Although this document describes an example in which Identity Manager and OpenSSO Enterprise are configured for both single sign-on and provisioning, you can also configure a deployment for single sign-on without provisioning, or for provisioning without single sign-on. If single sign-on between OpenSSO Enterprise and Identity Manager is not required, the OpenSSO Enterprise Policy Agent does not need to be installed or configured, and you can skip the steps that involve it.
To install and configure the OpenSSO Enterprise policy agent on Identity Manager, follow these steps:
Download Policy Agent 3.0 for Sun Application Server 9.1.
Log in to the OpenSSO Enterprise console.
Navigate to Access Control | / (Top-Level Realm) | Agents | J2EE.
In the Agent section, click New and create a new agent profile with these values:
The console displays the J2EE Policy Agent page again with a hyperlink for the agent profile idmagent.
Click on the idmagent hyperlink.
The "Edit idmagent" page is displayed. The agent profile is now created.
If OpenSSO Enterprise is deployed on a web server, in the Agent profile page, navigate to the tab SSO.
Select the property SSO Decode (com.sun.identity.agents.config.sso.decode).
Select this property only when OpenSSO Enterprise is deployed on a web server. If you leave it unselected in that deployment, then after you log in to OpenSSO Enterprise the browser appears to hang on the OpenSSO Enterprise login screen.
Log out of the OpenSSO Enterprise console.
Verify that you can log in to the OpenSSO Enterprise console as this user.
Create a policy agent password file named /export/software/agent_pwd.
This file must contain only the password for the agent profile, in plain text. Because the password is stored unencrypted, restrict the file so that only the user who runs the agent installer can read it (for example, mode 0600).
The Policy Agent provides these capabilities:
Retrieve an OpenSSO Enterprise user session attribute (UserToken) and map it to an Identity Manager attribute (sois_user), so that Identity Manager can complete the single sign-on from OpenSSO Enterprise.
Protect access to the Identity Manager pages, in addition to the protection provided by the capabilities that can be explicitly assigned to a user from the Identity Manager administrator interface.
The sois_user is the authentication property in Identity Manager that is used during single sign-on between OpenSSO Enterprise and Identity Manager. The name sois_user given to the property was an abbreviation for Sun ONE Identity Server User. The Sun ONE Identity Server product was a predecessor to OpenSSO Enterprise.
Follow instructions in the policy agent documentation for installing the Policy Agent on Application Server.
Deploy the agentapp.war on the Sun Application Server.
When the policy agent installation is complete, verify that the agent is installed and functioning properly.
Install the sample application agentsample that ships with the agent and test the application. Instructions for installing and testing the sample application are available on the OpenSSO website.
Before you deploy and test the agentsample application, you must remove the following entries from the GlassFish JVM path:
These entries were added in the procedure To Configure Application Server to Work with Identity Manager.
If you do not remove these entries before deploying the agentsample application, you will get a 500 error on the browser when you try to access the agentsample application.
Configure the OpenSSO Enterprise Agent Profile
Log in to the OpenSSO Enterprise console as amadmin.
Navigate to Access Control | /(Top-Level Realm) | Agents | J2EE.
Click the policy agent profile that was created earlier and was associated with the agent installation.
Navigate to the tab OpenSSO Services.
For the property OpenSSO Enterprise Login URL (com.sun.identity.agents.config.login.url), remove the existing entry, and add this entry:
The value must be the login URL that OpenSSO Enterprise users use to log in to OpenSSO Enterprise.
Navigate to the tab Application.
For the property Session Attribute Fetch Mode (com.sun.identity.agents.config.session.attribute.fetch.mode), choose the option HTTP_HEADER.
For the property Session Attribute Mapping (com.sun.identity.agents.config.session.attribute.mapping), remove the existing entry, and add this entry:
For the property Not Enforced URIs (com.sun.identity.agents.config.notenforced.uri), add these entries:
/idm/styles/*
/idm/includes/*
/idm/images/*
Log out from the OpenSSO Enterprise console.
For detailed information on creating policies on OpenSSO Enterprise, see Creating Policies and Referrals in Sun OpenSSO Enterprise 8.0 Administration Guide.
Create the following policies in the realm where the users will be provisioned. If a policy is to be created in a sub-realm, you must first create a Referral Policy in the top-level realm for the same URLs.
Identity Manager User Policy
This policy restricts access to the Identity Manager user pages to users in the idm_users role. Regular Identity Manager users are therefore not allowed to access the Identity Manager administrator interface URIs.
For http://server:port/idm/user, allow GET and POST actions.
For http://server:port/idm/user/*, allow GET and POST actions.
For http://server:port/idm/user/*?*, allow GET and POST actions.
Subject Type: OpenSSO Identity Subject | Role | idm_users
Identity Manager Admin Policy
This policy restricts access to all Identity Manager pages to users in the idm_admins role. Users in this role can access both the administrator and the user pages.
For http://server:port/idm, allow GET and POST actions.
For http://server:port/idm/*, allow GET and POST actions.
For http://server:port/idm/*?*, allow GET and POST actions.
Subject Type: OpenSSO Identity Subject | Role | idm_admins
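The two policies above, together with the Not Enforced URIs set earlier, define an access matrix that is easy to get subtly wrong (for example, a URL with a query string is not matched by a rule ending in /*, which is why the separate /*?* rules exist). The following Python model is an added example, not part of the original guide or of OpenSSO: it encodes the page's rules as data and evaluates constructed requests against them so you can check the intended outcome before configuring the console. Its only assumption about OpenSSO semantics is the documented wildcard behaviour, that * matches any run of characters except ?; the real decision is made by OpenSSO Enterprise, and this model does not replace testing against the deployed agent.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Not Enforced URIs from the agent profile (com.sun.identity.agents.config.notenforced.uri).
NOT_ENFORCED = ["/idm/styles/*", "/idm/includes/*", "/idm/images/*"]


@dataclass
class Policy:
    name: str
    resources: List[str]   # URL patterns exactly as entered in the OpenSSO console
    actions: Set[str]      # allowed actions
    role: str              # OpenSSO Identity Subject | Role


# The two policies described on this page, as data.
POLICIES = [
    Policy("Identity Manager User Policy",
           ["http://server:port/idm/user",
            "http://server:port/idm/user/*",
            "http://server:port/idm/user/*?*"],
           {"GET", "POST"}, "idm_users"),
    Policy("Identity Manager Admin Policy",
           ["http://server:port/idm",
            "http://server:port/idm/*",
            "http://server:port/idm/*?*"],
           {"GET", "POST"}, "idm_admins"),
]


def pattern_to_regex(pattern: str) -> "re.Pattern":
    # Assumption (OpenSSO wildcard rule): '*' matches any characters except '?',
    # so a pattern ending in '/*' does not match a URL that carries a query string.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^?]*".join(parts) + "$")


def matches(pattern: str, value: str) -> bool:
    return pattern_to_regex(pattern).match(value) is not None


def request_path(url: str) -> str:
    # Strip scheme and host, then the query string: not-enforced entries are URIs, not URLs.
    path = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*", "", url)
    return path.split("?", 1)[0]


def evaluate(url: str, method: str, roles: Iterable[str],
             policies: List[Policy] = POLICIES,
             not_enforced: List[str] = NOT_ENFORCED) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for a request, following the agent's order of checks:
    a not-enforced URI is served without consulting policy; otherwise some policy must
    explicitly allow the action for one of the caller's roles, or the request is denied."""
    roles = set(roles)
    path = request_path(url)
    for uri in not_enforced:
        if matches(uri, path):
            return "allow", "not enforced: " + uri
    for policy in policies:
        if policy.role in roles and method in policy.actions:
            for resource in policy.resources:
                if matches(resource, url):
                    return "allow", policy.name + " via " + resource
    return "deny", "no policy allows " + method + " " + url


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    checks = [
        ("http://server:port/idm/user/listTasks", "GET", {"idm_users"}),
        ("http://server:port/idm/user/listTasks?id=7", "POST", {"idm_users"}),
        ("http://server:port/idm/admin/index.jsp", "GET", {"idm_users"}),
        ("http://server:port/idm/admin/index.jsp", "GET", {"idm_admins"}),
        ("http://server:port/idm/styles/main.css", "GET", set()),
    ]
    for url, method, roles in checks:
        print(method, url, sorted(roles), "->", evaluate(url, method, roles))
```

Running the block with an empty policy list reproduces the situation described later on this page: until the policies exist, every enforced Identity Manager URL is denied.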
This task enables you to perform the tasks described in the sections below without the policy agent getting in the way. At this point, the policies haven't been set up on OpenSSO Enterprise. You would be denied access to all Identity Manager URLs until policies are set up. The protection by the policy agent will be re-enabled in a subsequent procedure. See To Re-Enable Identity Manager Protection by the OpenSSO Enterprise Policy Agent .
Log in to the OpenSSO Enterprise console using the following credentials:
Navigate to Access Control | /(Top-Level Realm) | Agents | J2EE | idmagent | Application.
For the property Not Enforced URI (com.sun.identity.agents.config.notenforced.uri), add this entry:
Log out of the OpenSSO Enterprise console.
Modify the Identity Manager application descriptor.
Go to the directory where the application descriptor is present.
# cd /opt/SUNWappserver91/domains/domain1/applications/j2ee-modules/idm/WEB-INF
Back up the file web.xml.
Change DOCTYPE as follows:
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
Delete the single instance of <web-app> in the next line.
Add the following just before the first <filter> definition:
<filter>
    <filter-name>Agent</filter-name>
    <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
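The three web.xml edits above (swap the DOCTYPE and bare root for the Servlet 2.4 schema root, drop the old <web-app> line, and put the Agent filter before every other filter) are easy to get wrong by hand, and an agent filter that is not first in the chain can be bypassed by a filter that forwards before it runs. The following Python script is an added example, not part of this guide or of the agent distribution: it applies the edits to a descriptor in memory, refuses to run twice, and parses the result so a malformed descriptor is caught before the server is restarted. The sample descriptor in the main block is constructed for illustration; the backup suffix .bak and the helper names are the example's own choices.

```python
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List

J2EE_NS = "http://java.sun.com/xml/ns/j2ee"

# Root element exactly as given in the procedure (replaces DOCTYPE + bare <web-app>).
J2EE_ROOT = ('<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" '
             'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
             'xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee '
             'http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">')

AGENT_FILTER_CLASS = "com.sun.identity.agents.filter.AmAgentFilter"

AGENT_FILTER = """<filter>
    <filter-name>Agent</filter-name>
    <filter-class>{cls}</filter-class>
</filter>
<filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>""".format(cls=AGENT_FILTER_CLASS)


def add_agent_filter(xml_text: str) -> str:
    """Return the descriptor with the 2.4 root and the Agent filter as the first filter.
    Idempotent: a descriptor that already references AmAgentFilter is returned unchanged."""
    if AGENT_FILTER_CLASS in xml_text:
        return xml_text
    # Step 1 and 2: replace "<!DOCTYPE web-app ...>" followed by the bare "<web-app>" root.
    new = re.sub(r"<!DOCTYPE\s+web-app[^>]*>\s*<web-app\s*>", J2EE_ROOT, xml_text,
                 count=1, flags=re.S)
    if new == xml_text:
        raise ValueError("expected a DOCTYPE followed by a bare <web-app> root")
    # Step 3: insert the Agent filter just before the first existing <filter>,
    # reusing that line's indentation so the file stays readable.
    idx = new.find("<filter>")
    if idx == -1:
        raise ValueError("no <filter> element found to anchor the Agent filter")
    line_start = new.rfind("\n", 0, idx) + 1
    indent = new[line_start:idx]
    block = "".join(indent + line + "\n" for line in AGENT_FILTER.splitlines())
    return new[:line_start] + block + new[line_start:]


def filter_names(xml_text: str) -> List[str]:
    """Parse the descriptor and list filter names in chain order (raises if not well-formed)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}web-app" % J2EE_NS:
        raise ValueError("root element is not the j2ee web-app")
    return [f.findtext("{%s}filter-name" % J2EE_NS) for f in root.findall("{%s}filter" % J2EE_NS)]


def patch_descriptor(path: str) -> List[str]:
    """Back up web.xml next to itself, rewrite it, and return the resulting filter order."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    new = add_agent_filter(p.read_text(encoding="utf-8"))
    names = filter_names(new)          # validate before touching the original
    if names[0] != "Agent":
        raise ValueError("Agent filter is not first in the chain: %r" % names)
    p.write_text(new, encoding="utf-8")
    return names


if __name__ == "__main__":
    # Constructed Servlet 2.3 descriptor standing in for the shipped idm web.xml.
    sample = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"\n'
              '  "http://java.sun.com/dtd/web-app_2_3.dtd">\n'
              '<web-app>\n'
              '    <display-name>idm</display-name>\n'
              '    <filter>\n'
              '        <filter-name>Existing</filter-name>\n'
              '        <filter-class>com.example.ExistingFilter</filter-class>\n'
              '    </filter>\n'
              '</web-app>\n')
    print(filter_names(add_agent_filter(sample)))
```

Use patch_descriptor on the real WEB-INF/web.xml only after backing it up as the procedure says; the function keeps its own .bak copy as well, and refuses to write if the Agent filter would not end up first.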
Log in to the Application Server console.
Navigate to Application Server > JVM Settings > Path Settings.
Update the classpath suffix.
Remove the following entries that you had added earlier:
/opt/SUNWappserver91/domains/domain1/applications/j2ee-modules/idm/WEB-INF/lib/openssoclientsdk.jar
/opt/SUNWappserver91/domains/domain1/applications/j2ee-modules/idm/WEB-INF/classes
At this time, you can also physically delete the openssoclientsdk.jar file and the classes directory. They are no longer needed.
In the following steps, the recommended approach is to update the web.xml file (above), recreate the idm.war, and then redeploy the new idm.war file on the Application Server.
Stop the Application Server.
# /opt/SUNWappserver91/bin/asadmin stop-domain domain1
Delete the generated Identity Manager application files.
They will be re-generated when you access the Identity Manager application. If you don't do this step, the changes that you made in the web.xml file may not go into effect.
# cd /opt/SUNWappserver91/domains/domain1/generated/xml/j2ee-modules
# rm -rf idm
Start the Application Server.
# /opt/SUNWappserver91/bin/asadmin start-domain domain1
Watch for any errors in the Application Server server.log file.