Sun OpenSSO Enterprise 8.0 Administration Guide

Chapter 7 Configuring and Managing Federation

OpenSSO Enterprise has a federation framework that can be used to configure and manage federation configurations based on the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF), the Liberty Alliance Project Web Services Framework (Liberty ID-WSF), the WS-Federation specifications and the Security Assertion Markup Language (SAML) versions 1.x and 2. Federation configurations can be implemented using the OpenSSO Enterprise console or the ssoadm command line utility. For a detailed overview of the Federation framework architecture, see Chapter 10, Federation Management with OpenSSO Enterprise, in Sun OpenSSO Enterprise 8.0 Technical Overview. This chapter contains:

  • Configuring Federation

  • Managing Federation Using the Console

  • Managing Federation Using ssoadm

Configuring Federation

To configure for federation, create a circle of trust and populate it with entity types using the following high-level procedure.

  1. Decide whether the instance of OpenSSO Enterprise you are configuring will act as an identity provider, a service provider, or both, and create standard and extended metadata XML files containing the specific protocols, profiles, endpoints, and security mechanisms being used by the instance.

    • Standard metadata properties are defined in the Liberty ID-FF and SAMLv2 specifications.

    • Extended metadata properties are proprietary and used by features specific to OpenSSO Enterprise.

  2. Create an entity to hold the metadata for every identity and service provider that will become a member of the circle of trust (including the instance of OpenSSO Enterprise for which you previously created metadata).

    The metadata for other entities may come from the providers themselves. See Creating an Entity.

  3. Configure a circle of trust to denote the group of entities that have joined together to exchange authentication information for purposes of federation.

    See Circle of Trust.

  4. Add the appropriate entities to the circle of trust by configuring both the entity's metadata (to add the authentication domain of the circle of trust) and the circle of trust's properties (to add the entity).

Information on an entity provider's properties is located in Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference. Information on a circle of trust's properties can be found in To Modify a Circle of Trust Profile.


Tip –

In a federation setup, all service providers and identity providers must share a synchronized clock. You can achieve this by pointing each provider to an external clock source or, where responses may be delayed, by adjusting the timeouts so that late responses are still accepted without fail.


Managing Federation Using the Console

The Federation component of the OpenSSO Enterprise console provides an interface for creating, modifying, and deleting circles of trust, and the corresponding member entity providers (both identity and service).

Creating an Entity

An entity holds the metadata for individual identity and service providers. (Metadata contains the specific protocols, profiles, endpoints, and security mechanisms being used by the entity.) OpenSSO Enterprise allows you to create an entity for communication using the SAML v2, the Liberty ID-FF, or the WS-Federation specification. Within each entity type, you can assign roles by configuring the attributes that perform the specific function. The following sections describe the entity types and the roles you can assign.

SAMLv2 Entity

The SAMLv2 entity type is based on the SAML v2 specification. This entity supports various profiles (including single sign-on and single logout) and allows you to assign and configure the following roles:

To Create a SAMLv2 Entity Provider

Use these steps to create a hosted entity provider based on the SAMLv2 protocol. You can assign one, more than one, or all of the provider roles to the entity, but all of the roles that you define will belong to the same entity provider.

  1. Log in as an administrator.

  2. Go to the Federation tab in the console and click New in the Entity Provider table.

  3. When prompted, select SAMLv2 as the entity provider.

  4. Select the Realm to which the entity provider will belong.

  5. Type a name in the Entity Identifier field.

  6. Enter values for the following attributes under the role category to which the entity provider will be assigned.

    Entering data in the Meta Alias field will automatically create and assign the entity provider role to the entity provider upon completion.

    Meta Alias

    Specifies a metaAlias for the provider role being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


    Caution –

    The names used in the metaAlias must not contain a /.


    Signing Certificate Alias

    Specifies the provider certificate alias used to find the correct signing certificate in the keystore.

    Encryption Certificate Alias

    Specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

    Owner ID (Hosted Affiliation only)

    An identifier for the owner of the affiliation.

    Affiliation Members (Hosted Affiliation only)

    A provider must be a member of a circle of trust, or it cannot participate in SAMLv2-based communications. The provider can belong to one or more affiliations. The selected provider must have the Affiliation Federation attribute enabled. Enter the meta alias of the provider in the New Value field and click Add.

  7. Click Create.

    The entity provider, its assigned provider roles, and location will be displayed in the Entity Providers table. To customize the behavior of the entity provider's roles, click the name of the entity provider in the list and choose the tab that corresponds to the role you wish to customize. See Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the attributes used for provider customization.

SAMLv2 Hosted Affiliation Customization

A Hosted Affiliation contains a grouping of service providers. The affiliation is formed and maintained by an affiliation owner who chooses the member providers from already configured provider entities. The affiliation enables a user to federate amongst the group of associated sites. The chosen providers may invoke services either as a member of the affiliation, or individually as a provider. If services are invoked as an affiliation member, a service provider might issue an authentication request for a user on behalf of an affiliation. When authentication is secured, the user can achieve single sign-on with all members of the affiliation.

A hosted affiliation provider holds the metadata that defines the grouping of one or more provider entities that comprise the affiliation. It does not contain the configuration information for any providers (which is defined in a provider entity), only the configuration information for the affiliation itself. If there are several service providers and identity providers in the same circle of trust, use an affiliate entity to avoid having to generate different name identifiers for commonly shared services. Hosted Affiliation contains the following attributes for customization:

Meta Alias

Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name (dependent on whether the SAML v2 Plug-in for Federation Services is installed in OpenSSO Enterprise) coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


Caution –

The names used in the metaAlias must not contain a /.


Members

A provider must be a member of a circle of trust, or it cannot participate in Liberty-based communications. The provider can belong to one or more affiliations. Enter the entity ID of the provider in the New Value field and click Add.

Cert Alias

This attribute defines the certificate alias elements for the provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

ID-FF Entity Provider

The ID-FF provider entity is based on the Liberty Alliance Project Identity Federation Framework for implementing single sign-on with federated identities. The ID-FF provider entity allows you to assign and configure the following roles:

To Create an ID-FF Entity Provider

Use these steps to create an entity provider based on the ID-FF protocol for Federation Services. You can assign the identity provider or service provider (or both) role to the entity, but multiple roles will belong to the same entity provider.

  1. Log in as an administrator.

  2. Go to the Federation tab in the console and click New in the Entity Provider table.

  3. When prompted, select ID-FF as the entity provider.

  4. Select the Realm to which the entity provider will belong.

  5. Type a name in the Entity Identifier field.

  6. Choose the entity provider role you wish to assign to the entity provider.

    Entering data in the Meta Alias field will automatically create and assign the entity provider role to the entity provider upon completion.

  7. Enter values for the following attributes for one or more roles:

    Meta Alias

    Specifies a metaAlias for the provider role being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


    Caution –

    The names used in the metaAlias must not contain a /.


    Signing Certificate Alias

    Specifies the provider certificate alias used to find the correct signing certificate in the keystore.

    Encryption Certificate Alias

    Specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

  8. Click Create.

    The entity provider, its assigned provider roles, and location will be displayed in the Entity Providers list.

  9. To customize the behavior of the entity provider's roles, click the name of the entity provider and choose the tab that corresponds to the role you wish to customize. See Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the attributes used for provider customization.

WS-Federation Entity Provider

The WS-Federation entity provider type is based on the WS-Federation protocol. The implementation of this protocol allows single sign-on between OpenSSO Enterprise and Microsoft Active Directory Federation Services. The WS-Federation provider entity allows you to assign and configure the following roles:

To Create a WS-Federation Entity Provider

Use these steps to create an entity provider based on the WS-Federation protocol for Federation Services. You can assign the identity provider or service provider (or both) role to the entity, but multiple roles will belong to the same entity provider.

  1. Log in as an administrator.

  2. Go to the Federation tab in the console and click New in the Entity Provider table.

  3. When prompted, select WS-FED as the entity provider.

  4. Select the Realm to which the entity provider will belong.

  5. Type a name in the Entity Identifier field.

  6. Choose the entity provider role you wish to assign to the entity provider.

    Entering data in the Meta Alias field will automatically create and assign the entity provider role to the entity provider upon completion.

  7. Enter values for the following attributes for one or more roles:

    Meta Alias

    Specifies a metaAlias for the provider role being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


    Caution –

    The names used in the metaAlias must not contain a /.


    Signing Certificate Alias

    Specifies the provider certificate alias used to find the correct signing certificate in the keystore.

    Encryption Certificate Alias

    Specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

  8. Click Create.

    The entity provider, its assigned provider roles, and location will be displayed in the Entity Providers list.

  9. To customize the behavior of the entity provider's roles, click the name of the entity provider and choose the tab that corresponds to the role you wish to customize. See Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the attributes used for provider customization.

Circle of Trust

A circle of trust, previously referred to as an authentication domain, is a federation of any number of service providers (and at least one identity provider) with whom principals can transact business in a secure and apparently seamless environment. To create and populate a circle of trust, you first create an entity to hold the metadata (configuration information that defines a particular identity service architecture) for each provider that will become a member of the circle of trust. Then, you configure and save the circle of trust. Finally, to add an entity (a configured provider) to the circle of trust, you edit the entity's properties.

The following tasks are associated with circles of trust:

  • To Create a New Circle of Trust

  • To Modify a Circle of Trust Profile

  • To Add Providers to a Circle of Trust

  • To Delete a Circle of Trust Profile

To Create a New Circle of Trust

Follow this procedure to create a new circle of trust. The starting point is New Circle of Trust under the Federation interface.

  1. Click New to display the circle of trust attributes.

    The New circle of trust profile page is displayed.

  2. Type a name for the circle of trust.

  3. Type a description of the circle of trust in the Description field.

  4. Type a value for the IDFF Writer Service URL.

    The IDFF Writer Service URL specifies the location of the servlet that writes the common domain cookie. Use the format http://common-domain-host:port/deployment_uri/idffwriter.

  5. Type a value for the IDFF Reader Service URL.

    The IDFF Reader Service URL specifies the location of the servlet that reads the common domain cookie. Use the format http://common-domain-host:port/deployment_uri/idffreader.

  6. Type a value for the SAML2 Writer Service URL.

    This specifies the location of the SAML2 Writer service that writes the cookie to the common domain. Use the format http://common-domain-host:port/deployment_uri/saml2writer.

  7. Type a value for the SAML2 Reader Service URL.

    This specifies the location of the SAML2 Reader service that reads the cookie from the common domain. Use the format http://common-domain-host:port/deployment_uri/saml2reader.

  8. Choose Active or Inactive.

    The default status is Active. Choosing Inactive disables communication within the circle of trust.

  9. Select the Realm in which the circle of trust will be created.

  10. Choose one or more of the available providers and click the Add arrow to select them.

    The list provided contains the names of entities that have been created and populated with providers. For more information, see To Add Providers to a Circle of Trust.

  11. Click OK to complete the configuration.

    The new circle of trust is displayed in the Circle of Trust list.

To Modify a Circle of Trust Profile

Follow this procedure to edit the configured General attributes of an existing circle of trust, or to add providers to it. The starting point is Circle of Trust under the Federation interface.

  1. Click the name of a configured circle of trust to modify its profile, or to add providers to it.

    The Edit Circle of Trust page is displayed.

  2. Type new values or edit existing values for the circle of trust's General attributes:

    Name

    The static value of this attribute is the name provided when you created the circle of trust.

    Description

    The value of this attribute is a description of the circle of trust. You may modify the description already entered, if applicable.

    IDFF Writer Service URL

    This attribute specifies the location of the service that writes the common domain cookie. The URL is in the format http://common-domain-host:port/deployment_uri/idffwriter.

    IDFF Reader Service URL

    This attribute specifies the location of the service that reads the common domain cookie. The URL is in the format http://common-domain-host:port/deployment_uri/idffreader.

    SAML2 Writer URL

    This attribute specifies the location of the SAML2 Writer service that writes the cookie to the Common Domain. The URL is in the format http://common-domain-host:port/deployment_uri/saml2writer.

    SAML2 Reader URL

    This attribute specifies the location of the SAML2 Reader service that reads the cookie from the Common Domain. The URL is in the format http://common-domain-host:port/deployment_uri/saml2reader.

    Status

    The default status is Active. Selecting Inactive disables communication within the circle of trust.

  3. Choose one or more of the available providers and click the Add arrow to select them.

    The list provided contains the names of entities that have been created and populated with providers. For more information, see To Add Providers to a Circle of Trust.

  4. Click Save to complete the operation.

To Add Providers to a Circle of Trust

Identity providers and service providers must first be configured within an entity before they are available to add to a circle of trust. Once created and populated with providers, the entity (and thus the providers it contains) can be assigned to a circle of trust.


Note –

An entity will not be visible in the Available Providers list until it has been populated with providers.


  1. Select one or more providers from the Available Providers list and click Add.

  2. Finish your configurations and click Save to complete the operation.

To Delete a Circle of Trust Profile

A circle of trust must be empty of providers before you delete it. Follow this procedure to delete an existing circle of trust.

  1. Check the box next to the name of the circle of trust you want to delete.

  2. Click Delete.

    Deleting a circle of trust does not delete the providers that belong to it.

Managing Federation Using ssoadm

The previous sections detailed how to create and configure entities and circles of trust using the OpenSSO Enterprise console. But entities can also be created and configured using the ssoadm command-line interface. Rather than filling in provider attribute values manually, you would create an XML file containing the provider attributes and corresponding values and import it using ssoadm.


Caution –

The format of the XML file used as input is based on the sms.dtd. Alterations to the DTD files may hinder the operation of OpenSSO Enterprise.


This section contains the following information:

  • Managing Entity Metadata Using ssoadm

  • Managing Circles of Trust Using ssoadm

Managing Entity Metadata Using ssoadm

ssoadm is used to manage the provider metadata. The following table describes the ssoadm subcommands specific to metadata management.

Table 7–1 ssoadm Subcommands for Managing Metadata

import-entity

Loads standard and extended metadata in XML format into a local configuration data store. Use the --spec option to specify saml2, idff, or wsfed.

export-entity

Exports standard and extended metadata in XML format from a local configuration data store. Use the --spec option to specify saml2, idff, or wsfed.

create-metadata-templ

Generates a metadata configuration file for any provider type with defined values for default metadata properties. The generated file can be modified for use with import-entity. Use the --spec option to specify saml2, idff, or wsfed.

delete-entity

Removes standard or extended metadata from a local configuration data store. Use the --spec option to specify saml2, idff, or wsfed.

list-entities

Generates a list of all the entity identifiers on the system. Use the --spec option to specify saml2, idff, or wsfed.

update-entity-key-info

Updates XML signing and encryption key information for a hosted IDP or SP.

There are two types of entity provider metadata (formatted in XML files) that can be used as input to ssoadm: standard metadata, whose properties are defined by the federation specifications, and extended metadata, which carries the proprietary OpenSSO Enterprise attributes.

Information regarding the attributes and possible values of the metadata can be found in Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference. The following sections contain information on loading the metadata.

Loading Standard Metadata Using ssoadm

To load metadata compliant with the Liberty ID-FF, SAMLv2, or WS-Federation protocols, use the following command (options in square brackets are optional):


ssoadm import-entity --adminid admin-ID --password-file password_filename \
    [--realm realm-name] [--meta-data-file metadata_filename] \
    [--cot circle_of_trust] [--spec idff_or_saml2_or_wsfed]

This command is usually used to load provider metadata sent from a trusted partner in an XML file. Here is an example of a service provider metadata XML file compliant with the Liberty ID-FF.


Example 7–1 Service Provider Standard Metadata XML File


<!--
  Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
  Use is subject to license terms.
-->

<EntityDescriptor meta:providerID="http://sp10.com" meta:cacheDuration="360" 
xmlns:meta="urn:liberty:metadata:2003-08" xmlns="urn:liberty:metadata:2003-08">
  <SPDescriptor cacheDuration="180" xmlns:meta="urn:liberty:metadata:2003-08" 
   aaa="aaa" protocolSupportEnumeration="urn:liberty:iff:2003-08">
   <KeyDescriptor use="signing">
    <EncryptionMethod>http://something/encrypt</EncryptionMethod>
     <KeySize>4567</KeySize>
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      MIIC1DCCApICBD8poYwwCwYHKoZIzjgEAwUAMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x
      IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDAeFw0w
      MzA3MzEyMzA5MDBaFw0wNDAxMjcyMzA5MDBaMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x
      IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDCCAbcw
      ggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
      +1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUP
      BPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1
      AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hM
      KBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4Vrl
      nwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKBgCNS1il+RQAQGcQ87GBFde8kf8R6ZVuaDDajFYE4/LNT
      Kr1dhEcPCtvL+iUFi44LzJf8Wxh+eA5K1mjIdxOo/UdwTpNQSqiRrm4Pq0wFG+hPnUTYLTtENkVX
      IIvfeoVDkXnF/2/i1Iu6ttZckimOPHfLzQUL4ldL4QiaYuCQF6NfMAsGByqGSM44BAMFAAMvADAs
      AhQ6yueX7YlD7IlJhJ8D4l6xYqwopwIUHzX82qCzF+VzIUhi0JG7slSpyis=
     </ds:X509Certificate>
     </ds:X509Data>
     </ds:KeyInfo>
   </KeyDescriptor>
   <SingleLogoutServiceURL>http://www.sun.com/slo</SingleLogoutServiceURL>
   <SingleLogoutServiceReturnURL>http://www.sun.com/sloservice
    </SingleLogoutServiceReturnURL>
   <FederationTerminationServiceURL>http://www.sun.com/fts
    </FederationTerminationServiceURL>
   <FederationTerminationServiceReturnURL>http://www.sun.com/ftsr
    </FederationTerminationServiceReturnURL>
   <FederationTerminationNotificationProtocolProfile>
       http://projectliberty.org/profiles/
    fedterm-sp-http</FederationTerminationNotificationProtocolProfile>
   <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http
    </SingleLogoutProtocolProfile>
   <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/
    rni-sp-http</RegisterNameIdentifierProtocolProfile>
   <RegisterNameIdentifierServiceURL>http://www.sun2.com/risu
    </RegisterNameIdentifierServiceURL>
   <RegisterNameIdentifierServiceReturnURL>http://www.sun2.com/rstu
    </RegisterNameIdentifierServiceReturnURL>
   <RelationshipTerminationNotificationProtocolProfile>http://projectliberty.org/
    profiles/rel-term-soap</RelationshipTerminationNotificationProtocolProfile>
   <NameIdentifierMappingBinding AuthorityKind="ppp:AuthorizationDecisionQuery" 
    Location="http://eng.sun.com" Binding="http://www.sun.com" 
    xmlns:ppp="urn:oasis:names:tc:SAML:1.0:protocol"></NameIdentifierMappingBinding>
   <AdditionalMetaLocation namespace="abc">http://www.aol.com</AdditionalMetaLocation>
   <AdditionalMetaLocation namespace="efd">http://www.netscape.com</AdditionalMetaLocation>
   <AssertionConsumerServiceURL id="jh899" isDefault="true">
    http://www.iplanet.com/assertionurl</AssertionConsumerServiceURL>
   <AuthnRequestsSigned>true</AuthnRequestsSigned>
  </SPDescriptor>
  <ContactPerson xmlns:meta="urn:liberty:metadata:2003-08" contactType="technical" 
   meta:libertyPrincipalIdentifier="myid">
  <Company>Sun Microsystems</Company>
  <GivenName>Joe</GivenName>
  <SurName>Smith</SurName>
  <EmailAddress>joe@sun.com</EmailAddress> 
  <EmailAddress>smith@sun.com</EmailAddress>
  <TelephoneNumber>45859995</TelephoneNumber>
  </ContactPerson>	
  <Organization xmlns:xml="http://www.w3.org/XML/1998/namespace">
  <OrganizationName xml:lang="en">sun com</OrganizationName>
  <OrganizationName xml:lang="en">sun micro com</OrganizationName>
  <OrganizationDisplayName xml:lang="en">sun.com</OrganizationDisplayName>
  <OrganizationURL xml:lang="en">http://www.sun.com/liberty</OrganizationURL>
  </Organization>
</EntityDescriptor>
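The following Python script is an added example and is not part of this guide or of OpenSSO Enterprise. It parses partner service provider standard metadata in the Example 7–1 layout and summarizes what an administrator checks before running import-entity: the providerID and cacheDuration, whether a signing certificate is present, whether the provider declares AuthnRequestsSigned, and which endpoints are served over plain http. The embedded metadata is a constructed sample and its certificate body is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Liberty ID-FF metadata (urn:liberty:metadata:2003-08)
# and by the XML Signature KeyInfo element that carries the certificate.
NS = {
    "meta": "urn:liberty:metadata:2003-08",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SPDescriptor endpoint elements that a hosted provider will call or redirect to.
ENDPOINT_TAGS = (
    "SingleLogoutServiceURL",
    "SingleLogoutServiceReturnURL",
    "FederationTerminationServiceURL",
    "FederationTerminationServiceReturnURL",
    "RegisterNameIdentifierServiceURL",
    "RegisterNameIdentifierServiceReturnURL",
    "AssertionConsumerServiceURL",
)


def review_idff_sp_metadata(xml_text):
    """Parse partner SP standard metadata and return a pre-import summary.

    The summary records the providerID and cacheDuration, whether a signing
    certificate is present, whether the SP declares AuthnRequestsSigned, every
    endpoint URL found, and which of those endpoints use plain http.
    """
    root = ET.fromstring(xml_text)
    provider_id = root.get("{%s}providerID" % NS["meta"])
    sp = root.find("meta:SPDescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPDescriptor; not a service provider file")

    # Only the KeyDescriptor marked use="signing" matters for request signatures.
    certs = sp.findall(
        "meta:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        NS,
    )
    has_signing_cert = any((c.text or "").strip() for c in certs)

    signed = sp.find("meta:AuthnRequestsSigned", NS)
    authn_requests_signed = (
        signed is not None and (signed.text or "").strip().lower() == "true"
    )

    endpoints = {}
    for tag in ENDPOINT_TAGS:
        el = sp.find("meta:" + tag, NS)
        if el is not None and el.text and el.text.strip():
            endpoints[tag] = el.text.strip()
    insecure = sorted(
        tag for tag, url in endpoints.items() if url.lower().startswith("http://")
    )

    return {
        "provider_id": provider_id,
        "cache_duration": root.get("{%s}cacheDuration" % NS["meta"]),
        "has_signing_cert": has_signing_cert,
        "authn_requests_signed": authn_requests_signed,
        "endpoints": endpoints,
        "insecure_endpoints": insecure,
    }


# Constructed sample modelled on Example 7-1 (not the page's own file). The
# certificate body is a placeholder; the assertion consumer endpoint is https
# while single logout is left on plain http, so the review has something to flag.
SAMPLE_SP_METADATA = """<EntityDescriptor meta:providerID="http://sp10.example.com"
    meta:cacheDuration="360" xmlns:meta="urn:liberty:metadata:2003-08"
    xmlns="urn:liberty:metadata:2003-08">
  <SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutServiceURL>http://sp10.example.com/slo</SingleLogoutServiceURL>
    <AssertionConsumerServiceURL id="acs1" isDefault="true">
      https://sp10.example.com/assertionurl</AssertionConsumerServiceURL>
    <AuthnRequestsSigned>true</AuthnRequestsSigned>
  </SPDescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    for key, value in review_idff_sp_metadata(SAMPLE_SP_METADATA).items():
        print("%-22s %s" % (key + ":", value))
```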

Loading Extended Metadata Using ssoadm

OpenSSO Enterprise provides proprietary attributes that are not a specific part of the Liberty ID-FF, WS-Federation, or SAMLv2 protocols. To load OpenSSO Enterprise proprietary metadata use the following command:


ssoadm import-entity --adminid admin-ID --password-file password_filename \
    [--realm realm-name] [--meta-data-file metadata_filename] \
    [--extended-data-file extended_metadata_filename] \
    [--cot circle_of_trust] [--spec idff_or_saml2_or_wsfed]

After loading the metadata, the ssoadm export-entity option can be used to export metadata. This file can then be exchanged with trusted partners. Here is an example of an identity provider metadata XML file for proprietary attributes.


Example 7–2 Identity Provider Extended Metadata XML File


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Access Manager 2005Q4 Admin CLI 
DTD//EN"    "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<Requests>
   <OrganizationRequests DN="dc=companyA,dc=com">
      <CreateHostedProvider id="http://sp.companyA.com" role="SP" 
       defaultUrlPrefix="http://sp.companyA.com:80">
          <AttributeValuePair>
              <Attribute name="iplanet-am-provider-name"/>
              <Value>sp</Value>
          </AttributeValuePair>
          <AttributeValuePair>
              <Attribute name="iplanet-am-provider-alias"/>
              <Value>sp.companyA.com</Value>
          </AttributeValuePair>
          <AttributeValuePair>
              <Attribute name="iplanet-am-list-of-authenticationdomains"/>
              <Value>samplecot</Value>
          </AttributeValuePair>
          <AttributeValuePair>
              <Attribute name="iplanet-am-certificate-alias"/>
              <Value>cert_alias</Value>
          </AttributeValuePair>
          <AttributeValuePair>
              <Attribute name="iplanet-am-trusted-providers"/>
              <Value>http://idp.companyB.com</Value>
              <Value>http://idp.companyC.com</Value>
          </AttributeValuePair>
          <SPAuthContextInfo AuthContext="Password" AuthLevel="1"/>
          <AttributeValuePair>
              <Attribute name="iplanet-am-provider-homepage-url"/>
              <Value>http://sp.companyA.com:80/idff/index.jsp</Value>
          </AttributeValuePair>
      </CreateHostedProvider>
  </OrganizationRequests>
</Requests>
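The following Python script is an added example, not part of this guide or of OpenSSO Enterprise. It parses a request file in the Example 7–2 layout into per-provider attribute lists (keeping every Value of a multi-valued attribute such as iplanet-am-trusted-providers) and then cross-checks step 4 of Configuring Federation: the entity's extended metadata must name the circle of trust, and the circle's member list must contain the entity and every provider it trusts. The embedded request file and the member set are constructed samples; the membership set stands in for the output of ssoadm list-cot-members.

```python
import xml.etree.ElementTree as ET

# Extended-metadata attribute names used in Example 7-2 above.
COT_ATTR = "iplanet-am-list-of-authenticationdomains"
TRUSTED_ATTR = "iplanet-am-trusted-providers"


def parse_extended_metadata(xml_text):
    """Return the hosted providers declared in an extended-metadata request file.

    Each entry is {"id", "role", "realm_dn", "attrs"}, where attrs maps an
    attribute name to the list of its <Value> elements, so multi-valued
    attributes such as the trusted-providers list keep every value.
    """
    root = ET.fromstring(xml_text)
    providers = []
    for org in root.iter("OrganizationRequests"):
        for prov in org.findall("CreateHostedProvider"):
            attrs = {}
            for pair in prov.findall("AttributeValuePair"):
                attr = pair.find("Attribute")
                if attr is None or not attr.get("name"):
                    raise ValueError("AttributeValuePair without an Attribute name")
                values = [(v.text or "").strip() for v in pair.findall("Value")]
                attrs.setdefault(attr.get("name"), []).extend(values)
            providers.append({
                "id": prov.get("id"),
                "role": prov.get("role"),
                "realm_dn": org.get("DN"),
                "attrs": attrs,
            })
    return providers


def check_cot_membership(provider, cot_name, cot_members):
    """Cross-check the two halves of step 4 in Configuring Federation.

    The provider's own metadata must name the circle of trust, the circle's
    member list must contain the provider, and every provider it lists as
    trusted must also be a member. Returns a list of problem strings; an
    empty list means the two sides are consistent.
    """
    problems = []
    attrs = provider["attrs"]
    if cot_name not in attrs.get(COT_ATTR, []):
        problems.append("%s does not list circle of trust %s" % (provider["id"], cot_name))
    if provider["id"] not in cot_members:
        problems.append("%s is not a member of %s" % (provider["id"], cot_name))
    for trusted in attrs.get(TRUSTED_ATTR, []):
        if trusted not in cot_members:
            problems.append("trusted provider %s is outside %s" % (trusted, cot_name))
    return problems


# Constructed sample in the Example 7-2 layout (not the page's own file).
SAMPLE_EXTENDED = """<Requests>
  <OrganizationRequests DN="dc=companyA,dc=com">
    <CreateHostedProvider id="http://sp.companyA.example" role="SP"
     defaultUrlPrefix="http://sp.companyA.example:80">
      <AttributeValuePair>
        <Attribute name="iplanet-am-provider-alias"/>
        <Value>sp.companyA.example</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="iplanet-am-list-of-authenticationdomains"/>
        <Value>samplecot</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="iplanet-am-trusted-providers"/>
        <Value>http://idp.companyB.example</Value>
        <Value>http://idp.companyC.example</Value>
      </AttributeValuePair>
    </CreateHostedProvider>
  </OrganizationRequests>
</Requests>
"""

# Constructed membership of the circle of trust "samplecot"; companyC's IDP is
# deliberately absent so the check has something to report.
SAMPLE_COT_MEMBERS = {"http://sp.companyA.example", "http://idp.companyB.example"}

if __name__ == "__main__":
    for prov in parse_extended_metadata(SAMPLE_EXTENDED):
        print(prov["role"], prov["id"], prov["attrs"].get(COT_ATTR))
        for problem in check_cot_membership(prov, "samplecot", SAMPLE_COT_MEMBERS):
            print("  problem:", problem)
```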

Managing Circles of Trust Using ssoadm

The ssoadm command line interface creates and manages the circles of trust used by the Federation services. The following table describes the ssoadm subcommands specific to circle of trust management.

Table 7–2 ssoadm Subcommands for Managing Circles of Trust

create-cot

Creates a circle of trust.

delete-cot

Removes a circle of trust. To delete a circle of trust that contains providers, use remove-cot-member to remove each provider first, then use delete-cot to delete the circle itself.

add-cot-member

Adds a trusted provider to an existing circle of trust. add-cot-member can only add a single entity at a time. To add multiple entities when you first create the circle, use create-cot with the --trustedproviders option.

remove-cot-member

Removes a trusted provider from an existing circle of trust.

list-cot-members

Lists the member providers in a particular circle of trust.

list-cots

Lists all the circles of trust configured on the system.

The following command example will create a circle of trust:


ssoadm create-cot --cot COT-name --adminid admin-user --password-file password-filename \
    [--realm realm-name] [--trustedproviders trusted-providers] \
    [--prefix idp-discovery-URL-prefix]

This second command example will add a trusted provider to an existing circle of trust:


ssoadm add-cot-member --cot COT-name --entityid entity_ID --adminid admin-user \
    --password-file password-filename [--realm realm-name] [--spec saml2-or-idff]

This next command example will remove a trusted provider from an existing circle of trust:


ssoadm remove-cot-member --cot COT-name --entityid entity_ID --adminid admin-user \
    --password-file password-filename [--realm realm-name] [--spec saml2-or-idff]

This command example will list all the providers belonging to an existing circle of trust:


ssoadm list-cot-members --cot COT-name --adminid admin-user \
    --password-file password-filename [--realm realm-name] [--spec saml2-or-idff]

This command example will list all the available circles of trust:


ssoadm list-cots --adminid admin-user --password-file password-filename \
    [--realm realm-name]