This section explains how to modify a WS Federation service provider after it has been created. Section 10.3.2, Creating a Service Provider for WS Federation explains the steps required to create the service provider. You can modify the following configuration details: the display name of the service provider, the attributes sent with authentication, the user identification method, and the metadata of the ADFS server.

To modify the display name of the service provider:

1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Name of Service Provider].
2. In the name field, specify a new name for the service provider.
3. Click OK twice, then update the Identity Server.

When the Identity Server creates its response for the service provider, it uses the attributes listed on the Attributes page. The response must contain the attributes that the service provider requires. If you do not own the service provider, contact the administrator of the service provider and negotiate which attributes you need to send in the response. The service provider can then use these attributes to identify the user, to create policies, to match user accounts, or, if it allows provisioning, to create a user account on the service provider.
To configure the attributes sent with authentication:

1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Name of Service Provider], then open the Attributes page.
2. (Conditional) To create an attribute set, select the new-attribute-set option from the drop-down menu. An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can specify that the local attribute of any attribute in the Liberty profile (such as Informal Name) matches the remote attribute specified at the service provider.
3. Select an attribute set.
4. Select the attributes that you want to send from the list of available attributes, and move them to the left side of the page.
5. (Conditional) If you created a new attribute set, it must be enabled for STS. For more information, see Enabling the Attribute Set.
6. Click OK, then update the Identity Server.

When the Identity Server sends its response to the service provider, the response can contain an identifier for the user. If you do not own the service provider, contact the administrator of the service provider and negotiate whether the user needs to be identified and how the identification is done. If the service provider is going to use an attribute for user identification, that attribute must be among the attributes sent with authentication. See Section 10.5.2, Configuring the Attributes Sent with Authentication.
To select the user identification method to send in the response:

1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Name of Service Provider], then open the user identification settings.
2. For the format, select one of the following:
Unspecified: Specifies that the SAML assertion contains a name identifier of unspecified format.
E-mail: Specifies that the SAML assertion contains the user's e-mail address as the name identifier.
X509: Specifies that the SAML assertion contains an X.509 subject name as the name identifier.
3. For the value, select an attribute that matches the format. For the Unspecified format, select the attribute that the service provider expects. The only values available are the attributes in the attribute set that you created for WS Federation.
4. To require that this Identity Server itself authenticates the user, disable the option that allows the request to be satisfied by an external identity provider. When the option is disabled and the Identity Server cannot authenticate the user, the user is denied access. When the option is enabled, the Identity Server checks whether other identity providers can satisfy the request. If one or more can, the user selects which identity provider performs the authentication. If a proxied identity provider performs the authentication, it sends its response to the Identity Server, and the Identity Server then sends the response to the service provider.
5. Click OK twice, then update the Identity Server.

You can view the metadata of the ADFS server, edit it, and view information about the signing certificate.
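Before turning to the metadata, the following added example shows how the user identification settings described above combine to produce the name identifier in the SAML assertion. It is example code written for this page, not code from the Access Manager documentation or product. The format URIs are the standard SAML 1.1 NameIdentifier formats; the attribute names, the sample user and the idea that the Identity Server validates the settings in exactly this way are constructed assumptions. The example enforces the two rules stated above: the value must come from the attribute set created for WS Federation, and an attribute used for identification must also be sent with authentication.

```python
"""Added example (not part of the Access Manager documentation or product): derive the SAML name
identifier for the WS-Federation response from the user identification settings and attribute set."""
from dataclasses import dataclass
from xml.sax.saxutils import escape

# The three formats offered on the user identification page, mapped to the SAML 1.1
# NameIdentifier Format URIs they correspond to.
NAMEID_FORMATS = {
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "E-mail": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "X509": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
}


@dataclass(frozen=True)
class UserIdentification:
    format: str           # key of NAMEID_FORMATS
    value_attribute: str  # attribute selected as the value; must be in the WS Federation attribute set


# Constructed sample configuration and user (attribute names and values are hypothetical).
ATTRIBUTE_SET = {"mail", "cn", "uid"}        # the attribute set created for WS Federation
SENT_WITH_AUTHENTICATION = {"mail", "cn"}    # attributes listed on the Attributes page; uid is not sent
USER = {"mail": "alice@example.com", "cn": "CN=Alice,O=Example", "uid": "alice"}


def select_name_identifier(ident, attribute_set, sent_attributes, user_attributes):
    """Return (format_uri, value), or raise ValueError when the settings are inconsistent."""
    if ident.format not in NAMEID_FORMATS:
        raise ValueError(f"unknown format {ident.format!r}")
    # Only attributes in the WS Federation attribute set can be selected as the value.
    if ident.value_attribute not in attribute_set:
        raise ValueError(f"{ident.value_attribute!r} is not in the WS Federation attribute set")
    # An attribute used for identification must also be among those sent with authentication.
    if ident.value_attribute not in sent_attributes:
        raise ValueError(f"{ident.value_attribute!r} is not sent with authentication")
    value = user_attributes.get(ident.value_attribute, "")
    if not value:
        raise ValueError(f"user has no value for {ident.value_attribute!r}")
    # Cheap sanity checks so a format/value mismatch fails here rather than at the service provider.
    if ident.format == "E-mail" and "@" not in value:
        raise ValueError(f"{value!r} is not an e-mail address")
    if ident.format == "X509" and "=" not in value:
        raise ValueError(f"{value!r} is not an X.509 subject name")
    return NAMEID_FORMATS[ident.format], value


def name_identifier_xml(ident, attribute_set, sent_attributes, user_attributes):
    """Render the SAML 1.1 NameIdentifier element carried in the assertion's Subject."""
    fmt, value = select_name_identifier(ident, attribute_set, sent_attributes, user_attributes)
    return f'<saml:NameIdentifier Format="{fmt}">{escape(value)}</saml:NameIdentifier>'


def select_or_error(ident, attribute_set, sent_attributes, user_attributes):
    """Same as select_name_identifier, but report a misconfiguration as ("error", message)."""
    try:
        return select_name_identifier(ident, attribute_set, sent_attributes, user_attributes)
    except ValueError as err:
        return ("error", str(err))


if __name__ == "__main__":
    print(name_identifier_xml(UserIdentification("E-mail", "mail"),
                              ATTRIBUTE_SET, SENT_WITH_AUTHENTICATION, USER))
    # uid is in the attribute set but is not sent with authentication, so it is rejected.
    print(select_or_error(UserIdentification("Unspecified", "uid"),
                          ATTRIBUTE_SET, SENT_WITH_AUTHENTICATION, USER))
```

The second call in the usage block is the misconfiguration the page warns about: an attribute chosen for identification that is not among those sent with authentication. Catching it at configuration time is preferable to discovering it when the service provider cannot match the user.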
To view the metadata:

1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Name of Service Provider], then open the metadata page.
2. Check that the following values match the ADFS configuration:
ID: The provider ID. This is the value that the ADFS server sends to the Identity Server in the realm parameter of the query string, and it must match the realm configured on the ADFS server. The default value is urn:federation:treyresearch.
sloUrl: The single logout URL. The default value is https://adfsresource.treyresearch.net/adfs/ls/.
ssoUrl: The single sign-on URL, as listed on the ADFS server. The default value is https://adfsresource.treyresearch.net/adfs/ls/. The ADFS server makes no distinction between the login URL and the logout URL, so both values are the same.
If the values do not match the ADFS values, you need to edit the metadata. To edit the metadata, click Edit. For configuration information, see Section 10.5.5, Editing the WS Service Provider Metadata.
3. To view information about the signing certificate, click the signing certificate link.
4. Click OK twice.

You can view the metadata of the ADFS server and edit the metadata.
To edit the metadata:

1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Name of Service Provider], open the metadata page, then click Edit.
2. Configure the following fields:
Provider ID: The provider ID. This is the value that the ADFS server sends to the Identity Server in the realm parameter of the query string, and it must match the realm configured on the ADFS server. The default value is urn:federation:treyresearch.
Sign-on URL: The ssoUrl from the metadata, as listed on the ADFS server. The default value is https://adfsresource.treyresearch.net/adfs/ls/.
Logout URL: The sloUrl from the metadata. The default value is https://adfsresource.treyresearch.net/adfs/ls/. The ADFS server makes no distinction between the login URL and the logout URL, so both fields hold the same value.
3. If you need to import a new signing certificate, click the Browse button and follow the prompts.
4. To view information about the signing certificate, click the signing certificate link.
5. Click OK twice, then update the Identity Server.
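The following added example ties together the metadata values described in the viewing and editing procedures above (the provider ID that ADFS sends as the realm, and the sign-on and logout URLs). It is example code written for this page, not code from the Access Manager documentation or product, and it does not claim to reproduce how the Identity Server processes requests internally. The parameter names wa, wtrealm and wreply are those of the WS-Federation passive requester profile; the Identity Server endpoint URL and the four sample request URLs are constructed for the example. It also adds a check the page does not mention: the response is posted only to the endpoint recorded in the metadata, so a wreply that points elsewhere is refused rather than handed the signed token.

```python
"""Added example (not part of the Access Manager documentation or product): validate an incoming
WS-Federation request from ADFS against the metadata values held for that service provider."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class WsFedProviderMetadata:
    provider_id: str   # ID / Provider ID: the realm ADFS sends (wtrealm in the request)
    sign_on_url: str   # Sign-on URL: where the sign-in response is posted
    logout_url: str    # Logout URL: where the sign-out response is posted


# The defaults the page lists for an ADFS resource partner; ADFS uses one endpoint for both URLs.
ADFS_DEFAULTS = WsFedProviderMetadata(
    provider_id="urn:federation:treyresearch",
    sign_on_url="https://adfsresource.treyresearch.net/adfs/ls/",
    logout_url="https://adfsresource.treyresearch.net/adfs/ls/",
)

# Hypothetical Identity Server endpoint; the query strings below are constructed for the example
# and follow the WS-Federation passive profile parameters (wa, wtrealm, wreply).
IDP_ENDPOINT = "https://idp.example.com/nidp/wsfed/ep"
SIGNIN_REQUEST = (IDP_ENDPOINT + "?wa=wsignin1.0&wtrealm=urn%3Afederation%3Atreyresearch"
                  "&wreply=https%3A%2F%2Fadfsresource.treyresearch.net%2Fadfs%2Fls%2F")
SIGNOUT_REQUEST = IDP_ENDPOINT + "?wa=wsignout1.0&wtrealm=urn%3Afederation%3Atreyresearch"
WRONG_REALM_REQUEST = IDP_ENDPOINT + "?wa=wsignin1.0&wtrealm=urn%3Afederation%3Acontoso"
FOREIGN_REPLY_REQUEST = (IDP_ENDPOINT + "?wa=wsignin1.0&wtrealm=urn%3Afederation%3Atreyresearch"
                         "&wreply=https%3A%2F%2Fattacker.example%2Fadfs%2Fls%2F")

ACTIONS = {"wsignin1.0": "signin", "wsignout1.0": "signout"}


def same_endpoint(a: str, b: str) -> bool:
    """Compare scheme, host[:port] and path, ignoring case, a trailing slash and any query string."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme.lower(), pa.netloc.lower(), pa.path.rstrip("/")) == \
           (pb.scheme.lower(), pb.netloc.lower(), pb.path.rstrip("/"))


def check_request(metadata: WsFedProviderMetadata, request_url: str):
    """Return (action, reply_url) for a request that matches the metadata, else raise ValueError."""
    params = parse_qs(urlsplit(request_url).query)
    wa = params.get("wa", [""])[0]
    realm = params.get("wtrealm", [""])[0]
    wreply = params.get("wreply", [""])[0]
    if wa not in ACTIONS:
        raise ValueError(f"unsupported wa={wa!r}")
    # The realm must equal the provider ID in the metadata. If ADFS was reconfigured and the
    # values no longer match, this is the mismatch the page tells you to fix by editing the metadata.
    if realm != metadata.provider_id:
        raise ValueError(f"realm {realm!r} does not match provider ID {metadata.provider_id!r}")
    expected = metadata.sign_on_url if wa == "wsignin1.0" else metadata.logout_url
    # Post the response only to the endpoint recorded in the metadata: a wreply pointing elsewhere
    # would deliver the signed token to a host that is not the configured service provider.
    reply_url = wreply or expected
    if not same_endpoint(reply_url, expected):
        raise ValueError(f"wreply {reply_url!r} is not the configured endpoint {expected!r}")
    return ACTIONS[wa], expected


def check_or_error(metadata: WsFedProviderMetadata, request_url: str):
    """Same as check_request, but report a rejected request as ("error", message)."""
    try:
        return check_request(metadata, request_url)
    except ValueError as err:
        return ("error", str(err))


if __name__ == "__main__":
    for name, url in [("signin", SIGNIN_REQUEST), ("signout", SIGNOUT_REQUEST),
                      ("wrong realm", WRONG_REALM_REQUEST), ("foreign wreply", FOREIGN_REPLY_REQUEST)]:
        print(f"{name:15}-> {check_or_error(ADFS_DEFAULTS, url)}")
```

Because ADFS makes no distinction between the login and logout URL, the sign-in and sign-out requests in the example both resolve to the same endpoint; the two rejected requests show the realm mismatch that calls for editing the metadata, and a reply URL that must not receive the token.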