The procedure for establishing trust between providers begins with obtaining metadata for the trusted provider. If you are using the Novell Identity Server, protocol-specific metadata is available via a URL. Examples of metadata URLs for server 10.1.1.1 would be:
Liberty: http://10.1.1.1:8080/nidp/idff/metadata
SAML 1.1: http://10.1.1.1:8080/nidp/saml/metadata
SAML 2.0: http://10.1.1.1:8080/nidp/saml2/metadata
The default values nidp and 8080 are established during product installation; nidp is the Tomcat application name.
In the Administration Console, click > > > > .
Click , then click or .
In the Name option, specify a name by which you want to refer to the provider.
Select one of the following methods to obtain the metadata:
Metadata URL: Specify the metadata URL for a trusted provider. The system retrieves the protocol metadata from the specified URL.
If your Identity Server and Administration Console are on different machines, use HTTP to import the metadata. If you are required to use HTTPS with this configuration, you must import the trusted root certificate of the provider into the trust store of the Administration Console: use the Java keytool to import the certificate into the cacerts file in the /opt/novell/java/jre/lib/security directory of the Administration Console.
If you do not want to use HTTP and you do not want to import a certificate into the Administration Console, you can use the Metadata Text option instead. In a browser, enter the HTTP URL of the metadata, view the page source, save the source metadata, then paste it into the Metadata Text option.
Metadata Text: An editable field into which you can paste metadata text copied from an XML document, for use when you obtained the metadata via e-mail or disk rather than from a URL. If you copy metadata text from a Web browser, you must copy the text from the page source.
Manual Entry: (SAML 1.1 only) Allows you to enter the metadata values manually. When you select this option, the system displays the Enter Metadata Values page. See Section 9.5, Editing a SAML 1.1 Trusted Identity Provider's Metadata.
If you are creating a service provider for an Access Gateway or agent, click the following option:
Embedded Service Provider: The Access Gateway and the application server agents (J2EE or Windows) include an embedded service provider (ESP) that can be trusted by identity providers. ESPs run in the same enterprise as the identity provider and are therefore created and configured in the same directory. The ESP provides all of the single sign-on functionality for the Access Gateway or agent. Installed ESPs are displayed in a drop-down list for you to select as a trusted entity. You do not need to enter metadata for an ESP; it is generated automatically.
Click .
Review the metadata certificates, then click .
The system displays the trusted provider on the Liberty page.
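The following is an added example, not code from the Novell documentation or product. It shows what the "review the metadata certificates" step amounts to for metadata fetched from a metadata URL or pasted as Metadata Text: parse the SAML 2.0 EntityDescriptor, pull out the entity ID, the SSO endpoints and the signing certificate, and compare the certificate's SHA-256 fingerprint with the value the partner administrator sent out of band, so that a tampered or mis-copied certificate is caught before the provider is trusted. It also builds the keytool command for the HTTPS case using the cacerts path named above. The sample metadata, the endpoint URLs and the certificate bytes are constructed (the certificate is a placeholder, not a real X.509 blob), and the default cacerts password "changeit" is an assumption to confirm on your installation.

```python
"""Checks on SAML 2.0 provider metadata before trusting the provider
(added example; sample metadata and certificate bytes are constructed)."""
import base64
import hashlib
import hmac
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for a DER-encoded signing certificate.
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real certificate"

# Base64 wrapped and indented, as it looks when copied from a browser's
# page source view (the Metadata Text case).
_CERT_B64 = textwrap.indent(
    textwrap.fill(base64.b64encode(PLACEHOLDER_DER).decode(), 64), "        ")

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://10.1.1.1:8080/nidp/saml2/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://10.1.1.1:8080/nidp/saml2/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://10.1.1.1:8080/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_provider_metadata(xml_text: str) -> dict:
    """Return the entity ID, signing certificates (DER bytes) and SSO endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("metadata root is not a SAML 2.0 EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "signing_certs": [], "sso": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to both signing
        # and encryption, so it counts as a signing key here.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Page-source copies carry line breaks and indentation inside the
            # base64 body; strip all whitespace before decoding.
            b64 = "".join((cert.text or "").split())
            info["signing_certs"].append(base64.b64decode(b64, validate=True))
    for sso in root.iterfind(".//md:SingleSignOnService", NS):
        info["sso"].append((sso.get("Binding"), sso.get("Location")))
    return info


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as keytool and browsers print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def metadata_has_signing_cert(xml_text: str, expected_fingerprint: str) -> bool:
    """True if any signing certificate in the metadata has the expected
    SHA-256 fingerprint; colons and letter case in the input are ignored."""
    wanted = expected_fingerprint.replace(":", "").lower()
    for der in parse_provider_metadata(xml_text)["signing_certs"]:
        got = sha256_fingerprint(der).replace(":", "").lower()
        if hmac.compare_digest(got, wanted):
            return True
    return False


def keytool_import_argv(cert_file: str, alias: str,
                        cacerts: str = "/opt/novell/java/jre/lib/security/cacerts",
                        storepass: str = "changeit") -> list:
    """Arguments for importing the provider's trusted root certificate into
    the Administration Console's cacerts file (needed for HTTPS metadata
    import). 'changeit' is the JRE default password: an assumption to confirm."""
    return ["keytool", "-importcert", "-trustcacerts", "-noprompt",
            "-alias", alias, "-file", cert_file,
            "-keystore", cacerts, "-storepass", storepass]


if __name__ == "__main__":
    info = parse_provider_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for binding, location in info["sso"]:
        print("SSO:", binding.rsplit(":", 1)[-1], location)
    for der in info["signing_certs"]:
        print("signing cert SHA-256:", sha256_fingerprint(der))
    print(" ".join(keytool_import_argv("/tmp/provider-root.pem", "provider-root")))
```

Run it as a script to print the parsed values, or import it and call metadata_has_signing_cert with the fingerprint the other administrator gave you; a False result means the metadata you fetched or pasted does not carry the certificate you expected and the provider should not be saved until that is resolved.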