

Identify the Partnership

Follow these steps:

  1. Select Federation, Partnership Federation, Partnerships.
  2. Click Create Partnership.
  3. Select SAML2 SP -> IdP.

    Selecting this option indicates that you are the local SP and that the IdP is a remote partner.

    You come to the first step in the partnership wizard.

  4. Complete the following fields:
    Partnership Name
    Local SP

    Select the local SP. Example: cloudhost.ca.com.

    Remote IdP

    Select the remote IdP. For example, Facebook.com.

    Skew Time (Seconds)

    Accept the default.

    The skew time is the difference between the system time on the local system and the system time on the remote system. Usually, this difference results from the inaccuracy of system clocks. Determine the skew time by comparing the two system clocks and entering the difference in seconds.

    The system uses the skew time and the SSO validity duration to determine how long an assertion is valid.

  5. Move the cloud host directory from the Available Directories list to the Selected Directories list.

    If you configure only one user directory, that directory is automatically placed in the Selected Directories list.

  6. Click Next to go to the Federation User step.

Note: If you are editing a partnership, you can click Get Updates next to this field to update the entity information. The latest information from the entity configuration is propagated to the partnership. However, if you edit the entity information directly from the partnership, the changes do not get propagated back to the individual entity configuration.

Configure User Identification at the Relying Party

Configure user identification so the relying party has a method of locating a user in the local user directory.

Follow these steps:

  1. Select one of the following attributes for disambiguation:

    Click Help for the field descriptions.

  2. (Optional—SAML 2.0 only) Select Allow IDP to create user identifier.

    This attribute instructs the asserting party to generate a new value for the NameID, if this feature is enabled at the asserting party. The Name ID Format entry at the asserting party must be a persistent identifier.

  3. (Optional—SAML 2.0 only) Select Query parameter overrides identifier.

    This setting lets the relying party send an AllowCreate query parameter to override the value of the AllowCreate attribute configured in the authentication request. Using the query parameter instead of the identifier lets you change the value of the AllowCreate attribute without altering the partnership configuration.

    Note: For the Identity Provider to honor this query parameter setting, select the Allow IDP to create user identifier check box.

  4. Specify a directory search specification for each directory listed. Two examples of search specifications are:
    LDAP Example

    uid=%s

    ODBC Example

    name=%s

  5. Click Next to continue with the partnership configuration.

Single Sign-on Configuration (Relying Party)

To configure single sign-on at the relying party, specify the SAML binding and the other related SSO settings.

At the relying party, the system uses the skew time for the partnership to determine whether the assertion it receives is valid. To understand how the system uses the configured skew time, read more about assertion validity.
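The following Python snippet is an added illustration of the skew-time rule described here and in the Skew Time field above; it is not CA code and does not reproduce the product's internal checks. It assumes the usual SAML convention that the relying party accepts an assertion only while the current time falls inside the Conditions window (NotBefore to NotOnOrAfter, the latter exclusive), widened on both ends by the configured skew time.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion fragment (not a real partner's assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks a complete Conditions element")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def assertion_is_valid(assertion_xml, now, skew_seconds):
    """Relying-party check (assumed model): accept the assertion only if 'now'
    lies inside the Conditions window widened by the skew time on both ends.
    A larger skew tolerates more clock drift but also lengthens the window in
    which a captured assertion would still be accepted, so keep it small."""
    if skew_seconds < 0:
        raise ValueError("skew time must be non-negative")
    not_before, not_on_or_after = conditions_window(assertion_xml)
    skew = timedelta(seconds=skew_seconds)
    return (not_before - skew) <= now < (not_on_or_after + skew)
```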

The procedure that follows offers the basic steps to enable single sign-on. Details about all the configurable features in the sign-on dialog are described in subsequent topics and in the CSP console help.

Follow these steps:

  1. Begin at the appropriate step in the partnership wizard for your protocol:
    SAML 1.1: Single Sign-On
    SAML 2.0: SSO and SLO
    WS-Federation: Single Sign-On and Sign-Out

  2. Configure the settings in the SSO section of the dialog. These settings let you control the single sign-on binding.

    Click Help for the field descriptions.

    For SAML, configure the HTTP-Artifact or the HTTP-POST profile. If the relying party initiates single sign-on, it includes a query parameter in the request. This query parameter indicates the SSO binding to use. If no binding is specified, the default is POST. If the asserting party initiates single sign-on, the asserting party indicates the binding in use for that particular transaction.

  3. (Optional) For SAML 2.0, you can configure these settings:
  4. If you select the HTTP-Artifact profile, configure the authentication method for the back channel in the Back Channel section of the dialog.
  5. For the remaining settings, accept the defaults.

The basic settings for single sign-on are complete. Other settings are available for SSO. Click Help for the field descriptions.