8.4 Configuring the Identity Server as a Relying Party

When the Identity Server is acting as the relying party, you need to define how you want the user to authenticate. This involves defining who can issue the credentials and what credentials are required.

For a basic setup, see Configuring the Relying Party to Trust an Identity Provider.

8.4.1 Defining an Authentication Card and Profile

The authentication card defines the visual aspects of the card. An authentication card profile defines the parameters for accessing CardSpace. Multiple profiles can be created for the authentication card, and the user can select which profile to use for authentication.

  1. In the Administration Console, click Devices > Identity Servers > Edit > CardSpace.

  2. Click Authentication Card, then fill in the following fields:

    ID: (Optional) Specify an alphanumeric value that identifies the card. If you need to reference this card outside of the user interface, you need to specify a value here. If you do not assign a value, the Identity Server creates one for its internal use.

    Text: Specify the text that is displayed as the card name to the user, such as CardSpace.

    Image: Select the image from the drop-down list. For CardSpace, you can use the default CardSpace image or any other image in the list. To add a new image, click Select local image. For more information on how to add an image, see Section 6.5, Adding Authentication Card Images.

    Show Card: Select this option when you want the Identity Server to display the card as a login option. Deselect this option when you want to prevent users from using this card and any of its authentication profiles.

  3. In the Profiles section, click New, then fill in the following fields:

    Name: Specify a display name for the profile.

    ID: (Optional) Specify an alphanumeric value that identifies the card. If you need to reference this card outside of the Administration Console, you need to specify a value here. If you do not assign a value, the Identity Server creates one for its internal use.

    Text: Specify the text that references the profile when more than one profile has been defined.

    Issuer: From the drop-down list, select one of the following:

    • Any Trusted or Untrusted Provider or Personal Card: Specifies that the issuer of the card can be a managed card from any provider or can be a personal card. This option allows all cards in the card selector to be selected.

    • Personal Card: Specifies that the issuer must be a personal card from a card selector.

    • Any Trusted Provider or Personal Card: Specifies that the card can be either a personal card or a managed card from any trusted provider. A trusted provider is a provider that is listed in the trusted provider list. See Section 8.4.2, Defining a Trusted Provider.

      This option allows all cards in the card selector to be selected. The Identity Server enforces the trusted provider requirement when the card is sent.

    • <Provider Name>: Specifies that the card must be a managed card from the specified provider. To add a trusted provider, see Section 8.4.2, Defining a Trusted Provider.

    Token Type: SAML 1.1 is displayed as the token type for the assertion.

    If you are using CardSpace to allow access to Access Gateway protected resources, you must ensure that the contract specified for a protected resource is satisfied by an authentication profile.

  4. Click Next, then specify the attributes for the card profile.

    Attribute set: Select the CardSpace attribute set.

    Required attributes: From the Available attribute list, select the attributes that you want the card to return and move them to the Required attribute list.

    Move Common First Name and Personal Private Identifier to the Required attribute list.

    Optional attributes: From the Available attribute list, select the attributes that the card can return, but is not required to return, and move them to the Optional attribute list.

  5. Click Next, then specify the user identification method.

    Satisfied contracts: (Optional) Move the contract that you want this profile to satisfy from the list of available contracts to the Satisfied contract list.

    Allow federation: Allows the CardSpace card to be linked with a user account. If you do not select this option, the user is always prompted for credentials.

    User Identification Methods: If you enable federation, the user identification method determines how the card is linked to a user account and allows the association to be saved. If you do not enable federation, a user identification method allows the card to be linked with an account, but the association is not saved. Select one of the following methods:

    • Do nothing: Select this option to allow the user to authenticate without creating an association with a user account. This option cannot be used when federation is enabled.

    • Authenticate: Select this option when you want to use login credentials. This option prompts the user to log in to the service provider.

      • Allow ‘Provisioning’: Select this option to allow users to create an account when they have no account on the service provider.

        This option requires that you specify a user provisioning method, which defines the required attributes for setting up a user account. See Section 11.3, Defining the User Provisioning Method.

    • Provision Account: Select this option when the users on the identity provider do not have accounts on the service provider. This option allows the service provider to trust any user that has authenticated to the trusted identity provider.

