Click the existing or newly created brokering group hyperlink.

  3. Click the Rule Validation tab.

    Origin IDP: The Origin identity providers are the trusted providers. The drop-down list displays all the trusted providers created for the specific Novell brokering group. Select the Origin identity providers from the drop-down list.

    Allowed SP: The allowed SPs are the selected SPs of the trusted providers. The drop-down list displays all the service providers created for the specific brokering group. Select the service provider from the drop-down list.

    Role: Specify the role you want to validate for the selected Origin identity provider and allowed SP. Click Validate Rule.

    A list is displayed according to the rule validation for the selected trusted providers, role, and permission.

    Name: Displays the role name of the selected trusted providers.

    Identity Providers: Displays the identity provider name.

    Service Providers: Displays the service provider name.

    Priority: Displays, in ascending order, the priority number of each rule evaluated for the selected trusted providers.

    Action: Displays the Permit or Deny action of each rule evaluated for the selected trusted providers.

    Role Conditions: Displays the role conditions for the selected trusted providers rule validation. Denial takes precedence over Permit.

    Evaluate State: Displays the evaluate state of each rule's role conditions for the selected trusted providers. The evaluate state can be one of the following:

    Pass 1: The rule matches the Origin identity provider and allowed service provider, and its role condition is Any (no specific role).

    Pass 2: The rule matches the Origin identity provider and allowed service provider, and the specific role mentioned in its role condition.

    Ignored: The rule matches neither Pass 1 nor Pass 2.

    Not Executed: The default state of all rules; a rule keeps this state when evaluation stops before reaching it.

    NOTE: If a rule has the evaluate state Pass 1 and the action Deny, the remaining rules are in the Not Executed state.

    After a rule has the evaluate state Pass 2, regardless of its action, the remaining rules are in the Not Executed state.

    The rules before a Pass 1 rule should have the evaluate state Ignored. All these ignored rules should have the role condition Any, without a specific role condition.

    Pass 1 evaluation stops as soon as a match for the Origin identity provider and allowed service provider is found with a specific role condition.

  4. Click Cancel to close the Rule Validation page.
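The rule walk that the Rule Validation page reports can be reproduced in a few lines. The following is an added example and not the product's own evaluation code: it models the stated semantics (rules walked in ascending priority; Pass 1 for an IDP/SP match with role condition Any, Pass 2 for a match on a specific role; Pass 1 with Deny stops evaluation, Pass 2 stops evaluation regardless of action; Deny takes precedence over Permit; rules never reached stay Not Executed). Where the page says nothing, the example makes labelled assumptions: an empty provider set stands for "all providers in the group", an empty role set for the role condition Any, and a validation with no matching rule returns None rather than a decision. The rule names, provider names, and roles are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Evaluate states as named on the Rule Validation page.
PASS_1 = "Pass 1"              # IDP and SP match, role condition Any
PASS_2 = "Pass 2"              # IDP and SP match, specific role condition satisfied
IGNORED = "Ignored"            # examined but matches neither Pass 1 nor Pass 2
NOT_EXECUTED = "Not Executed"  # evaluation stopped before this rule was reached


@dataclass(frozen=True)
class BrokeringRule:
    name: str
    priority: int            # lower number is evaluated earlier (default rule is 1)
    origin_idps: frozenset   # assumption: empty set = all Identity Servers in the group
    allowed_sps: frozenset   # assumption: empty set = all service providers in the group
    roles: frozenset         # assumption: empty set = role condition Any
    action: str              # "Permit" or "Deny"


def evaluate_rule(rule: BrokeringRule, idp: str, sp: str, role: str) -> str:
    """Classify one rule against an (Origin IDP, Allowed SP, role) triple."""
    idp_matches = not rule.origin_idps or idp in rule.origin_idps
    sp_matches = not rule.allowed_sps or sp in rule.allowed_sps
    if not (idp_matches and sp_matches):
        return IGNORED
    if not rule.roles:        # role condition Any
        return PASS_1
    if role in rule.roles:    # specific role condition satisfied
        return PASS_2
    return IGNORED


def validate_rules(rules, idp: str, sp: str, role: str) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Walk the rules in priority order and return (decision, trace).

    decision is "Permit", "Deny", or None when no rule matched at all
    (assumption: the page does not say what happens without any match).
    trace lists (rule name, evaluate state) in priority order, which is
    what the Rule Validation page displays.
    """
    trace: List[Tuple[str, str]] = []
    decision: Optional[str] = None
    stopped = False
    for rule in sorted(rules, key=lambda r: r.priority):
        if stopped:
            trace.append((rule.name, NOT_EXECUTED))
            continue
        state = evaluate_rule(rule, idp, sp, role)
        trace.append((rule.name, state))
        if state == PASS_1:
            if rule.action == "Deny":
                # Pass 1 with Deny: denial wins and evaluation stops.
                decision, stopped = "Deny", True
            elif decision is None:
                # Pass 1 with Permit: provisional Permit; keep looking for a
                # rule with a specific role condition (Pass 2).
                decision = "Permit"
        elif state == PASS_2:
            # Pass 2 ends evaluation regardless of action; a Deny here
            # overrides an earlier Pass 1 Permit (denial takes precedence).
            decision, stopped = rule.action, True
    return decision, trace


# Constructed sample rule set: the default any-to-any Permit at priority 1,
# then a role-specific Deny, then a broader Permit for the same pair.
RULES = [
    BrokeringRule("default", 1, frozenset(), frozenset(), frozenset(), "Permit"),
    BrokeringRule("deny-managers", 2, frozenset({"idp_a"}), frozenset({"sp_x"}), frozenset({"manager"}), "Deny"),
    BrokeringRule("permit-a-x", 3, frozenset({"idp_a"}), frozenset({"sp_x"}), frozenset(), "Permit"),
]

# Constructed rule set where a Pass 1 Deny comes first.
DENY_FIRST = [
    BrokeringRule("block-a-x", 1, frozenset({"idp_a"}), frozenset({"sp_x"}), frozenset(), "Deny"),
    BrokeringRule("default", 2, frozenset(), frozenset(), frozenset(), "Permit"),
]

if __name__ == "__main__":
    for triple in [("idp_a", "sp_x", "manager"), ("idp_a", "sp_x", "employee"), ("idp_b", "sp_y", "manager")]:
        print(triple, validate_rules(RULES, *triple))
    print(("idp_a", "sp_x", "manager"), validate_rules(DENY_FIRST, "idp_a", "sp_x", "manager"))
```

For the manager validation against RULES the trace reads default: Pass 1, deny-managers: Pass 2, permit-a-x: Not Executed, and the decision is Deny, which is the precedence behaviour the page describes; for the employee validation the second rule is Ignored, the third reaches Pass 1, and the decision is Permit.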