

How to Create an Entity without Using Metadata

Create an entity without metadata by using the following process:

  1. Indicate an entity type.
  2. Configure the specifics about that entity type.
  3. Confirm the entity configuration.

Entity Type Choice

The first step in configuring an entity is to establish the entity type and determine the entity role.

To establish the entity type

  1. Log in to the Administrative UI.
  2. Select Federation, Partnership Federation, Entities.
  3. Click Create Entity.

    The Create Entity dialog displays.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  4. Select one of the following options:
    Local

    Indicates that you are creating an entity that is local to your site.

    Remote

    Indicates that you are configuring an entity that represents the partner at the remote site.

  5. Configure the remaining fields:
    New Entity Type

    Select the asserting or relying party.

    SAMLToken Type (WS-FED only)

    Select the token type, which defines the SAML format for the encrypted token that contains user credential information. Choose the Legacy option only if you want the token to comply with the SAML token type for WS-Federation 1.0.

  6. Click Next to configure specifics about the entity.

Detailed Local Entity Configuration

After you have specified the entity type, configure the details of the entity. For a local entity, complete the following procedure, then review the feature notes that follow it.

Follow these steps:

  1. Begin at the Configure Entity step.
  2. Complete any required fields for features and services for the local entity type you are configuring.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  3. Click Next.

    The Confirm dialog is displayed.

Be aware of the following features:

Entity ID and Entity Name Settings

If the Entity ID represents a remote partner, the value must be unique. If the Entity ID represents a local partner, it can be reused on the same system.

The Entity Name identifies an entity object in the policy store. The Entity Name must be a unique value. This value is for internal use only; the remote partner is not aware of this value.

Note: The Entity Name can be the same value as the Entity ID, but do not share the value with other entities at the same site.

Signing and Encryption Features

For signing and encryption features, you must have the appropriate key/certificate entries in the certificate data store. If you do not have the appropriate key/certificate entries, click Import to import a private key/certificate pair from a file on your local system. You can also import trusted certificates.

Note: If you are using SAML 2.0 POST profile, signing assertions is required.

WSFED Attributes (WS-Federation only)

You can specify various service URLs and IDs for WS-Federation entities to communicate.

Name ID Formats

You can indicate the identifier types that the federated entity supports.

Assertion Attribute Configuration (asserting partners only)

You can configure the asserting party to include specific assertion attributes when it generates an assertion. The recommended method is to define these attributes at the entity level. The entity serves as a template for the partnership so any assertion attributes you define for the entity get propagated to the partnership. The benefit of defining assertion attributes at the entity is that it enables you to use an entity in more than one partnership.

If you want to add or remove assertion attributes for the partnership, make such modifications at the partnership level, not at the entity level.

Detailed Remote Entity Configuration

After you have specified the entity type, configure the details of the entity. For a remote entity type, complete the following procedure, then review the feature notes that follow it.

Follow these steps:

  1. Begin at the Configure Entity step.
  2. Specify the Assertion Consumer Service URL. Examples:
  3. Complete any other required fields for features and services for the remote entity type.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  4. Click Next.

    The Confirm dialog is displayed.

Be aware of the following features:

Entity ID and Entity Name Settings

If the Entity ID represents a remote partner, the value must be unique. If the Entity ID represents a local partner, it can be reused on the same system.

The Entity Name identifies an entity object in the policy store. The Entity Name must be a unique value. This value is for internal use only; the remote partner is not aware of this value.

Note: The Entity Name can be the same value as the Entity ID, but do not share the value with other entities at the same site.

Signing and Encryption Features

For signing and encryption features, you must have the appropriate key/certificate entries in the certificate data store. If you do not have the appropriate key/certificate entries, click Import to import a private key/certificate pair from a file on your local system. You can also import trusted certificates.

Note: If you are using SAML 2.0 POST profile, signing assertions is required.

WSFED Attributes (WS-Federation only)

You can specify various service URLs and IDs for WS-Federation entities to communicate.

Name ID Formats

You can indicate the identifier types that the federated entity supports.

Assertion Attribute Configuration (asserting partners only)

You can configure the asserting party to include specific assertion attributes when it generates an assertion. The recommended method is to define these attributes at the entity level. The entity serves as a template for the partnership so any assertion attributes you define for the entity get propagated to the partnership. The benefit of defining assertion attributes at the entity is that it enables you to use an entity in more than one partnership.

If you want to add or remove assertion attributes for the partnership, make such modifications at the partnership level, not at the entity level.
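The Entity ID, Entity Name, signing and Assertion Consumer Service URL rules described in the local and remote feature notes above can be checked before anything is saved. The following lint is an added example written for this page, not code from the product or its documentation; the Entity dataclass, its field names, the binding values and the HTTPS check on the consumer URL are assumptions for illustration.

```python
# Added example: apply the entity rules from the documentation above to a
# constructed list of entity definitions (field names and values are assumed).
from dataclasses import dataclass


@dataclass
class Entity:
    name: str                    # Entity Name: internal policy-store name, must be unique
    entity_id: str               # Entity ID: value the remote partner also uses
    scope: str                   # "local" or "remote"
    role: str                    # "asserting" or "relying"
    protocol: str                # "SAML2" or "WSFED"
    binding: str = ""            # SSO binding, e.g. "POST" or "Artifact" (assumed field)
    sign_assertions: bool = False
    acs_url: str = ""            # Assertion Consumer Service URL of a remote relying party


def lint_entities(entities):
    """Return (entity name, problem) tuples; an empty list means no rule was broken."""
    problems = []
    names_seen = set()
    remote_ids_seen = set()
    for e in entities:
        # Entity Name must be unique across every entity on the system.
        if e.name in names_seen:
            problems.append((e.name, "Entity Name is already in use"))
        names_seen.add(e.name)
        # Entity ID must be unique for remote entities; local IDs may be reused.
        if e.scope == "remote":
            if e.entity_id in remote_ids_seen:
                problems.append((e.name, f"remote Entity ID {e.entity_id!r} is already in use"))
            remote_ids_seen.add(e.entity_id)
        # SAML 2.0 POST profile requires signed assertions.
        if e.protocol == "SAML2" and e.binding == "POST" and not e.sign_assertions:
            problems.append((e.name, "SAML 2.0 POST profile requires signing assertions"))
        # A remote relying party needs a consumer URL; requiring HTTPS is an added check.
        if e.scope == "remote" and e.role == "relying":
            if not e.acs_url:
                problems.append((e.name, "Assertion Consumer Service URL is missing"))
            elif not e.acs_url.startswith("https://"):
                problems.append((e.name, "Assertion Consumer Service URL is not HTTPS"))
    return problems


# Constructed sample entities (illustrative values, not from any real deployment).
SAMPLE = [
    Entity("local-idp", "https://idp.example.com/saml2", "local", "asserting", "SAML2", "POST", True),
    Entity("partner-a-sp", "https://sp-a.example.net", "remote", "relying", "SAML2", "POST", False,
           "http://sp-a.example.net/acs"),
    Entity("partner-a-sp", "https://sp-a.example.net", "remote", "relying", "SAML2", "Artifact", True,
           "https://sp-a.example.net/acs"),
]

if __name__ == "__main__":
    for name, problem in lint_entities(SAMPLE):
        print(f"{name}: {problem}")
```

Run against the constructed sample, the second entry is flagged for unsigned POST-profile assertions and a plain-HTTP consumer URL, and the third for reusing both the Entity Name and the remote Entity ID.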

Confirm the Entity Configuration

Review the entity configuration before saving it.

Follow these steps:

  1. Review the settings in the entity dialog.
  2. Click Back to modify any settings from this dialog.
  3. Click Finish when you are satisfied with the configuration.

A new entity is configured.

Entity Configuration Changes from a Partnership

You can change an entity ID value for the remote entity from within the context of a single partnership configuration. However, changing the entity ID at the partnership level does not link the partnership to another entity, nor does it update the original entity. Modifications to an entity are a one-way propagation from the entity to the partnership. A change to the entity ID at the partnership level does not get propagated to the original entity.

Note: The entity ID you specify has to match what your remote partner is using.

Regard entity configurations as templates. Partnerships are created based on the entity templates so changing the partnership does not change the original entity template.

Refer to editing an entity from a partnership for more details about entities within a partnership.