The following instructions explain how to import the trusted root certificate and metadata of Site A into the configuration for Site B.
Log in to Administration Console for Site B.
Site B can be configured in the same Administration Console as Site A, but it cannot be configured as a cluster member of Site A; it is a separate Identity Server configuration.
Import the trusted root certificate of Site A into the NIDP trust store of Site B.
Click Devices > Identity Servers > Edit > Security > NIDP Trust Store.
In the Trusted Roots section, click Auto-Import From Server.
Specify the following details:
Field | Description
---|---
Server IP/DNS | Specify the IP address or DNS name of Site A (the server whose trusted root you are importing). For Site A in Figure A-2, specify the following value: idp.sitea.example.com
Server Port | Specify 8443.
Click OK, then specify an alias for the certificate (for example, SiteA).
Two certificate options are displayed: Root CA Certificate and Server Certificate. Select Root CA Certificate.
Examine the trusted root that is selected for you.
If the trusted root is part of a chain, ensure that you select the parent and all intermediate trusted roots.
Click OK.
The trusted root certificate of Site A is added to the NIDP trust store.
Click Close.
Click Identity Servers > Update > OK.
Wait for the health status to return to green.
Configure an identity provider for Site B.
Click Identity Servers > Edit > Liberty [or SAML 2.0 or SAML 1.1].
Click New and select Identity Provider.
Specify the following details:
Field | Description
---|---
Name | Specify a name for the provider. If you plan to configure more than one protocol, include the protocol as part of the name, such as SiteA_Liberty.
Metadata URL | Specify the URL of the Liberty metadata on Site A. For Site A in Figure A-2, specify the following: http://idp.sitea.example.com:8080/nidp/idff/metadata This example uses port 8080 to avoid the certificate problems that can occur when Identity Server and Administration Console are installed on separate machines. Note that metadata fetched over plain HTTP is not integrity-protected in transit; after the import, verify that the signing certificate recorded for the provider is the one you expect from Site A, or use the HTTPS URL on port 8443 once the Site A certificate chain is trusted.
SAML 2.0 | If you are using SAML 2.0, the metadata path is /nidp/saml2/metadata. For Site A in Figure A-2, specify the following for SAML 2.0: http://idp.sitea.example.com:8080/nidp/saml2/metadata
SAML 1.1 | If you are using SAML 1.1, the metadata path is /nidp/saml/metadata. For Site A in Figure A-2, specify the following for SAML 1.1: http://idp.sitea.example.com:8080/nidp/saml/metadata
Click Next.
To configure an authentication card, specify the following details:
Field | Description
---|---
ID (Optional) | Specify an alphanumeric value that identifies the card. If you need to reference this card outside of Administration Console, specify a value here. If you do not assign a value, Identity Server creates one for its internal use.
Text | Specify the text that is displayed on the card to the user.
Image | Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click Select local image.
Login URL (Conditional) | If you are configuring an authentication card for SAML 1.1, specify an Intersite Transfer Service URL. For Figure A-1, specify the following value: https://idp.sitea.example.com:8443/nidp/saml/idpsend?PID=https://idp.siteb.example.com:8443/nidp/saml/metadata&TARGET=https://idp.siteb.example.com:8443/nidp/app For more information, see Specifying the Intersite Transfer Service URL for the Login URL Option.
Show Card | Determine whether the card is shown to the user. If this option is not selected, the card is only used when a service provider makes a request for the card. For this scenario, select this option.
Passive Authentication Only | Do not select this option.
Click Finish > OK.
Update Identity Server.
Wait for the health status to return to green.
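The procedure above pulls Site A's metadata over plain HTTP and then types an Intersite Transfer Service URL by hand. The following added example (not code from the Access Manager documentation or product) shows the two checks a practitioner would want to script: parsing a SAML 2.0 metadata document to extract the entityID and the SHA-256 fingerprints of its signing certificates so they can be compared with what the NIDP trust store shows, and building the SAML 1.1 idpsend URL with the PID and TARGET values query-encoded. The sample metadata document, its certificate bytes, and the helper names are constructed for this example and are not real Site A output; the assumption is that the server decodes standard percent-encoded query parameters.

```python
"""Offline checks for an identity provider's metadata before trusting it.

Added example; not part of the Access Manager documentation.  The sample
EntityDescriptor below and FAKE_DER are constructed stand-ins for what
/nidp/saml2/metadata on Site A would return.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder for a DER-encoded certificate (a real one is ~1 KB).
FAKE_DER = b"\x30\x82\x01\x00" + b"site-a-signing-cert-placeholder" * 4
EXPECTED_FP = hashlib.sha256(FAKE_DER).hexdigest()  # what the trust store should show

# Constructed SAML 2.0 metadata in the shape the page describes for Site A.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.sitea.example.com:8443/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.sitea.example.com:8443/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_cert_fingerprints(metadata_xml: str) -> dict:
    """Return the entityID and SHA-256 fingerprints of every signing certificate.

    Metadata fetched over http://...:8080 is not integrity-protected, so these
    fingerprints must be compared out of band (trust store view, or a value
    supplied by the Site A administrator) before the provider is trusted.
    """
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # Per the metadata schema, a KeyDescriptor with no 'use' attribute
        # serves both signing and encryption, so it counts as signing too.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "signing_sha256": fingerprints}


def metadata_matches_trust_store(metadata_xml: str, trusted_fps: set) -> bool:
    """True only if every signing cert in the metadata is one you already trust."""
    fps = signing_cert_fingerprints(metadata_xml)["signing_sha256"]
    return bool(fps) and all(fp in trusted_fps for fp in fps)


def intersite_transfer_url(idp_host: str, sp_entity_id: str, target: str) -> str:
    """Build the SAML 1.1 Intersite Transfer Service login URL for a card.

    PID and TARGET are URLs themselves, so they are query-encoded here rather
    than pasted raw as in the hand-typed value shown on the page.
    """
    query = urlencode({"PID": sp_entity_id, "TARGET": target})
    return f"https://{idp_host}:8443/nidp/saml/idpsend?{query}"


if __name__ == "__main__":
    info = signing_cert_fingerprints(SAMPLE_METADATA)
    print(info["entity_id"], info["signing_sha256"])
    print(metadata_matches_trust_store(SAMPLE_METADATA, {EXPECTED_FP}))
    print(intersite_transfer_url(
        "idp.sitea.example.com",
        "https://idp.siteb.example.com:8443/nidp/saml/metadata",
        "https://idp.siteb.example.com:8443/nidp/app",
    ))
```

In practice, fetch the real metadata with the same URL you gave the Metadata URL field, feed it to signing_cert_fingerprints, and compare the result with the certificate displayed under the provider's configuration in Administration Console; a mismatch means the metadata you imported is not the one Site A is serving.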
Continue with one of the following:
If you are using Liberty or SAML 2.0, continue with Verifying the Trust Relationship.
If you are using SAML 1.1, continue with Configuring SAML 1.1 for Account Federation.