Chapter 8 Federated Operations

This chapter contains procedures illustrating how to use OpenSSO Enterprise to configure interactions based on the ID-FF and SAMLv2 protocols. The sections contained in this chapter are:

• Finding an Identity Provider for Authentication

• Bulk Federation

• ID-FF Federation Operations

• SAMLv2 Operations

• WS-Federation Operations

Finding an Identity Provider for Authentication

If there is only one Identity Provider in a Circle-of-Trust, Service Providers will send users directly to the Identity Provider for authentication. In the case when there are multiple Identity Providers in a Circle-of-trust, a Service Provider requires a way to determine which identity provider is used by a principal requesting authentication. Because Service Providers are configured without regard to their location, this function must work across DNS-defined domains. OpenSSO Enterprise implements the following solutions for this use case:

• Identity Provider Discovery Service in SAMLv2

• Identity Provider Introduction Service in ID-FF

• Home Realm Discovery Service in WS-Federation

When these services are configured, the Service Provider determines and redirects the user agent to the appropriate identity provider for authentication. The following sections contain more information.

• Configuring the SAMLv2 Identity Provider Discovery Service

• Configuring the ID-FF Identity Provider Introduction Service

• Configuring WS-Federation Home Realm Discovery Service

• Customizing SAMLv2 the Identity Provider Discovery Service and the ID-FF Identity Provider Introduction Service

Configuring the SAMLv2 Identity Provider Discovery Service

The SAMLv2 Identity Provider Discovery Service is provided by OpenSSO Enterprise after deployment. Alternatively, the Identity Provider Discovery Service can be configured as a standalone service. After the SAMLv2 Identity Provider Discovery Service is configured, an administrator creates and configures a Circle-of-Trust to use the Identity Provider Discovery service for the IDPs and SPs. In OpenSSO Enterprise, the Identity Provider Discovery Service for SAMLv2 providers is configured using two URLs that point to servlets developed for writing and reading a special cookie called Common Domain cookie. Go to the circle-of-trust entity and configure the following:

• SAMLv2 Writer Service URL

• SAMLv2 Reader Service URL

SAMLv2 Writer Service URL

The Writer Service URL is used by the identity provider. After successful authentication, the common domain cookie is appended with the query parameter _saml_idp=entity-ID-of-identity-provider. This parameter is used to redirect the principal to the Writer Service URL defined for the identity provider. The URL is configured as the value for the SAML2 Writer Service URL attribute when a circle of trust is created. Use the format http://idp-discovery-host:port/deployment-uri/writer where idp-discovery-host:port refers to the machine on which the SAMLv2 Identity Provider Discovery service is installed and deployment-uri tells the web container where to look for information specific to the application (such as classes or JARs).

SAMLv2 Reader Service URL

The Reader Service URL is used by the service provider. The service provider redirects the principal to this URL in order to find the preferred identity provider. Once found, the principal is redirected to the identity provider for single sign-on. The URL is defined as the value for the Reader Service URL attribute when a circle of trust is created. It is formatted as http://idp-discovery-host:port/deployment-uri/transfer where idp-discovery-host:port refers to the machine on which the SAMLv2 IDP Discovery service is installed and deployment-uri tells the web container where to look for information specific to the application (such as classes or JARs).

Configuring the ID-FF Identity Provider Introduction Service

OpenSSO Enterprise provides the Liberty ID-FF Identity Provider Introduction Service upon deployment. Alternatively, the Identity Provider Introduction Service could be configured as a standalone service (refer to later section for details).

After the Liberty ID-FF Identity Provider Introduction Service is configured, an administrator needs create and configure a Circle-of-Trust to use the service. In OpenSSO Enterprise, the Identity Provider Introduction Service for ID-FF providers is configured using two URLs that point to servlets developed for writing and reading a special cookie called Common Domain cookie. Go to the circle-of-trust entity and configure the following:

• ID–FF Writer Service URL

• ID-FF Reader Service URL

ID–FF Writer Service URL

The Writer Service URL is used by the identity provider. After successful authentication, the common domain cookie is appended with the query parameter _liberty_idp=entity-ID-of-identity-provider. This parameter is used to redirect the principal to the ID-FF Writer Service URL defined for the identity provider. The URL is configured as the value for the ID-FF Writer Service URL attribute when a circle of trust is created. Use the format http://idp-introduction-host:port/deployment-uri/idffwriter where idp-introduction-host:port refers to the machine on which the ID-FF Identity Provider Introduction service is installed and deployment-uri tells the web container where to look for information specific to the application (such as classes or JARs).

ID-FF Reader Service URL

The ID-FF Reader Service URL is used by the service provider. The service provider redirects the principal to this URL in order to find the preferred identity provider. Once found, the principal is redirected to the identity provider for single sign-on. The URL is defined as the value for the ID-FF Reader Service URL attribute when a circle of trust is created. It is formatted as http://idp-introduction-host:port/deployment-uri/transfer where idp-intorductoin-host:port refers to the machine on which the ID-FF Identity Provider Introduction service is installed and deployment-uri tells the web container where to look for information specific to the application (such as classes or JARs).

Configuring WS-Federation Home Realm Discovery Service

To configure a WS-Federation service provider to use the Home Realm Discovery Service, click on the WS-Federation entity name in the OpenSSO Enterprise console, select the Service Provider (SP) tab and configure the following:

Home Realm Discovery

Specifies the service so that the service provider can identify the preferred identity provider. The service URL is specified as a contact endpoint by the service provider.

Account Realm Selection

Specifies the identity provider selection mechanism and configuration. Either the cookie or HTTP Request header attribute can be used to locate the identity provider.

Customizing SAMLv2 the Identity Provider Discovery Service and the ID-FF Identity Provider Introduction Service

There are two ways to obtain the SAMLv2 IDP Discovery Service/ID-FF IDP Introduction service:

1. Create and deploy a specialized WAR file used for the SAMLv2 Identity Provider Discovery Service and ID-FF Identity Provider Introduction Service only. See To Create a Specialized WAR file for the Identity Provider Services.

2. Customize the SAMLv2 Identity Provider Discovery Service and ID-FF Identity Provider Introduction Service through the console. See To Customize the Identity Provider Services Through the Console.

To Create a Specialized WAR file for the Identity Provider Services

OpenSSO Enterprise provides a mechanism to create a specialized WAR file for the SAMLv2 Identity Provider Discovery Service and the ID-FF Identity Provider Introduction Service. The WAR file can be deployed as standalone application, independent of Identity Provider and Service Provider domains. See Creating and Deploying Specialized OpenSSO Enterprise WAR Files in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

1. After you deploy and run the Configurator for the specialized WAR file, locate the configuration property file named libIDPDiscoveryConfig.properties.

   This file is created under the web container user's home directory. This file is the same for both the SAMLv2 IDP Discovery service and the ID-FF IDP Introduction service.

2. Customize the following properties to meet your specific deployment needs:

   com.sun.identity.federation.services.introduction.cookiedomain

   The value of this property is the name of the common domain.

   com.sun.identity.federation.services.introduction.cookietype

   This property takes a value of either PERSISTENT or SESSION. PERSISTENT defines the cookie as one that will be stored and reused after a web browser is closed and reopened. SESSION defines the cookie as one that will not be stored after the web browser has been closed.

   com.iplanet.am.cookie.secure

   This property takes a value of either false or true. It defines whether the cookie needs to be secured or not.

   com.iplanet.am.cookie.encode

   This property takes a value of either false or true. It defines whether the cookie will be URL encoded or not. This property is useful if, for example, the web container that reads or writes the cookie decrypts or encrypts it by default.

To Customize the Identity Provider Services Through the Console

1. Login to the console as top level administrator.

2. Click the Configuration tab.

3. Click the Global sub-configuration tab.

4. Select the SAMLv2 Service Configuration service.

5. Customize the following attributes. These attributes are applicable for both the SAMLv2 Identity Provider Discovery Service and ID-FF Identity Provider Introduction Service:

   Cookie Domain for IDP Discovery Service

   Specifies the cookie domain for the SAMLv2 IDP discovery cookie.

   Cookie Type for IDP Discovery Service

   Specifies cookie type used in SAMLv2 IDP Discovery Service, either Persistent or Session. Default is Session.

   URL Scheme for IDP Discovery Service

   Specifies URL scheme used in SAMLv2 IDP Discovery Service.

Bulk Federation

OpenSSO Enterprise handles the federation of user accounts in bulk through the ssoadm command line tool. From the service provider, import the metadata to create the bulk federation data. The full command is as follows:

ssoadm do-bulk-fed-data --metaalias meta_alias --remote-entity-id 
entity_ID--useridmapping id-mapping-filename --name-id-mapping 
created_nameid_filename --adminid administrator_ID
 --password-file password_filename --spec idff_or_saml2_or_wsfed

As input, the command takes a file that maps the user distinguished name (DN) of the identity provider to the user DN of the service provider. You specify this in the –useridmapping option of the do-bulk-federation subcommand. The format is the full DN of local-user-id|remote-user-id. For example:

id=spuser1,ou=user,dc=red,dc=iplanet,dc=com|id=idpuser1,
ou=user,dc=red,dc=iplanet,dc=com
id=spuser2,ou=user,dc=red,dc=iplanet,dc=com|id=idpuser2,
ou=user,dc=red,dc=iplanet,dc=com
id=spuser3,ou=user,dc=red,dc=iplanet,dc=com|id=idpuser3,
ou=user,dc=red,dc=iplanet,dc=com
id=spuser4,ou=user,dc=red,dc=iplanet,dc=com|id=idpuser4,
ou=user,dc=red,dc=iplanet,dc=com

The users defined in this file must already exist in the identity provider and service provider.

To load the bulk data into an identity provider, use the following command. The bulk federation file created by the do-bulk-federation subcommand is specified in the bulk-data-file option:

ssoadm import-bulk-fed-data --meta-aslias meta_alias --bulk-data-file 
bulk_federation_filename --adminid administrator_ID --password-
file password_filename --spec idff_or_saml2_or_wsfed

ID-FF Federation Operations

This section describes Federation operations that are specific to the ID-FF protocol.

• The Pre-Login URL

• Configuring ID-FF Single Sign-on

• ID-FF Auto-Federation

• Enabling ID-FF XML Signing

• Dynamic Identity Provider Proxying

The Pre-Login URL

The pre-login process is the entry point for applications participating in Liberty-based single sign-on. The principal would be redirected to the location defined by the pre-login URL if no OpenSSO Enterprise session token is found. This default process, though, can be modified based on the values of query parameters passed to OpenSSO Enterprise by the service provider within a URL.

A query parameter is a name/value pair appended to the end of a URL. The parameter starts with a question mark (?) and takes the form name=value. A number of parameters can be combined in one URL; when more than one parameter exists, they are separated by an ampersand (&). Use the format http://hostname:port/deploy-uri/preLogin?metaAlias=metaAlias. Additional parameters are appended to the URL as &param1=value1&param2=value2 and so on. These parameters and their usage and values are described in the following table.

In order to modify the pre-login URL, edit the relevant properties in either the AMConfig.properties file or the AMAgent.properties file, dependent on your deployment.

To Configure for Pre-login

In a federation setup, OpenSSO Enterprise acts as a service provider and manages an application that runs on a separate instance of Sun Java System Web Server. You must configure the agent that is protecting this application as follows:

1. Point the com.sun.am.policy.loginURL property in the AMAgent.properties file to the pre-login service URL running on OpenSSO Enterprise.

   For example: com.sun.am.policy.loginURL = http://www.sp1.com:58080/opensso/preLogin?metaAlias=www.sp1.com

2. Point the com.sun.am.policy.am.library.loginURL in the AMAgent.properties file to the login URL of the instance of OpenSSO Enterprise acting as the service provider.

   For example: com.sun.am.policy.am.library.loginURL = http://www.sp1.com:58080/opensso/UI/Login

To Configure for Global Logout

To implement the logout process for all service providers using the Liberty Logout method, do the following:

1. Copy the AMClient.properties file to the service provider's web container.

2. Revise the Logout method, as follows:

   ResourceBundle rsbu =ResourceBundle.getBundle("AMClient"); String logouturl = rsbu.getString ("com.sun.identity.federation.client.samples.logoutURL"); response.sendRedirect(logouturl);

   This revision is equivalent to a redirection to http://www.sp1.com:58080/opensso/liberty-logout?metaAlias=www.sp1.com.

Configuring ID-FF Single Sign-on

To setup single sign-on between two OpenSSO Enterprise instances for ID-FF protocol, one as an identity provider and one as a service provider, follow these steps:

To Configure ID-FF Single Sign-on

1. Create an ID-FF identity provider. For instructions, see To Create an ID-FF Entity Provider.

2. Export the standard identity provider metadata into an XML file using the ssoadm command's export-entity subcommand. The example filename for these instructions is IDP.xml.

