Configuring An Authentication Request For An Identity Provider; Configuring A Liberty Authentication Request - Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual

7.8 Configuring an Authentication Request for an Identity Provider
When you are configuring the Identity Server to trust an identity provider and to use that identity
provider for authentication, you can specify the conditions under which the Identity Server accepts
the authentication credentials of the identity provider. The authentication request contains these
conditions.
The Liberty and SAML 2.0 protocols have slightly different options for configuring an
authentication request.
Section 7.8.1, "Configuring a Liberty Authentication Request," on page 207
Section 7.8.2, "Configuring a SAML 2.0 Authentication Request," on page 209

7.8.1 Configuring a Liberty Authentication Request

You can configure how the Identity Server creates an authentication request for a trusted identity
provider. When users authenticate, they can be given the option to federate their account identities
with the preferred identity provider. This process creates an account association between the identity
provider and service provider that enables single sign-on and single log-out.
The authentication request specifies how you want the identity provider to handle the authentication
process so that it meets the security needs of the Identity Server.
1 In the Administration Console, click Devices > Identity Servers > Edit > Liberty > [Identity
Provider] > Authentication Card > Authentication Request.
2 Configure the federation options:
Allow Federation: Determines whether federation is allowed. The federation options that
control when and how federation occurs can only be configured if the identity provider has
been configured to allow federation.
After authentication: Specifies that the federation request can be sent after the user has
authenticated (logged in) to the service provider. When you set only this option, users
must log in locally, then they can federate by using the Federate option on the card in the
Login page of the Access Manager User Portal. Because the user is required to
authenticate locally, you do not need to set up user identification.
During authentication: Specifies whether federation can occur when the user selects the
authentication card of the identity provider. Typically, a user is not authenticated at the
service provider when this selection is made. When the identity provider sends a response
to the service provider, the user needs to be identified on the service provider to complete
the federation. If you enable this option, make sure you configure a user identification
method. See Section 11.1.1, "Selecting a User Identification Method for Liberty or SAML
2.0," on page 277.
3 Select one of the following options for the Requested By option:
Do not specify: Specifies that the identity provider can send any type of authentication to
satisfy a service provider's request, and instructs a service provider to not send a request for a
specific authentication type or contract.
Use Types: Specifies that authentication types should be used.
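As an added example (not Novell's code and not how Access Manager is implemented internally), the following Python builds the Liberty ID-FF 1.2 AuthnRequest that a service provider would send under the federation and Requested By settings above, and parses one back into the conditions the identity provider is being asked to meet. The mapping of the console options to protocol elements (NameIDPolicy for federation, RequestAuthnContext for requested types), the provider ID and the authentication class reference value are assumptions.

```python
"""Liberty ID-FF 1.2 AuthnRequest shaped by the console options (assumed mapping)."""
import datetime
import uuid
import xml.etree.ElementTree as ET

LIB = "urn:liberty:iff:2003-08"  # Liberty ID-FF protocol namespace
ET.register_namespace("lib", LIB)


def build_authn_request(provider_id, allow_federation, authn_class_refs=()):
    """Return the AuthnRequest as an XML string.

    allow_federation maps to NameIDPolicy: 'federated' lets the identity provider
    create an account association, 'none' forbids it (assumed mapping).
    An empty authn_class_refs is the 'Do not specify' choice: no RequestAuthnContext
    is emitted, so the identity provider may answer with any authentication type.
    A non-empty tuple is the 'Use Types' choice: each entry becomes an
    AuthnContextClassRef the identity provider must satisfy at least ('minimum').
    """
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{LIB}}}AuthnRequest", {
        "RequestID": "_" + uuid.uuid4().hex,  # must start with a letter or underscore
        "MajorVersion": "1", "MinorVersion": "2",
        "IssueInstant": now,
    })
    ET.SubElement(req, f"{{{LIB}}}ProviderID").text = provider_id
    policy = "federated" if allow_federation else "none"
    ET.SubElement(req, f"{{{LIB}}}NameIDPolicy").text = policy
    if authn_class_refs:
        ctx = ET.SubElement(req, f"{{{LIB}}}RequestAuthnContext")
        for ref in authn_class_refs:
            ET.SubElement(ctx, f"{{{LIB}}}AuthnContextClassRef").text = ref
        ET.SubElement(ctx, f"{{{LIB}}}AuthnContextComparison").text = "minimum"
    return ET.tostring(req, encoding="unicode")


def requested_conditions(xml_text):
    """Parse a request back into the conditions placed on the identity provider."""
    root = ET.fromstring(xml_text)
    policy = root.findtext(f"{{{LIB}}}NameIDPolicy")
    refs = [e.text for e in root.iter(f"{{{LIB}}}AuthnContextClassRef")]
    return {"federation_allowed": policy == "federated", "authn_class_refs": refs}


if __name__ == "__main__":
    # Constructed sample values: provider ID and class reference are illustrative.
    xml = build_authn_request("https://sp.example.test", True,
                              ("http://www.projectliberty.org/schemas/authctx/classes/Password",))
    print(xml)
    print(requested_conditions(xml))
```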
Configuring SAML and Liberty Trusted Providers 207
