The following options are global in that they affect any identity provider or identity consumer that the Identity Server has been configured to trust:
In the Administration Console, click
> > .To specify identity provider settings, fill in the following fields:
Show logged out providers: Displays logged-out providers on the identity provider’s log-out confirmation page.
Require Signed Authentication Requests: Specifies that for the Liberty 1.2 and SAML 2.0 protocols, authentication requests from service providers must be signed. When you enable this option for the identity provider, you must also enable the
option under the heading on this page for the external trusted service provider. (It is possible, however, to configure an identity provider that requires signed requests to function as an identity consumer that does not sign requests.)Use Introductions (Publish Authentications): Enables single sign-on from the service provider to the identity provider. The service provider determines the identity providers that users are already logged into, and then selectively and automatically asks for authentication from one of the identity providers. Introductions are enabled only between service and identity providers that have agreed to a circle of trust, which means that they have agreed upon a common domain name for this purpose.
After authenticating a user, the identity provider accesses a service at the service domain and writes a cookie to the common part of the service domain, publishing that the authentication has occurred.
Service Domain (Local and Common): Enables a service provider to access a service at the service domain prior to authenticating a user. This service reads cookies obtained at this domain and discovers if any identity providers have provided authentication to the user. The service provider determines whether any of these identity providers can authenticate a user without credentials. The service domain must resolve to the same IP address as the base URL domain.
For example, if an agreed-upon common domain is xyz.com, the service provider can specify a service domain of sp.xyz.com, and the identity provider can specify a service domain of idp.xyz.com. For the identity provider, xyz.com is the common value entered, and idp is the local value.
Port: The port to use for identity provider introductions. Port 8445 for HTTPS is the default and must be opened on your firewall. If you specify a different port, you must edit the Tomcat server XML.
SSL Certificate: Displays the Keystore page that you use to locate and replace the test-provider SSL certificate for this configuration.
The Identity Server comes with a test-provider certificate that you must replace for your production environment. This certificate is used for identity provider introductions. You can replace the test certificate now or after you have configured the Identity Server. If you create the certificate and replace the test-connector now, you can save some time by restarting Tomcat only once. Tomcat must be restarted whenever you assign an Identity Server to a configuration and whenever you update a certificate key store. See Section 6.5.3, Managing the Keys, Certificates, and Trust Stores.
Click
, then update the Identity Server.In the Administration Console, click
> > .To specify whether the Identity Server also runs as an identity consumer.
If configured to run as an identity consumer, the Identity Server can receive (consume) authentication assertions from other identity providers.
Enable: Enables this site to function as service provider. This setting is enabled by default.
Require Signed Assertions: Specifies that all SAML assertions received by the service provider must be signed by the issuing SAML authority. The signing authority uses a key pair to sign SAML data sent to this trusted provider.
Sign Authentication Requests: Specifies that the service provider signs authentication requests to an identity provider for the Liberty 1.2 and SAML 2.0 protocols.
Use Introductions (Discover IDP Authentications): Enables a service provider to discover whether a user has authenticated to a trusted identity provider, so the user can use single sign-on without requiring authentication credentials.
Service domain: The shared, common domain for all providers in the circle of trust. This domain must resolve to the same IP address as the base URL domain. You must enable the
option to enable this field.Port: The port to use for identity consumer introductions. Port 8446 for HTTPS is the default and must be opened on your firewall. If you specify a different port, you must edit the Tomcat server XML.
SSL Certificate: Displays the Keystore page that you use to locate and replace the test-consumer SSL certificate for this configuration.
The Identity Server comes with a test-consumer certificate that you must replace for your production environment. This certificate is used for identity consumer introductions. You can replace the test certificate now or after you have configured the Identity Server. If you create the certificate and replace the test-connector now, you can save some time by restarting Tomcat only once. Tomcat must be restarted whenever you assign an Identity Server to a configuration and whenever you update a certificate key store. See Section 6.5.3, Managing the Keys, Certificates, and Trust Stores.
Click
, then update the Identity Server.