Sun OpenSSO Enterprise 8.0 Administration Guide

Chapter 5 Creating Subjects

The Subjects interface enables basic identity management within a realm. Any identity created using this OpenSSO Enterprise console interface is created in the identity repository that was defined during the installation process. (If no external user data store is defined during installation, the user data store is the OpenSSO Enterprise embedded configuration data store; this configuration should be used for testing and demonstration purposes only.) The following sections contain more information on the entities you can create and modify:

Storing Subjects

Any subject created using the OpenSSO Enterprise console is stored in the identity repository that was defined during the installation process. If no external user data store is defined, the user data store is, in effect, the OpenSSO Enterprise embedded configuration data store, and Subjects will be stored in it. This deployment should be used for testing and demonstration purposes only. Defining an external data store during OpenSSO Enterprise configuration, or pointing a realm to an instance of an identity repository after configuration, allows you to store subjects for real deployments.

Creating Users

A user represents an individual’s identity. Users can be created and deleted, and can be added or removed from roles and/or groups. You can also assign services to the user. The following procedures contain more information.

Procedure: To Create a User

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator; by default, amadmin.

  1. Under the Access Control tab, click the name of the realm in which you are creating the user.

  2. Click the Subjects tab.

  3. Click New.

  4. Enter data for the following fields:

    ID This field takes the identifier of the user for purposes of logging into the OpenSSO Enterprise console. This property does not have to be a DN.

    First Name This field takes the first name of the user.

    Last Name This field takes the last name of the user.

    Full Name This field takes the full name of the user.

    Password This field takes the password for the user.

    Password (Confirm) Confirm the password.

    User Status This option indicates whether the user is allowed to authenticate through OpenSSO Enterprise.

  5. Click OK.

    You can now modify the user profile by clicking the name of the user. For information on the user attributes, see User Attributes. Other modifications you can perform are described in To Modify a User.

Procedure: To Modify a User

To add a user to a group or role, assign a service to a user profile or add values to the additional user profile attributes, modify the user profile.

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator; by default, amadmin.

  1. Under the Access Control tab, click the name of the realm that contains the user you want to modify.

  2. Click the Subjects tab.

  3. Click the name of the user you want to modify.

    The Edit User page is displayed under the General tab.

  4. (Optional) Add values to the following user profile attributes.

    • Password can be used to change the user's defined password.


      Note –

      The top level administrator's username and password are created when you configure OpenSSO Enterprise. This password can be changed at any time through the console, or with the ampassword command line utility. This attribute is used to change the top level administrator password through the console. For more information on ampassword, see Chapter 3, The ampassword Command Line Tool, in Sun OpenSSO Enterprise 8.0 Administration Reference.


    • Email Address

    • Employee Number

    • Telephone Number

    • Home Address

    • Account Expiration Date

    • User Authentication Configuration defines the authentication process through which the user must successfully authenticate.

    • User Alias List defines a list of aliases that may be applied to the user. In order to use any aliases configured in this attribute, the LDAP service has to be modified by adding the iplanet-am-user-alias-list attribute to the User Entry Search Attributes field in the LDAP service.

    • Success URL specifies the URL that the user will be redirected to upon successful authentication.

    • Failure URL specifies the URL that the user will be redirected to upon failed authentication.

    • Password Reset Options forces the user to change a defined password at the next login.

    • MSISDN Number defines the user's Mobile Station International Subscriber Directory Number if using MSISDN authentication.

  5. Click Save to save the values.

  6. Click the Services tab.

  7. Click Add.

  8. Select from the displayed services and click Next.

  9. Modify the service's attributes and click Finish.

  10. Click Finish.

  11. Click the Groups tab to add the user to a specific group.

  12. Add a group displayed in the Available list to the Selected list and click Save.

  13. Click Back to Subjects.

Creating Groups

A group represents a collection of users with a common function, feature or interest. Typically, a group has no privileges associated with it. Groups can exist at two levels; within a realm and within other managed groups. The following procedures have more information.

Procedure: To Create a Group

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator; by default, amadmin.

  1. Under the Access Control tab, click the name of the realm in which you are creating the group.

  2. Click the Subjects tab.

  3. Click the Group tab.

  4. Click New under the Group list.

  5. Enter a name for the group in the ID field.

  6. Click OK.

    Once you have created the group, you can add users to it. See To Add Users to a Group.

Procedure: To Add Users to a Group

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator; by default, amadmin.

  1. Under the Access Control tab, click the name of the realm that contains the group.

  2. Click the Subjects tab.

  3. Click the Group tab.

  4. Click the name of the group in the Group list to which you want to add users.

  5. Click the User tab.

  6. Add any Available users to the Selected list.

  7. Click Save.

    Users can also be added to Groups by modifying the User profile. See To Modify a User.

Administrative Users and Default Subjects

A number of administrative (and other) users are created as subjects during installation of OpenSSO Enterprise. The following sections contain information about each.

amadmin

The OpenSSO administrative user is amadmin (uid=amAdmin,ou=People,dc=opensso,dc=java,dc=net in the embedded configuration data store). This top-level administrator has unlimited access to all entries managed by OpenSSO. During installation, you must provide a password for amadmin. The amadmin profile is a Subject under the top-level realm. You cannot change the default amadmin identifier.

Procedure: To Change the amadmin Password

  1. Under the Access Control tab, click / (Top Level Realm).

  2. Click the Subjects tab.

  3. Click amadmin in the Users table.

  4. Under the General tab, click the Password attribute's Edit link.

  5. Type the old and new passwords as directed and click OK.

  6. Click Save on the Edit User page.

amldapuser

amldapuser (cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net in the embedded configuration data store) has read and search access to all embedded data store entries; it is used when the OpenSSO schema extends the embedded data store schema. amldapuser binds to the directory to retrieve data for the LDAP and Membership authentication modules and the Policy Configuration Service. The default password for amldapuser is changeit. You can change the password by modifying the value of the AMLDAPUSERPASSWD property in the OpenSSO-Deploy-base/opensso/WEB-INF/classes/serviceDefaultValues.properties file BEFORE running the OpenSSO configurator. Changing the amldapuser password after configuration is not supported.

UrlAccessAgent

UrlAccessAgent is the user that a web agent uses to login to OpenSSO. The password for UrlAccessAgent is defined during OpenSSO configuration.


Note –

amService-UrlAccessAgent (cn=amService-UrlAccessAgent,ou=DSAME Users,dc=opensso,dc=java,dc=net in the embedded configuration data store) is the same user as UrlAccessAgent. When entered as UrlAccessAgent on the server side, the Authentication Service prepends the string amService- to it. The Authentication Service then authenticates it as a special user with an entry in the data store.


Directory Manager

CN=Directory Manager,CN=Users,dc=opensso,dc=java,dc=net is the default top level administrator for the embedded configuration data store (OpenDS). Directory Manager has read and write access to all entries in the embedded configuration data store and would be used to bind to it if the OpenSSO schema is not installed.

Administrator

CN=Administrator,CN=Users,dc=opensso,dc=java,dc=net is the default top level administrator for Microsoft Active Directory. This is similar to Directory Manager.

demo

demo is the user used to demonstrate the federation-related features of OpenSSO. By default, its password is changeit. This user is displayed as a subject of the top-level realm in the OpenSSO console and its default password can be changed.

test

test is the user used to execute some OpenSSO samples. These samples create the test user, which is then displayed as a subject of the top-level realm in the OpenSSO console after you execute them. The default password is test.

dsameuser

dsameuser (cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net) binds to the embedded configuration data store when the OpenSSO SDK performs operations on it that are not linked to a particular user (for example, retrieving service configuration information).

After installation, it is recommended that you change the password for dsameuser. Do not use the same password that was set for amadmin or amldapuser. To change the password, use the ampassword utility with the --admin (or -a) option. (This option does not change the amadmin password.) If OpenSSO is deployed on multiple host servers, change the password in the embedded configuration data store and in the local serverconfig.xml file on the first server, as documented for ampassword. For each additional server, encrypt the new password using ampassword with the --encrypt (or -e) option and manually replace the old encrypted password in that server's serverconfig.xml file with the new one. Restart each OpenSSO web container after the modification.
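The manual swap step on each additional server (replacing the encrypted dsameuser password in serverconfig.xml) is the one most likely to be done wrong by hand. The following added script, which is not part of OpenSSO or this guide, performs that swap against a constructed, simplified serverconfig.xml; it assumes the file's User entries carry DirDN and DirPassword children, and the encrypted values shown are placeholders for the real output of ampassword -e.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample of a per-server serverconfig.xml.
# Assumed layout: each <User> has a <DirDN> and a <DirPassword> child.
# The password values are placeholders, not real ampassword -e output.
SAMPLE_SERVERCONFIG = """<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="localhost" port="50389" type="SIMPLE"/>
    <User name="User1" type="proxy">
      <DirDN>cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net</DirDN>
      <DirPassword>ENCRYPTED-PUSER-PLACEHOLDER</DirPassword>
    </User>
    <User name="User2" type="admin">
      <DirDN>cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net</DirDN>
      <DirPassword>ENCRYPTED-OLD-PLACEHOLDER</DirPassword>
    </User>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

DSAMEUSER_DN = "cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"


def _matching_users(root, dir_dn):
    # DNs are compared case-insensitively, as LDAP treats them.
    return [u for u in root.iter("User")
            if (u.findtext("DirDN") or "").strip().lower() == dir_dn.lower()]


def swap_dir_password(xml_text, dir_dn, new_encrypted):
    """Return xml_text with the DirPassword of the User whose DirDN equals
    dir_dn replaced by new_encrypted. Refuses to proceed unless exactly one
    entry matches, so a mistyped DN cannot silently leave the old credential."""
    root = ET.fromstring(xml_text)
    users = _matching_users(root, dir_dn)
    if len(users) != 1:
        raise ValueError(f"expected one User with DirDN {dir_dn!r}, found {len(users)}")
    pw = users[0].find("DirPassword")
    if pw is None:
        raise ValueError("matching User entry has no DirPassword element")
    pw.text = new_encrypted
    return ET.tostring(root, encoding="unicode")


def dir_password_for(xml_text, dir_dn):
    """Read back the stored encrypted password for dir_dn (post-change check)."""
    users = _matching_users(ET.fromstring(xml_text), dir_dn)
    if not users:
        raise KeyError(dir_dn)
    return (users[0].findtext("DirPassword") or "").strip()


if __name__ == "__main__":
    # On a real server, the new value is the output of: ampassword -e '<new password>'
    updated = swap_dir_password(SAMPLE_SERVERCONFIG, DSAMEUSER_DN, "ENCRYPTED-NEW-PLACEHOLDER")
    print(dir_password_for(updated, DSAMEUSER_DN))
```

Write the returned text over the server's serverconfig.xml only after the read-back check confirms the new value, then restart that web container as the procedure requires.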

puser

Proxy user (cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net) is a proxy user that works behind the scenes for the legacy AMSDK. This user is created during installation, cannot be modified, and is not displayed in the OpenSSO console.

anonymous

anonymous is the default anonymous user. If the Anonymous authentication module is enabled, an anonymous user can log into OpenSSO without providing a password. You can define a list of anonymous users by adding user identifiers to the anonymous profile using the OpenSSO console.