Federation Wizard

Step-by-step guide to setting up identity federation using the Authonomy Federation Wizard

Federation Wizard Setup Guide

Set up secure identity federation relationships between your organization and partners using Authonomy’s guided Federation Wizard. This administrative tool walks you through configuring SAML and OIDC federation without requiring deep technical expertise.

Overview

The Federation Wizard simplifies the complex process of establishing trust relationships between identity providers. Instead of manually configuring federation metadata, certificates, and endpoints, the wizard guides you through each step with clear instructions and validation.

When to Use the Federation Wizard

  • Partner Integration: Enable single sign-on access for business partners
  • Mergers & Acquisitions: Quickly establish trust with newly acquired organizations
  • Customer Federation: Allow customer organizations to authenticate through their own IDPs
  • Multi-Domain Organizations: Federate between different divisions or subsidiaries

Prerequisites

Before starting the Federation Wizard, ensure you have:

  • Administrative Access: Authonomy admin role with federation permissions
  • Partner Coordination: Communication channel with the partner organization’s IT team
  • Federation Metadata: Partner’s IDP metadata XML or endpoint URLs
  • Certificates: X.509 certificates for signing and encryption (if required)
  • Business Approval: Authorization to establish the federation relationship

Pre-Wizard Preparation

Information Gathering Checklist

Complete this checklist before launching the wizard:

Partner Organization Details

  • Organization name and domain
  • Technical contact information
  • Business relationship context
  • Expected user count and access patterns

Technical Requirements

  • Federation protocol (SAML 2.0 or OIDC)
  • Partner IDP type (Okta, Azure AD, Google, etc.)
  • Metadata URL or XML file
  • Signing certificate (PEM or DER format)
  • Encryption requirements
  • Attribute mapping requirements

Security Configuration

  • Authentication requirements (MFA, certificate-based, etc.)
  • Session timeout policies
  • Access restrictions (IP allowlists, time-based access)
  • Logging and auditing requirements

Certificate Preparation

For SAML federation, prepare certificates in advance:

# Verify certificate format
openssl x509 -in partner-signing.crt -text -noout

# Convert certificate formats if needed
openssl x509 -in partner-cert.der -inform DER -out partner-cert.pem -outform PEM

Federation Wizard Walkthrough

Step 1: Access the Federation Wizard

  1. Navigate to Administration

    • Log into Authonomy dashboard
    • Click Administration → Federation Management
    • Select New Federation Relationship
  2. Choose Federation Type

    • Select Partner Federation for external organizations
    • Choose Customer Federation for client organizations
    • Select Internal Federation for subsidiary relationships

Step 2: Partner Organization Setup

The wizard will prompt for partner organization details:

Basic Information

  • Organization Name: Legal entity name
  • Display Name: User-friendly name for login screens
  • Domain: Primary email domain for automatic user routing
  • Contact Email: Technical contact for federation issues

Business Context

  • Relationship Type: Partner, Customer, Subsidiary, etc.
  • Access Level: Full, Limited, Read-only
  • User Provisioning: Just-in-time, Pre-provisioned, Manual
  • Access Duration: Permanent, Time-limited, Project-based

Step 3: Identity Provider Configuration

Configure the partner’s IDP details:

SAML 2.0 Configuration

  • Metadata Source: Upload XML file or provide metadata URL
  • Entity ID: Partner IDP identifier (auto-populated from metadata)
  • SSO Endpoint: SAML authentication URL
  • SLO Endpoint: Single logout URL (optional)
  • Signing Certificate: Upload partner’s public certificate

OIDC Configuration

  • Discovery Endpoint: OIDC well-known configuration URL
  • Client ID: Provided by partner organization
  • Client Secret: Secure credential (encrypted storage)
  • Scopes: openid, profile, email, groups (customize as needed)
  • Response Type: code (authorization code flow recommended)

Step 4: Attribute Mapping

Map partner IDP attributes to Authonomy user fields:

Standard Mappings

Partner Attribute | Authonomy Field   | Required
email             | Email Address     | Yes
givenName         | First Name        | Yes
surname           | Last Name         | Yes
department        | Department        | No
groups            | Group Memberships | No

Custom Attribute Mapping

  • Role Mapping: Map partner groups to Authonomy roles
  • Department Mapping: Organizational unit assignments
  • Custom Fields: Map additional attributes as needed

Example role mapping:

Partner Group → Authonomy Role
"Admins" → "Federation Administrator"
"Users" → "Standard User"
"Contractors" → "Limited Access"
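The standard mapping table and the role mapping above describe a transformation that is easy to get subtly wrong: a required attribute the partner never releases, a group name that differs only in case, or an email whose domain does not belong to the partner at all. The following is an added example (not Authonomy's own provisioning logic) that applies exactly those mappings to a constructed assertion, reports every missing required attribute at once, matches group names case-insensitively, and refuses an email outside the partner's registered domain so that one partner's IdP cannot assert identities for another domain. The partner domain and the field names on the Authonomy side are assumptions.

```python
"""Attribute and role mapping for a federated login (added example, not Authonomy code)."""

# Standard mappings from the Step 4 table: partner attribute -> (Authonomy field, required).
ATTRIBUTE_MAP = {
    "email": ("email_address", True),
    "givenName": ("first_name", True),
    "surname": ("last_name", True),
    "department": ("department", False),
    "groups": ("group_memberships", False),
}

# Role mapping from the example above. Keys are lower-cased so that "Admins" and
# "admins" resolve to the same role; unmapped groups grant no role at all.
ROLE_MAP = {
    "admins": "Federation Administrator",
    "users": "Standard User",
    "contractors": "Limited Access",
}

# Assumed: the domain entered as "Domain" in Step 2 for this partner.
PARTNER_DOMAIN = "partner.example"

# Constructed sample of the attributes a partner IdP might release.
SAMPLE_PARTNER_ATTRS = {
    "email": "jdoe@partner.example",
    "givenName": "Jane",
    "surname": "Doe",
    "groups": ["Admins", "users", "Finance"],
}


def map_attributes(partner_attrs, partner_domain=PARTNER_DOMAIN):
    """Return (user_record, problems). A non-empty problems list means the login must be refused."""
    user, problems, missing = {}, [], []
    for partner_name, (field, required) in ATTRIBUTE_MAP.items():
        value = partner_attrs.get(partner_name)
        if value in (None, "", []):
            if required:
                missing.append(partner_name)
            continue
        user[field] = value
    if missing:
        problems.append("partner IdP did not release required attributes: " + ", ".join(missing))
    email = user.get("email_address")
    if email:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain != partner_domain.lower():
            problems.append(f"email domain {domain!r} is not the partner's registered domain {partner_domain!r}")
    return user, problems


def assign_roles(user):
    """Map released group names to Authonomy roles; order follows the released groups."""
    groups = user.get("group_memberships", [])
    if isinstance(groups, str):  # some IdPs release a single-valued attribute as a string
        groups = [groups]
    roles = []
    for group in groups:
        role = ROLE_MAP.get(group.strip().lower())
        if role and role not in roles:
            roles.append(role)
    return roles


if __name__ == "__main__":
    record, issues = map_attributes(SAMPLE_PARTNER_ATTRS)
    print(record, issues, assign_roles(record))
```

The unmapped "Finance" group is ignored rather than granted a default role, which keeps the federation at least privilege; if the partner later renames "Admins" to "ADMINS", the lower-casing keeps the assignment stable, whereas an exact-match implementation would silently strip the administrator role.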

Step 5: Security Policies

Configure security policies for the federation:

Authentication Policies

  • Multi-Factor Authentication: Enforce MFA requirements
  • Certificate-Based Auth: Require client certificates
  • IP Restrictions: Limit access by source IP ranges
  • Time-Based Access: Restrict access to business hours

Session Management

  • Session Timeout: Maximum idle time (default: 8 hours)
  • Concurrent Sessions: Maximum sessions per user
  • Session Sharing: Allow session sharing across applications
  • Force Re-authentication: Require periodic re-auth

Data Protection

  • Attribute Release: Control which attributes are shared
  • Audit Logging: Enable detailed access logging
  • Data Residency: Specify data storage requirements
  • Encryption: Force encryption for all communications

Step 6: Testing and Validation

The wizard includes built-in testing capabilities:

Connection Testing

  1. Metadata Validation: Verify metadata format and accessibility
  2. Certificate Validation: Check certificate validity and trust chain
  3. Endpoint Testing: Validate SSO and SLO endpoints
  4. Protocol Testing: Test authentication flow with test user

Test User Creation

  • Create temporary test account in partner IDP
  • Use generic credentials: testuser@partner-domain.com
  • Verify attribute mapping and role assignment
  • Test access to target applications

Validation Checklist

  • Metadata successfully imported
  • Certificates validated and trusted
  • Test authentication successful
  • Attributes properly mapped
  • Roles correctly assigned
  • Access policies enforced

Step 7: Federation Activation

Final steps to activate the federation:

Review Configuration

  • Summary Review: Verify all configuration settings
  • Security Review: Confirm security policies are appropriate
  • Business Review: Validate business rules and access levels

Deployment Options

  • Staging Deployment: Deploy to test environment first
  • Phased Rollout: Gradual activation for user subsets
  • Full Production: Immediate activation for all users

Monitoring Setup

  • Health Checks: Configure federation health monitoring
  • Alert Policies: Set up alerts for authentication failures
  • Usage Reporting: Enable usage and access reporting

Post-Setup Management

Monitoring Federation Health

After activation, monitor federation performance:

Key Metrics

  • Authentication Success Rate: Target >99.5%
  • Response Time: Average authentication latency
  • User Activity: Login frequency and patterns
  • Error Rates: Failed authentications and causes
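As an added example of computing the first and last of these metrics from authentication logs (not Authonomy's own reporting code), the script below parses a constructed log format, computes the per-partner success rate, flags any partner below the 99.5% target, and lists the most common failure reasons so the "causes" column is available at the same time as the rate. The log line layout and the reason codes are assumptions; adapt the regular expression to the real log source.

```python
"""Per-partner authentication success rate and failure causes (added example, not Authonomy code)."""
import re
from collections import Counter, defaultdict

TARGET_SUCCESS_RATE = 0.995  # the >99.5% target from Key Metrics

# Assumed log layout: <timestamp> partner=<name> user=<email> result=success|failure [reason=<code>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) partner=(?P<partner>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)(?: reason=(?P<reason>\S+))?$"
)

# Constructed sample: acme has 4 successes and 2 signature failures, globex is clean.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z partner=acme user=a.lee@acme.example result=success
2024-05-01T09:00:07Z partner=acme user=b.ng@acme.example result=success
2024-05-01T09:00:12Z partner=acme user=c.ortiz@acme.example result=failure reason=invalid_signature
2024-05-01T09:00:20Z partner=globex user=d.ito@globex.example result=success
2024-05-01T09:00:31Z partner=acme user=c.ortiz@acme.example result=failure reason=invalid_signature
2024-05-01T09:00:44Z partner=acme user=e.rao@acme.example result=success
2024-05-01T09:00:50Z partner=globex user=f.adu@globex.example result=success
2024-05-01T09:01:02Z partner=acme user=g.kim@acme.example result=success
this line is not an authentication event and is skipped
2024-05-01T09:01:10Z partner=globex user=d.ito@globex.example result=success
"""


def parse_log(text):
    """Return one dict per authentication event; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def federation_metrics(events):
    """Aggregate attempts, success rate and top failure reasons per partner."""
    totals = defaultdict(lambda: {"success": 0, "failure": 0, "reasons": Counter()})
    for e in events:
        bucket = totals[e["partner"]]
        bucket[e["result"]] += 1
        if e["result"] == "failure":
            bucket["reasons"][e["reason"] or "unspecified"] += 1
    report = {}
    for partner, b in totals.items():
        attempts = b["success"] + b["failure"]
        rate = b["success"] / attempts
        report[partner] = {
            "attempts": attempts,
            "success_rate": rate,
            "below_target": rate < TARGET_SUCCESS_RATE,
            "top_reasons": b["reasons"].most_common(3),
        }
    return report


def partners_to_alert(report):
    """Partners whose success rate fell below the target, for the alert policy in Step 7."""
    return sorted(p for p, r in report.items() if r["below_target"])


if __name__ == "__main__":
    report = federation_metrics(parse_log(SAMPLE_LOG))
    for partner, r in report.items():
        print(f"{partner}: {r['success_rate']:.1%} of {r['attempts']} attempts, reasons {r['top_reasons']}")
    print("alert:", partners_to_alert(report))
```

A repeated invalid_signature reason for one partner is the pattern the Common Issues table attributes to certificate expiry or a metadata change, so the failure cause points straight at the remediation.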

Health Dashboard

Access federation health through:

  • Administration → Federation Management → [Partner Name] → Health

Common Issues and Solutions

Issue              | Symptoms                | Solution
Certificate Expiry | Authentication failures | Update certificates via wizard
Metadata Changes   | Connection errors       | Re-import metadata
Attribute Changes  | Missing user data       | Update attribute mappings
Policy Changes     | Access denied errors    | Review security policies

Managing Federation Changes

Certificate Renewal

  1. Obtain new certificate from partner
  2. Administration → Federation Management → [Partner] → Certificates
  3. Upload new certificate
  4. Test connection
  5. Schedule old certificate removal

Metadata Updates

  1. Download updated metadata from partner
  2. Administration → Federation Management → [Partner] → Configuration
  3. Click Update Metadata
  4. Upload new metadata file
  5. Validate changes and test

User Access Management

  • Add Users: Enable just-in-time provisioning for new users
  • Remove Users: Disable access for departing users
  • Bulk Operations: Use CSV import for large user changes
  • Temporary Access: Grant time-limited access for contractors

Security Best Practices

Regular Security Reviews

  • Quarterly Certificate Audits: Check certificate expiry dates
  • Access Pattern Analysis: Review unusual login patterns
  • Policy Updates: Update policies based on threat landscape
  • Penetration Testing: Include federation in security assessments

Incident Response

  1. Immediate Response: Disable federation if compromise suspected
  2. Investigation: Analyze logs and access patterns
  3. Communication: Coordinate with partner organization
  4. Recovery: Implement fixes and re-enable federation

Troubleshooting Common Issues

Authentication Failures

SAML Issues

  • Invalid Signature: Verify signing certificate is current
  • Clock Skew: Check time synchronization between systems
  • Audience Restriction: Verify Entity ID matches configuration
  • Attribute Format: Check attribute name format and values
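Three of these four SAML failures come down to the checks a service provider applies to the Conditions and Issuer of an incoming assertion. The following is an added example (not Authonomy's own SAML implementation) that evaluates a constructed assertion the way a validator would: it refuses an unsigned assertion, confirms the Issuer is the configured partner Entity ID, enforces NotBefore/NotOnOrAfter with a tolerated clock skew, and requires our own Entity ID in the AudienceRestriction. Signature verification itself is out of scope here; it requires an XML-DSig library checking against the certificate from the partner's metadata. The SP entity ID, the partner entity ID, the three-minute skew and the assertion contents are assumptions.

```python
"""Issuer, validity-window and audience checks on a SAML assertion (added example, not Authonomy code).
Signature presence is checked structurally; cryptographic verification is left to an XML-DSig library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
OUR_ENTITY_ID = "https://authonomy.example/sp"  # assumed: our SP entity ID
PARTNER_ENTITY_ID = "https://idp.partner.example/saml"  # assumed: the partner IdP entity ID
CLOCK_SKEW = timedelta(minutes=3)  # assumed tolerance for time drift between IdP and SP

# Constructed sample assertion valid from 08:59 to 09:05 UTC; the signature is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_placeholder-id" Version="2.0"
    IssueInstant="2024-05-01T09:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T08:59:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://authonomy.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, now_iso, expected_issuer=PARTNER_ENTITY_ID, our_entity_id=OUR_ENTITY_ID):
    """Return a list of problems for the assertion as seen at time now_iso; empty means accept."""
    now = parse_saml_time(now_iso)
    root = ET.fromstring(xml_text)
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned: reject before any other check")
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the configured partner Entity ID")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion carries no Conditions element")
        return problems
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < parse_saml_time(not_before):
        problems.append("assertion not yet valid: NotBefore is in the future (check clock sync)")
    if not_on_or_after and now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
        problems.append("assertion expired: NotOnOrAfter has passed (check clock sync)")
    audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if our_entity_id not in audiences:
        problems.append(f"audience {audiences} does not include our Entity ID {our_entity_id!r}")
    return problems


if __name__ == "__main__":
    for moment in ("2024-05-01T09:01:00Z", "2024-05-01T09:10:00Z", "2024-05-01T08:50:00Z"):
        print(moment, check_assertion(SAMPLE_ASSERTION, moment))
```

The validity window is only six minutes wide, so a few minutes of drift on either side is enough to produce the "Clock Skew" failure; the tolerance keeps honest drift from breaking logins without letting an assertion be replayed long after it expired.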

OIDC Issues

  • Invalid Client: Verify Client ID and Secret
  • Scope Errors: Check requested scopes are permitted
  • Redirect URI Mismatch: Verify redirect URI configuration
  • Token Expiry: Check token lifetime settings
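On the OIDC side the equivalent checks apply to the ID token's claims. The following is an added example (not Authonomy's own token handling) that decodes a constructed compact JWT, rejects an unsigned (alg none) header, and then validates issuer, audience, azp, expiry and issued-at with a tolerated skew, and the nonce. It deliberately does not verify the signature: that must be done first against the provider's JWKS (the jwks_uri from discovery) with a JOSE library, and these claim checks only mean anything on a token whose signature has already passed. The issuer, client ID, nonce, epoch times and skew are assumptions.

```python
"""ID token claim validation after signature verification (added example, not Authonomy code)."""
import base64
import json
import time

ISSUER = "https://idp.partner.example"          # assumed: issuer from the discovery document
CLIENT_ID = "authonomy-client-placeholder"       # assumed: the Client ID entered in Step 3
SKEW_SECONDS = 180                               # assumed tolerance for clock drift

# Constructed sample claims: issued at 09:00:00 UTC, expiring at 09:10:00 UTC on 2024-05-01.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "partner-subject-placeholder",
    "aud": CLIENT_ID,
    "iat": 1714554000,
    "exp": 1714554600,
    "nonce": "nonce-placeholder",
    "email": "jdoe@partner.example",
}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims, header=None):
    """Assemble a constructed compact JWT for the checks below; the signature segment is a placeholder."""
    header = header or {"alg": "RS256", "kid": "kid-placeholder"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     "PLACEHOLDER-SIGNATURE"])


def check_id_token(token, expected_issuer=ISSUER, client_id=CLIENT_ID, now_epoch=None, expected_nonce=None):
    """Return a list of problems with the token's header and claims; empty means the claims are acceptable."""
    now = int(time.time()) if now_epoch is None else now_epoch
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected three segments)"]
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("header alg is none: token is unsigned and must be rejected")
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match the discovery issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not contain our client_id")
    elif len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not our client_id")
    exp = claims.get("exp")
    if exp is None or now - SKEW_SECONDS >= exp:
        problems.append("token expired or has no exp claim")
    iat = claims.get("iat")
    if iat is not None and iat > now + SKEW_SECONDS:
        problems.append("iat is in the future (check clock sync)")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the value sent in the authorization request")
    return problems


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print(check_id_token(token, now_epoch=1714554060, expected_nonce="nonce-placeholder"))
    print(check_id_token(token, now_epoch=1714555000))
```

The "Invalid Client" and "Token Expiry" symptoms above map onto the aud and exp findings respectively; an iss mismatch usually means the discovery endpoint configured in Step 3 points at a different tenant than the one issuing tokens.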

Attribute Mapping Problems

Missing Attributes

  1. Check partner IDP attribute release policy
  2. Verify attribute names in mapping configuration
  3. Test with partner’s test user account
  4. Review attribute transformation rules

Incorrect Role Assignment

  1. Verify group attribute mapping
  2. Check role assignment rules
  3. Test with users in different groups
  4. Review case sensitivity in group names

Performance Issues

Slow Authentication

  • Network Latency: Check network connectivity to partner
  • Certificate Chain: Optimize certificate validation
  • Metadata Caching: Enable metadata caching
  • Connection Pooling: Configure connection pooling

High Error Rates

  • Load Balancing: Distribute load across IDP endpoints
  • Retry Logic: Configure appropriate retry policies
  • Circuit Breaker: Implement circuit breaker pattern
  • Fallback Authentication: Configure backup authentication methods

Advanced Configuration

Custom Authentication Flows

For complex requirements, configure custom flows:

Multi-Step Authentication

  1. Configure primary authentication with partner IDP
  2. Add secondary authentication factor
  3. Configure conditional access rules
  4. Test multi-step flow

Conditional Access

  • Location-Based: Restrict access by geographic location
  • Device-Based: Require managed devices
  • Risk-Based: Additional verification for high-risk access
  • Time-Based: Restrict access to business hours

API Integration

For programmatic federation management:

Federation API Endpoints

  • POST /api/v1/federation/relationships - Create new federation
  • PUT /api/v1/federation/relationships/{id} - Update configuration
  • GET /api/v1/federation/relationships/{id}/health - Check health
  • DELETE /api/v1/federation/relationships/{id} - Remove federation

Automation Scripts

Use automation for routine tasks:

  • Certificate renewal notifications
  • Metadata synchronization
  • User provisioning automation
  • Health check monitoring

Next Steps

After completing federation setup:

The Federation Wizard streamlines identity federation setup, enabling secure partner access without complex manual configuration. For advanced use cases or custom requirements, contact Authonomy support for assistance.