Configuration Overview

The following high-level tasks describe the process required to set up the trust model between an identity provider and a service provider. Although these tasks assume that both providers are Identity Servers provided with Access Manager, similar tasks must be performed when one of the providers is a third-party application.

  1. Administrators at each company install and configure Identity Server.

    For information about installation, see Installing Identity Server in the NetIQ Access Manager CE 24.2 (v5.1) Installation and Upgrade Guide.

    For information about configuration, see Creating a Cluster Configuration.

  2. Administrators at each company must import the trusted root certificate of the other Identity Server into the NIDP trust store.

    On the Home page, click Identity Servers > [cluster name] > Security > NIDP Trust Store, then auto-import the certificate. Use the SSL port (8443) even if you haven’t set up the base URL of Identity Server to use HTTPS.

  3. Administrators must exchange Identity Server metadata with the trusted partner.

    Metadata is generated by Identity Server and can be obtained via a URL or an XML document, then entered in the system when you create the reference. This step is not applicable if you are referencing an ESP. When you reference an ESP, the system lists the installed ESPs for you to choose, and no metadata entry is required.

  4. Create the reference to the trusted identity provider and the service provider.

    This procedure associates the metadata with the new provider. See Creating a Trusted Service Provider.

  5. Configure user authentication.

    This procedure defines how your Identity Server interacts with the trusted provider during user authentication. Access Manager comes with default basic authentication settings already enabled.

    See Section 2.8.8, Configuring User Identification Methods for Federation.

    Additional important steps for enabling authentication between trusted providers include:

NOTE: For information about setting up federation between two NetIQ Identity Servers, see Section A.0, What Is Federated Authentication.
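Steps 2 and 3 above have the administrator import the partner's trusted root certificate and then enter the partner's metadata. The following added example (not part of this guide or of Access Manager) is a pre-import check an administrator can run on a received metadata document: it assumes the document is SAML 2.0 metadata, extracts the signing certificate, and compares its SHA-256 fingerprint with a value obtained from the partner out of band, and it flags any endpoint that is not served over HTTPS. The sample metadata, the `idp.example.test` host and the certificate body (the placeholder base64 of "abc", not a real X.509 certificate) are constructed.

```python
"""Pre-import sanity check for partner SAML 2.0 metadata (assumed format)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample. The certificate body is base64("abc"), a placeholder,
# not a real certificate; the SSO endpoint is deliberately plain http.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, the form a trust-store UI usually displays."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def check_metadata(xml_text: str, expected_fingerprint: str) -> dict:
    """Return entityID, signing-cert fingerprints and a list of findings."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    findings = []
    if not entity_id.startswith("https://"):
        findings.append(f"entityID is not https: {entity_id}")
    signing = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            signing.append(cert_fingerprint(cert.text or ""))
    if not signing:
        findings.append("no signing certificate in metadata")
    elif expected_fingerprint.lower() not in signing:
        findings.append("signing certificate does not match expected fingerprint")
    for tag in ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService"):
        for ep in root.iterfind(f".//md:{tag}", NS):
            loc = ep.get("Location", "")
            if not loc.startswith("https://"):
                findings.append(f"{tag} endpoint is not https: {loc}")
    return {"entity_id": entity_id, "signing_fingerprints": signing, "findings": findings}
```

An empty `findings` list means the document is consistent with the certificate imported in step 2 and can be entered in step 3; any finding should be resolved with the partner before the reference is created.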