3. Create an ID-FF service provider. For instructions, see To Create an ID-FF Entity Provider

   ---

   Note –

   If the identity provider and service provider reside in the same domain, you need to modify the cookie name of one instance to be different from the other. To do so, log in to the OpenSSO Enterprise and go to Configuration>Servers and Sites, then choose the server instance. Click the Security>Inheritance Settings, and uncheck the Cookie Name field. Click Save.

   Click Back to Server Profile, go to the Cookie section, and modify the value for Cookie Name. Click Save. Restart the web container.

   ---

4. Export the standard identity provider metadata into an XML file using the ssoadm command's export-entity subcommand. The example filename for these instructions is SP.xml.

5. Load the remote service provider metadata to the OpenSSO Enterprise instance of the identity provider. To do so:

   1. Copy the SP.xml file to the identity provider instance.

   2. Log in to the console on the identity provider instance and click on the Federation tab.

   3. Click the Import Entity button.

   4. Choose the realm to which the identity provider resides.

   5. Select the File option and click upload to locate the SP.xml file. You can leave the extended metadata field blank.

6. In the Federation tab, create a circle of trust and add the identity provider and service provider. For instructions, see To Create a New Circle of Trust.

7. Load the identity provider metadata to the OpenSSO Enterprise instance of the service provider. To do so:

   1. Copy the IDP.xml file to the identity provider instance.

   2. Log in to the console on the identity provider instance and click on the Federation tab.

   3. Click the Import Entity button.

   4. Choose the realm to which the identity provider resides.

   5. Select the File option and click upload to locate the IDP.xml file. You can leave the extended metadata field blank.

8. In the Federation tab, create a circle of trust and add the identity provider and service provider. For instructions, see To Create a New Circle of Trust.

   Single Sign-on is now established between the OpenSSO Enterprise instances.

ID-FF Auto-Federation

The auto-federation feature in OpenSSO Enterprise will automatically federate a user's disparate provider accounts based on a common attribute. This common attribute will be exchanged in a single sign-on assertion so that the consuming service provider can identify the user and create account federations. If auto-federation is enabled and it is deemed that a user at provider A and a user at provider B have the same value for the defined common attribute (for example, emailaddress), the two accounts will be federated automatically without principal interaction on the service provider side (that is, without login on the service provider side).

Auto-federating a principal's two distinct accounts at two different providers requires each provider to have agreed to implement support for this functionality beforehand.

To Enable ID-FF Auto Federation

Ensure that single sign-on is properly configured. For more information, see To Configure ID-FF Single Sign-on. Remote providers would not be configured in your deployment.

1. In the OpenSSO Enterprise Console, click the Federation tab.

2. Select the name of the identity provider to edit its profile.

3. Click on the Auto Federation link at the top of the page, or scroll down to the Auto Federation subsection.

4. Enable Auto Federation by checking the box.

5. Type a value for the Auto Federation Common Attribute Name attribute.

   For example, enter emailaddress or userID. You should be sure that each participating user profile (at both providers) has a value for this attribute.

6. Click the Identity Provider Attribute Mapper link, or scroll down to the Identity Provider Attribute Mapper subsection. Enter the following attribute values:

   Attribute Mapper Class

   com.sun.identity.federation.services.FSDefaultRealmAttributeMapper

   Identity Provider Attribute Mapping

   Enter the mapping for the Auto-Federation attribute name.

7. Click the Plug-ins link, or scroll down to the Plug-ins subsection. Enter the following attribute value:

   Attribute Statement Plug-in

   com.sun.identity.federation.services.FSDefaultRealmAttributePlugin

8. Click Save to complete the identity provider configuration.

9. Go back to the Federation tab and select the service provider you wish to edit.

10. Click on the Auto Federation link at the top of the page, or scroll down to the Auto Federation subsection.

11. Enable Auto Federation by checking the box.

12. Type a value for the Auto Federation Common Attribute Name attribute.

    For example, enter emailaddress or userID. You should be sure that each participating user profile (at both providers) has a value for this attribute.

13. Click the Service Provider Attribute Mapper link, or scroll down to the Service Provider Attribute Mapper subsection. Enter the following attribute values:

    Attribute Mapper Class

    com.sun.identity.federation.services.FSDefaultRealmAttributeMapper

    Identity Provider Attribute Mapping

    Enter the mapping for the Auto-Federation attribute name.

14. Click Save to complete the configuration.

Enabling ID-FF XML Signing

By default, ID-FF singing is turned off. To enable ID-FF XML signing on OpenSSO Enterprise server, see the following section:

To Enable ID-FF XML Signing

1. Login to the console as the top-level administrator.

2. Select the Configuration tab, select Global, and then Liberty ID-FF Service Configuration.

3. Select YES for the XML Signing On attribute and save the configuration.

4. Go to the Federation tab and select the service provider and/or identity provider that needs to be enabled.

5. Under the Common Attributes section, make sure a signing certificate alias is chosen for the provider. Otherwise, you must enter your certification alias.

   If the certificate alias is added or changed, you need to send the new metadata (to be exported using ssoadm CLI) to the remote party to update its metadata.

6. Click Save.

7. Restart the server.

Dynamic Identity Provider Proxying

An identity provider that is asked to authenticate a principal that has already been authenticated with another identity provider may proxy the authentication request, on behalf of the requesting service provider, to the authenticating identity provider. This is called dynamic identity provider proxying. When the first identity provider (referred as Proxying Identity Provider) receives an authentication request regarding a principal, it prepares a new authentication assertion on its own behalf by referencing the relevant information from the original assertion and sending the assertion to the authenticating identity provider. After receiving the Assertion from the authenticating identity provider, the proxying identity provider generates a new Assertion based on the information from the original Assertion, and sends to the requesting service provider.

The service provider requesting authentication may control this proxy behavior by setting a list of preferred identity providers or by defining the amount of times the identity provider can proxy the request.

To Configure and Test Dynamic Identity Provider Proxying

The following steps describe the procedure to enable three machines for identity provider proxying and test the configuration. The procedure assumes the three machines have OpenSSO Enterprise installed and are configured as follows:

1. Install and configure three OpenSSO instances.

   If those three instances resides on the same domain, you need to modify the cookie name of all three instances to be different from one another. To do so:

   1. Login to administration console and click the Configuration tab.

   2. Click Servers and Sites and choose your server instance.

   3. Click the Security tab, then click Inheritance Settings.

   4. Uncheck the box for the Cookie Name attribute.

   5. Click Save.

   6. Click the Back to Server Profile button.

   7. Modify the value for the Cookie Name attribute under the Cookie section.

   8. Click Save.

   9. Restart the web container on which the server instance is deployed.

2. Create hosted ID-FF metadata on the requesting service provider instance on machine 3.

   For more information, see ID-FF Entity Provider. When creating the provider:

   1. Enter the service provider entity ID in the Entity Identifier field

   2. Under the Service Provider section, specify meta alias, signing/encryption cert alias if needed.

3. Export the requesting Service Provider's standard metadata to a XML file. This could be done using the export-entity option in ssoadm CLI or the ssoadm.jsp. The rest of these steps use the file name sp.xml as an example.

4. Create hosted metadata on the proxying Identity provider instance, o machine 2.

   1. Login to machine 2 as the top-level administrator, click Federation, then click New under Entity Providers table.

   2. Select IDFF in the pop up window

   3. Save the configuration.

   4. Enter the entity ID in the Entity Identifier field.

   5. Under the Identity Provider section, specify a meta alias, and enter signing/encryption cert alias if needed.

   6. Under the Service Provider section, specify a meta alias different from that entered for Identity Provider section, and enter signing/encryption cert alias if needed.

   7. Click create.

5. Export the proxying identity provider's standard metadata to a XML file. This is done using the export-entity option in ssoadm CLI or ssoadm.jsp. The rest of these steps use the file name proxy.xml as an example.

6. Create the hosted metadata on the authenticating Identity provider instance, machine 1.

   For more information, see ID-FF Entity Provider. When creating the provider:

   1. Enter the service provider entity ID in the Entity Identifier field

   2. Under the Service Provider section, specify meta alias, signing/encryption cert alias if needed.

7. Export the authenticating Identity provider's standard metadata to a XML file using the export-entity option in the ssoadm CLI or by using the ssoadm.jsp. The rest of these steps use the file name idp.xml as an example.

8. Load the remote proxying identity provider metadata on the requesting service provider instance.

   1. Copy the proxy.xml to machine 3.

   2. In the console of machine 3, click the Federation tab and then the Import Entity button.

   3. Choose the realm to which the requesting service provider belongs.

   4. Under Where Does the Meta Data File Reside field, choose File and click Upload.

   5. Choose proxy.xml. The Where Does the Extended Data File Reside can be left blank.

   6. Click Ok.

9. Create a circle of trust on the requesting service provider instance to include the proxying IDP and requesting SP entity. For information, see Circle of Trust.

10. Load the remote authenticating identity provider and requesting service provider metadata to the proxying identity provider instance.

    1. Copy the idp.xml and sp.xml files to machine 2.

    2. In the console of machine 2, click the Federation tab and then the Import Entity button.

    3. Choose the realm to which the requesting service provider belongs.

    4. Under Where Does the Meta Data File Reside field, choose File and click Upload.

    5. Choose idp.xml. The Where Does the Extended Data File Reside field can be left blank.

    6. Click OK.

    7. Repeat the steps for loading the requesting service provider meta data (sp.xml).

11. Create circles of trust on the proxying identity provider instance, machine 2. For information, see Circle of Trust

    Add the requesting service provider and proxying identity provider to the circle of trust. Repeat this step to create a circle of trust for both the authenticating identity provider and the proxying identity provider. Make sure the circles of trust have different names.

12. Load the remote proxying identity provider metadata on the authenticating identity provider instance, machine 1.

    1. Copy the proxy.xml to machine 1.

    2. In the console of machine 1, click the Federation tab and then the Import Entity button.

    3. Choose the realm to which the requesting service provider belongs.

    4. Under Where Does the Extended Data File Reside field, choose File and click Upload.

    5. Choose proxy.xml. The Where Does the Extended Data File Reside can be left blank.

    6. Click Ok.

13. Create a create a circle of trust on the authenticating identity provider instance to include the proxying identity provider and authenticating identity provider entities.

14. Enable Dynamic Identity provider proxying on the requesting service provider instance.

    1. In the console of machine 3, click the Federation tab.

    2. Select the hosted requesting service provider.

    3. Go to Proxy Authentication Configuration.

    4. Check the box for Proxy Authentication to enable it.

    5. Enter 10 for the value in the Maximum Number of Proxies attribute.

    6. Click Save.

15. Enable dynamic identity provider proxying on the proxying identity provider instance.

    1. In the console of machine 2, click the Federation tab.

    2. Select the hosted proxying identity provider.

    3. Go to Proxy Authentication Configuration.

    4. Check the box for Proxy Authentication to enable it.

    5. Enter 10 for the value in the Maximum Number of Proxies attribute.

    6. Add the authenticating identity provider's entity ID in the Proxy Identity Providers List file.

    7. Click Save.

16. Federate a user between machine 3 (acting as a service provider) and machine 2 (acting as an identity provider).

17. Federate a user between machine 2 (acting as a service provider) and machine 1 (acting as an identity provider).

18. Close the browser and attempt to perform a single sign-on again from machine 3. You will be redirected to machine 1 rather than machine 2 for authentication.

    Enter the username and password used on machine 1. You will have a successful single sign-on to machine 3.

SAMLv2 Operations

The SAMLv2 specification defines the assertion security token format as well as profiles that standardize the HTTP exchanges required to transfer XML requests and responses between an asserting authority and a trusted partner. OpenSSO Enterprise supports a number of the defined profiles. This section describes how to configure for the operations defined by the SAMLv2 profiles using OpenSSO Enterprise. It covers the following topics.

• POST Binding with Single Sign-on and Single Logout

• Creating Affiliations

• Requesting Attribute Values Using a SAMLv2 Assertion

• Requesting a SAMLv2 Assertion

• Requesting a SAMLv2 Assertion for Authentication Context

• Encoding Artifacts

• Managing SAMLv2 Name Identifiers

• Mapping SAMLv2 Name Identifiers

• Enhanced Client and Proxy

• Formatting Name Identifiers

• Configuring SAMLv2 Single Sign-on without Service Provider User Accounts

• Auto-creation of User Accounts

• Using Non-Default Federation Attributes

• Enabling XML Signing and Encryption

• Securing SOAP Binding

• Load Balancing

• Access Control

• Certificate Revocation List Checking

• SAMLv2 IDP Discovery Service

• Bootstrapping the Liberty ID-WSF with SAML v2

POST Binding with Single Sign-on and Single Logout

HTTP POST binding is used for an identity provider response to a request from a service provider. To configure for POST binding, the following tags must be present in the identity provider standard metadata.

