Configuring Site B to Trust Site A as an Identity Provider

The following instructions explain how to import the trusted root certificate and metadata of Site A into the configuration for Site B.

  1. Log in to Administration Console for Site B.

    The configuration for Site B can be created in the same Administration Console as Site A, but Site B cannot be configured as a cluster member of Site A.

  2. Import the trusted root certificate of Site A into the NIDP trust store of Site B.

    1. On the Home page, click Identity Servers > [cluster name] > Security > NIDP Trust Store.

    2. In the trust store, click Auto-Import From Server.

    3. Specify the following details:

      Field

      Description

      Server IP/DNS

      Specify the IP address or DNS name of Site A (the server whose certificate you are importing). For Site A in Figure A-2, specify the following value:

      idp.sitea.example.com

      Server Port

      Specify 8443.

    4. Click OK, then specify an alias for the certificate (for example, SiteA).

      You will get two certificate options: Root CA Certificate and Server certificate. Select Root CA Certificate.

    5. Examine the trusted root that is selected for you.

      If the trusted root is part of a chain, ensure that you select the parent and all intermediate trusted roots. Auto-import trusts whatever certificate the server at that address presents, so compare the certificate's fingerprint with a value obtained out of band from the Site A administrator before you accept it.

    6. Click OK.

      The trusted root certificate of Site A is added to the NIDP trust store.

    7. Click Close.

    8. On the Home page, click Identity Servers > Update > OK.

      Wait for the health status to return to green.

  3. Configure an identity provider for Site B.

    1. On the Home page, click Applications > [cluster name] > New Application > SAML 2.0 Identity Provider.

    2. Specify the following details:

      Field

      Description

      Name

      Specify a name for the provider, such as SiteA. If you plan to configure more than one protocol for this provider, include the protocol as part of the name.

      Metadata URL

      Specify the URL of the metadata on Site A. For Site A in Figure A-2, specify the following:

      http://idp.sitea.example.com:8080/nidp/idff/metadata

      This example uses port 8080 to avoid any potential certificate problems that occur when Identity Server and Administration Console are installed on separate machines. Be aware that metadata retrieved over plain HTTP is not authenticated in transit, and it carries the signing certificate that Site B will use to validate assertions from Site A. After the import, confirm that the imported signing certificate is the one Site A actually uses.

      SAML 2.0

      If you are using SAML 2.0, the metadata path is /nidp/saml2/metadata. For Site A in Figure A-2, specify the following for SAML 2.0:

      http://idp.sitea.example.com:8080/nidp/saml2/metadata

    3. Click Next.

    4. To configure an authentication card, specify the following details:

      Field

      Description

      Authentication Image

      Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click Select local image.

      ID

      (Optional)

      Specify an alphanumeric value that identifies the card. If you need to reference this card outside of Administration Console, specify a value here. If you do not assign a value, Identity Server creates one for its internal use.

      Card Name

      Specify the text that is displayed on the card to the user.

      Show Card

      Determine whether the card is shown to the user. If this option is not selected, the card is only used when a service provider makes a request for the card. For this scenario, select this option.

      Passive Authentication Only

      Do not select this option.

    5. Click Finish > OK.

    6. Update Identity Server.

      Wait for the health status to return to green.

  4. Continue with one of the following:
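The metadata imported in step 3 is fetched over plain HTTP on port 8080 and is therefore unauthenticated in transit, yet it is the source of the signing certificate Site B will use to validate every assertion from Site A. The following script is an added example, not part of the NetIQ documentation or product: it parses an IdP metadata document in the shape that /nidp/saml2/metadata returns, computes the SHA-256 fingerprint of each signing certificate, and checks that the entityID and SingleSignOnService endpoints are HTTPS URLs on the expected host. The metadata document, the certificate bytes (a placeholder blob, not a real X.509 certificate), and the "pinned" fingerprint are all constructed for the example; in practice the pinned value comes out of band from the Site A administrator.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the DER encoding of Site A's signing
# certificate. It is NOT a real certificate; only its bytes matter here.
FAKE_SIGNING_CERT_DER = b"constructed-placeholder-for-site-a-signing-cert-der"
EXPECTED_HOST = "idp.sitea.example.com"

# Constructed sample metadata in the shape /nidp/saml2/metadata returns.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.sitea.example.com:8443/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_SIGNING_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.sitea.example.com:8443/nidp/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.sitea.example.com:8443/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed "tampered" copy: a man-in-the-middle on the HTTP fetch swapped the
# signing certificate and downgraded the SSO endpoints to plain HTTP.
TAMPERED_METADATA = SAMPLE_METADATA.replace(
    base64.b64encode(FAKE_SIGNING_CERT_DER).decode(),
    base64.b64encode(b"attacker-substituted-cert-der").decode(),
).replace(
    "https://idp.sitea.example.com:8443/nidp/saml2/sso",
    "http://idp.sitea.example.com:8080/nidp/saml2/sso",
)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted the way 'openssl x509
    -fingerprint -sha256' prints it (colon-separated upper-case hex)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Stands in for the fingerprint the Site A administrator gives you out of band.
PINNED_FINGERPRINT = fingerprint(FAKE_SIGNING_CERT_DER)


def signing_cert_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every certificate usable for signing in the IdP
    descriptor. A KeyDescriptor without a 'use' attribute is valid for both
    signing and encryption, so it is included."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(fingerprint(der))
    return fps


def check_idp_metadata(metadata_xml: str, expected_host: str, pinned_fp: str) -> list:
    """Return a list of problems; an empty list means the metadata passes."""
    problems = []
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).hostname != expected_host:
        problems.append(f"entityID host is not {expected_host}: {entity_id}")
    for sso in root.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        loc = urlparse(sso.get("Location", ""))
        if loc.scheme != "https" or loc.hostname != expected_host:
            problems.append(f"SSO endpoint not https on {expected_host}: {sso.get('Location')}")
    fps = signing_cert_fingerprints(metadata_xml)
    if not fps:
        problems.append("no signing certificate in metadata")
    elif pinned_fp.upper() not in fps:
        problems.append("signing certificate does not match pinned fingerprint: " + ", ".join(fps))
    return problems


if __name__ == "__main__":
    print("genuine:", check_idp_metadata(SAMPLE_METADATA, EXPECTED_HOST, PINNED_FINGERPRINT))
    print("tampered:", check_idp_metadata(TAMPERED_METADATA, EXPECTED_HOST, PINNED_FINGERPRINT))
```

On Site A, the reference fingerprint can be produced from the exported signing certificate with `openssl x509 -in cert.pem -noout -fingerprint -sha256`; the script hashes the base64-decoded DER bytes, which is the same input openssl hashes, so the two values are directly comparable.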