To establish trust between Site A and Site B, you must perform two tasks:

- The providers must trust each other's certificates. You need to import the trusted root certificate of Site B into Site A.
- You must import the metadata of Site B into Site A. The metadata allows Site A to verify that Site B is truly Site B when it sends a request to Site A.
Perform the following steps to import the certificate and the metadata:

1. Log in to Administration Console for Site A.

   The configuration for Site A can be created in the same Administration Console as Site B, but Site A cannot be configured as a cluster member of Site B.

2. Import the trusted root certificate of Site B into the NIDP trust store of Site A:

   1. Click Devices > Identity Servers > Edit > Security > NIDP Trust Store.
   2. In the Trusted Roots section, click Auto-Import From Server.
   3. Specify the following details:

      | Field | Description |
      |---|---|
      | Server IP/DNS | Specify the IP address or DNS name of Site B. For Site B in Figure A-2, specify the following value: `idp.siteb.example.com` |
      | Server Port | Specify 8443. |

   4. Click OK, then specify an alias for the certificate (for example, SiteB).
   5. You are offered two certificate options: Root CA Certificate and Server certificate. Select Root CA Certificate.
   6. Examine the trusted root that is selected for you. If the trusted root is part of a chain, ensure that you select the parent and all intermediate trusted roots.
   7. Click OK. The trusted root certificate of Site B is added to the NIDP trust store.
   8. Click Close.
   9. Click Devices > Identity Servers, then update Identity Server.
   10. Wait for the health status to return to green.

3. Configure a service provider for Site A:

   1. Click Identity Servers > Edit > Liberty [or SAML 2.0 or SAML 1.1].
   2. Click New, then select Service Provider.
   3. Specify the following details:

      | Field | Description |
      |---|---|
      | Name | Specify a name for the provider. If you plan on configuring more than one protocol, include the protocol as part of the name, such as `SiteB_Liberty`. |
      | Metadata URL | Specify the URL of the Liberty metadata on Site B. For Site B in Figure A-2, specify the following value: `http://idp.siteb.example.com:8080/nidp/idff/metadata`. This example uses port 8080 to avoid any potential certificate problems that occur when Identity Server and Administration Console are installed on separate machines. |
      | SAML 2.0 | If you are using SAML 2.0, the metadata path is `/nidp/saml2/metadata`. For Site B in Figure A-2, specify the following value: `http://idp.siteb.example.com:8080/nidp/saml2/metadata` |
      | SAML 1.1 | If you are using SAML 1.1, the metadata path is `/nidp/saml/metadata`. For Site B in Figure A-2, specify the following value: `http://idp.siteb.example.com:8080/nidp/saml/metadata` |

   4. Click Next > Finish > OK.
   5. Update Identity Server.
   6. Wait for the health status to return to green.
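The metadata URL in the procedure above is fetched over plain HTTP on port 8080, so the document itself is not authenticated in transit; what actually anchors the trust relationship is the signing certificate carried inside the metadata, which is worth comparing against a fingerprint obtained out of band (for example from the Site B administrator) before the service provider is saved. The following Python script is an added example and is not part of this documentation or of the product: it parses a constructed SAML 2.0 metadata document modelled on the Site B values above, extracts the entityID and the SHA-256 fingerprint of each signing certificate, compares those fingerprints with an expected set, and lists any protocol endpoint that is not served over HTTPS. The certificate bytes (a placeholder, not a real X.509 certificate), the endpoint paths under `/nidp/saml2/`, and the `fingerprint` and `inspect_metadata` function names are assumptions made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a DER-encoded certificate. Real metadata carries the
# identity provider's actual signing certificate here; the fingerprint logic
# below is identical for real DER bytes.
SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode("ascii")

# Constructed SAML 2.0 metadata modelled on Site B from the procedure above.
# The endpoint paths are assumptions for this example. One endpoint is
# deliberately plain http so that the check below has something to flag.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.siteb.example.com:8443/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.siteb.example.com:8443/nidp/saml2/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.siteb.example.com:8080/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (hex) of a base64 DER certificate as found in metadata."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def inspect_metadata(xml_text: str, expected_fingerprints: set) -> dict:
    """Extract what matters for the trust decision and compare it with values
    obtained out of band (for example from the Site B administrator)."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")

    # A KeyDescriptor with use="signing", or with no use attribute at all
    # (the metadata schema treats the latter as valid for both signing and encryption).
    signing = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                signing.append(fingerprint(cert.text or ""))

    # Any protocol endpoint that is not protected by TLS.
    insecure = [
        el.get("Location")
        for el in root.iter()
        if el.get("Location") and not el.get("Location").lower().startswith("https://")
    ]

    return {
        "entity_id": entity_id,
        "signing_fingerprints": signing,
        "insecure_endpoints": insecure,
        # Trust only if at least one signing certificate exists and every one was expected.
        "trusted": bool(signing) and set(signing) <= expected_fingerprints,
    }


if __name__ == "__main__":
    # In practice this set comes from Site B's administrator, not from the metadata itself.
    known = {fingerprint(SAMPLE_CERT_B64)}
    report = inspect_metadata(SAMPLE_METADATA, known)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run the script against a metadata document saved from the partner's URL by replacing `SAMPLE_METADATA` with the file contents; a `trusted` value of `False` or a non-empty `insecure_endpoints` list is a reason to stop and confirm the values with the Site B administrator before clicking Finish.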
Continue with Configuring Site B to Trust Site A as an Identity Provider.