Identity Server cluster configuration provides a Brokering tab that you can use to configure the groups and generate brokered URLs.
Click Devices > Identity Servers > Brokering.
The Display Brokering Groups page displays the following information for each group:
Group Name: Specifies a unique name to identify the group. When you click on the hyperlink, you can view the Group Details page, where the Group configuration such as name and list of Identity Providers and Service Providers can be modified.
Enabled: A check mark indicates that brokering is enabled for the group by applying the configured rules. A blank means that brokering is disabled.
Identity Providers: Display the total number of Liberty/SAML1.1/SAML2 IDPs assigned to this group.
Service Providers: Display the total number of Liberty/SAML1.1/SAML2 SPs assigned to this group.
Brokering Rules: If the rules are not configured, then “No Rules Config” is displayed. The default rule allows for brokering between any IDP to any SP in the group. If new rules are configured, then the first rule name is displayed along with the count of total rules.
When a brokering group is created while grouping the brokering feature, following rules are applicable:
Brokering is not allowed among different company groups.
The brokering is not allowed between the logical customers of Company 1 Brokering Group and Company 2 Brokering Group.
Brokering is allowed among different partners of the company group.
Brokering is allowed between the brokering groups of Company 1 Brokering Group and Company 2 Brokering Group.
Role based brokering is allowed among Company 1 and Partner 1 logical customers.
Role based brokering is allowed among Company 2 and Partner 2 logical customers.
Brokering is allowed among different partners based on roles and groups authentication of the company.
To create a new broker group, follow these steps:
Click Devices > Identity Servers > Brokering.
Click New.
Specify the following details:
Display Name: Brokering group display name.
Selected IDPs: At least one trusted IDP using navigation button.
Selected SPs: At least one trusted SP using navigation button.
Available Trusted IDPs: Displays Liberty/SAML1.1/SAML2.0 trusted IDP configured on the given IDP cluster (idp_cluster1).
Available Trusted SPs: Displays Liberty/SAML1.1/SAML2.0 Trusted Service Providers configured on the given Identity Provider Cluster (idp_cluster1).
Click Finish to complete creation of the brokering group creation.
You can configure the rules between the trusted identity providers and service providers by configuring rules, roles, and actions. You can view the configured rules, create new, delete the existing rule, edit the rules, enable and disable the configured rules.
You can configure the service providers and identity providers for all of the protocols in Identity Server, which are configured in Identity Server cluster. Using the brokering group, you can view the list of available service providers and identity providers in the selection box. Using the arrow keys, configure the trusted identity providers and trusted service providers for the respective brokering group.
Click Devices > Identity Servers > Brokering Group Name.
Click Trusted Providers.
Specify the following details:
Display Name: Specify the display name of the configuring brokering group.
Select IDPs: Configure the selected identity providers using the arrow keys from the available trusted IDPs.
Available Trusted IDPs: Configure the available trusted identity providers using the arrow keys from Selected Identity Providers selection box.
Selected SPs: Configure the selected service providers using the arrow keys from the Available Trusted Service Providers selection box.
Available Trusted SPs: Configure the available trusted service providers using the arrow keys from the Selected Service Providers selection box.
Click OK to continue and the configured service providers and identity providers details are displayed in the Brokering page.
Click Finish to complete the rules configuration for the brokering group.
Click Apply to see the configuration changes.
NOTE:When you log out from Access Gateway device, then the logout is not propagated on the other Identity Servers if you have SAML 1.1 as one of the trusted provider in the brokering group.
Click Devices > Identity Servers > Brokering.
Click the existing or newly created Brokering Group.
Click Rules and specify the following details:
Name: Displays the rule name of the brokering group.
Enabled: Displays the status of the brokering group rule.
Identity Providers: Displays the number of identity providers configured to the brokering group.
Service Providers: Displays the number of service providers configured to the brokering group.
Priority: Displays the brokering group rule priority number.
Actions: Displays the configured brokering group rule action status as permit or deny.
Role Conditions: Displays the brokering group role condition, such as manager and employee, configured on the rule page.
Click OK > Apply.
Click Devices > Identity Servers > Brokering.
Click the existing or newly created Brokering Group hyperlink.
Click Rules.
Rule Name: Specify the name of the rule.
Rule Priority: Select the rule priority from the list.
NOTE:The default rule specified during creation of the group has a priority of 1. Additional rules can be added, and existing rules can be deleted or modified. You can use the Edit Rules Page to modify the priority of the rules.
Origin IDP: Displays all Identity Servers that are available in the group.
Allowed SP: Displays all service providers that are available in the group.
