You can use Access Manager as an identity provider for several service providers.You can configure a specific authentication contract that is required for a service provider. If you have configured more than one authentication contract for a service provider, the contract with minimum level is selected.
When providing authentication to a service provider, Identity Server ensures that the user is authenticated by the required contract. When a user is not authenticated or when a user is authenticated, but the authenticated contracts do not satisfy the required contracts, user is prompted to authenticate with the required contract. This is called step up authentication.
If no required contract is configured, then the default contract is executed.
NOTE:For SAML 2.0, this step up authentication is supported for Intersite Transfer Service (for both identity provider initiated and service provider initiated requests). For Liberty, it works only for identity provider initiated requests.
Perform the following steps to define options for a SAML 2.0 service provider:
Click Devices > Identity Servers > Servers > Edit > SAML 2.0 > Service Provider > Options.
Select OIOSAML Compliance to make the service provider OIOSAML compliant.
The OIOSAML attribute set is automatically populated with the required attributes to send with authentication after selecting this option.
Select the required step up authentication contracts from Available contracts and move them to Selected contracts. This is to provide the step up authentication for the service provider.
NOTE:Only the contract that is listed first in Selected contracts list will be executed. This is applicable only for SAML 2.0.
Click New.
The following table lists the available properties:
|
Property Type |
Description |
|---|---|
|
SAML ASSERTION INCLUDE MILLISECS |
Select true to get SAML responses for this service provider including the timestamp in millisecond in IssueInstant. |
|
SAML2 AVOID AUDIENCE RESTRICTION |
Select true to avoid sending the audience restriction information with assertion to this service provider. |
|
SAML2 AVOID AUTHNCONTEXT CLASS REFERENCE |
Set this to true to exclude AuthnContextClassRef as part of the SAML 2.0 assertion response for this service provider. |
|
SAML2 AVOID AUTHNCONTEXT DECLARATION REFERENCE |
Set this to true to exclude AuthnContextDeclRef as part of the SAML 2.0 assertion response for this service provider. |
|
SAML2 AVOID CONSENT |
Select true to not include Consent as part of the SAML 2.0 request. |
|
SAML2 AVOID SIGN AND VALIDATE ASSERTIONS TRUSTED PROVIDERS |
If you select true, the cluster will sign SAML 2.0 POST responses (excluding the assertion) for this provider. |
|
SAML2 AVOID SPNAMEQUALIFIER |
Select true to not include SPNAMEQUALIFIER in NAMEIDENTIFER in the assertion. |
|
SAML2 AVOID SPNAMEQUALIFIER TO |
Select true to send SPNAMEQUALIFIER in NAMEIDENTIFER with the assertion. |
|
SAML2 NAMEID ATTRIBUTE NAME |
Specify the LDAP attribute name that will be sent in the name identifier in a SAML response for this service provider. |
|
SAML2 POST DEFLATE TRUSTEDPROVIDERS |
If you select true, the cluster will send deflated post messages to this provider. |
|
SAML2 POST SIGN RESPONSE TRUSTEDPROVIDERS |
If you select true, the identity provider will sign the entire SAML 2.0 response for this service provider. |
|
SAML2 REQUEST IGNORE AUTHCONTEXT |
If you select true, the identity provider ignores any specific authentication available in a SAML request from this service provider. |
|
SAML2 SHOW SHARED ATTRIBUTE NAMES |
If you select true, the attributes shared with the SAML 2 service provider are displayed on the user portal page. |
|
SAML2 SIGN METHODDIGEST SHA256 |
If you select true, assertion will use the SHA 256 algorithm as a hashing algorithm for this service provider. |
|
SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST |
This property helps in identifying the contract that Identity Server can use for authenticating users for a specific service provider.This option is useful when Identity Server acts as a local identity provider and mediates communication between a trusted identity provider (any remote identity provider) and a trusted service provider. For example, a service provider sends an authentication request (authnrequest) to a remote identity provider. The request contains the AuthnContextClassRef attribute. The local identity provider (Identity Server) performs the following actions:
Example: If authnrequest includes the following details: <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef> Identity Server verifies all the configured identity providers. If any of the configured identity providers in Identity Server has the value of SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST as classes:Password, the request is redirected to that identity provider. Therefore, the authentication happens using the remote identity provider. |
|
OTHER |
Specify Property Name and Value if you want to configure any other property for this service provider. |
|
IGNORE_ACS_METADATA_CHECK |
If the Assertion Consumer Service URL is configured in an unsigned request, the authentication fails. To prevent this scenario, configure this option to true as follows: Click Other and specify the following details: Property Name: IGNORE_ACS_METADATA_CHECK Property Value: true |
Click OK > Apply.