When users authenticate to a service provider, they can be given the option to federate their account identities with their preferred identity provider. This process creates an account association between the identity provider and service provider that enables single sign-on and single logout.
In the Administration Console, click
> > > > > > > .Click
.Enable the following option:
Allow users to federate: Enables account federation. By enabling this option, you assume that a user account exists at the service provider and that the account can be associated with a user’s account at the identity provider. If you do not use this feature, authentication is permitted but is not associated with a particular user account.
Specify when the federation request occurs:
Allow after authentication: Sends the federation request after the user has authenticated (logged in) to the service provider. When you set this option, users can federate from the Federations page in the Access Manager User Portal.
Allow before authentication: Specifies whether federation can occur when the user clicks the login link to the identity provider. Allowing federation in this method means that a user must be identified at a later time during the federation process. For this reason, when you click this option, the system displays additional options on the Authentication page, under
These options are discussed in Section 10.2, Configuring User Identification Methods.
Under
, configure the following fields:Use Types: Specifies whether to use authentication types. Select the types from the
field to specify which type to use for authentication between trusted service providers and identity providers. Standard types include Name/Password, X.509, Token, and so on.Use Contracts: Specifies whether to use authentication contracts. Select the contract from the Section 8.4, Configuring Authentication Contracts.
list. For a contract to appear in the list, the contract must have the option enabled. To use the contract for federated authentication, the contract’s URI must be the same on the identity provider and the service provider. For information about contract options, seeDo not specify: Specifies that the identity provider can send any type of authentication to satisfy a service provider’s request, and instructs a service provider to not send a request for a specific authentication type or contract.
Under the
heading, configure the following fields, as necessary:Response Protocol Binding: Select
or or . Artifact and Post are the two methods for transmitting assertions between the authenticating system and the target system.If you select
, you are letting the identity provider determine the protocol.Identity provider proxy redirects: Specifies whether or not the trusted identity provider can proxy the authentication request to another identity provider. A value of zero specifies that the trusted identity provider cannot redirect an authentication request. Values 1-5 determine the number of times the request can be proxied. Select
to let the trusted identity provider decide how many times the request can be proxied.Force authentication at the IDP: Specifies that the trusted identity provider must prompt the user for authentication, even if they are already logged in.
Use automatic introduction: Automatically attempts single sign-on to this trusted identity provider.
IMPORTANT:Only enable this option when you are confident the server will be up. If the server is down and does not respond to the authentication request, the user gets a page-cannot-be-displayed error. Local authentication is disabled because the browser is never redirected to the login page.
This option should only be enabled when you know the identity provider is available 99.999% of the time or the service provider is dependent upon this identity provider for authentication.
Click
.On the Trusted Providers page, click
.Update the Identity Server configuration on the
page.