JOSSO.org Community Documentation

Chapter 10. Circle of Trust Establishment

10.1. Connecting Identity Providers with Service Providers

A Circle of Trust is a group of Service Providers that share linked identities and have pertinent business agreements in place regarding how to do business and interact with identities.

The first and most obvious way in which trust is established is through existing relationships with partners, vendors and customers. If your organization already has agreements in place with another organization and you have a history of working together, they're already part of your circle.

Once the building blocks of an Identity Appliance are in place, with at least one Identity Provider (IdP) and a set of Service Providers defined, the next step is to enable a seamless SSO experience for users when they consume the business services provided by a Service Provider (SP).

This is accomplished by creating a relationship of trust between IdPs and SPs, which agree to honor one another's authentication and authorization information.

To connect IdP and SP elements in order to create a relationship of trust, use the "Federated Connection" edge available in the "Connections" palette drawer.

Click on the "Federation Connection" element. Select the SP and drag the edge onto the target IdP.

The following dialog will appear for defining the characteristics of the federation connection between the chosen entities.

On the Contract screen, specify the SAML Profiles and Bindings to be enabled, as well as the level of security of the artifacts involved in message exchanges between SPs and the IdP.

Field Descriptions

Name: The unique identifier of the Federated SSO connection.

Description: A descriptive text for the Federated SSO connection.

In the "Identity Provider Channel" section, define the SP's contract, specific to the IdP end of the Federated SSO connection. IdP Channel properties specified within this section will override the default contract established by the SP toward trusted IdPs.

Field Descriptions

Use Inherited Service Provider Settings: Select this checkbox if you wish to override the default contract established by the SP toward the IdP.

Enabled SAML Profiles: The SAML Profiles to activate in the SP for this IdP. These mainly represent usage scenarios that are realized by the SP for this specific IdP. The most important SAML profile is the "Web Browser Single Sign-On Profile", which can be enabled by selecting the SSO checkbox. Select the SLO checkbox to enable Single Logout support.

Enabled SAML Bindings: The SAML bindings to enable for the selected SAML profiles. A binding specifies the mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. Select the Http Post checkbox to convey SAML messages through HTTP POST. Select the Http Redirect checkbox to convey SAML messages through HTTP GET. Select the Artifact checkbox to convey SAML messages through the SAML Artifact Binding, which builds on both the HTTP Redirect and SOAP bindings to exchange SAML messages. Select the SOAP checkbox to convey SAML messages through SOAP over HTTP(S).

Sign Authentication Requests: Select this checkbox to digitally sign the SAML authentication request messages that the SP submits to the IdP, so that the IdP can authenticate them.

Want Assertions Signed: Select this checkbox to request that the IdP digitally sign the assertions conveyed in the responses it pushes to the SP.

Account Linkage Policy: The means by which an IdP user account is mapped to one on the SP end; it determines which of the input claims is used as the name identifier at the SP end.
  Select "One To One" to link IdP and SP accounts using the supplied name identifier.
  Select "Email" to link IdP and SP accounts using the supplied email.
  Select "UID" to link IdP and SP accounts using the supplied username identifier.

Identity Mapping Policy: The means by which the input claims conveyed in the security token issued and submitted by the IdP end of the Federated SSO connection are mapped to output claims, which the relying party then consumes in order to authorize users and grant appropriate access.
  Select "Use Theirs" to link IdP and SP accounts using the supplied name identifier, mapping input claims to output claims in a one-to-one fashion.
  Select "Use Ours" to link IdP and SP accounts using the supplied name identifier, and to issue output claims based only on the user details available in the identity source connected to the SP.
  Select "Aggregate" to link IdP and SP accounts using the supplied name identifier, and to issue output claims by merging the user details conveyed in the security token with those obtained from the identity source connected to the SP.

Preferred IdP Channel: Select this checkbox to make the IdP of this connection the SP's default authority for identifying a user when a protected resource is requested. More specifically, this is the IdP to which the user is redirected in an SP-initiated usage scenario.
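As an added example that is not part of the JOSSO documentation or code base, the following Python shows how an SP-side IdP Channel contract (Want Assertions Signed, Account Linkage Policy, Identity Mapping Policy) can be enforced on a parsed SAML Response. It assumes the attribute names "email" and "uid" behind the Email and UID linkage policies, a "local details win" rule for Aggregate, and a constructed sample response; it only checks that a signature element is present and assumes cryptographic verification happened earlier.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Attribute names behind the "Email" and "UID" linkage policies are assumptions.
LINKAGE_ATTR = {"Email": "email", "UID": "uid"}

# Constructed sample: a Response whose single assertion carries a (stub) signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature/><saml:Subject><saml:NameID>alice@idp</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="role"><saml:AttributeValue>viewer</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def parse_assertion(response_xml):
    # Returns (has_signature, NameID, {attribute name: value}) for the first assertion.
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    signed = assertion.find("ds:Signature", NS) is not None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
              for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return signed, name_id, claims

def link_account(response_xml, contract, local_user):
    # contract: {"want_assertions_signed": bool, "linkage": ..., "mapping": ...}
    # local_user: claims the SP's own identity source holds for this user.
    # Returns (name identifier used at the SP end, output claims).
    signed, name_id, theirs = parse_assertion(response_xml)
    if contract["want_assertions_signed"] and not signed:
        raise PermissionError("contract requires signed assertions; none present")
    linkage = contract["linkage"]
    ident = name_id if linkage == "One To One" else theirs.get(LINKAGE_ATTR[linkage])
    if not ident:
        raise ValueError(f"no identifier available for {linkage} linkage")
    mapping = contract["mapping"]
    if mapping == "Use Theirs":
        output = dict(theirs)
    elif mapping == "Use Ours":
        output = dict(local_user)
    else:  # "Aggregate": merge both; local details win on conflict (assumption)
        output = {**theirs, **local_user}
    return ident, output
```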

In the "Service Provider Channel" section, define the IdP's contract specific to the SP end of the Federated SSO connection. Service Provider Channel properties specified within this section override the default contract established by the IdP toward trusted SPs.

Field Descriptions

Use Inherited Identity Provider Settings: Select this checkbox if you wish to override the default contract established by the IdP end toward trusted SPs.

Enabled SAML Profiles: The SAML Profiles to activate in the IdP for this SP. These profiles mainly represent usage scenarios that are realized by the IdP for a specific SP. The most important SAML profile is the "Web Browser Single Sign-On Profile", which can be enabled by selecting the SSO checkbox. Select the SLO checkbox to enable Single Logout support.

Enabled SAML Bindings: The SAML bindings to enable for your chosen SAML profiles. A binding specifies the mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. Select the Http Post checkbox to convey SAML messages through HTTP POST. Select the Http Redirect checkbox to convey SAML messages through HTTP GET. Select the Artifact checkbox to convey SAML messages through the SAML Artifact Binding, which builds on both the HTTP Redirect and SOAP bindings to exchange SAML messages. Select the SOAP checkbox to convey SAML messages through SOAP over HTTP(S).

Want Authentication Requests Signed: Determines whether SAML Authentication Requests submitted by the SP end must be authenticated using a digital signature. Digitally signing SAML Authentication Requests provides proof of the SP's identity to the Identity Provider, as well as ensuring the integrity of the requests.

Authentication Contract: The authentication contract is the fundamental set of assumptions made by application-level code about the security context of any given request.

Authentication Mechanism: The means for authenticating a user. Select the "Two-Factor Authentication" checkbox if you wish to use strong authentication, instead of simple authentication, for identifying users accessing from the SP end.

Authentication Assertion Emission Policy: This enables you to customize how, upon successful authentication, assertions are emitted for the SP's end of the connection. The emitted authentication assertions are conveyed in security tokens pushed to relying parties.