314 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010

C.2 Trusted Provider Reference Metadata

Metadata is generated by the Identity Server and is used for server communication and identification. Metadata can be obtained as a URL or as an XML document and is then entered in the system when you create the trusted provider reference. Metadata is exchanged with federation partners and supplies contact and organization information for the Identity Server. Metadata is generated automatically for SAML 2.0. You enter it manually for SAML 1.1. (See Chapter 5, "Configuring SAML and Liberty Trusted Providers," on page 141.)

IMPORTANT: The SAML 2.0 and Liberty 1.2 protocols define a logout mechanism whereby the service provider sends a logout command to the trusted identity provider when a user logs out at a service provider. SAML 1.1 does not provide such a mechanism. For this reason, when a logout occurs at the SAML 1.1 service provider, no logout occurs at the trusted identity provider. A valid session is still running at the identity provider, and no credentials need to be entered. In order to log out at both providers, users must navigate to the identity provider that authenticated them to the SAML 1.1 service provider and log out manually.

C.3 Identity Federation

Identity federation is the association of accounts between an identity provider and a service provider, while maintaining privacy protection. From an administrative perspective, this type of sharing can help reduce identity management costs because multiple organizations do not need to independently collect and maintain identity-related data, such as passwords. From the end user's perspective, this results in an enhanced experience by requiring fewer sign-ons.

C.4 Authorization Services

When a user has authenticated to a site or application, the user has access to a resource controlled by a Policy Enforcement Point (PEP). The PEP checks whether the user may access the desired resource, and the user is either granted or denied access. SAML is used as the communication mechanism between the PEP and a Policy Decision Point (PDP). In Novell product terminology, a PEP could be thought of as the Novell® Access Gateway, and the PDP as Novell eDirectory™ or another service.

C.5 What's New in SAML 2.0?

SAML 2.0 provides several new features:

• Pseudonyms: An arbitrary name assigned by the identity provider to identify a user to a service provider. The identifier has meaning only in the context of the relationship between the relying parties. They can be a principal's e-mail address or account name. Pseudonyms are a key privacy feature that inhibits collusion between multiple providers.

• Metadata: The SAML metadata specification defines how to express configuration and trust-related data to simplify SAML deployment. Metadata identifies the Identity Servers involved in performing single sign-on between trusted identity providers and service providers. Metadata includes supported roles, identifiers, supported profiles, URLs, certificates, and keys. System entities must agree upon the data.

• Encryption: SAML permits attribute statements, name identifiers, or entire assertions to be encrypted. Encryption ensures that end-to-end confidentiality of these elements can be supported as needed.
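As an added example (not from the guide and not Novell's code), the following Python script reads a constructed SAML 2.0 EntityDescriptor and pulls out the items that sections C.2 and C.5 say metadata carries (roles, entity identifier, endpoints, NameID formats, certificates), then reports what an administrator would settle with the partner before creating the trusted provider reference: whether a logout endpoint, a persistent (pseudonymous) identifier format and an encryption key are advertised. The hostnames, paths and certificate value in the sample are placeholders.

```python
import xml.etree.ElementTree as ET  # partner metadata is untrusted input; use a hardened parser (e.g. defusedxml) in production
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"  # the pseudonym format

# Constructed sample EntityDescriptor for an identity provider; hostnames and the certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/nidp/saml2/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def local(tag): return tag.rsplit("}", 1)[-1]  # '{namespace}Name' -> 'Name'

def parse_metadata(xml_text):
    """Collect what the guide says metadata carries: roles, identifier, endpoints, NameID formats, keys."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "roles": [], "endpoints": {}, "nameid_formats": [], "keys": {}}
    for role in root:
        if not local(role.tag).endswith("Descriptor"):
            continue  # skip Organization, ContactPerson, Extensions
        info["roles"].append(local(role.tag))
        for child in role:
            name = local(child.tag)
            if name == "KeyDescriptor":
                use = child.get("use", "both")  # no 'use' attribute means the key serves signing and encryption
                cert = child.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
                info["keys"].setdefault(use, []).append(cert)
            elif name == "NameIDFormat":
                info["nameid_formats"].append((child.text or "").strip())
            elif child.get("Location"):  # any endpoint element: SingleSignOnService, SingleLogoutService, ...
                info["endpoints"].setdefault(name, []).append((child.get("Binding"), child.get("Location")))
    return info

def review_metadata(info):
    """Findings to settle with the partner before the trusted provider reference is created."""
    findings = []
    if "SingleLogoutService" not in info["endpoints"]:
        findings.append("no SingleLogoutService: a logout at the service provider will not reach this provider")
    if PERSISTENT not in info["nameid_formats"]:
        findings.append("no persistent NameID format: pseudonymous federation is not advertised")
    if not ("encryption" in info["keys"] or "both" in info["keys"]):
        findings.append("no encryption key: assertions cannot be encrypted to this provider")
    return findings
```

Running `review_metadata(parse_metadata(SAMPLE_METADATA))` on the sample reports only the missing encryption key, since the constructed provider publishes a logout endpoint and the persistent format but only a signing certificate.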