Creating a Liberty IDP Site

Complete the following tasks to configure your Liberty IDP:


1. Set Up a Liberty IDP Site

Complete the following steps to set up a Liberty IDP site:

  1. Launch iManager and log in to your server.

    You launch iManager by opening a Web browser and going to https://<ipaddress>/eMFrame/iManager.html (case-sensitive), where <ipaddress> is the address of your server. For detailed instructions on how to launch iManager, see the "Novell Web Applications" HTML document that was placed on your desktop as part of the iManager installation.

    For iManager documentation, see the iManager 1.5.1 Administration Guide.

  2. Under Roles and Tasks, expand the Liberty Management menu, then click the Manage Sites task.

    This takes you to the Manage Liberty Identity Sites page.

    Figure 16
    Manage Liberty Identity Sites Page

  3. Click the New Site link.

    The New Liberty Identity Site page appears on the right-hand side.

    Figure 17
    New Liberty Identity Site Page

  4. Enter a Descriptive Name for your site. (The name you choose is primarily for your own reference.)

  5. Enter the context for this site.

    The context identifies where you want to store this site object in the directory. (The default is located at the root, but you can choose the location you want.)

  6. Enter the Protocol and Base URL information.

    Default values are provided on this page, but if you defined this information during the product installation, verify that the values you enter here match the values you used during the installation.

    To enter the Protocol and Base URL information:

    1. Change the Protocol to HTTP.

      You should only use HTTP when Liberty is in test mode. (By default, that is how it is installed.)

      IMPORTANT:  Before you put your Liberty identity provider into a production environment, you need to change to HTTPS. However, we recommend that you get your IDP working with HTTP before switching to HTTPS. Once you are successfully running in HTTP mode, see Configuring Your Liberty Identity Provider to Run in SSL Mode for information on how to convert to HTTPS.

    2. Enter the Domain and Port.

      The Domain should be a name, but it can be the IP address of the Web server where you installed the IDP.

      If you are running on port 80 (HTTP) or port 443 (HTTPS), you do not need to specify the port value.

  7. Click OK.


2. Define Site Properties

Continuing from Step 7 in the previous section, you are now at the Site Properties page.

Figure 18
Site Properties Page

The Descriptive Name you entered in Step 3 carries forward.

The Provider ID is a required field for the Liberty specification. A value for this field is provided by default, which is the base URL Domain Name with your Descriptive Name added at the end. This name must be unique.

The Base URL information also carries forward.

  1. Specify whether introductions should be used.

    Introductions is a feature that allows a service provider to identify which providers (within a common domain) a user is logged into. The Allow Introductions check box is unchecked by default. In order for single sign-on to work seamlessly, you must check this box and enter values for the Application Domain and Common Domain.

    NOTE:  In order for introductions to work, the identity provider and the service providers must agree on a common domain.

    The Common Domain is a DNS name that IDPs and SPs within a circle of trust have agreed upon and/or obtained for use between each other.

    The Application Domain is an application/company extension to the Common Domain name that the IDP will use for introductions.

    The Application Domain and the Common Domain combine together to form a DNS name that resolves to the same IP address as the Base URL Domain. If a port value other than the Base URL port needs to be specified, it can be appended to the Common Domain.

  2. At the Session Timeout drop-down menu, select how long you want your Liberty IDP to run without timing out the session.

    For IDP usage, we recommend that the minimum be at least two hours.

  3. Select the Single Logout Method that you want to use from the drop-down menu. The default is Silent.

    The identity provider can log out service providers during a single logout in one of two ways. One method is Silent, which works behind the scenes. The other method shows a confirmation screen. If you use HTTP, you need to choose one of these methods: either Silent or Show Notification Screen. If you choose Show Notification Screen, the identity provider returns a page that lists all of the service providers that use this particular method to log out. These references generate a request to the servers to log out. When they do, they return a checkmark graphic (the visual notification) that shows they have logged out.

  4. The Authentication Statement URI is optional. It references a statement about the authentication policy for this identity provider. Enter your information in the empty field if you want to include it in the information that is transferred to and from providers.

    For example, if you are using Novell's installed sample service provider code, you would enter the following URL: http://<ip address of SP server>/nwt/metadata.

  5. Click OK.

    You are brought back to the Identity Sites page.

  6. Click the name of your identity site.
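As an added example (not part of the Novell documentation), the following Python helper applies the Base URL, test-mode protocol, and introductions rules from the steps above as a pre-flight check before a site goes into production; the function names and the `resolve` hook are assumptions, not the product's API.

```python
import socket
from typing import Callable, List, Optional

# Constructed helper: models the Base URL, HTTP-only-in-test, and introductions
# (Application Domain + Common Domain) rules described on this page.

DEFAULT_PORTS = {"http": 80, "https": 443}


def base_url(protocol: str, domain: str, port: Optional[int] = None) -> str:
    """Build the site Base URL; the port is left out on 80 (HTTP) / 443 (HTTPS)."""
    protocol = protocol.lower()
    if protocol not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol: {protocol}")
    if port is None or port == DEFAULT_PORTS[protocol]:
        return f"{protocol}://{domain}"
    return f"{protocol}://{domain}:{port}"


def introduction_domain(application_domain: str, common_domain: str) -> str:
    """The Application Domain extends the Common Domain; the Common Domain may
    carry an appended :port when it differs from the Base URL port."""
    return f"{application_domain}.{common_domain}"


def check_site(protocol: str, domain: str, application_domain: str,
               common_domain: str, production: bool,
               resolve: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Return configuration findings (an empty list means the site is consistent)."""
    findings = []
    if production and protocol.lower() != "https":
        findings.append("production site still uses HTTP; convert to HTTPS first")
    if not (application_domain or common_domain):
        return findings  # introductions not enabled; nothing further to check
    if not (application_domain and common_domain):
        findings.append("introductions need both Application Domain and Common Domain")
        return findings
    # Strip any appended port: the host name must resolve like the Base URL domain.
    intro_host = introduction_domain(application_domain, common_domain).split(":")[0]
    try:
        if resolve(intro_host) != resolve(domain):
            findings.append(f"{intro_host} does not resolve to the same address as {domain}")
    except OSError as exc:
        findings.append(f"DNS lookup failed: {exc}")
    return findings
```

Pass a dictionary-backed `resolve` to test a planned configuration before any DNS records exist; the default uses the live resolver.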


3. Define Service Providers

Once you have set up your Liberty identity provider site, you need to identify the service providers (SPs) your Liberty IDP will affiliate with.

IMPORTANT:  You must already have an SP installed and configured before proceeding with the steps in this section. For more information, see Installing and Configuring a Sample Service Provider.

  1. Continuing from where you left off in Step 6 in the previous section, click the Affiliate Service Providers link at the top of the screen.

    The Affiliate Service Provider page appears.

    Figure 19
    Affiliate Service Providers Page

  2. The Affiliate Service Providers table lists the SPs you have defined and whether they are enabled, and whether the information you have provided for them is complete. (Complete in this case means all the required fields were filled in, not that the information is necessarily correct.)

    If you want to delete, enable, or disable an SP in the list, select the check box next to that SP, then click Delete, Enable, or Disable according to your preference.

  3. You can choose to enter new SP information manually by clicking the New Affiliate Service Provider link, or you can import an SP definition by clicking the Import Affiliate Service Provider Definition link. We recommend that you import definitions from another service provider. Click Import Affiliate Service Provider Definition.

    Figure 20
    Import Affiliate Service Provider Definition

  4. Enter the Descriptive Name and URL for the service provider's definition you want to import.

    For example, if your IP address is 1.1.1.1, you would specify the URL as http://1.1.1.1/nwc/metadata.

  5. Click OK.


4. Set Up Your Liberty Identity Server

Continuing where you left off in Step 5, click the Liberty Identity Servers tab. This page shows a list of your identity servers.

To add a new Liberty identity server:

  1. Click New Liberty Identity Server.

  2. At the Modify Object page, enter the Descriptive Name and IP Address of the identity server.

    The IP Address should be the server that is going to run the IDP.

    Figure 21
    Modify Object Page

  3. Click OK.

    You are returned to the servers list, where your new server should now be listed.

You can select and delete servers as needed.


5. Manage Your Federations

If you have federated users, you can manage your federations by doing the following:

  1. In iManager, click the Liberty Management role, then select the Manage Federations task.

  2. Select the Site and enter the user context.

    To browse for the User Context, select the icon to the right of the field.

    Figure 22
    Manage Federations

  3. Click OK.

  4. View the User Federation you created. If you need to delete it, select Delete.

  5. Click Done.

    If you deleted any federations, those deletions will occur when the user completely logs out of all sessions and then logs back in.