<IDPSSODescriptor
WantAuthnRequestsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:
SAML:2.0:protocol">.
  <SingleLogoutService
   Binding="urn:oasis:names:tc:SAML:2.0:
   bindings:HTTP-POST"
   Location="http://isdev-3.red.com:
   58080/fam/IDPSloPOST/metaAlias/idp"
   ResponseLocation="http://isdev-3.red.com:
   58080/opensso/IDPSloPOST/metaAlias/idp"/>
  <SingleSignOnService
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:
   HTTP-POST"
   Location="http://isdev-3.red.iplanet.com:58080/opensso/
   SSOPOST/metaAlias/idp"/>
</IDPSSODescriptor> 

To configure on the service provider side the standard metadata must include the following tags.

<SPSSODescriptor
 AuthnRequestsSigned="false"
 WantAssertionsSigned="false"
 protocolSupportEnumeration=
 "urn:oasis:names:tc:SAML:2.0:protocol">
.....
<SingleLogoutService
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Location="http://mach1.red.com:58080/opensso/
 SPSloPOST/metaAlias/sp"
 ResponseLocation="http://mach1.red.com:58080/
 opensso/SPSloPOST/metaAlias/sp"/>
</SPSSODescriptor> 

idpSSOInit.jsp, spSSOInit.jsp, spSingleLogoutInit.jsp and idpSingleLogoutInit.jsp will initiate single sign-on or single logout using the proper binding. Supported values are urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. An example URL for service provider initiated single logout might be http://mach1.red.com:58080/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=isdev-3.red.com&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

Creating Affiliations

To configure for affiliations, the following tags must be in the identity provider standard metadata.

<AffiliationDescriptor
 affiliationOwnerID="affi.red.com">
  <AffiliateMember>mach1.red.com</AffiliateMember>
  <AffiliateMember>mach2.red.com</AffiliateMember>
</AffiliationDescriptor>

The following tags must also be present in the identity provider extended metadata.

<AffiliationConfig metaAlias="/ff">
  <Attribute name="signingCertAlias">
   <Value>test</Value>
  </Attribute>
  <Attribute name="encryptionCertAlias">
   <Value>test</Value>
  </Attribute>
</AffiliationConfig> 

The ssoadm command line interface can be used to create and import the identity provider metadata. Use the following options to create the appropriate tags in the metadata. See Part I, Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for more information.

--affiliation, -F

Specify a metaAlias for the hosted affiliation. The format must be realm name/identifier.

--affiscertalias, -J

Specify a signing certificate alias for the hosted affiliation.

--affiecertalias, -K

Specify an encryption certificate alias for the hosted affiliation.

--affimembers, -M

Specify affiliation members.

--affiownerid, -N

Specify the identifier for the Affiliation Owner.

An example illustrating how the command line might be used to create the metadata:

ssoadm create-metadata-templ -u amadmin 
-f /tmp/pw -m /home/tmp/affimm -x /home/tmp/affixx 
-F /ff -y affi.red.com -K test -J test -M sp1.red.com 
sp2.red.com -N affiownerID

See Chapter 1, ssoadm Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for information on the other options.

idpMNIRequestInit.jsp, idpSSOInit.jsp, spMNIRequestInit.jsp and spSSOInit.jsp can initiate single sign-on based on a configured affiliation. The affiliationID parameter should match the value of the entity ID for the affiliation in the standard metadata. A URL to initiate single sign-on from the service provider might be:

http://mach1.red.com:58080/opensso/saml2/jsp/
spSSOInit.jsp?metaAlias=/sp&idpEntityID=isdev-3.red.com&reqBinding=
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&affiliationID=affi.red.com

Requesting Attribute Values Using a SAMLv2 Assertion

Providers may request attributes (and the corresponding values) from a specific identity profile. A successful response is the return of an assertion containing the requested information. The identity provider acting as the attribute authority uses an implementation of the com.sun.identity.saml2.plugins.AttributeAuthorityMapper interface to process queries. The implementation uses the attribute map table configured in the identity provider's extended metadata which maps attributes in the SAMLv2 assertion to attributes in the local user data store. (If an attribute map is not configured, no attributes will be returned.)

OpenSSO Enterprise contains two custom mappers:

com.sun.identity.saml2.plugins.DefaultAttributeAuthorityMapper

com.sun.identity.saml2.plugins.DefaultAttributeAuthorityMapper maps using the NameID from a single sign-on interaction. To set OpenSSO Enterprise to use a different attribute mapper implementation, modify the value of the default_attributeAuthorityMapper property in the extended metadata of the provider defined as the attribute authority. The mapper value of default_attributeAuthorityMapper is used for a standard attribute queries

com.sun.identity.saml2.plugins.X509SubjectAttributeAuthorityMapper

com.sun.identity.saml2.plugins.X509SubjectAttributeAuthorityMapper maps using the value of the X.509 Subject in the certificate in the NameID. To set OpenSSO Enterprise to use a different attribute mapper implementation, modify the value of the x509Subject_attributeAuthorityMapper property in the extended metadata of the provider defined as the attribute authority. The mapper value of x509Subject_attributeAuthorityMapper is used for attribute queries with an X509 certificate. The X509 mapper maps an X509 subject to a user by searching the identity data store for the attribute defined as the value of the x509SubjectDataStoreAttrName property in the identity provider extended metadata of the attribute authority. If the user has the specified attribute and the attribute's value is the same as that of the X509 subject in the attribute query, the user will be used.

Only SOAP binding is supported for these communications. Signing is required so make sure the Signing Certificate Alias attribute of any provider acting as the attribute requester and the attribute authority is configured. The ssoadm command line interface can be used to create and import the service provider metadata. The following tags must be in the standard metadata of the service provider (querying provider).

<RoleDescriptor
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
  xsi:type="query:AttributeQueryDescriptorType"
  protocolSupportEnumeration=
  "urn:oasis:names:tc:SAML:2.0:protocol">
</RoleDescriptor>

The following tags must be in the extended metadata of the service provider (querying provider).

<AttributeQueryConfig metaAlias="/attrq">
  <Attribute name="signingCertAlias">
   <Value>test2</Value>
  </Attribute>
  <Attribute name="encryptionCertAlias">
    <Value>test2</Value>
  </Attribute>
</AttributeQueryConfig>

Use the following options to create the appropriate tags in the service provider's metadata. See Part I, Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for more information.

--attrqueryprovider, -S

Specify a metaAlias for the hosted querying provider. The format must be realm name/identifier.

--attrqscertalias, -A

Specify a signing certificate alias.

--attrqecertalias, -R

Specify an encryption certificate alias.

The ssoadm command line interface can also be used to create and import the identity provider metadata. The following tags must be in the standard metadata of the identity provider (attribute authority).

<AttributeAuthorityDescriptor
  protocolSupportEnumeration=
  "urn:oasis:names:tc:SAML:2.0:protocol">
</AttributeAuthorityDescriptor>

The following tags must be in the extended metadata of the identity provider (attribute authority). Note the presence of the x509SubjectDataStoreAttrName attribute.

<AttributeAuthorityConfig metaAlias="/attra">
  <Attribute name="signingCertAlias">
   <Value>test2</Value>
  </Attribute>
  <Attribute name="encryptionCertAlias">
   <Value>test2</Value>
  </Attribute>
  <Attribute name="default_attributeAuthorityMapper">
   <Value>com.sun.identity.saml2.plugins.DefaultAttributeAuthorityMapper</Value>
  </Attribute>
  <Attribute name="x509Subject_attributeAuthorityMapper">
   <Value>com.sun.identity.saml2.plugins.X509SubjectAttributeAuthorityMapper</Value>
  </Attribute>
  <Attribute name="x509SubjectDataStoreAttrName">
   <Value></Value>
  </Attribute>
</AttributeAuthorityConfig>

Use the following options to create the appropriate tags in the identity provider's metadata. See Part I, Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for more information.

--attrauthority, -I

Specify a metaAlias for the hosted attribute authority. The format must be realm name/identifier.

--attrascertalias, -B

Specify a signing certificate alias.

--attraecertalias, -G

Specify an encryption certificate alias.

To initiate this query, create and import the standard and extended metadata for both the service provider and identity provider. Add the mapped values to the attributeMap property in the extended identity provider metadata in the following format:

attribute in SAML assertion=local attribute

You can specify the attributes to be returned in the Attribute tag of the AttributeAuthorityDescriptor element of the identity provider standard metadata. If this attribute has no value, all requested attributes will be returned.

To send an attribute query from the provider use the method of com.sun.identity.saml2.profile.AttributeQueryUtil.

public static Response sendAttributeQuery(
  AttributeQuery attrQuery,
  String attrAuthorityEntityID, 
  String realm, 
  String attrQueryProfile,
  String attrProfile, String binding) throws SAML2Exception;

To construct an AttributeQuery object, use the com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.* packages.

Requesting a SAMLv2 Assertion

The Assertion Query/Request profile specifies a means for requesting existing assertions using a unique identifier. The requester initiates the profile by sending an assertion request, referenced by the identifier, to a SAMLv2 authority. The SAMLv2 authority processes the request, checks the assertion cache for the identifier, and issues a response to the requester.

To store assertions generated during single sign-on, add the following attribute to the metadata file of the identity provider acting as the SAMLv2 authority.

<IDPSSOConfig metaAlias="/idp">
<Attribute name="assertionCacheEnabled">
<Value>true</Value>
</Attribute>
</IDPSSOConfig>

To configure for assertion queries, the following tags must be defined in the identity provider standard metadata.

<IDPSSODescriptor WantAuthnRequestsSigned=
"false" protocolSupportEnumeration="urn:oasis:names:tc:
SAML:2.0:protocol">

  <AssertionIDRequestService Binding="urn:oasis:names:tc:
   SAML:2.0: bindings:SOAP" Location=
   "http://isdev-3.red.iplanet.com:58080/
   fam/AIDReqSoap/IDPRole/metaAlias/idp"/>
    <AssertionIDRequestService Binding=
     "urn:oasis:names:tc:SAML:
     2.0:bindings:URI" Location=
     "http://isdev-3.red.iplanet.com:
     58080/fam/AIDReqUri/IDPRole/metaAlias/idp"/>
</IDPSSODescriptor>

<AttributeAuthorityDescriptor protocolSupportEnumeration=
"urn:oasis:names:tc:SAML:2.0:protocol">
  <AssertionIDRequestService Binding=
   "urn:oasis:names:tc:SAML:
   2.0:bindings:SOAP" Location=
   "http://isdev-3.red.iplanet.com:
   58080/fam/AIDReqSoap/AttrAuthRole/metaAlias/attra"/>
    <AssertionIDRequestService Binding=
     "urn:oasis:names:tc:SAML:
     2.0:bindings:URI" Location=
     "http://isdev-3.red.iplanet.com:
     58080/fam/AIDReqUri/AttrAuthRole/
     metaAlias/attra"/>
</AttributeAuthorityDescriptor>

<AuthnAuthorityDescriptor protocolSupportEnumeration=
"urn:oasis:names:tc:SAML:2.0:protocol">
..<AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:
   2.0:bindings:SOAP" Location="http://isdev-3.red.iplanet.com:
   58080/fam/AIDReqSoap/AuthnAuthRole/metaAlias/authna"/>
  <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:
   2.0:bindings:URI" Location="http://isdev-3.red.iplanet.com:
   58080/fam/AIDReqUri/AuthnAuthRole/metaAlias/authna"/>
..</AuthnAuthorityDescriptor>

The following tags must be defined in the identity provider extended metadata.

<IDPSSOConfig metaAlias="/idp">
..<Attribute name="assertionIDRequestMapper">
   <Value>com.sun.identity.saml2.plugins.
    DefaultAssertionIDRequestMapper</Value>
   </Attribute>
</IDPSSOConfig>

<AttributeAuthorityConfig metaAlias="/attra">
..<Attribute name="assertionIDRequestMapper">
   <Value>com.sun.identity.saml2.plugins.
    DefaultAssertionIDRequestMapper</Value>
  </Attribute>
</AttributeAuthorityConfig>

<AuthnAuthorityConfig metaAlias="/authna">
..<Attribute name="assertionIDRequestMapper">
   <Value>com.sun.identity.saml2.plugins.
    DefaultAssertionIDRequestMapper</Value>
  </Attribute>
</AuthnAuthorityConfig> 

com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper is the default implementation used to process the assertion request. (See com.sun.identity.saml2.plugins.AssertionIDRequestMapper in the Sun OpenSSO Enterprise 8.0 Java API Reference.) To define a customized mapper, change the value of the assertionIDRequestMapper property in the IDP, attribute authority or authentication authority extended metadata.

Supported bindings are SOAP and URI however in order to implement URI binding, you must do the following.

1. Write an implementation of com.sun.identity.saml2.plugins.AssertionIDRequestMapper.

   The method authenticateRequesterURI() should be returned without throwing an exception.

