2.8.11 Configuring Options for Trusted Service Providers

After you create a trusted service provider, you can configure how your Identity Server responds to authentication requests from the service provider.

  1. In Administration Console Dashboard, click Devices > Identity Servers > Edit > SAML 2.0 > [Service Provider] > Authentication Response.

  2. Select the binding method.

    If the request from the service provider does not specify a response binding, you need to specify a binding method to use in the response. Select Artifact to provide an increased level of security by using a back-channel means of communication between the two servers. Select Post to relay the response between the two servers over HTTP through the user's browser. If you select Post, you might want to require the signing of the authentication requests. See Configuring the General Identity Provider Settings.

  3. Specify the identity formats that Identity Server can send in its response. Select the box to choose one or more of the following:

    • Persistent: Specifies that a persistent identifier, which is written to the directory and remains intact between sessions, can be sent.

    • Transient: Specifies that a transient identifier, which expires between sessions, can be sent.

    • E-mail: Specifies that an e-mail attribute can be used as the identifier.

    • Kerberos: Specifies that a Kerberos token can be used as the identifier.

    • X509: Specifies that an X.509 certificate can be used as the identifier.

    • Unspecified: Specifies that the identifier has no particular format and can carry any value. The service provider and the identity provider need to agree on the value that is placed in this identifier.

  4. Use the Default button to select the name identifier that Identity Server must send if the service provider does not specify a format.

    If you select E-mail, Kerberos, X509, or Unspecified as the default format, you must also select a value. See Step 5.

    IMPORTANT: If you have configured the identity provider to allow a user matching expression to fail and still allow authentication by selecting the Do nothing option, you need to select Transient identifier format as the default value. Otherwise the users who fail the matching expression are denied access. To view the identity provider configuration, see Defining User Identification for Liberty and SAML 2.0.

  5. Specify the value for the name identifier.

    The persistent and transient formats are generated automatically. For the others, you can select an attribute. The available attributes depend upon the attributes that you have selected to send with authentication (see Configuring the Attributes Obtained at Authentication). If you do not select a value for the E-mail, Kerberos, X509, or Unspecified format, a unique value is automatically generated.

  6. To specify that this Identity Server must authenticate the user, disable the Use proxied requests option. When the option is disabled and Identity Server cannot authenticate the user, the user is denied access.

    When this option is enabled, Identity Server checks to see if other identity providers can satisfy the request. If one or more can, the user is allowed to select which identity provider performs the authentication. If a proxied identity provider performs the authentication, it sends the response to Identity Server. Identity Server then sends the response to the service provider.

  7. Click OK twice, then update Identity Server.
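As an added example (not from the product documentation and not Identity Server's own code), the following Python models how the settings from Steps 2 to 5 decide the response binding, name identifier format and value for an incoming SAML 2.0 AuthnRequest. The SP_CONFIG dictionary, the plan_response function and the two sample requests are assumptions constructed for illustration; the URIs are the standard SAML 2.0 binding and name identifier format identifiers.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Hypothetical per-service-provider settings mirroring Steps 2 to 5 above.
SP_CONFIG = {
    "binding": ARTIFACT,                                # Step 2: used only if the request names none
    "allowed_formats": {PERSISTENT, TRANSIENT, EMAIL},  # Step 3: formats enabled for this SP
    "default_format": TRANSIENT,                        # Step 4: used if NameIDPolicy is absent
    "format_attribute": {EMAIL: "mail"},                # Step 5: attribute backing each format
}

# Constructed sample requests: one silent on binding and format, one asking for POST + e-mail.
REQ_BARE = f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>'
REQ_EMAIL_POST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" ProtocolBinding="{POST}">'
    f'<samlp:NameIDPolicy Format="{EMAIL}"/></samlp:AuthnRequest>'
)


def plan_response(authn_request_xml, user_attrs, cfg=SP_CONFIG):
    """Decide (binding, nameid_format, nameid_value) for one AuthnRequest; ValueError means deny."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    # Step 2: the request's ProtocolBinding wins; the configured binding is only a fallback.
    binding = root.get("ProtocolBinding") or cfg["binding"]
    if binding not in (ARTIFACT, POST):
        raise ValueError(f"unsupported response binding: {binding}")
    # Steps 3 and 4: honour a requested format only if it is enabled; otherwise use the default.
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    fmt = (policy.get("Format") if policy is not None else None) or cfg["default_format"]
    if fmt not in cfg["allowed_formats"]:
        raise ValueError(f"name identifier format not enabled for this SP: {fmt}")
    # Step 5: persistent/transient are generated; others come from an attribute, else a generated value.
    if fmt in (PERSISTENT, TRANSIENT):
        value = secrets.token_urlsafe(24)
    else:
        value = user_attrs.get(cfg["format_attribute"].get(fmt, ""), "") or secrets.token_urlsafe(24)
    return binding, fmt, value
```

A request that names a format you did not enable in Step 3 is rejected rather than silently downgraded, which is the behaviour you want to confirm when testing a new service provider.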