Single Sign-On Service › SSO Getting Started Guide › SSO using a Third-party IdP and Self-registration › Configure Federated Partnerships › Create the Local SP-to-Remote IdP Partnership › Identify the Partnership

Identify the Partnership

Follow these steps:

1. Select Federation, Partnership Federation, Partnerships.
2. Click Create Partnership.
3. Select SAML2 SP -> IdP.

   Selecting this option indicates that you are the local SP and that the IdP is a remote partner.

   You come to the first step in the partnership wizard.

4. Complete the following fields

   Partnership Name

   Local SP

   Select the local SP. Example: cloudhost.ca.com.

   Remote IdP

   Select the remote ID. For example, Facebook.com

   Skew Time (Seconds)

   Accept the default

   The skew time is the difference between the system time on the local system and the system time on the remote system. Usually, the inaccuracy of system clocks causes this condition. Determine the skew time number by subtracting the number of seconds from the current time.

   The system uses the skew time and the SSO validity duration to determine how long an assertion is valid.

5. Move the cloud host directory from the Available Directories list to the Selected Directories list.

   If you configure only one user directory, that directory is automatically placed in the Selected Directories list.

6. Click Next to go to the Federation User step.

Note: If you are editing a partnership, you can click Get Updates next to this field to update the entity information. The latest information from the entity configuration is propagated to the partnership. However, if you edit the entity information directly from the partnership, the changes do not get propagated back to the individual entity configuration.

Configure User Identification at the Relying Party

Configure user identification so the relying party has a method of locating a user in the local user directory.

Follow these steps:

Note: Click Help for a description of fields, controls, and their respective requirements.

1. Select one of the following attributes for disambiguation:
   • Name ID
   • An attribute from a previously populated drop-down list

     If the remote asserting entity was created based on metadata that contained attributes, the list is populated.

   • An attribute you enter.

     This option is most likely used when metadata is not available and the remote asserting entity does not include any attributes.

   • An Xpath query
2. (Optional—SAML 2.0 only) Select Allow IDP to create user identifier.

   This attribute instructs the asserting party to generate a new value for the NameID, if this feature is enabled at the asserting party. The Name ID Format entry at the asserting party must be a persistent identifier.

3. (Optional—SAML 2.0 only) Select Query parameter overrides identifier.

   This setting lets the relying party send an AllowCreate query parameter to override the value of the AllowCreate attribute configured in the authentication request. Using the query parameter instead of the identifier lets you change the value of the AllowCreate attribute without altering the partnership configuration.

   Note: For the Identity Provider to honor this query parameter setting, select the Allow IDP to create user identifier check box.

4. Specify a directory search specification for each directory listed. Two examples of search specifications are:

   LDAP Example

   uid=%s

   ODBC Example

   name=%s

5. Click Next to continue with the partnership configuration.