Sun OpenSSO Enterprise 8.0 Administration Guide

Procedure: To Create a Referral Using the OpenSSO Enterprise Console

In order to create policies for peer realms or sub realms, you must first create a referral in the parent (or peer) realm pointing to the appropriate peer or sub realm. The Rule definition in the referral must contain the location of the resource(s) that will be managed. Once the referral is created, policies can be created for the appropriate peer or sub realm.

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator.

  1. Under the Access Control tab, click the name of the realm in which you are creating the referral.

    This might be the / Top Level Realm or a sub realm.

  2. Click the Policies tab.

  3. Click New Referral.

  4. Enter a name for the referral.

  5. (Optional) Enter a description of the referral.

  6. (Optional) Select Yes to activate the referral.

  7. Click New under Rules.

  8. Select the appropriate Service Type and click Next.

    This value cannot be changed once the Rule has been created. The options are:

    • Discovery Service (with resource name) defines the authorization actions for Discovery Service query and modify protocol invocations by web services clients.

    • Liberty Personal Profile Service (with resource name) defines the authorization actions for Liberty Personal Profile Service query and modify protocol invocations by web services clients.

    • URL Policy Agent (with resource name) defines authorization actions for the URL Policy Agent service. This is used to define policies that protect HTTP and HTTPS URLs. This is the most common use case.

    You may see a larger list if more services are enabled for the policy. (See Enabling Policy in a Service.) For more information, see Rules.

  9. Add a Name for the Rule.

  10. Add a URL as the value for Resource Name and click Finish.

    In this procedure, o=example.com is the sub realm that manages access to http://www.example.com and its sub-resources.

  11. Click New under Referral.

  12. (Optional) Select the Referral Type and click Next.

    The choices are Peer Realm or Sub Realm. This page is displayed only when the realm in which you are creating the referral has both peer and sub realms. It will not be displayed, for example, when creating a referral in the / Top Level Realm because all other realms are sub realms of the / Top Level Realm.

  13. Enter a name for the referral.

  14. Select the realm to which you are referring policy management from the drop-down list and click Finish.

  15. Click Save to update.

  16. Navigate to the sub realm to create policy.

    Now that policy management for the resource is referred to the peer or sub realm, policies can be created to control access for http://www.example.com or any resource starting with http://www.example.com. See To Add Multiple Policies Using the ssoadm Command Line Utility or To Create a Policy Using the OpenSSO Enterprise Console.
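
A pre-flight check for step 16, added here as an example (it is not OpenSSO code): before creating policies in a sub realm, confirm that each policy resource falls under a resource that a referral actually hands to that realm. The data, the function names and the URL comparison are assumptions; the comparison is a conservative model that matches scheme, host and port exactly and the path on segment boundaries, not OpenSSO's own resource matching.

```python
from urllib.parse import urlsplit

# Constructed sample data mirroring the procedure: the top-level realm refers
# http://www.example.com to the sub realm o=example.com.
REFERRALS = [
    {"realm": "/", "resource": "http://www.example.com", "referred_to": "o=example.com"},
]

# Constructed policy resources an administrator plans to create in sub realms.
PLANNED_POLICIES = [
    ("o=example.com", "http://www.example.com/hr/payroll"),
    ("o=example.com", "http://www.example.com.other.test/hr"),  # look-alike host
    ("o=example.com", "https://www.example.com/hr"),            # scheme not referred
    ("o=partner.com", "http://www.example.com/hr"),             # realm has no referral
]

def _parts(url):
    """Split a URL into (scheme, host, port, path segments) for comparison."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    segments = [s for s in u.path.split("/") if s]
    return u.scheme, (u.hostname or ""), port, segments

def covered_by(referred_resource, policy_resource):
    """True if policy_resource is the referred resource or one of its sub-resources."""
    r_scheme, r_host, r_port, r_segs = _parts(referred_resource)
    p_scheme, p_host, p_port, p_segs = _parts(policy_resource)
    if (r_scheme, r_host, r_port) != (p_scheme, p_host, p_port):
        return False  # a plain string prefix test would wrongly accept look-alike hosts
    return p_segs[:len(r_segs)] == r_segs

def audit(referrals, planned):
    """Return [(realm, resource, covered)] for each planned sub-realm policy."""
    results = []
    for realm, resource in planned:
        ok = any(r["referred_to"] == realm and covered_by(r["resource"], resource)
                 for r in referrals)
        results.append((realm, resource, ok))
    return results

if __name__ == "__main__":
    for realm, resource, ok in audit(REFERRALS, PLANNED_POLICIES):
        print(f"{'OK     ' if ok else 'NO REF '} {realm:15} {resource}")
```

Any row reported as NO REF needs its own referral rule in the parent or peer realm before the policy is created.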