27.4 Mapping Roles between Trusted Providers

The Identity Server can send roles in an authentication assertion. You can map these roles that are received from trusted providers to your own roles. Figure 27-11 illustrates this process.

Figure 27-11 Role Mapping

In this example, employees authenticate to identity providers novell.com (Liberty) or xyz.com (SAML 2.0). Each user is assigned to a role (such as N_EmployeeRole or XYZ_Empl, respectively). Attribute sets at each of the identity providers are configured to exchange the All Roles attribute with the trusted service provider, DigitalAirlines.com. DigitalAirlines.com consumes the authentication assertions, then maps the incoming roles to local roles. The mapped roles at DigitalAirlines.com can be used as evaluated conditions in authorization or J2EE policies, which can provide access to resources intended for the authenticated employees.

Prerequisites

The following procedure describes how the service provider configures this type of role policy for novell.com, mapping N_EmployeeRole to an Access Manager role:

  1. In the Administration Console, click Access Manager > Policies.

  2. Click New, then specify a name for the Role policy.

  3. Select Identity Server: Roles for the type, then click OK.

  4. Configure the role policy as shown on the following page.

    Role activation from trusted provider
  5. In the Conditions section, click New > Roles from Identity Provider.

  6. Select the trusted identity provider in the drop-down menu.

  7. For Comparison, choose String > Equals.

  8. Choose Value > Data Entry Field.

  9. Type the name of the role used by the trusted identity provider.

  10. Under the Actions section, click Activate Role.

  11. Type the name of the role you want to activate at the trusted service provider.

  12. Click OK.

  13. On the Policies page, click Apply Changes.

  14. To enable the role so that it can be used in Authorization and Identity Injection policies, click Identity Servers > Servers > Edit > Roles.

  15. Select the check box by the name of the role, then click Enable.

  16. Click OK.

  17. To update the Identity Server, click Servers > Update Servers.