5.11.3 Managing WS Federation Providers

The WS Federation page allows you to create or edit trusted identity providers and trusted service providers. When you create an identity provider configuration, you are configuring Identity Server to be a WS Federation resource partner: it consumes the tokens that the trusted identity provider issues. When you create a service provider configuration, you are configuring Identity Server to be a WS Federation account partner: it authenticates users and issues tokens to the trusted service provider.

  1. Click Devices > Identity Servers > Edit > WS Federation.

  2. Select one of the following actions:

    New: Launches the Create Trusted Identity Provider Wizard or the Create Trusted Service Provider Wizard, depending on your selection. For more information, see Creating an Identity Provider for WS Federation or Creating a Service Provider for WS Federation.

    Delete: Deletes the selected provider. Unlike Disable, this action removes the definition itself.

    Enable: Enables the selected provider.

    Disable: Disables the selected provider. When the provider is disabled, the server does not load the definition. However, the definition is not deleted.

    Modify: Click the name of a provider. For more information, see Modifying a WS Federation Identity Provider or Modifying a WS Federation Service Provider.

  3. Click OK.

  4. Update Identity Server.

Creating an Identity Provider for WS Federation

To set up a trust relationship, configure the ADFS server as an identity provider for Identity Server.

  1. Click Devices > Identity Servers > Edit > WS Federation.

  2. Click New, select Identity Provider, then specify the following details:

    Field

    Description

    Name

    Specify a name that identifies the identity provider, such as Adatum.

    Provider ID

    Specify the federation service URI of the identity provider. For example, urn:federation:adatum.

    Sign-on URL

    Specify the login URL. For example, https://adfsaccount.adatum.com/adfs/ls/.

    Logout URL

    Specify the logout URL. For example, https://adfsresource.treyresearch.net/adfs/ls/

    Identity Provider

    Specify the path to the signing certificate of the ADFS server.

  3. Confirm the certificate and click Next. Check that the subject and fingerprint match the signing certificate published by the ADFS administrator, because this is the certificate Identity Server uses to verify the tokens that the identity provider issues.

  4. For the authentication card, specify the following values:

    Field

    Description

    ID

    Leave this field blank.

    Text

    Specify a description. This is shown when a user hovers the mouse over the card.

    Image

    Select an image, such as Customizable, or any other image.

    Show Card

    Select this option to display the card as a login option.

  5. Click Finish.

For information about additional configuration steps required to use this identity provider, see Using the ADFS Server as an Identity Provider for an Access Manager Protected Resource.

Using Access Manager as a WS Federation Identity Provider and Consumer

NOTE: Use this configuration only in the test environment and not in the production environment.

  1. Click Devices > Identity Servers > Edit > WS Federation.

  2. Click New > Identity Provider, then specify the following details:

    Field

    Description

    Name

    Specify a name that identifies the identity provider.

    Provider ID

    https://240onbox.nam.example.com:8443/nidp/wsfed/

    Sign-on URL

    https://240onbox.nam.example.com:8443/nidp/wsfed/ep

    Logout URL

    https://240onbox.nam.example.com:8443/nidp/wsfed/loreply

  3. Upload the test-signing certificate of the trusted identity provider.

    (Dashboard > Certificates > test-signing > Export Public Certificate > DER File > test-signing)

  4. Click Next.

  5. For the authentication card, specify the following values:

    Field

    Description

    ID

    Specify an alphanumeric value. This value is persistent.

    If you do not assign a value, Identity Server creates an internal value that keeps changing whenever you restart Identity Server.

    Text

    Specify a description to help a user understand the authentication method of the card.

    This description is displayed when the user hovers over the authentication card.

    Image

    Select an image.

    Show Card

    Select this option to display the card as a login option.

  6. Click Finish.

Creating a Service Provider for WS Federation

To establish a trusted relationship with the ADFS server, you need to set up the ADFS server as a service provider. The trusted relationship allows the service provider to trust Identity Server for user authentication credentials.

  1. Click Devices > Identity Servers > Edit > WS Federation > New > Service Provider.

  2. Specify the following details:

    Field

    Description

    Name

    Specify a name that identifies the service provider, such as TreyResearch.

    Provider ID

    Specify the provider ID of the ADFS server. The default value is urn:federation:treyresearch.

    Sign-on URL

    Specify the URL that the user is redirected to after login. The default value is https://adfsresource.treyresearch.net/adfs/ls/.

    Logout URL

    (Optional) Specify the URL that the user can use for logging out. The default value is https://adfsresource.treyresearch.net/adfs/ls.

    Service Provider

    Specify the path to the signing certificate of the ADFS server.

  3. Click Next, confirm the certificate, and click Finish.

For more information, see Using Identity Server as an Identity Provider for ADFS.

Using Access Manager as a WS Federation Service Provider

NOTE: Use this configuration only in a test environment and not in a production environment.

  1. Click Devices > Identity Servers > Edit > WS Federation > New > Service Provider.

  2. Specify the following details:

    Field

    Description

    Name

    Specify a name that identifies the service provider.

    Provider ID

    https://240onbox.nam.example.com:8443/nidp/wsfed/

    Sign-on URL

    https://240onbox.nam.example.com:8443/nidp/wsfed/ep

    Logout URL

    https://240onbox.nam.example.com:8443/nidp/wsfed/loreply

  3. Upload the test-signing certificate.

    (Dashboard > Certificates > test-signing > Export Public Certificate > DER File > test-signing.)

  4. Click Next, confirm the certificate, and click Finish.
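The following added example (illustration only, not Access Manager or ADFS code) shows what the Name, Provider ID, Sign-on URL, Logout URL and Enable/Disable settings from the two service provider procedures above mean on the wire. The service provider sends a WS-Federation passive sign-in request whose wtrealm is its Provider ID; the identity provider looks that realm up in its trusted service provider list and refuses requests for unknown or disabled definitions. The parameter names wa, wtrealm, wreply, wctx and wauth are the standard WS-Federation query parameters; the class and function names, the "AccessManagerTest" entry name, and the rule that an explicit wreply must share the origin of the configured Sign-on URL are assumptions made for this example, not documented product behaviour.

```python
from dataclasses import dataclass, replace
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class TrustedServiceProvider:
    """One entry on the WS Federation page, as created by New > Service Provider."""
    name: str
    provider_id: str           # Provider ID: the realm the SP sends as wtrealm
    sign_on_url: str           # Sign-on URL: where the token is posted after login
    logout_url: Optional[str]  # Logout URL: where sign-out is sent (optional)
    enabled: bool = True       # toggled by Enable / Disable on the same page


# Registry keyed by Provider ID, filled with the values shown on this page.
TRUSTED_SPS = {
    sp.provider_id: sp
    for sp in (
        TrustedServiceProvider(
            "TreyResearch",
            "urn:federation:treyresearch",
            "https://adfsresource.treyresearch.net/adfs/ls/",
            "https://adfsresource.treyresearch.net/adfs/ls",
        ),
        TrustedServiceProvider(
            "AccessManagerTest",  # assumed name for the test-environment entry
            "https://240onbox.nam.example.com:8443/nidp/wsfed/",
            "https://240onbox.nam.example.com:8443/nidp/wsfed/ep",
            "https://240onbox.nam.example.com:8443/nidp/wsfed/loreply",
        ),
    )
}

# Sign-on URL of the identity provider the SP redirects the browser to
# (the Adatum ADFS example from the identity provider table on this page).
IDP_SIGN_ON_URL = "https://adfsaccount.adatum.com/adfs/ls/"


def set_enabled(registry, provider_id, enabled):
    """Enable or Disable a definition without deleting it (returns a new registry)."""
    updated = dict(registry)
    updated[provider_id] = replace(registry[provider_id], enabled=enabled)
    return updated


def build_signin_request(realm, wreply=None, wctx=None, wauth=None):
    """SP side: the passive-requestor sign-in redirect. wtrealm carries the
    SP's Provider ID; wauth (optional) names the authentication type wanted."""
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if wreply:
        params["wreply"] = wreply
    if wctx:
        params["wctx"] = wctx
    if wauth:
        params["wauth"] = wauth
    return IDP_SIGN_ON_URL + "?" + urlencode(params)


def _same_origin(url_a, url_b):
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def resolve_signin_request(request_url, registry=TRUSTED_SPS):
    """IdP side: match an incoming sign-in request to a trusted SP definition.
    Returns (provider, details) or raises ValueError when the request must be
    refused."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    if query.get("wa") != "wsignin1.0":
        raise ValueError(f"unsupported action wa={query.get('wa')!r}")
    realm = query.get("wtrealm")
    sp = registry.get(realm)
    if sp is None:
        raise ValueError(f"no trusted service provider with Provider ID {realm!r}")
    if not sp.enabled:
        raise ValueError(f"service provider {sp.name} is disabled")
    # Assumed policy for this example (not a documented product setting): an
    # explicit wreply must share the origin of the configured Sign-on URL, or
    # the signed token would be posted to a location the SP never registered.
    reply_to = query.get("wreply", sp.sign_on_url)
    if not _same_origin(reply_to, sp.sign_on_url):
        raise ValueError(f"wreply {reply_to!r} is not under {sp.sign_on_url!r}")
    return sp, {"reply_to": reply_to, "wctx": query.get("wctx"),
                "wauth": query.get("wauth")}
```

The practical point is the lookup key: the realm in the request must be byte-for-byte the Provider ID you typed into the wizard (the trailing slash in https://240onbox.nam.example.com:8443/nidp/wsfed/ matters), and a disabled definition is kept but not served.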

Contracts Assigned to a WS Federation Service Provider

During federation, when a service provider initiates an authentication request, the request may not identify a contract. If no contract information is available, Identity Server executes the default contract to authenticate the user. You can use the Step Up Authentication contracts option to assign a specific contract to a service provider for such scenarios.

The following scenario helps you understand the execution of contracts that are assigned to a WS Federation service provider:

Figure 5-17 Step-up authentication example with two applications

Two web applications, Payroll Portal and HR Portal, are protected through different service providers that use Access Manager Identity Server as their identity provider. A user should authenticate with the name/password form contract when accessing the HR application and with the higher-level X509 contract when accessing the Payroll application. Identity Server can execute the contract assigned to the requesting service provider instead of executing the default contract.

Perform the following steps to assign a specific contract to a service provider:

  1. Click Devices > Identity Servers > Edit > WS Federation.

  2. Click the configured service provider.

  3. Go to Options > Step Up Authentication contracts and select the contracts from the Available contracts list.

NOTE: With service provider (SP) initiated login from a WS Federation SP, the values the SP sends in the WS Federation authentication request (such as the requested authentication type in the wauth parameter) can affect which Access Manager contract is selected. For the login to succeed, the URI of your Access Manager contract must match the value sent by the service provider.
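The following added example (not product code) walks through the contract selection this section describes for the Payroll Portal / HR Portal scenario of Figure 5-17, and through the failure the note above warns about. The selection order it implements is this example's reading of the section: a wauth value sent by the SP must match a contract URI, otherwise the SP's assigned step-up contract is used, otherwise the server default. The contract names name/password-form and X509 come from the page; the contract URIs, the authentication levels, the two realm identifiers and all function names are assumptions made for the example.

```python
# Contracts on this Identity Server: name -> (contract URI, authentication level).
# Names follow the page; the URIs and levels are assumed values for the example.
CONTRACTS = {
    "name/password-form": ("urn:oasis:names:tc:SAML:1.0:am:password", 10),
    "X509": ("urn:oasis:names:tc:SAML:1.0:am:X509-PKI", 20),
}
DEFAULT_CONTRACT = "name/password-form"  # executed when nothing more specific applies

# Step Up Authentication contracts assigned per WS Federation service provider
# (Options > Step Up Authentication contracts), keyed by Provider ID. The two
# realms are invented to stand for the HR and Payroll service providers.
STEP_UP_CONTRACTS = {
    "urn:federation:hr-portal": "name/password-form",
    "urn:federation:payroll-portal": "X509",
}


def required_contract(realm, wauth=None):
    """Contract the request calls for. Order used by this example: an explicit
    wauth from the SP, then the SP's assigned step-up contract, then the default."""
    if wauth is not None:
        for name, (uri, _level) in CONTRACTS.items():
            if uri == wauth:
                return name
        # The failure the NOTE warns about: the SP requested an authentication
        # type that no Access Manager contract URI matches, so login cannot proceed.
        raise ValueError(f"no contract URI matches wauth={wauth!r}")
    return STEP_UP_CONTRACTS.get(realm, DEFAULT_CONTRACT)


def contract_to_execute(session_contracts, realm, wauth=None):
    """Return the contract Identity Server must run now, or None when a contract
    of at least the required level has already been satisfied in this session
    (this is the step-up: stronger contracts cover weaker ones, not vice versa)."""
    needed = required_contract(realm, wauth)
    needed_level = CONTRACTS[needed][1]
    have = max((CONTRACTS[c][1] for c in session_contracts), default=-1)
    return None if have >= needed_level else needed


def walk_scenario():
    """The Figure 5-17 flow in one session: HR first (password), then Payroll
    (X509 step-up), then HR again (already satisfied by the X509 login)."""
    session, trace = [], []
    for realm in ("urn:federation:hr-portal",
                  "urn:federation:payroll-portal",
                  "urn:federation:hr-portal"):
        run = contract_to_execute(session, realm)
        trace.append((realm, run))
        if run:
            session.append(run)
    return trace
```

The scenario ends with no re-authentication on the second HR visit because the session already holds a higher-level contract; the reverse order (Payroll after a password-only HR login) forces the X509 contract, and an unmatched wauth value fails before any contract runs.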