The Identity Server can send roles in an authentication assertion. You can map these roles that are received from trusted providers to your own roles. Figure 27-11 illustrates this process.
Figure 27-11 Role Mapping
In this example, employees authenticate to identity providers novell.com (Liberty) or xyz.com (SAML 2.0). Each user is assigned to a role (such as N_EmployeeRole or XYZ_Empl, respectively). Attribute sets at each of the identity providers are configured to exchange the attribute with the trusted service provider, DigitalAirlines.com. DigitalAirlines.com consumes the authentication assertions, then maps the incoming roles to local roles. The mapped roles at DigitalAirlines.com can be used as evaluated conditions in authorization or J2EE policies, which can provide access to resources intended for the authenticated employees.

Before creating the role policy, complete the following prerequisites:

1. Configure trust between trusted providers, using the Liberty or SAML 2.0 protocol. You should be familiar with Section 9.0, Configuring Trusted Providers.

2. Configure local authentication. You must create an external contract at the service provider that matches the contract of the identity provider. See Section 8.0, Configuring Local Authentication.

3. Create an attribute set and select the local attribute in the set. This must be done at the identity provider and the service provider. This attribute set is used to pass roles from an identity provider to an external service provider in authentication assertions. See Section 7.1, Configuring Attribute Sets.
The following procedure describes how the service provider configures this type of role policy for novell.com, mapping N_EmployeeRole to an Access Manager role:

1. In the Administration Console, click > .

2. Click , then specify a name for the Role policy.

3. Select for the type, then click .

4. Configure the role policy as shown on the following page.

5. In the section, click > .

6. Select the trusted identity provider in the drop-down menu.

7. For , choose > .

8. Choose > .

9. Type the name of the role used by the trusted identity provider.

10. Under the section, click .

11. Type the name of the role you want to activate at the trusted service provider.

12. Click .

13. On the Policies page, click .

14. To enable the role so that it can be used in Authorization and Identity Injection policies, click > > > .

15. Select the check box by the name of the role, then click .

16. Click .

17. To update the Identity Server, click > .
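The mapping that the procedure above configures, and that Figure 27-11 illustrates, written out as an added Python example. This is not Access Manager code; it models the policy logic at the service provider so that the security-relevant point is visible: the condition names both the trusted identity provider and the role it asserted, so a matching role string from a different provider does not activate the local role. The attribute name roles, the entity IDs https://idp.novell.com and https://idp.xyz.com, and the unsigned sample assertion are all assumptions for the illustration, and the assertion's signature is assumed to have been validated before this step.

```python
"""Role mapping at a SAML 2.0 service provider (added illustration, not
Access Manager code). Extracts the role attribute from an assertion and maps
(issuer, remote role) pairs to local roles, keyed on the asserting IdP."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical local policy table modelled on Figure 27-11. Each condition
# names the trusted identity provider AND the role it asserted; the role
# name alone never activates a local role.
ROLE_POLICY = {
    ("https://idp.novell.com", "N_EmployeeRole"): "Employee",
    ("https://idp.xyz.com", "XYZ_Empl"): "Employee",
}

# Name of the attribute the attribute set exchanges (assumed for this
# example; the real name is chosen when the attribute set is configured).
ROLE_ATTRIBUTE = "roles"


def extract_roles(assertion_xml: str):
    """Return (issuer, [role values]) from a SAML 2.0 assertion.

    Assumes the XML signature was already validated by the service
    provider; this function only reads the Issuer and the role attribute.
    """
    root = ET.fromstring(assertion_xml)
    issuer_el = root.find("saml:Issuer", NS)
    if issuer_el is None or not (issuer_el.text or "").strip():
        raise ValueError("assertion has no Issuer")
    issuer = issuer_el.text.strip()
    roles = []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTRIBUTE:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                roles.append(val.text.strip())
    return issuer, roles


def map_roles(assertion_xml: str, trusted_issuers):
    """Return the set of local roles to activate for this assertion.

    Assertions from issuers outside the trusted set activate nothing, and
    a remote role only maps when the (issuer, role) pair is in the policy.
    """
    issuer, remote_roles = extract_roles(assertion_xml)
    if issuer not in trusted_issuers:
        return set()
    local = set()
    for role in remote_roles:
        mapped = ROLE_POLICY.get((issuer, role))
        if mapped:
            local.add(mapped)
    return local


def build_assertion(issuer, roles):
    """Constructed, unsigned sample assertion for demonstration only."""
    values = "".join(
        f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_demo" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        f'<saml:AttributeStatement><saml:Attribute Name="{ROLE_ATTRIBUTE}">'
        f"{values}</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion>"
    )


TRUSTED = {"https://idp.novell.com", "https://idp.xyz.com"}

if __name__ == "__main__":
    a = build_assertion("https://idp.novell.com", ["N_EmployeeRole"])
    print(map_roles(a, TRUSTED))
    # Same role name asserted by the other trusted provider: not mapped,
    # because the policy condition names the provider, not just the string.
    b = build_assertion("https://idp.xyz.com", ["N_EmployeeRole"])
    print(map_roles(b, TRUSTED))
```

The check to carry over to the real policy: always select the trusted identity provider in the condition rather than matching on the role string alone, and only enable the resulting local role in Authorization and Identity Injection policies once the mapping is applied and the Identity Server has been updated.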