Configuring the Liberty Authentication Response

After creating a trusted service provider, configure how Identity Server responds to authentication requests from a service provider.

  1. Click Devices > Identity Servers > Edit > Liberty > [Service Provider] > Authentication Response.

  2. Select the binding method.

    Specify the binding method that Identity Server uses in its response when a request from a service provider does not specify a response binding. Select Artifact for enhanced security; it uses a back-channel means of communication between the two servers. Select Post to use HTTP redirection for the communication channel between the two servers. If you select Post, you might want to require the signing of authentication requests. See Configuring the General Identity Provider Settings.

  3. Specify the identity formats that Identity Server can send in its response. Select Use to choose one or more of the following options:

    • Persistent Identifier Format: Specifies a persistent identifier that federates the user profile on the identity provider with the user profile on the service provider. It remains intact between sessions.

    • Transient Identifier Format: Specifies that a transient identifier, which expires between sessions, can be sent.

    If the request from a service provider requests a format that is not enabled, the user cannot authenticate.

  4. Use the Default button to specify whether a persistent or transient identifier is sent when the request from the service provider does not specify a format.

  5. To specify that this Identity Server must authenticate the user, deselect Use proxied requests. When the option is disabled and Identity Server cannot authenticate the user, access is denied.

    When this option is enabled, Identity Server checks if other identity providers can satisfy the request. If one or more can, the user is allowed to select which identity provider performs the authentication. If a proxied identity provider performs the authentication, it sends the response to Identity Server. Identity Server then sends the response to the service provider.

  6. Select Provide Discovery Services if you want to allow the service provider to query Identity Server for a list of its web services. For example, when the option is enabled, the service provider can determine whether the Web Services Framework is enabled and which web service provider profiles are enabled.

  7. Click OK > OK.

  8. Update Identity Server.
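
The following added example (not product code and not part of the original documentation) models how the settings from steps 2 through 5 combine to decide the outcome of a single request. All class, field and function names are hypothetical, the sample requests are constructed, and trying local authentication before proxying is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

PERSISTENT, TRANSIENT = "persistent", "transient"

@dataclass
class AuthnResponseConfig:                # hypothetical model of the settings page
    binding: str = "Artifact"             # step 2: used when the request names no binding
    enabled_formats: set = field(default_factory=lambda: {PERSISTENT})  # step 3: "Use"
    default_format: str = PERSISTENT      # step 4: "Default"
    use_proxied_requests: bool = False    # step 5

@dataclass
class AuthnRequest:                       # constructed stand-in for a service provider request
    binding: Optional[str] = None
    name_id_format: Optional[str] = None

def resolve(cfg, req, local_can_authenticate, proxied_idps=()):
    """Return (outcome, response_binding, identifier_format) for one request."""
    # Step 3: a requested format that is not enabled means the user cannot authenticate.
    if req.name_id_format and req.name_id_format not in cfg.enabled_formats:
        return ("denied: requested identifier format is not enabled", None, None)
    # Step 4: the default applies only when the request names no format.
    fmt = req.name_id_format or cfg.default_format

    # Step 5. Assumption: Identity Server authenticates the user itself when it can.
    if local_can_authenticate:
        outcome = "authenticated by Identity Server"
    elif cfg.use_proxied_requests and proxied_idps:
        # The user selects one provider; its response is relayed by Identity Server.
        outcome = "proxied: user selects from " + ", ".join(proxied_idps)
    else:
        return ("denied: Identity Server cannot authenticate the user", None, None)

    # Step 2: the configured binding is only a fallback for requests without one.
    return (outcome, req.binding or cfg.binding, fmt)

if __name__ == "__main__":
    strict = AuthnResponseConfig()
    proxying = AuthnResponseConfig(enabled_formats={PERSISTENT, TRANSIENT},
                                   default_format=TRANSIENT, use_proxied_requests=True)
    samples = [
        (strict, AuthnRequest(), True, ()),
        (strict, AuthnRequest(name_id_format=TRANSIENT), True, ()),
        (strict, AuthnRequest(binding="Post"), False, ("idp-b",)),
        (proxying, AuthnRequest(binding="Post"), False, ("idp-b", "idp-c")),
    ]
    for cfg, req, local_ok, idps in samples:
        print(resolve(cfg, req, local_ok, idps))
```

The second and third sample requests show the two denial paths: a transient identifier requested while only persistent is enabled, and a user Identity Server cannot authenticate while Use proxied requests is deselected.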