Federated Identity Providers

In an identity bridging configuration, the Federated Identity Provider (FIP) is an essential element when bridging disparate security domains. It allows the Federated Gateway (authorization domain) to authorize requests containing credentials originating in the Trusted Authority (authentication domain). Credentials may be X.509 certificates signed by trusted certificate authorities (CAs) or SAML tokens signed by a Security Token Service. Alternatively, a Federated Identity Provider may not contain any certificates.
The generic "Trusted Authority" and "Federated Gateway" references are used in the identity bridging examples, workflows, and instructions. The Trusted Authority is the certificate authority (CA) that issues and manages security credentials and that is responsible for authentication. The Federated Gateway is the web service provider that is responsible for authorization.
The trust store in the Federated Gateway is the repository for the certificates from other security domains that may be required by the FIP in an identity bridging configuration. Certificates are defined and added to the trust store with the Add Certificate Wizard prior to creating the FIP in the Federated Gateway. The chosen credential source and optional configuration elements outlined in Workflow Using an X.509 Certificate or Workflow Using SAML determine certificate and FIP configuration details. Once the trusted certificates are added to a new FIP, federated users, groups, and/or virtual groups can be created to authorize corresponding users, groups, or credential patterns in the Federated Gateway security domain.
For the SAML credential source, SAML constraints are defined in the Require SAML Token Profile assertion that is included in the Web service policy. Ensure that all required certificates are added to the trust store prior to creating a Federated Identity Provider.
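The following Go program is an added illustration of the X.509 workflow described above; it is not code from the gateway product or its documentation, and the names in it (the "Example Partner" organization, the users alice, bob and carol, the groups and the CA names) are constructed sample data. It models the Federated Gateway side with Go's standard crypto/x509 package: the Trusted Authority's CA certificate is placed in a trust store, a federated user, a federated group and a virtual group (a subject DN pattern) are defined, and four presented credentials are authorized. The point it makes is the ordering the page relies on: the credential must chain to a certificate in the trust store before any user or group mapping is consulted, so a credential that carries a known DN but was issued by a CA the gateway never imported is rejected. The SAML credential source is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// FederatedIdentityProvider is a hypothetical model of the Federated Gateway side of identity
// bridging: the trust store of CA certificates imported from the Trusted Authority domain, plus
// the federated users, groups and virtual groups authorized in the gateway's own domain.
type FederatedIdentityProvider struct {
	TrustStore    *x509.CertPool
	Users         map[string]string         // subject DN -> federated user name
	Groups        map[string][]string       // federated user name -> federated group names
	VirtualGroups map[string]*regexp.Regexp // virtual group name -> subject DN pattern
}

// Authorize verifies that the credential chains to a CA in the trust store and only then maps
// its subject DN to a federated identity; a DN signed by an unknown CA never reaches the mapping.
func (fip *FederatedIdentityProvider) Authorize(cert *x509.Certificate) (string, []string, error) {
	opts := x509.VerifyOptions{Roots: fip.TrustStore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", nil, fmt.Errorf("credential not issued by a trusted authority: %w", err)
	}
	subject := cert.Subject.String()
	principal := fip.Users[subject]
	groups := append([]string(nil), fip.Groups[principal]...) // copy, so the map's slice is never mutated
	for name, pattern := range fip.VirtualGroups {
		if pattern.MatchString(subject) {
			groups = append(groups, name)
		}
	}
	if principal == "" && len(groups) == 0 {
		return "", nil, fmt.Errorf("trusted credential but no federated user or virtual group matches %q", subject)
	}
	if principal == "" {
		principal = subject // authorized only through a virtual group pattern
	}
	return principal, groups, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a constructed test certificate under the sample organization "Example Partner":
// a self-signed CA (a stand-in for the Trusted Authority) when parent is nil, otherwise a client
// certificate signed by parent.
func makeCert(cn, ou string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}, Organization: []string{"Example Partner"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildDemo constructs the scenario: the Trusted Authority CA goes into the trust store (the
// Add Certificate Wizard step), one federated user and one virtual group are defined, and four
// credentials are presented, one carrying alice's DN but issued by a CA that was never imported.
func buildDemo() (*FederatedIdentityProvider, map[string]*x509.Certificate) {
	trustedCA, trustedKey := makeCert("Partner Root CA", "PKI", nil, nil)
	rogueCA, rogueKey := makeCert("Untrusted Root CA", "PKI", nil, nil)
	trust := x509.NewCertPool()
	trust.AddCert(trustedCA)
	fip := &FederatedIdentityProvider{
		TrustStore:    trust,
		Users:         map[string]string{"CN=alice,OU=Finance,O=Example Partner": "alice"},
		Groups:        map[string][]string{"alice": {"partner-users"}},
		VirtualGroups: map[string]*regexp.Regexp{"finance-approvers": regexp.MustCompile(`(^|,)OU=Finance(,|$)`)},
	}
	alice, _ := makeCert("alice", "Finance", trustedCA, trustedKey)
	bob, _ := makeCert("bob", "Finance", trustedCA, trustedKey)
	carol, _ := makeCert("carol", "Sales", trustedCA, trustedKey)
	forged, _ := makeCert("alice", "Finance", rogueCA, rogueKey)
	return fip, map[string]*x509.Certificate{"alice": alice, "bob": bob, "carol": carol, "forged-alice": forged}
}

func main() {
	fip, creds := buildDemo()
	for _, label := range []string{"alice", "bob", "carol", "forged-alice"} {
		principal, groups, err := fip.Authorize(creds[label])
		fmt.Printf("%-13s principal=%q groups=%v err=%v\n", label, principal, groups, err)
	}
}
```

Running the program authorizes alice as a named federated user with both her federated group and the virtual group, authorizes bob through the virtual group pattern alone (his principal is his subject DN), rejects carol because her trusted credential matches nothing federated, and rejects the forged credential at the trust-store check even though its DN is identical to alice's. The virtual group pattern is applied to the RFC 2253 string form of the subject DN, which is why the trust store, not the DN text, has to be the first gate.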