To accomplish remote provisioning, Federation Manager redirects the browser with the assertion data to the provisioning application.
Federation Manager can pass the assertion data using one of three methods:

Legacy cookie: Delivers SAML assertion information in a legacy cookie generated by Federation Manager. The cookie contains a login ID based on the assertion data. If a legacy cookie is used, the Federation Manager Java SDK must be installed on the system with the provisioning application so that the provisioning application can read the legacy cookie.

Note: If you use the legacy cookie, the Federation Manager system and the remote provisioning system must be in the same domain.

Open format cookie: Delivers SAML assertion information in an open format cookie. The cookie contains a login ID based on the assertion data.

Note: If you use the open format cookie, the Federation Manager system and the remote provisioning system must be in the same domain.
The open format cookie can be created in one of two ways:

With a Federation Manager SDK: If you select one of the FIPS algorithms (AES algorithms), you are required to use a Federation Manager SDK to generate the cookie. If you are planning to use the .NET SDK, you are required to use the AES128/CBC/PKCS5Padding encryption algorithm. If the provisioning application uses .NET, the Federation Manager .NET SDK can be installed on the provisioning server and used to read the open format cookie.

The provisioning application must use the same language as the SDK that it uses to create the cookie. If you are using the Federation Manager Java SDK, the application must be in Java. If you are using the .NET SDK, the application must support .NET.

Without a Federation Manager SDK: To create an open format cookie without using a Federation Manager SDK, use any programming language to create the cookie. Review the details about the contents of the open format cookie.

The language you use to write the cookie must support UTF-8 encoding and any of the PBE encryption algorithms that Federation Manager uses for password-based encryption, which include:

The provisioning application cannot read the open format cookie without an SDK if you select a FIPS-compatible (AES) algorithm to encrypt the cookie.

You must also ensure that the open format cookie gets set in the user's browser.
Note: If you installed Federation Manager in FIPS-only mode, only the open format cookie is available.
HTTP headers: If proxy mode is used, this information can also be passed as HTTP headers. If you use HTTP headers, the Federation Manager system and the remote provisioning system can be in different domains.
The delivery option is configurable in the Application Integration step of the Partnership wizard.
After the user is redirected to the provisioning application, Federation Manager no longer has control over the process. If provisioning a user account is a time-consuming process, the provisioning application is responsible for handling this situation, for example, by sending a message to the user that provisioning is in progress. This information lets the user know not to keep trying to log in before a user account is available.
Copyright © 2010 CA. All rights reserved.