Creating a Trusted Service Provider

You can configure Identity Server to trust a service provider or an identity provider.

  • When you create a trusted identity provider, you are allowing that identity provider to authenticate the user and Identity Server acts as a service provider.

  • When you create a trusted service provider, you are configuring Identity Server to provide authentication for the service provider and Identity Server acts as an identity provider.

Both of these types of trust relationships require the identity provider to establish a trusted relationship with the service provider and the service provider to establish a trusted relationship with the identity provider.

The default settings of identity and service providers when you import the metadata repository are as follows:

  • SAML 1.1 Identity Provider

    • No contracts associated to Satisfiable list of IDP

    • No image selected for the IDP card

    • Login URL will be empty with Show card disabled.

    • No attribute set associated

  • SAML 1.1 Service Provider

    • No contracts associated to Satisfiable list of SP

    • No Attribute set associated

  • SAML 2.0 Identity Provider

    • Persistent Federation as the Name Identifier

    • Post Binding

    • No contracts associated to Satisfiable list of IDP

    • No image selected for the IDP card

    • No Attribute set associated

  • SAML 2.0 Service Provider

    • No contracts associated to Satisfiable list of SP

    • Post Binding

    • No Attribute set associated

Prerequisites

Before you can create a trusted provider, you must complete the following tasks:

  • Imported the trusted root of the provider’s SSL certificate into the NIDP trust store. For instructions, see Managing the Keys, Certificates, and Trust Stores.

  • Shared the trusted root of the SSL certificate of your Identity Server with the other provider so that the administrator can imported it into the provider’s trust store.

  • Obtained the metadata URL from the other provider or an XML file with the metadata.

  • Shared the metadata URL of your Identity Server with the other provider or sent an XML file with the metadata.

  • Enabled the protocol. Click Devices > Identity Servers > Edit, and on the Configuration page, verify that the required protocol in the Enabled Protocols section has been enabled.

Procedure

  1. Click Devices > Identity Servers > Edit > [Protocol].

  2. Click New, then click Service Provider.

    NOTE:By default, the Provider Type > General is selected. You can configure an Identity Server to trust a service provider to establish federation with external service providers. For more information about pre-configured metadata for Google Applications, Office 365, and Salesforce.com, see Federated Authentication for Specific Providers.

  3. Select one of the following sources for the metadata:

    Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves protocol metadata by using the specified URL.

    Examples of metadata URLs for an Identity Server acting as a trusted provider with an IP address 10.1.1.1:

    • Liberty:

      http://10.1.1.1:8080/nidp/idff/metadata

      https://10.1.1.1:8443/nidp/idff/metadata

    • SAML:

      http://10.1.1.1:8080/nidp/saml2/metadata

      https://10.1.1.1:8443/nidp/saml2/metadata

    • OIOSAML:

      http://10.1.1.1/nidp/saml2/metadata_oiosaml

      https://10.1.1.1/nidp/saml2/metadata_oiosaml

    • SAML 1.1:

      http://10.1.1.1:8080/nidp/saml/metadata

      https://10.1.1.1:8443/nidp/saml/metadata

    The default values nidp and 8080 are established during product installation; nidp is the Tomcat application name. If you have set up SSL, you can use https and port 8443.

    If your Identity Server and Administration Console are on different machines, use HTTP to import the metadata. If you are required to use HTTPS with this configuration, you must import the trusted root certificate of the provider into the trust store of Administration Console. You need to use the Java keytool to import the certificate into the cacerts file in the security directory of Administration Console.

    /opt/novell/java/jre/lib/security

    If you do not want to use HTTP and you do not want to import a certificate into Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP URL of the metadata. View the text from the source page, save the source metadata, then paste it into the Metadata Text option.

    Metadata Text: An editable field in which you can paste copied metadata text from an XML document, assuming you obtained the metadata via e-mail or disk and are not using a URL. If you copy metadata text from a web browser, you must copy the text from the page source.

    Manual Entry: Allows you to enter metadata values manually. When you select this option, the system displays the page to enter the required details. See Editing a SAML 2.0 Service Provider’s Metadata or Editing a SAML 1.1 Service Provider’s Metadata.

    Metadata Repositories: Allows you to configure several identity and/or service providers using a multi-entity metadata file available in a central repository.

  4. In the Name option, specify a name by which you want to refer to the provider.

  5. Specify the metadata source details based on the selection of Source.

  6. (Conditional) If you are specifying the same metadata for a different instance of the same service provider, you will be prompted for specifying a value in the Unique ID field. For information about unique ID, see Configuring Multiple Instances of a SAML 2.0 Service Provider in an Identity Server Cluster.

    You can use numbers, alphabets, special characters or combination of all without using spaces. The value of Unique ID must not be uniqueid or naminstance.

    Also, Unique Id has to be unique among all the unique ids present for different SAML 2 service providers in Identity Server cluster.

  7. Click Next.

  8. Review the metadata certificates and click Finish. The system displays the trusted provider on the protocol page.

  9. Click OK, then update Identity Server.

    The wizard allows you to configure the required options and relies upon the default settings for the other federation options. For information about how to configure the default settings and how to configure the other available options, see Modifying a Trusted Provider.