2. Modify the value of the assertionIDRequestMapper element in the identity provider metadata to match the name of the custom implementation.

• To send a request for an assertion from a service provider use either of the methods of com.sun.identity.saml2.profile.AssertionIDRequestUtil as below.

  public static Response sendAssertionIDRequest(
    AssertionIDRequest assertionIDRequest, String samlAuthorityEntityID,
    String role, String realm, String binding) throws SAML2Exception;
  
  public static Assertion sendAssertionIDRequestURI(
    String assertionID, String samlAuthorityEntityID,
    String role, String realm) throws SAML2Exception;

• To construct an AssertionIDRequest object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.*.

Requesting a SAMLv2 Assertion for Authentication Context

A SAMLv2 assertion contains information regarding the context of a principal's authentication. The requesting party may require this additional information (for example, the authenticating technology or protocol used) in order to assess the level of confidence they can place in the assertion. To retrieve authentication context information, the service provider issues a query to the authentication authority. Only SOAP binding is supported for this request And signing is required so make sure the Signing Certificate Alias attribute of the service provider and the authentication authority is configured.

To Configure for Authentication Context Queries

1. Create and load the metadata for the service provider.

2. Create the metadata for the identity provider using ssoadm and define these additional options for it's role as an authentication authority.

   -C

   Defines the meta Alias for the hosted authentication authority to be created. The format must be realm name/identifier.

   -D

   Defines the authentication authority signing certificate alias.

   -E

   Defines the authentication authority encryption certificate alias.

   For example:

   ssoadm create-metadata-templ -u amadmin -f /tmp/pw -m /home/user1/tmp/mm -x
   /home/usr1/tmp/xx -s /idp -a test -r test -C /authna -D test2 -E test2 -y
   example.com

3. Add the following attribute to the identity provider metadata file just created.

   This allows the identity provider to store assertions generated during the SAMLv2 Single Sign-on process.

   <IDPSSOConfig metaAlias="/idp">
   <Attribute name="assertionCacheEnabled">
   <Value>true</Value>
   </Attribute>
   </IDPSSOConfig>

4. Configure for SAMLv2 single sign-on as documented in Configuring SAMLv2 Single Sign-on without Service Provider User Accounts.

5. Do either of the following:

   • To send an authentication query from the service provider use the method of com.sun.identity.saml2.profile.AuthnQueryUtil.

     public static Response sendAuthnQuery(AuthnQuery authnQuery,
       String authnAuthorityEntityID, String realm, String binding)
       throws SAML2Exception;

   • To construct an AuthnQuery object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.*.

Encoding Artifacts

When an identity provider sends a response to a service provider using artifact binding, OpenSSO Enterprise supports either URI or form encoding. To specify the encoding, toggle the value of the responseArtifactMessageEncoding tag in the service provider's extended metadata. Possible values are URI and FORM as in:

<Attribute name="responseArtifactMessageEncoding">
  <Value>FORM</Value>
</Attribute>

Managing SAMLv2 Name Identifiers

With this release, OpenSSO Enterprise enhances its implementation of the Name Identifier Management Profile to include the termination of the association of a name identifier between a service provider and an identity provider (including the accompanying federation) and the issuance of a new name identifier. When metadata is created using OpenSSO Enterprise, XML is defined to support HTTP-Redirect, SOAP and HTTP-POST bindings. Following is the code for an identity provider.

<IDPSSODescriptor
  <ManageNameIDService
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:
   HTTP-Redirect" Location="http://isdev-3.red.iplanet.com:
   58080/fam/IDPMniRedirect/metaAlias/idp" ResponseLocation=
   "http://isdev-3.red.iplanet.com:58080/fam/IDPMniRedirect/
   metaAlias/idp"/>
  <ManageNameIDService
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://isdev-3.red.iplanet.com:58080/fam/
   IDPMniPOST/metaAlias/idp" ResponseLocation=
   "http://isdev-3.red.iplanet.com:58080/fam/IDPMniPOST/
   metaAlias/idp"/>
  <ManageNameIDService
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
   Location="http://isdev-3.red.iplanet.com:58080/fam/
   IDPMniSoap/metaAlias/idp"/>
</IDPSSODescriptor> 

The ManageNameID (MNI) JSP provide a way to initiate name identifier changes or terminations. For example, after establishing a name identifier for use when referring to a principal, the identity provider may want to change its value and/or format. Additionally, an identity provider might want to indicate that a name identifier will no longer be used to refer to the principal. The identity provider will notify service providers of the change by sending them a ManageNameIDRequest. A service provider also uses this message type to register or change the SPProvidedID value (included when the underlying name identifier is used to communicate with it) or to terminate the use of a name identifier between itself and the identity provider. To initiate termination of a name identifier or creation of a new identifier, access the appropriate JSP using the URL and URL parameter information in the following sections.

• idpMNIRequestInit.jsp

• spMNIRequestInit.jsp

The JSP are located in /OpenSSO-Deploy-base/opensso/saml2/jsp/. idpMNIRedirect.jsp, spMNIRedirect.jsp, idpMNIPOST.jsp, and spMNIPOST.jsp, also in that directory, are process pages served as endpoints.

idpMNIRequestInit.jsp

idpMNIRequestInit.jsp initiates name identifier modifications or termination from the identity provider. The URL for this JSP is protocol://host:port/service-deploy-uri/saml2/jsp/idpMNIRequestInit.jsp. The following URL parameters are appended to it.

• metaAlias: The value of the metaAlias property set in the identity provider's extended metadata configuration file. If the metaAlias attribute is not present, an error is returned.

• spEntityID: The entity identifier of the service provider to which the response is sent.

• requestType: The type of ManageNameIDRequest. Accepted values include Terminate and NewID.

• binding: A URI specifying the binding to use for the communications. The supported values are:

  • urn:oasis:names:tc:SAML:2.0:bindings:SOAP

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

• RelayState: The target URL of the request.

An example URL for using HTTP-POST communication might be:

http://dev-3.sun.com:58080/opensso/saml2/
  jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=
  mach1.sun.com&requestType=Terminate&binding=
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

spMNIRequestInit.jsp

spMNIRequestInit.jsp initiates name identifier modifications or termination from the service provider. The URL for this JSP is protocol://host:port/service-deploy-uri/saml2/jsp/spMNIRequestInit.jsp. The following URL parameters are appended to it.

• metaAlias: This parameter takes as a value the metaAlias set in the identity provider's extended metadata configuration file. If the metaAlias attribute is not present, an error is returned.

• idpEntityID: The entity identifier of the identity provider to which the request is sent.

• requestType: The type of ManageNameIDRequest. Accepted values include Terminate and NewID.

• binding: A URI specifying the protocol binding to use for the Request. The supported values are:

  • urn:oasis:names:tc:SAML:2.0:bindings:SOAP

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

• RelayState: The target URL of the request.

An example URL for using SOAP communication might be:

http://dev-3.sun.com:58080/opensso/saml2/
  jsp/idpMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=
  mach1.sun.com&requestType=NewID&binding=
  urn:oasis:names:tc:SAML:2.0:bindings:SOAP

Mapping SAMLv2 Name Identifiers

The NameID Mapping Protocol allows a service provider that shares an identifier for a principal with an identity provider to obtain a name identifier for said principal in another format or that is in another federation namespace (for example, is shared between the identity provider and another service provider). The requester initiates the profile by sending a NameIDMappingRequest message to the identity provider. After processing the request, the identity provider issues a NameIdMappingResponse message to the requester.

Only SOAP binding is supported. Signing is required so make sure the Signing Certificate Alias attribute of the identity provider and the service provider is configured.

To send a NameIDMappingRequest message from the service provider, use the method of the com.sun.identity.saml2.profile.NameIDMapping.

public static NameIDMappingResponse initiateNameIDMappingRequest(
  Object session,
  String realm, 
  String spEntityID, 
  String idpEntityID,
  String targetSPEntityID, 
  String targetNameIDFormat,
  Map paramsMap) throws SAML2Exception;

Enhanced Client and Proxy

The Enhanced Client and Proxy (ECP) profile assumes the client can contact an appropriate provider using the reverse SOAP (PAOS) binding. The ECP process flow is as follows:

1. The principal, through the ECP, makes an HTTP request for a secured resource at a service provider, which does not have an established security context for the ECP or principal.

2. The service provider issues an authentication request to the ECP using PAOS binding.

3. The ECP obtains the location of an endpoint at an identity provider for the authentication request protocol that supports its binding.

4. The ECP conveys the authentication request to the identity provider.

5. The identity provider identifies the principal.

6. The identity provider issues a response to the ECP that is to be delivered to the service provider.

7. The ECP conveys a response message to the service provider.

8. The service provider grants or denies access to the principal.

See the following procedures for configuration information.

• To Configure for ECP on the Identity Provider Side

• To Configure for ECP on the Service Provider Side (Optional)

After completing the configuration, use the following URL format to access a resource on the service provider.

SP protocol://SP host:SP port/SP deploy URI/SPECP?metaAlias=sp metaAlias&RelayState=resource url

To Configure for ECP on the Identity Provider Side

1. Click the Federation tab and select the hosted SAMLv2 identity provider you wish to edit.

2. Click on the IDP tab.

3. Click the Advanced tab.

4. Edit the IDP Session Mapper attribute for you deployment.

   The session mapper SPI com.sun.identity.saml2.plugins.IDPECPSessionMapper finds a valid session from the HTTP servlet request on the identity provider side with the ECP profile. The default implementation will construct a session object from the OpenSSO Enterprise server cookie. To construct a session from other cookies or HTTP headers, you need to implement this SPI and set your implementation here.

5. Click Save.

To Configure for ECP on the Service Provider Side (Optional)

1. Click the Federation tab and select the hosted SAMLv2 identity provider you wish to edit.

2. Click on the SP tab.

3. Click the Advanced tab.

4. Click ECP Configuration.

5. Edit Request IDP List Finder Implementation the IDP Finder SPI.

   com.sun.identity.saml2.plugins.SAML2IDPFinder finds a list of preferred identity providers. You can write your own implementation of this interface and set it here. The default implementation will read Request IDP List attribute. Request IDP List Get Complete Specifies an URI reference that can be used to retrieve the complete IDP list if the IDPList element is not complete. Request IDP List Defines a list of IDPs for the ECP to contact. This is used by the default implementation of the IDP Finder.

6. Click Save.

Formatting Name Identifiers

Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a principal. As of this release, OpenSSO Enterprise supports the following name identifier formats.

• urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (enabled by default)

• urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (enabled by default)

• urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

• urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

• urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

• urn:oasis:names:tc:SAML:2.0:nameid-format:entity

• urn:oasis:names:tc:SAML:2.0:nameid-format:persistent (enabled by default)

• urn:oasis:names:tc:SAML:2.0:nameid-format:transient (enabled by default)

OpenSSO Enterprise defines these name identifiers in the identity provider's standard metadata. If no specific name identifier format is requested by the service provider, a default format must be used in the authentication response. To enable one or more of the supported formats you must add a name identifier format/user attribute map to the identity provider extended metadata to generate the name identifier based on the specified user profile attribute. The value is formatted as name ID format=user profile attribute as in the following XML sample

<Attribute name="nameIDFormatMap">
  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:
   emailAddress=mail</Value>
  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:
   X509SubjectName=</Value>
  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:
   WindowsDomainQualifiedName=</Value>
  <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:
   kerberos=</Value>
</Attribute>

If a user profile attribute is specified, the name ID value will be the value of the user profile attribute. If no user profile attribute is specified an exception will be thrown. If the name ID format is persistent or transient, a random string will be generated. For more information on persistent and transient identifiers, see Configuring SAMLv2 Single Sign-on without Service Provider User Accounts.

To disable one or more name ID formats, the format XML tags can be removed from the identity provider's standard metadata.

Configuring SAMLv2 Single Sign-on without Service Provider User Accounts

Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a user. Single sign-on interactions can support both persistent and transient identifiers. A persistent identifier is saved to a particular user entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's data store entry. OpenSSO Enterprise supports persistent identifiers by default and transient identifiers with configuration. NameID formats other than persistent and transient are supported by mapping the NameID format to a user profile attribute.

In some deployments, there might be no user account on the service provider side of an interaction. In this case, single sign-on with the transient name identifier is used. All users passed from the identity provider to the service provider will be mapped to this one user account. All attributes defined in the AttributeStatement will be set as properties of the specific user's single sign-on token. The following procedures describe some interactions using the transient name identifier.

• To Use the Transient Name Identifier

• To Federate Disparate Accounts with Auto Federation

• To Map Attributes to anonymous User Account

• To Achieve Single Sign-on Without Data Store Writes

To Use the Transient Name Identifier

1. Append the NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient query parameter to the URL that initiates a single sign-on JavaServer Page™ (JSP™).

   spSSOInit.jsp and idpSSOInit.jsp both initiate single sign-on interactions.

