Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual page 160


Authentication Context
Use Types: Specifies whether to use authentication types. Select the types from the Available types
field to specify which type to use for authentication between trusted service providers and identity
providers. Standard types include Name/Password, X.509, Token, and so on.
Use Contracts: Specifies whether to use authentication contracts. Select the contract from the
Available contracts list. For a contract to appear in the Available contracts list, the contract must
have the Satisfiable by External Provider option enabled. To use the contract for federated
authentication, the contract's URI must be the same on the identity provider and the service
provider. For information about contract options, see Section 2.4, "Configuring Authentication
Contracts," on page 94.
Do not specify: Specifies that the identity provider can send any type of authentication to satisfy a
service provider's request, and instructs a service provider to not send a request for a specific
authentication type or contract.
Options
Response protocol binding: Select Artifact, Post, or None. Artifact and Post are the two methods
for transmitting assertions between the authenticating system and the target system.
If you select None, the identity provider determines the binding.
Identity provider proxy redirects: Specifies whether the trusted identity provider can proxy the
authentication request to another identity provider. A value of None specifies that the trusted identity
provider cannot redirect an authentication request. Values 1-5 determine the number of times the
request can be proxied. Select Configured on IDP to let the trusted identity provider decide how
many times the request can be proxied.
Force authentication at the IDP: Specifies that the trusted identity provider must prompt users for
authentication, even if they are already logged in.
Use automatic introduction: Automatically attempts single sign-on to this trusted identity
provider.
IMPORTANT: Only enable this option when you are confident the server will be up. If the server is
down and does not respond to the authentication request, the user gets a page-cannot-be-displayed
error. Local authentication is disabled because the browser is never redirected to the login page.
This option should only be enabled when you know the identity provider is available 99.999% of the
time or the service provider is dependent upon this identity provider for authentication.
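
The following sketch is an added example, not Novell code or part of the original manual. It shows how the settings above would appear in a SAML 2.0 AuthnRequest as defined by the SAML core specification. The function and parameter names, the issuer URL, and the mapping of types to AuthnContextClassRef and contract URIs to AuthnContextDeclRef are assumptions made for illustration.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDINGS = {  # "None" has no entry: the attribute is omitted and the IdP chooses
    "Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "Post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

def build_authn_request(issuer, binding="None", proxy_redirects="Configured on IDP",
                        force_authn=False, types=(), contracts=()):
    """Return AuthnRequest XML for the given option values (hypothetical helper)."""
    if types and contracts:
        raise ValueError("a request carries class refs or decl refs, not both")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    if binding != "None":
        req.set("ProtocolBinding", BINDINGS[binding])
    if force_authn:  # "Force authentication at the IDP"
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    # Assumption: types map to AuthnContextClassRef, contract URIs to AuthnContextDeclRef.
    refs = [("AuthnContextClassRef", uri) for uri in types]
    refs += [("AuthnContextDeclRef", uri) for uri in contracts]
    if refs:  # "Do not specify" sends no RequestedAuthnContext at all
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext")
        for tag, uri in refs:
            ET.SubElement(rac, f"{{{SAML}}}{tag}").text = uri
    if proxy_redirects != "Configured on IDP":
        count = 0 if proxy_redirects == "None" else int(proxy_redirects)
        if not 0 <= count <= 5:
            raise ValueError("use None, 1-5, or Configured on IDP")
        ET.SubElement(req, f"{{{SAMLP}}}Scoping", {"ProxyCount": str(count)})
    return ET.tostring(req, encoding="unicode")

if __name__ == "__main__":
    # Constructed sample values: issuer URL and the standard Password class URI.
    print(build_authn_request("https://sp.example.com/sp", binding="Post",
                              proxy_redirects="None", force_authn=True,
                              types=["urn:oasis:names:tc:SAML:2.0:ac:classes:Password"]))
```

When reviewing a captured request, a missing ProtocolBinding, RequestedAuthnContext, or Scoping element corresponds to the None, Do not specify, and Configured on IDP choices, which leave that decision to the identity provider.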
Configuring a SAML 2.0 Authentication Request
Devices > Identity Servers > Edit > SAML 2.0 > [Identity Provider] > Authentication Card >
Authentication Request
Use this page to configure how an authentication request is federated. When users authenticate to a
service provider, they can be given the option to federate their account identities with the preferred
identity provider. This process creates an account association between the identity provider and
service provider that enables single sign-on and single log-out.