Skip to main content

How to create the identity & service provider

&&TODO&& ??????????????????

Step-by-step

1. To create an identity provider is advisable to install a dedicated sync server. It can be configured as a proxy sync server as it does not need direct access to Sofid database. Instead, it will connect to main sync servers to get users and federation information.

To install a proxy sync server follow the instructions at the Install Syncserver page.

2. The next step will be to create the Identity Provider:

2.1. Open the  Identity & Service providers page

Main Menu > Administration > Configure Soffid > Web SSO > Identity & Service providers

2.2. Add a new group to the Federation by clicking the "Add group" button. To create a new Entity Group will be mandatory to fulfill the Entity Group name and save (dick button) or apply changes (Apply changes button). 

When the Entity Group is created, inside there will be two options, one to create the Identity Providers and other to create the Service Providers.

2.2.1. Clicking on the Identity Providers record, it will be able to create new identity providers.

2.2.1. Clicking on the Service Providers record, it will be able to create new service providers.

3. New Identity Provider

3.1. To create a new Identity Provider you can view the Identity Provider page.

When you are creating a Soffid Identity Provider, to create an agent will be necessary. On the connector parameters you must define a unique Public ID which will be used on the Identity Provider configuration. To create an agent you can visit the Agents page.

3.2. Also, you must define protocol or subset of protocols implemented by the Identity Provider. You can visit the Profiles chapter

3.3. Sending identities attributes

When a service providers requires the user information, the mechanism to publish the user attributes is a two step process:

    1. The attribute values are computed based on the attributes value expression.
    2. The policies are evaluated to guess which attributes and attribute values can be disclosed for the requesting service provider.

This mechanism is triggered when:

      • The user is authenticated and a SAML assertion with attributes statements is being sent to the service provider (SSO Profile).
      • The service provider queries the user attributes using the SAML AttributeQueryProfile.
      • the user is authenticated and a OpenIDConnect token is generated, as the OpenIDConnect token contains all the user attributes.
      • The service provider queries the user attributes using the OpenIDConnect user-info endpoint.

4. To create a new Service Provider, you can view the Service Provider page.

 

Back to top