Configuring The General Identity Consumer Options; Creating A Trusted Provider - Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual

5.2.2 Configuring the General Identity Consumer Options

1 In the Administration Console, click Devices > Identity Servers > Edit > Identity Consumer.

2 Specify whether the Identity Server can run as an identity consumer. When the Identity Server is configured to run as an identity consumer, it can receive (consume) authentication assertions from other identity providers.

Enable: Enables this site to function as a service provider. This setting is enabled by default. If this option is disabled, the Identity Server cannot trust or consume authentication assertions from other identity providers. You can create and enable identity providers for the various protocols, but they are not loaded or used until this option is enabled.

Require Signed Assertions: Specifies that the service provider must sign authentication requests that are

Sign Authentication Requests: Specifies that the service provider signs authentication requests sent to an identity provider when using the Liberty 1.2 and SAML 2.0 protocols.

Use Introductions (Discover IDP Authentications): Enables a service provider to discover whether a user has authenticated to a trusted identity provider, so the user can use single sign-on without requiring authentication credentials.

Service domain: The shared, common domain for all providers in the circle of trust. This domain must resolve to the same IP address as the base URL domain. You must enable the Identity Consumer option to enable this field.

Port: The port to use for identity consumer introductions. Port 8446 for HTTPS is the default and must be opened on your firewall. If you specify a different port, you must edit the Tomcat server XML.

SSL Certificate: Displays the Keystore page that you use to locate and replace the test-consumer SSL certificate for this configuration. The Identity Server comes with a test-consumer certificate that you must replace for your production environment. This certificate is used for identity consumer introductions. You can replace the test certificate now or after you have configured the Identity Server. If you create the certificate and replace the test-connector now, you can save some time by restarting Tomcat only once. Tomcat must be restarted whenever you assign an Identity Server to a configuration and whenever you update a certificate key store. See Section 1.7.3, "Managing the Keys, Certificates, and Trust Stores," on page 68.

3 Click OK, then update the Identity Server.
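The introduction settings above carry two constraints that are easy to get wrong and that only show up as failed single sign-on later: the service domain must resolve to the same IP address as the base URL domain, and the introduction port (8446 by default) must have an HTTPS listener in Tomcat and a matching firewall rule. The following script is an added example, not code from the Novell manual or the Access Manager product; it checks both constraints before you update the Identity Server. The server.xml layout, hostnames, addresses and DNS table it uses are constructed samples, and the check on the Connector's `scheme` attribute is an assumption about how the HTTPS connector is declared.

```python
"""Pre-flight checks for identity consumer introduction settings.

Added example (not part of the Novell manual). It verifies, offline or
against live DNS, the two constraints section 5.2.2 states:
  - the service domain resolves to the same IP as the base URL domain
  - the introduction port has an HTTPS Connector in Tomcat's server.xml
"""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DEFAULT_INTRODUCTION_PORT = 8446  # default port named in the manual

# Constructed sample server.xml; an assumed layout, not the product's own file.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true" />
    <Connector port="8446" scheme="https" secure="true" SSLEnabled="true" />
  </Service>
</Server>"""

# Constructed DNS table so the checks can run without network access.
_CONSTRUCTED_DNS = {
    "idp.example.com": ["10.1.1.1"],    # base URL host
    "sso.example.com": ["10.1.1.1"],    # service domain, correctly aligned
    "other.example.com": ["10.1.1.2"],  # service domain pointing elsewhere
}


def constructed_resolver(hostname):
    """Stand-in for socket.gethostbyname_ex() backed by the constructed table."""
    return (hostname, [], _CONSTRUCTED_DNS[hostname])


def resolve_addresses(hostname, resolver=socket.gethostbyname_ex):
    """Return the set of IPv4 addresses a hostname resolves to."""
    _canonical, _aliases, addrs = resolver(hostname)
    return set(addrs)


def tomcat_connectors(server_xml_text):
    """Map each Tomcat Connector port to its attributes."""
    root = ET.fromstring(server_xml_text)
    return {int(c.get("port")): dict(c.attrib)
            for c in root.iter("Connector") if c.get("port")}


def check_introductions(base_url, service_domain, port, server_xml_text,
                        resolver=socket.gethostbyname_ex):
    """Return a list of findings; an empty list means the settings line up."""
    findings = []
    base_host = urlparse(base_url).hostname
    if base_host is None:
        return [f"base URL {base_url!r} has no hostname"]

    # Constraint 1: service domain and base URL domain resolve to the same IP.
    base_ips = resolve_addresses(base_host, resolver)
    svc_ips = resolve_addresses(service_domain, resolver)
    if base_ips != svc_ips:
        findings.append(
            f"service domain {service_domain} resolves to {sorted(svc_ips)} "
            f"but base URL host {base_host} resolves to {sorted(base_ips)}")

    # Constraint 2: an HTTPS listener exists on the introduction port.
    connectors = tomcat_connectors(server_xml_text)
    if port not in connectors:
        msg = f"no Tomcat Connector listens on port {port}"
        if port != DEFAULT_INTRODUCTION_PORT:
            msg += "; a non-default port requires editing the Tomcat server XML"
        findings.append(msg)
    elif connectors[port].get("scheme") != "https":
        findings.append(f"Connector on port {port} is not HTTPS "
                        f"(scheme={connectors[port].get('scheme')!r})")
    return findings


if __name__ == "__main__":
    # Replace constructed_resolver with the default to query live DNS.
    for finding in check_introductions("https://idp.example.com:8443/nidp",
                                       "sso.example.com", 9446,
                                       SAMPLE_SERVER_XML, constructed_resolver):
        print("FINDING:", finding)
```

Run it with the real server.xml contents and omit the `resolver` argument to query live DNS; remember that the firewall rule for the introduction port is outside what this script can verify.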

5.3 Creating a Trusted Provider

The procedure for establishing trust between providers begins with obtaining metadata for the trusted provider. If you are using the Novell Identity Server, protocol-specific metadata is available via a URL. Examples of metadata URLs for server 10.1.1.1 would be:

Liberty: http://10.1.1.1:8080/nidp/idff/metadata
Configuring SAML and Liberty Trusted Providers 145