Role Conditions: Displays the brokering group role condition such as manager and employee configured on the rule page.
Actions: Select Permit or Deny action for the rule you configure to the brokering group.
NOTE:By default, Access Manager allows any role. If you want to allow access to only particular roles, configure a permit condition for roles with higher priority and configure a deny condition in which no roles are defined with lower priority.
Click Finish to complete configuration of rules for the brokering group.
Click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.
Select the brokering group rule you want to delete, and click Delete.
Click OK.
Click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.
Select the brokering group rule you want to enable.
Click Enable.
Click Devices > Identity Servers > Edit > Brokering > (Brokering Group in the Brokering Group list) > Rules.
Select the brokering group you want to disable from the brokering group rule configuration.
Click Disable.
Click Devices > Identity Servers > Edit > Brokering.
Click the existing or newly created brokering group.
Click Rules.
Click the Brokering Rules hyperlink to edit the information.
You can edit all fields. For information about create brokering rule, see Creating a Brokering Rule
You can generate the URL according to the origin and allowed service provider Identity Servers.
Click Devices > Identity Servers > Brokering.
Click the existing or newly created brokering group.
Click Construct URL.
IDP Type: Select the Identity Provider type. The options are Local IDP, Access Manager IDP, and Other IDP. If you select Access Manager IDP, then you can select the Origin IDP in the list. If you select Other IDP, you can enter the Origin IDP URL and you can select the Origin IDP in list.
Origin IDP: The Origin identity providers are the trusted providers. The list displays all trusted providers created for the specific Access Manager brokering group. Select the Origin IDP.
NOTE:When a local Identity Server exists as a trusted provider, the Origin IDP list does not show any trusted providers. To resolve this, add another Identity Server to the Access Manager brokering group.
Origin IDP URL: If you select Other IDP as the IDP type, you can enter the Origin IDP URL manually. The <OriginIDPURL> represents (protocol :// domain : port / path ? querystring).
Provider Parameter Name: If you select Other IDP as the IDP Type, you can enter the trusted provider parameter ID. For more information about Intersite Transfer Service target for a service provider, see Configuring an Intersite Transfer Service Target for a Service Provider.
Target Parameter Name: If you select Other IDP as the IDP type, you can enter the target provider parameter name manually.
Allowed SP: The allowed service providers are the selected service providers of the trusted providers. The drop-down list displays all the service providers created for the specific brokering group. Select the service providers from the drop-down list.
Target URL: Specify the target URL for the specific trusted providers and service provider pair. This URL will be appended to the login URL. Click Generate to generate the login URL
Login URL: The login URL consists of Origin IDP URL and the target URL.
Click Cancel to close the Construct URL page.
The rule validation page helps you to validate the Origin identity providers and the allowed service provider rule according to the role associated with the respective trusted partners.
Click Devices > Identity Servers > Brokering.
Click the existing or newly created brokering group hyperlink.
Click the Rule Validation tab.
Origin IDP: The Origin identity providers are the trusted providers. The list displays all trusted providers created for an Access Manager brokering group.
Allowed SP: Allowed SPs are the selected service providers of trusted providers. The list displays all service providers created for a brokering group.
Role: Specify the role you want to validate for the selected Origin identity trusted providers and allowed SP. Click Validate Rule.
Name: Displays the role name of the selected trusted providers.
Identity Providers: Displays the identity provider name.
Service Providers: Displays the service provider name.
Priority: In ascending order, displays the priority number of the rule validation of the selected trusted providers.
Action: Displays the permission action for validation of the selected trusted providers rule validation.
Role Conditions: Displays the role conditions for the selected trusted providers rule validation. Denial takes precedence over Permit.
Evaluate State: Displays the role conditions evaluate state for the selected trusted providers rule validation. You can see different evaluation states in the role conditions.
Pass 1: If the rule matches the Origin identity provider, allowed service provider or any roles mentioned.
Pass2: If the rule matches the Origin identity provider, allowed service provider or any specific role mentioned.
Ignored: If the rule does not match either Pass 1 or Pass 2.
Not Executed: The default state of all the roles.
NOTE:If the rule has the evaluate State as Pass 1 action as Deny, the remaining rules are in the non-executed state.
After a rule has the evaluate state as Pass 2, regardless of the action, the remaining rules are in the non-executed state.
The rules before Pass 1, must have the evaluate state of Ignored. All these ignored rules must have the role condition as Any, without specifying any role condition.
Pass 1 evaluation stops, as soon as a match for the Origin identity provider and allowed service provider is found with specific to some role condition.
Click Cancel to close the Rule Validation page.