2. To test, invoke the URL.

   For more information, see Sun OpenSSO Enterprise 8.0 Developer’s Guide.

To Federate Disparate Accounts with Auto Federation

The auto-federation feature in OpenSSO Enterprise will automatically federate a user's disparate provider accounts based on a common attribute. This common attribute will be exchanged in a single sign-on assertion so that the consuming service provider can identify the user and create account federations. If auto-federation is enabled and it is deemed that a user at provider A and a user at provider B have the same value for the defined common attribute (for example, emailaddress), the two accounts will be federated automatically without principal interaction.

Auto-federating a principal's two distinct accounts at two different providers requires each provider to have agreed to implement support for this functionality beforehand.

Ensure that each local service and identity provider participating in auto federation is configured for it. Remote providers would not be configured in your deployment.

1. In the OpenSSO Enterprise Console, click the Federation tab.

2. Select the name of the hosted identity provider to edit its profile.

3. Click the Assertion Processing tab.

4. In the Attribute Map attribute, add the autofedAttribute=local-attribute value. For example, employeeNumber=employeeID.

5. Click Save.

6. Go back to the Federation tab and select the name of the hosted service provider to edit its profile.

7. If the Auto Federation Common Attribute Name is the same as local attribute name, skip to next step. If not, enter the autofedAttribute=local-attribute value in the New Value field under Attribute Map. For example:

   employeeNumber=employeeID

8. Click on the Auto Federation link at the top of the page, or scroll down to the Auto Federation subsection.

9. Enable Auto Federation by checking the box.

10. Click Save to complete the configuration.

To Map Attributes to anonymous User Account

In some deployments, the service provider side of an interaction might not store user accounts. The single sign-on solution is for all identity provider user accounts to be mapped to one service provider user account. Any attributes inside the Attribute Statement will be set as properties of the single sign-on token. The following procedure maps an identity provider user to a service provider anonymous user and passes two attributes to the service provider.

1. In the console, select the identity provider you wish to configure.

2. Edit Attribute Map attribute.

   attribute Map defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:

   mail=mail
   employeeNumber=employeeNumber

3. From the console, select the service provider you wish to configure.

4. Edit the following attributes for the service provider.

   • transient User will take a value of one of the existing transient user identifiers on the service provider side, for example, anonymous.

   • attribut eMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute_value=remote_provider_attribute. For example:

     >mail=mail
     employeeNumber=employeeNumber

5. To test, invoke the single sign-on URL with the NameIDFormat=transient query parameter appended to it.

   All identity provider users will be mapped to anonymous on the service provider side. mail and employeeNumber will be set as properties in the identity provider user's single sign-on token.

To Achieve Single Sign-on Without Data Store Writes

This interaction uses auto-federation with the transient name identifier. There is one-to-one mapping between user accounts configured with the identity provider and the service provider based on the value of one attribute. The following procedure describes how to configure single sign-on without writing to the user's data store entry.

1. Edit the following attributes in the OpenSSO Enterprise console for the identity provider.

   • Auto Federation – enable this attribute.

   • Auto Federation Attribute defines the common attribute on the identity provider side. For example, mail.

   • Attribute Map defines the mapping between the identity provider's attribute and the remote provider's attribute. It takes a value of autofedAttribute-value=remote-provider-attribute. For example:

     <Attribute name="attributeMap">
     <Value>mail=mail</Value>
     </Attribute>

2. Edit the following attributes in the OpenSSO Enterprise console for the service provider.

   • Transient User takes a null value.

   • Auto Federation enable this attribute.

   • Auto Federation Attribute defines the common attribute. For example, mail.

   • Attribute Map defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:

     mail=mail

3. Invoke the single sign-on URL with the NameIDFormat=transient query parameter appended to it to test.

   All identity provider users will be mapped to the corresponding user on the service provider side based on the mail attribute but the auto-federation attributes will not be written to the user entry.

Auto-creation of User Accounts

Auto-creation of user accounts can be enabled on the service provider side. An account would be created when there is none corresponding to the identity provider user account requesting access. This might be necessary, for example, when a new service provider has joined an existing circle of trust.

Auto-creation is supported only when the service provider is running on an instance of OpenSSO Enterprise as it extends that product's Dynamic Profile Creation functionality.

To Enable Auto-creation

Before You Begin

You must configure the attribute mapper on the identity provider side to include an AttributeStatement from the user. The account mapper on the service provider side will perform user mapping based on the AttributeStatement.

1. Enable auto Federation for the Identity Provider. For more information, see To Federate Disparate Accounts with Auto Federation.

2. Click Save.

3. Repeat the above steps to modify the service provider's extended metadata.

4. Enable Dynamic Profile Creation using the OpenSSO Enterprise console.

   1. Log in to the OpenSSO Enterprise console as the top-level administrator, by default, amadmin.

   2. Under the Access Control tab, select the appropriate realm.

   3. Select the Authentication tab.

   4. Select Advanced Properties.

   5. Set User Profile to Dynamic or Dynamic with User Alias and click Save.

   6. Log out of OpenSSO Enterprise.

5. To test, invoke single sign-on from the service provider.

Using Non-Default Federation Attributes

If OpenSSO Enterprise is retrieving data from an LDAPv3–compliant directory, the object class sunFMSAML2NameIdentifier (containing two allowed attributes, sunfm- saml2-nameid-info and sun-fm-saml2-nameid-infokey) needs to be loaded into the entries of all existing users. When the directory contains a large user database the process is time-intensive. The following procedure can be used to modify your SAML v2 Plug-in for Federation Services installation to use existing LDAP attributes to store user federation information. In this case, there is no need to change the schema.

To Store Federation Information in Existing Attributes

1. In the OpenSSO Enterprise console, go to Configuration>Global>SAMLv2 Service Configuration.

2. Modify the following attributes:

   • Attribute name for Name ID information

   • Attribute name for Name ID information key

   See SAMLv2 Service Configuration in Sun OpenSSO Enterprise 8.0 Administration Reference for more information.

3. Restart the web container.

   Federation information will now be written to the specified attributes.

Enabling XML Signing and Encryption

XML signing and encryption is most easily configured through the OpenSSO Enterprise console. To enable request/response signing and encryption, click on the name of the entity provider you wish to edit in the Federation tab. For both service and identity providers, the signing attributes are located under the Assertion Content sub tab.

For definitions for service provider attributes, see SAMLv2 Service Provider Customization in Sun OpenSSO Enterprise 8.0 Administration Reference.

For definitions of identity provider attributes, see SAMLv2 Identity Provider Customization in Sun OpenSSO Enterprise 8.0 Administration Reference.

Securing SOAP Binding

SOAP binding supports the following authentication methods to protect interactions between SAML v2 entities:

• Basic Authentication

• Secure Socket Layer/Transport Layer Security

Basic Authentication

Once basic authentication is set up to protect a SAML v2 SOAP endpoint, all entities communicating with this endpoint must configure three basic authentication-related attributes in the extended metadata as described in the following table. These attributes are located in the Assertion Content tab of the SAMLv2 entity provider profile.

Secure Socket Layer/Transport Layer Security

Secure Socket Layer/Transport Layer Security (SSL/TLS) can also be enabled to protect SOAP endpoints and secure communications between SAML v2 entities. When one SAML v2 entity initiates communication with a SAML v2 entity deployed in an SSL/TLS-enabled web container, the initiating entity is referred to as the SSL/TLS client and the replying entity is referred to as the SSL/TLS server.

Server Certificate Authentication

For SSL/TLS server authentication (the server needs to present a certificate to the client), the following properties need to be set in the Virtual Machine for the Java™ platform (JVM™) running the SSL/TLS client:

In addition, the client's CA certificate needs to be imported into the certificate store/database of the server's web container and marked as a trusted issuer of client certificates.

Client Certificate Authentication

For SSL/TLS client authentication (the client needs to present a certificate to the server), the following properties need to be set in the JVM software running the SSL/TLS client:

On the SSL/TLS server side, the client's CA certificate needs to be imported into the web container's keystore and marked as a trusted issuer of client certificates.

Load Balancing

In cases of large deployments, a load balancer can be put in front of multiple instances of OpenSSO Enterprise that have the SAML v2 Plug-in for Federation Services installed. The following procedure describes how to enable load balancer support.

To Enable Load Balancer Support

1. Install OpenSSO Enterprise and follow the documentation to set up a load balancer.

   Load balancing information for OpenSSO Enterprise can be found in Configuring the Directory Server Load Balancer in Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0.

2. Create an identity provider or a service provider through the OpenSSO Enterprise Console or with the ssoadm CLI.

   • Use the load balancer URL, not the server URL, to access the console. For information on creating an entity provider, see To Create a SAMLv2 Entity Provider.

   • To create the provider through the command line, see Managing Federation Using ssoadm.

3. On any service provider machines, copy the metadata configuration files into the same directory and rename as follows:

   • spMeta.xml to spMeta.xml.lb

   • spExtended.xml to spExtended.xml.lb

4. Edit the new service provider load balancer metadata configuration files as follows:

   • Change the host name of the service provider to that of the load balancer on the service provider side.

   • Change the protocol on the service provider side.

   • Change the port of the service provider to that of the load balancer on the service provider side.

   • Change the metaAlias of the service provider to any new metaAlias, for example, /splb.

5. On any identity provider machines, copy the metadata configuration files into the same directory and rename as follows:

   • idpMeta.xml to idpMeta.xml.lb

   • idpExtended.xml to idpExtended.xml.lb

6. Edit the new identity provider load balancer metadata configuration files as follows:

   • Change the host name of the identity provider to that of the load balancer on the identity provider side.

   • Change the protocol on the identity provider side.

   • Change the port of the identity provider to that of the load balancer on the identity provider side.

   • Change the metaAlias of the identity provider to any new metaAlias, for example, /idplb.

7. Import the new hosted metadata onto the service provider machines.

8. Import the new remote identity provider metadata onto the service provider machines.

9. Import the new hosted metadata onto the identity provider machines.

10. Import the new remote service provider metadata onto the identity provider machines.

11. Restart the web containers.

Access Control

The following procedure will allow user access on the service provider side based on the user's configured roles on the identity provider side. This information is passed to the service provider in an assertion. No matching user entry is necessary on the service provider side.

To Enable Access Control Using Agents

• You must configure the agent to enforce policy. For example, setting com.sun.am.policy.agents.config.do_sso_only=false.

• You must configure the attribute mapper on the identity provider side to include the required attributes in the AttributeStatment.

• You must configure the service provider to set the received attributes as key/value pairs in the user's single sign-on token. The agent will set those attributes in the HTTP header, passing them down to the application.

1. Create a SAMLv2 identity provider. For more information, see To Create a SAMLv2 Entity Provider.

2. Create a SAMLv2 service provider.

3. Install the Sun Policy Agents 3.0 to protect the service provider configured on the instance of OpenSSO Enterprise

   For more information, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents.

4. In the OpenSSO Enterprise console, go to Access Control>Realms>Agents and select the web policy agent profile you wish to configure.

5. Go to the OpenSSO Services sub tab and edit the OpenSSO Login URL attribute .

   Its value is a URL (appended with the NameIDFormat=transient query parameter) that points to a single sign-on JSP on the service provider side.

   SP-protocol://SP-host:SP-port/service-deploy-uri/ saml2/jsp/spSSOInit.jsp?NameIDFormat=transient&metaAlias=SP-metaAlias& idpEntityID=IDP_EntityID

   For example:

   http://example1.com:58080/ opensso/saml2/jsp/spSSOInit.jsp?NameIDFormat=transient&metaAlias=/sp& idpEntityID=sample.com

6. (Required only if using Web Agent 2.1) Set the value of the com.sun.am.policy.am.library.loginURL property to the service provider's login URL so the agent can authenticate itself.

   If the login URL is a URL that initiates a SAML v2 single sign-on interaction, the value of this property will be used to authenticate the agent itself to your instances of OpenSSO Enterprise. An example value might be http://host:port/opensso/UI/Login.

7. Modify spSSOInit.jsp on the service provider side to use goto parameter as the value for RelayState.

   The differences are as follows:

   *************** *** 143,148 **** --- 143,154 ---- } idpEntityID = request.getParameter("idpEntityID"); paramsMap = SAML2Utils.getParamsMap(request); + String gotoURL = (String) request.getParameter("goto"); + if (gotoURL != null) { + List list = new ArrayList(); + list.add(gotoURL); + paramsMap.put(SAML2Constants.RELAY_STATE, list); + } if ((idpEntityID == null) || (idpEntityID.length() == 0)) { // get reader url

8. Set up single sign-on without requiring writes to the data store by following the procedure described in To Achieve Single Sign-on Without Data Store Writes.

