Identity Server cluster configuration provides a Brokering tab that you can use to configure the groups and generate brokered URLs.
On the Home page, click Identity Servers > [cluster name] > Brokering > Plus icon.
The Display Brokering Groups page displays the following information for each group:
Group Name: Specifies a unique name that identifies the group. Click the name to open the Group Details page, where you can modify the group configuration, such as the name and the lists of Identity Providers and Service Providers.
Enabled: A check mark indicates that brokering is enabled for the group by applying the configured rules. A blank means that brokering is disabled.
Trusted Providers
Trusted IDPs: Displays the total number of SAML 2.0 IDPs assigned to this group.
Trusted SPs: Displays the total number of SAML 2.0 SPs assigned to this group.
Rules: If no rules are configured, “No Rules Config” is displayed. The default rule allows brokering from any IDP to any SP in the group. If rules are configured, the name of the first rule is displayed along with the total number of rules.
When brokering groups are created, the following rules apply:
Brokering is not allowed among different company groups.
Brokering is not allowed between the logical customers of the Company 1 Brokering Group and the Company 2 Brokering Group.
Brokering is allowed among different partners of a company group.
Brokering is allowed between the brokering groups of the Company 1 Brokering Group and the Company 2 Brokering Group.
Role-based brokering is allowed among the Company 1 and Partner 1 logical customers.
Role-based brokering is allowed among the Company 2 and Partner 2 logical customers.
Brokering is allowed among different partners based on the company's role and group authentication.
To create a new broker group, follow these steps:
On the Home page, click Identity Servers > [cluster name] > Brokering > Plus icon.
Specify the following details:
| Field | Description |
|---|---|
| Display Name | Display name of the brokering group. |
| Trusted IDPs | At least one trusted IDP, selected using the edit icon. |
| Trusted SPs | At least one trusted SP, selected using the edit icon. |
| Select Trusted IDPs | Displays the SAML 2.0 trusted Identity Providers configured on the given Identity Provider cluster. |
| Select Trusted SPs | Displays the SAML 2.0 trusted Service Providers configured on the given Identity Provider cluster. |
Click Save to complete creation of the brokering group.
You configure brokering between the trusted identity providers and service providers by defining rules, each with role conditions and an action. You can view the configured rules, create new rules, and edit, delete, enable, or disable existing rules.
You can configure service providers and identity providers for all of the protocols that are configured in the Identity Server cluster. In the brokering group, the selection box lists the available service providers and identity providers. Use the arrow keys to assign trusted identity providers and trusted service providers to the respective brokering group.
On the Home page, click Identity Servers > [cluster name] > Brokering Group Name.
Click Trusted Providers.
Specify the following details:
| Field | Description |
|---|---|
| Display Name | Name of the brokering group being configured. |
| Trusted IDPs | Configure the selected Identity Providers using the edit icon. |
| Select Trusted IDPs | Select the available trusted Identity Providers and click Done. |
| Trusted SPs | Configure the selected Service Providers using the edit icon. |
| Select Trusted SPs | Select the available trusted Service Providers and click Done. |
Click Save. The configured service providers and identity providers are then displayed on the Brokering page.
On the Home page, click Identity Servers > [cluster name] > Brokering > Rules.
Click the existing or newly created Brokering Group.
| Field | Description |
|---|---|
| Rule Name | Displays the name of the brokering group rule. |
| Enabled | Displays whether the brokering group rule is enabled. |
| Identity Providers | Displays the number of Identity Providers configured for the brokering group. |
| Service Providers | Displays the number of Service Providers configured for the brokering group. |
| Rule Priority | Displays the priority number of the brokering group rule. |
| Actions | Displays the configured action of the brokering group rule, Permit or Deny. |
| Role Conditions | Displays the brokering group's role conditions, such as manager and employee, configured on the rule page. |
Click Done > Save.
On the Home page, click Identity Servers > [cluster name] > Brokering.
Click the existing or newly created Brokering Group hyperlink.
Click Rules > Plus icon.
Rule Name: Specify the name of the rule.
Rule Priority: Select the rule priority from the list.
NOTE: The default rule specified during creation of the group has a priority of 1. Additional rules can be added, and existing rules can be deleted or modified. You can use the Edit Rules page to modify the priority of the rules.
Enabled: Displays the status of the brokering group rule.
The following IDPs: Displays all Identity Servers that are available in the group.
The following SPs: Displays all service providers that are available in the group.
Role Conditions: Displays the brokering group role condition such as manager and employee configured on the rule page.
Actions: Select the Permit or Deny action for the rule you are configuring for the brokering group.
NOTE: By default, Access Manager allows any role. To allow access to only particular roles, configure a Permit rule for those roles with a higher priority, and a Deny rule in which no roles are defined (role condition Any) with a lower priority.
Click Done to complete configuration of rules for the brokering group.
On the Home page, click Identity Servers > [cluster name] > Brokering > (Brokering Group in the Brokering Group list) > Rules.
Select the brokering group rule you want to delete, and click Delete.
Click Save.
On the Home page, click Identity Servers > [cluster name] > Brokering > (Brokering Group in the Brokering Group list) > Rules.
Select the brokering group rule you want to enable.
Select Enabled > Done > Save.
On the Home page, click Identity Servers > [cluster name] > Brokering > (Brokering Group in the Brokering Group list) > Rules.
Select the brokering group rule you want to disable from the brokering group rule configuration.
Deselect Enabled > Done > Save.
On the Home page, click Identity Servers > [cluster name] > Brokering.
Click the existing or newly created brokering group.
Click Rules.
Select the brokering group rule you want to edit.
You can edit all fields. For information about creating a brokering rule, see Creating a Brokering Rule.
You can generate a login URL for a selected Origin identity provider and allowed service provider.
On the Home page, click Identity Servers > [cluster name] > Brokering.
Click the existing or newly created brokering group.
Click Construct URL.
IDP Type: Select the Identity Provider type. The options are Local IDP, Access Manager IDP, and Other IDP. If you select Access Manager IDP, you can select the Origin IDP from the list. If you select Other IDP, you can enter the Origin IDP URL and select the Origin IDP from the list.
Origin IDP: The Origin identity providers are the trusted providers. The list displays all trusted providers created for the specific Access Manager brokering group. Select the Origin IDP.
NOTE: When a local Identity Server exists as a trusted provider, the Origin IDP list does not show any trusted providers. To resolve this, add another Identity Server to the Access Manager brokering group.
Origin IDP URL: If you select Other IDP as the IDP type, you can enter the Origin IDP URL manually. The <OriginIDPURL> has the form protocol://domain:port/path?querystring.
Provider Parameter Name: If you select Other IDP as the IDP Type, you can enter the trusted provider parameter ID. For more information about Intersite Transfer Service target for a service provider, see Configuring an Intersite Transfer Service Target for a Service Provider.
Target Parameter Name: If you select Other IDP as the IDP type, you can enter the target provider parameter name manually.
Allowed SP: The allowed service providers are the selected service providers of the trusted providers. The drop-down list displays all the service providers created for the specific brokering group. Select the service providers from the drop-down list.
Target URL: Specify the target URL for the specific trusted provider and service provider pair. This URL is appended to the login URL. Click Generate to generate the login URL.
Login URL: The login URL consists of Origin IDP URL and the target URL.
Click Cancel to close the Construct URL page.
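The following Python function is an added illustration of how the login URL described above is assembled; it is not Access Manager code and does not reproduce the product's exact URL format. It shows the two points a practitioner has to get right when appending to an Origin IDP URL of the form protocol://domain:port/path?querystring: the existing querystring must be preserved and the embedded target URL percent-encoded, and the target URL should be checked against the allowed SP before it is embedded. The parameter names `id` and `target`, the host names, the function names `construct_login_url`, `target_is_allowed` and `parse_login_url`, and the https-only check are this example's own assumptions, not values from the page.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values for this example (not taken from the product):
# an Origin IDP URL that already carries a querystring, and the base URL of
# the allowed SP under which any target URL must sit.
SAMPLE_ORIGIN_IDP_URL = "https://idp.example.com:8443/nidp/app?sid=0"
SAMPLE_ALLOWED_SP_BASE = "https://sp1.example.com/"


def target_is_allowed(target_url, allowed_sp_base):
    """True if target_url lives under the allowed SP's base URL.

    Scheme and host are compared component-wise rather than by string
    prefix, so "https://sp1.example.com.evil.test/app" does not pass for
    an allowed base of "https://sp1.example.com/".
    """
    target = urlsplit(target_url)
    base = urlsplit(allowed_sp_base)
    return ((target.scheme, target.netloc) == (base.scheme, base.netloc)
            and target.path.startswith(base.path))


def construct_login_url(origin_idp_url, provider_param, provider_id,
                        target_param, target_url, allowed_sp_base):
    """Build the login URL: Origin IDP URL plus provider and target parameters.

    origin_idp_url  -- protocol://domain:port/path?querystring (query optional)
    provider_param  -- the Provider Parameter Name entered on the form
    provider_id     -- the trusted provider parameter ID
    target_param    -- the Target Parameter Name entered on the form
    target_url      -- the Target URL for this Origin IDP / allowed SP pair
    allowed_sp_base -- base URL of the allowed SP (assumption of this example)
    """
    origin = urlsplit(origin_idp_url)
    if origin.scheme != "https":          # assumption: brokered logins are https only
        raise ValueError("Origin IDP URL must use https")
    if not target_is_allowed(target_url, allowed_sp_base):
        raise ValueError("target URL is not under the allowed SP")
    # Keep whatever querystring the Origin IDP URL already has and append the
    # two brokering parameters. urlencode percent-encodes the embedded target
    # URL, so its own '?', '&' and '=' cannot be misparsed by the IDP.
    query = parse_qsl(origin.query, keep_blank_values=True)
    query += [(provider_param, provider_id), (target_param, target_url)]
    return urlunsplit((origin.scheme, origin.netloc, origin.path,
                       urlencode(query), origin.fragment))


def parse_login_url(login_url):
    """Decode a generated login URL back into its query parameters."""
    return dict(parse_qsl(urlsplit(login_url).query, keep_blank_values=True))


if __name__ == "__main__":
    url = construct_login_url(SAMPLE_ORIGIN_IDP_URL, "id", "sp1-entity",
                              "target", "https://sp1.example.com/app?x=1",
                              SAMPLE_ALLOWED_SP_BASE)
    print(url)
    print(parse_login_url(url))
```

Decoding the generated URL with `parse_login_url` is a quick way to confirm that the target URL survives the round trip intact, which is what breaks when it is concatenated without encoding.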
The Rule Validation page helps you validate the rules for an Origin identity provider and allowed service provider pair according to the role associated with the respective trusted partners.
On the Home page, click Identity Servers > [cluster name] > Brokering.
Click the existing or newly created brokering group hyperlink.
Click the Rule Validation tab.
Origin IDP: The Origin identity providers are the trusted providers. The list displays all trusted providers created for an Access Manager brokering group.
Allowed SP: Allowed SPs are the selected service providers of trusted providers. The list displays all service providers created for a brokering group.
Role: Specify the role you want to validate for the selected Origin identity trusted providers and allowed SP. Click Validate Rule.
Name: Displays the role name of the selected trusted providers.
Identity Providers: Displays the identity provider name.
Service Providers: Displays the service provider name.
Priority: Displays, in ascending order, the priority number of each rule evaluated for the selected trusted providers.
Action: Displays the action (Permit or Deny) of each rule evaluated for the selected trusted providers.
Role Conditions: Displays the role conditions for the selected trusted providers rule validation. Denial takes precedence over Permit.
Evaluated State: Displays the evaluated state of each rule for the selected trusted providers. The following states are possible:
Pass 1: The rule matches the Origin identity provider and allowed service provider, and its role condition is Any (no specific role).
Pass 2: The rule matches the Origin identity provider and allowed service provider, and a specific role mentioned in the rule.
Ignored: The rule matches neither the Pass 1 nor the Pass 2 condition.
Not Executed: The default state of all rules before evaluation.
NOTE: If a rule has the evaluated state Pass 1 and the action Deny, the remaining rules stay in the Not Executed state.
After a rule has the evaluated state Pass 2, regardless of its action, the remaining rules stay in the Not Executed state.
The rules before the Pass 1 rule must have the evaluated state Ignored. All these ignored rules must have the role condition Any, without any specific role condition.
Pass 1 evaluation stops as soon as a match for the Origin identity provider and allowed service provider that is specific to some role condition is found.
Click Cancel to close the Rule Validation page.
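The evaluation described on the Rule Validation page, as an added Python model (not Access Manager code): rules are evaluated in ascending priority; a rule whose IDP and SP match with role condition Any is Pass 1 and stops evaluation only when its action is Deny; a rule whose IDP, SP and a specific role match is Pass 2 and stops evaluation whatever its action; any rule that matches neither is Ignored and untouched rules remain Not Executed. Because a Pass 1 Permit does not stop evaluation, a later Deny takes precedence over it. The sample rules follow the note on rule creation (Permit for a particular role at higher priority, Deny with no roles at lower priority). The class and function names, the sample IDP, SP and rule names, the skipping of disabled rules and the treatment of "no rule matched" as Deny are assumptions of this example.

```python
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"


@dataclass(frozen=True)
class BrokeringRule:
    """One rule of a brokering group (field names are this example's own)."""
    name: str
    priority: int        # 1 = evaluated first; the default rule has priority 1
    idps: frozenset      # Origin IDPs the rule applies to
    sps: frozenset       # allowed SPs the rule applies to
    roles: frozenset     # empty set = role condition Any
    action: str          # PERMIT or DENY
    enabled: bool = True


def validate_rule(rules, origin_idp, allowed_sp, role):
    """Evaluate the rules for one Origin IDP / allowed SP / role triple.

    Returns (decision, states): decision is PERMIT or DENY, and states maps
    each rule name to "Pass 1", "Pass 2", "Ignored" or "Not Executed".
    """
    states = {r.name: "Not Executed" for r in rules}
    decision = None
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled:
            continue  # assumption: a disabled rule is simply skipped
        if origin_idp not in rule.idps or allowed_sp not in rule.sps:
            states[rule.name] = "Ignored"
            continue
        if not rule.roles:
            # IDP and SP match and the role condition is Any: Pass 1.
            states[rule.name] = "Pass 1"
            if rule.action == DENY:
                decision = DENY   # Pass 1 with Deny: remaining rules not executed
                break
            decision = PERMIT     # keep evaluating; a later Deny takes precedence
            continue
        if role in rule.roles:
            # IDP, SP and a specific role match: Pass 2 ends evaluation
            # regardless of the action.
            states[rule.name] = "Pass 2"
            decision = rule.action
            break
        states[rule.name] = "Ignored"  # role-specific rule for some other role
    if decision is None:
        decision = DENY  # assumption: no matching rule means no brokering
    return decision, states


# Constructed sample group: Permit for a particular role at higher priority,
# then a Deny with no roles (role condition Any) at lower priority.
SAMPLE_RULES = (
    BrokeringRule("permit-managers", 1, frozenset({"partner1-idp"}),
                  frozenset({"company1-sp"}), frozenset({"manager"}), PERMIT),
    BrokeringRule("deny-everyone-else", 2, frozenset({"partner1-idp"}),
                  frozenset({"company1-sp"}), frozenset(), DENY),
)


if __name__ == "__main__":
    for role in ("manager", "employee"):
        decision, states = validate_rule(SAMPLE_RULES, "partner1-idp",
                                         "company1-sp", role)
        print(role, decision, states)
```

Running the sample for the role manager yields Permit with the first rule at Pass 2 and the second Not Executed; for the role employee the first rule is Ignored and the second reaches Pass 1 with Deny, which is the restriction the rule-creation note describes.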