Sun OpenSSO Enterprise 8.0 Developer's Guide

Setting Up Liberty ID-WSF 1.1 Profiles

OpenSSO Enterprise automatically detects which version of the Liberty ID-WSF profiles is being used. If OpenSSO Enterprise is the web services provider (WSP), it detects the version from the incoming SOAP message. If OpenSSO Enterprise is the web services consumer (WSC), it uses the version that the WSP has registered with the Discovery Service. If the WSP cannot detect the version from the incoming SOAP message, or the WSC cannot communicate with the Discovery Service, the version defined by the com.sun.identity.liberty.wsf.version property in the OpenSSO Enterprise configuration data store is used. The following steps configure OpenSSO Enterprise to use the Liberty ID-WSF 1.1 profiles.

Procedure: To Configure OpenSSO Enterprise to Use Liberty ID-WSF 1.1 Profiles

  1. Install OpenSSO Enterprise on two different machines.

    Test the installations by logging in to the console at http://server:port/opensso/UI/Login.

  2. Configure one instance of OpenSSO Enterprise as a Liberty ID-FF identity provider.

    1. Log in to the OpenSSO Enterprise console.

    2. Click the Federation tab.

    3. Click New under Entity Providers.

      The Create IDFF Entity Provider page is displayed.

    4. Enter a value for the Entity Identifier attribute on the Create IDFF Entity Provider page.

    5. Under Identity Provider, enter values for Meta Alias, Signing Certificate Alias, and Encryption Certificate Alias and click Create to create the identity provider metadata.

    6. Using ssoadm.jsp, export the identity provider metadata.

  3. Configure the second instance of OpenSSO Enterprise as a Liberty ID-FF service provider.

    1. Log in to the OpenSSO Enterprise console.

    2. Click the Federation tab.

    3. Click New under Entity Providers.

      The Create IDFF Entity Provider page is displayed.

    4. Enter a value for the Entity Identifier attribute on the Create IDFF Entity Provider page.

    5. Under Service Provider, enter values for Meta Alias, Signing Certificate Alias, and Encryption Certificate Alias and click Create to create the service provider metadata.

    6. Using ssoadm.jsp, export the service provider metadata.

  4. Exchange the standard metadata files and import the identity provider metadata onto the service provider machine and the service provider metadata onto the identity provider machine.

  5. Create a circle of trust that includes the Entity Identifier for both providers on each machine.

  6. Log in to the instance of OpenSSO Enterprise acting as the identity provider.

    1. Click the Web Services tab.

    2. Click the Discovery Service tab.

    3. Scroll down to Resource Offerings for Bootstrapping.

    4. Click urn:liberty:disco:2003-08.

      The Edit Resource Offerings page is displayed.

    5. Remove the default value of Service Type.

    6. Add urn:liberty:security:2005-02:null:X509.

    7. Change the value of the Provider ID attribute to the entity identifier of the identity provider.

    8. Click Save.

      The Discovery Service page is displayed.

    9. Scroll down to the Classes for ResourceID Mapper Plug-in attribute.

    10. Click the link that is the value of the Provider ID.

      The Edit Resource ID Mapping page is displayed.

    11. Change the value of the Provider ID attribute to the entity identifier of the identity provider.

    12. Click Save.

      The Discovery Service page is displayed.

    13. Click the Configuration tab.

    14. Click the Global tab.

    15. Click the Liberty ID-WSF Security Service link.

      The Liberty ID-WSF Security Service page is displayed.

    16. Enter test as the value for the following attributes and click Save.

      • Default WSC Certificate alias

      • Trusted Authority signing certificate alias

      • Trusted CA signing certificate aliases


      Note – test is the default self-signed certificate shipped with OpenSSO Enterprise. Use your own key and CA name for your customized deployment.

    17. Log out of the console and restart the identity provider instance to allow the changes to take effect.

  7. Log in to the instance of OpenSSO Enterprise acting as the service provider.

    1. Click the Web Services tab.

    2. Under the Personal Profile tab, change the value of the Provider ID attribute to the entity identifier of the service provider and click Save.

    3. Click the SOAP Binding Service tab.

    4. Scroll down, set the Liberty Identity Web Services Version attribute to 1.1, and click Save.

    5. Click the Configuration tab.

    6. Click the Global tab.

    7. Click the Liberty ID-WSF Security Service link.

      The Liberty ID-WSF Security Service page is displayed.

    8. Enter test as the value for the following attributes and click Save.

      • Default WSC Certificate alias

      • Trusted Authority signing certificate alias

      • Trusted CA signing certificate aliases


      Note – test is the default self-signed certificate shipped with OpenSSO Enterprise. Use your own key and CA name for your customized deployment.

    9. Log out of the console and restart the service provider instance to allow the changes to take effect.

Procedure: To Test the Liberty ID-WSF 1.1 Configuration

  1. Deploy the OpenSSO Enterprise client WAR on a third web container.

    • Use opensso-client-jdk15.war for web containers running Java Development Kit (JDK) 1.5 or later.

    • Use opensso-client-jdk14.war for web containers running JDK 1.4.

  2. Configure the client sample and then configure the WSC sample.

  3. Find AMConfig.properties for the Client SDK under the user_home/OpenSSOClient directory.

    For example, path_to_client_sample_deployment_AMConfig.properties

  4. Edit the following properties in AMConfig.properties.

    • com.sun.identity.liberty.ws.wsc.certalias=test

    • com.sun.identity.liberty.ws.ta.certalias=test

    • com.sun.identity.liberty.ws.trustedca.certalias=test


    Note – test is the default self-signed certificate shipped with OpenSSO Enterprise. Use your own key and CA name for your customized deployment.

  5. Restart the Client SDK web container and follow the client SDK sample README to run the sample.

    All Liberty ID-WSF traffic now uses version 1.1. You can validate this by inspecting the XML messages: the namespace of the SOAP binding should be urn:liberty:sb:2004-04, as opposed to urn:liberty:sb:2003-08 for version 1.0.
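The version check described in this step, and the WSP-side detection from the incoming SOAP message described at the top of this section, come down to the namespace of the SOAP Binding header blocks. The following is an added example, not OpenSSO Enterprise code, that classifies a captured SOAP envelope by that namespace and falls back to a configured default the way the com.sun.identity.liberty.wsf.version property does; the sample envelopes and the message ID in them are constructed here.

```python
"""Classify a Liberty ID-WSF SOAP message as 1.0 or 1.1 from its SOAP Binding
namespace. Added example; the envelopes below are constructed samples."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# SOAP Binding (sb) namespaces named in the procedure, mapped to the ID-WSF version.
SB_NAMESPACES = {
    "urn:liberty:sb:2003-08": "1.0",
    "urn:liberty:sb:2004-04": "1.1",
}


def detect_wsf_version(soap_xml, default_version="1.1"):
    """Return the ID-WSF version implied by the sb header blocks in a SOAP
    envelope. If no sb header is present, return default_version (standing in
    for com.sun.identity.liberty.wsf.version). A message that mixes header
    blocks from both namespaces is rejected rather than silently accepted."""
    root = ET.fromstring(soap_xml)
    header = root.find(f"{{{SOAP_ENV}}}Header")
    found = set()
    if header is not None:
        for element in header.iter():
            if element.tag.startswith("{"):
                namespace = element.tag[1:].split("}", 1)[0]
                if namespace in SB_NAMESPACES:
                    found.add(SB_NAMESPACES[namespace])
    if not found:
        return default_version
    if len(found) > 1:
        raise ValueError("mixed SOAP Binding namespaces: %s" % sorted(found))
    return found.pop()


def _envelope(sb_namespace):
    # Constructed sample: a Correlation header block in the given sb namespace.
    return (
        f'<S:Envelope xmlns:S="{SOAP_ENV}"><S:Header>'
        f'<sb:Correlation xmlns:sb="{sb_namespace}" messageID="urn:uuid:sample-1" '
        'timestamp="2009-01-01T00:00:00Z"/></S:Header><S:Body/></S:Envelope>'
    )


SAMPLE_WSF_11 = _envelope("urn:liberty:sb:2004-04")
SAMPLE_WSF_10 = _envelope("urn:liberty:sb:2003-08")
# Constructed sample with no sb header at all: the configured default applies.
SAMPLE_NO_SB = f'<S:Envelope xmlns:S="{SOAP_ENV}"><S:Header/><S:Body/></S:Envelope>'

if __name__ == "__main__":
    for label, msg in (("1.1", SAMPLE_WSF_11), ("1.0", SAMPLE_WSF_10), ("none", SAMPLE_NO_SB)):
        print(label, "->", detect_wsf_version(msg))
```

Run it against messages captured from the sample WSC after the restart; any envelope classified as 1.0 indicates a provider that did not pick up the new setting.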