   To test, assume the employeenumber attribute stores the user's role. In addition, the identity provider should have the following configured users:

   • User 1 has employeenumber set to manager (the manager's role).

   • User 2 has employeenumber set to employee (the employee's role).

9. Create a policy with the Session Property condition on the service provider instance of OpenSSO Enterprise.

   1. Log in to the OpenSSO Enterprise console as the top-level administrator, by default, amadmin.

   2. Under the Access Control tab, select the appropriate realm.

   3. Select the Policies tab.

   4. Click New Policy.

   5. Enter a name for the policy.

   6. Click New under Rules.

   7. Select URL Policy Agent (with resource name) and click Next.

   8. Enter a name for the rule.

   9. Enter the application's URL as the value for Resource Name.

   10. Select Allow under both GET and POST and click Finish.

   11. Click New under Conditions.

   12. Select Session Property and click Next.

   13. Enter a name for the condition.

   14. Click Add under Values.

   15. Enter the single sign-on token property name as the value for Property Name.

       To test, use employeenumber.

   16. Add the match value to the Values field and click Add.

       To test, use manager.

   17. Click Add to return to the New Condition page.

   18. Click Finish to save the condition.

   19. Click Create to create the policy.

   For more information on creating policy, see Creating Policies and Referrals.

10. Access the application using a web browser.

    You will be redirected to the service provider single sign-on JSP defined in the previous step. From there, you will be redirected to the identity provider to login. Single sign-on with the service provider will be accomplished using SAML v2 and, finally, you will be redirected back to the application for policy enforcement. If you logged in as User 1, you will be allowed to access the application as a manager which is allowed by the policy. If you logged in as User 2, an employee, you will be denied access to the application.

Certificate Revocation List Checking

The certificate revocation list (CRL) is a list of revoked certificates that contains the reasons for the certificate's revocation, the date of it's issuance, and the entity that issued it. When a potential user attempts to access the OpenSSO Enterprise server, first access is allowed or denied based on the CRL entry for the root certificate included with the request. When the SAML v2 Service receives the incoming XML request, it parses the issuer Distinguished Name (DN) from the root certificate and retrieves the value defined by the com.sun.identity.crl.cache.directory.searchattr attribute in the Advanced properties of the Sites and Server tab. For more information, see Advanced in Sun OpenSSO Enterprise 8.0 Administration Reference. If the attribute value is CN and the issuer DN is, for example, CN="Entrust.net Client Certification Authority", OU=..., the SAML v2 Service uses Entrust.net Client Certification Authority to retrieve the CRL from the LDAP directory which acts as the CRL repository.

With this action, one of the following will occur:

1. If the LDAP directory returns a CRL that is not valid, the SAML v2 Service retrieves the value of the IssuingDistributionPointExtension attribute (usually an HTTP or LDAP URI) from the CRL and uses it to get new CRL from the certificate authority. If the certificate authority returns a valid CRL, it is saved to the LDAP directory and to memory and used for certificate validation.

2. If the LDAP directory returns no CRL but the certificate that is being validated has a defined CRL Distribution Point Extension, the SAML v2 Service retrieves it's value (usually an HTTP or LDAP URI) and uses the value to get a new CRL from the certificate authority. If the certificate authority returns a valid CRL, it is saved to the LDAP directory and to memory and used for certificate validation.

3. If the certificate authority returns a valid CRL, it is saved to the LDAP directory and to memory and used for certificate validation.

Currently, Certificate Revocation List Checking works only with an instance of Sun Directory Server.

After the CRL is loaded into memory and the root certificate validation is successful, the single sign-on process continues with validation of the signed XML message. The following are procedures to set up the SAML v2 Service for CRL checking.

CRL checking currently only works in the case of XML-based signature validation; for example, service provider side POST Artifact profile, or SOAP based logout. CRL checking does not work in the case of URL string based signature validation, XML signing, XML encryption or decryption.

To Set Up for Certificate Revocation List Checking

Before You Begin

A local instance of Directory Server must be designated as the CRL repository. It can be the same directory in which the OpenSSO Enterprise schema is stored or it can be standalone. The Java Development Kit (JDK) must be version 1.5 or higher.

1. Create one entry in Directory Server for each certificate authority.

   For example, if the certificate authority's subjectDN is CN="Entrust.net Client Certification Authority",OU="www.entrust.net/GCCA_CPS incorp. by ref. (limits lib.)",O=Entrust.net and the base DN for Directory Server is dc=sun,dc=com, create an entry with the DN cn="Entrust.net Client Certification Authority",ou=people,dc=sun,dc=com.

   ---

   Note –

   If the certificate authority's subjectDN does not contain uid or cn attributes, do the following:

   1. Create a new object class.

      For example, sun-am-managed-ca-container.

   2. Populate the new object class with the following attributes:

      • objectclass

      • ou

      • authorityRevocationList

      • caCertificate

      • certificateRevocationList

      • crossCertificatePair

   3. Add the following entry (modified per your deployment) to Directory Server.

      dn: ou=1CA-AC1,dc=sun,dc=com
      objectClass: top
      objectClass: organizationalunit
      objectClass: iplanet-am-managed-ca-container
      ou: 1CA-AC1

   You will publish the appropriate CRL to the entry created in the last step.

   ---

2. Publish the appropriate CRL to the corresponding LDAP entry.

   This part can be done automatically by OpenSSO Enterprise or manually. If the certificate being validated has a CRL Distribution Point Extension value, the publishing of the CRL is done automatically. If the certificate being validated has an IssuingDistributionPointExtension value, the initial publishing of the CRL must be done manually but future updates are done in runtime. If the certificate being validated has neither of these values, updates must be done manually at all time. See To Manually Populate a Directory Server with a Certificate Revocation List for information on manual population.

3. Configure OpenSSO Enterprise in the console to point to the instance of Directory Server designated as the CRL repository.

   1. In the OpenSSO Enterprise Console, click the Configuration tab.

   2. Click Servers and Sites tab.

   3. Click the Server Name.

   4. Click Security tab.

   5. Click Inheritance Settings.

   6. Uncheck the following properties:

      • LDAP Search Base DN

      • LDAP Server Bind Password

      • LDAP Server Bind Username

      • LDAP Server Host Name

      • LDAP server port number

      • Search Attributes

      • SSL Enabled

   7. Click Save and then Back to Server Profile.

   8. Click Certificate Revocation List Caching.

   9. Configure the following attributes. See Certificate Revocation List Caching in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the properties:

      • LDAP Server Host Name

      • LDAP Server Port Number

      • SSL Enabled

      • LDAP Server Bind User Name

      • LDAP Server Bind Password

      • LDAP Search Base DN

      • Search Attributes

   10. Click Save.

   11. Restart the web container.

4. Import all the certificate authority certificates into the cacerts keystore under the java.home/jre/lib/secure directory using the keytool utility.

   Certificates must be imported as trustedcacert. More information on keytool can be found at http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html.

To Manually Populate a Directory Server with a Certificate Revocation List

1. Use your browser to get the initial CRL from the certificate authority manually.

2. Save the initial CRL file in the binary DER format to your local machine.

3. Convert the DER file to the text-based PEM format and finally LDAP Data Interchange Format (LDIF) using the following command:

   ldif -b certificaterevocationlist;binary crl.ldif

   ---

   Note –

   The ldif command is available in your Directory Server installation.

   ---

   The crl.ldif file contains text similar to the following:

   certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
     YTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUE
     tJMRwwGgYDVQQDExNEb0QgQ2xhc3MgMyBSb290IENBFw0wNzA1MDExNDMzMDNaFw0wNzA1MDExNz
     UzMDNaMBQwEgIBTxcNMDcwNDI3MTY1NzMzWjANBgkqhkiG9w0BAQUFAANBADUd7lBe7JeQKQnKCK
     GddnsCXqii7EitbPuYT55M4Nn3qBgPFSG8bX9H5XBGTB4iofb3h0Y9DCqe10vc8dBM0

4. Do one of the following to define the LDAP entry in which the CRL will be stored.

   • For an existing entry, specify the DN in the LDIF file.

     # entry-id: famouseCA dn: CN=famouseCA,ou=People,dc=sun,dc=com 
     certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
       YTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUE
       tJMRwwGgYDVQQDExNEb0QgQ2xhc3MgMyBSb290IENBFw0wNzA1MDExNDMzMDNaFw0wNzA1MDExNz
       UzMDNaMBQwEgIBTxcNMDcwNDI3MTY1NzMzWjANBgkqhkiG9w0BAQUFAANBADUd7lBe7JeQKQnKCK
       GddnsCXqii7EitbPuYT55M4Nn3qBgPFSG8bX9H5XBGTB4iofb3h0Y9DCqe10vc8dBM0

   • For a new entry, specify the DN and object classes in the LDIF file.

     # entry-id: tester200
     dn: CN=famouseCA,ou=People,dc=sun,dc=com
     sn: famouseCA
     cn: famouseCA
     employeeNumber: 1001
     telephoneNumber: 555-555-5555
     postalAddress: 555 Test Drive
     iplanet-am-modifiable-by: cn=Top-level Admin Role,dc=iplanet,dc=com
     mail: famouseCA@test.com
     givenName: Test
     inetUserStatus: Active
     uid: tester200
     objectClass: iplanet-am-user-service
     objectClass: inetAdmin
     objectClass: iPlanetPreferences
     objectClass: inetOrgPerson
     objectClass: organizationalPerson
     objectClass: person
     objectClass: iplanet-am-managed-person
     objectClass: inetuser
     objectClass: top
     userPassword: {SSHA}E3TJ4DT7IoOLETVny1ktxUGWNTpBYq8tj3C1Sg==
     creatorsName: cn=puser,ou=dsame users,dc=iplanet,dc=com
     modifiersName: cn=puser,ou=dsame users,dc=iplanet,dc=com
     createTimestamp: 20031125043253Z
     modifyTimestamp: 20031125043253Z
     certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
       YTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUE
       tJMRwwGgYDVQQDExNEb0QgQ2xhc3MgMyBSb290IENBFw0wNzA1MDExNDMzMDNaFw0wNzA1MDExNz
       UzMDNaMBQwEgIBTxcNMDcwNDI3MTY1NzMzWjANBgkqhkiG9w0BAQUFAANBADUd7lBe7JeQKQnKCK
       GddnsCXqii7EitbPuYT55M4Nn3qBgPFSG8bX9H5XBGTB4iofb3h0Y9DCqe10vc8dBM0G8=

5. Run one of the following ldapmodify commands based on whether you are adding the LDIF file to an existing entry or creating a new entry.

   • To add a CRL to an existing LDAP entry (using an LDIF file with a specified DN), use the following command:

     ldapmodify -r -h Directory Server_host -p Directory Server_port 
     -f ldif-file -D cn=Directory Manager -w password
     

   • To add a CRL to a new LDAP entry (using an LDIF file with a specified DN and object classes), use the following command:

     ldapmodify -a -h Directory Server_host -p Directory Server_port 
     -f ldif-file -D cn=Directory Manager -w password
     

To Enable Certificate Revocation List Checking for SAMLv2

1. In the OpenSSO Enterprise Console, click the Configuration tab.

2. Click the Global sub tab.

3. Click SAMLv2 Service Configuration.

4. Check the box for XML Signing Certificate Validation.

5. Check the box for CA Certificate Validation. This step is optional.

6. Click Save.

7. Restart the web container.

SAMLv2 IDP Discovery Service

In deployments having more than one identity provider, service providers need to determine which identity provider a principal uses with the Web Browser SSO profile. To allow for this, the SAML v2 IDP Discovery Service relies on a cookie written in a domain that is common to all identity providers and service providers in a circle of trust. This predetermined domain is known as the common domain, and the cookie containing the list of identity providers to chose from is known as the common domain cookie.

The Reader and Writer URLs, used by the SAML v2 IDP Discovery Service, are defined when configuring the circle of trust. When a user requests access from a service provider, and an entity identifier for an identity provider is not received in the request, the service provider redirects the request to the common domain's SAML v2 IDP Discovery Service Reader URL to retrieve the identity provider's entity identifier. If more then one identity provider entity identifier is returned, the last entity identifier in the list is the one to which the request is redirected. Once received, the identity provider redirects to the Discovery Service Writer URL to set the common domain cookie using the value defined in the installation configuration properties file. The following section describes the procedure for setting up and testing the Identity Provider Discovery Service.

For steps to deploy the IDP Discovery Service, see Chapter 10, Deploying the Identity Provider (IDP) Discovery Service, in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

Bootstrapping the Liberty ID-WSF with SAML v2

SAML v2 can be used to bootstrap into the Liberty Alliance Project Identity Web Services Framework (Liberty ID-WSF) version 1.1. For example, a service provider communicating with the SAML v2 specifications might want to communicate with web services based on the Liberty ID-WSF regarding a principal. To do this, the SAML v2 Assertion returned to the service provider must contain a Discovery Service endpoint. The service provider than acts as a web services consumer, using the value included within the Endpoint tag to bootstrap the Discovery Service. This then allows access to other Liberty ID-WSF services.

