Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

Part IV Configuring and Testing the SAML v2 Communications

This fourth part of Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0 contains the procedures used to configure SAML v2 communications, and to test those configurations, between the environments prepared in Part II, Building the Identity Provider Environment and Part III, Building the Service Provider Environment. It contains the following chapters.

Chapter 11 Configuring OpenSSO Enterprise for SAML v2

This deployment consists of a service provider and an identity provider that communicate for purposes of federation using SAML v2. Towards this end, we configure the instance of OpenSSO Enterprise acting as the identity provider and the instance acting as the service provider, each as a hosted provider. Additionally, we configure each hosted instance with the information it needs to communicate with the remote provider, that is, with each other. In this chapter, we configure the instances of OpenSSO Enterprise as SAML v2 providers.

11.1 Configuring OpenSSO Enterprise as the Hosted Identity Provider

This section provides the procedures for configuring OpenSSO Enterprise on the identity provider side as a hosted identity provider using the Common Tasks wizard. Use the following list of procedures as a checklist for completing the task.

  1. To Configure the Hosted Identity Provider

  2. To View the Hosted Identity Provider Metadata in XML Format

Procedure: To Configure the Hosted Identity Provider

Configure the instance of OpenSSO Enterprise deployed in Part II, Building the Identity Provider Environment and situated behind Load Balancer 2, as a hosted identity provider. This procedure creates the idpcot circle of trust.

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click Create Hosted Identity Provider under Create SAML v2 Providers.

    The Create a SAML v2 Identity Provider on this Server page is displayed.

  4. Make the following changes on the Create a SAML v2 Identity Provider on this Server page.

    • Select the No radio button for Do you have metadata for this provider?

    • Under metadata properties, type https://lb2.idp-example.com:1081/opensso as the value for Name.

    • Under metadata properties, select test as the value for Signing Key.

    • Under Circle of Trust properties, type idpcot as the value for the New Circle of Trust.

    • Accept the default values for any remaining properties.

  5. Click Configure.

  6. Select Finish to end the task.

    This instance of OpenSSO Enterprise is now configured as a SAML v2 identity provider.

  7. Click the Federation tab to verify the hosted identity provider configurations.

    • Confirm that idpcot was created under the Circle of Trust table with one entity: https://lb2.idp-example.com:1081/opensso|saml2.

    • Confirm that https://lb2.idp-example.com:1081/opensso|saml2 was created under the Entity Providers table.

Procedure: To View the Hosted Identity Provider Metadata in XML Format

This optional procedure displays, in a browser window, the standard and extended metadata for the hosted identity provider in XML format. The XML can be viewed as displayed or copied into a text file and saved.

Before You Begin

This procedure assumes that you have just completed To Configure the Hosted Identity Provider and are still logged in to the OpenSSO Enterprise console.

  1. Access https://lb2.idp-example.com:1081/opensso/ssoadm.jsp from the web browser.

    ssoadm.jsp is a JavaServer Pages (JSP) version of the ssoadm command line interface. In this procedure it is used to display the hosted identity provider metadata.

  2. Click export-entity.

    The export-entity page is displayed.

  3. Enter the following values for each option and click Submit.

    entityid

    The EntityID is the unique uniform resource identifier (URI) used to identify a particular provider. In this deployment, type https://lb2.idp-example.com:1081/opensso.

    realm

    The OpenSSO Enterprise realm in which the data resides. In this deployment all data resides in the top-level realm, so type /.

    sign

    Leave this unchecked.

    meta-data-file

    Set this flag to export the standard metadata for the provider.

    extended-data-file

    Set this flag to export the extended metadata for the provider.

    spec

    Type saml2.

  4. View the XML-formatted metadata in the browser window.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="https://lb2.idp-example.com:1081/opensso" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </KeyDescriptor>
        <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb2.idp-example.com:1081/opensso/ArtifactResolver/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb2.idp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp" ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lb2.idp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp" ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb2.idp-example.com:1081/opensso/IDPSloSoap/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb2.idp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp" ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lb2.idp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp" ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb2.idp-example.com:1081/opensso/IDPMniSoap/metaAlias/idp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb2.idp-example.com:1081/opensso/SSORedirect/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lb2.idp-example.com:1081/opensso/SSOPOST/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb2.idp-example.com:1081/opensso/SSOSoap/metaAlias/idp"/>
        <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb2.idp-example.com:1081/opensso/NIMSoap/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb2.idp-example.com:1081/opensso/AIDReqSoap/IDPRole/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="https://lb2.idp-example.com:1081/opensso/AIDReqUri/IDPRole/metaAlias/idp"/>
      </IDPSSODescriptor>
    </EntityDescriptor>
    
    Entity descriptor was exported to file, web.
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityConfig entityID="https://lb2.idp-example.com:1081/opensso" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
      <IDPSSOConfig metaAlias="/idp">
        <Attribute name="wantNameIDEncrypted">
          <Value/>
        </Attribute>
        <Attribute name="AuthUrl">
          <Value/>
        </Attribute>
        <Attribute name="nameIDFormatMap">
          <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
          <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
          <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
          <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
          <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
        </Attribute>
        <Attribute name="cotlist">
          <Value>idpcot</Value>
        </Attribute>
        <Attribute name="saeIDPUrl">
          <Value>https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp</Value>
        </Attribute>
        <Attribute name="idpAuthncontextClassrefMapping">
          <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
        </Attribute>
        <Attribute name="appLogoutUrl">
          <Value/>
        </Attribute>
        <Attribute name="idpAccountMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
        </Attribute>
        <Attribute name="autofedEnabled">
          <Value>false</Value>
        </Attribute>
        <Attribute name="signingCertAlias">
          <Value>test</Value>
        </Attribute>
        <Attribute name="assertionCacheEnabled">
          <Value>false</Value>
        </Attribute>
        <Attribute name="idpAuthncontextMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
        </Attribute>
        <Attribute name="assertionEffectiveTime">
          <Value>600</Value>
        </Attribute>
        <Attribute name="wantMNIResponseSigned">
          <Value/>
        </Attribute>
        <Attribute name="wantMNIRequestSigned">
          <Value/>
        </Attribute>
        <Attribute name="attributeMap">
          <Value>EmailAddress=mail</Value>
          <Value>Telephone=telephonenumber</Value>
        </Attribute>
        <Attribute name="discoveryBootstrappingEnabled">
          <Value>false</Value>
        </Attribute>
        <Attribute name="basicAuthUser">
          <Value/>
        </Attribute>
        <Attribute name="idpAttributeMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
        </Attribute>
        <Attribute name="idpECPSessionMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
        </Attribute>
        <Attribute name="basicAuthPassword">
          <Value/>
        </Attribute>
        <Attribute name="basicAuthOn">
          <Value>false</Value>
        </Attribute>
        <Attribute name="wantLogoutResponseSigned">
          <Value/>
        </Attribute>
        <Attribute name="wantLogoutRequestSigned">
          <Value/>
        </Attribute>
        <Attribute name="encryptionCertAlias">
          <Value/>
        </Attribute>
        <Attribute name="wantArtifactResolveSigned">
          <Value/>
        </Attribute>
        <Attribute name="assertionNotBeforeTimeSkew">
          <Value>600</Value>
        </Attribute>
        <Attribute name="autofedAttribute">
          <Value/>
        </Attribute>
        <Attribute name="saeAppSecretList"/>
      </IDPSSOConfig>
    </EntityConfig>
    
    Entity configuration was exported to file, web.

  5. Log out of the OpenSSO Enterprise console.

11.2 Configuring OpenSSO Enterprise as the Hosted Service Provider

This section provides the procedures for configuring OpenSSO Enterprise on the service provider side as a hosted service provider using the Common Tasks wizard. Use the following list of procedures as a checklist for completing the task.

  1. To Configure the Hosted Service Provider

  2. To View the Hosted Service Provider Metadata in XML Format

Procedure: To Configure the Hosted Service Provider

Configure the instance of OpenSSO Enterprise deployed in Part III, Building the Service Provider Environment, situated behind Load Balancer 2 on the service provider side, as a hosted service provider. This procedure creates the spcot circle of trust.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click Create Hosted Service Provider under Create SAML v2 Providers.

    The Create a SAML v2 Service Provider on this Server page is displayed.

  4. Make the following changes on the Create a SAML v2 Service Provider on this Server page.

    • Select the No radio button for Do you have metadata for this provider?

    • Under metadata properties, type https://lb4.sp-example.com:1081/opensso as the value for Name.

    • Under metadata properties, select test as the value for Signing Key.

    • Under Circle of Trust properties, select the Add to New radio button and type spcot as the value for the New Circle of Trust.

    • Accept the default values for any remaining properties.

  5. Click Configure.

    A pop-up screen is displayed that reads:

    Service provider is configured.
    You can modify the provider's profile under the Federation tab.
    
    Do you want to create a remote identity provider?

  6. Click No on the pop-up screen.

    The OpenSSO Enterprise console is displayed and this instance is now configured as a SAML v2 service provider.

Procedure: To View the Hosted Service Provider Metadata in XML Format

This optional procedure displays, in a browser window, the standard and extended metadata for the hosted service provider in XML format. The XML can be viewed as displayed or copied into a text file and saved.

Before You Begin

This procedure assumes that you have just completed To Configure the Hosted Service Provider and are still logged in to the OpenSSO Enterprise console.

  1. Access https://lb4.sp-example.com:1081/opensso/ssoadm.jsp from the web browser.

    ssoadm.jsp is a JavaServer Pages (JSP) version of the ssoadm command line interface. In this procedure it is used to display the hosted service provider metadata.

  2. Click export-entity.

    The export-entity page is displayed.

  3. Enter the following values for each option and click Submit.

    entityid

    The EntityID is the unique uniform resource identifier (URI) used to identify a particular provider. In this deployment, type https://lb4.sp-example.com:1081/opensso.

    realm

    The OpenSSO Enterprise realm in which the data resides. In this deployment all data resides in the top-level realm, so type /.

    sign

    Leave this box unchecked.

    meta-data-file

    Set this flag to export the standard metadata for the provider.

    extended-data-file

    Set this flag to export the extended metadata for the provider.

    spec

    Type saml2.

  4. View the XML-formatted metadata in the browser window.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="https://lb4.sp-example.com:1081/opensso" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb4.sp-example.com:1081/opensso/SPSloRedirect/metaAlias/sp" ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPSloRedirect/metaAlias/sp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lb4.sp-example.com:1081/opensso/SPSloPOST/metaAlias/sp" ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPSloPOST/metaAlias/sp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb4.sp-example.com:1081/opensso/SPSloSoap/metaAlias/sp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb4.sp-example.com:1081/opensso/SPMniRedirect/metaAlias/sp" ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPMniRedirect/metaAlias/sp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lb4.sp-example.com:1081/opensso/SPMniPOST/metaAlias/sp" ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPMniPOST/metaAlias/sp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb4.sp-example.com:1081/opensso/SPMniSoap/metaAlias/sp" ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPMniSoap/metaAlias/sp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://lb4.sp-example.com:1081/opensso/Consumer/metaAlias/sp"/>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lb4.sp-example.com:1081/opensso/Consumer/metaAlias/sp"/>
        <AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://lb4.sp-example.com:1081/opensso/Consumer/ECP/metaAlias/sp"/>
      </SPSSODescriptor>
      <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </KeyDescriptor>
        <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb4.sp-example.com:1081/opensso/ArtifactResolver/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb4.sp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp" ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lb4.sp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp" ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb4.sp-example.com:1081/opensso/IDPSloSoap/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb4.sp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp" ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lb4.sp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp" ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb4.sp-example.com:1081/opensso/IDPMniSoap/metaAlias/idp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://lb4.sp-example.com:1081/opensso/SSORedirect/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lb4.sp-example.com:1081/opensso/SSOPOST/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb4.sp-example.com:1081/opensso/SSOSoap/metaAlias/idp"/>
        <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb4.sp-example.com:1081/opensso/NIMSoap/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://lb4.sp-example.com:1081/opensso/AIDReqSoap/IDPRole/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="https://lb4.sp-example.com:1081/opensso/AIDReqUri/IDPRole/metaAlias/idp"/>
      </IDPSSODescriptor>
    </EntityDescriptor>
    
    Entity descriptor was exported to file, web.
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityConfig entityID="https://lb4.sp-example.com:1081/opensso" hosted="true" 
     xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        <SPSSOConfig metaAlias="/sp">
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="idpProxyList"/>
            <Attribute name="spAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
            </Attribute>
            <Attribute name="enableIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPListGetComplete">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>spcot</Value>
            </Attribute>
            <Attribute name="transientUser">
                <Value>anonymous</Value>
            </Attribute>
            <Attribute name="spAuthncontextComparisonType">
                <Value>exact</Value>
            </Attribute>
            <Attribute name="wantAssertionEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="spAdapter">
                <Value/>
            </Attribute>
            <Attribute name="spAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:
                 PasswordProtectedTransport|0|default</Value>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="saml2AuthModuleName">
                <Value/>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>true</Value>
            </Attribute>
            <Attribute name="localAuthURL">
                <Value/>
            </Attribute>
            <Attribute name="spAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap">
                <Value>EmailAddress=EmailAddress</Value>
                <Value>Telephone=Telephone</Value>
            </Attribute>
            <Attribute name="saeSPUrl">
                <Value>https://lb4.sp-example.com:1081/opensso/spsaehandler/
                 metaAlias/sp</Value>
            </Attribute>
            <Attribute name="responseArtifactMessageEncoding">
                <Value>URI</Value>
            </Attribute>
            <Attribute name="idpProxyCount">
                <Value>0</Value>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="useIntroductionForIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantArtifactResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="intermediateUrl">
                <Value/>
            </Attribute>
            <Attribute name="defaultRelayState">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="wantPOSTResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantAttributeEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="spAdapterEnv"/>
            <Attribute name="saeSPLogoutUrl">
                <Value>https://lb4.sp-example.com:1081/opensso/samples/
                 saml2/sae/saeSPApp.jsp</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPListFinderImpl">
                <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="encryptionCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="spAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="assertionTimeSkew">
                <Value>300</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPList"/>
            <Attribute name="autofedAttribute">
                <Value>mail</Value>
            </Attribute>
            <Attribute name="saeAppSecretList">
                <Value>url=https://lb4.sp-example.com:1081/opensso/samples/saml2/sae/
                 saeSPApp.jsp|type=symmetric|secret=AQICIbz4afzilWzbmo6QD9lQ9
                 U4kEBrMlvZy</Value>
            </Attribute>
        </SPSSOConfig>
        <IDPSSOConfig metaAlias="/idp">
            <Attribute name="description">
                <Value/>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="encryptionCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="autofedAttribute">
                <Value/>
            </Attribute>
            <Attribute name="assertionEffectiveTime">
                <Value>600</Value>
            </Attribute>
            <Attribute name="idpAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="idpAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:
                  PasswordProtectedTransport|0||default</Value>
            </Attribute>
            <Attribute name="idpAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
            </Attribute>
            <Attribute name="idpAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
            </Attribute>
            <Attribute name="assertionIDRequestMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
            </Attribute>
            <Attribute name="nameIDFormatMap">
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:
                 WindowsDomainQualifiedName=</Value>
                <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
            </Attribute>
            <Attribute name="idpECPSessionMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
            </Attribute>
            <Attribute name="attributeMap"/>
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="wantArtifactResolveSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>spcot</Value>
            </Attribute>
            <Attribute name="discoveryBootstrappingEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="assertionCacheEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="assertionNotBeforeTimeSkew">
                <Value>600</Value>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
            <Attribute name="saeIDPUrl">
                <Value>https://lb4.sp-example.com:1081/opensso/idpsaehandler/metaAlias/idp</Value>
            </Attribute>
            <Attribute name="AuthUrl">
                <Value/>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
        </IDPSSOConfig>
    </EntityConfig>
    
    Entity configuration was exported to file, web.
  5. Log out of the OpenSSO Enterprise console.
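
The exported configuration above can be audited mechanically before it is loaded on the other side. The following Python is an added example, not code from the Sun guide or the OpenSSO project; its sample XML is constructed from the attribute names and values shown above (the namespace on EntityConfig is assumed, and the parser ignores namespaces), and the 300-second threshold is the reviewer's own choice, not an OpenSSO default.

```python
"""Audit the security-relevant flags of an OpenSSO SAML v2 extended entity
configuration such as the <EntityConfig>/<IDPSSOConfig> export shown above.

Added example, not code from the Sun guide or the OpenSSO project. The sample
XML is constructed from the attribute names and values shown on the page; the
namespace on <EntityConfig> is assumed and the parser ignores namespaces."""
import xml.etree.ElementTree as ET

# Constructed sample: attribute names/values as exported above, wrapper assumed.
SAMPLE_CONFIG = """<EntityConfig xmlns="urn:example:assumed-entityconfig-ns"
    entityID="https://lb2.idp-example.com:1081/opensso">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="encryptionCertAlias"><Value/></Attribute>
    <Attribute name="basicAuthOn"><Value>false</Value></Attribute>
    <Attribute name="basicAuthUser"><Value/></Attribute>
    <Attribute name="basicAuthPassword"><Value/></Attribute>
    <Attribute name="assertionEffectiveTime"><Value>600</Value></Attribute>
    <Attribute name="nameIDFormatMap">
      <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
      <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
    </Attribute>
    <Attribute name="wantNameIDEncrypted"><Value/></Attribute>
    <Attribute name="wantArtifactResolveSigned"><Value/></Attribute>
    <Attribute name="wantLogoutRequestSigned"><Value/></Attribute>
    <Attribute name="wantLogoutResponseSigned"><Value/></Attribute>
    <Attribute name="wantMNIRequestSigned"><Value/></Attribute>
    <Attribute name="wantMNIResponseSigned"><Value/></Attribute>
    <Attribute name="cotlist"><Value>spcot</Value></Attribute>
    <Attribute name="assertionNotBeforeTimeSkew"><Value>600</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>"""

# "want...Signed" flags: when not "true", the peer's message need not be signed.
SIGNING_FLAGS = (
    "wantArtifactResolveSigned", "wantLogoutRequestSigned",
    "wantLogoutResponseSigned", "wantMNIRequestSigned", "wantMNIResponseSigned",
)


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def load_attributes(xml_text, config_element="IDPSSOConfig"):
    """Return {attribute name: [values]} for every <Attribute> directly under
    the given config element. An empty <Value/> yields ''."""
    attrs = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != config_element:
            continue
        for attr in el:
            if _local(attr.tag) != "Attribute":
                continue
            values = [(v.text or "").strip() for v in attr if _local(v.tag) == "Value"]
            attrs[attr.get("name")] = values
    return attrs


def audit(attrs, max_assertion_seconds=300):
    """Return (attribute, finding) pairs a reviewer would raise before the
    export leaves the lab. max_assertion_seconds is the reviewer's own
    threshold for the validity and NotBefore-skew windows, not an OpenSSO default."""
    def first(name):
        values = attrs.get(name, [])
        return values[0] if values else ""

    findings = []
    for flag in SIGNING_FLAGS:
        if first(flag).lower() != "true":
            findings.append((flag, "empty/false: the peer's message need not be signed"))
    if first("wantNameIDEncrypted").lower() != "true":
        findings.append(("wantNameIDEncrypted", "empty/false: NameID is issued in clear"))
    if first("basicAuthOn").lower() == "true" and not (
            first("basicAuthUser") and first("basicAuthPassword")):
        findings.append(("basicAuthOn", "true, but basicAuthUser/basicAuthPassword are empty"))
    for name in ("assertionEffectiveTime", "assertionNotBeforeTimeSkew"):
        raw = first(name)
        if not raw.isdigit():
            findings.append((name, f"non-numeric value {raw!r}"))
        elif int(raw) > max_assertion_seconds:
            findings.append((name, f"{raw}s exceeds the {max_assertion_seconds}s threshold"))
    if not any(attrs.get("cotlist", [])):
        findings.append(("cotlist", "provider belongs to no circle of trust"))
    return findings


if __name__ == "__main__":
    for attribute, finding in audit(load_attributes(SAMPLE_CONFIG)):
        print(f"{attribute}: {finding}")
```

Point load_attributes at the file written by the export step to audit the real configuration; all the want...Signed flags above are empty, so every one of them is reported.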

11.3 Configuring the Hosted Service Provider to Communicate with the Remote Identity Provider

After configuring the providers, enable the hosted service provider to communicate with the remote identity provider by loading the identity provider metadata into the instance of OpenSSO Enterprise acting as the service provider.

ProcedureTo Import the Remote Identity Provider Metadata into the Hosted Service Provider

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click Register Remote Identity Provider under Create SAML v2 Providers.

    The Create a SAML v2 Remote Identity Provider page is displayed.

  4. Make the following changes on the Create a SAML v2 Remote Identity Provider page.

    • Select the URL radio button for Where does the metadata file reside?

    • Type https://lb2.idp-example.com:1081/opensso/saml2/jsp/exportmetadata.jsp as the value of URL where metadata is located.

    • Under Circle of Trust, select the Add to Existing radio button and select the spcot circle of trust from the drop-down menu.

  5. Click Configure.

  6. Select Finish to end the task.

Chapter 12 Testing the SAML v2 Profiles

Following are the SAML v2 profiles used for testing the SAML v2 configurations.

SAML v2 profiles can be initiated from the service provider side or from the identity provider side of the deployment. The SAML v2 configurations can be tested in two ways; the procedures for both options are in the following sections.

12.1 Using the OpenSSO Enterprise Common Tasks Wizard

This automated test uses the Test Federation Connectivity work flow option under the Common Tasks tab of the OpenSSO Enterprise console.

ProcedureTo Test SAML v2 Using the Common Tasks Wizard

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Under the Common Tasks tab, click Test Federation Connectivity.

    The Validate Federation Setup page is displayed.

  4. Select the radio button next to idpcot, the circle of trust that contains the providers you are testing.

    The providers in idpcot are displayed.

  5. Click Start Test.

    A pop-up is displayed.

  6. Click OK on the pop-up.

    Your administrator session is terminated and the test is run.

  7. When displayed, log in to the OpenSSO Enterprise console on the identity provider side with the following information.

    Username

    idpuser

    Password

    idpuser

    With successful authentication, the OpenSSO Enterprise console on the service provider side is displayed.

  8. Log in to the OpenSSO Enterprise console on the service provider side with the following information.

    Username

    spuser

    Password

    spuser

    With successful authentication, the two accounts are linked. Single logout follows the successful federation.

  9. When displayed to test single sign on, log in to the OpenSSO Enterprise console on the identity provider side with the following information.

    Username

    idpuser

    Password

    idpuser

    Following successful authentication on the identity provider side, the user is logged in to the service provider through a back channel, demonstrating single sign on. Finally, the user profile federation is terminated. Thus, the following has occurred:

    • A user is successfully authenticated with two different providers and the user's separate profiles are federated.

    • The user is logged out of both providers verifying single logout.

    • The user is logged back in to both providers by providing credentials to only one of them verifying single sign on.

    • The federation between the two user profiles is terminated.

  10. Click Cancel to return to the OpenSSO Enterprise console login page.

12.2 Using Specially Constructed URLs

In this section, test SAML v2 communications for the following profiles and bindings using specially constructed URLs.

Tests can be initiated from the identity provider side or the service provider side. The following procedures provide the constructed URLs and procedures for accessing them.

12.2.1 Testing Identity Provider Initiated URLs

The following tests are initiated on the identity provider side to test SAML v2 communications with the service provider.

12.2.1.1 Testing Persistent Federation

Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a user. In this test, a persistent identifier is used to federate the identity provider's user profile with the same user's profile on the service provider side.

ProcedureTo Test Persistent Federation Using the Browser Artifact Profile

  1. Enter the persistent federation URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso.

    The request is directed to OpenSSO Enterprise on the service provider side.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    spuser

    Password:

    spuser

    The login request is redirected to OpenSSO Enterprise on the identity provider side.

  3. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    idpuser

    Password:

    idpuser

    The browser message “Single Sign-On succeeded” is displayed confirming that federation has succeeded.

  4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

ProcedureTo Test Persistent Federation Using the Browser POST Profile

  1. Enter the persistent federation URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=HTTP-POST.

    The request is directed to OpenSSO Enterprise on the service provider side.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    spuser

    Password:

    spuser

    The login request is redirected to OpenSSO Enterprise on the identity provider side.

  3. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    idpuser

    Password:

    idpuser

    The browser message “Single Sign-On succeeded” is displayed confirming that federation has succeeded.

  4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.1.2 Testing Single Logout

Single logout permits session termination of all participants in the session. The logout request can be initiated by any participant in the session.

ProcedureTo Test Single Logout Using Back Channel SOAP Over HTTP

  1. Enter the single logout URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP

    The browser message “IDP initiated single logout succeeded” is displayed.

  2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

ProcedureTo Test Single Logout Using Front Channel HTTP

  1. Enter the single logout URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso

    The message “IDP initiated single logout succeeded” is displayed.

  2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.1.3 Testing Single Sign On

In this test, the user accomplishes single sign on through the back channel.

ProcedureTo Test Single Sign-On Using the Browser Artifact Profile

  1. Enter the single sign on URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso.

    The request is directed to OpenSSO Enterprise on the service provider side.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    spuser

    Password:

    spuser

    The browser message “Single Sign-On succeeded” is displayed.

  3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

ProcedureTo Test Single Sign-On Using the Browser POST Profile

  1. Enter the single sign on URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=HTTP-POST.

    The login request is redirected to Access Manager.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    spuser

    Password:

    spuser

    The browser message “Single Sign-On succeeded” is displayed.

  3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.1.4 Testing Federation Termination

In this test, the federation previously authorized is terminated.

ProcedureTo Test Federation Termination Using Back Channel SOAP Over HTTP

  1. Enter the federation termination URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&requestType=Terminate.

    The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

  2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

ProcedureTo Test Federation Termination Using Front Channel HTTP

  1. Enter the federation termination URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&requestType=Terminate.

    The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

  2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2 Testing Service Provider Initiated URLs

The following tests are initiated on the service provider side to test SAML v2 communications with the identity provider.

12.2.2.1 Testing Persistent Federation

Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a user. In this test, a persistent identifier is used to federate the identity provider's user profile with the same user's profile on the service provider side.

ProcedureTo Test Persistent Federation Using the Browser Artifact Profile

  1. Enter the persistent federation URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.

    The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    idpuser

    Password:

    idpuser

    The request is redirected to OpenSSO Enterprise on the service provider side.

  3. Log in to the OpenSSO Enterprise console as the test user.

    User Name:

    spuser

    Password:

    spuser

    The browser message “Single Sign-On succeeded” is displayed confirming federation has succeeded.

  4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

ProcedureTo Test Persistent Federation Using the Browser POST Profile

  1. Enter the persistent federation URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&binding=HTTP-POST.

    The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    idpuser

    Password:

    idpuser

    The request is redirected to OpenSSO Enterprise on the service provider side.

  3. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    spuser

    Password:

    spuser

    The browser message “Single Sign-On succeeded” is displayed confirming federation has succeeded.

  4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2.2 Testing Single Logout

Single logout permits session termination of all participants in the session. The logout request can be initiated by any participant in the session.

ProcedureTo Test Single Logout Using Back Channel SOAP Over HTTP

  1. Enter the single logout URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&idpEntityID=https://lb2.idp-example.com:1081/opensso.

    The message “SP initiated single logout succeeded” is displayed and both user profile sessions are ended.

  2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

ProcedureTo Test Single Logout Using Front Channel HTTP

  1. Enter the single logout URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.

    The message “SP initiated single logout succeeded” is displayed and both user profile sessions are ended.

  2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2.3 Testing Single Sign On

In this test, the user accomplishes single sign on through the back channel.

ProcedureTo Test Single Sign On Using the Browser Artifact Profile

  1. Enter the single sign on URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.

    The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    idpuser

    Password:

    idpuser

    The browser message “Single Sign-On succeeded” is displayed.

  3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

ProcedureTo Test Single Sign-On Using the Browser POST Profile

  1. Enter the single sign on URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&binding=HTTP-POST.

    The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    idpuser

    Password:

    idpuser

    The message “Single Sign-On succeeded” is displayed.

  3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2.4 Testing Federation Termination

In this test, the federation previously authorized is terminated.

ProcedureTo Terminate Federation Using Back Channel SOAP Over HTTP

  1. Enter the federation termination URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP.

    The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

  2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

ProcedureTo Terminate Federation Using Front Channel HTTP

  1. Enter the federation termination URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&requestType=Terminate.

    The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

  2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

Chapter 13 Testing Secure Attribute Exchange

Secure Attribute Exchange (also referred to as Virtual Federation Proxy) provides a mechanism for one application to communicate identity information to a second application in a different domain. More specifically, it provides a secure gateway that enables legacy applications to communicate authentication attributes without having to deal with federation protocols and processing. Secure Attribute Exchange uses SAML v2 to transfer identity data between the communicating entities. This chapter contains the following sections for setting up and testing Secure Attribute Exchange.


Note –

This chapter assumes you have completed Part II, Building the Identity Provider Environment and Part III, Building the Service Provider Environment; in effect, creating two domains that can communicate using SAML v2. In this test, we use symmetric key encryption (one shared secret is used for both encryption and decryption) between all providers and applications.


13.1 Patching the Secure Attribute Exchange Host Machines

Patch the host machines that will be used to deploy the sample Secure Attribute Exchange JavaServer Pages application (bundled with OpenSSO Enterprise Client SDK). Towards this end, use different web containers from those on which OpenSSO Enterprise is installed. On our lab machines, the required Application Server patch is 117461-08. Results for your machine might be different. Read the latest documentation for your web container to determine if you need to install patches and, if so, what they might be. You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch for the Secure Attribute Exchange identity provider application host machine (sae.idp-example.com) and the Secure Attribute Exchange service provider application host machine (sae.sp-example.com).

ProcedureTo Patch the OpenSSO Enterprise Host Machines

  1. Log in to the sae.idp-example.com host machine as a root user.

  2. Run patchadd to see if the patch is already installed.


    # patchadd -p | grep 117461-08
    

    A series of patch numbers is displayed, and patch 117461-08 is present, so there is no need to install any patches at this time.

  3. Log out of the sae.idp-example.com host machine.

  4. Log in to the sae.sp-example.com host machine as a root user.

  5. Run patchadd to see if the patch is already installed.


    # patchadd -p | grep 117461-08
    

    A series of patch numbers is displayed, and patch 117461-08 is present, so there is no need to install any patches at this time.

  6. Log out of the sae.sp-example.com host machine.

13.2 Installing Application Server on the Secure Attribute Exchange Identity Provider Host Machine

To test Secure Attribute Exchange, we configure and use JavaServer Pages (bundled with the OpenSSO Enterprise Client SDK) to emulate real-world applications. saeIDPApp.jsp represents the identity provider application that invokes a remote service provider application and passes attributes to it. It is installed on the sae.idp-example.com host machine. The following procedures install and configure one instance of Application Server as the web container for the identity provider application.

ProcedureTo Install Application Server on the Secure Attribute Exchange Identity Provider Host Machine

Before You Begin

This procedure assumes you have completed 13.1 Patching the Secure Attribute Exchange Host Machines.

  1. Log in to the sae.idp-example.com host machine as a root user.

  2. Create a directory into which the Application Server bits can be downloaded and change into it.


    # mkdir /export/AS91
    # cd /export/AS91
    
  3. Download the Sun Java System Application Server 9.1 Update 1 binary from the Sun Microsystems Product Download page to the /export/AS91 directory.

  4. Grant the downloaded binary execute permission using the chmod command.


    # chmod +x sjsas-9_1_01-solaris-sparc.bin
    
  5. Install the software.


    # ./sjsas-9_1_01-solaris-sparc.bin -console
    
  6. When prompted, provide the following information.


    You are running the installation program 
    for the Sun Java System Application Server. This 
    program asks you to supply configuration preference
    settings that it uses to install the server.
    
    This installation program consists of one or 
    more selections that provide you with information
    and let you enter preferences that determine
    how Sun Java System Application Server is 
    installed and configured. 
    
    When you are presented with the following
    question, the installation process pauses to 
    allow you to read the information that has 
    been presented When you are ready to continue, 
    press Enter.

    Press Enter to continue. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software License 
    Agreement [no] {"<" goes back, "!" exits}?

    Enter yes.


    Installation Directory [/opt/SUNWappserver]
    {"<" goes back, "!" exits}

    Enter /opt/SUNWappserver91


    The specified directory "/opt/SUNWappserver91"
    does not exist. Do you want to create it now or 
    choose another directory?
    
    1. Create Directory
    2. Choose New.
    
    Enter the number corresponding to your choice [1] 
    {"<" goes back, "!" exits}

    Enter 1 to create the directory.


    The Sun Java System Application Server
    requires a Java 2 SDK. Please provide the path to
    a Java 2 SDK 5.0 or greater. [/usr/jdk/instances/jdk1.5.0] 
    {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Supply the admin user's password and override
    any of the other initial configuration settings as 
    necessary.
    
    Admin User [admin] {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Admin User's Password (8 chars minimum):
    Re-enter Password:

    Enter domain1pwd and then re-enter domain1pwd.


    Do you want to store admin user name and 
    password in .asadminpass file in user's home
    directory [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    Admin Port [4848] {"<" goes back, "!" exits}
    HTTP Port [8080] {"<" goes back, "!" exits}
    HTTPS Port [8181] {"<" goes back, "!" exits}

    Press Enter to accept the three default values. 


    Do you want to enable Updatecenter client 
    [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    Do you want to upgrade from previous 
    Application Server version [no] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    The following items for the product Sun Java 
    System Application Server will be installed:
    
    Product: Sun Java System Application Server
    Location: /opt/SUNWappserver91
    Space Required: 161.61 MB
    -------------------------------------------
    Sun Java System message Queue 4.1
    Application Server
    Startup
    
    Ready To Install
    
    1. Install Now
    2. Start Over
    3. Exit Installation
    
    What would you like to do [1] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value and begin the installation process. 


    - Installing Sun Java System Application 
    Server
    
    |-1%-----25%-----50%-----75%-----100%|
    
     - Installation Successful.

    When installation is complete, an Installation Successful message is displayed:


    Next Steps:
    
    1. Access the About Application Server 9.1 welcome 
    page at:
     file:///opt/SUNWappserver91/docs/about.html
    
    2. Start the Application Server by executing:
      /opt/SUNWappserver91/bin/asadmin 
      start-domain domain1
    
    3. Start the Admin Console:
      http://sae.idp-example.com:4848
    
    Please press Enter/Return key to exit the 
    installation program. {"!" exits}

    Press Enter to exit the installation program. 

  7. Log out of the sae.idp-example.com host machine.

ProcedureTo Secure Communications from the Identity Provider Host Machine

Create a request for a server certificate and import the certificate authority (CA) root certificate and server certificate to the keystore. This will secure communications initiated by the identity provider application.

Before You Begin

Back up domain.xml before modifying it.

  1. Log in to the sae.idp-example.com host machine as a root user.

  2. Generate a private/public key pair and reference it with the alias, sae-idp.

    The sae-idp alias is used in a later step to retrieve the public key, which is contained in a self-signed certificate.


    # cd /opt/SUNWappserver91/domains/domain1/config
    # keytool -genkey -noprompt -keyalg rsa -keypass changeit \
    -alias sae-idp -keystore keystore.jks -dname "CN=sae.idp-example.com, \
    OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" \
    -storepass changeit
    
  3. Verify that the key pair was successfully created and stored in the certificate store using the following command.


    # keytool -list -v -keystore keystore.jks -storepass changeit
    

    The output of this command lists a key entry with the alias sae-idp.


    Note –

    The output of this command may list more than one certificate based on the entries in the keystore.


  4. Generate a server certificate request.


    # keytool -certreq -alias sae-idp -keypass changeit \
    -keystore keystore.jks -storepass changeit -file sae-idp.csr
    

    sae-idp.csr is the server certificate request.

  5. (Optional) Verify that sae-idp.csr was created.


    # ls -la sae-idp.csr
    
     -rw-r--r--   1 osso80adm staff        715 Apr  4 15:04 sae-idp.csr
  6. Send sae-idp.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named sae-idp.cer.

  7. Import ca.cer, the CA root certificate, into the certificate store.

    With Application Server, the root certificate must be imported into two keystores: keystore.jks and cacerts.jks.


    # keytool -import -trustcacerts -alias OpenSSLTestCA \
    -file ca.cer -keystore keystore.jks -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
      MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
      SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
    
    Trust this certificate? [no]: Yes
    
    Certificate was added to keystore

    # keytool -import -trustcacerts -alias OpenSSLTestCA \
    -file ca.cer -keystore cacerts.jks -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
      MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
      SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
    
    Trust this certificate? [no]: Yes
    
    Certificate was added to keystore
  8. Replace the self-signed public key certificate (associated with the s1as alias) with the server certificate received from the CA.


    # keytool -import -file sae-idp.cer -alias sae-idp \
    -keystore keystore.jks -storepass changeit
    
    Certificate reply was installed in keystore
  9. (Optional) Verify that the self-signed public key certificate has been overwritten by the server certificate received from the CA.


    # keytool -list -alias sae-idp -v -keystore keystore.jks \
    -storepass changeit
    
    The certificate indicated by the alias "sae-idp" is signed by CA.
  10. Change the certificate alias from the default s1as to the new sae-idp in the domain.xml file for the domain1 domain.

    The Application Server configuration file is domain.xml.

    <http-listener acceptor-threads="1" address="0.0.0.0" 
    blocking-enabled="false" default-virtual-server="server" enabled="true" 
    family="inet" id="http-listener-2" port="1081" security-enabled="true" 
    server-name="" xpowered-by="true">
    <ssl cert-nickname="sae-idp" client-auth-enabled="false" ssl2-enabled="false"
    ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
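
Steps 9 and 10 are verified by eye. The following Python is an added example, not code from the Sun guide, that performs the same check over `keytool -list -v` output and the `<ssl cert-nickname>` of each SSL-enabled listener in domain.xml. The keytool listing and the domain.xml fragment are constructed: the CA subject is the one shown above, the remaining serial numbers are placeholders, and the self-signed s1as entry stands for the default certificate Application Server ships with.

```python
"""Verify that an SSL-enabled Application Server listener presents a CA-signed
certificate, from `keytool -list -v` output and the domain.xml listener.

Added example, not code from the Sun guide. KEYTOOL_OUTPUT and DOMAIN_XML are
constructed: the CA subject is the one shown on the page, other values are
placeholders."""
import xml.etree.ElementTree as ET

CA_DN = ("EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, "
         "O=sun, L=santa clara, ST=california, C=us")
SERVER_DN = ("CN=sae.idp-example.com, OU=OpenSSO, O=Sun Microsystems, "
             "L=Santa Clara, ST=California, C=US")
DEFAULT_DN = "CN=sae.idp-example.com, OU=Sun Java System Application Server, C=US"

# Constructed listing in the layout keytool -list -v prints: one block per
# "Alias name:", with an Owner/Issuer pair for each certificate in the chain.
KEYTOOL_OUTPUT = f"""Alias name: sae-idp
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: {SERVER_DN}
Issuer: {CA_DN}
Serial number: 1
Certificate[2]:
Owner: {CA_DN}
Issuer: {CA_DN}
Serial number: f59cd13935f5f498
*******************************************
Alias name: openssltestca
Entry type: trustedCertEntry
Owner: {CA_DN}
Issuer: {CA_DN}
*******************************************
Alias name: s1as
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: {DEFAULT_DN}
Issuer: {DEFAULT_DN}
"""

# Constructed domain.xml fragment mirroring the listener shown in step 10.
DOMAIN_XML = """<domain><http-service>
  <http-listener id="http-listener-1" port="8080" security-enabled="false"/>
  <http-listener id="http-listener-2" port="1081" security-enabled="true">
    <ssl cert-nickname="sae-idp" client-auth-enabled="false"
         ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"/>
  </http-listener>
</http-service></domain>"""


def parse_keytool_list(text):
    """Return {alias: {"type": entry type, "chain": [(owner, issuer), ...]}}.
    Aliases are lower-cased because keytool treats them case-insensitively."""
    entries, current, owner = {}, None, None
    for line in text.splitlines():
        label, _, value = line.strip().partition(":")
        value = value.strip()
        if label == "Alias name":
            current = entries[value.lower()] = {"type": "", "chain": []}
        elif current is None:
            continue
        elif label == "Entry type":
            current["type"] = value
        elif label == "Owner":
            owner = value
        elif label == "Issuer" and owner is not None:
            current["chain"].append((owner, value))
            owner = None
    return entries


def listener_cert_nicknames(domain_xml):
    """Map each security-enabled http-listener id to its ssl cert-nickname."""
    nicknames = {}
    for listener in ET.fromstring(domain_xml).iter("http-listener"):
        ssl = listener.find("ssl")
        if listener.get("security-enabled") == "true" and ssl is not None:
            nicknames[listener.get("id")] = ssl.get("cert-nickname")
    return nicknames


def check_listener_cert(entries, nickname):
    """Classify what the listener will present: missing, not-a-private-key,
    self-signed, ca-signed (issuer is a trusted entry or the next certificate
    in the stored chain) or issuer-untrusted."""
    entry = entries.get(nickname.lower())
    if entry is None:
        return "missing"
    if entry["type"] != "PrivateKeyEntry" or not entry["chain"]:
        return "not-a-private-key"
    owner, issuer = entry["chain"][0]
    if owner == issuer:
        return "self-signed"
    trusted = {e["chain"][0][0] for e in entries.values()
               if e["type"] == "trustedCertEntry" and e["chain"]}
    chain_owners = {o for o, _ in entry["chain"][1:]}
    return "ca-signed" if issuer in trusted or issuer in chain_owners else "issuer-untrusted"


if __name__ == "__main__":
    entries = parse_keytool_list(KEYTOOL_OUTPUT)
    for listener_id, nickname in listener_cert_nicknames(DOMAIN_XML).items():
        print(listener_id, nickname, check_listener_cert(entries, nickname))
```

Feed it the real `keytool -list -v -keystore keystore.jks` output and domain.xml; a listener still pointing at s1as, or a sae-idp alias whose reply certificate was never imported, shows up as self-signed.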

ProcedureTo Modify the Identity Provider Web Container domain.xml Configuration File

Modify the following Java Virtual Machine (JVM) options in the Application Server configuration file, domain.xml to prepare for the installation of the Client SDK.

Before You Begin
  1. Change to the config directory.


    # cd /opt/SUNWappserver91/domains/domain1/config
    
  2. Open domain.xml in a text editor and make the following changes:

    • Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.

    • Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.

  3. Save the file and close it.

  4. Restart the domain1 domain.


    # cd /opt/SUNWappserver91/bin
    # ./asadmin stop-domain
    
    Server was successfully stopped.
    
    # ./asadmin start-domain
    
    Redirecting output to /opt/SUNWappserver91/domains/domain1/logs/server.log
  5. Verify that the certificate used for SSL communication was issued by the root CA.

    1. Access https://sae.idp-example.com/index.html from a web browser.

    2. View the details of the certificate in the security warning to ensure that it is Issued by “OpenSSLTestCA”.

      After inspecting and accepting the certificate, you should see the default index.html page.

    3. Close the browser.

Procedure: To Deploy the Client SDK on the Identity Provider Host Machine

When you deploy the Client SDK, you also deploy saeIDPApp.jsp.

Before You Begin

This procedure assumes you are still logged in as the root user to the sae-idp host machine.

  1. Get the Client SDK WAR using the following subprocedure.

    1. Log in to the osso1.idp-example.com host machine.

    2. Change to the /export/OSSO_BITS/opensso/samples/war directory.

    3. Copy opensso-client-jdk15.war to the /export/OSSO_BITS/opensso/samples/war directory on the sae.idp-example.com host machine.

    4. Log out of the osso1.idp-example.com host machine.

  2. Access http://sae.idp-example.com:4848/login.jsf from a web browser.

    User Name:

    admin

    Password:

    domain1pwd

  3. Click Web Applications in the left frame of Application Server.

  4. Click Deploy.

    The Deploy Enterprise Applications/Modules page is displayed.

  5. Click the radio button next to Packaged file to be uploaded to the server and browse for the opensso-client-jdk15.war WAR in the /export/OSSO_BITS/opensso/samples/war directory.

  6. Enter opensso-client as the Application Name.

  7. Click OK to deploy the Client SDK.

  8. (Optional) List the contents of the j2ee-modules directory to verify that the WAR was successfully deployed.

    1. Change to the /opt/SUNWappserver91/domains/domain1/applications/j2ee-modules directory.

    2. List the contents of the directory.


      # ls -al
      
      total 6
      drwxr-xr-x 3 root staff 512 Aug 15 14:01 .
      drwxr-xr-x 6 root staff 512 Aug 15 14:55 ..
      drwxr-xr-x 21 root staff 1024 Aug 15 14:01 opensso-client
  9. Log out of the sae.idp-example.com host machine.

Next Steps

Add the IP address and host machine names to the /etc/hosts file on both the sae.idp-example.com and the sae.sp-example.com host machines as well as the host machine on which the browser is located.

13.3 Installing Application Server on the Secure Attribute Exchange Service Provider Host Machine

To test a Secure Attribute Exchange, we configure and use JavaServer Pages (bundled with the OpenSSO Enterprise Client SDK) to emulate real-world applications. saeSPApp.jsp represents the service provider application that receives the attributes from the identity provider; it is installed on the sae.sp-example.com host machine. The following procedures install and configure one instance of Application Server as the web container for the service provider application.

Procedure: To Install Application Server on the Secure Attribute Exchange Service Provider Host Machine

Before You Begin

This procedure assumes you have completed 13.1 Patching the Secure Attribute Exchange Host Machines.

  1. Log in to the sae.sp-example.com host machine as a root user.

  2. Create a directory into which the Application Server bits can be downloaded and change into it.


    # mkdir /export/AS91
    # cd /export/AS91
    
  3. Download the Sun Java System Application Server 9.1 Update 1 binary from the Sun Microsystems Product Download page to the /export/AS91 directory.

  4. Grant the downloaded binary execute permission using the chmod command.


    # chmod +x sjsas-9_1_01-solaris-sparc.bin
    
  5. Install the software.


    # ./sjsas-9_1_01-solaris-sparc.bin -console
    
  6. When prompted, provide the following information.


    You are running the installation program 
    for the Sun Java System Application Server. This 
    program asks you to supply configuration preference
    settings that it uses to install the server.
    
    This installation program consists of one or 
    more selections that provide you with information
    and let you enter preferences that determine
    how Sun Java System Application Server is 
    installed and configured. 
    
    When you are presented with the following
    question, the installation process pauses to 
    allow you to read the information that has 
    been presented When you are ready to continue, 
    press Enter.

    Press Enter to continue. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software License 
    Agreement [no] {"<" goes back, "!" exits}?

    Enter yes.


    Installation Directory [/opt/SUNWappserver]
    {"<" goes back, "!" exits}

    Enter /opt/SUNWappserver91


    The specified directory "/opt/SUNWappserver91"
    does not exist. Do you want to create it now or 
    choose another directory?
    
    1. Create Directory
    2. Choose New.
    
    Enter the number corresponding to your choice [1] 
    {"<" goes back, "!" exits}

    Enter 1 to create the directory.


    The Sun Java System Application Server
    requires a Java 2 SDK. Please provide the path to
    a Java 2 SDK 5.0 or greater. [/usr/jdk/instances/jdk1.5.0] 
    {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Supply the admin user's password and override
    any of the other initial configuration settings as 
    necessary.
    
    Admin User [admin] {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Admin User's Password (8 chars minimum):
    Re-enter Password:

    Enter domain1pwd and then re-enter domain1pwd.


    Do you want to store admin user name and 
    password in .asadminpass file in user's home
    directory [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    Admin Port [4848] {"<" goes back, "!" exits}
    HTTP Port [8080] {"<" goes back, "!" exits}
    HTTPS Port [8181] {"<" goes back, "!" exits}

    Press Enter to accept the three default values. 


    Do you want to enable Updatecenter client 
    [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    Do you want to upgrade from previous 
    Application Server version [no] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    The following items for the product Sun Java 
    System Application Server will be installed:
    
    Product: Sun Java System Application Server
    Location: /opt/SUNWappserver91
    Space Required: 161.61 MB
    -------------------------------------------
    Sun Java System message Queue 4.1
    Application Server
    Startup
    
    Ready To Install
    
    1. Install Now
    2. Start Over
    3. Exit Installation
    
    What would you like to do [1] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value and begin the installation process. 


    - Installing Sun Java System Application 
    Server
    
    |-1%-----25%-----50%-----75%-----100%|
    
     - Installation Successful.

    When installation is complete, an Installation Successful message is displayed:


    Next Steps:
    
    1. Access the About Application Server 9.1 welcome 
    page at:
     file:///opt/SUNWappserver91/docs/about.html
    
    2. Start the Application Server by executing:
      /opt/SUNWappserver91/bin/asadmin 
      start-domain domain1
    
    3. Start the Admin Console:
      http://sae.sp-example.com:4848
    
    Please press Enter/Return key to exit the 
    installation program. {"!" exits}

    Press Enter to exit the installation program. 

  7. Log out of the sae.sp-example.com host machine.

Procedure: To Secure Communications from the Service Provider Application

Create a request for a server certificate and import the certificate authority (CA) root certificate and server certificate to the keystore. This will secure communications initiated by the service provider application.

Before You Begin

Back up domain.xml before modifying it.

  1. Log in to the sae.sp-example.com host machine as a root user.

  2. Generate a private/public key pair and reference it with the alias, sae-sp.

    sae-sp will be used in a later step to retrieve the public key which is contained in a self-signed certificate.


    # cd /opt/SUNWappserver91/domains/domain1/config
    # keytool -genkey -noprompt -keyalg rsa -keypass changeit 
    -alias sae-sp -keystore keystore.jks -dname "CN=sae.sp-example.com, 
    OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" 
    -storepass changeit
    
  3. Verify that the key pair was successfully created and stored in the certificate store using the following command.


    # keytool -list -v -keystore keystore.jks -storepass changeit
    

    The output of this command lists a key entry with the alias sae-sp.


    Note –

    The output of this command may list more than one certificate based on the entries in the keystore.


  4. Generate a server certificate request.


    # keytool -certreq -alias sae-sp -keypass changeit 
    -keystore keystore.jks -storepass changeit -file sae-sp.csr
    

    sae-sp.csr is the server certificate request.

  5. (Optional) Verify that sae-sp.csr was created.


    # ls -la sae-sp.csr
    
     -rw-r--r--   1 osso80adm staff        715 Apr  4 15:04 sae-sp.csr
  6. Send sae-sp.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named sae-sp.cer.

  7. Import ca.cer, the CA root certificate, into the certificate store.

    The root certificate must be imported into both keystores that ship with Application Server (keystore.jks and cacerts.jks).


    # keytool -import -trustcacerts -alias OpenSSLTestCA 
    -file ca.cer -keystore keystore.jks -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
      MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
      SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
    
    Trust this certificate? [no]: Yes
    
    Certificate was added to keystore

    # keytool -import -trustcacerts -alias OpenSSLTestCA 
    -file ca.cer -keystore cacerts.jks -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
      MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
      SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
    
    Trust this certificate? [no]: Yes
    
    Certificate was added to keystore
  8. Replace the self-signed public key certificate (associated with the s1as alias) with the server certificate received from the CA.


    # keytool -import -file sae-sp.cer -alias sae-sp 
    -keystore keystore.jks -storepass changeit
    
    Certificate reply was installed in keystore
  9. (Optional) Verify that the self-signed public key certificate has been overwritten by the server certificate received from the CA.


    # keytool -list -alias sae-sp -v -keystore keystore.jks 
    -storepass changeit
    
    The certificate indicated by the alias "sae-sp" is signed by the CA.
  10. Change the certificate alias from the default s1as to the new sae-sp in the domain.xml file for the domain1 domain.

    The Application Server configuration file is domain.xml.

    <http-listener acceptor-threads="1" address="0.0.0.0" 
    blocking-enabled="false" default-virtual-server="server" enabled="true" 
    family="inet" id="http-listener-2" port="1081" security-enabled="true" 
    server-name="" xpowered-by="true">
    <ssl cert-nickname="sae-sp" client-auth-enabled="false" ssl2-enabled="false"
    ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>

Procedure: To Modify the Service Provider Web Container domain.xml Configuration File

Modify the following Java Virtual Machine (JVM) options in the Application Server configuration file, domain.xml, to prepare for the installation of the Client SDK.

Before You Begin
  1. Change to the config directory.


    # cd /opt/SUNWappserver91/domains/domain1/config
    
  2. Open domain.xml in a text editor and make the following changes:

    • Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.

    • Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.

  3. Save the file and close it.

  4. Restart the domain1 domain.


    # cd /opt/SUNWappserver91/bin
    # ./asadmin stop-domain
    
    Server was successfully stopped.
    
    # ./asadmin start-domain
    
    Redirecting output to /opt/SUNWappserver91/domains/domain1/logs/server.log
  5. Verify that the certificate used for SSL communication was issued by the root CA.

    1. Access https://sae.sp-example.com/index.html from a web browser.

    2. View the details of the certificate in the security warning to ensure that it is Issued by “OpenSSLTestCA”.

      After inspecting and accepting the certificate, you should see the default index.html page.

    3. Close the browser.
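
Step 10 of the preceding procedure (the cert-nickname on the secure http-listener) and step 2 of this one (the -server and -Xmx1024m JVM options) are both edits to domain.xml that are easy to get wrong and only show up at restart. The following Python script is an added example, not part of this deployment guide or of Application Server: it audits a constructed domain.xml fragment shaped like the snippets above against the expected alias and JVM options, and can rewrite the fragment the way the procedures describe. The sample fragment and the names audit_domain_xml and apply_fixes are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed domain.xml in the shape of the snippets above,
# still carrying the defaults the two procedures tell you to change.
SAMPLE_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <http-service>
        <http-listener id="http-listener-1" port="8080"
                       security-enabled="false" enabled="true"/>
        <http-listener id="http-listener-2" port="1081"
                       security-enabled="true" enabled="true">
          <ssl cert-nickname="s1as" client-auth-enabled="false"
               ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
               tls-rollback-enabled="true"/>
        </http-listener>
      </http-service>
      <java-config>
        <jvm-options>-client</jvm-options>
        <jvm-options>-Xmx512m</jvm-options>
        <jvm-options>-Djava.net.preferIPv4Stack=true</jvm-options>
      </java-config>
    </config>
  </configs>
</domain>
"""

# Old JVM option -> replacement, as given in step 2 of the procedure.
JVM_REPLACEMENTS = {"-client": "-server", "-Xmx512m": "-Xmx1024m"}


def audit_domain_xml(xml_text, expected_nickname):
    """Return a list of findings; an empty list means the file matches the procedure."""
    root = ET.fromstring(xml_text)
    findings = []
    secure = [lst for lst in root.iter("http-listener")
              if lst.get("security-enabled") == "true"]
    if not secure:
        findings.append('no http-listener has security-enabled="true"')
    for listener in secure:
        lid = listener.get("id")
        ssl = listener.find("ssl")
        if ssl is None:
            findings.append(f"{lid}: secure listener has no <ssl> element")
            continue
        nick = ssl.get("cert-nickname")
        if nick != expected_nickname:
            findings.append(f"{lid}: cert-nickname is {nick!r}, expected {expected_nickname!r}")
        if ssl.get("ssl2-enabled") != "false":
            findings.append(f'{lid}: ssl2-enabled should be "false"')
    # Every <jvm-options> element holds one option; check for the old and new values.
    options = [o.text.strip() for o in root.iter("jvm-options") if o.text]
    for old, new in JVM_REPLACEMENTS.items():
        if old in options:
            findings.append(f"jvm-options: {old} still present, replace with {new}")
        elif new not in options:
            findings.append(f"jvm-options: {new} missing")
    return findings


def apply_fixes(xml_text, nickname):
    """Return the XML with the alias and JVM options changed as the procedures describe."""
    root = ET.fromstring(xml_text)
    for listener in root.iter("http-listener"):
        if listener.get("security-enabled") == "true":
            ssl = listener.find("ssl")
            if ssl is not None:
                ssl.set("cert-nickname", nickname)
    for opt in root.iter("jvm-options"):
        text = (opt.text or "").strip()
        if text in JVM_REPLACEMENTS:
            opt.text = JVM_REPLACEMENTS[text]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_domain_xml(SAMPLE_DOMAIN_XML, "sae-sp"):
        print("FINDING:", finding)
    fixed = apply_fixes(SAMPLE_DOMAIN_XML, "sae-sp")
    print("after fix:", audit_domain_xml(fixed, "sae-sp") or "clean")
```

Run the audit against a copy of the real domain.xml (the backup the procedure asks for is a good input) with "sae-idp" or "sae-sp" as the expected alias. ElementTree drops the DOCTYPE and comments when it serialises, so treat apply_fixes as a preview of the edits and make them by hand in the real file.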

Procedure: To Deploy the Client SDK on the Service Provider Host Machine

When you deploy the Client SDK, you also deploy saeSPApp.jsp.

Before You Begin

This procedure assumes you are still logged in as the root user to the sae-sp host machine.

  1. Get the Client SDK WAR using the following subprocedure.

    1. Log in to the osso1.sp-example.com host machine.

    2. Change to the /export/OSSO_BITS/opensso/samples/war directory.

    3. Copy opensso-client-jdk15.war to the /export/OSSO_BITS/opensso/samples/war directory on the sae.sp-example.com host machine.

    4. Log out of the osso1.sp-example.com host machine.

  2. Access http://sae.sp-example.com:4848/login.jsf from a web browser.

    User Name:

    admin

    Password:

    domain1pwd

  3. Click Web Applications in the left frame of Application Server.

  4. Click Deploy.

    The Deploy Enterprise Applications/Modules page is displayed.

  5. Click the radio button next to Packaged file to be uploaded to the server and browse for the opensso-client-jdk15.war WAR in the /export/OSSO_BITS/opensso/samples/war directory.

  6. Enter opensso-client as the Application Name.

  7. Click OK to deploy the Client SDK.

  8. (Optional) List the contents of the j2ee-modules directory to verify that the WAR was successfully deployed.

    1. Change to the /opt/SUNWappserver91/domains/domain1/applications/j2ee-modules directory.

    2. List the contents of the directory.


      # ls -al
      
      total 6
      drwxr-xr-x 3 root staff 512 Aug 15 14:01 .
      drwxr-xr-x 6 root staff 512 Aug 15 14:55 ..
      drwxr-xr-x 21 root staff 1024 Aug 15 14:01 opensso-client
  9. Log out of the sae.sp-example.com host machine.

Next Steps

Add the IP address and host machine names to the /etc/hosts file on both the sae.idp-example.com and the sae.sp-example.com host machines as well as the host machine on which the browser is located.

13.4 Establishing Trust Between Communicating Entities

The following procedures will establish trust relationships between the communicating entities (in this case, the included JSP).

Procedure: To Establish Trust Between OpenSSO Enterprise and the Application on the Identity Provider Side

Set up a trust relationship between saeIDPApp.jsp, the identity provider application, and OpenSSO Enterprise on the identity provider side.

Before You Begin

Choose a shared secret for use between the identity provider application and the instance of OpenSSO Enterprise on the identity provider side; in this procedure, secret12.

  1. Make the following modifications to saeIDPApp.jsp and save the file.

    saeIDPApp.jsp is found in the OpenSSO-Deploy-Base/samples/saml2/sae directory.

    • Change the value of saeServiceURL to https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp.

    • Change the value of secret to secret12.


      Note –

      In a real deployment the application would store this shared secret in an encrypted file.


    • Change the value of spapp to https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp.

  2. Log in to the OpenSSO Enterprise console at https://lb2.idp-example.com:1081/opensso as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Access https://lb2.idp-example.com:1081/opensso/encode.jsp in a different browser window.

    This JSP encodes the shared secret.

  4. Enter secret12 in the text field and click Encode.

    A string representing the identity provider's encoded password is displayed.

  5. Save the string for later use and close the browser window.

    In this case, AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2.

  6. From the OpenSSO Enterprise console, click the Federation tab.

  7. Under Entity Providers, click https://lb2.idp-example.com:1081/opensso, the hosted identity provider.

  8. Click the Advanced tab.

  9. Under SAE Configuration, type the following in the New Value text box of the Per Application Security Configuration property and click Add.

    url=https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp|type=symmetric|secret=AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2
  10. Click Save to save the profile.

  11. Click the Assertion Processing tab.

  12. Click the Attribute Mapper link.

  13. Under the Attribute Map property, type the following New Values and click Add.

    • mail=mail

    • branch=branch

    These attributes will be sent as part of the SAML v2 assertion.

  14. Click Save to save the profile.

  15. Click Back to return to the Federation tab.

  16. Under Entity Providers, click https://lb4.sp-example.com:1081/opensso, the remote service provider.

  17. Click the Advanced tab.

  18. Under SAE Configuration, enter https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp in the SP URL field.

  19. Under SAE Configuration again, enter https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp in the SP Logout URL field.

  20. Click Save to save the profile.

  21. Click Back to return to the Federation tab.

  22. Click the Access Control tab.

  23. Under the Access Control tab, click / (Top Level Realm).

  24. Click the Authentication tab.

  25. Under General, click Advanced Properties.

    The Core profile page is displayed.

  26. Under User Profile, select the Ignored radio button and click Save.


    Note –

    This modification is specific to this deployment example only.


  27. Click Save to save the profile.

  28. Click Back to Authentication.

  29. Log out of the OpenSSO Enterprise console.

Procedure: To Establish Trust Between OpenSSO Enterprise and the Application on the Service Provider Side

Set up a trust relationship between OpenSSO Enterprise on the service provider side and saeSPApp.jsp, the service provider application.

Before You Begin

Choose a shared secret for use between the service provider application and the instance of OpenSSO Enterprise on the service provider side; in this procedure, secret12.

  1. Log in to the OpenSSO Enterprise console at https://lb4.sp-example.com:1081/opensso as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  2. Access https://lb4.sp-example.com:1081/opensso/encode.jsp in a different browser window.

    This JSP encodes the shared secret.

  3. Enter secret12 and click Encode.

    A string representing the identity provider's encoded password is displayed.

  4. Save the string for later use and close the browser window.

    In this case, AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy.

  5. From the OpenSSO Enterprise console, click the Federation tab.

  6. Under Entity Providers, click https://lb4.sp-example.com:1081/opensso, the hosted service provider.

  7. Click the Assertion Processing tab.

  8. Under Attribute Mapper, add the following new values to the Attribute Map property.

    • mail=mail

    • branch=branch

  9. Under Auto-Federation, check the Enabled box.

  10. Also under Auto-Federation, enter mail in the Attribute field.

    The value of the Attribute property is the attribute previously mapped between the identity provider and the service provider allowing Auto-Federation to work.

  11. Click Save.

  12. Click the Advanced tab.

  13. Under SAE Configuration, type https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp as the value for the SP URL.

  14. Type https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp as the value for the SP Logout URL.

  15. Type the following in the New Value field of the Per Application Security Configuration property and click Add.

    url=https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp|type=symmetric|secret=AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy
  16. Click Save to save the profile.

  17. Click Back to return to the Federation tab.

  18. Click the Access Control tab.

  19. Under the Access Control tab, click / (Top Level Realm).

  20. Click the Authentication tab.

  21. Under General, click Advanced Properties.

    The Core profile page is displayed.

  22. Under User Profile, select the Ignored radio button and click Save.


    Note –

    This modification is specific to this deployment example only.


  23. Click Save to save the profile.

  24. Click Back to Authentication.

  25. Log out of the OpenSSO Enterprise console.
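
Both trust procedures register an application by its URL together with a shared secret, and the test in 13.5 sends the attributes listed there with that same URL as the application's identity. The following Python block is an added illustration of that symmetric trust model; it is not OpenSSO Enterprise's SAE implementation or wire format. It parses Per Application Security Configuration entries in the form typed into the console, then shows the application sealing its attributes with an HMAC under the shared secret and the receiving side looking the sender up by sun.idpappurl before checking the tag. The entry strings carry the plain secret where the console holds the encode.jsp output, and the functions parse_entry, build_registry, seal_attributes and verify_attributes are this example's own.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample: a Per Application Security Configuration entry in the
# "url=...|type=...|secret=..." form typed into the console in 13.4. The real
# entry stores the encode.jsp output; here the plain shared secret stands in.
CONSOLE_ENTRIES = [
    "url=https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp"
    "|type=symmetric|secret=secret12",
]

# Constructed sample: the attributes saeIDPApp.jsp sends in the 13.5 test.
TEST_ATTRIBUTES = {
    "branch": "mainbranch",
    "mail": "testuser@foo.com",
    "sun.userid": "testuser",
    "sun.authlevel": "0",
    "sun.spappurl": "https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp",
    "sun.idpappurl": "https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp",
}


def parse_entry(entry):
    """Split one console entry into its url/type/secret fields and validate it."""
    fields = {}
    for part in entry.split("|"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    missing = {"url", "type", "secret"} - fields.keys()
    if missing:
        raise ValueError(f"entry lacks {sorted(missing)}")
    if fields["type"] not in ("symmetric", "asymmetric"):
        raise ValueError(f"unknown type {fields['type']!r}")
    return fields


def build_registry(entries):
    """Map application URL -> {type, secret}; the URL is the lookup key."""
    return {e["url"]: {"type": e["type"], "secret": e["secret"]}
            for e in (parse_entry(x) for x in entries)}


def _canonical(attrs):
    # Sort so both sides hash the same byte string regardless of dict order.
    return urlencode(sorted(attrs.items())).encode()


def seal_attributes(attrs, secret):
    """Application side: add an HMAC-SHA256 tag over the attribute set."""
    tag = hmac.new(secret.encode(), _canonical(attrs), hashlib.sha256).hexdigest()
    return dict(attrs, sig=tag)


def verify_attributes(sealed, registry):
    """Receiving side: identify the sender by sun.idpappurl, then check the tag."""
    sealed = dict(sealed)
    tag = sealed.pop("sig", None)
    cfg = registry.get(sealed.get("sun.idpappurl"))
    if tag is None or cfg is None or cfg["type"] != "symmetric":
        return False  # unknown application, wrong trust type, or no tag at all
    expected = hmac.new(cfg["secret"].encode(), _canonical(sealed),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    registry = build_registry(CONSOLE_ENTRIES)
    sealed = seal_attributes(TEST_ATTRIBUTES, "secret12")
    print("genuine:", verify_attributes(sealed, registry))
    print("tampered:", verify_attributes(dict(sealed, branch="otherbranch"), registry))
```

The lookup by sun.idpappurl is why the test form's "This application's identity" field has to match the url= part of the console entry: a sender whose URL is not registered, or whose secret differs from the registered one, fails verification even though its attributes look well formed.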

13.5 Testing the Secure Attribute Exchange

In this test, saeIDPApp.jsp securely sends user authentication credentials to OpenSSO Enterprise on the identity provider side. The identity provider then uses basic SAML v2 to communicate these attributes to OpenSSO Enterprise on the service provider side. Finally, the service provider securely passes these same attributes to saeSPApp.jsp, the consumer.


Note –

This test for Secure Attribute Exchange does not use the test users created in building the SP and IDP Environment. The values of Userid on local IDP, Authenticated auth level, mail attribute, and branch attribute are hard-coded in saeIDPApp.jsp as the default values for the test. Because we have not created the hard-coded test user on the service provider side, we previously set the User Profile to ignore on the service provider side.


Procedure: To Test the Secure Attribute Exchange Configurations

  1. Access https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp from a web browser.

    The Secure Attributes Exchange IDP APP SAMPLE page is displayed.

  2. Type the following values in the appropriate text field.

    Userid on local IDP

    testuser

    Authenticated auth level

    0

    mail attribute

    testuser@foo.com

    branch attribute

    mainbranch

    SP App URL

    https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp

    SAE URL on IDP end

    https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp

    This application's identity (should match Secret below)

    https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp

    Crypto Type (symmetric | asymmetric)

    Select symmetric from the drop down menu.

    Shared Secret / Private Key alias

    secret12

    Key store path (asymmetric only)

    No value

    Key store password (asymmetric only)

    No value

    Private Key password (asymmetric only)

    No value

  3. Click Generate URL.

    The Secure Attributes Exchange IDP APP SAMPLE is generated and the following links are displayed.


    Click here to invoke the remote SP App via 
    http GET to local IDP : https://sae.sp-example.com:8181/
    opensso/samples/saml2/sae/saeSPApp.jsp : ssourl  
    
    Click here to invoke the remote SP App via 
    http POST to IDP : https://sae.sp-example.com:8181/
    opensso/samples/saml2/sae/saeSPApp.jsp : POST
    
    This URL will invoke global Logout : slourl

    ssourl, POST, and slourl are clickable.

  4. Click ssourl.

    The SAE SP APP SAMPLE page is displayed proving that Secure Attribute Exchange single sign-on has succeeded.


    SAE SP APP SAMPLE
    
    
    Secure Attrs :
    sun.authlevel    0
    sun.spentityid    https://lb4.sp-example.com:1081/opensso
    branch    mainbranch
    sun.idpentityid    https://lb2.idp-example.com:1081/opensso
    mail    testuser@foo.com
  5. Enter https://lb2.idp-example.com:1081/opensso/samples/saml2/sae/saeIDPApp.jsp in the browser to regenerate the Secure Attributes Exchange IDP APP SAMPLE page.

    The Secure Attributes Exchange IDP APP SAMPLE is regenerated and the following links are displayed.


    Click here to invoke the remote SP App via 
    http GET to local IDP : https://sae.sp-example.com:8181/
    opensso/samples/saml2/sae/saeSPApp.jsp : ssourl  
    
    Click here to invoke the remote SP App via 
    http POST to IDP : https://sae.sp-example.com:8181/
    opensso/samples/saml2/sae/saeSPApp.jsp : POST
    
    This URL will invoke global Logout : slourl

    ssourl, POST, and slourl are clickable.

  6. Click slourl.

    The Secure Attributes Exchange IDP APP SAMPLE is displayed.

  7. Type the following values in the appropriate text field.

    Userid on local IDP

    testuser

    Authenticated auth level

    0

    mail attribute

    testuser@foo.com

    branch attribute

    mainbranch

    SP App URL

    https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp

    SAE URL on IDP end

    https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp

    This application's identity (should match Secret below)

    https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp

    Crypto Type (symmetric | asymmetric)

    symmetric

    Shared Secret / Private Key alias

    secret12

    Key store path (asymmetric only)

    No value

    Key store password (asymmetric only)

    No value

    Private Key password (asymmetric only)

    No value

  8. Click Generate URL.

    The Secure Attributes Exchange IDP APP SAMPLE page is displayed.


    Secure Attributes Exchange IDP APP SAMPLE
    
    Setting up the following params:
    branch=mainbranch
    mail=testuser@foo.com
    sun.userid=testuser
    sun.authlevel=0
    sun.spappurl=https://sae.sp-example.com:8181/opensso/
      saml2/sae/saeSPApp.jsp
    sun.idpappurl=https://sae.idp-example.com:8181/opensso/
      saml2/sae/saeIDPApp.jsp
    
    
    Click here to invoke the remote SP App via http GET to local IDP : 
      https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp : ssourl
    
    Click here to invoke the remote SP App via http POST to IDP : 
      https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp
    
    This URL will invoke global Logout : slourl
  9. Click slourl.

    The SAE SP APP SAMPLE page is displayed proving successful logout.


    SAE SP APP SAMPLE
    
    
    Secure Attrs :
    sun.cmd    logout
    sun.returnurl    https://lb4.sp-example.com:1081/opensso/SPSloRedirect/
    metaAlias/sp?SAMLRequest=nZNva9swEMa%2FitHbkliS438iMQTCWErXpvUWxt5
    d7HMqsCVPJ0P27WcnLaSDdlDQq5Oe%2Bz33cFoSdG2v7uzRDv4Jfw9IPghOXWtIna9
    WbHBGWSBNykCHpHylyvW3OyXnXPXOelvZlgXbzYqRrKPDouKQQpOmnIsMRSMhgSgRIuU
    gU55jLEQlWbBHR9qaFRvbjGqiAbeGPBg%2FljjPZjyfyfy7jFSUjOcXCzajNW3An1XP3
    vekwrA9zJI5aWdxXtlOCZ6J0PZoiGxY7srWPmGtHVY%2B7NDDutVAIfUsuLf%2BwTy4d
    ePR%2FQtcXIDFcgpAna25q0g%2BTgSI0E0eWXHlUc7xBF3fXrlsoFuGV4QX3P3Ycbv5B
    C6YlI8DtLrR00z%2FpbOg3L2veS9VFnyxrgP%2Fsa2poutZc36qvANDGo1nhfwqbv78u
    O334tGI26MRxzAWu%2F3NDp5%2FvsRxSeASR69KpGlPtqbG0yf2siC5iMe9SzMeJynK
    KhVCZsAhr6s6y2OIDg1WUSq4uODfEovX4psPUvwF&RelayState=s212b785d4bda31
    faa635552f1233bbbb3a2c5badb&sun.appreturn=true
    
    Logout URL
  10. Click Logout URL on the page displayed in the previous step.

    At the bottom of the displayed page, you will see "This proves SLO success."

Troubleshooting

If there are issues running this test, see the OpenSSO Enterprise debug files located in the /export/ossoadm/config/opensso/debug/Federation directory on both the identity provider and the service provider sides.

Chapter 14 Testing Attribute Mapping

In this deployment there is no user data on the service provider side, so we map all identity provider users to an anonymous user that represents every user in the identity provider user data store when it presents itself to the service provider. This use case illustrates how you can pass user profile attributes from the identity provider to the service provider, and from the service provider site to its agent-protected applications. Communication from the identity provider to the service provider takes place using SAML v2 protocols. Communication from the service provider to its agent-protected applications uses agent-to-LDAP attribute mapping. This chapter contains the following sections.

14.1 Creating a Test User

Create a test user and modify the user profile for attribute mapping. Use the following as a checklist to complete this procedure.

  1. To Create a Test User for Attribute Mapping

  2. To Edit the Test User Profile

Procedure: To Create a Test User for Attribute Mapping

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Under the Subjects tab, click User.

  6. Under User, click New.

    The New User page is displayed.

  7. Enter the following values and click OK.

    ID

    jsmith

    First Name

    John

    Last Name

    Smith

    Full Name

    John Smith

    Password

    jsmith

    Password (confirm)

    jsmith

    User Status

    Click Active.

  8. Log out of the OpenSSO Enterprise console.

Procedure: To Edit the Test User Profile

Before You Begin

This procedure assumes you have completed To Create a Test User for Attribute Mapping.

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Under the Subjects tab, click User.

  6. Under User, click John Smith.

    The Edit User — John Smith page is displayed.

  7. Enter the following values and click Save.

    Email Address

    jsmith@jsmith.com

    Telephone Number

    408-555-5454

    The profile is updated.

  8. Log out of the OpenSSO Enterprise console.

14.2 Configuring OpenSSO Enterprise for Attribute Mapping

This section contains the instructions to configure OpenSSO Enterprise for attribute mapping. Use the following as a checklist to complete the configurations.

  1. To Add SAML v2 Mappings to the Identity Provider Metadata

  2. To Enable Anonymous Authentication

  3. To Modify the Agent Profile to Use SAMLv2 Transient

  4. To Map Identity Provider User Attributes to Service Provider Anonymous User Attributes

Procedure: To Add SAML v2 Mappings to the Identity Provider Metadata

Using the OpenSSO Enterprise console on the identity provider side, map the appropriate LDAP attributes in the user data store to the attributes passed using SAML v2. When attributes are mapped on one OpenSSO Enterprise instance on the identity provider side, the mapping is made available to the second instance on the identity provider side through the previous configuration of the two instances as a site in 5.4 Configuring the OpenSSO Enterprise Platform Service.

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Federation tab.

  4. Under Entity Providers, click https://lb2.idp-example.com:1081/opensso.

    The IDP profile page is displayed.

  5. Click the Assertion Processing tab.

  6. Under Attribute Mapping, enter the following values and click Add.


    EmailAddress=EmailAddress
    Telephone=Telephone

  7. Click Save.

    The profile is updated.

  8. Log out of the OpenSSO Enterprise console.

ProcedureTo Enable Anonymous Authentication

Enable the Anonymous authentication module and confirm the creation of the anonymous user account on the service provider side.

Before You Begin

This procedure assumes you have completed To Create a Test User for Attribute Mapping.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Click the Authentication tab.

  6. Click the Modules Instances link.

  7. Under Modules Instances, click New.

    The New Module Instance page is displayed.

  8. Enter the following values and click Save.

    Name

    Anonymous

    Type

    Select Anonymous

    The profile is updated.

  9. Under Modules Instances, click Anonymous.

    The Anonymous module instance profile is displayed.

  10. Confirm the default values for the following attributes.

    If the values in your instance are different, change them and save the profile.

    Default Anonymous User Name

    anonymous

    Authentication Level

    0

  11. Log out of the OpenSSO Enterprise console.

ProcedureTo Modify the Agent Profile to Use SAMLv2 Transient

A transient name identifier is a temporary user identifier. In this use case, there is no user account on the service provider side so single sign-on is accomplished using a transient name identifier. All users passed from the identity provider to the service provider will be mapped to the anonymous user created in To Enable Anonymous Authentication. In this procedure, we modify the agent profile to use the transient name identifier format.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Click the Agents tab.

  6. Click the Web tab.

    The Web profile page is displayed.

  7. Click webagent-1 in the Agent table.

    The webagent-1 profile page is displayed.

  8. Click the OpenSSO Services tab.

  9. Select https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso in the OpenSSO Login URL property box and click Delete.

  10. Enter https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&NameIDFormat=transient in the OpenSSO Login URL text box and click Add.

  11. Click Save.

    The profile is updated.

  12. Log out of the OpenSSO Enterprise console.

ProcedureTo Map Identity Provider User Attributes to Service Provider Anonymous User Attributes

Map the attributes being sent from the identity provider to the attributes configured for the anonymous user on the service provider side.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Click the Agents tab.

  6. Click the Web tab.

    The Web profile page is displayed.

  7. Click webagent-1 in the Agent table.

    The webagent-1 profile page is displayed.

  8. Click the Application tab.

  9. Click the Session Attribute Processing link.

  10. Select HTTP_HEADER as the value for the Session Attribute Fetch Mode property.

  11. Enter the following new values in the Session Attribute Map property text box and click Add.

    Map Key

    Telephone

    Corresponding Map Value

    Telephone

  12. Enter the following new values in the Session Attribute Map property text box and click Add.

    Map Key

    EmailAddress

    Corresponding Map Value

    EmailAddress

  13. Click Save.

    The profile is updated.

  14. Log out of the OpenSSO Enterprise console.
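As an added example (not part of this deployment guide and not OpenSSO or agent code), the following Python script models the end-to-end flow configured in 14.2: the identity provider emits EmailAddress and Telephone as SAML attributes with a transient NameID, and the agent, in HTTP_HEADER fetch mode, turns the mapped attributes into request headers while the remote user becomes the anonymous account. The assertion fragment, the NameID value, the lower-casing of header names and the "|" multi-value separator are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

SAML2_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ANONYMOUS_USER = "anonymous"  # Default Anonymous User Name of the Anonymous module

# Agent Session Attribute Map from 14.2: SAML attribute name -> header name.
SESSION_ATTRIBUTE_MAP = {"Telephone": "Telephone", "EmailAddress": "EmailAddress"}

# Constructed sample, not a captured assertion: the attributes the identity
# provider emits for jsmith after the EmailAddress/Telephone mapping, with a
# transient NameID (the identifier value is a placeholder).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_constructed-transient-id-0001</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>jsmith@jsmith.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Telephone"><saml:AttributeValue>408-555-5454</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (NameID format, NameID value, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML2_NS)
    if name_id is None:
        raise ValueError("assertion has no Subject/NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML2_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML2_NS)]
        attrs[attr.get("Name")] = values
    return name_id.get("Format"), name_id.text, attrs


def build_request_headers(xml_text, attr_map=SESSION_ATTRIBUTE_MAP):
    """Model HTTP_HEADER fetch mode: return (remote user, headers the protected
    application sees). Only the transient use case of this chapter is modelled."""
    name_format, _, attrs = parse_assertion(xml_text)
    if name_format != NAMEID_TRANSIENT:
        raise ValueError("expected transient NameID, got %r" % name_format)
    headers = {}
    for saml_name, header_name in attr_map.items():
        if saml_name in attrs:
            # Header names are lower-cased to match how snoop.jsp prints them;
            # "|" as the multi-value separator is this example's choice.
            headers[header_name.lower()] = "|".join(attrs[saml_name])
    # With a transient identifier every federated user lands on the anonymous account.
    return ANONYMOUS_USER, headers
```

Running the script against the sample yields remote user anonymous and the emailaddress and telephone headers that the snoop.jsp test in 14.3 expects.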

14.3 Testing Attribute Mapping

This test uses snoop.jsp to display the HTTP headers being passed in a browser window. Within the headers you see the attributes being passed to the service provider protected by the agent.

ProcedureTo Verify That Attribute Mapping is Working Properly

  1. Log in to the pr1.sp-example.com host machine as the root user.

  2. Copy snoop.jsp to the /opt/SUNWwbsvr/https-pr1.sp-example.com/docs directory.

    snoop.jsp is in Appendix F, The snoop.jsp File.

  3. Access http://pr1.sp-example.com:1080/snoop.jsp from a web browser.

    The Web Policy Agent redirects the request to the OpenSSO Enterprise console on the identity provider side.

  4. Log in to the OpenSSO Enterprise console as the test user.

    Username

    jsmith@jsmith.com

    Password

    jsmith

    The JSP Snoop page displays the headers from the HTTP request in the browser window. Note the following:

    • John Smith's telephone number and email address are included.

    • The Remote user is anonymous, which confirms that the transient name identifier configured previously is in use.


    JSP Snoop page
    Request information
    Requested URL: http://pr1.sp-example.com:1080/snoop.jsp
    Request method: GET
    Request URI: /snoop.jsp
    Request protocol: HTTP/1.1
    Servlet path: /snoop.jsp
    Path info: null
    Path translated: null
    Query string: null
    Content length: -1
    Content type: null
    Server name: pr1.sp-example.com
    Server port: 1080
    Remote user: anonymous
    Remote address: 192.18.120.83
    Remote host: 192.18.120.83
    Authorization scheme: DSAME
    Request headers
    Header: Value:
    cookie  JSESSIONID=A7092AD436027D5B18DFCC8C65D7B580; 
      iPlanetDirectoryPro=AQIC5wM2LY4SfcxahJE41EKzHCTvKn
      lulj6F8sTjtxvBpA8=@AAJTSQACMDMAAlMxAAIwMQ==#; amlbcookie=01
    host 	pr1.sp-example.com:1080
    user-agent 	Mozilla/5.0 (X11; U; SunOS sun4u; en-US; 
    rv:1.8.1.15) Gecko/20080703 Firefox/2.0.0.15
    accept 	text/xml,application/xml,application/xhtml+xml,
    text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    accept-language 	en-us,en;q=0.5
    accept-encoding 	gzip,deflate
    accept-charset 	ISO-8859-1,utf-8;q=0.7,*;q=0.7
    keep-alive 	300
    connection 	keep-alive
    emailaddress 	jsmith@jsmith.com
    telephone 	408-555-5454
    Init parameters
    Parameter: 	Value:
    fork 	false
    mappedfile 	false
    logVerbosityLevel 	warning
    com.sun.appserv.jsp.classpath 	/opt/SUNWwbsvr/lib/webserv-rt.jar:
      /opt/SUNWwbsvr/lib/pwc.jar:/opt/SUNWwbsvr/lib/ant.jar:
      /opt/SUNWwbsvr/jdk/lib/tools.jar:/opt/SUNWwbsvr/lib/ktsearch.jar:
      /opt/SUNWwbsvr/lib/webserv-jstl.jar:/opt/SUNWwbsvr/lib/jsf-impl.jar:
      /opt/SUNWwbsvr/lib/jsf-api.jar:/opt/SUNWwbsvr/lib/webserv-jwsdp.jar:
      /opt/SUNWwbsvr/lib/container-auth.jar:/opt/SUNWwbsvr/lib/mail.jar:
      /opt/SUNWwbsvr/lib/activation.jar:
    httpMethods 	GET,HEAD,POST