Skip to main content

Virtual Identity Provider

Definition

A single identity provider usually offers different profiles or service levels to diffeferent service provider. To be able to define this behavior, any Identity Provider can be split into many virtual identity providers. Those identity providers will be served by the same actual identity provider, but they will have different profile configurations.

Standard attributes

Identification

  • publicID: unique name to identify the identity provider.
  • Name: user friendly name to identify the identity provider.
  • Organization: company name of the external IdP.
  • Contact: email address of the external IdP.

Service configuration

  • Metadata: the Metadata for an Identity Provider defines how this Identity Provider delivers its service:
    • Which security algorithms does it support.
    • The public portion of it's signing and encrypting keys.
    • The SAML protocols does it support.
    • The URL of each SAML protocol endpoint.
    • Contact information.

Leave it blank as Soffid IdP will fulfill it for you.

SAML Security

  • PublicKeyPublic key:  &&TODO&& Revisar?
    • ifGenerate thispublic/private fieldkey: is black, Soffid IdP will generate a self-signed certificate.
      • ifDelete the option "Generates public / public/private key"key: is selected, it will generate a new private and public key pair and it will allowallows you to generatedelete the public/private key generated previously.
      • Generate PKCS10: generates a certificatePKCS10 file (Certification request file,standard)
        • also
      known as PKCS#10 or CSR file. The certificate authority will be able to create a certificate for you using this certificate request.
    • if the option "Upload PKCS12 file" is selected, it willfile: allows you to upload a PKCS#12 file. ItThat containsfile must contain the private and public keys.kesus and the server certificate as weel. Mind that PKCS#12 filesfile use to be protected by a PINPIN.
  • Certificate chain: text plaincertificate certificatechain created with one of the previous options.

    Authentication

     

    • Authentication methods: matrix to define the authentication methods that will be required to successfully authenticate the user. Each row indicates the first authentication method, and each column indicates the second factor to use.
      • Adaptive authentication: that option allows you to add additional authentication matrix which will be run when the condition defined was comply.
        • Description: rule description to identify it.
        • Condition: script to enable that rule. The result of the rule must be true or false. There are some available vars to create the condition. You can visit the Condition for Adaptive authentication page for more information and some examples. &&TODO&&
        • Matrix: to define the authentication methods that will be required to successfully authenticate the user. Each row indicates the first authentication method, and each column indicates the second factor to use.
      • Kerberos domain: &&TODO&&&allows to pick a file, que configuración tienen que tener ese fichero?

      Advances authentication

      • Allow user to recover password: if it is checked (selected value is Yes), and the password recovery addon is installed, the user will be allowed to execute the password recovery mechanism.
      • Allow user to self-register: if it is checked (selected value is Yes), the user will be allowed to register itself. This option sends an email to the user to verify the email address is correct, and then lets the user to enter a new password.
      • Registet identities identified by external IdPs: allows Soffid IdP to automatically register a new identity when a user authenticates with a third-party IdP, and this identity does not exist yet in Soffid database. Furthermore, at the third party IdP configuration page, one can tune how this identity is going to be created.

      Profiles

      A profile is a protocol implemented by the Identity Provider. There are some accepted protocols, those allows a custom config dependent on the selected profile

      • OpenIDProfile
      • SAML1ArtifactResolutionProfile
      • SAML1AttributeQueryProfile
      • SAML2ArtifactResolutionProfile
      • SAML2AttributeQueryProfile
      • SAML2ECPProfile
      • SAML2SSOProfile

      You can visit the Profiles chapter for more information about each one.

      Service Providers

      It will be necessary to bind any service provider to the virtual identity provider. When no such bind exists for a service provider, the actual identity provider profile configuration applies. 

       

    Back to top