Skip to main content

Virtual Identity Provider

Definition

A single identity provider usually offers different profiles or service levels to diffeferent service provider. To be able to define this behavior, any Identity Provider can be split into many virtual identity providers. Those identity providers will be served by the same actual identity provider, but they will have different profile configurations.

Screen overview

&&TODO&&

Standard attributes

Identification

  • publicID: unique name to identify the identity provider.
  • Name: user friendly name to identify the identity provider.
  • Organization: company name of the external IdP.
  • Contact: email address of the external IdP.

Service configuration

  • Metadata: the Metadata for an Identity Provider defines how this Identity Provider delivers its service:
    • Which security algorithms does it support.
    • The public portion of it's signing and encrypting keys.
    • The SAML protocols does it support.
    • The URL of each SAML protocol endpoint.
    • Contact information.

Leave it blank as Soffid IdP will fulfill it for you.

SAML Security

  • PublicKey:  &&TODO&& ¿Como funciona??
    • if this field is black, Soffid IdP will generate a self-signed certificate.
    • if the option "Generates public / private key" is selected, it will generate a new private and public key pair and it will allow you to generate a certificate request file, also known as PKCS#10 or CSR file. The certificate authority will be able to create a certificate for you using this certificate request.
    • if the option "Upload PKCS12 file" is selected, it will allows you to upload a PKCS#12 file. It contains the private and public keys. Mind that PKCS#12 files use to be protected by a PIN
  • Certificate chain: text plain certificate created with the previous options.

Authentication

  • Authentication methods: matrix to define the authentication methods that will be required to successfully authenticate the user. Each row indicates the first authentication method, and each column indicates the second factor to use.
    • Adaptive authentication: &&TODO&&
  • Kerberos domain: &&TODO&&&allows to pick a file, que configuración tienen que tener ese fichero?

Advances authentication

  • Allow user to recover password: if it is checked (selected value is Yes), and the password recovery addon is installed, the user will be allowed to execute the password recovery mechanism.
  • Allow user to self-register: if it is checked (selected value is Yes), the user will be allowed to register itself. This option sends an email to the user to verify the email address is correct, and then lets the user to enter a new password.
  • Registet identities identified by external IdPs: allows Soffid IdP to automatically register a new identity when a user authenticates with a third-party IdP, and this identity does not exist yet in Soffid database. Furthermore, at the third party IdP configuration page, one can tune how this identity is going to be created.

&&TODO&&

https://confluence.soffid.com/display/SOF/Soffid+managed+Identity+Provider

Profiles

&&TODO&& ¿cuantos profiles puede haber activos?

A profile is a protocol implemented by the Identity Provider. There are some accepted protocols, those allows a custom config dependent on the selected profile

  • OpenIDProfile
  • SAML1ArtifactResolutionProfile
  • SAML1AttributeQueryProfile
  • SAML2ArtifactResolutionProfile
  • SAML2AttributeQueryProfile
  • SAML2ECPProfile
  • SAML2SSOProfile

You can visit the Profiles chapter for more information about each one.

Service Providers

&&TODO&&