Creating a Trusted Identity Provider

Before you can create a trusted identity provider, you must complete the following tasks:

  • Import the trusted root of the provider’s SSL certificate into the NIDP trust store. For information, see Managing the Keys, Certificates, and Trust Stores.

  • Share the trusted root of the SSL certificate of your Identity Server with the identity provider so that its administrator can import it into the identity provider’s trust store.

  • Obtain the metadata URL from the identity provider, an XML file containing the metadata, or the information required for manual entry.

  • Share the metadata URL of your Identity Server, or an XML file containing its metadata, with the identity provider.

  • Enable the protocol. On the Home page, click Identity Servers > [cluster name], and verify that the required protocol has been enabled in the Enabled Protocols section.

To create an identity provider:

  1. On the Home page, click Applications > Select a Cluster > New Application > SAML v2.0 Identity Provider.

  2. In Name, specify a name by which you want to refer to the provider.

  3. Select one of the following sources for the metadata:

    Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves protocol metadata using the specified URL. Examples of metadata URLs for an Identity Server acting as an identity provider with an IP address of 10.1.1.1:

    • SAML:

      http://10.1.1.1:8080/nidp/saml2/metadata

      https://10.1.1.1:8443/nidp/saml2/metadata

    • OIOSAML:

      http://10.1.1.1/nidp/saml2/metadata_oiosaml

      https://10.1.1.1/nidp/saml2/metadata_oiosaml

    The default values nidp and 8080 are established during product installation; nidp is the Tomcat application name. If you have set up SSL, you can use https and port 8443.

    If your Identity Server and Administration Console are on different machines, use HTTP to import the metadata. If you are required to use HTTPS with this configuration, you must import the trusted root certificate of the provider into the trust store of Administration Console. You need to use the Java keytool to import the certificate into the cacerts file in the security directory of Administration Console.


    The cacerts file is located in /opt/novell/java/jre/lib/security.

    If you do not want to use HTTP and you do not want to import a certificate into Administration Console, you can use the Metadata Text option instead. In a browser, enter the HTTP URL of the metadata, view the page source, save the metadata text from the source, then paste it into the Metadata Text option.

    Metadata Text: An editable field in which you can paste copied metadata text from an XML document, assuming you obtained the metadata via e-mail or disk and are not using a URL. If you copy metadata text from a web browser, you must copy the text from the page source.

    Manual Entry: Allows you to enter metadata values manually. When you select this option, the system displays the Enter Metadata Values page.

    Metadata Repositories: (SAML 2.0) Allows you to configure several identity and/or service providers using a multi-entity metadata file available in a central repository.

  4. Click Next.

  5. Review the metadata certificates, then click OK.

  6. Configure an authentication card to use with this identity provider. Fill in the following fields:

    Authentication Image: Specify the image to be displayed on the card. Select the image from the list. To add an image to the list, click <Select local image>.

    ID: (Optional) Specify an alphanumeric value that identifies the card. If you need to reference this card outside of Administration Console, you must specify a value here. If you do not assign a value, Identity Server creates one for its internal use.

    Label: Specify the text that is displayed on the card to the user.

    Show Card: Determine whether the card is shown to the user, which allows the user to select and use the card for authentication. If this option is not selected, the card is only used when a service provider makes a request for the card.

  7. Click Finish. The system displays the trusted provider on the protocol page.

  8. Update Identity Server.

    The wizard allows you to configure the required options and relies upon the default settings for the other options. For information about how to configure the default settings and how to configure the other available options, see Modifying a Trusted Provider.