When the Identity Server is acting as the relying party, you need to define how you want the user to authenticate. This involves defining who can issue the credentials and what credentials are required.
For a basic setup, see Configuring the Relying Party to Trust an Identity Provider.
The authentication card defines the visual aspects of the card. An authentication card profile defines the parameters for accessing CardSpace. Multiple profiles can be created for the authentication card, and the user can select which profile to use for authentication.
In the Administration Console, click > > > .
Click , then fill in the following fields:
ID: (Optional) Specify an alphanumeric value that identifies the card. If you need to reference this card outside of the user interface, you need to specify a value here. If you do not assign a value, the Identity Server creates one for its internal use.
Text: Specify the text that is displayed as the card name to the user, such as CardSpace.
Image: Select the image from the drop-down list. For CardSpace, you can use the default CardSpace image or any other image in the list. To add a new image, click . For more information on how to add an image, see Section 6.5, Adding Authentication Card Images.
Show Card: Select this option when you want the Identity Server to display the card as a login option. Deselect this option when you want to prevent users from using this card and any of its authentication profiles.
In the section, click , then fill in the following fields:
Name: Specify a display name for the profile.
ID: (Optional) Specify an alphanumeric value that identifies the profile. If you need to reference this profile outside of the Administration Console, you need to specify a value here. If you do not assign a value, the Identity Server creates one for its internal use.
Text: Specify the text that references the profile when more than one profile has been defined.
Issuer: From the drop-down list, select one of the following:
Any Trusted or Untrusted Provider or Personal Card: Specifies that the card can be a managed card from any provider or a personal card. This option allows all cards in the card selector to be selected. Because it places no restriction on the issuer, the Identity Server accepts tokens signed by providers you have never configured; for a secure system, prefer an option that requires a trusted provider (see Section 8.4.2, Defining a Trusted Provider).
Personal Card: Specifies that the issuer must be a personal card from a card selector.
Any Trusted Provider or Personal Card: Specifies that the card can be either a personal card or a managed card from any trusted provider. A trusted provider is a provider that is listed in the trusted provider list. See Section 8.4.2, Defining a Trusted Provider.
This option allows all cards in the card selector to be selected; the Identity Server enforces the trusted provider requirement when the card is submitted and rejects cards from providers that are not in the trusted provider list.
<Provider Name>: Specifies that the card must be a managed card from the specified provider. To add a trusted provider, see Section 8.4.2, Defining a Trusted Provider.
Token Type: SAML 1.1 is displayed as the token type for the assertion.
If you are using CardSpace to allow access to Access Gateway protected resources, you must ensure that the contract specified for a protected resource is satisfied by an authentication profile.
Click , then specify the attributes for the card profile.
Attribute set: Select the CardSpace attribute set.
Required attributes: From the list, select the attributes that you want the card to return and move them to the list. Move and to the list.
Optional attributes: From the list, select the attributes that the card can return, but is not required to return, and move them to the list.
Click , then specify the user identification method.
Satisfied contracts: (Optional) Move the contract that you want this profile to satisfy from the list of available contracts to the list.
Allow federation: Allows the CardSpace card to be linked with a user account. If you do not select this option, the user is always prompted for credentials.
User Identification Methods: If you enable federation, the user identification method determines how the card is linked to a user account and allows the association to be saved. If you do not enable federation, a user identification method allows the card to be linked with an account, but the association is not saved. Select one of the following methods:
Do nothing: Select this option to allow the user to authenticate without creating an association with a user account. This option cannot be used when federation is enabled.
Authenticate: Select this option when you want to use login credentials. This option prompts the user to log in to the service provider.
Allow ‘Provisioning’: Select this option to allow users to create an account when they have no account on the service provider.
This option requires that you specify a user provisioning method, which defines the required attributes for setting up a user account. See Section 11.3, Defining the User Provisioning Method.
Provision Account: Select this option when the users on the identity provider do not have accounts on the service provider. This option allows the service provider to trust any user that has authenticated to the trusted identity provider.
This option requires that you specify a user provisioning method, which defines the required attributes for setting up a user account. See Section 11.3, Defining the User Provisioning Method.
Attribute matching: Select this option when you want to use attributes to match an identity server account with a service provider account. This option requires that you specify a user matching method. See Section 11.1.2, Configuring the Attribute Matching Method for Liberty or SAML 2.0.
Prompt for password on successful match: Select this option to prompt the user for a password when the user’s name is matched to an account, to ensure that the account matches.
(Conditional) If you have selected a method that requires account provisioning or attribute matching, click the icon for or . For instructions, see Section 11.3, Defining the User Provisioning Method or Section 11.1.2, Configuring the Attribute Matching Method for Liberty or SAML 2.0.
Click > .
Restart the Identity Server. Stopping and starting the Identity Server also updates its configuration:
On the Identity Servers page, select the server, then click > .
When the health turns red, select the server, then click .
Continue with Section 8.4.2, Defining a Trusted Provider.
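As an added illustration, not code from the Access Manager product, the following Python models how a relying party applies an authentication card profile to the claims of a presented card: enforcement of required and optional attributes, the four user identification methods, the rule that Do nothing cannot be combined with federation, the prompt-for-password-on-match option, and whether the resulting association is saved. The matching attribute (emailaddress), the provisioning rule (the account name is taken from the matching attribute), the rejection of ambiguous matches, and the sample accounts and claims are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# User identification methods offered by an authentication card profile.
DO_NOTHING = "do_nothing"
AUTHENTICATE = "authenticate"
PROVISION = "provision"
ATTRIBUTE_MATCHING = "attribute_matching"


@dataclass(frozen=True)
class CardProfile:
    required: frozenset            # attributes the card must return
    optional: frozenset            # attributes the card may return
    allow_federation: bool         # persist the card-to-account association
    method: str                    # one of the four constants above
    match_attribute: str = "emailaddress"   # assumption: attribute used to match/provision
    prompt_password_on_match: bool = False

    def validate(self) -> None:
        # "Do nothing" cannot be used when federation is enabled.
        if self.allow_federation and self.method == DO_NOTHING:
            raise ValueError("'Do nothing' cannot be combined with Allow federation")
        if self.method in (PROVISION, ATTRIBUTE_MATCHING) and self.match_attribute not in self.required:
            raise ValueError("the matching attribute must be a required attribute")


@dataclass
class Outcome:
    accepted: bool
    reason: str
    account: Optional[str] = None   # local account the session is bound to, if any
    link_saved: bool = False        # True only when federation is enabled
    prompt: Optional[str] = None    # "credentials" or "password" when the user is challenged


def evaluate(profile: CardProfile, claims: dict, accounts: dict) -> Outcome:
    """Apply a card profile to the claims carried by a card the user just presented.

    claims:   attribute -> value from the card's token (issuer checks are done elsewhere)
    accounts: local account name -> dict of that account's attributes (mutated on provisioning)
    """
    profile.validate()

    missing = profile.required - frozenset(claims)
    if missing:
        return Outcome(False, "token lacks required attributes: " + ", ".join(sorted(missing)))

    # Keep only the attributes the profile asked for; anything else the issuer added is
    # dropped rather than trusted.
    claims = {k: v for k, v in claims.items() if k in profile.required | profile.optional}

    if profile.method == DO_NOTHING:
        return Outcome(True, "authenticated without an account association")

    if profile.method == AUTHENTICATE:
        # The user logs in with local credentials; the association survives only with federation.
        return Outcome(True, "local login required", prompt="credentials",
                       link_saved=profile.allow_federation)

    value = claims[profile.match_attribute]

    if profile.method == PROVISION:
        # Provisioning rule (assumption): the account name is the matching attribute value.
        if value in accounts:
            return Outcome(False, f"account {value!r} already exists; provisioning refused")
        accounts[value] = dict(claims)
        return Outcome(True, "account provisioned", account=value,
                       link_saved=profile.allow_federation)

    if profile.method == ATTRIBUTE_MATCHING:
        matches = [name for name, attrs in accounts.items()
                   if attrs.get(profile.match_attribute) == value]
        if len(matches) != 1:
            # Neither "no match" nor an ambiguous match may silently bind the session to an account.
            return Outcome(False, f"{len(matches)} accounts match {profile.match_attribute}={value!r}")
        prompt = "password" if profile.prompt_password_on_match else None
        return Outcome(True, "matched existing account", account=matches[0],
                       link_saved=profile.allow_federation, prompt=prompt)

    raise ValueError(f"unknown identification method {profile.method!r}")


# Constructed sample data (not from the page).
SAMPLE_PROFILE = CardProfile(
    required=frozenset({"emailaddress", "privatepersonalidentifier"}),
    optional=frozenset({"givenname"}),
    allow_federation=True,
    method=ATTRIBUTE_MATCHING,
    prompt_password_on_match=True,
)
SAMPLE_ACCOUNTS = {
    "alice": {"emailaddress": "alice@example.com"},
    "bob": {"emailaddress": "bob@example.com"},
}
SAMPLE_CLAIMS = {
    "emailaddress": "alice@example.com",
    "privatepersonalidentifier": "ppid-constructed-1",
    "givenname": "Alice",
    "department": "finance",   # not requested by the profile, so it is discarded
}
```

Calling evaluate(SAMPLE_PROFILE, SAMPLE_CLAIMS, SAMPLE_ACCOUNTS) binds the session to alice, marks the link as saved because federation is enabled, and asks for her password before the match is accepted; a token missing privatepersonalidentifier, or a second account sharing her e-mail address, is rejected instead of being matched.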
You need to create a trusted provider configuration for each server that you want to explicitly trust as an identity provider. If your users will use only personal cards for authentication, or if explicit trust is not required, you do not need to create one.
The authentication profile lets you select an option that trusts any provider, including untrusted providers. For a secure system, identify the providers you want to trust and create a configuration for each of them. To create a trusted provider, obtain the provider's issuer ID and the public key certificate of its signing key from the provider's administrator.
For an Identity Server cluster, the issuer ID is the base URL of the Identity Server plus the following path:
/sts/services/Trust
For example, if the base URL is https://test.lab.novell.com:8443/nidp, the Provider ID is the following value:
https://test.lab.novell.com:8443/nidp/sts/services/Trust
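As an added example that is not Identity Server code, the following Python derives an issuer ID from a base URL as described above, keeps a trusted provider list keyed by issuer ID with the imported signing certificate pinned by its SHA-256 fingerprint, and applies the four issuer options of an authentication card profile described earlier on this page. The personal-card issuer URI is the self-issued issuer identifier used by CardSpace identity selectors; the provider name, the certificate bytes and the rogue issuer URL are constructed for the example.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Issuer URI that identity selectors use for self-issued (personal) cards.
PERSONAL_CARD_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
# Path the Identity Server appends to its base URL to form its issuer ID.
STS_TRUST_PATH = "/sts/services/Trust"

# Issuer options of an authentication card profile.
ANY_PROVIDER = "any"                         # Any Trusted or Untrusted Provider or Personal Card
PERSONAL_ONLY = "personal"                   # Personal Card
TRUSTED_OR_PERSONAL = "trusted_or_personal"  # Any Trusted Provider or Personal Card
NAMED_PROVIDER = "provider"                  # <Provider Name>


def issuer_id(base_url: str) -> str:
    """Derive an Identity Server cluster's issuer ID from its base URL."""
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"base URL must be an https URL: {base_url!r}")
    path = parts.path.rstrip("/") + STS_TRUST_PATH
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


class TrustedProviders:
    """Trusted provider list: issuer ID -> (display name, pinned signing-certificate fingerprint)."""

    def __init__(self):
        self._providers = {}

    def add(self, name: str, provider_id: str, signing_cert_der: bytes) -> None:
        if provider_id in self._providers:
            raise ValueError(f"provider ID already registered: {provider_id}")
        self._providers[provider_id] = (name, fingerprint(signing_cert_der))

    def lookup(self, issuer: str):
        # Exact string comparison: no prefix or case-insensitive matching on issuer IDs.
        return self._providers.get(issuer)


def check_issuer(policy, token_issuer, signing_cert_der, trusted, provider_name=None):
    """Decide whether a presented token's issuer satisfies the profile's issuer option.

    Returns (accepted, reason). Verifying the token signature with signing_cert_der is
    assumed to happen separately; this decides whether that certificate belongs to an
    issuer the profile allows.
    """
    if token_issuer == PERSONAL_CARD_ISSUER:
        if policy == NAMED_PROVIDER:
            return False, "personal card presented but a managed card is required"
        return True, "personal card accepted"

    if policy == PERSONAL_ONLY:
        return False, f"managed card from {token_issuer} rejected: personal cards only"

    if policy == ANY_PROVIDER:
        # Untrusted issuers are accepted: the claims are only as trustworthy as whoever signed them.
        return True, f"managed card from unvetted issuer {token_issuer} accepted"

    entry = trusted.lookup(token_issuer)
    if entry is None:
        return False, f"issuer {token_issuer} is not in the trusted provider list"
    name, pinned = entry
    if fingerprint(signing_cert_der) != pinned:
        return False, f"signing certificate for {name} does not match the imported certificate"
    if policy == NAMED_PROVIDER and name != provider_name:
        return False, f"token issued by {name}, profile requires {provider_name}"
    return True, f"managed card from trusted provider {name} accepted"


# Constructed sample (not from the page): placeholder bytes stand in for DER-encoded certificates.
IDP_CERT = b"constructed-der-bytes-for-the-lab-identity-server"
ROGUE_CERT = b"constructed-der-bytes-for-some-other-signer"
TRUSTED = TrustedProviders()
TRUSTED.add("lab-idp", issuer_id("https://test.lab.novell.com:8443/nidp"), IDP_CERT)
```

The trailing-slash handling in issuer_id matters because the comparison in lookup is exact: a Provider ID entered as https://test.lab.novell.com:8443/nidp/ and one entered without the slash must normalize to the same issuer ID, and a token from an issuer that is not in the list, or signed with a certificate other than the imported one, is refused under every option except Any Trusted or Untrusted Provider or Personal Card.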
In the Administration Console, click > > > .
On the Trusted Providers page, click , then fill in the following fields:
Name: Specify a display name for the provider. This name appears in the list of trusted providers that you can select for an authentication card profile.
Source: This line specifies that the Provider ID is entered manually.
Provider ID: Specify the issuer ID of the trusted provider. For an Identity Server cluster whose base URL is https://test.lab.novell.com:8443/nidp, the Provider ID is the following value:
https://test.lab.novell.com:8443/nidp/sts/services/Trust
For a third-party identity provider, you need to obtain the issuer ID from the provider.
Signing Certificate: Import the certificate by clicking . Find the signing certificate file, click to import it, then click .
To confirm the signing certificate, click .
You can modify the name of the configuration, view and edit the metadata, and view and reimport the signing certificate.
In the Administration Console, click > > > .
On the page, click the name of a trusted provider.
To change the name of the trusted provider, specify a new name on the page, then click .
To view or edit the metadata, click .
To modify the Provider ID or to import a new signing certificate, click .
(Optional) To change the Provider ID, enter a new value or modify the current value.
(Optional) To import a new signing certificate, click , find the certificate file, click to import it, then click .
To view the signing certificate, click .
(Conditional) If you made any modifications, update the Identity Server.
When acting as a relying party, you can set a limit on how long an identity can remain unused before it is automatically defederated. The default value is 90 days. You can specify a value from 0 to 365 days. To configure this value:
In the Administration Console, click > > > .
Click .
Specify a value for the relying party maximum age.
Click , then update the Identity Server.
If you want to remove the federation link on a card so that you are prompted for login credentials the next time you use it, you need to defederate the card.
Log in to the user portal.
In your authentication card section, select the card you used to authenticate.
Click the options icon.
To defederate this account, select the option.