
Sun ONE Portal Server 6.2 Administrator's Guide

Appendix H  
SSO Adapter Templates and Configurations

This appendix describes how to configure the single sign-on (SSO) adapter in order to adjust options available to end users.

This appendix contains the following sections:

  • Overview of the Single Sign-On Adapter
  • SSO Adapter Template Format: Global
  • SSO Adapter Configuration Format: Dynamic
  • SSO Adapter Template and Configuration Examples

Overview of the Single Sign-On Adapter

The single sign-on adapter service allows end users to use applications, such as a portal server provider or any other web application, to gain authenticated access to various resource servers after signing in once. The resource servers that can be accessed depend on the implementations of the SSO Adapter interface that are available in the system. Currently, Sun™ ONE Portal Server provides SSO Adapters for the following resource servers: Address Book, Calendar, and Mail. Single Sign-On for the Instant Messaging channel is not achieved through SSO Adapter but through the use of the Sun ONE Identity Server authentication method. For information on this method, see the authMethod property in Table 12-1. The Address Book, Calendar, and Mail services are available through the products:

Resource servers are typically accessed by an application using a standard application programming interface (API), such as JavaMail for accessing a mail server. To create an authenticated connection using the API, the API must be provided the configuration data for the connection. The purpose of the SSO Adapter is to provide this configuration data, and the SSO Adapter service is used to store that data.

The SSO Adapter service defines two levels of data, templates and configurations. An SSO Adapter template defines a class of connections that are going to be made available to users. A single template is used by many users. It defines data values that are the same for all users that use the template including default values and identification of what values can be edited by a user. Therefore, SSO Adapter templates are defined at a global service level.

An SSO Adapter configuration builds upon a template by providing data values that are specific to an organization, role, or user. A configuration references a template, and takes data values from the template for those properties that are not editable by the user. When an end user changes the user-editable properties of an SSO Adapter configuration, that configuration would then apply only to that one user.

A Sun ONE Portal Server communication channel that uses the SSO Adapter service references either a template or a configuration to get data values needed to obtain a connection to a resource server. If the channel references a template, and the user saves configuration information, the reference is changed to refer to a configuration instead. The configuration then references the template.


SSO Adapter Template Format: Global

Global Attributes for the SSO Adapter

Table 14-25 describes the global attributes—which is actually just one attribute—for the SSO Adapter. The table contains three columns: the first column identifies the attribute, the second column provides the default value for the attribute, and the third column describes the attribute.

Table 14-25  SSO Adapter - Global Attributes

Attribute: SSOAdapterTemplates

Default Value: The default value depends on the services that were configured during installation.

Description: The SSOAdapterTemplates attribute is a list of strings where each string is in the format of a URL. This string effectively defines a set of name/value pairs. This attribute defines all of the SSO adapters that are available in the system. It also defines all of the ways in which an SSO adapter can be configured.

The default values for an SSO adapter are defined in the SSOAdapterTemplates attribute, and organization, role, or user-specific instances are stored in the SSOAdapterConfigurations attribute.

Accessing SSO Adapter Templates

To access the SSO Adapter Template from the Sun™ ONE Identity Server admin console:

  1. From an Internet browser, log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://psserver.company22.example.com:80/amconsole
  2. Click the Service Configuration tab to display the list of configurable services in the navigation pane (the lower left frame).
  3. Scroll down the navigation pane to the Single Sign-on Adapter Configuration heading and click the arrow next to SSO Adapter to bring up the SSO Adapter page in the data pane (lower right frame).

About SSO Adapter Templates

SSO Adapter templates are created in order to handle server settings. The templates are represented as uniform resource locators (URLs) described in RFC 1738 published by the World Wide Web Consortium (W3C).

The template string contains various properties that—when configured—provide required information to back-end systems.

Template strings are editable in order to allow administrators to assign values to properties within the strings and to apply certain rules of use to those properties.

Template strings start with the word “default” followed by the pipe symbol, “|.” Therefore, any template string entered by an administrator is required to start with the “default|” combination. Each template string contains a protocol that follows the pipe symbol. Strings that contain the IMAP and POP protocols apply to Mail SSO Adapter implementations; strings that begin with the HTTP protocol are used by Calendar SSO Adapter implementations; and strings that begin with the LDAP protocol are used by Address Book SSO Adapter implementations.

Code Example 14-1 is an Address Book SSO Adapter template. This example uses LDAP port 489 instead of the LDAP default port, 389. Using a non-default LDAP port in this example demonstrates the use of two fragments of code that are not necessary when the default LDAP port is used: a colon paired with the LDAP port number—:489—and the following substring—&default=port.

Template strings appear in the field as one long string; however, for readability purposes, the following string has been divided here into separate lines where line breaks have been added preceding each ampersand (&).

Code Example 14-1  Address Book SSO Adapter Template

default|ldap://company22.example.com:489/?configName=SUN-ONE-ADDRESS-BOOK
    &pabSearchBase=o=pab
    &userSearchBase=o=example.com
    &aid=uid=msg-admin,ou=People,o=company22.example.com,o=example.com
    &adminPassword=admin
    &imapHost=imserver.company22.example.com
    &imapPort=143
    &clientPort=1080
    &enableProxyAuth=false
    &proxyAdminUid=[PROXY-ADMIN-UID]
    &proxyAdminPassword=[PROXY-ADMIN-PASSWORD]
    &userAttribute=uid
    &type=AB-TYPE
    &subType=sun-one
    &ssoClassName=com.sun.ssoadapter.impl.LDAPABSSOAdapter
    &encoded=password
    &default=ssoClassName
    &default=host
    &default=port
    &default=pabSearchBase
    &default=userSearchBase
    &default=aid
    &default=adminPassword
    &default=imapHost
    &default=imapPort
    &default=clientPort
    &default=type
    &default=subType
    &default=enableProxyAuth
    &default=proxyAdminUid
    &default=proxyAdminPassword
    &default=userAttribute
    &merge=uid
    &merge=password
    &default=enablePerRequestConnection
    &enablePerRequestConnection=true

The following line of code is an example of the possible properties in the front portion of an SSO Adapter template string or an SSO Adapter configuration string. This portion when compared to Code Example 14-1 demonstrates how properties are assigned values. Table 14-26 clarifies each property and Table 14-27 explains the property types.

protocol://uid:password@host:port/?configName=configuration-name&ssoClassName=sso-adapter-class&...

The preceding portion of an SSO Adapter template string is the proper format for both templates—which apply to all users of that Sun ONE Portal Server instance—and configurations—which apply to specific organizations, roles, and users. However, certain fragments of the preceding portion often do not appear within a template or configuration string. For example, the fragment “uid:password@” is not commonly used within templates because it is generally a value that is specific to a particular user.

Using the aforementioned fragment within an SSO Adapter template sets the same user ID and password for all users. This type of configuration is plausible in some situations. For example, a site might want to create a read-only calendar that lists site-wide events. All users would get the Calendar channel on their Desktops using the same user ID and password and they would see the same calendar.

Table 14-26  Some of the Properties in an SSO Adapter Template String

Property Name: protocol
Description: The protocol used to talk to the server.
Necessity: Optional

Property Name: uid
Description: The User ID of the user who is on the server that is referenced by host.
Necessity: Optional

Property Name: password
Description: The password—which is encoded—of the user on the server referenced by host.
Necessity: Optional

Property Name: host
Description: The server host name.
Necessity: Optional

Property Name: port
Description: The server port number.
Necessity: Optional

Property Name: configName
Description: The name of the SSO Adapter Template.
Necessity: Mandatory

Property Name: ssoClassName
Description: The fully qualified class name for the SSO Adapter.
Necessity: Mandatory

Property Name: type
Description: The type of service to which an SSO Adapter template or configuration applies. This property is useful for putting a collection of SSO Adapter templates or configurations into type-related groups; for example, to help select a default configuration when the selection is not explicit. Currently, the value can be one of the following:

  • AB-TYPE
  • MAIL-TYPE
  • CALENDAR-TYPE

Necessity: Optional

Property Name: subType
Description: The vendor or product specific platform to which the SSO Adapter template or configuration applies. This property is useful when you want to support features for a specific product or platform. Currently, the value can be one of the following:

  • sun-one
  • notes
  • exchange

Necessity: Optional

Property Name: enablePerRequestConnection
Description: A performance tuning option; this boolean property has a default setting of true.

If enablePerRequestConnection=true, then every request to the portal desktop opens a new connection to the back-end store and closes the connection.

If enablePerRequestConnection=false, then the Portal Desktop opens a new connection to the back-end store at portal log in and closes the connection when the user’s session is terminated.

Necessity: Optional

SSO Adapter templates recognize the following property types:

Table 14-27  Property Types in an SSO Adapter Template String

Property Type: merge
Description: Denotes that this value is user editable. In Code Example 14-1, notice that only two values can be edited by the user: uid and password.

Property Type: default
Description: Denotes that an attribute is set to a default, which is actually a two step process. In Code Example 14-1, notice that imapPort is set to a specific port at one point in the string, &imapPort=143, and set as the default later in the string, &default=imapPort.

The following example—which includes fragments of an SSO Adapter template and an SSO Adapter configuration—demonstrates how the default property works:

  • SSO Adapter template:

    configName=t1&ex1=ex2&exa=exb&default=exa

  • SSO Adapter configuration:

    configName=c1&configDesc=t1

Then the resulting list of properties that is seen by the SSOAdapter implementation is just:

    exa=exb

The ex1=ex2 value in the template is ignored because it is not listed as a default attribute.

Property Type: encoded
Description: Denotes that the attribute is not passed in clear text, but instead is obfuscated. In Code Example 14-1, notice that only one value, password, is encoded.

The value adminPassword is not encoded. To encode a property such as adminPassword:

1.  Enter the encrypted value into the SSO Adapter template string. For this example, the encrypted value follows the equal sign of the following substring:

    &adminPassword=

    To obtain the encrypted value of a plain text value, use the encrypt method of the Sun ONE Identity Server Software Development Kit (SDK) class that follows, where plain-text-value is the value of a property before it is encrypted:

    AMPasswordUtil.encrypt plain-text-value

2.  Add a substring that assigns encoded to the property you want to encrypt. For this example the property is adminPassword and it is added to the end of the string (a convenient location):

    &encoded=adminPassword

This action changes the SSO Adapter template to end as follows:

    ...merge=uid&merge=password&encoded=adminPassword


SSO Adapter Configuration Format: Dynamic

Dynamic Attributes for the SSO Adapter

Table 14-28 describes the dynamic attributes for the SSO Adapter. The table contains three columns: the first column identifies the attribute, the second column provides the default value for the attribute, and the third column describes the attribute.

Table 14-28  SSO Adapter - Dynamic Attributes

Attribute: Conflict Resolution Level

Default Value: Highest

Description: Sets the conflict resolution level for the SSO adapter template used to resolve conflicts when multiple templates are merged. There are seven conflict resolution settings available ranging from Highest to Lowest.

When an attribute conflict occurs, the attribute on the template set with the highest conflict resolution level is returned.

Attribute: SSOAdapterConfigurations

Default Value: The default value depends on the services that were configured during installation.

Description: The SSOAdapterConfigurations attribute is a list of strings where each string is in the format of a URL. This string defines specific instances of the SSO adapters that are defined in the SSOAdapterTemplates attribute.

The default values for an SSO adapter are defined in the SSOAdapterTemplates attribute, and organization, role, or user-specific instances are stored in the SSOAdapterConfigurations attribute.

Accessing SSO Adapter Configurations


Note

To edit the SSO Adapter configurations, follow the steps as shown subsequently—which access the configurations by selecting the Identity Management tab, as described in step 2. Do not access the configurations in the Service Configuration tab as described in "Accessing SSO Adapter Templates."


To access the SSO Adapter configurations from the Sun ONE Identity Server admin console:

  1. From an Internet browser, log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://psserver.company22.example.com:80/amconsole
  2. Click the Identity Management tab to display the View drop down list in the navigation pane.
  3. Select Services in the View drop down list to display the list of configurable services.
  4. Scroll down the navigation pane to the Single Sign-on Adapter Configuration heading and click the arrow next to SSO Adapter to bring up the SSO Adapter page in the data pane.

About SSO Adapter Configurations

Code Example 14-2 is a Mail SSO Adapter configuration.

Code Example 14-2  Mail SSO Adapter Configuration

default|imap:///?configName=sunOneMail&configDesc=SUN-ONE-MAIL

As mentioned previously, Dynamic SSO Adapter configurations have the same format as the Global SSO Adapter Service templates:

protocol://uid:password@host:port/?configName=configuration-name&configDesc=sso-adapter-template&...

For SSO Adapter templates, certain fragments of the preceding portion, such as uid:password@host:port, tend not to appear; however, for SSO Adapter configuration strings, while that type of fragment would tend not to appear at the organization or role level, it would tend to appear at the user level.

The properties recognized at the dynamic level are:

Table 14-29  Properties in an SSO Adapter Configuration String

Property: configName
Description: This is the unique identifier of the SSO Adapter template or configuration definition.
Necessity: Mandatory

Property: configDesc
Description: This is an SSO Adapter Template value. The value for the configDesc property from a Dynamic SSO Adapter configuration string is the same as the value for the configName property from a Global SSO Adapter string (assuming the two strings begin with the same protocol).
Necessity: Mandatory
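The template and configuration rules described above (the default, merge and encoded property types, and the configDesc link from a configuration to its template) carried out in code. This is an added example, not code from Sun ONE Portal Server or the Identity Server SDK; the function names are its own, and the sample strings are Code Example 14-4, the orgCredentialMail configuration from the organization-level example, and the t1/c1 pair from Table 14-27.

```python
"""Resolve SSO Adapter template and configuration strings.

Added example; not code from Sun ONE Portal Server or the Identity Server
SDK. It applies the rules this appendix states: a string is "default|" plus
a URL whose scheme picks the adapter family (imap/pop: Mail, http: Calendar,
ldap: Address Book) and whose uid:password@host:port become properties;
default=, merge= and encoded= repeat, each naming a property; a configuration
names its template in configDesc, inherits only template values listed under
default=, and supplies values only for properties listed under merge=.
Function names and the constants below are this example's own.
"""
from urllib.parse import parse_qsl, urlsplit

PREFIX = "default|"
LIST_KEYS = ("default", "merge", "encoded")
ADAPTER_FAMILY = {"imap": "Mail", "pop": "Mail", "http": "Calendar", "ldap": "Address Book"}

# Code Example 14-4, the SUN-ONE-MAIL template, joined onto one line.
SUN_ONE_MAIL = ("default|imap:///?configName=SUN-ONE-MAIL&encoded=password"
                "&default=ssoClassName&default=protocol&default=clientProtocol"
                "&merge=host&merge=port&merge=uid&merge=password"
                "&merge=smtpServer&merge=smtpPort&merge=sentFolderCopy"
                "&merge=clientPort&clientProtocol=http"
                "&ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter")
# The orgCredentialMail configuration from the organization-level example.
ORG_CONFIG = ("default|imap://company22.example.com:143/?configName=orgCredentialMail"
              "&configDesc=SUN-ONE-MAIL&smtpServer=company22.example.com"
              "&sentFolderCopy=true&clientPort=1080&smtpPort=25")
# The t1/c1 pair Table 14-27 uses to explain the default property type.
TEMPLATE_T1 = "default|imap:///?configName=t1&ex1=ex2&exa=exb&default=exa"
CONFIG_C1 = "default|imap:///?configName=c1&configDesc=t1"


def parse_sso_string(text):
    """Split a string into (properties, lists) where lists holds the
    property names given under default=, merge= and encoded=."""
    if not text.startswith(PREFIX):
        raise ValueError("SSO Adapter string must start with 'default|'")
    url = urlsplit(text[len(PREFIX):])
    props = {"protocol": url.scheme}
    for name, value in (("host", url.hostname), ("port", url.port),
                        ("uid", url.username), ("password", url.password)):
        if value is not None:
            props[name] = str(value)
    lists = {key: [] for key in LIST_KEYS}
    # parse_qsl splits each pair at its first "=", so a value such as
    # aid=uid=msg-admin,ou=People,o=example.com is kept whole.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in lists:
            lists[name].append(value)
        else:
            props[name] = value
    return props, lists


def adapter_family(text):
    """Adapter implementation family selected by the URL scheme."""
    return ADAPTER_FAMILY.get(parse_sso_string(text)[0]["protocol"], "unknown")


def resolve(config_text, template_texts):
    """Property list an SSO Adapter implementation sees for a configuration."""
    cprops, _ = parse_sso_string(config_text)
    wanted = cprops.get("configDesc")
    if wanted is None:
        raise ValueError("configuration string has no configDesc")
    templates = {}
    for text in template_texts:
        props, lists = parse_sso_string(text)
        templates[props["configName"]] = (props, lists)
    tprops, tlists = templates[wanted]  # KeyError if no such template
    effective = {}
    # Two-step default rule: a template value counts only when the template
    # also lists it under default=; every other template value is ignored.
    for name in tlists["default"]:
        if name in tprops:
            effective[name] = tprops[name]
    # merge= marks the properties a configuration (organization, role or
    # user level) may set; other configuration values are ignored too.
    for name in tlists["merge"]:
        if name in cprops:
            effective[name] = cprops[name]
    return effective


def unencoded_secrets(template_text):
    """Password-like properties the template stores in clear text, i.e. not
    listed under encoded= (adminPassword in Code Example 14-1 is one)."""
    props, lists = parse_sso_string(template_text)
    return sorted(name for name in props
                  if name.lower().endswith("password")
                  and name not in lists["encoded"])


if __name__ == "__main__":
    print(resolve(CONFIG_C1, [TEMPLATE_T1]))  # {'exa': 'exb'}
    print(sorted(resolve(ORG_CONFIG, [SUN_ONE_MAIL]).items()))
```

unencoded_secrets is the check to run over a stored SSOAdapterTemplates value before it is saved: any name it returns should be encrypted with the SDK and listed under encoded=, as the appendix describes for adminPassword.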


SSO Adapter Template and Configuration Examples

Two examples follow of how to create and share portal channel configurations. For both examples the data that is distributed between the SSO Adapter template and configuration is almost exactly the same. However, the first example demonstrates how to share the properties globally while the second example demonstrates how to share the properties within a single organization. For both of these examples, users are limited (in the editing they need to do) to entering user ID and password information, which then enables them to launch that channel from the desktop.

  • Server Is Defined within the SSO Adapter Template
  • Server Is Defined at the Organization Level

Some Users Won’t See Configuration Changes

When you make changes to the SSO Adapter templates and configurations, which are described in the next two examples, not all users will see the changes on their desktops. Users who have already edited their channel preferences by editing a channel from the desktop will not see future changes made by administrators to any channels, existing or new. The steps for implementing administrators’ configurations to these users are described in "Some Users Won’t See Configuration Changes."

Server Is Defined within the SSO Adapter Template

This section describes configuring an SSO Adapter template on a server that is shared globally. Therefore, all subdivisions of the global level—from organizations to roles—share the same configuration. For information on configuring a server at the organizational level see "Server Is Defined at the Organization Level".

For this configuration, the outcome is that users will have a Mail channel on their Desktop where the Mail channel is editable and where the user only needs to enter their credentials—user ID (uid) and password—to complete the configuration.

The following example creates a new SSO Adapter template, SSO Adapter configuration, and Mail channel.

  1. Add a new SSO Adapter template, which for this example is named credentialMailTemplate.
    1. From an Internet browser, log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://psserver.company22.example.com:80/amconsole
    2. Click the Service Configuration tab to display the list of configurable services in the navigation pane.
    3. Scroll down the navigation pane to Single Sign-on Adapter Configuration and click the arrow next to SSO Adapter to bring up the SSO Adapter page in the data pane.
    4. Click in the blank configuration description field—which is just above the Add and Remove buttons— it is in the box labeled SSO Adapter Templates under the heading Global as opposed to Dynamic.
    5. In the blank configuration description field, type in the entire SSO Adapter Template string as shown subsequently in Code Example 14-3; replace the variable information with the specific information for your site, unless a particular example also fits the information for your site (therefore, replace some, if not all, of the following values: credentialMailTemplate, company22.example.com:143, company22.example.com, true, and 1080).
    6. If the field is not blank when you get to it, select all the text in the field and delete it.

      Code Example 14-3  Mail SSO Adapter Template for Sharing Globally

      default|imap://company22.example.com:143/?configName=credentialMailTemplate
          &encoded=password
          &default=protocol
          &default=clientProtocol
          &default=type
          &default=subType
          &default=enableProxyAuth
          &default=proxyAdminUid
          &default=proxyAdminPassword
          &default=ssoClassName
          &default=enablePerRequestConnection
          &default=userAttribute
          &default=host
          &default=port
          &default=smtpServer
          &default=clientPort
          &default=smtpPort
          &default=sentFolderCopy
          &enableProxyAuth=false
          &proxyAdminUid=[PROXY-ADMIN-UID]
          &proxyAdminPassword=[PROXY-ADMIN-PASSWORD]
          &type=MAIL-TYPE
          &subType=sun-one
          &ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter
          &enablePerRequestConnection=true
          &userAttribute=uid
          &clientProtocol=http
          &smtpServer=company22.example.com
          &sentFolderCopy=true
          &clientPort=1080
          &smtpPort=25
          &merge=uid
          &merge=password

    7. Click Add.
    8. Click Save.
    9. At this point, there may be more than one string that begins with the IMAP protocol. This is acceptable.

  2. Add a new SSO Adapter Configuration, which for this example is named credentialMail. Choose your own name for your site.
    1. From an Internet browser, log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://psserver.company22.example.com:80/amconsole
    2. Click the Identity Management tab to display the View drop down list in the navigation pane.
    3. Select Services in the View drop down list to display the list of configurable services.
    4. Scroll down the navigation pane to the Single Sign-on Adapter Configuration heading and click the arrow next to SSO Adapter to bring up the SSO Adapter page in the data pane.
    5. Click in the blank configuration description field—which is just above the Add and Remove buttons.
    6. In the blank configuration description field, type in the following line of code, where for this example the configuration name is credentialMail and the configuration description is credentialMailTemplate (replace the names used for configuration name and configuration description with the specific information for your site):

      default|imap:///?configName=credentialMail
          &configDesc=credentialMailTemplate

      If the field is not blank when you get to it, select all the text in the field and delete it.

    7. Click Add.
    8. Click Save.
  3. Add a new Mail Channel to the Desktop. For this example the name of the new channel is CredentialMailChannel.
    1. From an Internet browser, log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://psserver.company22.example.com:80/amconsole
    2. Click the Identity Management tab to display the View drop down list in the navigation pane.
    3. Select Services in the View drop down list to display the list of configurable services.
    4. Scroll down the navigation pane to the Portal Server Configuration heading, click the arrow next to Portal Desktop to bring up the Portal Desktop page in the data pane.
    5. Click the Channel and Container Management link.
    6. Under the Channels heading, click New.
    7. In the Channel Name field, type the name for the new channel, which for this example is CredentialMailChannel.
    8. In the Provider drop down menu, select MailProvider.
    9. Click OK, which returns you to the Channel and Container Management Web page where the channel you just created now exists.
    10. Under the Channels heading, click Edit Properties next to the name of the channel you just created, which for this example is CredentialMailChannel.
    11. In the “title” field, select and delete any words that currently exist, for example mail, and type a provider title, which for this example is Credential Only Mail Account.
    12. In the description field, select and delete any words that currently exist, for example mail, and type a provider description, which for this example is again Credential Only Mail Account.
    13. Scroll down the page (still in the data pane); select and delete any words that currently exist in the “ssoAdapter” field, for example SunOneMail; and type the same SSO Adapter configuration name used in Step 2, which for this example is credentialMail.
    14. Scroll as needed and click Save.
    15. Scroll back up the page to click the word top, which is the first item following the words Container Path.
    16. Scroll down to the Container Channels heading and click the link for the container that you want to add the new channel to. For example, MyFrontPageTabPanelContainer. Do not click the accompanying Edit Properties link.
    17. Under the Channel Management heading, click the name of the channel you just created. For example, CredentialMailChannel, which is in the Existing Channels list.
    18. Click the Add button that is next to the Available and Visible list. This makes the channel available to users and visible without any further configuration.
    19. Scroll back up the page to click Save under the Channel Management heading.
    20. You have finished adding a new Mail channel to the Desktop. Now, limit the fields that end users will see (and be able to edit) when they click the edit button in the Mail channel. You will only keep the User ID and password fields.

  4. Use the Identity Server admin console to retrieve the organization’s display profile document from the directory server. See "To Download and Upload a Display Profile" and follow the steps for downloading and saving (locally) the display profile document.
  5. Use the editor of your choice to open the display profile document and to locate the name of the channel you created in Step 3, for example, CredentialMailChannel. The section of text you need to locate will look similar to the following:

    <Channel name="CredentialMailChannel" provider="MailProvider" merge="replace">
        <Properties>
            <String name="title" value="Credential Only Mail Account"/>
            <String name="description" value="Credential Only Mail Account"/>
            <String name="ssoAdapter" value="credentialMail"/>
        </Properties>
    </Channel>

  6. Add an ssoEditAttributes collection that only contains a uid and password. Such a collection looks similar to the following:

    <Collection name="ssoEditAttributes">
        <String name="uid" value="string|User Name:"/>
        <String name="password" value="password|User Password:"/>
    </Collection>

    After adding this type of collection, the channel definition will look similar to the following:

    <Channel name="CredentialMailChannel" provider="MailProvider" merge="replace">
        <Properties>
            <String name="title" value="Credential Only Mail Account"/>
            <String name="description" value="Credential Only Mail Account"/>
            <String name="ssoAdapter" value="credentialMail"/>
            <Collection name="ssoEditAttributes">
                <String name="uid" value="string|User Name:"/>
                <String name="password" value="password|User Password:"/>
            </Collection>
        </Properties>
    </Channel>

  7. Use the Identity Server admin console to upload the newly edited display profile document. Again, see "To Download and Upload a Display Profile". This time, follow the steps for uploading a display profile.
  8. Create a new portal end user and authenticate to the desktop (optional).
    1. Click the Identity Management tab—if it is not already selected—to display the View drop down list in the navigation pane.
    2. Select Users in the View drop down list.
    3. Click New to display the New User page in the data pane.
    4. Click in the checkboxes next to the services to be assigned to the user.
    5. At a minimum, select Portal Desktop and SSO Adapter.
    6. Enter the user information in the appropriate text fields, scrolling as needed.
    7. Scroll as needed and click Create.
    8. The new user’s name then appears in the navigation pane.
  9. If you create new users, they will see the configuration changes you just made on their portal desktops. Existing users who have not previously configured any of the channels from their desktops will also see the changes you just made. However, existing users who have configured a channel from their desktops won’t see the changes you just made. To allow them to see those changes, refer to "Some Users Won’t See Configuration Changes".
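The display profile edit from the procedure above (adding an ssoEditAttributes collection so that only uid and password remain editable) applied to a document in code. This is an added example, not part of Sun ONE Portal Server or its documentation; SAMPLE_PROFILE is a constructed document shaped like the channel definition shown above, and the function names are this example's own.

```python
"""Limit a display profile channel's SSO edit page to uid and password.

Added example, not part of Sun ONE Portal Server or its documentation: it
performs the display profile edit described in the procedure above on an
XML document, locating the <Channel> by name and giving its <Properties> an
ssoEditAttributes <Collection> that lists only the uid and password entries.
SAMPLE_PROFILE and the function names are constructed for this example.
"""
import xml.etree.ElementTree as ET

# The two entries the procedure keeps, as "type|label" values like the appendix shows.
CREDENTIAL_FIELDS = (("uid", "string|User Name:"),
                     ("password", "password|User Password:"))

# Constructed sample: the channel definition before the collection is added.
SAMPLE_PROFILE = """<DisplayProfile>
  <Channel name="CredentialMailChannel" provider="MailProvider" merge="replace">
    <Properties>
      <String name="title" value="Credential Only Mail Account"/>
      <String name="description" value="Credential Only Mail Account"/>
      <String name="ssoAdapter" value="credentialMail"/>
    </Properties>
  </Channel>
</DisplayProfile>"""


def _channel(root, channel_name):
    """The <Channel> element with the given name attribute."""
    for channel in root.iter("Channel"):
        if channel.get("name") == channel_name:
            return channel
    raise KeyError(f"no Channel named {channel_name!r} in the display profile")


def restrict_sso_edit_attributes(profile_xml, channel_name, fields=CREDENTIAL_FIELDS):
    """Return the profile with the channel's ssoEditAttributes set to `fields` only."""
    root = ET.fromstring(profile_xml)
    channel = _channel(root, channel_name)
    props = channel.find("Properties")
    if props is None:
        props = ET.SubElement(channel, "Properties")
    # Drop any existing collection outright: entries it may have exposed,
    # such as host or port, must not stay editable by the user.
    for old in props.findall("Collection[@name='ssoEditAttributes']"):
        props.remove(old)
    collection = ET.SubElement(props, "Collection", name="ssoEditAttributes")
    for name, value in fields:
        ET.SubElement(collection, "String", name=name, value=value)
    return ET.tostring(root, encoding="unicode")


def editable_sso_fields(profile_xml, channel_name):
    """Names the channel's SSO edit page lets a user change ([] if none declared)."""
    channel = _channel(ET.fromstring(profile_xml), channel_name)
    collection = channel.find("Properties/Collection[@name='ssoEditAttributes']")
    if collection is None:
        return []
    return [entry.get("name") for entry in collection.findall("String")]


if __name__ == "__main__":
    edited = restrict_sso_edit_attributes(SAMPLE_PROFILE, "CredentialMailChannel")
    print(editable_sso_fields(edited, "CredentialMailChannel"))  # ['uid', 'password']
```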

Server Is Defined at the Organization Level

This section describes configuring an SSO Adapter template at the organizational level. The data used in the SSO Adapter template and SSO Adapter configuration in this example is almost exactly the same as the data used in the example in "Server Is Defined within the SSO Adapter Template". However, in the following example, more of the properties appear within the SSO Adapter configuration and fewer appear within the SSO Adapter template. Putting the properties in the SSO Adapter configuration allows you to share those properties within an organization rather than sharing the properties globally.

The following example creates a new SSO Adapter configuration and Mail channel. The default SSO Adapter template is used in this example. You do not need to create another template:

Code Example 14-4  Mail SSO Adapter Template for Sharing within an Organization

default|imap:///?configName=SUN-ONE-MAIL
    &encoded=password
    &default=ssoClassName
    &default=protocol
    &default=clientProtocol
    &merge=host
    &merge=port
    &merge=uid
    &merge=password
    &merge=smtpServer
    &merge=smtpPort
    &merge=sentFolderCopy
    &merge=clientPort
    &clientProtocol=http
    &ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter

  1. Add a new SSO Adapter Configuration, which for this example is named orgCredentialMail. Choose your own name for your site.
    1. From an Internet browser, log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://psserver.company22.example.com:80/amconsole
    2. Click the Identity Management tab to display the View drop down list in the navigation pane.
    3. Select Services in the View drop down list to display the list of configurable services.
    4. Scroll down the navigation pane to the Single Sign-on Adapter Configuration heading and click the arrow next to SSO Adapter to bring up the SSO Adapter page in the data pane.
    5. Click in the blank configuration description field—which is just above the Add and Remove buttons.
    6. In the blank configuration description field, type in the following line of code, where for this example the configuration name is orgCredentialMail and the configuration description is SUN-ONE-MAIL; replace the variable information with the specific information for your site, unless a variable example used here also fits the information for your site (therefore, replace some, if not all, of the following values: company22.example.com:143, orgCredentialMail, company22.example.com, true, 1080, and 25).

      default|imap://company22.example.com:143/?configName=orgCredentialMail
          &configDesc=SUN-ONE-MAIL
          &smtpServer=company22.example.com
          &sentFolderCopy=true
          &clientPort=1080
          &smtpPort=25

      If the field is not blank when you get to it, select all the text in the field and delete it.

    7. Click Add.
    8. Click Save.
    9. At this point, there may be more than one string that begins with the IMAP protocol. This is perfectly acceptable.

  2. Add a new Mail Channel to the My Front Page tab; for this example, the name of the new channel is OrgCredentialMailChannel.
    1. From an Internet browser, log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://psserver.company22.example.com:80/amconsole
    2. Click the Identity Management tab to display the View drop down list in the navigation pane.
    3. Select Services in the View drop down list to display the list of configurable services.
    4. Scroll down the navigation pane to the Portal Server Configuration heading and click the arrow next to Portal Desktop to bring up the Portal Desktop page in the data pane.
    5. Click the Channel and Container Management link.
    6. Under the Channels heading, click New.
    7. In the Channel Name field, type the name for the new channel, which for this example is OrgCredentialMailChannel.
    8. In the Provider drop down menu, select MailProvider.
    9. Click Create, which returns you to the Channel and Container Management Web page where the channel you just created now exists.
    10. Under the Channels heading, click Edit Properties next to the name of the channel you just created, which for this example is OrgCredentialMailChannel.
    11. In the title field, select and delete any words that currently exist, for example mail, and type a provider title, which for this example is Organization Defined Credential Only Mail Account.
    12. In the description field, select and delete any words that currently exist, for example mail, and type a provider description, which for this example is again Credential Only Mail Account.
    13. Scroll down the page (still in the data pane); select and delete any words that currently exist in the ssoAdapter field, for example sunOneMail; and type the same SSO Adapter configuration name used in Step 1, which for this example is orgCredentialMail.
    14. Scroll as needed and click Save.
    15. Scroll back up the page to click the word top, which is the first item following the words Container Path.
    16. Scroll down to the Container Channels heading and click the link for the container that you want to add the new channel to, for example MyFrontPageTabPanelContainer. Do not click the accompanying Edit Properties link.
    17. Under the Channel Management heading, click the name of the channel you just created in the Existing Channels list, for example OrgCredentialMailChannel.
    18. Click the Add button that is next to the Available and Visible list. This makes the channel available to users and visible without any further configuration.
    19. Scroll back up the page to click Save under the Channel Management heading.
    20. You have finished adding a new Mail channel to the Desktop. For this type of configuration, when end users click the edit button for this channel, all the editable fields will be populated except for User ID and password, which they will need to fill in. If you want to remove all the fields except for the User ID and password fields, follow the steps in the Server Is Defined within the SSO Adapter Template section, starting with Step 4.

  3. Create a new portal user and authenticate to the desktop (optional).
  4. If you create new users, they will see the configuration changes you just made on their portal desktops. Existing users who have not previously configured any of the channels from their desktops will also see the changes you just made. However, existing users who have configured a channel from their desktops won’t see the changes you just made. To allow them to see those changes, refer to "Some Users Won’t See Configuration Changes".

    1. Click the Identity Management tab—if it is not already selected—to display the View drop down list in the navigation pane.
    2. Select Users in the View drop down list.
    3. Click New to display the New User page in the data pane.
    4. Click in the checkboxes next to the services to be assigned to the user.
    5. At a minimum, select Portal Desktop and SSO Adapter.

    6. Enter the user information in the appropriate text fields, scrolling as needed.
    7. Scroll as needed and click Create.
    8. The new user’s name then appears in the navigation pane.
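The SSO Adapter configuration strings entered in the procedure above are easy to get wrong by hand (a doubled letter in a host name, a missing `&`, a port typed into the wrong field). The following Python module is an added example, not code from the Sun ONE Portal Server guide or the product: it parses a string of the form `prefix|scheme://host:port/?key=value&...` into its parts, checks the fields the guide uses (configName, configDesc, smtpServer, sentFolderCopy, clientPort, smtpPort), and rebuilds the string from structured values so the result is always well formed. The assumption that the query part follows ordinary URL form encoding, and the set of accepted schemes, are the author's (this example's) choices, not something the guide states.

```python
"""Parse, check and rebuild Sun ONE Portal Server SSO Adapter configuration strings.

Added example; not code from the Sun ONE Portal Server guide. The string layout
"<prefix>|<scheme>://<host>:<port>/?<query>" and the field names below are taken
from the guide's own examples; treating the query as URL form encoding and the
list of accepted schemes are assumptions made here.
"""
from urllib.parse import urlsplit, parse_qsl, urlencode

# The configuration string from the procedure above (the guide's own example).
EXAMPLE = ("default|imap://company22.example.com:143/?configName=orgCredentialMail"
           "&configDesc=SUN-ONE-MAIL&smtpServer=company22.example.com"
           "&sentFolderCopy=true&clientPort=1080&smtpPort=25")

REQUIRED = ("configName", "configDesc")          # every configuration names itself and its template
PORT_FIELDS = ("clientPort", "smtpPort")         # must be numeric, 1..65535
BOOL_FIELDS = ("sentFolderCopy",)                # must be "true" or "false"
SCHEMES = ("imap", "http", "https")              # assumption: schemes seen in the guide's examples


def parse_sso_config(config: str) -> dict:
    """Split a configuration string into prefix, scheme, host, port and params.

    Raises ValueError with a specific message when the string is malformed, so
    a typo is caught before the string is pasted into the admin console.
    """
    prefix, sep, url = config.partition("|")
    if not sep or not prefix:
        raise ValueError("expected '<prefix>|<url>' (for example 'default|imap://...')")
    parts = urlsplit(url)
    if parts.scheme not in SCHEMES:
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    # strict_parsing rejects stray '&&' or a bare word without '='
    params = dict(parse_qsl(parts.query, keep_blank_values=True, strict_parsing=True))
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        raise ValueError(f"missing required field(s): {', '.join(missing)}")
    for key in PORT_FIELDS:
        value = params.get(key)
        if value is not None and not (value.isdigit() and 0 < int(value) < 65536):
            raise ValueError(f"{key} must be a port number, got {value!r}")
    for key in BOOL_FIELDS:
        value = params.get(key)
        if value is not None and value not in ("true", "false"):
            raise ValueError(f"{key} must be 'true' or 'false', got {value!r}")
    return {
        "prefix": prefix,
        "scheme": parts.scheme,
        "host": parts.hostname,   # None when the server is left to the template ("imap:///")
        "port": parts.port,       # None when no port is given
        "params": params,
    }


def build_sso_config(host, port, params: dict, scheme: str = "imap",
                     prefix: str = "default") -> str:
    """Assemble a configuration string from structured values.

    host/port may be None to produce the "imap:///?..." form used when the
    server is defined within the SSO Adapter template.
    """
    netloc = "" if host is None else (host if port is None else f"{host}:{port}")
    return f"{prefix}|{scheme}://{netloc}/?{urlencode(params)}"


if __name__ == "__main__":
    cfg = parse_sso_config(EXAMPLE)
    print(cfg)
    print(build_sso_config(cfg["host"], cfg["port"], cfg["params"]))
```

`build_sso_config` preserves field order, so a string parsed and rebuilt with no changes is byte-for-byte identical to the original; that makes it convenient to clone an existing configuration, change one field (for example `configName`), and get a new string that is guaranteed to parse.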

Some Users Won’t See Configuration Changes

Administrators make channel configuration changes—including the adding of new channels— by editing or creating SSO Adapter templates and configurations. These changes do not affect all users. The users they affect are:

However, for users who have previously changed one or more of their channel configurations—which they do by editing a channel from their desktops—administrators need to make configuration changes directly at the user level before the changes take effect. For example, when administrators add a channel at the global, organization, or role level, the channel does not appear on these users’ desktops.

This situation occurs because of the way Class of Service functions in the directory server. Users who configure one or more of their channels overwrite the SSO Adapter templates and configurations. Thereafter—for these users—values added by administrators at the global, organization, or role level are no longer inherited at the user level.

Therefore, configure changes directly at the user level for every user who has previously changed one or more of their channel configurations. It is usually more convenient to configure changes for other users first, then to copy those template and configuration strings and paste them directly at the user level for the users that need them; the following instructions assume that you will configure changes in this manner. However, you can key in configuration strings directly at the user level without copying and pasting, if you wish.

After making configuration changes for others, make configuration changes directly at the user level—for those who need it—with one of the two following methods:

User-Level Configuration Changes for One to a Few Users

Copy and paste the SSO Adapter template string or the SSO Adapter configuration string that you just edited or created for other users to the users who need the changes made directly at the user level as follows:

  1. Copy a string from an SSO Adapter configuration:
    1. From an Internet browser, log on to the Sun ONE Identity Server admin console at http://hostname:port/amconsole, for example http://psserver.company22.example.com:80/amconsole
    2. Click the Identity Management tab to display the View drop down list in the navigation pane.
    3. Select Services in the View drop down list to display the list of configurable services.
    4. Scroll down the navigation pane to the Single Sign-on Adapter Configuration heading and click the arrow next to SSO Adapter to bring up the SSO Adapter page in the data pane.
    5. Click the string that you want to copy, such as “default|http:///...”, “default|imap:///...”, and so on.
    6. With the string you just selected showing in the configuration description field—which is just above Add and Remove buttons—select and copy the entire contents of the field and go on to Step 2.
  2. In the Sun ONE Identity Server admin console, click the Identity Management tab to display the View drop down list in the navigation pane.
  3. Select Users in the View drop down list to display the list of Sun ONE Portal Server users.
  4. Click the arrow next to the user whose user level configuration you want to edit to display another View drop down list, but in the data pane.
  5. Click SSO Adapter in the View drop down list within the data pane.
  6. Click in the configuration description field—which is just above Add and Remove buttons.
  7. Paste the SSO Adapter configuration string that you copied in Step 1 here in the configuration description field.
  8. Scroll to the far right, past the SSO Adapter configurations box.
  9. Select Customize from the drop down list, if it is not already selected (possible selections are Customize, Inherit, and Ignore).
  10. Scroll to the left as needed and click Save.

User-Level Configuration Changes for Many Users (Using a Script)

To apply configuration changes to many users directly at the user level you will create a file made up of simple scripts that—among other things—identify specific users and the specific SSO Adapter template(s) and configuration(s) you want to connect each of these users to.

You will then issue an ldapmodify command that references the file; the file then modifies the directory server by implementing the user configuration changes in the scripts.

  1. Create a file similar to that in Code Example 14-5 using information specific to your site.
    • Name the file using the .ldif suffix.
    • In the file, create a separate entry for every user who needs the SSO Adapter configured for them directly at the user level.
    • Include the four lines of code for each user.
    • The following example file includes only two example entries. This file is named attr.ldif; the two users are named user1 and user2; the organization name is example; the configuration name—which is the name of the SSO Adapter configuration that both users happen to be referencing—is group1imapmail; the configuration description—which identifies which SSO Adapter template the group1imapmail configuration is referencing—is everyoneimap. For this example, it is the same for both users.


      Code Example 14-5  A file named attr.ldif with Scripts for the Directory Server

      dn: uid=user1,ou=People,o=example.com,o=isp
      changetype: modify
      add: sunSSOAdapterConfigurations
      sunSSOAdapterConfigurations: default|imap:///?configName=group1imapmail&configDesc=everyoneimap

      dn: uid=user2,ou=People,o=example.com,o=isp
      changetype: modify
      add: sunSSOAdapterConfigurations
      sunSSOAdapterConfigurations: default|imap:///?configName=group1imapmail&configDesc=everyoneimap

  2. Use an ldapmodify command similar to that used in Code Example 14-6 to send the file you created in Step 1 to the directory server. When entering these commands, use information specific to your site.
  3. The following example lists the commands needed to send a file to the directory server to be read. The following information is specific to this example site: the password is mypassword; the host name is localhost; the port number is the default, 389; and the file being sent is named attr.ldif.

    Code Example 14-6  Sending a File Named attr.ldif to the Directory Server

    setenv LD_LIBRARY_PATH Directory-server-install-dir/lib
    Directory-server-install-dir/shared/bin/ldapmodify -D "cn=Directory Manager" -w mypassword -h localhost -p 389 -f attr.ldif

    The preceding code first sets LD_LIBRARY_PATH and gives the location of the ldapmodify command. Then ldapmodify is issued. A summary of each option used with this command follows:

    -D  specifies the distinguished name, in this case “cn=Directory Manager”, to bind to the directory
    -w  specifies the password, in this case mypassword, for authenticating to the directory
    -h  specifies the host, in this case localhost, on which the directory server is running
    -p  specifies the port, in this case the default port 389, on which the directory server is listening
    -f  specifies a file, in this case attr.ldif, to be read by the directory server

    For more information about the ldapmodify command see Sun ONE Directory Server Administration Guide.
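Writing the four lines for every user by hand does not scale past a handful of entries, and a value that happens to start with a space or a colon, or that contains a non-ASCII character, must be base64-encoded in LDIF or the directory server will reject or mangle it. The following Python script is an added example, not a script from the Sun ONE Portal Server guide or from the product: it generates a file with the same shape as attr.ldif in Code Example 14-5 for a list of users, applying the RFC 2849 encoding rules to each value. The attribute name sunSSOAdapterConfigurations, the DN layout uid=...,ou=People,o=example.com,o=isp and the configuration string are taken from the guide; the user list is constructed for the example.

```python
"""Generate an LDIF file that adds an SSO Adapter configuration to many users.

Added example; not a script from the Sun ONE Portal Server guide. Each user gets
one "changetype: modify" record like the ones in Code Example 14-5. Values are
encoded per RFC 2849: a value that begins with a space, ':' or '<', or that
contains non-ASCII or control characters, is base64-encoded and written as
"attr:: <base64>". The user list below is constructed for the example.
"""
import base64

ATTR = "sunSSOAdapterConfigurations"                     # attribute name from the guide
ORG_DN = "o=example.com,o=isp"                           # organization DN from the guide
CONFIG = "default|imap:///?configName=group1imapmail&configDesc=everyoneimap"
USERS = ["user1", "user2"]                               # constructed sample users


def ldif_attr_line(attr: str, value: str) -> str:
    """Return 'attr: value' or, when the value is not LDIF-safe, 'attr:: base64'."""
    safe = (value.isascii()
            and value.isprintable()                      # rejects control characters and newlines
            and value[:1] not in (" ", ":", "<"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_modify_record(uid: str, org_dn: str, config: str) -> str:
    """Build one modify record that adds the configuration to a user's entry."""
    dn = f"uid={uid},ou=People,{org_dn}"
    lines = [
        ldif_attr_line("dn", dn),                         # the DN may need base64 too
        "changetype: modify",
        f"add: {ATTR}",
        ldif_attr_line(ATTR, config),
        "-",                                              # terminates the mod-spec (RFC 2849)
    ]
    return "\n".join(lines)


def build_ldif(uids, org_dn: str, config: str) -> str:
    """Concatenate one record per user, separated by blank lines as LDIF requires."""
    records = [user_modify_record(uid, org_dn, config) for uid in uids]
    return "\n\n".join(records) + "\n"


def count_records(ldif_text: str) -> int:
    """Number of records in generated LDIF text (useful as a sanity check before loading)."""
    return sum(1 for block in ldif_text.strip().split("\n\n") if block.strip())


if __name__ == "__main__":
    text = build_ldif(USERS, ORG_DN, CONFIG)
    with open("attr.ldif", "w", encoding="ascii") as fh:
        fh.write(text)
    print(f"wrote attr.ldif with {count_records(text)} records")
```

The generated file is loaded with the same ldapmodify command as in Code Example 14-6. Note that the `-w mypassword` form in that example puts the Directory Manager password on the command line, where it is visible in process listings and shell history; run the command from an administrative host and consult the Sun ONE Directory Server Administration Guide for the alternatives it documents. The record separator `-` after each mod-spec is what RFC 2849 specifies; the guide's hand-written example omits it for its single add, which directory servers generally tolerate, but a generator should emit the strict form.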

Copyright 2003 Sun Microsystems, Inc. All rights reserved.