Novell Access Manager 3.1 SP1 Identity Server Guide: Appendix C, Understanding How Access Manager Uses SAML (C.1 Attribute Mapping with Liberty)
C Understanding How Access Manager Uses SAML
Security Assertions Markup Language (SAML) is an XML-based framework for communicating security assertions (user authentication, entitlement, and attribute information) between identity providers and trusted service providers. For example, an airline company can make assertions to authenticate a user to a partner company or another enterprise application, such as a car rental company or hotel.

The Identity Server allows SAML assertions to be exchanged with trusted service providers that are using SAML servers. Using SAML assertions in each Access Manager component protects confidential information by removing the need to pass user credentials between the components to handle session management.
An identity provider using the SAML protocol generates and receives assertions for authentication, according to the SAML 1.0, 1.1, and 2.0 specifications described on the OASIS Standards Web site (http://www.oasis-open.org/specs/index.php).
This section describes how Access Manager uses SAML. It includes the following topics:
Section C.1, "Attribute Mapping with Liberty," on page 313
Section C.2, "Trusted Provider Reference Metadata," on page 314
Section C.3, "Identity Federation," on page 314
Section C.4, "Authorization Services," on page 314
Section C.5, "What's New in SAML 2.0?," on page 314
Section C.6, "Identity Provider Process Flow," on page 315
Section C.7, "SAML Service Provider Process Flow," on page 316
C.1 Attribute Mapping with Liberty
Attribute-based authorization involves one Web site communicating identity information about a subject to another Web site in support of some transaction. The identity information need not identify the subject; it can be a characteristic of the subject, such as a role. Attribute-based authorization is important when the subject's identity is not needed, should not be shared, or is insufficient on its own.
In order to interoperate with trusted service providers through the SAML protocol, the Identity Server distinguishes between different attributes from different SAML implementations. All of the SAML administration is done with Liberty attributes. When you specify which attributes to include in an assertion, or which attributes to use when locating the user from an assertion, these attributes should always be specified in the Liberty format.
In an attribute map, you convert SAML attributes from each vendor's implementation to Liberty attributes. (See Section 4.1, "Configuring Attribute Sets," on page 133.)

You can find detailed information about SAML 2.0 on the OASIS Security Services (SAML) TC Web site (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security).
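The vendor-to-Liberty conversion and the "locate the user from an assertion" step described above, as an added illustration that is not Access Manager's own code: the Liberty attribute names, the sample assertion, the user store and the function names are all constructed for this example. Unmapped attributes are reported rather than guessed, and the user lookup only succeeds when the mapped attribute is single-valued and matches exactly one local user.

```python
import xml.etree.ElementTree as ET

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed attribute map: vendor SAML attribute name -> Liberty attribute
# name. The Liberty names are placeholders, not Access Manager's own.
ATTRIBUTE_MAP = {"mail": "Liberty:EmailAddress", "memberOf": "Liberty:Role"}

# Constructed SAML 2.0 assertion fragment as a partner's SAML server might send it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeType"><saml:AttributeValue>contractor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local user store: user id -> Liberty attributes held locally.
USERS = {"alice": {"Liberty:EmailAddress": "alice@example.com"},
         "bob": {"Liberty:EmailAddress": "bob@example.com"}}

def parse_attributes(assertion_xml):
    """Return {vendor attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(SAML2 + "Attribute"):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall(SAML2 + "AttributeValue")]
    return attrs

def to_liberty(attrs, attr_map):
    """Rename vendor attributes to Liberty names; unmapped ones are reported, never guessed."""
    mapped, unmapped = {}, {}
    for name, values in attrs.items():
        if name in attr_map:
            mapped[attr_map[name]] = values
        else:
            unmapped[name] = values
    return mapped, unmapped

def locate_user(liberty_attrs, lookup_attr, users):
    """Return the single local user whose lookup_attr equals the asserted value,
    or None when the attribute is missing, multi-valued, or matches 0 or 2+ users."""
    values = liberty_attrs.get(lookup_attr, [])
    if len(values) != 1:
        return None
    matches = [uid for uid, a in users.items() if a.get(lookup_attr) == values[0]]
    return matches[0] if len(matches) == 1 else None
```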