Configuring Assertion Issuers

An assertion issuer is an identity provider that issues an assertion.

  1. Click Devices > Identity Server cluster > OAuth & OpenID Connect > Assertion Issuers.

  2. Click the Add Assertion Issuer icon.

  3. (Conditional) If you want to add an assertion issuer that already exists as a trusted identity provider under SAML 2, WS-Trust, or WS Federation, click Import Configuration from Existing IDP.

    Some of the fields specified in Step 5 are auto-populated. You can modify these values if required and specify values for the remaining fields.

    NOTE: In an assertion, a user is identified based on the SAML 2 name identifier and not on the SAML 2 attributes. You must configure the name identifier for the required Assertion Issuer.

  4. (Conditional) To use a self-issued assertion (an assertion generated by a client application), click Create New Assertion Issuer.

  5. Specify the following details:

    • Issuer Name: The name of the identity provider that generates the assertion.

    • Entity ID: The entity ID that identifies the identity provider.

    • Audience Alias: This is used for identifying the intended audience. The authorization server’s token endpoint is the intended audience by default. If the assertion does not contain the Identity Server’s token endpoint as the audience, you can configure an audience alias. The default value is https://<DNS name>:8443/nidp/oauth/nam/token.

    • Issuer Signing Certificate: This gets auto-populated if you have imported an existing trusted identity provider’s configuration. If you are creating an assertion issuer, click Upload Certificate to upload the signing certificate used by the identity provider.

      NOTE: If there are multiple certificates available for the trusted identity provider, the first certificate is imported.

    • Selected UserStores: This is used for identifying the users in an assertion. You can choose a list of user stores from the available list.

  6. Select the required name identifiers in the assertion.

    • Persistent: Select this option if the assertion includes the name identifier in the persistent format. You can choose the required LDAP attribute that is used as the persistent value in the assertion.

      NOTE: Access Manager supports only an LDAP attribute as the persistent value.

    • Email: Select this option if the assertion includes the name identifier in email format. You can choose the required LDAP attribute that is used as the email value in the assertion.

    • Unspecified: Select this option if the assertion includes the name identifier in unspecified format. You can choose the required LDAP attribute that can be used as the unspecified value in the assertion.
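
The following added example (not part of this guide or of Access Manager itself) shows, in Python, the checks that the Step 5 and Step 6 settings imply when an assertion arrives at the token endpoint: the Issuer must match the configured Entity ID, the audience must name the token endpoint or the Audience Alias, the validity window must hold, and the user is located only through the NameID whose format was enabled in Step 6. The entity ID, token endpoint host, alias, LDAP attribute names and the sample assertion are all constructed; XML signature verification against the Issuer Signing Certificate is assumed to have happened beforehand and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Hypothetical issuer configuration mirroring the Step 5 and Step 6 fields (all values constructed).
ISSUER_CONFIG = {
    "entity_id": "https://idp.example.com/saml2/metadata",  # Entity ID of the trusted IdP
    "audiences": {"https://nam.example.com:8443/nidp/oauth/nam/token",  # token endpoint (default audience)
                  "urn:example:nam-audience-alias"},  # Audience Alias
    # name identifier formats enabled in Step 6 -> LDAP attribute each one maps to
    "name_id_attrs": {"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "guid",
                      "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "mail",
                      UNSPECIFIED: "cn"},
}

def _ts(value):  # parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, config, now=None):
    """Return (ldap_attribute, name_id_value) for an acceptable assertion, else raise ValueError.
    Assumes the XML signature was already verified against the Issuer Signing Certificate."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["entity_id"]:
        raise ValueError(f"untrusted issuer: {issuer}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if "NotBefore" in cond.attrib and now < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = {(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if not audiences & config["audiences"]:  # neither the token endpoint nor the alias is named
        raise ValueError(f"audience mismatch: {sorted(audiences)}")
    # The user is identified by the NameID, not by SAML attributes (NOTE in Step 3).
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("missing NameID")
    fmt = name_id.get("Format", UNSPECIFIED)  # no Format attribute means unspecified (SAML 2.0)
    if fmt not in config["name_id_attrs"]:
        raise ValueError(f"name identifier format not enabled: {fmt}")
    return config["name_id_attrs"][fmt], name_id.text.strip()

# Constructed, unsigned sample assertion for the checks above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
<saml:Issuer>https://idp.example.com/saml2/metadata</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"><saml:AudienceRestriction><saml:Audience>urn:example:nam-audience-alias</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""
```

The returned pair (here `("mail", "alice@example.com")`) is what a lookup against the Selected UserStores would use to find the user.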

For information about requesting a token, see the NetIQ Access Manager 5.0 Administration API Guide.