Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual page 208


Select the types from the Available types field to specify which type to use for authentication
between trusted service providers and identity providers. Standard types include Name/
Password, Secure Name/Password, X509, Token, and so on.
Use Contracts: Specifies that authentication contracts should be used.
Select the contract from the Available contracts list. For a contract to appear in the Available
contracts list, the contract must have the Satisfiable by External Provider option enabled. To
use the contract for federated authentication, the contract's URI must be the same on the
identity provider and the service provider. For information about contract options, see
Section 3.4, "Configuring Authentication Contracts," on page 124.
Most third-party identity providers do not use contracts.
4 Configure the options:
Response protocol binding: Select Artifact, Post, or None. Artifact and Post are the two
methods for transmitting assertions between the authenticating system and the target system.
If you select None, the identity provider determines the binding.
Identity Provider proxy redirects: Specifies whether the trusted identity provider can proxy
the authentication request to another identity provider. A value of None specifies that the
trusted identity provider cannot redirect an authentication request. Values 1-5 determine the
number of times the request can be proxied. Select Configured on IDP to let the trusted identity
provider decide how many times the request can be proxied.
Force authentication at Identity Provider: Specifies that the trusted identity provider must
prompt users for authentication, even if they are already logged in.
Use automatic introduction: Attempts single sign-on to this trusted identity provider by
automatically sending a passive authentication request to the identity provider. (A passive
request does not prompt for credentials.) The identity provider sends one of the following
authentication responses:
When the federated user is authenticated at the identity provider: The identity
provider returns an authentication response indicating that the user is authenticated. The
user gains access to the service provider without entering credentials (single sign-on).
When the federated user is not authenticated at the identity provider: The identity
provider returns an authentication response indicating that the user is not logged in. The
user can then select a card for authentication, including the card for the identity provider.
If the user selects the identity provider card, an authentication request is sent to the
identity provider. If the credentials are valid, the user is also authenticated to the service
provider.
IMPORTANT: Enable the Use automatic introduction option only when you are confident the
identity provider will be up. If the server is down and does not respond to the authentication
request, the user gets a page-cannot-be-displayed error. Local authentication is disabled
because the browser is never redirected to the login page.
This option should be enabled only when you know the identity provider is available 99.999%
of the time or when the service provider is dependent upon this identity provider for
authentication.
5 Click OK twice, then update the Identity Server.
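The options in step 4 correspond to fields of a SAML 2.0 authentication request when the trusted provider is a SAML 2.0 identity provider. The following added example (not from the Novell guide, and not Access Manager's own code) builds such a request from those settings and shows how a service provider tells the two passive-request outcomes apart by the response status code. The issuer and consumer URLs are illustrative, and the mapping of "Configured on IDP" to an omitted Scoping element is this example's assumption.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
# "Response protocol binding": Artifact and Post name a SAML binding; None lets the IDP choose
BINDINGS = {"Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
            "Post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "None": None}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NOPASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

def build_authn_request(issuer, acs_url, binding="Post", proxy_redirects="Configured on IDP",
                        force_authn=False, automatic_introduction=False):
    """Map the trusted-provider options on this page onto SAML 2.0 AuthnRequest attributes."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": str(force_authn).lower(),            # Force authentication at Identity Provider
        "IsPassive": str(automatic_introduction).lower()})  # Use automatic introduction
    if BINDINGS[binding]:
        req.set("ProtocolBinding", BINDINGS[binding])
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if proxy_redirects != "Configured on IDP":  # otherwise omit Scoping and let the IDP decide
        # Identity Provider proxy redirects: None -> ProxyCount=0, "1".."5" -> that many hops
        count = 0 if proxy_redirects == "None" else int(proxy_redirects)
        ET.SubElement(req, f"{{{SAMLP}}}Scoping", {"ProxyCount": str(count)})
    return ET.tostring(req, encoding="unicode")

def handle_passive_response(response_xml):
    """Decide what the service provider does with the IDP's answer to a passive request."""
    root = ET.fromstring(response_xml)
    codes = [c.get("Value") for c in root.iter(f"{{{SAMLP}}}StatusCode")]
    if STATUS_SUCCESS in codes:    # user already authenticated at the IDP: single sign-on
        return "single-sign-on"
    if STATUS_NOPASSIVE in codes:  # second-level code under Responder: user not logged in
        return "show-card-selector"  # fall back to the card selector, IDP card included
    return "error"                 # any other status: treat as a failed authentication

# Constructed sample responses, reduced to their Status element, for the two outcomes above
RESPONSE_SSO = (f'<samlp:Response xmlns:samlp="{SAMLP}"><samlp:Status>'
                f'<samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status></samlp:Response>')
RESPONSE_NOT_LOGGED_IN = (f'<samlp:Response xmlns:samlp="{SAMLP}"><samlp:Status>'
                          f'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
                          f'<samlp:StatusCode Value="{STATUS_NOPASSIVE}"/></samlp:StatusCode>'
                          '</samlp:Status></samlp:Response>')
```

A real deployment signs the request and validates the response signature before trusting any status code; the functions above only show the option-to-attribute mapping and the status handling.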
208 Novell Access Manager 3.1 SP2 Identity Server Guide