Preparing for federated identity management

The difficulty of getting your system ready for federated identity management depends both on the state of your system and on your knowledge of and experience with SAML, SSO, LDAP, and related technologies.

Before contacting your IBM® customer service representative to enable federated identity management, review the following checklist:
  • Choose the version of SAML that you want to use. You can use either SAML 1.1 or SAML 2.0.
  • Choose the type of federation that you want to employ: Federated, Modified, or Partial. See the topic SAML federated identity concepts for more information.
  • Review the IdP-initiated flow model and the SP-initiated hybrid flow model. See the topic SAML federated identity concepts for more information.
  • Implement SAML on your web server using a federated identity manager.
    Attention: IBM has tested with IBM Tivoli Federated Identity Manager and Microsoft Active Directory Federation Services. Other federated identity managers require you to work with IBM to verify functionality before implementation, to ensure that settings and configurations are correct. This can be a lengthy process but is necessary to prevent organization-wide failures.
  • If you are setting up federated identity for users of mobile apps, create a second endpoint that accepts basic authorization. The mobile apps work with the SP-initiated flow model only.
  • Retrieve or create the private/public key pair that will be used in digital signatures.
  • Integrate your directory server with your SAML service. Administration is easier if all of your users are on the same directory server.
  • Implement and test the SAML Browser/POST profile in either SAML 1.1 or SAML 2.0.
  • Create a dummy service provider and conduct an IdP-initiated single sign-on test to make sure that everything is working correctly.
  • Create a SAML metadata file to transmit your identity provider metadata to the IBM customer service representative. If you are using SAML 1.1, you have the option of transmitting most of the information in an email or by some other means that you negotiate with the IBM customer service representative. However, in this case you must transmit the public key inside a Java keystore.
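The dummy service provider and the IdP-initiated single sign-on test in the checklist above need something on the SP side that receives the posted SAMLResponse and checks it before declaring the test a success. The following Python script is an added example, not code from IBM's documentation or products: it decodes the base64 form value of a Browser/POST response and applies the checks a test endpoint should make (Destination, Status, Issuer, presence of a signature, NotBefore/NotOnOrAfter window with a small clock-skew allowance, AudienceRestriction, and a non-empty NameID). The entity IDs, URLs, and the sample response are constructed placeholders. Cryptographic verification of the XML signature requires an XML-DSig library and is outside the standard library, so this code only checks that a signature element is present and reports a problem when it is not.

```python
"""SP-side checks for a SAMLResponse posted by the IdP during an
IdP-initiated SSO test. Standard library only. All identifiers and
sample data below are constructed placeholders (assumptions), not values
from any real deployment."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed expectations of the test ("dummy") service provider.
EXPECTED_ISSUER = "https://idp.example.org/saml"
EXPECTED_DESTINATION = "https://sp-test.example.com/saml/acs"
EXPECTED_AUDIENCE = "https://sp-test.example.com/saml/metadata"

# Fixed "current time" used by the demo and the tests, so runs are repeatable.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)


def _parse_time(value):
    # SAML carries xs:dateTime values in UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(form_value, now=None, clock_skew=timedelta(minutes=2)):
    """Return a list of problems found in a base64-encoded SAMLResponse
    form field. An empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        root = ET.fromstring(base64.b64decode(form_value, validate=True))
    except Exception as exc:  # bad base64 or malformed XML
        return [f"cannot decode/parse SAMLResponse: {exc}"]

    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]

    # The response must be addressed to this SP's assertion consumer URL.
    if root.get("Destination") != EXPECTED_DESTINATION:
        problems.append("Destination does not match the SP assertion consumer URL")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion (encrypted assertions are not handled here)"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        problems.append(f"unexpected Issuer {issuer!r}")

    # A signature must exist on the Assertion or the Response. Verifying it
    # against the IdP certificate needs an XML-DSig library (not stdlib).
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on Response or Assertion")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no saml:Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + clock_skew < _parse_time(nb):
            problems.append("assertion not yet valid (NotBefore)")
        if noa and now - clock_skew >= _parse_time(noa):
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)
                     if a.text]
        if EXPECTED_AUDIENCE not in audiences:
            problems.append("AudienceRestriction does not name this SP")

    if assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip() == "":
        problems.append("empty Subject/NameID")
    return problems


def build_sample_response(not_on_or_after, issuer=EXPECTED_ISSUER, signed=True):
    """Constructed sample response for exercising the checks; not a real IdP
    message. The signature element is a structural placeholder only."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
           '</ds:Signature>') if signed else ""
    xml = f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{EXPECTED_DESTINATION}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>'''
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # A valid response yields no problems; an unsigned, expired one yields two.
    print(check_saml_response(build_sample_response("2024-05-01T12:05:00Z"), now=SAMPLE_NOW))
    print(check_saml_response(build_sample_response("2024-05-01T11:30:00Z", signed=False), now=SAMPLE_NOW))
```

In a real test endpoint the same function would run on the `SAMLResponse` field of the POST body, with `now` left at the default so the real clock is used; every non-empty result is a reason to keep the test marked as failing until the IdP configuration is corrected.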