B.2 Trusted Provider Reference Metadata
Metadata is generated by the Identity Server and is used for server communication and
identification. You can obtain a trusted provider's metadata from a URL or from an XML document
and enter it in the system when you create the reference. Metadata is exchanged with federation
partners and carries contact and organization information for the Identity Server, together with the
endpoints and certificates the partners use to communicate with it. For SAML 2.0, metadata is
generated automatically; for SAML 1.1, you enter it manually. Because the metadata carries the
certificate whose signatures the server will accept from the partner, obtain it over a channel you
trust (for example, HTTPS from the partner's own host) or confirm the certificate fingerprint with the
partner before you save the reference. (See Chapter 7, "Configuring SAML and Liberty Trusted
Providers," on page 183.)
IMPORTANT: The SAML 2.0 and Liberty 1.2 protocols define a single logout mechanism: when a user
logs out at a service provider, the service provider sends a logout request to the trusted identity
provider. SAML 1.1 has no such mechanism, so a logout at a SAML 1.1 service provider does not log
the user out at the identity provider. The identity provider session remains valid, and a user who
returns to the service provider from the same browser is signed in again without entering
credentials. To log out at both providers, users must navigate to the identity provider that
authenticated them to the SAML 1.1 service provider and log out there manually.
B.3 Identity Federation
Identity federation is the association of accounts between an identity provider and a service
provider, while maintaining privacy protection. From an administrative perspective, this type of
sharing can help reduce identity management costs because multiple organizations do not need to
independently collect and maintain identity-related data, such as passwords. From the end user's
perspective, this results in an enhanced experience by requiring fewer sign-ons.
B.4 Authorization Services
After a user has authenticated to a site or application, each request for a protected resource passes
through a Policy Enforcement Point (PEP). The PEP asks a Policy Decision Point (PDP) whether
the user may access the requested resource and then grants or denies the request accordingly.
SAML is the communication mechanism between the PEP and the PDP. In Novell product
terminology, the PEP corresponds to the Novell Access Gateway and the PDP to the Novell Identity
Server.
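The PEP/PDP exchange described above, as an added example that is not part of this guide and not Novell Access Manager code: the enforcement point builds a samlp:AuthzDecisionQuery, the decision point answers with an assertion carrying a saml:AuthzDecisionStatement, and the enforcement point grants access only on an explicit Permit for the same resource and action (anything else, including Indeterminate, is treated as a denial). The policy table, the subject and resource names, and the in-process call that stands in for the network are assumptions; a deployment signs these messages and carries them over SOAP, which is omitted here.

```python
"""PEP/PDP authorization exchange in SAML 2.0 (added example, not product code).

The policy table, names and the in-process transport are assumptions.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RWEDC = "urn:oasis:names:tc:SAML:1.0:action:rwedc-negation"  # Read/Write/Execute/Delete/Control
NSMAP = {"saml": SAML, "samlp": SAMLP}

# Constructed policy: resource prefix -> subject -> permitted actions ("*" = anyone).
POLICY = {
    "https://www.example.com/payroll/": {"alice": {"Read", "Write"}, "bob": {"Read"}},
    "https://www.example.com/public/": {"*": {"Read"}},
}


def _q(ns, name):
    return "{%s}%s" % (ns, name)


def _std_attrs(**extra):
    """ID, Version and IssueInstant, required on requests, responses and assertions."""
    attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
             "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}
    attrs.update(extra)
    return attrs


def build_authz_query(subject, resource, action):
    """PEP side: ask the PDP whether subject may perform action on resource."""
    q = ET.Element(_q(SAMLP, "AuthzDecisionQuery"), _std_attrs(Resource=resource))
    ET.SubElement(ET.SubElement(q, _q(SAML, "Subject")), _q(SAML, "NameID")).text = subject
    ET.SubElement(q, _q(SAML, "Action"), {"Namespace": RWEDC}).text = action
    return ET.tostring(q)


def decide(subject, resource, action):
    """PDP policy evaluation: Permit, Deny, or Indeterminate when no policy applies."""
    for prefix, rules in POLICY.items():
        if resource.startswith(prefix):
            allowed = rules.get(subject, set()) | rules.get("*", set())
            return "Permit" if action in allowed else "Deny"
    return "Indeterminate"


def handle_authz_query(query_bytes):
    """PDP side: parse the query and answer with an AuthzDecisionStatement."""
    q = ET.fromstring(query_bytes)
    subject = q.findtext("saml:Subject/saml:NameID", namespaces=NSMAP)
    resource = q.get("Resource")
    action = q.findtext("saml:Action", namespaces=NSMAP)
    resp = ET.Element(_q(SAMLP, "Response"), _std_attrs(InResponseTo=q.get("ID")))
    status = ET.SubElement(resp, _q(SAMLP, "Status"))
    ET.SubElement(status, _q(SAMLP, "StatusCode"), {"Value": SUCCESS})
    assertion = ET.SubElement(resp, _q(SAML, "Assertion"), _std_attrs())
    ET.SubElement(assertion, _q(SAML, "Issuer")).text = "https://idp.example.com/nidp/saml2/metadata"
    ET.SubElement(ET.SubElement(assertion, _q(SAML, "Subject")), _q(SAML, "NameID")).text = subject
    stmt = ET.SubElement(assertion, _q(SAML, "AuthzDecisionStatement"),
                         {"Resource": resource, "Decision": decide(subject, resource, action)})
    ET.SubElement(stmt, _q(SAML, "Action"), {"Namespace": RWEDC}).text = action
    return ET.tostring(resp)


def pep_allows(subject, resource, action, send=handle_authz_query):
    """PEP side: enforce the PDP's answer, failing closed on anything but Permit.

    `send` stands in for the transport: it takes query bytes and returns response bytes.
    """
    query = build_authz_query(subject, resource, action)
    resp = ET.fromstring(send(query))
    if resp.get("InResponseTo") != ET.fromstring(query).get("ID"):
        return False  # an answer to some other question
    status = resp.find("samlp:Status/samlp:StatusCode", NSMAP)
    if status is None or status.get("Value") != SUCCESS:
        return False
    for stmt in resp.iterfind("saml:Assertion/saml:AuthzDecisionStatement", NSMAP):
        actions = {a.text for a in stmt.findall("saml:Action", NSMAP)}
        if stmt.get("Resource") == resource and action in actions:
            return stmt.get("Decision") == "Permit"
    return False  # no statement covers this resource and action: deny
```

Note that pep_allows checks the statement's Resource and Action against what it asked for and ignores a Permit that concerns anything else; a decision point that answers about the wrong resource, or a replayed response, therefore cannot open a door. In production the response is also signature-checked before any of this logic runs.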
B.5 What's New in SAML 2.0?
SAML 2.0 provides several new features:
Pseudonyms: An arbitrary, opaque identifier assigned by the identity provider to identify a user to
a particular service provider. The identifier has meaning only within the relationship between those
two relying parties. Unlike name identifiers that carry a principal's e-mail address or account name,
a pseudonym reveals nothing about the user and cannot be matched against the identifier another
provider received for the same user. Pseudonyms are a key privacy feature that inhibits collusion
between multiple providers.
Metadata: The SAML metadata specification defines how to express configuration and trust-
related data to simplify SAML deployment. Metadata identifies the Identity Servers involved in
performing single sign-on between trusted identity providers and service providers.
Metadata includes supported roles, identifiers, supported profiles, URLs, certificates, and keys.
Both system entities must hold matching copies of this data.
Encryption: SAML permits attribute statements, name identifiers, or entire assertions to be
encrypted, so that their content stays confidential to the intended recipient even where the
assertion passes through the user's browser on its way to the service provider.
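The metadata that Section B.2 has you import when creating a trusted provider reference, and that the Metadata item above describes, can be inspected before it is saved. The following is an added example, not part of this guide and not Novell Access Manager code: it parses a SAML 2.0 EntityDescriptor, extracts the entityID, roles, endpoints, NameID formats and the SHA-256 fingerprint of each certificate (the value to confirm with the partner out of band), and flags an endpoint that is not HTTPS, a role without a signing certificate, or a role that does not advertise SAML 2.0. The metadata document and the host names in it are constructed, and the X509Certificate element holds placeholder bytes rather than a real certificate.

```python
"""Inspect a SAML 2.0 EntityDescriptor before trusting it (added example).

Sample document and host names are constructed; the certificate is a placeholder.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: an identity provider with one signing certificate.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/nidp/saml2/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>bm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/nidp/saml2/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def fingerprint(der_bytes):
    """SHA-256 of the DER certificate: the value to confirm with the partner."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_entity_descriptor(xml_bytes):
    """Return the entityID and, for each SSO role, its trust-relevant data.

    xml.etree does not fetch external entities, but metadata from a partner
    you do not control is untrusted input; parse it with defusedxml there.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected md:EntityDescriptor, got %s" % root.tag)
    info = {"entityID": root.get("entityID"), "roles": []}
    for role in root:
        if _local(role.tag) not in ("IDPSSODescriptor", "SPSSODescriptor"):
            continue  # Organization, ContactPerson, ... carry no trust data
        entry = {
            "role": _local(role.tag),
            "protocols": (role.get("protocolSupportEnumeration") or "").split(),
            "nameid_formats": [(n.text or "").strip()
                               for n in role.findall("md:NameIDFormat", NS)],
            "certs": [],
            "endpoints": [],
        }
        for kd in role.findall("md:KeyDescriptor", NS):
            # No 'use' attribute means the key serves both signing and encryption.
            use = kd.get("use") or "signing encryption"
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                entry["certs"].append({"use": use, "sha256": fingerprint(der)})
        for child in role:
            if child.get("Location"):  # SingleSignOnService, SingleLogoutService, ...
                entry["endpoints"].append(
                    (_local(child.tag), child.get("Binding"), child.get("Location")))
        info["roles"].append(entry)
    return info


def check_metadata(info):
    """Findings to resolve before the reference is saved; an empty list means none."""
    findings = []
    for role in info["roles"]:
        if SAML2 not in role["protocols"]:
            findings.append("%s: does not advertise SAML 2.0" % role["role"])
        if not any("signing" in c["use"] for c in role["certs"]):
            findings.append("%s: no signing certificate" % role["role"])
        for name, _binding, location in role["endpoints"]:
            if not location.startswith("https://"):
                findings.append("%s %s: not HTTPS (%s)" % (role["role"], name, location))
    return findings
```

Run parse_entity_descriptor(SAMPLE_METADATA) and pass the result to check_metadata; the sample yields no findings, while the same document with an http:// SingleSignOnService location or with the KeyDescriptor marked use="encryption" produces one finding each. The fingerprint is computed over the decoded DER bytes, which is what a partner reads from their own certificate store, so the two sides can compare values directly.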
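How the pseudonyms described above relate to the account association of Section B.3, as an added example that is not part of this guide and not Novell Access Manager code: an identity provider mints a random persistent identifier the first time a user signs on to a given service provider, records the link so that it can map the identifier back to the local account later (for a logout request or attribute query), and emits it as a saml:NameID. The in-memory table, the random-token scheme, and the user and provider names are assumptions; a real Identity Server persists the association and sends the NameID inside a signed assertion.

```python
"""Persistent pseudonyms and the federation table behind them (added example).

Names, the token scheme and the in-memory store are assumptions.
"""
import secrets
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


class FederationStore:
    """One identity provider's map (service provider, pseudonym) <-> local user."""

    def __init__(self, idp_entity_id):
        self.idp = idp_entity_id
        self._by_pair = {}   # (user, sp) -> pseudonym
        self._by_name = {}   # (sp, pseudonym) -> user

    def federate(self, user, sp_entity_id):
        """Return the user's pseudonym at this SP, minting one on first use.

        The value is random, so it says nothing about the user and differs
        for every SP; only this table can link it back to the account.
        """
        key = (user, sp_entity_id)
        if key not in self._by_pair:
            name = secrets.token_urlsafe(24)  # 192 random bits, URL-safe text
            self._by_pair[key] = name
            self._by_name[(sp_entity_id, name)] = user
        return self._by_pair[key]

    def resolve(self, sp_entity_id, pseudonym):
        """Inbound direction (logout, attribute query): which local user is this?"""
        return self._by_name.get((sp_entity_id, pseudonym))

    def defederate(self, user, sp_entity_id):
        """Drop the link; a later login at that SP gets a fresh pseudonym."""
        name = self._by_pair.pop((user, sp_entity_id), None)
        if name is not None:
            del self._by_name[(sp_entity_id, name)]
        return name is not None

    def name_id_element(self, user, sp_entity_id, fmt=PERSISTENT):
        """saml:NameID as it would appear in the assertion sent to the SP."""
        el = ET.Element("{%s}NameID" % SAML, {
            "Format": fmt,
            "NameQualifier": self.idp,         # who issued the identifier
            "SPNameQualifier": sp_entity_id,   # whom it is meaningful to
        })
        if fmt == TRANSIENT:
            el.text = secrets.token_urlsafe(24)  # valid for one session, never stored
        else:
            el.text = self.federate(user, sp_entity_id)
        return el


def colluding_providers_can_link(store, user, sp_a, sp_b):
    """Two SPs compare the identifiers they hold for the same person."""
    return store.federate(user, sp_a) == store.federate(user, sp_b)
```

With random identifiers, colluding_providers_can_link is always false, which is the collusion resistance the Pseudonyms item describes; an e-mail address used as the identifier would make it true. The transient format goes one step further and gives the SP nothing to store at all, at the cost of the SP being unable to recognise a returning user.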
364 Novell Access Manager 3.1 SP2 Identity Server Guide