Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual page 161

Allow Federation: Determines whether federation is allowed. The federation options that control
when and how federation occurs can only be configured if the identity provider has been configured
to allow federation.
After authentication: Specifies that the federation request can be sent after the user has
authenticated (logged in) to the service provider. When you set only this option, users must log
in locally, then they can federate using the Federate option on the card in the Login page of the
Access Manager User Portal. Because the user is required to authenticate locally, you do not
need to set up user identification.
During authentication: Specifies whether federation can occur when the user selects the
authentication card of the identity provider. Typically, a user is not authenticated at the service
provider when this selection is made. When the identity provider sends a response to the
service provider, the user needs to be identified on the service provider to complete the
federation. If you enable this option, make sure you configure a user identification method. See
Section 8.1, "Selecting a User Identification Method for Liberty or SAML 2.0," on page 209.
Authentication Context
Use Types: Specifies whether to use authentication types. Select the types from the Available types
field to specify which type to use for authentication between trusted service providers and identity
providers. Standard types include Name/Password, X.509, Token, and so on.
Use Contracts: Specifies whether to use authentication contracts. Select the contract from the
Available contracts list. For a contract to appear in the Available contracts list, the contract must
have the Satisfiable by External Provider option enabled. To use the contract for federated
authentication, the contract's URI must be the same on the identity provider and the service
provider. For information about contract options, see Section 2.4, "Configuring Authentication
Contracts," on page 94.
Do not specify: Specifies that the identity provider can send any type of authentication to satisfy a
service provider's request, and instructs a service provider to not send a request for a specific
authentication type or contract.
Options
Response protocol binding: Select Artifact, Post, or None. Artifact and Post are the two methods
for transmitting assertions between the authenticating system and the target system.
If you select None, you are letting the identity provider determine the binding.
Allowable IDP proxy indirections: Specifies whether the trusted identity provider can proxy the
authentication request to another identity provider. A value of None specifies that the trusted identity
provider cannot redirect an authentication request. Values 1-5 determine the number of times the
request can be proxied. Select Let IDP Decide to let the trusted identity provider decide how many
times the request can be proxied.
Force authentication at the IDP: Specifies that the trusted identity provider must prompt users for
authentication, even if they are already logged in.
Use automatic introduction: Automatically attempts single sign-on to this trusted identity
provider.
Configuring SAML and Liberty Trusted Providers 161
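As an added example (not Novell's code and not the product's own API), the following Python builds the standard SAML 2.0 AuthnRequest a service provider would send when the options above are set, so it is visible where each option lands in the protocol; the issuer URL, the settings dictionary and the contract URIs are constructed sample values.

```python
# Added example, not Novell's code: maps the options described above onto the
# standard SAML 2.0 AuthnRequest attributes; all input values are constructed.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDINGS = {
    "Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "Post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

def build_authn_request(issuer, settings):
    """settings mirror the manual's options: binding ('Artifact'|'Post'|'None'), proxy
    ('None', 1-5, or 'LetIdpDecide'), force_auth (bool), contracts ([] = Do not specify)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    # Response protocol binding: None leaves the choice to the IDP, so no attribute.
    if settings["binding"] in BINDINGS:
        req.set("ProtocolBinding", BINDINGS[settings["binding"]])
    # Force authentication at the IDP -> ForceAuthn="true"
    if settings["force_auth"]:
        req.set("ForceAuthn", "true")
    # Use Contracts: each contract URI becomes an AuthnContextClassRef; the
    # "exact" comparison is why the URI must match on both providers.
    if settings["contracts"]:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        for uri in settings["contracts"]:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = uri
    # Allowable IDP proxy indirections -> Scoping/ProxyCount; None means zero
    # hops, and Let IDP Decide omits ProxyCount entirely.
    if settings["proxy"] != "LetIdpDecide":
        count = "0" if settings["proxy"] == "None" else str(settings["proxy"])
        ET.SubElement(req, f"{{{SAMLP}}}Scoping", {"ProxyCount": count})
    return ET.tostring(req, encoding="unicode")

def summarize(xml_text):
    # Read back the fields worth checking in a captured request.
    root = ET.fromstring(xml_text)
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    return {
        "binding": root.get("ProtocolBinding"),
        "force_authn": root.get("ForceAuthn") == "true",
        "proxy_count": None if scoping is None else int(scoping.get("ProxyCount")),
        "contracts": [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")],
    }
```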