Configuring Site A to Trust Site B as a Service Provider

To establish trust between Site A and Site B, you must perform two tasks:

  • Each provider must trust the other's certificate. For this direction of the trust, you import the trusted root certificate of Site B into Site A.

  • You must import the metadata of Site B into Site A. The metadata allows Site A to verify that a request claiming to come from Site B is genuinely from Site B.

Perform the following steps to import the certificate and the metadata:

  1. Log in to Administration Console for Site A.

    The configuration for Site A can be created in the same Administration Console as Site B; it cannot be configured to be a cluster member of Site B.

  2. Import the trusted root certificate of Site B into the NIDP trust store of Site A:

    1. Click Devices > Identity Servers > Edit > Security > NIDP Trust Store.

    2. In the Trusted Roots section, click Auto-Import From Server.

    3. Specify the following details:

      Server IP/DNS: Specify the IP address or DNS name of Site B. For Site B in Figure A-2, specify the following value:

      idp.siteb.example.com

      Server Port: Specify 8443.

    4. Click OK, then specify an alias for the certificate (for example, SiteB).

      Two certificate options are offered: Root CA Certificate and Server Certificate. Select Root CA Certificate.

    5. Examine the trusted root that is selected for you.

      If the trusted root is part of a chain, ensure that you select the parent and all intermediate trusted roots.

    6. Click OK.

      The trusted root certificate of Site B is added to the NIDP trust store.

    7. Click Close.

    8. Click Devices > Identity Servers, then update Identity Server.

      Wait for the health status to return to green.

  3. Configure a service provider for Site A:

    1. Click Identity Servers > Edit > Liberty [or SAML 2.0 or SAML 1.1].

    2. Click New, then select Service Provider.

    3. Specify the following details:

      Name: Specify a name for the provider. If you plan to configure more than one protocol, include the protocol as part of the name, for example SiteB_Liberty.

      Metadata URL: Specify the URL of the Liberty metadata on Site B. For Site B in Figure A-2, specify the following:

      http://idp.siteb.example.com:8080/nidp/idff/metadata

      This example uses port 8080 to avoid the certificate problems that can occur when Identity Server and Administration Console are installed on separate machines.

      SAML 2.0: If you are using SAML 2.0, the metadata path is /nidp/saml2/metadata. For Site B in Figure A-2, specify the following value:

      http://idp.siteb.example.com:8080/nidp/saml2/metadata

      SAML 1.1: If you are using SAML 1.1, the metadata path is /nidp/saml/metadata. For Site B in Figure A-2, specify the following value:

      http://idp.siteb.example.com:8080/nidp/saml/metadata

    4. Click Next > Finish > OK.

    5. Update Identity Server.

      Wait for the health status to return to green.

  4. Continue with Configuring Site B to Trust Site A as an Identity Provider.
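An added sanity check for the Site B metadata imported in step 3 (example code, not part of this documentation or of the product): it parses a SAML 2.0 metadata document, confirms that the entityID and every endpoint Location belong to the Site B host from Figure A-2, and reports SHA-256 fingerprints of the embedded certificates so that Site B's administrator can confirm them out of band, because the metadata URL above is plain HTTP and offers no integrity protection. The sample metadata, its endpoint paths and its certificate blob are constructed for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata; the X509Certificate text is placeholder bytes, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.siteb.example.com:8443/nidp/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVItQ0VSVC1CWVRFUw==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.siteb.example.com:8443/sp/acs"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://unexpected.example.net/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_metadata(xml_text, expected_host):
    """Return entityID, endpoint hosts, certificate SHA-256 fingerprints and findings."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    findings = []
    if urlparse(entity_id).hostname != expected_host:
        findings.append(f"entityID is not on {expected_host}: {entity_id}")
    hosts = set()
    for elem in root.iter():  # every SAML endpoint carries a Location attribute
        loc = elem.get("Location")
        if loc:
            host = urlparse(loc).hostname or ""
            hosts.add(host)
            if host != expected_host:
                findings.append(f"{elem.tag.split('}')[-1]} points off-site: {loc}")
    # Fingerprints let Site B's administrator confirm out of band that the
    # certificates were not altered in transit (the metadata URL is plain HTTP).
    fingerprints = [hashlib.sha256(base64.b64decode("".join(c.text.split()))).hexdigest()
                    for c in root.findall(".//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not fingerprints:
        findings.append("metadata carries no signing certificate")
    return {"entity_id": entity_id, "hosts": sorted(hosts),
            "cert_sha256": fingerprints, "findings": findings}


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "idp.siteb.example.com"))
```

Resolve every entry in `findings` with Site B's administrator before clicking Finish; an endpoint on an unexpected host means the metadata is not what Site B published.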