A sample SAMLv2 assertion is reproduced below. Note the SAML v2 security token stored in the Discovery Service resource offering: urn:liberty:security:2003-08:null:SAML. Both are stored within the attribute statement.

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" 
ID="s21bdfd298f332ef2ada1d4fd00bab21c0f64cc90a" 
IssueInstant="2007-03-27T08:25:26Z">
<saml:Issuer>http://example.com</saml:Issuer>
<saml:Subject>
<saml:NameID NameQualifier="http://example.com" 
  SPNameQualifier="http://isdev-2.red.iplanet.com" Format=
  "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
  HuCJIy9v5MdrjJQOgsuT4NWmVUl3</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2007-03-27T08:35:26Z" 
  InResponseTo="s20711ed113989a9bff544f61c700d0bd0a08b78fd" 
  Recipient="http://isdev-2.red.iplanet.com:58080/
  opensso/Consumer/metaAlias/sp"  >
  </saml:SubjectConfirmationData>
  </saml:SubjectConfirmation>
  </saml:Subject>
<saml:Conditions NotBefore="2007-03-27T08:25:26Z" 
  NotOnOrAfter="2007-03-27T08:35:26Z">
<saml:AudienceRestriction>
<saml:Audience>http://isdev-2.red.iplanet.com</saml:Audience>
  </saml:AudienceRestriction>
  </saml:Conditions>
<saml:AuthnStatement AuthnInstant="2007-03-27T08:19:24Z" 
  SessionIndex="s234f01958bf364aff26829d9d9846ba51afc2b201">
  <saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:
  2.0:ac:classes:PasswordProtectedTransport
  </saml:AuthnContextClassRef>
  </saml:AuthnContext>
  </saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="offerings" NameFormat="urn:liberty:disco:2003-08">
<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<ResourceOffering xmlns="urn:liberty:disco:2003-08">
<ResourceID xmlns="urn:liberty:disco:2003-08">http://example.iplanet.com
  /aWQ9aWRwLG91PXVzZXIsZGM9aXBsYW5ldCxkYz1jb20sYW1zZGtkbj11aWQ9aWRwLG91PXBlb3BsZ
  SxkYz1pcGxhbmV0LGRjPWNvbQ%3D%3D</ResourceID>
<ServiceInstance xmlns="urn:liberty:disco:2003-08">
<ServiceType>urn:liberty:disco:2003-08</ServiceType>
<ProviderID>http://mach1.red.com</ProviderID>
<Description xmlns="urn:liberty:disco:2003-08" 
  id="sf6a6d3dcc16e729eea0d7e5587a5ff27f234f991">
<SecurityMechID>urn:liberty:security:2003-08:null:SAML
  </SecurityMechID>
<CredentialRef>s5dc88819de075e4e9c8db3deb8b46d4d8758b4b901
  </CredentialRef>
<Endpoint>http://mach1.red.com:58080/opensso/Liberty/disco
  </Endpoint></Description>
  </ServiceInstance></ResourceOffering></saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="credentials" NameFormat="urn:liberty:disco:2003-08">
<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Assertion  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
  MajorVersion="1" MinorVersion="1" 
  AssertionID="s5dc88819de075e4e9c8db3deb8b46d4d8758b4b901" Issuer=
  "http://mach1.red.com" IssueInstant="2007-03-27T08:25:26Z" >
<sec:ResourceAccessStatement xmlns:sec="urn:liberty:sec:2003-08">
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:NameIdentifier NameQualifier="http://isdev-2.red.com" 
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
  HuCJIy9v5MdrjJQOgsuT4NWmVUl3</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sendervouches
  </saml:ConfirmationMethod>
  </saml:SubjectConfirmation>
  </saml:Subject>
<ResourceID xmlns="urn:liberty:disco:2003-08">http://example.com/
aWQ9aWRwLG91PXVzZXIsZGM9aXBsYW5ldCxkYz1jb20sYW1zZG
tkbj11aWQ9aWRwLG91PXBlb3BsZSxkYz1pcGxhbmV
0LGRjPWNvbQ%3D%3D</ResourceID>
<sec:ProxySubject xmlns:sec="urn:liberty:sec:2003-08">
<saml:NameIdentifier xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
Format="urn:liberty:iff:nameid:entityID">http://isdev-2.red.com
  </saml:NameIdentifier>
<saml:SubjectConfirmation xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
  </saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>CN=sun-unix, OU=Sun 
  Access Manager, O=Sun, C=US</KeyName><KeyValue><RSAKeyValue><Modulus>AOA/2kpfKFWvRXOMbrmTlKe102ibw/
  aTd3HBVgI8cHsywww8M1J0X+vJvvk6eabTNWY5jBfTo9i1bC4AXXoRlxgsE/
  6Uq5+6NGrd+iwfvj25x8HzHX8LrJ+7EzlGVsKO
  M+A3vTP0tCkmYE4jatZbWlRoto0wyInP2wMFdKPrmYWL</Modulus>
<Exponent>AQAB</Exponent></RSAKeyValue>
  </KeyValue></KeyInfo></saml:SubjectConfirmation>
  </sec:ProxySubject><sec:SessionContext xmlns:sec="urn:liberty:sec:2003-08" AuthenticationInstant=
  "2007-03-27T08:25:26Z" AssertionIssueInstant="2007-03-27T08:25:26Z">
<sec:SessionSubject xmlns:sec="urn:liberty:sec:2003-08">
<saml:NameIdentifier xmlns:saml="urn:oasis:names:tc:SAML:1.0:
  assertion" NameQualifier="http://isdev-2.red.com" 
  Format="urn:oasis:names:tc:SAML:
  2.0:nameid-format:persistent">HuCJIy9v5MdrjJQOgsuT4NWmVUl3
  </saml:NameIdentifier>
<saml:SubjectConfirmation xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:2.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
<lib:IDPProvidedNameIdentifier  xmlns:lib="http://projectliberty.org/
  schemas/core/2002/12" 
  NameQualifier="http://example.com" Format="urn:oasis:names:tc:SAML:2.0:
  nameid-format:persistent"  >HuCJIy9v5MdrjJQOgsuT4NWmVUl3
  </lib:IDPProvidedNameIdentifier>
  </sec:SessionSubject>
<sec:ProviderID>http://mach1.red.com</sec:ProviderID>
  <lib:AuthnContext xmlns:lib="urn:liberty:iff:2003-08"><lib:AuthnContextClassRef>urn:oasis:
  names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</lib:AuthnContextClassRef>
  <lib:AuthnContextStatementRef>http://www.projectliberty.org/schemas/authctx/classes/
  Password</lib:AuthnContextStatementRef></lib:AuthnContext></sec:SessionContext>
  </sec:ResourceAccessStatement>
<saml:AuthenticationStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" 
  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" 
  AuthenticationInstant="2007-03-27T08:19:24Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:liberty:iff:nameid:entityID">
  http://isdev-2.red.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
  </saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>CN=sun-unix, OU=Sun 
  Access Manager, O=Sun, C=US</KeyName><KeyValue><RSAKeyValue><Modulus>AOA/2kpfKFWvRXOMbrmTlKe102ibw/
  aTd3HBVgI8cHsywww8M1J0X+vJvvk6eabTNWY5jBfTo9i1bC4AXXoRlxgsE/6Uq
  5+6NGrd+iwfvj25x8HzHX8LrJ+7EzlGVsKOM+
  A3vTP0tCkmYE4jatZbWlRoto0wyInP2wMFdKPrmYWL</Modulus>
<Exponent>AQAB</Exponent>
  </RSAKeyValue>
  </KeyValue></KeyInfo></saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#s5dc88819de075e4e9c8db3deb8b46d4d8758b4b901">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>td1CqmbWC5eMXCK6IFhzZxn3GJg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
YJ4g+jV5KIQRpkI9jlsZMbKx9lBhEB5ngB8NrH5nPh8+XFTK2gPZNzovOYOzxlznuxxbvC3A4rpg
UoSeE3N+oE4sl5KnY1GewFgjckAdeWafcLhGd9O68A+9nqMnRW/5fR9mnbk9eqZO8zx2bO8toiWi
pQCTU5XcDYkCNb8LgFs=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIICOTCCAeOgAwIBAgIBEjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJVUzEYMBYGA1UEChMP
cmVkLmlwbGFuZXQuY29tMRwwGgYDVQQDExNDZXJ0aWZpY2F0ZSBNYW5hZ2VyMB4XDTA1MDYwMjE3
NTkxOFoXDTA2MDYwMjE3NTkxOFowVzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA1N1bjEnMCUGA1UE
CxMeU1VOIEphdmEgU3lzdGVtIEFjY2VzcyBNYW5hZ2VyMREwDwYDVQQDEwhzdW4tdW5peDCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4D/aSl8oVa9Fc4xuuZOUp7XTaJvD9pN3ccFWAjxwezLD
DDwzUnRf68m++Tp5ptM1ZjmMF9Oj2LVsLgBdehGXGCwT/pSrn7o0at36LB++PbnHwfMdfwusn7sT
OUZWwo4z4De9M/S0KSZgTiNq1ltaVGi2jTDIic/bAwV0o+uZhYsCAwEAAaNoMGYwEQYJYIZIAYb4
QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSMEGDAWgBQqOASyzZ41LergF+cSQN1Gokpa
XjAgBgNVHREEGTAXgRVoZW5nLW1pbmcuaHN1QHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQDKxdPy
821aQRVZ0wLqa6LBYZCUcZD5AMvzl3EylwtniHmzPtOeZe4NmFj7qQziSb1H57NSkiwKaLZ7Mt6F
jaUU
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature></saml:Assertion>
</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>

Following are the procedures to enable bootstrapping of the Liberty ID-WSF Discovery Service using SAML v2.

To Enable an Identity Provider for SAML v2 Bootstrapping of Liberty ID-WSF

1. If metadata for the identity provider you are configuring has not yet been imported, or signing and encryption certificate aliases have not been configured in the for the existing identity provider metadata, create the identity provider in the OpenSSO Enterprise console or with the ssoadm command line utility. See Creating an Entity.

2. In the OpenSSO Enterprise Console, click the Federation tab.

3. Click the hosted Identity Provider you wish to edit.

4. Check Discovery Bootstrapping Enabled check box.

5. Click Save.

6. Go to the Configuration tab.

7. Click the Servers and Sites tab.

8. Click Default Server Settings.

9. Click the Advanced tab.

10. If the com.sun.identity.liberty.ws.util.providerManagerClass property does not exist in the Advanced attribute table, add it and define the following value for it:

    com.sun.identity.liberty.ws.util.providerManagerClass = com.sun.identity.saml2.plugins.SAML2ProviderManager

    ---

    Note –

    By default, this property has no value. In this case, Liberty ID-WSF 1.1 works with ID-FF providers. After you change this value, ID-WSF 1.1 works with SAMLv2 providers but not ID-FF providers. To switch back to ID-FF providers, delete the attribute from the Advanced attribute table.

    ---

11. Click Save.

12. Restart the web container.

To Enable a Service Provider for SAML v2 Bootstrapping of Liberty ID-WSF

1. In the OpenSSO Enterprise Console, click the Federation tab.

2. Click the hosted Service Provider you wish to configure.

3. Click the Assertion Processing tab.

4. In the Attribute Map attribute, add the following value:

   urn:liberty:disco:2003-08:DiscoveryResourceOffering=urn:liberty:disco:2003-08:DiscoveryResourceOffering

5. Click Save.

Retrieving SAMLv2 Bootstrapping of Liberty ID-WSF from the WSC

You can use the following API to retrieve the Discovery Service bootstrap resource offering and included security token from the web services client:

ResourceOffering SAML2SDKUtil.getDiscoveryBootStrapResourceOffering(
HttpServletRequest request)

List SAML2SDKUtil.getDiscoveryBootStrapCredentials(
HttpServletRequest request) 

For more information, see the Sun OpenSSO Enterprise 8.0 Java API Reference.

WS-Federation Operations

This section provides steps for configuring OpenSSO Enterprise's implementation of WS-Federation so that single sign-on can work among OpenSSO and ADFS (Microsoft Active Directory Federation Service)-based environments. For a detailed description of deployment considerations, use cases, and configuration overviews, see Chapter 9, Enabling Web Services Federation Between Active Directory Federation Service and OpenSSO Enterprise, in Sun OpenSSO Enterprise 8.0 Deployment Planning Guide. For a detailed overview of OpenSSO Enterprise's implementation, see Using WS-Federation in Sun OpenSSO Enterprise 8.0 Technical Overview.

