This section explains how to modify a WS Federation service provider after it has been created. Section 7.1, Using the Identity Server as an Identity Provider for ADFS explains the steps required to create the service provider.
In the Administration Console, click > > > >
In the field, specify a new name for the service provider.
Click twice, then update the Identity Server.
When the Identity Server creates its response for the service provider, it uses the attributes listed here. The response needs to contain the attributes that the service provider requires. If you do not own the service provider, you need to contact the administrator of the service provider and negotiate which attributes you need to send in the response. The service provider can then use these attributes to identify the user, to create policies, to match user accounts, or, if it allows provisioning, to create user accounts on the service provider.
In the Administration Console, click > > > >
(Conditional) To create an attribute set, select from the drop-down menu.
An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can specify that the local attribute of any attribute in the Liberty profile (such as Informal Name) matches the remote attribute specified at the service provider.
Select an attribute set.
Select attributes from the list, and move them to the left side of the page.
(Conditional) If you created a new attribute set, it must be enabled for STS.
For more information, see Enabling the Attribute Set.
Click , then update the Identity Server.
When the Identity Server sends its response to the service provider, the response can contain an identifier for the user. If you do not own the service provider, you need to contact the administrator of the service provider and negotiate whether the user needs to be identified and, if this is required, how the user should be identified. If the service provider is going to use an attribute for user identification, that attribute needs to be in the attributes sent with authentication. See Section 7.4.2, Configuring the Attributes Sent with Authentication.
To select the user identification method to send in the response:
In the Administration Console, click > > > >
For the format, select one of the following:
Unspecified: Specifies that the SAML assertion contains an unspecified name identifier.
E-mail: Specifies that the SAML assertion contains the user’s e-mail address for the name identifier.
X509: Specifies that the SAML assertion contains an X.509 certificate for the name identifier.
For the value, select an attribute that matches the format. For the Unspecified format, select the attribute that the service provider expects.
The only values available are from the attribute set that you have created for WS Federation.
Click twice, then update the Identity Server.
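The following is an added example, not Access Manager product code, showing how the three name identifier formats offered above map onto a SAML 1.1 NameIdentifier element and how the two constraints from this and the preceding section can be enforced in code: the attribute used for the identifier must belong to the attribute set created for WS Federation, and its value must fit the chosen format. The attribute set contents, attribute names and user values are constructed; the format URIs are the SAML 1.1 name-identifier format identifiers.

```python
"""Build the SAML 1.1 NameIdentifier carried in a WS-Federation response.

Added example, not product code. Models the console's three formats
(Unspecified, E-mail, X509) and the rule that the value must come from the
attribute set enabled for WS Federation. Attribute names and sample values
are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML1_NS)

# Name-identifier format URIs defined by SAML 1.1.
NAMEID_FORMATS = {
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "E-mail": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "X509": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
}

# Constructed attribute set: the only attributes the console would offer
# as the name identifier value for this WS Federation provider.
WSFED_ATTRIBUTE_SET = {"mail", "cn", "x509SubjectName"}

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DN_RE = re.compile(r"^(CN|OU|O|C|DC|L|ST)=", re.IGNORECASE)


def validate_nameid_value(fmt: str, value: str) -> None:
    """Reject a value that cannot be carried in the selected format."""
    if not value or not value.strip():
        raise ValueError("empty name identifier value")
    if fmt == "E-mail" and not _EMAIL_RE.match(value):
        raise ValueError(f"value {value!r} is not an e-mail address")
    if fmt == "X509" and not _DN_RE.match(value):
        raise ValueError(f"value {value!r} is not an X.509 subject name")


def build_name_identifier(fmt: str, attribute: str, user: dict) -> ET.Element:
    """Return the NameIdentifier element for one user.

    fmt is the console selection (Unspecified, E-mail or X509); attribute is
    the attribute chosen as the value; user maps attribute names to values.
    """
    if fmt not in NAMEID_FORMATS:
        raise ValueError(f"unknown format {fmt!r}")
    if attribute not in WSFED_ATTRIBUTE_SET:
        raise ValueError(
            f"attribute {attribute!r} is not in the WS Federation attribute set"
        )
    value = user.get(attribute)
    if value is None:
        raise ValueError(f"user has no value for attribute {attribute!r}")
    validate_nameid_value(fmt, value)
    element = ET.Element(f"{{{SAML1_NS}}}NameIdentifier")
    element.set("Format", NAMEID_FORMATS[fmt])
    element.text = value
    return element


def name_identifier_xml(fmt: str, attribute: str, user: dict) -> str:
    """Serialize the element, e.g. for inspection in a trace."""
    return ET.tostring(build_name_identifier(fmt, attribute, user), encoding="unicode")


if __name__ == "__main__":
    sample_user = {"mail": "alice@example.test", "cn": "Alice Example"}
    print(name_identifier_xml("E-mail", "mail", sample_user))
```

The checks mirror what the console enforces by construction: an attribute outside the WS Federation attribute set is never offered as a value, and a format that does not match the attribute's content produces an identifier the service provider cannot use.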
You can view the metadata of the ADFS server, edit it, and view information about the signing certificate.
In the Administration Console, click > > > >
The following values need to be configured accurately:
ID: This is the provider ID. This is the value that the ADFS server provides to the Identity Server in the realm parameter of the query string. This value is specified in the of the page on the ADFS server. The parameter label is . The default value is .
sloUrl: This is the sign-on URL. This URL is listed in the of the on the ADFS server. The label is . The default value is .
ssoUrl: This is the logout URL. The default value is . The ADFS server makes no distinction between the login and logout URL.
If the values do not match the ADFS values, you need to edit the metadata.
To edit the metadata, click .
Modify the values for the , , or .
If you need to import a new signing certificate, click the Browse button and follow the prompts.
To view information about the signing certificate, click .
Click twice, then update the Identity Server.
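As an added example that is not product code, the following Python checks an incoming WS-Federation request against the three provider values described above (ID, ssoUrl, sloUrl). It assumes the standard WS-Federation passive query parameters: the realm the ADFS server sends arrives as wtrealm, the action as wa, and the return URL as wreply. The configured values and request URLs are constructed placeholders; the logout and sign-on URLs are set equal because, as noted above, ADFS makes no distinction between them.

```python
"""Match an incoming WS-Federation request against the configured
service provider values (ID, ssoUrl, sloUrl).

Added example, not product code. Assumes the WS-Federation passive
protocol parameters wa, wtrealm and wreply. All configured values and
sample URLs are constructed placeholders.
"""
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins for the values shown on the provider metadata page.
SERVICE_PROVIDER = {
    "ID": "urn:federation:adfs.example.test",
    "ssoUrl": "https://adfs.example.test/adfs/ls/",
    "sloUrl": "https://adfs.example.test/adfs/ls/",
}

# Passive requestor actions this check recognises.
ALLOWED_ACTIONS = {"wsignin1.0", "wsignout1.0", "wsignoutcleanup1.0"}


def _same_endpoint(candidate: str, configured: str) -> bool:
    """Compare scheme, host and path; ignore a trailing slash and host case."""
    c, e = urlparse(candidate), urlparse(configured)
    return (c.scheme, c.netloc.lower(), c.path.rstrip("/")) == (
        e.scheme,
        e.netloc.lower(),
        e.path.rstrip("/"),
    )


def check_wsfed_request(url: str, sp: dict = SERVICE_PROVIDER) -> list:
    """Return a list of mismatches; an empty list means the request matches
    the configured provider and can be processed."""
    problems = []
    qs = parse_qs(urlparse(url).query)
    wa = qs.get("wa", [None])[0]
    wtrealm = qs.get("wtrealm", [None])[0]
    wreply = qs.get("wreply", [None])[0]

    if wa not in ALLOWED_ACTIONS:
        problems.append(f"unsupported wa {wa!r}")
    # The realm must equal the provider ID; otherwise the metadata on the
    # Identity Server does not describe the ADFS server that is calling.
    if wtrealm != sp["ID"]:
        problems.append(
            f"wtrealm {wtrealm!r} does not match configured ID {sp['ID']!r}"
        )
    # A return URL is only honoured if it is one of the configured endpoints,
    # so the response is never sent to an address the metadata does not list.
    if wreply is not None:
        if not any(_same_endpoint(wreply, sp[k]) for k in ("ssoUrl", "sloUrl")):
            problems.append(f"wreply {wreply!r} is not a configured endpoint")
    return problems


if __name__ == "__main__":
    request = (
        "https://idp.example.test/wsfed?wa=wsignin1.0"
        "&wtrealm=urn%3Afederation%3Aadfs.example.test"
        "&wreply=https%3A%2F%2Fadfs.example.test%2Fadfs%2Fls%2F"
    )
    print(check_wsfed_request(request) or "request matches configured provider")
```

When the list is not empty, the metadata values on the Identity Server and the values on the ADFS server disagree and the metadata needs the edit described above, or the request did not originate from the configured ADFS server.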