Adding Web Service Providers

Adding a service provider includes adding service provider EndPoint URL, configuring trust certificates, selecting token types, and customizing attributes.

Perform the following steps:

  1. Click Devices > Identity Servers > Edit > WS-Trust > Service Provider Domain.

  2. Select the domain under which you want to configure a service provider.

  3. Click Service Provider > New.

  4. Specify the following details:

    Name: Specify a name for the service provider.

    Endpoint: Specify the SOAP endpoint location at the service provider to which SOAP messages are sent.

    Token Type: Select the type of token that the service provider will accept or validate.

    Encrypt Proof Token Using: Import a certificate from the file system or paste the content of the certificate here. This certificate must be configured in the web service provider and is used for creating the subject confirmation in the SAML token.

  5. Click Finish.

  6. Select the Service Provider to define the Attributes and Authentication Response. For more information, see Modifying Service Providers.

Enabling Delegation and Impersonation

By default, ActAs and OnBehalfOf requests are disabled in the Access Manager Identity Server. To enable delegation and impersonation, you must enable ActAs and OnBehalfOf by performing the following steps:

  1. Go to WS-Trust > Service Provider Domain.

  2. Click the service provider domain name for which you want to enable ActAs and OnBehalfOf operations.

  3. Under WS Trust Operations, select ActAs and OnBehalfOf in Available operations and move to Selected operations.

  4. Click OK.

These operations are restricted to a set of privileged user accounts defined in the policy. You must configure the user accounts that are allowed to perform ActAs and OnBehalfOf operations. For information, see Adding Policy for ActAs and OnBehalfOf.

Configuring ActAs to Lookup Multiple User Stores

For ActAs, the username on whose behalf a client requests a token must be present in the user store (eDirectory). The default implementation checks for this user only in the default user store. If you want to search for the user in a different user store, perform the following steps:

  1. Click Devices > Identity Server > Edit > Local > Classes.

  2. Click New and specify the following details:

    Display name: Specify Find_By_Username

    Java class: Select Other

    Java class path: Specify com.novell.nidp.authentication.local.UserNameAuthenticationClass

  3. Click Next > Finish.

  4. Go to Local > Methods.

  5. Click New and select the Find_By_Username class.

    For information about configuring a method, see Configuring Authentication Methods.

  6. Go to WS-Trust > STS Configuration. Move this authentication method from Available Authentication Methods to Selected Authentication Methods.

Adding Policy for ActAs and OnBehalfOf

You must add a policy to allow ActAs and OnBehalfOf operations. For ActAs and OnBehalfOf, you can specify multiple username values separated by commas. If no value is specified, ActAs and OnBehalfOf are denied.

  1. Click Devices > Identity Servers > Edit > Options.

  2. Click New.

  3. Set the following properties based on your requirement:

    Property Type: WSTRUST AUTHORIZATION ALLOWED ACTAS VALUES

    Property Value: Specify the user names that can perform ActAs operations. Allowed user names are the user accounts that an intermediate web service provider uses to authenticate with STS when sending a request with ActAs elements.

    Property Type: WSTRUST AUTHORIZATION ALLOWED ONBEHALF VALUES

    Property Value: Specify the user names that can perform OnBehalfOf operations. Allowed user names are the user accounts that an intermediate web service provider uses to authenticate with STS when sending a request with OnBehalfOf elements.

    Property Type: WSTRUST AUTHORIZATION ALLOWED VALUES

    Property Value: Specify the user names that can perform both ActAs and OnBehalfOf operations.

  4. Click OK > Apply.

  5. Restart Identity Server by running the following command:

    /etc/init.d/novell-idp restart

    For the Docker deployment, perform the following steps:

    1. Run the kubectl get pods command to view the Access Manager pods.

    2. Go to the Identity Server pod by running the kubectl exec --namespace <name-of-the-namespace> -it pod/<name-of-the-identity-server-pod> -- sh command.

    3. Run the /etc/init.d/novell-idp restart or systemctl restart novell-idp.service command.

    After upgrading Access Manager, these options are reset to their default values. You must reconfigure them after each upgrade.
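The authorization rule these three properties define, as an added Python example that is not Access Manager code: it splits the comma-separated lists, detects ActAs (WS-Trust 1.4 namespace) and OnBehalfOf (WS-Trust 1.3 namespace) elements in a constructed RequestSecurityToken, and denies when the relevant list is empty. The user names, the minimal RST and the union of ALLOWED VALUES with the per-operation lists are assumptions.

```python
import xml.etree.ElementTree as ET

WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3: OnBehalfOf
WST14 = "http://docs.oasis-open.org/ws-sx/ws-trust/200802"  # WS-Trust 1.4: ActAs

# Constructed values for the three Identity Server options set in step 3.
OPTIONS = {
    "WSTRUST AUTHORIZATION ALLOWED ACTAS VALUES": "svc-gateway, svc-portal",
    "WSTRUST AUTHORIZATION ALLOWED ONBEHALF VALUES": "",
    "WSTRUST AUTHORIZATION ALLOWED VALUES": "svc-admin",
}

def allowed_set(options, key):
    """Split a comma-separated property value into user names; empty or missing -> deny all."""
    return {u.strip() for u in options.get(key, "").split(",") if u.strip()}

def delegation_elements(rst_xml):
    """Report which delegation elements a RequestSecurityToken carries."""
    root = ET.fromstring(rst_xml)
    found = set()
    if root.find(f".//{{{WST14}}}ActAs") is not None:
        found.add("ActAs")
    if root.find(f".//{{{WST13}}}OnBehalfOf") is not None:
        found.add("OnBehalfOf")
    return found

def authorize(caller, rst_xml, options=OPTIONS):
    """True if the authenticated intermediary `caller` may send this RST.
    Per-operation lists are unioned with ALLOWED VALUES (assumed semantics);
    a request with neither element is not subject to this check."""
    both = allowed_set(options, "WSTRUST AUTHORIZATION ALLOWED VALUES")
    permitted = {
        "ActAs": allowed_set(options, "WSTRUST AUTHORIZATION ALLOWED ACTAS VALUES") | both,
        "OnBehalfOf": allowed_set(options, "WSTRUST AUTHORIZATION ALLOWED ONBEHALF VALUES") | both,
    }
    return all(caller in permitted[op] for op in delegation_elements(rst_xml))

def _rst(element_xml):
    # Constructed minimal RST; the delegation element's token body is elided.
    return (f'<wst:RequestSecurityToken xmlns:wst="{WST13}" xmlns:wst14="{WST14}">'
            f'<wst:RequestType>{WST13}/Issue</wst:RequestType>{element_xml}'
            '</wst:RequestSecurityToken>')

ACTAS_RST = _rst("<wst14:ActAs/>")
OBO_RST = _rst("<wst:OnBehalfOf/>")

if __name__ == "__main__":
    print(authorize("svc-gateway", ACTAS_RST))  # True: listed in ALLOWED ACTAS VALUES
    print(authorize("svc-gateway", OBO_RST))    # False: ONBEHALF list is empty
    print(authorize("svc-admin", OBO_RST))      # True: ALLOWED VALUES covers both
```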