The steps provided here are based on the assumption that you are proficient in setting up ADFS-based environment as described in

Enabling WS-Federation between an ADFS environment and an OpenSSO Enterprise environment involves exchanging metadata to enable a trust relationship. The steps in this section use host names consistent with those outlined in the Microsoft Active Directory Federation Services (ADFS) Step-by-Step Guide. You can, however, use any host names you wish.

Prior to this, the following requirements must be met:

• All communications between WS-Federation components must be made over SSL.

  ADFS does not perform an HTTP POST of a WS-Federation RequestSecurityTokenResponse (RSTR) to a non-HTTPS URL.

• The ADFS environment can rely on DNS.

• All servers must be time-synchronized. This is essential to proper token validation.

• Token signing certificates must be created and imported for both ADFS and OpenSSO Enterprise endpoints. This process is automated in ADFS, but requires the use of the keytool command for OpenSSO Enterprise.

• You have set up ADFS based on the instructions contained in theMicrosoft Active Directory Federation Services (ADFS) Step-by-Step Guide.

  Make sure that Single Sign-On is configured for the ADFS from adfsaccount to adfsweb through the adfsresource.

• You have created a new user in the adatum.com Active Directory domain. The login name must be the same as the UID you created in OpenSSO. To do so, go to Start>Administrative Tools>Active Directory Users and Computers. Right click Users and click on New>User.

Proceed to the following sections to see the configuration steps.

• To Configure OpenSSO Enterprise as a Service Provider

• To Configure OpenSSO Enterprise as an Identity Provider

To Configure OpenSSO Enterprise as a Service Provider

1. In the ADFS environment, Add a new Resource Partner to adfsaccount.adatum.com and configure the following attributes:

   Display Name

   Enter a name, for example OpenSSO SP.

   Federation Service URI

   This must be the same as the TokenIssuerName in the service provider metadata file that you will create. For example:

   urn:federation:mywsfedsp

   Federation Service endpoint URL

   The last path component of this URL must the match metaAlias in the service provider extended meta data file that you will create. For example:

   https://amhost(:amsecureport)/fam/WSFederationServlet/metaAlias

   /mywsfedsp

2. Convert the Active Directory machine's token signing certificate file (for example, adfsaccount_ts.cer) to PEM format. You use OpenSSL for this conversion. For example:

   openssl x509 in adfsaccount_ts.cer inform DER -out adfsaccount_ts.pem outform PEM

3. Create the metadata and extended metadata for an identity provider using the ssoadm command line utility. For example purposes, the files are named adatum.xml and adatumx.xml..

   For example:

   create-meadata-templ –u amadmin –f password_file –m adatum.xml –x adtumx.xml –i /metaalias –y entity_id –c wsfed

4. Create the metadata and extended metadata for a service provider using the ssoadm command line utility. For example purposes, the files are named wsfedsp.xml and wsfedspx.xml.

   ---

   Note –

   You can also use the OpenSSO Enterprise console to create a hosted service provider or identity provider. For more information, see WS-Federation Entity Provider.

   ---

   For example:

   create-metadata-templ –u amadmin –f password_file –m wsfedsp.xml –x wsfedspx.xml –s /metaalias –y entity_id –c wsfed

5. In adatum.xml, paste the PEM-encoded certificate from adfsaccount_ts.pem into the <ns2:X509Certificate> element.

6. In the hosted service provider (wsfedsp.xml), change the hostname and port in the <ns3:Address> element to match your configuration. For example:

   <?xml version="1.0" encoding="UTF8" standalone="yes"?> <Federation FederationID="mywsfedsp" xmlns="http://schemas.xmlsoap.org/ws/2006/12/federation"> <TokenIssuerName>urn:federation:mywsfedsp</TokenIssuerName> <TokenIssuerEndpoint> <ns3:Address xmlns:ns3="http://www.w3.org/2005/08/addressing">https://patlinux.red.ip lanet.com:8443/fam/WSFederationServlet/metaAlias/mywsfedsp</ns3:Address> </TokenIssuerEndpoint> </Federation>

7. In the hosted service provider (adatumx.xml), change the hostname and port in the <HomeRealmDiscoveryService> attribute to match your configuration. For example:

   <FederationConfig xmlns="urn:sun:fm:wsfederation:1.0:federationconfig" xmlns:fm="urn:sun:fm:wsfederation:1.0:federationconfig" hosted="1" FederationID="mywsfedsp"> <SPSSOConfig metaAlias="/mywsfedsp"> <Attribute name="displayName"> <Value>My Open Federation Service Provider</Value> </Attribute> <Attribute name="AccountRealmSelection"> <Value>cookie</Value> </Attribute> <Attribute name="AccountRealmCookieName"> <Value>amWSFederationAccountRealm</Value> </Attribute> <Attribute name="HomeRealmDiscoveryService"> <Value>http://patlinux.red.com:8180/fam/RealmSelectio n/metaAlias/mywsfedsp</Value> </Attribute> <Attribute name="spAccountMapper"> <Value>com.sun.identity.wsfederation.plugins.DefaultADFSPartn erAccountMapper</Value> </Attribute> <Attribute name="spAttributeMapper"> <Value>com.sun.identity.wsfederation.plugins.DefaultSPAttribu teMapper</Value> </Attribute> </SPSSOConfig> </FederationConfig>

8. Load the identity provider and service provider metadata to OpenSSO Enterprise. From the console:

   1. Log in to the console and click the Federation tab and then the Import Entity button.

   2. Choose the realm to which the requesting service provider belongs.

   3. In the Where Does the Meta Data File Reside field, choose File and click Upload.

   4. Choose adatum.xml.

   5. Click Ok.

   6. In the Where Does the Extended Meta Data File Reside field, choose File and click Upload.

   7. Choose adtumx.xml.

   8. Click Ok.

   9. Repeat the steps for loading the service provider meta data (wsfedsp.xml and wsfedspx.xml).

9. Create a circle of trust and add the identity provider and service provider. For instructions, see Circle of Trust.

10. On the OpenSSO Enterprise instance, go to https://opensssohost(:openssosecureport)/opensso WSFederationServlet/metaAlias/mywsfedsp?goto=https://openssohost(:openssosecureport)/opensso

    You should be forwarded to the realm selection page. Click 'Proceed. You may see a few redirections in the browser's address bar before reaching the user's profile page in OpenSSO Enterprise.

    If you do this from outside the Window domain, you will get an HTTPBasic authentication username/password dialog. Enter the user's Active Directory credentials to gain access.

    The realm selection process sets a persistent cookie. If you enter the same URL a second time, you should not be prompted for a realm and should be redirected to the OpenSSO Enterprise user page.

11. Configure your installed policy agent profile with the WS-Federation servlet as its login URL.

    For the J2EE policy agent profile:

    • Log in to the console and go to Access Control>realm>Agents

    • Click the name of the J2EE policy agent you wish to edit.

    • In the OpenSSO Login URL attribute, enter the WS-Federation servlet, for example:

      https://openssohost(:openssosecureport)/opensso/WSFederationServlet/metaAlias/mywsfedsp

    For the web policy agent profile:

    • Log in to the console and go to Access Control>realm>Agents

    • Click the name of the web policy agent you wish to edit.

    • In the OpenSSO Login URL attribute, enter the WS-Federation servlet, for example:

      https://openssohost(:openssosecureport)/opensso/WSFederationServlet/metaAlias/mywsfedsp

    When accessing the resource protected by the policy agent, you should be authenticated through WS-Federation.

To Configure OpenSSO Enterprise as an Identity Provider

1. Create a token signing certificate in a Java Keystore on the OpenSSO Enterprise machine. For example:

   keytool keystore keystore.jks genkey dname "CN=amhost" alias mywsfedidp

   Specify the same password for the keystore and key. Put the keystore in any location, since you will need to specify the full path

2. Encrypt the keystore/key password. The easiest method is to use the OpenSSO Enterprise encode.jsp:

   1. Go to https://host:port/opensso/encode.jsp.

   2. Enter the password.

   3. Create two files, .storepass and .keypass, whose only content is the encrypted password.

3. Set the path to keystore.jks and the two files containing encrypted the passwords. To do so:

   1. Log into the OpenSSO Enterprise console.

   2. Go to Configuration>Sites and Servers.

   3. Click the Default Server Settings button and click the Security tab.

   4. Configure the following attributes:

      Keystore File

      Set to /path/keystore.jks

      Keystore Password File

      Set to /path/.storepass

      Private Key Password File

      Set to /path/.keypass

   5. You must restart the web container for the changes to take effect.

4. Export the token signing certificate in DER format. For example:

   keytool keystore keystore.jks export alias mywsfedidp file cert.der

5. Copy cert.der to the adfsresource machine.

6. Create the metadata and extended metadata for a remote service provider using the ssoadm command line utility.

   For example:

   create-meadata-templ –u amadmin –f password_file –m treyresearrch.xml.xml –x treyresearch.xmlx.xml –s /metaalias –y entity_id –c wsfed

   For this example, the files are named treyresearch.xml and treyresearchx.xml.

7. Create the metadata and extended metadata for a hosted identity provider using the ssoadm command line utility.

   ---

   Note –

   You can also use the OpenSSO Enterprise console to create a hosted service provider or identity provider. For more information, see WS-Federation Entity Provider.

   ---

   For example:

   create-meadata-templ –u amadmin –f password_file –m wsfedidp.xml –x wsfedidpx.xml –i /metaalias –y entity_id –c wsfed

   For this example, the files are named wsfedidp.xml and wsfedidpx.xml.

8. In the remote service provider (treyresearch.xml), change the hostname and port in the <ns3:Address> element to match your configuration.

9. In the remote service provider (wsfedidpx.xml), change the hostname and port in the <HomeRealmDiscoveryService> attribute to match your configuration. For example:

   <FederationConfig xmlns="urn:sun:fm:wsfederation:1.0:federationconfig" xmlns:fm="urn:sun:fm:wsfederation:1.0:federationconfig" hosted="1" FederationID="mywsfedidp"> <IDPSSOConfig metaAlias="/mywsfedidp"> <Attribute name="displayName"> <Value>My Open Federation Identity Provider</Value> </Attribute> <Attribute name="upnDomain"> <Value>red.com</Value> </Attribute> <Attribute name="signingCertAlias"> <Value>mywsfedidp</Value> </Attribute> <Attribute name="assertionEffectiveTime"> <Value>600</Value> </Attribute> <Attribute name="idpAccountMapper"> <Value>com.sun.identity.wsfederation.plugins.DefaultIDPAccoun tMapper</Value> </Attribute> <Attribute name="idpAttributeMapper"> <Value>com.sun.identity.wsfederation.plugins.DefaultIDPAttrib uteMapper</Value> </Attribute> </IDPSSOConfig> </FederationConfig>

10. Load the identity provider and service provider metadata to OpenSSO Enterprise. From the console:

    1. Log in to the console and click the Federation tab and then the Import Entity button.

    2. Choose the realm to which the requesting service provider belongs.

    3. In the Where Does the Meta Data File Reside field, choose File and click Upload.

    4. Choose wsfedidp.xml.

    5. Click OK.

    6. In the Where Does the Extended Meta Data File Reside field, choose File and click Upload.

    7. Choose wsfedidpx.xml.

    8. Click Ok.

    9. Repeat the steps for loading the service provider meta data (treyresearch.xml and treyresearchx.xml).

11. Create a circle of trust and add the identity provider and service provider. For instructions, see Circle of Trust.

12. In the ADFS environment, add a new Account Partner to adfsresource.treyresearch.net and configure the following attributes:

    Display Name

    Enter a name, for example OpenSSO IDP.

    Federation Service URI

    This must be the same as the TokenIssuerName in the identity provider metadata. For example:

    urn:federation:mywsfedidp

    Federation Service endpoint URL

    The last path component of this URL must the match metaAlias in the identity provider extended metadata. For example:

    https://amhost(:amsecureport)/fam/WSFederationServlet

    /metaAlias/mywsfedidp

    Account Partner Verification Certificate

    Import the OpenSSO token signing certificate that you copied to the adfsresource machine.

13. Delete all cookies in your browser and go to the sample claims-aware application at https://adfsweb.treyresearch.net:8081/claimapp/.

    You should see the OpenSSO Enterprise identity provider listed in the drop down list. Select the OpenSSO identity provider. You will be redirected to the standard OpenSSO Enterprise login screen. After logging in, you will be redirected back to the sample application

14. Click the Sign Out link to do a single logout.

    Check that you are logged out by trying the https://adfsweb.treyresearch.net:8081/claimapp/ URL again. You should be redirected to the OpenSSO login page, demonstrating that neither ADFS or OpenSSO have an active session for the browser.

    The realm choice is stored in a persistent cookie. If you close and restart the browser, return to https://adfsweb.treyresearch.net:8081/claimapp/. You should directly proceed to the OpenSSO Enterprise login page.