Adding Web Service Providers

Adding a service provider includes adding service provider EndPoint URL, configuring trust certificates, selecting token types, and customizing attributes.

Perform the following steps:

  1. On the Home page, click Applications > Select a Cluster > WS-Trust Applications > Service Providers > Plus icon.

  2. Specify the following details:

    Name: Specify a name for the service provider.

    EndPoint: Specify the SOAP endpoint location at the service provider to which SOAP messages are sent.

    Token Type: Select the type of token that the service provider will accept or validate.

    Encrypt Proof Token Using: Import a certificate from the file system or paste content of the certificate here. This certificate must be configured in the web service provider and is used for creating the subject confirmation in the SAML token.

  3. Click Save.

  4. Select the Service Provider to define the Attributes and Authentication Response. For more information, see Modifying Service Providers.

Enabling Delegation and Impersonation

By default, ActAs and OnBehalfOf requests are disabled in the Access Manager Identity Server. To enable delegation and impersonation, you must enable ActAs and OnBehalfOf by performing the following steps:

  1. On the Home page, click Applications > Select a Cluster > WS-Trust Application > Configuration.

  2. Select ActAs and OnBehalfOf operations.

  3. Click Save.

These operations are restricted to the set of privileged user accounts defined in the policy. You must configure which user accounts are allowed to perform ActAs and OnBehalfOf operations. For information, see Adding Policy for ActAs and OnBehalfOf.

Configuring ActAs to Lookup Multiple User Stores

For ActAs, the user name on whose behalf a client requests a token must be present in the user store (eDirectory). The default implementation looks for this user only in the default user store. To search for the user in a different user store, perform the following steps:

  1. On the Home page, click Identity Servers > [cluster name] > Authentication > Classes > Plus icon.

  2. Specify the following details:

    Class Name: Select Custom.

    Java Class Path: Specify com.novell.nidp.authentication.local.UserNameAuthenticationClass.

  3. Click Save.

  4. On the Home page, click Identity Servers > [cluster name] > Authentication > Methods > Plus icon.

  5. Select the Find_By_Username class.

    For information about configuring a method, see Configuring Authentication Methods.

  6. On the Home page, click Applications > Select a Cluster > Application Settings > WS-Trust Applications > STS Configuration and select this method. Move this authentication method to Selected Authentication Methods from Available Authentication Methods.

Adding Policy for ActAs and OnBehalfOf

You must add a policy to allow ActAs and OnBehalfOf operations. To allow multiple users, specify the user names separated by commas. If no value is specified, ActAs and OnBehalfOf requests are denied.

  1. On the Home page, click Identity Servers > [cluster name] > Configuration > Properties.

  2. Click the Plus icon and set the following properties based on your requirement:

    WSTRUST AUTHORIZATION ALLOWED ACTAS VALUES: Specify the user names that can perform ActAs operations. The allowed user names are the user accounts that an intermediate web service provider uses to authenticate with STS when sending a request with ActAs elements.

    WSTRUST AUTHORIZATION ALLOWED ONBEHALF VALUES: Specify the user names that can perform OnBehalfOf operations. The allowed user names are the user accounts that the intermediate web service provider uses to authenticate with STS when sending a request with OnBehalfOf elements.

    WSTRUST AUTHORIZATION ALLOWED VALUES: Specify the user names that can perform both ActAs and OnBehalfOf operations.

  3. Click Save.

  4. Restart Identity Server by running the following command:

    /etc/init.d/novell-idp restart

    After upgrading Access Manager, these properties are reset to their default values. You must reconfigure them after each upgrade.
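The following is an added illustration of the authorization rules described in Enabling Delegation and Impersonation and Adding Policy for ActAs and OnBehalfOf. It is not Access Manager code; it models in Python what the STS must decide for an incoming RequestSecurityToken (RST): whether the request carries an ActAs or OnBehalfOf element, whether delegation is enabled at all, and whether the account the intermediate service authenticated with appears in the relevant allow-list. The property names are used exactly as listed above; the WS-Trust, SAML and WS-Security namespaces are the standard ones; trimming whitespace around the commas and the sample account names are assumptions.

```python
"""Model of the ActAs / OnBehalfOf authorization check (illustration only, not
Access Manager code). Property names are taken as listed on the page; trimming
whitespace around commas is an assumption."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"    # WS-Trust 1.3 (OnBehalfOf)
WST14_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200802"  # WS-Trust 1.4 (ActAs)
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

PROP_ACTAS = "WSTRUST AUTHORIZATION ALLOWED ACTAS VALUES"
PROP_OBO = "WSTRUST AUTHORIZATION ALLOWED ONBEHALF VALUES"
PROP_BOTH = "WSTRUST AUTHORIZATION ALLOWED VALUES"


def _split(value):
    """Comma-separated user names -> set; blanks dropped, whitespace trimmed (assumption)."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}


def parse_policy(properties):
    """Build one allow-list per operation; ALLOWED VALUES grants both operations."""
    both = _split(properties.get(PROP_BOTH))
    return {
        "ActAs": _split(properties.get(PROP_ACTAS)) | both,
        "OnBehalfOf": _split(properties.get(PROP_OBO)) | both,
    }


def delegation_elements(rst_xml):
    """Return the delegation operations an RST carries, as a set of names."""
    root = ET.fromstring(rst_xml)
    ops = set()
    if root.find(f".//{{{WST14_NS}}}ActAs") is not None:
        ops.add("ActAs")
    if root.find(f".//{{{WST_NS}}}OnBehalfOf") is not None:
        ops.add("OnBehalfOf")
    return ops


def authorize(caller, rst_xml, properties, delegation_enabled=True):
    """Decide whether 'caller' (the account the intermediate web service provider
    authenticated with) may submit this RST. Returns (allowed, reason)."""
    ops = delegation_elements(rst_xml)
    if not ops:
        return True, "no delegation requested"
    if not delegation_enabled:
        return False, "ActAs/OnBehalfOf are disabled in the STS configuration"
    policy = parse_policy(properties)
    for op in sorted(ops):
        if caller not in policy[op]:  # an empty allow-list therefore always denies
            return False, f"{caller} is not allowed to perform {op}"
    return True, "allowed: " + ", ".join(sorted(ops))


def build_rst(delegation=None, subject="alice"):
    """Constructed sample RST (Issue request for a SAML 2.0 token), optionally
    carrying an ActAs or OnBehalfOf element that names 'subject'."""
    inner = ""
    if delegation == "ActAs":
        inner = (f'<wst14:ActAs><saml:Assertion xmlns:saml="{SAML_NS}" ID="_sample">'
                 f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
                 f'</saml:Assertion></wst14:ActAs>')
    elif delegation == "OnBehalfOf":
        inner = (f'<wst:OnBehalfOf><wsse:UsernameToken xmlns:wsse="{WSSE_NS}">'
                 f'<wsse:Username>{subject}</wsse:Username></wsse:UsernameToken>'
                 f'</wst:OnBehalfOf>')
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<wst:RequestSecurityToken xmlns:wst="{WST_NS}" xmlns:wst14="{WST14_NS}">'
            f'<wst:RequestType>{WST_NS}/Issue</wst:RequestType>'
            f'<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>'
            f'{inner}</wst:RequestSecurityToken></s:Body></s:Envelope>')


# Constructed property values, as an administrator would enter them in step 2.
SAMPLE_PROPERTIES = {
    PROP_ACTAS: "svc-gateway, svc-portal",
    PROP_OBO: "",            # nobody may use OnBehalfOf except through ALLOWED VALUES
    PROP_BOTH: "svc-admin",
}

if __name__ == "__main__":
    for caller, deleg in [("svc-gateway", "ActAs"), ("svc-portal", "OnBehalfOf"),
                          ("svc-admin", "OnBehalfOf"), ("alice", None)]:
        print(caller, deleg, authorize(caller, build_rst(deleg), SAMPLE_PROPERTIES))
```

The check is deliberately keyed on the authenticated intermediary account, not on the user named inside the ActAs or OnBehalfOf element: the allow-lists restrict who may ask for delegation, while the named user is separately looked up in the user store as described in Configuring ActAs to Lookup Multiple User Stores. With the constructed properties, svc-gateway may use ActAs, svc-portal is refused OnBehalfOf because that list is empty, and svc-admin may use either.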