Create an Entity without Using Metadata

Single Sign-On Service › SSO Getting Started Guide › SSO Using Advanced Authentication and Provisioning for a Sensitive Application › Configure an IdP to SP Partnership › Create the IdP and SP Entities › Create an Entity without Using Metadata

Create an Entity without Using Metadata

Create an entity without metadata by using the following process:

Indicate an entity type.
Configure the specifics about that entity type.
Confirm the entity configuration.

Entity Type Choice

The first step in configuring an entity is to establish the entity type and determine the entity role.

To establish the entity type

Log in to the CSP console.
Select Federation, Partnership Federation, Entities.
Click Create Entity.
The Create Entity dialog displays.

Note: Click Help for a description of fields, controls, and their respective requirements.
Select one of the following options:

Local

Indicates that you are creating an entity that is local to your site.

Remote

Indicates that you are configuring an entity that represents the partner at the remote site.
Configure the remaining fields:

New Entity Type

Select the asserting or relying party.

SAMLToken Type (WS-FED only)

Select the token type, which defines the SAML format for the encrypted token that contains user credential information. Choose the Legacy option only if you want the token to comply with the SAML token type for WS-Federation 1.0.
Click Next to configure specifics about the entity.

Detailed Local Entity Configuration

After you have specified the entity type, configure the details of the entity. For a local entity, define the following information:

Identification information about the entity
Signature and encryption options
Name ID formats and attributes

Follow these steps:

Begin at the Configure Entity step.
Complete any required fields for features and services for the local entity type you are configuring.
Click Help for a description of the fields.
Click Next.
The Confirm dialog is displayed.

Be aware of the following features:

Entity ID and Entity Name Settings

If the Entity ID represents a remote partner, the value must be unique. If the Entity ID represents a local partner, it can be reused on the same system.

The Entity Name identifies an entity object in the policy store. The Entity Name must be a unique value. This value is for internal use only; the remote partner is not aware of this value.

Note: The Entity Name can be the same value as the Entity ID, but do not share the value with other entities at the same site.

Signing and Encryption Features

For signing and encryption features, you must have the appropriate key/certificate entries in the certificate data store. If you do not have the appropriate key/certificate entries, click Import to import a private key/certificate pair from a file on your local system. You can also import trusted certificates.

Note: If you are using SAML 2.0 POST profile, signing assertions is required.

WSFED Attributes (WS-Federation only)

You can specify various service URLs and IDs for WS-Federation entites to communicate.

Name ID Formats

You can indicate the identifier types that the federated entity supports.

Assertion Attribute Configuration (asserting partners only)

You can configure the asserting party to include specific assertion attributes when it generates an assertion. The recommended method is to define these attributes at the entity level. The entity serves as a template for the partnership so any assertion attributes you define for the entity get propagated to the partnership. The benefit of defining assertion attributes at the entity is that it enables you to use an entity in more than one partnership.

If you want to add or remove assertion attributes for the partnership, make such modifications at the partnership level, not at the entity level.

Detailed Remote Entity Configuration

After you have specified the entity type, configure the details of the entity. For a remote entity type, define the following information:

Identification information about the entity
Signature and encryption options
NameID and attribute information

Follow these steps:

Begin at the Configure Entity step.
Specify the Assertion Consumer Service URL. Examples:
- If the SP is a site such as Google, the URL can be similar to:
  https://www.google.com/a/example.com/acs
- If the SP is a site such as Salesforce.com, the URL can be similar to:
  https://login.salesforce.com/?saml=EK05LGnm40H7
- If the SP is another business partner, the URL can be similar to:
  http://myserver.forwardinc.com:9080/samlsp/acs
Complete any other required fields for features and services for the remote entity type.
Click Help for the field descriptions.
Click Next.
The Confirm dialog is displayed.

Be aware of the following features:

Entity ID and Entity Name Settings

If the Entity ID represents a remote partner, the value must be unique. If the Entity ID represents a local partner, it can be reused on the same system.

The Entity Name identifies an entity object in the policy store. The Entity Name must be a unique value. This value is for internal use only; the remote partner is not aware of this value.

Note: The Entity Name can be the same value as the Entity ID, but do not share the value with other entities at the same site.

Signing and Encryption Features

Note: If you are using SAML 2.0 POST profile, signing assertions is required.

WSFED Attributes (WS-Federation only)

You can specify various service URLs and IDs for WS-Federation entites to communicate.

Name ID Formats

You can indicate the identifier types that the federated entity supports.

Assertion Attribute Configuration (asserting partners only)

If you want to add or remove assertion attributes for the partnership, make such modifications at the partnership level, not at the entity level.

Confirm the Entity Configuration

Review the entity configuration before saving it.

Follow these steps:

Review the settings in the entity dialog.
Click Back to modify any settings from this dialog.
Click Finish when you are satisfied with the configuration.

A new entity is configured.

Editing Entities from the Partnership

You can click Get Updates next to the local and remote entity fields to update information about the entity. When you select Get Updates, the system asks to pull in the latest information from the entity.

After confirmation, the partnership you are editing is refreshed with the latest entity information. Changes are saved when you complete the partnership wizard. If you do not confirm the update, the partnership configuration remains the same.

The Entity Name identifies an entity object for in the policy store. The Entity Name must be the unique identifier because the product uses this value internally to distinguish an entity. This value is not used externally and the remote partner is not aware of this value.

If the Entity ID represents a remote partner, the value must be unique. If the Entity ID represents a local partner, it can be reused on the same system.

Note: The Entity Name can be the same value as the Entity ID, but do not share the value with any other entity.

An entity is a key component of a federation partnership. Changing an entity alters the partnership significantly; therefore, the CSP console does not let you replace an entity after it is in a partnership. To replace an entity, create a partnership.

To provide some flexibility within partnership configuration, you can change an entity ID because it does not identify the entity uniquely. Changing the entity ID at the partnership level does not link the partnership to another entity. The original entity in the partnership does not change. Modifications to an entity are a one-way propagation from the entity to the partnership. A change to the entity ID at the partnership does not get propagated back to the original entity.

Regard entity configurations as templates. Partnerships are created based on the entity templates so changing the partnership does not change the original entity template.