Creating A Trusted Identity Provider For Saml 1.1 - Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual

7.3.3 Creating a Trusted Identity Provider for SAML 1.1

Before you can create a trusted identity provider, you must complete the following tasks:
 Imported the trusted root of the provider's SSL certificate into the NIDP trust store. For
instructions, see
page 29.
Shared the trusted root of the SSL certificate of your Identity Server with the identity provider

so that the administrator can imported it into the identity provider's trust store.
Obtained the metadata URL from the identity provider, an XML file with the metadata, or the

information required for manual entry. For more information about the manual entry option,
see Section 7.7.3, "Editing a SAML 1.1 Identity Provider's Metadata," on page
 Shared the metadata URL of your Identity Server with the identity provider or an XML file
with the metadata.
Enabled the protocol. Click Devices > Identity Servers > Edit, and on the Configuration page,

verify that the required protocol in the Enabled Protocols section has been enabled.
To create an identity provider:
1 In the Administration Console, click Devices > Identity Servers > Servers > Edit > SAML 1.1.
2 Click New, then click Identity Provider.
3 In the Name option, specify a name by which you want to refer to the provider.
4 Select one of the following sources for the metadata:
Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves
protocol metadata using the specified URL. Examples of metadata URLs for an Identity Server
acting as an identity provider with an IP address of 10.1.1.1:
http://10.1.1.1:8080/nidp/saml/metadata
https://10.1.1.1:8443/nidp/saml/metadata
The default values nidp and 8080 are established during product installation; nidp is the Tomcat
application name. If you have set up SSL, you can use https and port 8443.
If your Identity Server and Administration Console are on different machines, use HTTP to
import the metadata. If you are required to use HTTPS with this configuration, you must import
the trusted root certificate of the provider into the trust store of the Administration Console.
You need to use the Java
security directory of the Administration Console.
Linux:
Windows Server 2003:
Windows Server 2008:
If you do not want to use HTTP and you do not want to import a certificate into the
Administration Console, you can use the Metadata Text option. In a browser, enter the HTTP
URL of the metadata. View the text from the source page, save the source metadata, then paste
it into the Metadata Text option.
Metadata Text: An editable field in which you can paste copied metadata text from an XML
document, assuming you obtained the metadata via e-mail or disk and are not using a URL. If
you copy metadata text from a Web browser, you must copy the text from the page source.
194 Novell Access Manager 3.1 SP2 Identity Server Guide
Section 1.3.3, "Managing the Keys, Certificates, and Trust Stores," on
keytool
/opt/novell/java/jre/lib/security
\Program Files\Novell\jre\lib\security
\Program Files (x86)\Novell\jre\lib\security
to import the certificate into the
204.
file in the
cacerts