To add an Identity Provider to the Service Provider federation, you must import the Identity Provider configuration properties.

First, export the Identity Provider federation configuration to a metadata file:

wsadmin>$AdminTask manageItfimFederation { -operation export
-fimDomainName fimipdomain -federationName saml11ip -fileId
/downloads/saml11_ip_metadata.xml }

The following confirmation message is displayed: FBTADM001I Command completed successfully

Next, create the response file that holds the partner properties for the Identity Provider (partner role ip) in the Service Provider federation:

wsadmin>$AdminTask manageItfimPartner { -operation createResponseFile
-fimDomainName fimspdomain -federationName saml11sp -partnerRole ip -fileId
/downloads/saml11_ip_partner_properties.xml }

The following confirmation message is displayed: FBTADM001I Command completed successfully

Edit the response file to set the partner properties described in the following table. Where the CLI property name was not recorded on this page, the cell is left empty.
Configuration item | Description | Your value | CLI Properties or Names
---|---|---|---
Import metadata file | To import a metadata file, you need the file name and its location. (Required) | The fully specified metadata file name. | metadataFileName
Validate Signatures on Artifact Resolution Requests | You have the option of validating the SAML message signatures when browser artifact is used. | Validate signatures for artifact. (Set to true.) |
Validation Key Identifier | Because Browser POST messages must be signed and validated, you must specify a key to validate the signature. If you also select to validate messages when using a browser artifact, use the same validation key to validate them. The key you use is the public key that corresponds to the private key that your partner uses to sign messages. Note: If you are importing partner data, the key is supplied in the metadata file. Before importing the data, create a keystore, then specify a keystore for the key. Before entering partner data manually, obtain the key from the partner and import it into the appropriate keystore in the Tivoli® Federated Identity Manager key service. | Metadata method: |
Server Certificate Validation | Enable server certificate validation. | Set to true. |
Select Server Validation Certificate | The public key for the certificate presented during SSL communication with your partner. Determine the certificate used by you and your partner. You must already have the certificate and keystore for the certificate. | | rtAuthKeyId
Client authentication information | Either: If your partner requires mutual authentication, determine which type to use. Note: Before performing this task, be sure that you and your partner have agreed on where the certificate is to be obtained, and that it has been imported into the keystore in the Tivoli Federated Identity Manager key service. | Or: Disable client authentication by setting the property in the next column to false. | UseClientBasicAuth
Validate SAML Assertions Signature | Validate the SAML assertions signature. (Optional) | Enable SAML signature validation. (Set to true.) |
Select Validation Key for Assertion signature | Specify the assertion signature validation key to use. | Use the keystore alias to find the public key for signature validation. (Default) | SAML11ValidationKey
Create multiple attribute statements in the Universal User | Select this option to keep multiple attribute statements in the groups they were received in. This option might be necessary if your custom identity mapping rules are written to operate on one or more specific groups of attribute statements. If this option is not selected, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUser document. | Set the value to false. | SAML11CreateMultipleUniversalUserAttributes
Finally, create the Identity Provider partner from the completed response file:

wsadmin>$AdminTask manageItfimPartner { -operation create -fimDomainName
fimspdomain -federationName saml11sp -partnerName saml11ip -fileId
/downloads/saml11_ip_partner_properties.xml -signingKeystorePwd testonly }

The following confirmation message is displayed: FBTADM001I Command completed successfully
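Because the partner create step imports whatever the response file contains, it is worth checking the security-relevant properties from the table before running it. The following script is an added example, not part of Tivoli Federated Identity Manager or this procedure. It assumes (a constructed layout, not the product's documented format) that the response file is flat XML of `<property name="..." value="..."/>` elements; compare it with the file that `createResponseFile` actually produced in your environment and adjust `parse_properties()` if the layout differs. Only the property names the table records are checked: `metadataFileName` and `SAML11ValidationKey` must be present and non-empty, `SAML11CreateMultipleUniversalUserAttributes` should be false, and a true `UseClientBasicAuth` is flagged for review since the table keeps it only when the partner requires mutual authentication.

```python
"""Pre-import audit of a SAML 1.1 Identity Provider partner response file.

Added example; the <property name="..." value="..."/> layout is constructed
for illustration and must be matched to the real file before use.
"""
import xml.etree.ElementTree as ET

# Property names are the ones recorded in the table above.
EXPECTED_FALSE = {
    "SAML11CreateMultipleUniversalUserAttributes",  # table: set the value to false
}
REQUIRED_NONEMPTY = {
    "metadataFileName",     # the exported Identity Provider metadata file
    "SAML11ValidationKey",  # keystore alias for assertion signature validation
}
REVIEW_IF_TRUE = {
    "UseClientBasicAuth",   # keep true only if the partner requires mutual auth
}

# Constructed sample response file: two errors and one item to review.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<partnerResponse>
  <property name="metadataFileName" value="/downloads/saml11_ip_metadata.xml"/>
  <property name="UseClientBasicAuth" value="true"/>
  <property name="SAML11ValidationKey" value=""/>
  <property name="SAML11CreateMultipleUniversalUserAttributes" value="true"/>
</partnerResponse>
"""


def parse_properties(xml_text):
    """Return {name: value} for every <property> element (assumed layout)."""
    root = ET.fromstring(xml_text)
    return {
        el.get("name"): (el.get("value") or "")
        for el in root.iter("property")
        if el.get("name")
    }


def audit_partner_properties(props):
    """Return a list of (severity, message) findings; an empty list is clean."""
    findings = []
    for name in sorted(REQUIRED_NONEMPTY):
        if not props.get(name, "").strip():
            findings.append(("error", f"{name} is missing or empty"))
    for name in sorted(EXPECTED_FALSE):
        value = props.get(name, "").strip().lower()
        if value != "false":
            shown = value if value else "unset"
            findings.append(("error", f"{name} should be false, found {shown}"))
    for name in sorted(REVIEW_IF_TRUE):
        if props.get(name, "").strip().lower() == "true":
            findings.append(("review",
                             f"{name} is true; confirm the partner requires mutual authentication"))
    return findings


def audit_file(path):
    """Audit a response file on disk, e.g. the file passed to -fileId."""
    with open(path, encoding="utf-8") as fh:
        return audit_partner_properties(parse_properties(fh.read()))


if __name__ == "__main__":
    for severity, message in audit_partner_properties(parse_properties(SAMPLE_RESPONSE)):
        print(f"[{severity}] {message}")
```

Run `audit_file("/downloads/saml11_ip_partner_properties.xml")` after editing the response file and before the `-operation create` step; an empty result means the recorded properties match the table, while any `error` finding should be fixed first.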