Sun OpenSSO Enterprise 8.0 Administration Guide

ProcedureTo Configure OpenSSO Enterprise as an Identity Provider

  1. Create a token signing certificate in a Java keystore on the OpenSSO Enterprise machine. For example:

    keytool -keystore keystore.jks -genkey -dname "CN=amhost" -alias mywsfedidp

    Specify the same password for the keystore and the key. You can put the keystore in any location; you specify its full path in step 3. Older JDKs default -genkey to a 1024-bit DSA key; add -keyalg RSA -keysize 2048 to the command if you want an RSA signing key.

  2. Encrypt the keystore/key password. The easiest method is to use the OpenSSO Enterprise encode.jsp:

    1. Go to https://host:port/opensso/encode.jsp.

    2. Enter the password.

    3. Create two files, .storepass and .keypass, whose only content is the encrypted password. The encoded value is reversible by the OpenSSO Enterprise instance (it has to recover the password to open the keystore), so make both files readable only by the user the web container runs as, for example mode 0600.

  3. Set the path to keystore.jks and to the two files containing the encrypted passwords. To do so:

    1. Log into the OpenSSO Enterprise console.

    2. Go to Configuration>Sites and Servers.

    3. Click the Default Server Settings button and click the Security tab.

    4. Configure the following attributes:

      Keystore File

      Set to /path/keystore.jks

      Keystore Password File

      Set to /path/.storepass

      Private Key Password File

      Set to /path/.keypass

    5. You must restart the web container for the changes to take effect.

  4. Export the token signing certificate in DER format. For example:

    keytool -keystore keystore.jks -export -alias mywsfedidp -file cert.der

  5. Copy cert.der to the adfsresource machine.

  6. Create the metadata and extended metadata for a remote service provider using the ssoadm command line utility.

    For example:

    ssoadm create-metadata-templ -u amadmin -f password_file -m treyresearch.xml -x treyresearchx.xml -s /metaalias -y entity_id -c wsfed

    For this example, the files are named treyresearch.xml and treyresearchx.xml.

  7. Create the metadata and extended metadata for a hosted identity provider using the ssoadm command line utility.


    Note –

    You can also use the OpenSSO Enterprise console to create a hosted service provider or identity provider. For more information, see WS-Federation Entity Provider.


    For example:

    ssoadm create-metadata-templ -u amadmin -f password_file -m wsfedidp.xml -x wsfedidpx.xml -i /metaalias -y entity_id -c wsfed

    For this example, the files are named wsfedidp.xml and wsfedidpx.xml.

  8. In the remote service provider metadata (treyresearch.xml), change the hostname and port in the <ns3:Address> element to match your ADFS configuration.

  9. In the hosted identity provider extended metadata (wsfedidpx.xml), change the hostname and port in the HomeRealmDiscoveryService attribute to match your configuration. The file generated in step 7 has this structure:


    <FederationConfig xmlns="urn:sun:fm:wsfederation:1.0:federationconfig"
                      xmlns:fm="urn:sun:fm:wsfederation:1.0:federationconfig"
                      hosted="1" FederationID="mywsfedidp">
      <IDPSSOConfig metaAlias="/mywsfedidp">
        <Attribute name="displayName">
          <Value>My Open Federation Identity Provider</Value>
        </Attribute>
        <Attribute name="upnDomain">
          <Value>red.com</Value>
        </Attribute>
        <Attribute name="signingCertAlias">
          <Value>mywsfedidp</Value>
        </Attribute>
        <Attribute name="assertionEffectiveTime">
          <Value>600</Value>
        </Attribute>
        <Attribute name="idpAccountMapper">
          <Value>com.sun.identity.wsfederation.plugins.DefaultIDPAccountMapper</Value>
        </Attribute>
        <Attribute name="idpAttributeMapper">
          <Value>com.sun.identity.wsfederation.plugins.DefaultIDPAttributeMapper</Value>
        </Attribute>
      </IDPSSOConfig>
    </FederationConfig>

  10. Load the identity provider and service provider metadata into OpenSSO Enterprise. From the console:

    1. Log in to the console and click the Federation tab and then the Import Entity button.

    2. Choose the realm to which the requesting service provider belongs.

    3. In the Where Does the Meta Data File Reside field, choose File and click Upload.

    4. Choose wsfedidp.xml.

    5. Click OK.

    6. In the Where Does the Extended Meta Data File Reside field, choose File and click Upload.

    7. Choose wsfedidpx.xml.

    8. Click OK.

    9. Repeat these steps to load the service provider metadata (treyresearch.xml and treyresearchx.xml).

  11. Create a circle of trust and add the identity provider and service provider. For instructions, see Circle of Trust.

  12. In the ADFS environment, add a new Account Partner to adfsresource.treyresearch.net and configure the following attributes:

    Display Name

    Enter a name, for example OpenSSO IDP.

    Federation Service URI

    This must be the same as the TokenIssuerName in the identity provider metadata. For example:

    urn:federation:mywsfedidp

    Federation Service endpoint URL

    The last path component of this URL must match the metaAlias in the identity provider extended metadata, and the host and port must be those published in the identity provider metadata. For example:

    https://amhost(:amsecureport)/opensso/WSFederationServlet/metaAlias/mywsfedidp

    Account Partner Verification Certificate

    Import the OpenSSO token signing certificate that you copied to the adfsresource machine.

  13. Delete all cookies in your browser and go to the sample claims-aware application at https://adfsweb.treyresearch.net:8081/claimapp/.

    You should see the OpenSSO Enterprise identity provider listed in the drop-down list. Select the OpenSSO identity provider. You are redirected to the standard OpenSSO Enterprise login screen. After logging in, you are redirected back to the sample application.

  14. Click the Sign Out link to do a single logout.

    Check that you are logged out by requesting https://adfsweb.treyresearch.net:8081/claimapp/ again. You should be redirected to the OpenSSO login page, which shows that neither ADFS nor OpenSSO still has an active session for the browser.

    The realm choice is stored in a persistent cookie. If you close and restart the browser and return to https://adfsweb.treyresearch.net:8081/claimapp/, you should go directly to the OpenSSO Enterprise login page without being asked to choose a realm again.
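The values that steps 6 through 12 require to agree (TokenIssuerName versus the Federation Service URI, metaAlias versus the last path component of the Federation Service endpoint URL, the host and port in <ns3:Address> versus the endpoint URL, and the exported certificate alias versus signingCertAlias) are easy to mistype, and ADFS reports little when they disagree. The following script is an added example, not part of this guide or of OpenSSO Enterprise; it parses the hosted identity provider's two metadata documents and lists every mismatch against the Account Partner settings before you touch the ADFS console. The metadata in it is a constructed sample: the extended metadata mirrors the wsfedidpx.xml shown in step 9, while the standard metadata uses only the TokenIssuerName and <ns3:Address> elements this procedure refers to, with the surrounding element layout and the namespace URIs assumed rather than taken from the guide.

```python
"""Consistency check for the OpenSSO IdP <-> ADFS Account Partner trust.

Added example; not code from the OpenSSO Enterprise guide or product.
Assumptions: the two metadata documents below are constructed samples.
The extended metadata follows the wsfedidpx.xml shown in step 9; the
standard metadata's TokenIssuerName and TokenIssuerEndpoint/Address
elements are the ones the guide names, but the element layout around
them and the namespace URIs are assumptions.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

WSFED_NS = "http://schemas.xmlsoap.org/ws/2006/12/federation"   # assumed
WSA_NS = "http://www.w3.org/2005/08/addressing"                  # assumed
FEDCONF_NS = "urn:sun:fm:wsfederation:1.0:federationconfig"      # from step 9

# Constructed sample: standard metadata (wsfedidp.xml) of the hosted IdP.
SAMPLE_METADATA = f"""<Federation xmlns="{WSFED_NS}" FederationID="mywsfedidp">
  <TokenIssuerName>urn:federation:mywsfedidp</TokenIssuerName>
  <TokenIssuerEndpoint>
    <ns3:Address xmlns:ns3="{WSA_NS}">https://amhost:443/opensso/WSFederationServlet/metaAlias/mywsfedidp</ns3:Address>
  </TokenIssuerEndpoint>
</Federation>"""

# Constructed sample: extended metadata (wsfedidpx.xml), as in step 9.
SAMPLE_EXTENDED = f"""<FederationConfig xmlns="{FEDCONF_NS}" hosted="1" FederationID="mywsfedidp">
  <IDPSSOConfig metaAlias="/mywsfedidp">
    <Attribute name="signingCertAlias"><Value>mywsfedidp</Value></Attribute>
    <Attribute name="upnDomain"><Value>red.com</Value></Attribute>
    <Attribute name="assertionEffectiveTime"><Value>600</Value></Attribute>
  </IDPSSOConfig>
</FederationConfig>"""


def parse_idp(metadata_xml, extended_xml):
    """Extract the values that ADFS must agree with from both documents."""
    fed = ET.fromstring(metadata_xml)
    conf = ET.fromstring(extended_xml)
    sso = conf.find(f"{{{FEDCONF_NS}}}IDPSSOConfig")
    attrs = {
        a.get("name"): a.findtext(f"{{{FEDCONF_NS}}}Value")
        for a in sso.findall(f"{{{FEDCONF_NS}}}Attribute")
    }
    return {
        "issuer": fed.findtext(f"{{{WSFED_NS}}}TokenIssuerName"),
        "endpoint": fed.findtext(
            f"{{{WSFED_NS}}}TokenIssuerEndpoint/{{{WSA_NS}}}Address"),
        "meta_alias": sso.get("metaAlias"),
        "hosted": conf.get("hosted") == "1",
        "signing_alias": attrs.get("signingCertAlias"),
    }


def check_account_partner(idp, service_uri, endpoint_url, exported_alias):
    """Return the list of mismatches between the IdP and the ADFS settings.

    service_uri    - Federation Service URI entered in ADFS (step 12)
    endpoint_url   - Federation Service endpoint URL entered in ADFS
    exported_alias - alias passed to keytool -export in step 4
    """
    problems = []
    if not idp["hosted"]:
        problems.append('extended metadata is not hosted="1"; not a local IdP')
    if service_uri != idp["issuer"]:
        problems.append(f"Federation Service URI {service_uri!r} != "
                        f"TokenIssuerName {idp['issuer']!r}")
    # Last path component of the endpoint URL must equal the metaAlias name.
    last = urlsplit(endpoint_url).path.rstrip("/").rsplit("/", 1)[-1]
    alias_name = idp["meta_alias"].rstrip("/").rsplit("/", 1)[-1]
    if last != alias_name:
        problems.append(f"endpoint path ends in {last!r} but metaAlias is "
                        f"{idp['meta_alias']!r}")
    # ADFS must redirect to the scheme/host/port published in the metadata.
    want, got = urlsplit(idp["endpoint"]), urlsplit(endpoint_url)
    if (want.scheme, want.netloc) != (got.scheme, got.netloc):
        problems.append(f"endpoint {got.scheme}://{got.netloc} != metadata "
                        f"{want.scheme}://{want.netloc}")
    if got.scheme != "https":
        problems.append("endpoint URL is not https; tokens would travel in clear")
    # The certificate imported into ADFS must be the key OpenSSO signs with.
    if exported_alias != idp["signing_alias"]:
        problems.append(f"exported alias {exported_alias!r} != signingCertAlias "
                        f"{idp['signing_alias']!r}")
    return problems


if __name__ == "__main__":
    idp = parse_idp(SAMPLE_METADATA, SAMPLE_EXTENDED)
    url = "https://amhost:443/opensso/WSFederationServlet/metaAlias/mywsfedidp"
    for p in check_account_partner(idp, "urn:federation:mywsfedidp", url,
                                   "mywsfedidp"):
        print("MISMATCH:", p)
```

Run it with the real wsfedidp.xml and wsfedidpx.xml read from disk and the values you intend to enter in ADFS; an empty list means the Account Partner definition is consistent with what OpenSSO publishes, and each reported line names the attribute to fix on one side or the other.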