A federated partnership relies on trust between the two parties. Part of that trust relationship can be a contractual requirement to obtain user permission before passing identity information to a relying partner. Additionally, giving users control over whether their identity information is exchanged for a requested service helps enforce the trust relationship.
Your federation system, acting as an Identity Provider, supports the SAML 2.0 user consent feature. User consent at the Identity Provider site requires that the Identity Provider ask the user to grant permission before it sends an assertion to a partner. If you enable user consent at the Identity Provider, the Identity Provider prompts the user for consent and passes the consent value in the assertion.
The consent validity period is 5 minutes. When the Identity Provider redirects the user to the consent page, the user has 5 minutes to grant consent. The user is then redirected back to the Identity Provider, which generates the assertion and sends it to the Service Provider. All of these steps must be completed within the 5-minute period. If the time expires before the Identity Provider generates an assertion, the Identity Provider does not pass on the user identity.
Consent applies only to a single assertion. After the Identity Provider generates an assertion, it deletes all record of the consent having been granted. If the same user returns to the Identity Provider before the 5-minute validity period expires, the Identity Provider still prompts the user for consent again.
Note: The validity period is not configurable.
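The consent lifecycle described above (fixed 5-minute window, single use, no assertion without fresh consent) modelled as an added Python example; this is not CA's code, and the in-memory store, session identifiers and the placement of the SAML consent URI in the assertion dictionary are assumptions made for illustration.

```python
import time

# Fixed, non-configurable window described in the text: 5 minutes.
CONSENT_VALIDITY_SECONDS = 5 * 60
# Consent identifier URI defined by the SAML 2.0 core specification.
CONSENT_OBTAINED = "urn:oasis:names:tc:SAML:2.0:consent:obtained"


class ConsentStore:
    """Hypothetical per-session record of consent grants at the IdP.

    A grant is keyed by (session_id, sp_entity_id) so consent given for one
    partner cannot be replayed toward another; `clock` is injectable so the
    expiry behaviour can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._grants = {}  # (session_id, sp_entity_id) -> time granted

    def grant(self, session_id, sp_entity_id):
        """Record that the user clicked 'allow' on the consent page."""
        self._grants[(session_id, sp_entity_id)] = self._clock()

    def consume(self, session_id, sp_entity_id):
        """Return True only if an unexpired grant exists for this pair.

        The record is removed whether or not it is still valid, which gives
        the single-use semantics: a second assertion needs a new prompt.
        """
        granted_at = self._grants.pop((session_id, sp_entity_id), None)
        if granted_at is None:
            return False
        return self._clock() - granted_at <= CONSENT_VALIDITY_SECONDS


def issue_assertion(store, session_id, sp_entity_id, user_id):
    """Build a minimal assertion dict, or None if consent is missing/expired.

    None models the IdP declining to pass on the user identity; the
    'Consent' key models the consent value the text says travels with the
    assertion (a simplification of the real SAML XML).
    """
    if not store.consume(session_id, sp_entity_id):
        return None
    return {"Subject": user_id, "Audience": sp_entity_id, "Consent": CONSENT_OBTAINED}
```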
This figure shows the configuration tasks at each partner.

The configuration tasks at the IdP are:
The configuration task at the SP is:
Copyright © 2012 CA. All rights reserved.