Configuring a SAML 2.0 Authentication Response

After you create a trusted service provider, configure how Identity Server responds to authentication requests from the service provider.

  1. Click Devices > Identity Servers > Edit > SAML 2.0 > [Service Provider] > Authentication Response.

  2. Select the binding method.

    If the request from the service provider does not specify a response binding, you need to specify a binding method to use in the response. Select Artifact to provide enhanced security by using a back-channel communication between two servers. Select Post to use HTTP redirection for the communication channel between two servers. If you select Post, you might require the signing of the authentication requests. See Configuring the General Identity Provider Settings.

    The post binding can be configured to be sent as a compressed option as follows:

    1. Click Devices > Identity Servers > Edit > Options > New.

    2. Select IS SAML2 POST INFLATE in Property Type and true in Property Value. This provider will receive deflated SAML2 POST messages from its trusted providers.

    3. Click OK.

    4. Click Devices > Identity Servers > Edit > SAML 2.0 > Service Provider or Identity Provider > Options > New.

    5. Select SAML2 POST DEFLATE TRUSTEDPROVIDERS in Property Type and specify the trusted provider's name, metadata URI, or provider ID in Property Value. You can specify multiple trusted providers in a comma-separated format. These are the trusted providers that expect SAML2 POST messages in deflated format.

    6. Click OK.

    7. Restart Identity Server by using the /etc/init.d/novell-idp restart command.

      For the Docker deployment, perform the following steps:

      1. Run the kubectl get pods command to view the Access Manager pods.

      2. Go to the Identity Server pod by running the kubectl exec --namespace <name-of-the-namespace> -it pod/<name-of-the-identity-server-pod> -- sh command.

      3. Run the /etc/init.d/novell-idp restart or systemctl restart novell-idp.service command.
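    The following Python is an added illustration, not part of this documentation or of the product, of what the INFLATE/DEFLATE settings above mean on the wire: it encodes one SAML POST body both plainly and deflated, and a receiver-side decoder modelled on the IS SAML2 POST INFLATE behaviour inflates with a size cap and rejects a plain body sent by a provider that was not listed in SAML2 POST DEFLATE TRUSTEDPROVIDERS. It assumes the deflated format is raw DEFLATE (RFC 1951) followed by base64, as in the SAML HTTP-Redirect binding; this page does not specify the exact encoding.

```python
import base64
import zlib

# Constructed sample message for illustration; not from any real deployment.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://idp.example.com/idp</saml:Issuer></samlp:Response>'
)

# Bound on inflated size: a receiver that inflates without a limit can be
# tied up by a tiny body that expands to a huge one (decompression bomb).
MAX_INFLATED_BYTES = 256 * 1024


def encode_post_plain(xml: str) -> str:
    """Standard HTTP-POST binding: base64 of the raw XML."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_post_deflated(xml: str) -> str:
    """Deflated variant (assumption: raw DEFLATE, no zlib header, then base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_post(value: str, expect_deflated: bool) -> str:
    """Decode a SAMLResponse form field.

    expect_deflated models the IS SAML2 POST INFLATE property: when true the
    body must be a complete raw-deflate stream no larger than the cap.
    A plain body arriving here (provider not listed as a deflating trusted
    provider) is rejected rather than parsed as garbage.
    """
    raw = base64.b64decode(value, validate=True)
    if not expect_deflated:
        return raw.decode("utf-8")
    d = zlib.decompressobj(-15)
    try:
        out = d.decompress(raw, MAX_INFLATED_BYTES)
    except zlib.error as exc:
        raise ValueError("body is not a valid deflated SAML message") from exc
    if d.unconsumed_tail:
        raise ValueError("inflated SAML message exceeds size limit")
    if not d.eof:
        raise ValueError("truncated or malformed deflate stream")
    return out.decode("utf-8")
```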

  3. Specify the identity formats that Identity Server can send in its response.

    Select one or more of the following options:

    Persistent: Specifies that a persistent identifier, which is written to the directory and remains intact between sessions, can be sent.

    Transient: Specifies that a transient identifier, which expires between sessions, can be sent.

    E-mail: Specifies that an e-mail attribute can be used as the identifier.

    Kerberos: Specifies that a Kerberos token can be used as the identifier.

    X509: Specifies that an X.509 certificate can be used as the identifier.

    Unspecified: Specifies that an unspecified format can be used and any value can be used. The service provider and the identity provider must agree on the value of this identifier.

  4. Click Default to select the name identifier that Identity Server must send if the service provider does not specify a format.

    If you select E-mail, Kerberos, X509, or Unspecified as the default format, you must also select a value. See Step 5.

    IMPORTANT: If you have configured the identity provider to allow a user matching expression to fail and still allow authentication by selecting the Do nothing option, select Transient identifier format as the default value. Otherwise, the users who fail to match the expression are denied access. To view the identity provider configuration, see Defining User Identification for Liberty and SAML 2.0.

  5. Specify the value for the name identifier.

    Persistent and transient formats are generated automatically. For others, select an attribute. Available attributes depend on the attributes that you select to send with authentication (see Configuring the Attributes Obtained at Authentication). If you do not select a value for E-mail, Kerberos, X509, or Unspecified format, a unique value is automatically generated.

  6. To specify that this Identity Server must authenticate the user, deselect Use proxied requests. When the option is not selected and Identity Server cannot authenticate, access is denied.

    When this option is selected, Identity Server verifies if other identity providers can satisfy the request. If yes, the user is allowed to select the identity provider to perform authentication. If a proxied identity provider performs the authentication, it sends the response to Identity Server. Identity Server then sends the response to the service provider.

  7. If you select Include the Session Timeout attribute in the assertion, Identity Server sends its session timeout value to the service provider in the assertion.

  8. Set the assertion validity time for a SAML service provider in Assertion Validity to accommodate clock skew between the service provider and SAML Identity Server (IDP).

  9. Click OK > OK.

  10. Update Identity Server.