Disable: Disables the selected identity or service provider. When a provider is disabled, the
server does not load the definition. The definition is not deleted, and the provider can be
enabled again later.
IMPORTANT: When selecting which protocol to use, be aware of the logout behavior of SAML 1.1.
The SAML 2.0 and Liberty 1.2 protocols define a logout mechanism whereby the service provider
sends a logout command to the trusted identity provider when a user logs out at the service
provider. SAML 1.1 has no such mechanism, so a logout at a SAML 1.1 service provider does not
log the user out at the trusted identity provider. The identity provider session remains valid, and
returning to the service provider requires no credentials to be entered. To log out at both providers,
the user must navigate to the identity provider that authenticated the session and log out there
manually.
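The following is an added example, not code from the Novell Access Manager product or this guide. It shows the SAML 2.0 logout exchange the note describes at the message level: the service provider builds a samlp:LogoutRequest, the identity provider terminates the named session and answers with a samlp:LogoutResponse. A SAML 1.1 logout is modelled as well, to make the gap visible: the service provider has no message to send, so the identity provider session survives. Signatures, bindings and metadata lookup are omitted, and the entity IDs and URLs are invented.

```python
"""SAML 2.0 single logout at the message level, next to the SAML 1.1 gap.

Added example, not Novell Access Manager code. A SAML 2.0 SP tells the IdP
about a logout with <samlp:LogoutRequest>; the IdP ends the named session
and answers <samlp:LogoutResponse>. SAML 1.1 has no such message, so an SP
logout leaves the IdP session alive. Signatures, bindings and metadata
lookup are left out; the entity IDs and URLs are invented.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index):
    """SP side: the message a SAML 2.0 SP sends when the user logs out."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "Destination": idp_slo_url})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}).text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


class IdentityProvider:
    """IdP side: an in-memory session table keyed by SessionIndex."""

    def __init__(self, entity_id, trusted_sps):
        self.entity_id = entity_id
        self.trusted_sps = set(trusted_sps)
        self.sessions = {}          # session_index -> name_id

    def login(self, name_id):
        index = "_" + uuid.uuid4().hex
        self.sessions[index] = name_id
        return index

    def has_session(self, index):
        return index in self.sessions

    def handle_logout_request(self, xml_text):
        """End the session only if the request comes from a trusted SP and
        names a live session for that user; always answer with a LogoutResponse."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            raise ValueError("not a samlp:LogoutRequest")
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        name_id = root.findtext("saml:NameID", namespaces=NS)
        index = root.findtext("samlp:SessionIndex", namespaces=NS)
        status = REQUESTER
        if (issuer in self.trusted_sps and name_id is not None
                and index in self.sessions and self.sessions[index] == name_id):
            del self.sessions[index]
            status = SUCCESS
        resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
            "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
            "IssueInstant": _now(), "InResponseTo": root.get("ID")})
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = self.entity_id
        st = ET.SubElement(resp, f"{{{SAMLP}}}Status")
        ET.SubElement(st, f"{{{SAMLP}}}StatusCode", {"Value": status})
        return ET.tostring(resp, encoding="unicode")


def response_status(xml_text):
    root = ET.fromstring(xml_text)
    return root.find("samlp:Status/samlp:StatusCode", namespaces=NS).get("Value")


def saml2_logout(idp, sp_entity_id, name_id, index):
    """SAML 2.0: the SP ends its own session, then sends a LogoutRequest to
    the IdP. Returns (IdP status code, whether the IdP session is still alive)."""
    req = build_logout_request(sp_entity_id, "https://idp.example.com/slo",
                               name_id, index)
    status = response_status(idp.handle_logout_request(req))
    return status, idp.has_session(index)


def saml11_logout(idp, index):
    """SAML 1.1: the SP has no logout message to send, so only the SP-side
    session ends. Returns whether the IdP session is still alive (it is)."""
    return idp.has_session(index)


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example.com", ["https://sp.example.com"])
    idx = idp.login("alice")
    print("SAML 1.1 logout, IdP session alive:", saml11_logout(idp, idx))
    print("SAML 2.0 logout:", saml2_logout(idp, "https://sp.example.com", "alice", idx))
```

The rogue-issuer branch is the check a practitioner wants: a LogoutRequest from an entity that is not a trusted service provider, or one that names a session belonging to a different user, must not terminate anything, and the identity provider still answers so the requester cannot distinguish a rejected request from a nonexistent session.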
7.3.1 Creating a Trusted Provider for Liberty or SAML 2.0
You can configure the Identity Server to trust a service provider or an identity provider.
When you create a trusted identity provider, you allow that identity provider to authenticate
the user, and the Identity Server acts as a service provider.
When you create a trusted service provider, you configure the Identity Server to provide
authentication for that service provider, and the Identity Server acts as an identity provider.
Both types of trust relationship require the identity provider to establish a trusted relationship
with the service provider and the service provider to establish a trusted relationship with the
identity provider.
Prerequisites
Before you can create a trusted provider, you must complete the following tasks:
Imported the trusted root of the provider's SSL certificate into the NIDP trust store. For
instructions, see Section 1.3.3, "Managing the Keys, Certificates, and Trust Stores," on
page 29.
Shared the trusted root of the SSL certificate of your Identity Server with the other provider so
that its administrator can import it into the provider's trust store.
Obtained the metadata URL from the other provider, or an XML file with the metadata.
Shared the metadata URL of your Identity Server with the other provider, or sent an XML file
with the metadata.
Enabled the protocol. Click Devices > Identity Servers > Edit, and on the Configuration page,
verify that the required protocol is selected in the Enabled Protocols section.
Procedure
1 In the Administration Console, click Devices > Identity Servers > Edit > [Protocol].
For the protocol, click Liberty or SAML 2.0.
190 Novell Access Manager 3.1 SP2 Identity Server Guide
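The metadata exchanged under Prerequisites is what the trust relationship is built from. As an added example, not part of this guide or the Novell product, the parser below reads a partner's SAML 2.0 metadata, extracts the entityID, protocol role, SingleLogoutService endpoints and embedded signing certificates, and produces a SHA-256 fingerprint of each certificate so it can be confirmed with the partner's administrator before import. This signing certificate is distinct from the SSL trusted root the first prerequisite imports into the NIDP trust store. Both metadata documents and the certificate bytes are constructed placeholders; the entity IDs and URLs are invented.

```python
"""Inspect SAML 2.0 metadata received from a partner provider.

Added example, not part of the Novell guide. The metadata a partner sends
(URL or XML file) names its entityID, its protocol role, its endpoints and
its signing certificate. Parsing it before import shows whether the partner
advertises a SAML 2.0 logout endpoint at all and lets you fingerprint the
embedded certificate for confirmation with the partner's administrator.
Both metadata documents and the certificate bytes are constructed
placeholders; no real provider is represented.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Stand-in for DER certificate bytes; not a real X.509 certificate.
FAKE_DER = b"constructed placeholder certificate bytes"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed SP metadata that advertises a SingleLogoutService endpoint.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.com/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://sp.example.com/saml2/slo"/>
    <md:AssertionConsumerService Binding="{POST}" Location="https://sp.example.com/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata with no SingleLogoutService: SP-initiated logout
# cannot be propagated to this partner even though it speaks SAML 2.0.
IDP_METADATA_NO_SLO = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der_bytes):
    """SHA-256 fingerprint of DER certificate bytes as a hex string."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_metadata(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected md:EntityDescriptor")
    role = root.find("md:SPSSODescriptor", namespaces=NS)
    if role is None:
        role = root.find("md:IDPSSODescriptor", namespaces=NS)
    if role is None:
        raise ValueError("metadata carries neither an SP nor an IdP role")
    certs = []
    for kd in role.findall("md:KeyDescriptor", namespaces=NS):
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if b64:
            der = base64.b64decode("".join(b64.split()))
            # A KeyDescriptor without a use attribute serves both purposes.
            certs.append({"use": kd.get("use", "signing encryption"),
                          "sha256": fingerprint(der)})
    return {
        "entity_id": root.get("entityID"),
        "role": role.tag.split("}", 1)[1],
        "supports_saml2": "SAML:2.0:protocol" in role.get("protocolSupportEnumeration", ""),
        "certs": certs,
        "slo": [(e.get("Binding"), e.get("Location"))
                for e in role.findall("md:SingleLogoutService", namespaces=NS)],
    }


def check_fingerprint(info, expected_sha256_hex):
    """True if a signing certificate in the metadata matches the fingerprint
    the partner's administrator confirmed out of band."""
    expected = expected_sha256_hex.lower().replace(":", "")
    return any(c["sha256"] == expected for c in info["certs"] if "signing" in c["use"])


if __name__ == "__main__":
    for doc in (SP_METADATA, IDP_METADATA_NO_SLO):
        info = parse_metadata(doc)
        print(info["entity_id"], info["role"], "SLO endpoints:", info["slo"])
        for c in info["certs"]:
            print("  cert", c["use"], c["sha256"])
```

An empty "slo" list on a SAML 2.0 partner is worth noticing before the trust is configured: the protocol defines single logout, but a provider that publishes no SingleLogoutService endpoint cannot receive the logout command, and the behaviour described for SAML 1.1 above results in practice.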