Sun OpenSSO Enterprise 8.0 Administration Guide

Creating Affiliations

To configure an affiliation, the identity provider standard metadata must contain an AffiliationDescriptor element. In SAML 2.0 metadata this element sits inside an EntityDescriptor whose entityID attribute is the affiliation's own entity ID; the affiliationOwnerID attribute names the entity responsible for the affiliation, and each AffiliateMember element lists the entity ID of one member provider:

<AffiliationDescriptor
 affiliationOwnerID="affi.red.com">
  <AffiliateMember>mach1.red.com</AffiliateMember>
  <AffiliateMember>mach2.red.com</AffiliateMember>
</AffiliationDescriptor>

The identity provider extended metadata must also contain a matching AffiliationConfig element. Its metaAlias identifies the hosted affiliation (realm/identifier), and signingCertAlias and encryptionCertAlias are the keystore aliases of the certificates used for signing and for encryption on behalf of the affiliation:

<AffiliationConfig metaAlias="/ff">
  <Attribute name="signingCertAlias">
   <Value>test</Value>
  </Attribute>
  <Attribute name="encryptionCertAlias">
   <Value>test</Value>
  </Attribute>
</AffiliationConfig> 

The ssoadm command line interface can create the identity provider metadata and import it: create-metadata-templ writes the standard and extended metadata files, and import-entity loads them into the configuration. Use the following create-metadata-templ options to generate the affiliation tags in the metadata. See Part I, Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for more information.

--affiliation, -F

Specify a metaAlias for the hosted affiliation. The format is realm/identifier, for example /ff for an affiliation named ff in the root realm.

--affiscertalias, -J

Specify a signing certificate alias for the hosted affiliation.

--affiecertalias, -K

Specify an encryption certificate alias for the hosted affiliation.

--affimembers, -M

Specify affiliation members. Give the entity ID of each member provider, separated by spaces.

--affiownerid, -N

Specify the identifier for the Affiliation Owner.

An example illustrating how the command line might be used to create the metadata. Here -u and -f give the administrator ID and password file, -m and -x the standard and extended metadata files to write, and -y the entity ID of the affiliation. Note the two different identifiers: the entity ID affi.red.com is the value that is later passed as affiliationID when initiating single sign-on, while affiownerID (given with -N) is the affiliation owner.

ssoadm create-metadata-templ -u amadmin -f /tmp/pw \
    -m /home/tmp/affimm -x /home/tmp/affixx \
    -F /ff -y affi.red.com -K test -J test \
    -M sp1.red.com sp2.red.com -N affiownerID

Note –

See Chapter 1, ssoadm Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for information on the other options.


spSSOInit.jsp and idpSSOInit.jsp can initiate single sign-on, and spMNIRequestInit.jsp and idpMNIRequestInit.jsp can initiate name identifier management, on behalf of a configured affiliation. The affiliationID parameter must match the affiliation's entity ID in the standard metadata, that is, the entityID attribute of the EntityDescriptor that contains the AffiliationDescriptor (affi.red.com in the example above). A URL to initiate single sign-on from the service provider might be:

http://mach1.red.com:58080/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=isdev-3.red.com&reqBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&affiliationID=affi.red.com
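As an added example (not from this guide or the OpenSSO code base), the following Python script checks a pair of affiliation metadata files for the consistency rules described above before they are imported with ssoadm, and then builds the spSSOInit.jsp URL from the parsed metadata so that affiliationID is taken from the affiliation's entity ID rather than typed by hand. It assumes the AffiliationDescriptor is wrapped in a SAML 2.0 EntityDescriptor whose entityID is the affiliation's entity ID, and that the extended metadata is the bare AffiliationConfig fragment shown above; the sample XML, host names and entity IDs are constructed for the example.

```python
"""Consistency checks for an OpenSSO SAML2 affiliation (added example, not
from the guide or the OpenSSO code base).  The XML below is constructed for
illustration; the entity IDs and host names are assumptions."""
import re
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# metaAlias must be realm/identifier: "/ff" (root realm) or "/realmA/ff".
META_ALIAS_RE = re.compile(r"^/(?:[^/\s]+/)*[^/\s]+$")

# Constructed standard metadata.  SAML 2.0 metadata places the
# AffiliationDescriptor inside an EntityDescriptor whose entityID is the
# affiliation's own identifier (the value later passed as affiliationID);
# affiliationOwnerID names the entity responsible for the affiliation.
STANDARD_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="affi.red.com">
  <AffiliationDescriptor affiliationOwnerID="affiownerID">
    <AffiliateMember>mach1.red.com</AffiliateMember>
    <AffiliateMember>mach2.red.com</AffiliateMember>
  </AffiliationDescriptor>
</EntityDescriptor>
"""

# Constructed extended metadata, in the bare AffiliationConfig shape the
# guide shows (assumed here without any surrounding wrapper element).
EXTENDED_METADATA = """\
<AffiliationConfig metaAlias="/ff">
  <Attribute name="signingCertAlias"><Value>test</Value></Attribute>
  <Attribute name="encryptionCertAlias"><Value>test</Value></Attribute>
</AffiliationConfig>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{urn:...}Foo' -> 'Foo'."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """First element (root included) whose local name is `name`, else None."""
    return next((e for e in root.iter() if _local(e.tag) == name), None)


def parse_affiliation(xml_text):
    """Return entity ID, owner ID and member list from standard metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID") if _local(root.tag) == "EntityDescriptor" else None
    desc = _find(root, "AffiliationDescriptor")
    if desc is None:
        raise ValueError("standard metadata has no AffiliationDescriptor")
    members = [(m.text or "").strip() for m in desc if _local(m.tag) == "AffiliateMember"]
    return {"entity_id": entity_id, "owner_id": desc.get("affiliationOwnerID"), "members": members}


def parse_affiliation_config(xml_text):
    """Return metaAlias and a name -> first Value map from extended metadata."""
    root = ET.fromstring(xml_text)
    cfg = _find(root, "AffiliationConfig")
    if cfg is None:
        raise ValueError("extended metadata has no AffiliationConfig")
    attrs = {}
    for attr in cfg:
        if _local(attr.tag) == "Attribute":
            values = [(v.text or "").strip() for v in attr if _local(v.tag) == "Value"]
            attrs[attr.get("name")] = values[0] if values else ""
    return {"meta_alias": cfg.get("metaAlias"), "attributes": attrs}


def check_affiliation(std, ext):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if not std["entity_id"]:
        problems.append("standard: no entityID on the enclosing EntityDescriptor")
    if not std["owner_id"]:
        problems.append("standard: AffiliationDescriptor lacks affiliationOwnerID")
    if not std["members"]:
        problems.append("standard: affiliation has no AffiliateMember entries")
    dupes = sorted({m for m in std["members"] if std["members"].count(m) > 1})
    if dupes:
        problems.append("standard: duplicate AffiliateMember " + ", ".join(dupes))
    if not META_ALIAS_RE.match(ext["meta_alias"] or ""):
        problems.append(f"extended: metaAlias {ext['meta_alias']!r} is not realm/identifier")
    for name in ("signingCertAlias", "encryptionCertAlias"):
        if not ext["attributes"].get(name):
            problems.append(f"extended: {name} is missing or empty")
    return problems


def sp_sso_init_url(base_url, sp_meta_alias, idp_entity_id, affiliation, binding=HTTP_POST):
    """Build the spSSOInit.jsp URL, taking affiliationID from the parsed
    metadata so it cannot drift from the affiliation's entity ID."""
    if not affiliation["entity_id"]:
        raise ValueError("affiliation has no entityID to use as affiliationID")
    query = urlencode({"metaAlias": sp_meta_alias, "idpEntityID": idp_entity_id,
                       "reqBinding": binding, "affiliationID": affiliation["entity_id"]})
    return f"{base_url.rstrip('/')}/saml2/jsp/spSSOInit.jsp?{query}"


if __name__ == "__main__":
    std = parse_affiliation(STANDARD_METADATA)
    ext = parse_affiliation_config(EXTENDED_METADATA)
    for problem in check_affiliation(std, ext):
        print("PROBLEM:", problem)
    print(sp_sso_init_url("http://mach1.red.com:58080/opensso", "/sp", "isdev-3.red.com", std))
```

Run it against the files written by create-metadata-templ (read them instead of the constructed strings) before running import-entity; a bare AffiliationDescriptor with no enclosing EntityDescriptor, a metaAlias without the leading realm, or a missing certificate alias is reported as a problem rather than discovered at single sign-on time.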