Configuring User Authentication

The following instructions describe one way to enable single sign-on to Identity Servers and Access Gateways in Figure A-1. It explains how to configure all sites to use the same contract. The instructions explain the following tasks:

  • Selecting the contract for federation

  • Configuring the contract at Site B to allow authentication at Site A

  • Configuring Site A so its contract can satisfy the requirements of the contract at Site B

  • Configuring Site A and Site B to use this contract as their default contract

To configure the contracts, perform the following steps:

  1. Log in to Administration Console for Site B.

  2. Configure the authentication request:

    1. Click Devices > Identity Servers > Edit > Liberty [or SAML 2.0] > [Name of Identity Provider] > Authentication Card > Authentication Request.

    2. (Liberty) Verify the settings of the following fields:

      Allow federation: Ensure that this option is selected. If this option is not selected, users cannot federate their accounts at Site A with an account at Site B.

      After authentication: Ensure that this option is selected. Enabling this option assumes that a user account exists at the service provider and that the account can be associated with a user’s account at the identity provider.

      During authentication: Ensure that this option is selected. Enabling this option allows federation to occur when the user selects the authentication card of the identity provider.

    3. (SAML 2.0) Verify the settings of the following fields:

      Persistent: Select this option to set up a persistent relationship between the two accounts.

      After authentication: Ensure that this option is selected. Enabling this option assumes that a user account exists at the service provider and that the account can be associated with a user’s account at the identity provider after authentication.

      During authentication: Ensure that this option is selected. Enabling this option allows federation to occur when the user selects the authentication card of the identity provider.

    4. For Requested By, select Use Contracts.

    5. (SAML 2.0) For Context Comparison, accept the default value of Exact.

    6. In the Authentication contracts section, select the name of the contract used by the protected resources and move it to the Contracts section.

      If the contract you require is not in the list, it has not been configured for federation. See step 3.

    7. Click OK, then update Identity Server configuration.

  3. (Conditional) Configure the contract at Site B to allow federation:

    1. Click Identity Servers > Edit > Local > Contracts.

    2. Record the URI for the contract you are using. This URI needs to exist as a contract on Site A. The name of the contract can be different at each site, but the URI must be the same.

      NOTE: If Site A only understands authentication class or type, select Use Types in the Requested By field and specify the authentication class in the Allowable Class field. Record the allowable class for the contract you are using. This allowable class must exist as a contract on Site B. The name of the contract can be different at each site, but the allowable class must be the same.

    3. Click the name of the contract.

    4. Ensure that the Satisfiable by External Provider option is selected.

    5. Click OK > OK, then update Identity Server if you made any changes.

    6. Return to Step 2 to select the contract.

  4. If Site A is configured as a SAML 2.0 identity provider, move the contract(s) from the Available contracts list to the Satisfies contract list.

    This automatically redirects the authentication request from Site B to Site A when this contract is executed. You can have multiple contracts in the Satisfies contract list.

  5. Verify that Site A contains the same contract:

    1. Log in to Administration Console for Site A.

    2. Click Identity Servers > Edit > Local > Contracts.

    3. Match the URI from step 3b to a contract.

      NOTE: Match the allowable class if you have selected Use Types in Requested By at Site B.

      If such a contract does not exist, you need to create it. See Configuring Authentication Contracts.

    4. Click OK.

  6. In Administration Console for Site A, click Identity Servers > Edit > Local > Defaults.

  7. For the Authentication Contract, select the name of the contract from step 5c.

  8. (Conditional) If you have multiple user stores, set the default contract for each user store.

  9. Click OK, then update Identity Server.

  10. Test the configuration:

    1. Enter the URL to the user portal of Site B.

    2. Click the federated login link to Site A.

    3. Enter the credentials for Site A and log in.

    4. Enter the URL for a protected resource at Site B.

      You are granted access without being prompted for credentials.

  11. If you want to allow federated users to log in at Site A rather than using the card at Site B to redirect them to Site A, complete the following tasks:

    1. In Administration Console for Site B, click Devices > Identity Servers > Edit > Local > Defaults.

    2. For the Authentication Contract, select the name of the contract whose URI matches the URI of the contract used by Site A.

    3. Click Liberty [or SAML 2.0] > [Name of Identity Provider] > Authentication Card > Authentication Request.

    4. In the Options section, enable the Use automatic introduction option.

      This enables single sign-on to Site B when the user has already federated the accounts at the two sites.

    5. Click OK, then update Identity Server.

    6. To test single sign-on, log in to the user portal on Site A, then enter a URL for a protected resource at Site B.