7.3 Modifying a WS Federation Identity Provider

This section explains how to modify a WS Federation identity provider after it has been created. Section 7.2, Using the ADFS Server as an Identity Provider for an Access Manager Protected Resource explains the steps required to create an identity provider.

7.3.1 Renaming the Identity Provider

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider].

  2. In the Name field, specify a new name for the identity provider.

  3. Click OK twice, then update the Identity Server.

7.3.2 Configuring the Attributes Obtained at Authentication

When the Identity Server creates its request to send to the identity provider, it uses the attributes that you have selected. The request asks the identity provider to provide values for these attributes. You can then use these attributes to create policies, to match user accounts, or if you allow provisioning, to create a user account on the service provider.

To select the attributes:

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > Attributes.

  2. (Conditional) To create an attribute set, select New Attribute Set from the Attribute Set drop-down menu.

    An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can specify that the local attribute of any attribute in the Liberty profile (such as Informal Name) matches the remote attribute specified at the service provider.

    1. Specify a set name, then click Next.

    2. On the Define Attributes page, click New.

    3. Select a local attribute.

    4. Specify the name of the remote attribute.

    5. For the namespace, select http://schemas.xmlsoap.org/claims.

    6. Click OK.

    7. To add other attributes to the set, repeat Step 2.b through Step 2.e.

    8. Click Finish.

  3. Select an attribute set.

  4. Select attributes from the Available list, and move them to the left side of the page.

  5. (Conditional) If you created a new attribute set, it must be enabled for STS.

    For more information, see Enabling the Attribute Set.

  6. Click OK, then update the Identity Server.

7.3.3 Modifying the User Identification Method

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > User Identification.

  2. Select the contract that can be used for authentication. Fill in the following field:

    Satisfies contract: Specifies the contract that is satisfied by the assertion received from the identity provider. WS Federation expects the URI name of the contract to look like a URL, and thus rejects all default Access Manager contracts. You must create a contract with a URI that conforms to WS Federation requirements.

  3. Specify whether the user can associate (federate) an account at the identity provider (the ADFS server) with an account at Identity Server. Fill in the following field:

    Allow federation: Indicates whether account federation is allowed. Enabling this option assumes that a user account exists at the provider or that a method is provided to create an account that can be associated with the user on subsequent logins. If you do not use this feature, authentication is permitted but is not associated with a particular user account.

  4. Select one of the following methods for user identification:

    • Do nothing: Allows the user to authenticate without creating an association with a user account. This option cannot be used when federation is enabled.

    • Authenticate: Allows the user to authenticate using a local account.

      • Allow ‘Provisioning’: Provides a button that the user can click to create an account when the authentication credentials do not match an existing account.

    • Provision account: Allows a new account to be created for the user when the authenticating credentials do not match an existing user. When federation is enabled, the new account is associated with the user and used with subsequent logins. When federation is not enabled, a new account is created every time the user logs in.

      This option requires that you specify a user provisioning method.

    • Attribute matching: Enables account matching. The service provider can uniquely identify a user in its directory by obtaining specific user attributes sent by the trusted identity provider. This option requires that you specify a user matching method.

      • Prompt for password on successful match: Specifies whether to prompt the user for a password when the user’s name is matched to an account, to ensure that the account matches.

  5. (Conditional) If you selected a method that requires provisioning (Allow ‘Provisioning’ or Provision account), click the Provision settings icon and create a provisioning method.

    For configuration information, see Section 8.4, Defining the User Provisioning Method.

  6. (Conditional) If you selected Attribute matching as the identification method, click the Attribute Matching settings icon and create a matching method.

    For configuration information, see Section 8.3, Configuring the Attribute Matching Method.

  7. Click OK twice, then update the Identity Server.

7.3.4 Managing the Metadata

You can view the metadata of the ADFS server, edit it, and view information about the signing certificate.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > Metadata.

    The following values need to be configured accurately:

    ID: This is provider ID. The ADFS server provides this value to the service provider in the realm parameter in the assertion. You set this value in the Properties of the Trust Policy on the ADFS server. The label is Federation Service URI. The default value is urn:federation:adatum.

    sloUrl: This is the sign-on URL. This URL is listed in the Properties of the Trust Policy on the ADFS server. The label is Federation Services endpoint URL.

    ssoUrl: This is the logout URL. The default value is https://adfsresource.treyresearch.net/adfs/ls/. The ADFS server makes no distinction between the login and logout URL.

    If the values do not match the ADFS values, you need to edit the metadata.

  2. To edit the metadata, click Edit.

  3. Modify the values for the Provider ID, Sign-on URL, or Logout URL.

  4. If you need to import a new signing certificate, click the Browse button and follow the prompts.

  5. To view information about the signing certificate, click Certificates.

  6. Click OK twice, then update the Identity Server.

7.3.5 Modifying the Authentication Card

When you create an identity provider, you must also configure an authentication card. After it is created, you can modify it.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > Authentication Card.

  2. Modify the values in one or more of the following fields:

    ID: If you have need to reference this card outside of the Administration Console, specify an alphanumeric value here. If you do not assign a value, the Identity Server creates one for its internal use. The internal value is not persistent. Whenever the Identity Server is rebooted, it can change. A specified value is persistent.

    Text: Specify the text that is displayed on the card. This value, in combination with the image, indicates to the users the provider they are logging into.

    Image: Specify the image to be displayed on the card. Select the image from the drop-down list. To add an image to the list, click <Select local image>.

    Show Card: Determine whether the card is shown to the user, which allows the user to select and use the card for authentication. If this option is not selected, the card is only used when a service provider makes a request for the card.

  3. Click OK twice, then update the Identity Server.