      This option requires that you specify a user provisioning method, which defines the required attributes for setting up a user account. See Section 11.3, Defining the User Provisioning Method.

    • Attribute matching: Select this option when you want to use attributes to match an identity server account with a service provider account. This option requires that you specify a user matching method. See Section 11.1.2, Configuring the Attribute Matching Method for Liberty or SAML 2.0.

      • Prompt for password on successful match: Select this option to prompt the user for a password when the user’s name is matched to an account, to ensure that the account matches.

  6. (Conditional) If you have selected a method that requires account provisioning or attribute matching, click the icon for Provisioning Settings or Attribute Matching Settings. For instructions, see Section 11.3, Defining the User Provisioning Method or Section 11.1.2, Configuring the Attribute Matching Method for Liberty or SAML 2.0.

  7. Click Finish > OK.

  8. Restart the Identity Server. Stopping and starting the Identity Server also updates its configuration:

    1. On the Identity Servers page, select the server, then click Stop > OK.

    2. When the health turns red, select the server, then click Start.

  9. Continue with Section 8.4.2, Defining a Trusted Provider.

8.4.2 Defining a Trusted Provider

You need to create a trusted provider for each server you want to explicitly trust as an identity provider. If your users are going to use only personal cards for authentication or it explicit trust is not required, you do not need to create a trusted provider configuration.

The authentication profile allows you to select an option to trust any provider, including untrusted providers. For a secure system, you need to identify the providers you want to trust and create a configuration for them. To create a trusted provider, you need to obtain the issuer ID of the provider and the public key certificate for signing certificate from the provider’s administrator.

For an Identity Server cluster, the issuer ID is the base URL of the Identity Server plus the following path:

/sts/services/Trust

For example, if the base URL is https://test.lab.novell.com:8443/nidp, the Provider ID is the following value:

https://test.lab.novell.com:8443/nidp/sts/services/Trust

This section explains the following:

Creating a Trusted Provider Configuration

  1. In the Administration Console, click Devices > Identity Servers > Edit > CardSpace.

  2. On the Trusted Providers page, click New, then fill in the following fields:

    Name: Specify a display name for the provider. This name appears in the list of trusted providers that you can select for an authentication card profile.

    Source: This line specifies that the Provider ID is entered manually.

    Provider ID: Specify the issuer ID of the trusted provider. For an Identity Server cluster when the base URL is https://test.lab.novell.com:8443/nidp, the Provider ID is the following value

    https://test.lab.novell.com:8443/nidp/sts/services/Trust
    

    For a third-party identity provider, you need to obtain the issuer ID from the provider.

    Signing Certificate: Import the certificate by clicking Browse. Find the signing certificate file, click Open to import it, then click Next.

  3. To confirm the signing certificate, click Finish.

Managing the Trusted Provider Configuration

You can modify the name of the configuration, view and edit the metadata, view and reimport the signing certificate.

  1. In the Administration Console, click Devices > Identity Servers > Edit > CardSpace.

  2. On the Trusted Providers page, click the name of a trusted provider.

  3. To change the name of the trusted provider, specify a new name on the Configuration page, then click Apply.

  4. To view or edit the metadata, click Metadata.

  5. To modify the Provider ID or to import a new signing certificate, click Edit.

    1. (Optional) To change the Provider ID, enter a new value or modify the current value.

    2. (Optional) To import a new signing certificate, click Browse, find the certificate file, click Open to import it, then click Apply.

  6. To view the signing certificate, click Certificates.

  7. (Conditional) If you made any modifications, update the Identity Server.

8.4.3 Cleaning Up Identities

When acting as a relying party, you can set limits for how long an identity can remain unused before the identity is automatically defederated. The default value is 90 days. You can specify a value from 0 to 365 days. To configure this value:

  1. In the Administration Console, click Devices > Identity Servers > Edit > CardSpace.

  2. Click Configuration.

  3. Specify a value for the relying party maximum age.

  4. Click Apply, then update the Identity Server.

8.4.4 Defederating after User Portal Login

If you want to remove the federation link on a card so you are prompted for login credentials the next time you use it, you need to defederate the card.

  1. Log in to the user portal.

  2. In your authentication card section, select the card you used to authenticate.

  3. Click the options icon.

  4. To defederate this account, select the defederate option.