Sun Java Systems Access Manager 6 2005Q1 Federation Management Guide 

Chapter 3
Federation Management

Sun Java™ System Access Manager provides an interface for creating, modifying, and deleting authentication domains, and service and identity providers (both remote and hosted types). This chapter is an overview of how to use the Federation Management module to create a Liberty-based federation. It contains the following sections:


Overview

The Federation Management module is the Access Manager implementation of the Liberty Alliance Project (LAP) Liberty Identity Federation Framework (ID-FF) specification. The ID-FF defines a set of protocols, bindings, and profiles that provide a solution for identity profile federation, cross-domain authentication, and session management. The Federation Management module is the Access Manager Web interface to the ID-FF implementation. It is accessible through the Federation Management tab in the Header frame of the Access Manager console.


Note

More detailed information on the Liberty Identity Federation Framework can be found in the Liberty ID-FF Protocols and Schema Specifications (http://www.projectliberty.org/specs/draft-liberty-idff-protocols-schema-1.2-errata-v1.0.pdf).



The Federation Management Interface

The Federation Management module uses JavaServer Pages™ (JSP) to define its look and feel. JSP are HTML files that contain additional code to generate dynamic content. More specifically, JSP contain HTML code to display static text and graphics, as well as application code to generate information. When the page is displayed in a Web browser, it contains both the static HTML content and, in the case of the Federation Management module, dynamic content retrieved via calls to the Federation Management API. An administrator can customize the look and feel of the interface by changing the HTML tags in the JSP, but the APIs invoked must not be changed. The JSP are located in /AccessManager_base/SUNWam/web-src/services/config/federation/default. The files in this directory provide a default interface to the Federation Management module. To customize it for a specific organization, copy the default directory, rename the copy to reflect the name of the organization (or any value), place it at the same level as the default directory, and modify the files within the copy as needed. Table 3-1 lists the JSP with details on what each page is used for and the invoked APIs that cannot be modified. More information on modifying these pages to customize the console can be found in the Sun Java System Access Manager 6 2005Q1 Developer’s Guide (http://docs.sun.com/doc/817-7649).

Table 3-1  Federation Management Module JSP 

File Name and its Purpose

Invoked APIs

CommonLogin.jsp displays the links to the login pages of the trusted identity providers as well as the local login page. It is displayed when the user is not logged in locally or at an identity provider site. The list of identity providers is obtained by the getIDPList(hostedProviderID) method.

  • LibertyManager.getLoginURL(request)
  • LibertyManager.getInterSiteURL(request)
  • LibertyManager.getIDPList(providerID)
  • LibertyManager.getNewRequest(request)
  • LibertyManager.getSuccintID(idpID)
  • LibertyManager.cleanQueryString(request)

Error.jsp displays an error page when an error has occurred.

No APIs are invoked.

Federate.jsp is displayed when the user clicks a Federate link. It displays a drop-down list of all providers with which the user is not yet federated. This list is constructed from the getProvidersToFederate(userName, providerID) method.

  • LibertyManager.isLECPProfile(request)
  • LibertyManager.getAuthnRequestEnvelope(request)
  • LibertyManager.getUser(request)
  • LibertyManager.getProvidersToFederate(providerID,userDN)

FederationDone.jsp displays the status of federation (success or cancelled). It checks this status using the isFederationCancelled(request) method.

  • LibertyManager.isFederationCancelled(request)

Footer.jsp displays a branded footer included on all the pages.

No APIs are invoked.

Header.jsp displays a branded header included on all the pages.

No APIs are invoked.

ListOfCOTs.jsp displays a list of Circles Of Trust. When a user is authenticated by an identity provider and the service provider belongs to more than one Circle Of Trust, they will be shown this JSP to select an authentication domain as their preferred domain. In the case that the provider belongs to only one domain, this page will not be displayed. The list is obtained by using the getListOfCOTs(providerID) method.

  • LibertyManager.getListOfCOTs(providerID)

LogoutDone.jsp displays the status of the local logout operation.

  • LibertyManager.isLogoutSuccess(request)

NameRegistration.jsp is displayed when a federated user chooses to register a new Name Identifier from a service provider to an identity provider. When the Name Registration link is clicked, this JSP is displayed.

  • LibertyManager.getUser(request)
  • LibertyManager.getRegisteredProviders(userDN)

NameRegistrationDone.jsp displays the status of NameRegistration.jsp. When finished, this page is displayed.

  • LibertyManager.isNameRegistrationSuccess(request)
  • LibertyManager.isNameRegistrationCanceled(request)

Termination.jsp is displayed when the user clicks the defederate link. It shows a drop-down menu of all providers to which the user has federated; from this list, the user can choose to defederate. The list is constructed using the getFederatedProviders(userName) method which returns all active providers to which the user is already federated.

  • LibertyManager.getUser(request)
  • LibertyManager.getFederatedProviders(userDN)

TerminationDone.jsp displays the status of federation termination (success or cancelled). It checks status using the isTerminationCancelled(request) method.

  • LibertyManager.isTerminationSuccess(request)
  • LibertyManager.isTerminationCanceled(request)


The Process of Federation

The process of federation begins with authentication. By default, Access Manager comes with two options for user authentication. The first is the proprietary Authentication Service; the second is the Liberty-enabled Federation process. With the proprietary option, users attempting to access a resource protected by Access Manager are redirected to the Authentication Service via an Access Manager login page. After they provide credentials, the Authentication Service allows or denies access to the resource based on the outcome.


Note

For more information on the proprietary Authentication Service, see Chapter 4, Authentication Service in the Sun Java System Access Manager 6 2005Q1 Developer’s Guide (http://docs.sun.com/doc/817-7649).


With Liberty-enabled federation, when a principal attempts to access a Web site belonging to a member provider of an authentication domain, the process begins with a search for a valid Access Manager session token from the Authentication Service. If a session token is found, the principal is granted (or denied) access. Assuming access is granted, the page then displayed contains a link that gives the principal an opportunity to federate the authenticated identity provider identity with the accessed service provider identity. When the principal clicks this link, the single sign-on process begins.

If no session token is found, the principal is directed through the Pre-login Process. Figure 3-1 illustrates these different paths.

Figure 3-1  Liberty-based Access Manager Authentication Process Flow

An image illustrating the Liberty-based authentication process and the divergent paths authentication might take.

Pre-login Process

The pre-login process establishes a valid session. When a principal attempts to access a service provider site and no Access Manager session token is found, the pre-login process begins with a search for a federation cookie.


Note

A federation cookie is a cookie implemented by Access Manager with the name fedCookie. It can have a value of either yes or no based on the principal’s federation status. It is NOT detailed in the Liberty Alliance Project specifications.


The pre-login process can take one of the following paths:

Single Sign-on Process

When a principal logs in for access to a protected resource or service, Access Manager sends a request to the appropriate identity provider for authentication confirmation. If the identity provider sends a positive response, the principal gains access to all provider sites that are members of the authentication domain. If the identity provider sends a negative response, the principal is directed to authenticate again using the Liberty-enabled single sign-on process.

In Liberty-enabled single sign-on, principals select an identity provider and send their credentials for authentication. (This is accomplished through the Common Domain Services.) Once authentication is complete and access is granted, the principal is automatically issued a session token from the Access Manager Authentication Service, and redirected to the requested page. As long as the session token remains valid, the principal can access other service providers in the authentication domain without having to sign on again.


Common Domain Services

The Common Domain Services allow a service provider to discover the specific identity provider used by a principal in an authentication domain with multiple identity providers. The Services rely on a cookie that is written in a domain that is common to all identity providers and service providers in the authentication domain. The domain (predetermined by all members of the authentication domain) is known as the common domain. The Common Domain Services use a common domain cookie (which contains a list of Base64-encoded identity provider identifiers) to determine the preferred identity provider.


Note

The Common Domain Services are based on the Identity Provider Introduction Profiles detailed in the Liberty ID-FF Bindings and Profiles Specifications located at http://www.projectliberty.org/specs/draft-liberty-idff-bindings-profiles-1.2-errata-v2.0.pdf.


Let’s assume an authentication domain contains more than one identity provider. Because of this, a service provider in the authentication domain trusts more than one identity provider. But a principal can only issue a federation request to one identity provider, so the service provider to which the principal is requesting access must discover the correct one. When the request contains no common domain cookie, the service provider presents a list of trusted identity providers from which the principal may choose. When the request contains a common domain cookie, the service provider reads the cookie to discover the correct identity provider.
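The cookie handling just described, as an added example that is not Access Manager or Liberty Alliance code. It assumes the cookie name _liberty_idp (the name used by the Liberty introduction profile; this chapter only calls it the common domain cookie) and the profile's layout of a space-separated list of Base64-encoded provider IDs with the most recently used last. Because the cookie comes from the browser, the service provider side only ever honours an identity provider it already trusts, and falls back to the selection list otherwise.

```python
import base64
import binascii
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed cookie name: the Liberty ID-FF introduction profile uses "_liberty_idp";
# this chapter only refers to it as the common domain cookie.
COMMON_DOMAIN_COOKIE = "_liberty_idp"


def encode_provider_id(provider_id: str) -> str:
    """Base64-encode one identity provider identifier, as stored in the cookie."""
    return base64.b64encode(provider_id.encode("utf-8")).decode("ascii")


def write_common_domain_cookie(existing_value: Optional[str], idp_id: str) -> str:
    """Writer Service behaviour: record idp_id as the most recently used IdP.

    The cookie is a space-separated list of Base64-encoded provider IDs with the
    most recently used last. An IdP already present is moved to the end, not duplicated.
    """
    encoded = encode_provider_id(idp_id)
    entries = [e for e in (existing_value or "").split() if e != encoded]
    entries.append(encoded)
    return " ".join(entries)


def decode_provider_ids(cookie_value: Optional[str]) -> List[str]:
    """Decode the cookie into provider IDs, dropping entries that are not valid
    Base64 or do not decode to an http(s) URL. The cookie arrives from the browser,
    so its contents are untrusted input."""
    ids = []
    for entry in (cookie_value or "").split():
        try:
            raw = base64.b64decode(entry, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        parts = urlsplit(raw)
        if parts.scheme in ("http", "https") and parts.netloc:
            ids.append(raw)
    return ids


def select_identity_provider(cookie_value: Optional[str], trusted_idps) -> Optional[str]:
    """Reader Service outcome from the service provider's side.

    Returns the most recently used IdP that this SP actually trusts. None means
    the cookie was absent or named no trusted IdP, and the SP should fall back to
    presenting its list of trusted identity providers, as the text describes.
    """
    trusted = set(trusted_idps)
    for candidate in reversed(decode_provider_ids(cookie_value)):
        if candidate in trusted:
            return candidate
    return None
```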

Installing the Common Domain Services

The Common Domain Services for Federation Management are installed as one Web application within the Access Manager product using the Sun Java Enterprise System installer. However, they can also be installed as one Web application (separate from the Access Manager product) on a J2EE™ web container using the same installer.


Note

For more information on installing the service, see the Sun Java Enterprise System Installation Guide on docs.sun.com. As of this writing, the latest version is available at http://docs.sun.com/doc/817-5760.


Common Domain Service URLs

In Access Manager, the Common Domain Services are exposed through two URLs that point to services developed for writing and reading the common domain cookie. The URLs are defined as attributes when an authentication domain is created.


Note

The Reader and Writer service URLs are Access Manager specific. The concepts are not defined in the Liberty ID-FF Bindings and Profiles Specifications.


The format for the Writer Service URL is:

protocol://common_domain_hostname:port/deploy_uri/writer

The format for the Reader Service URL is:

protocol://common_domain_hostname:port/deploy_uri/transfer

See To Create An Authentication Domain for information on configuring these attributes.


Federation Management

The Federation Management module in the Access Manager console provides an interface for creating, modifying, and deleting providers, authentication domains, and affiliations. The subsequent sections define these concepts and detail procedures for using the Federation Management interface.


Note

In a federation setup, all service providers and identity providers must share a synchronized clock. You can synchronize the clocks by pointing all providers to an external clock source, or you can compensate for delays in receiving responses by adjusting the timeouts so that delayed responses are still captured without fail.


Authentication Domains

An authentication domain (also referred to as a circle of trust) is a federation of any number of service providers and at least one identity provider with whom principals can transact business in a secure and apparently seamless environment. The members of the domain have established business relationships based on the LAP architecture and operational agreements.


Note

An authentication domain is not a domain in the domain name system (DNS) sense of the word.


Creating and Maintaining Authentication Domains

The following sections describe how to create, modify, and delete authentication domains using the Access Manager console.

To Create An Authentication Domain

  1. Choose Authentication Domain from the View menu in the Navigation pane of the Federation Management module.
  2. Click New in the Navigation pane.

     The New Authentication Domain attributes are displayed in the Data pane.

  3. Enter a name for the authentication domain.

     This is a required field.

  4. Enter a description of the authentication domain in the Description field.
  5. Enter a value for the Writer Service URL.

     The Writer Service URL specifies the location of the service that writes the common domain cookie. The URL is in the format:

     http://common_domain_host:port/common/writer

  6. Enter a value for the Reader Service URL.

     The Reader Service URL specifies the location of the service that reads the common domain cookie. The URL is in the format:

     http://common_domain_host:port/common/transfer

  7. Select Active or Inactive.

     The default status is Active. Selecting Inactive disables communication within the authentication domain.

  8. Click OK.

     The new authentication domain is now displayed in the Navigation pane.

To Modify An Authentication Domain

  1. Click on the Properties arrow next to the authentication domain you wish to modify in the Navigation pane of the Federation Management module.

     The authentication domain’s properties are displayed in the Data pane.

  2. Modify the properties of the authentication domain.
  3. Click Save.

To Delete An Authentication Domain

  1. Choose Authentication Domains from the View menu in the Navigation pane of the Federation Management module.

     All created Authentication Domains display in the Navigation pane.

  2. Check the box next to the name of the Authentication Domain to be deleted.
  3. Click Delete.

     Caution

     Deleting an authentication domain does not delete the providers that belong to it.


Entity Descriptors

An entity descriptor contains one or more descriptions of individual providers, or affiliations. In the Access Manager Liberty implementation, there are two types:

Provider Entity Descriptor

The provider entity descriptor holds information configured for providers (both service and identity) associated with an authentication domain. Within this descriptor, the provider combinations detailed in Table 3-2 can be represented.

Table 3-2  Possible Provider Combinations for Provider Entity Descriptor

Entity

Description

Single Provider

This document defines one service or identity provider entity that can be referenced using a configured providerID.

Multiple Providers

This document combines multiple provider entities by referencing their configured providerID.

Affiliate Entity Descriptor

The affiliate entity descriptor holds information configured for a group of providers, but this group is formed outside of the boundaries of an authentication domain. This affiliation is formed and maintained by an affiliation owner that chooses trusted providers without regard to their particular authentication domain. This descriptor does not contain single or multiple providers unless they are specifically configured as an affiliation. An affiliation document describes a group of providers collectively identified by one providerID and maintained by an affiliation owner (referenced by its affiliationOwnerID). The document lists each member using their configured providerID.


Note

More information on entity descriptors can be found in the Liberty Metadata Description and Discovery Specification (http://www.projectliberty.org/specs/draft-liberty-metadata-1.0-errata-v2.0.pdf).


Creating and Maintaining Entity Descriptors

Creating an entity descriptor using the Access Manager console is a two-step process. First, you create the entity descriptor itself. Then, you populate the descriptor with provider information (either service or identity) or an affiliation, depending on the descriptor created. The following sections describe how to create, modify, and delete entity descriptors using the Access Manager console.

To Create an Entity Descriptor of Either Type

  1. Choose Entity Descriptors from the View menu in the Navigation pane of the Federation Management module.
  2. Click New in the Navigation pane.

     The New Entity Descriptor attributes are displayed in the Data pane.

  3. Enter a value for the Entity ID.

     This required field should specify the URL identifier of the entity. It must be unique across all entities.

  4. Enter a description of the entity descriptor in the Description field.
  5. Select Provider or Affiliate to define the Type.
     1. If you select Provider, click OK.
     2. If you select Affiliate, enter a value for both the Affiliate ID and Affiliate Owner ID attributes and click OK.

        The Affiliate ID should specify the URL identifier of the affiliate. It must be unique across all entities. The Affiliate Owner ID is the Provider ID of the owner or parent operator of the affiliation, from which additional metadata can be received. These fields are required.

     The new entity descriptor is now displayed in the Navigation pane.

To Configure a Provider Entity Descriptor

  1. Choose Entity Descriptors from the View menu in the Navigation pane of the Federation Management module.
  2. Select the desired provider entity descriptor.

     The entity descriptor’s attributes are displayed in the Data pane.

To Configure General Attributes for a Provider Entity Descriptor

After selecting the desired provider entity descriptor from the Navigation pane:

  1. Select General from the View menu in the Data pane and provide information for the following attributes (separated into three groups):

     Entity Common Attributes

     1. Entity Type. The static value of this attribute is Provider.
     2. Description. Enter a description of the provider.
     3. Valid Until. Enter the expiration date for the metadata pertaining to the provider. The value is defined in the format:

        yyyy-mm-ddThh:mm:ss.SZ

        For example, 2004-12-31T12:30:00.0-0800

     4. Cache Duration. Enter the maximum amount of time the entity descriptor can be cached. The value is defined in the format:

        PnYnMnDTnHnMnS, where n is an integer variable.

        For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.

     Entity Contact Person

     5. First Name. Enter the first name of the entity’s contact person.
     6. Last Name. Enter the last name of the entity’s contact person.
     7. Type. Select the type of entity from the drop-down menu. The choices are Billing, Technical, Administrative, and Other.
     8. Company. Enter the name of the company by which the contact person is employed.
     9. Liberty Principal Identifier. Enter the name identifier that points to an online instance of the contact person’s personal information profile.
     10. Email. Enter the email address of the contact person.
     11. Telephone. Enter the telephone number of the contact person.

     Entity Organization

     12. Name. Enter the name of the entity’s organization. The value is defined in the format:

        locale|organization_name

        For example, en|organization_name.com

     13. Display Name. Enter the display name of the entity’s organization. The value is defined in the format:

        locale|organization_display_name

        For example, en|organization_display_name.com

     14. URL. Enter the URL of the organization. The value is defined in the format:

        locale|organization_URL

        For example, en|http://www.organization_name.com

  2. Click Save.
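To show how the Valid Until and Cache Duration values above (the same two fields recur in the identity provider and service provider wizards) work together, here is an added Python example. It is not Access Manager code; the rule it applies, that a cached copy of a provider's metadata may be reused only while both the cache duration and Valid Until still hold, is an assumption about how a metadata consumer should behave. Years and months in a PnYnMnDTnHnMnS value are handled as calendar arithmetic rather than fixed-length units.

```python
import calendar
import re
from datetime import datetime, timedelta

# PnYnMnDTnHnMnS as described on this page; every component is optional.
DURATION_RE = re.compile(
    r"^P(?:(?P<Y>\d+)Y)?(?:(?P<M>\d+)M)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_valid_until(value: str) -> datetime:
    """Parse the page's yyyy-mm-ddThh:mm:ss.SZ form, e.g. 2004-12-31T12:30:00.0-0800.

    The result is timezone-aware, so values with different offsets compare correctly.
    """
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_cache_duration(value: str) -> dict:
    """Split PnYnMnDTnHnMnS into integer components; reject anything else."""
    match = DURATION_RE.match(value)
    if not match or not any(match.groups()):
        raise ValueError(f"not a PnYnMnDTnHnMnS duration: {value!r}")
    return {name: int(digits or 0) for name, digits in match.groupdict().items()}


def add_duration(start: datetime, parts: dict) -> datetime:
    """Add a parsed duration to a datetime.

    Years and months are calendar arithmetic (a day past the end of the target
    month is clamped to its last day); days and smaller units have fixed lengths.
    """
    months = start.year * 12 + (start.month - 1) + parts["Y"] * 12 + parts["M"]
    year, month_index = divmod(months, 12)
    month = month_index + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    moved = start.replace(year=year, month=month, day=day)
    return moved + timedelta(
        days=parts["D"], hours=parts["h"], minutes=parts["m"], seconds=parts["s"]
    )


def cache_expiry(fetched_at: str, cache_duration: str) -> datetime:
    """Moment at which a copy fetched at fetched_at is no longer reusable
    under Cache Duration alone (fetched_at uses the same timestamp format)."""
    return add_duration(parse_valid_until(fetched_at), parse_cache_duration(cache_duration))


def metadata_usable(fetched_at: str, now: str, valid_until: str, cache_duration: str) -> bool:
    """Assumed consumer rule: serve cached metadata only while BOTH limits still hold.

    Cache Duration bounds how long a fetched copy may be reused; Valid Until bounds
    the metadata itself, so whichever comes first ends the cached copy's life.
    """
    expires = min(parse_valid_until(valid_until), cache_expiry(fetched_at, cache_duration))
    return parse_valid_until(now) < expires
```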

To Configure Identity Provider Attributes for a Provider Entity Descriptor

After selecting the desired provider entity descriptor from the Navigation pane:

  1. Select Identity Provider from the View menu in the Data pane to add an identity provider to the entity descriptor.
  2. Click the New Provider button to display the New Provider Wizard.
     1. Provide information for the following Common Provider attributes displayed in Step 1.
        1. Provider ID. Enter a unique identifier for the provider.
        2. Description. Enter a description of the provider.
        3. Provider is Hosted or Remote. Select Local if the provider is hosted on the same server as Access Manager, or Remote if not. By default, Remote is selected.

           Caution

           Attributes displayed and configured in subsequent steps depend on the type defined for the Provider is Hosted or Remote attribute.

        4. Valid Until. Enter the expiration date for the metadata pertaining to the provider. The value is defined in the format:

           yyyy-mm-ddThh:mm:ss.SZ

           For example, 2004-12-31T12:30:00.0-0800

        5. Cache Duration. Enter the maximum amount of time an entity descriptor can be cached. The value is defined in the format:

           PnYnMnDTnHnMnS, where n is an integer.

           For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.

        6. Protocol Support Enumeration. Select the protocol release supported by this entity.

           urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework version 1.2 and urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework version 1.1.

        7. Server Name Identifier Mapping Binding. Enter a URI describing the SAML authority binding used by the identity provider. Identifier mapping queries are able to locate and communicate with the SAML authority using this URI.
        8. Additional Meta Locations. Enter the location of other relevant metadata concerning the provider.

           Signing Key

        9. Key Alias. Enter the signing certificate key alias used to sign requests and responses for a hosted (local) provider. For a remote provider, this is a public key that the provider uses to verify the signatures.

           Encryption Key

        10. Key Alias. Enter the security certificate alias. Certificates are stored in a JKS keystore file. Each specific certificate is mapped to an alias which is used to fetch the certificate.
        11. Key Size. Enter the length for keys used by the Web service consumer when interacting with another entity.
        12. Encryption Method. Choose the method of encryption. The choices are None, 3DES, AES, and DES.
     2. Click Next to provide information for the following Communications and Service Provider attributes displayed in Step 2.

        Caution

        Some of the following attribute subsections are displayed based upon whether the identity provider is defined as Remote or Hosted (Local) in Step III. This is called out in parentheses next to the heading.

        Communication URLs

        1. SOAP Endpoint URL. Enter a location for the identity provider’s SOAP messages receiver.

           This value communicates the location of the SOAP receiver in non-browser communications.

        2. Single Sign-On Service URL. Enter a location to which service providers can send single sign-on and federation requests.
        3. Single Logout Service URL. Enter a location to which service providers can send logout requests.

           Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

        4. Single Logout Return URL. Enter a location to which the identity provider will redirect the principal after completing a logout.
        5. Federation Termination Service URL. Enter a location to which a service provider will send federation termination requests.
        6. Federation Termination Return URL. Enter a location to which the identity provider will redirect the principal after completing federation termination.
        7. Name Registration Service URL. Enter a location to which a service provider will send requests to specify the name identifier that will be used when communicating with the identity provider about a principal.

           Registration can occur only after a federation session is established.

        8. Name Registration Return URL. Enter a location to which the identity provider will redirect the principal after HTTP name registration has been completed.
        9. Authentication Service URL. Enter a location for the identity provider’s ID-FF-based Authentication Service.

        Communication Profiles

        10. Federation Termination Profile. Select a profile to notify other providers of a principal’s federation termination. The choices are SOAP and HTTP/Redirect.
        11. Single Logout Profile. Select a profile to notify other providers of a principal’s logout. The choices are SOAP and HTTP/Redirect.
        12. Name Registration Profile. Select a profile to notify other providers of a principal’s name registration. The choices are SOAP and HTTP/Redirect.
        13. Single Sign-on/Federation Profile. Select a profile used by a hosted provider for sending authentication requests. The choices are:

            • LECP (Liberty-enabled Client Proxy)
            • Browser Post (specifies a browser-based HTTP POST protocol)
            • Browser Artifact (specifies a non-browser SOAP-based protocol)

        14. Enable Name Identifier Encryption. Select the check box to enable encryption of the name identifier.

        Proxy Authentication Configuration (only displayed when identity provider is defined as Remote)

        15. Enable Proxy Authentication. If selected, this attribute enables proxy authentication for a service provider.
        16. Proxy Identity Providers List. This attribute displays the list of identity providers that can be proxied for authentication.
        17. Maximum Number Proxies. This attribute specifies the maximum number of identity provider proxies.
        18. Use Introduction Cookie For Proxying. If enabled, introductions will be used to find the proxying identity provider.

        Access Manager Configuration (only displayed when identity provider is defined as Hosted (Local))

        19. Provider URL. Enter the URL of the local identity provider.
        20. Alias. Enter an alias name for the local identity provider.
        21. Authentication Type. Select the provider that should be used for authentication requests from a provider hosted locally. Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request. Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).
        22. Default Authentication Context. Select the authentication context to be used if the identity provider does not receive it as part of a service provider request. It also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The choices are Previous-Session, Time-Sync-Token, Smartcard, MobileUnregistered, Smartcard-PKI, MobileContract, Password, Password-ProtectedTransport, MobileDigitalID, and Software-PKI.
        23. Forced Authentication at Identity Provider. Select the check box to indicate if the identity provider must reauthenticate (even during a live session) when an authentication request is received.
        24. Request Identity Provider to be Passive. Select the check box to specify that the identity provider must not interact with the principal and must interact with the user
        25. Organization DN. Enter the location of the DN of the organization if each hosted provider chooses to manage users across different organizations leading to a hosted model.
        26. Liberty Version URI. Enter the URI of the version of the Liberty specification.
        27. Name Identifier Implementation. This field allows the option for a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating to the service provider.
        28. Provider Home Page URL. Enter the URL of the home page of the identity provider.
        29. Single Sign-on Failure Redirect URL. Enter the URL to which a principal will be redirected if single sign-on has failed.

        SAML Configuration (only displayed when identity provider is defined as Hosted (Local))

        30. Assertion Interval. Enter the interval of time for which an assertion issued by the identity provider will remain valid. A principal will remain authenticated until the assertion interval expires.
        31. Cleanup Interval. Enter the interval of time before assertions stored in the identity provider will be cleared.
        32. Artifact Timeout. Enter an interval to specify the timeout of an identity provider for assertion artifacts.
        33. Assertion Limit. Enter a number to define the number of assertions an identity provider can issue, or the number of assertions that can be stored.
     3. Click Next to provide information for the following Organization Attributes and Contact Persons attributes displayed in Step 3.

        Organization

        1. Name. Enter the name of the entity’s organization. The value is defined in the format:

           locale|organization_name

           For example, en|organization_name.com

        2. Display Name. Enter the display name of the entity’s organization. The value is defined in the format:

           locale|organization_display_name

           For example, en|organization_display_name.com

        3. URL. Enter the URL of the organization. The value is defined in the format:

           locale|organization_URL

           For example, en|http://www.organization_name.com

     4. Click New to access the attributes for Contact Persons.

        Contact Persons

        1. First Name. Enter the first name of the entity’s contact person.
        2. Last Name. Enter the last name of the entity’s contact person.
        3. Type. Select the type of entity from the drop-down menu. The choices are Billing, Technical, Administrative, and Other.
        4. Company. Enter the name of the company by which the contact person is employed.
        5. Liberty Principal Identifier. Enter the name identifier that points to an online instance of the contact person’s personal information profile.
        6. Email. Enter the email address of the contact person.
        7. Telephone. Enter the telephone number of the contact person.
     5. Click OK to save the values assigned to the Contact Person attributes.
     6. Click Next to configure the Authentication Domains to which the provider belongs in Step 4.
        1. Use the direction arrows to move a Selected authentication domain into the Available list.
        2. Click Save.

           This will assign the provider to an authentication domain. A provider can belong to one or more authentication domains; however, a provider without a specified authentication domain cannot participate in Liberty-based communications.

     7. Click Finish.
To Configure Service Provider Attributes for a Provider Entity Descriptor

After selecting the desired provider entity descriptor from the Navigation pane:

  1. Select Service Provider from the View menu to add a service provider to the entity descriptor.
  2. Click the New Provider button to display the New Provider Wizard.
    1. Provide information for the following Common Provider attributes displayed in Step 1.
      1. Provider ID. Enter a unique identifier for the provider.
      2. Description. Enter a description of the provider.
      3. Provider is Hosted or Remote. Select Local if the provider is hosted on the same server as Access Manager, or Remote if it is not. By default, Remote is selected.

         Caution

         Attributes displayed and configured in subsequent steps depend on the type defined for the Provider is Hosted or Remote attribute.

      4. Valid Until. Enter the expiration date for the metadata pertaining to the provider. The value is defined in the format:

         yyyy-mm-ddThh:mm:ss.SZ

         For example, 2004-12-31T12:30:00.0-0800

      5. Cache Duration. Enter the maximum amount of time an entity descriptor can be cached. The value is defined in the format:

         PnYnMnDTnHnMnS, where n is an integer.

         For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.

      6. Protocol Support Enumeration. Select the protocol release supported by this entity. urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework version 1.2 and urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework version 1.1.
      7. Server Name Identifier Mapping Binding. Enter a URI describing the SAML authority binding used by the identity provider. Identifier mapping queries are able to locate and communicate with the SAML authority using this URI.
      8. Additional Meta Locations. Enter the location of other relevant metadata concerning the provider.

      Signing Key

      9. Key Alias. Enter the signing certificate key alias used to sign requests and responses for a hosted (local) provider. For a remote provider, this is the public key that the provider uses to verify the signatures.

      Encryption Key

      10. Key Alias. Enter the security certificate alias. Certificates are stored in a JKS keystore file. Each specific certificate is mapped to an alias which is used to fetch the certificate.
      11. Key Size. Enter the length for keys used by the Web service consumer when interacting with another entity.
      12. Encryption Method. This field defines the encryption method. The choices are None, 3DES, AES, and DES.
    2. Click Next to provide information for the following Communications and Service Provider attributes in Step 2.

      Caution

      Some of the following attribute subsections are displayed based upon whether the service provider is defined as Remote or Hosted (Local) in Step III. This is called out in parentheses next to the heading.

      Communication URLs

      1. SOAP Endpoint URL. Enter a location for the service provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.
      2. Single Logout Service URL. Enter a location to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.
      3. Single Logout Return URL. Enter a location to which the service provider will redirect the principal after completing a logout.
      4. Federation Termination Service URL. Enter a location to which a service provider will send federation termination requests.
      5. Federation Termination Return URL. Enter a location to which the service provider will redirect the principal after completing federation termination.
      6. Name Registration Service URL. Enter a location to which a service provider will send requests to specify the name identifier that will be used when communicating with the identity provider about a principal. Registration can occur only after a federation session is established.
      7. Name Registration Return URL. Enter a location to which the identity provider will redirect the principal after HTTP name registration has been completed.
      8. Authentication Service URL. Enter a location for the identity provider’s ID-FF-based Authentication Service.

      Communication Profiles

      9. Federation Termination Profile. Select a profile to notify other providers of a principal’s federation termination. The choices are SOAP and HTTP/Redirect.
      10. Single Logout Profile. Select a profile to notify other providers of a principal’s logout. The choices are SOAP and HTTP/Redirect.
      11. Name Registration Profile. Select a profile to notify other providers of a principal’s name registration. The choices are SOAP and HTTP/Redirect.
      12. Single Sign-on/Federation Profile. Select a profile used by a hosted provider for sending authentication requests. The choices are:

         • LECP (Liberty-enabled Client Proxy)
         • Browser Post (specifies a browser-based HTTP POST protocol)
         • Browser Artifact (specifies a non-browser SOAP-based protocol)

      13. Enable Name Identifier Encryption. Select the check box to enable encryption of the name identifier.

      Service Provider

      14. Assertion Consumer URL. Enter the SAML endpoint to which a provider will send SAML assertions.
      15. Assertion Consumer Service URL ID. Enter the identifier of the Assertion Consumer Service URL to be used as a reference in authentication requests. This identifier is required if Protocol Support Enumeration (Step VI) is urn:liberty:iff:2002-12.
      16. Set Assertion Consumer Service URL as Default. Select this check box to use the Assertion Consumer URL as the default.
      17. Sign Authentication Request. Select this check box to specify that the service provider send signed authentication and federation requests. The identity provider will not process unsigned requests.
      18. Name Registration After Federation. Select this check box to allow a service provider to participate in name registration after it has been federated. For more information, see Name Registration Protocol of Chapter 1, "Introduction to the Liberty Alliance Project."
      19. Name ID Policy. Choose an option to determine the name identifier format generated by the identity provider. The choices are None, One-time, and Federated. This attribute value is part of the authentication request. If the Name ID Policy value is Federated, the name identifier format is urn:liberty:iff:2003:federated.
      20. Enable Affiliation Federation. If enabled, federation based on affiliation IDs is allowed.

      Access Manager Configuration (only displayed when the service provider is defined as Hosted (Local))

      21. Provider URL. Enter the URL of the local identity provider.
      22. Alias. Enter an alias name for the local identity provider.
      23. Authentication Type. Select the provider that should be used for authentication requests from a provider hosted locally. Remote specifies that the provider hosted locally will contact a remote identity provider upon receiving an authentication request. Local specifies that the provider hosted locally will contact a local identity provider upon receiving an authentication request (essentially, itself).
      24. Default Authentication Context. Select the authentication context to be used if the identity provider does not receive it as part of a service provider request. It also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The choices are Previous-Session, Time-Sync-Token, Smartcard, MobileUnregistered, Smartcard-PKI, MobileContract, Password, Password-ProtectedTransport, MobileDigitalID, and Software-PKI.
      25. Forced Authentication at Identity Provider. Select the check box to indicate that the identity provider must reauthenticate the principal (even during a live session) when an authentication request is received.
      26. Request Identity Provider to be Passive. Select the check box to specify that the identity provider must not interact with the principal and must interact with the user
      27. Organization DN. Enter the DN of the organization if each hosted provider chooses to manage users across different organizations, leading to a hosted model.
      28. Liberty Version URI. Enter the URI of the version of the Liberty specification.
      29. Name Identifier Implementation. This field allows the option for a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider.
      30. Provider Home Page URL. Enter the URL of the home page of the identity provider.
      31. Single Sign-on Failure Redirect URL. Enter the URL to which a principal will be redirected if single sign-on has failed.

      SAML Configuration (only displayed when the service provider is defined as Hosted (Local))

      32. Assertion Interval. Enter the interval of time for which an assertion issued by the identity provider will remain valid. A principal will remain authenticated until the assertion interval expires.
      33. Cleanup Interval. Enter the interval of time before assertions stored in the identity provider will be cleared.
      34. Artifact Timeout. Enter an interval to specify the timeout of an identity provider for assertion artifacts.
      35. Assertion Limit. Enter a number to define the amount of assertions an identity provider can issue, or the number of assertions that can be stored.

      Proxy Authentication Configuration

      36. Enable Proxy Authentication. If selected, this attribute enables proxy authentication for a service provider.
      37. Proxy Identity Providers List. This attribute displays the list of identity providers that can be proxied for authentication.
      38. Maximum Number Proxies. This attribute specifies the maximum number of identity providers to be proxied.
      39. Use Introduction Cookie For Proxying. If enabled, introductions will be used to find the proxying identity provider.
    3. Click Next to provide information for the following Organization and Contact Persons attributes displayed in Step 3.

      Organization

      1. Name. Enter the name of the entity’s organization. The value is defined in the format:

         locale|organization_name

         For example, en|organization_name.com

      2. Display Name. Enter the display name of the entity’s organization. The value is defined in the format:

         locale|organization_display_name

         For example, en|organization_display_name.com

      3. URL. Enter the URL of the organization. The value is defined in the format:

         locale|organization_URL

         For example, en|http://www.organization_name.com

    4. Click New to access the attributes for Contact Persons detailed below.

      Contact Persons

      1. First Name. Enter the first name of the entity’s contact person.
      2. Last Name. Enter the last name of the entity’s contact person.
      3. Type. Select the type of entity from the drop down menu. The choices are Billing, Technical, Administrative, and Other.
      4. Company. Enter the name of the company by which the contact person is employed.
      5. Liberty Principal Identifier. Enter the name identifier that points to an online instance of the contact person’s personal information profile.
      6. Email. Enter the email address of the contact person.
      7. Telephone. Enter the telephone number of the contact person.
    5. Click OK to save the values assigned to the Contact Person attributes.
    6. Click Next to configure the Authentication Domains to which the provider belongs in Step 4.
      1. Use the direction arrows to move a Selected authentication domain into the Available list.
      2. Click Save.

         This will assign the provider to an authentication domain. A provider can belong to one or more authentication domains; however, a provider without a specified authentication domain cannot participate in Liberty-based communications.

    7. Click Finish.

To Configure an Affiliate Entity Descriptor

  1. Choose Entity Descriptors from the View menu in the Navigation pane of the Federation Management module.
  2. Select the desired affiliate entity descriptor.

     The entity descriptor’s attributes are displayed in the Data pane.

To Configure General Attributes for an Affiliate Entity Descriptor

After selecting the desired affiliate entity descriptor from the Navigation pane:

  1. Select General from the View menu in the Data pane and provide information for the following attributes (separated into three groups):

    Entity Common Attributes

    1. Entity Type. The static value of this attribute is Affiliate.
    2. Description. Enter a description of the affiliation.
    3. Valid Until. Enter the expiration date for the metadata pertaining to the affiliation. The value is defined in the format:

       yyyy-mm-ddThh:mm:ss.SZ

       For example, 2004-12-31T12:30:00.0-0800

    4. Cache Duration. Enter the maximum amount of time the entity descriptor can be cached. The value is defined in the format:

       PnYnMnDTnHnMnS, where n is an integer variable.

       For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.

    Entity Contact Person

    5. First Name. Enter the first name of the entity’s contact person.
    6. Last Name. Enter the last name of the entity’s contact person.
    7. Type. Select the type of entity from the drop down menu. The choices are Billing, Technical, Administrative, and Other.
    8. Company. Enter the name of the company by which the contact person is employed.
    9. Liberty Principal Identifier. Enter the name identifier that points to an online instance of the contact person’s personal information profile.
    10. Email. Enter the email address of the contact person.
    11. Telephone. Enter the telephone number of the contact person.

    Entity Organization

    12. Name. Enter the name of the entity’s organization. The value is defined in the format:

       locale|organization_name

       For example, en|organization_name.com

    13. Display Name. Enter the display name of the entity’s organization. The value is defined in the format:

       locale|organization_display_name

       For example, en|organization_display_name.com

    14. URL. Enter the URL of the organization. The value is defined in the format:

       locale|organization_URL

       For example, en|http://www.organization_name.com

  2. Click Save.

To Configure Affiliates Attributes for an Affiliate Entity Descriptor

After selecting the desired affiliate entity descriptor from the Navigation pane:

  1. Select Affiliates from the View menu in the Navigation pane.
  2. Provide information for the following Affiliate attributes (separated into three groups):

    Affiliate Common Attributes

    1. Affiliate ID. The value of this attribute should be defined during the creation of the Affiliate Entity Descriptor. For more information, see To Create an Entity Descriptor of Either Type.
    2. Affiliate Owner ID. The value of this attribute should be defined during the creation of the Affiliate Entity Descriptor. For more information, see To Create an Entity Descriptor of Either Type.
    3. Valid Until. Enter the expiration date for the metadata pertaining to the provider. The value is defined in the format:

       yyyy-mm-ddThh:mm:ss.SZ

       For example, 2004-12-31T12:30:00.0-0800

    4. Cache Duration. Enter the maximum amount of time an entity descriptor can be cached. The value is defined in the format:

       PnYnMnDTnHnMnS, where n is an integer.

       For example, P1Y2M4DT9H8M20S defines the cache duration as 1 year, 2 months, 4 days, 9 hours, 8 minutes, and 20 seconds.

    Signing Key

    5. Key Alias. Enter the signing certificate key alias used to sign requests and responses for a hosted (local) provider. For a remote provider, this is the public key that the provider uses to verify the signatures.

    Encryption Key

    6. Key Alias. Enter the security certificate alias. Certificates are stored in a JKS keystore file. Each specific certificate is mapped to an alias which is used to fetch the certificate.
    7. Key Size. Enter the length for keys used by the Web service consumer when interacting with another entity.
    8. Encryption Method. Choose the method of encryption. The choices are None, 3DES, AES, and DES.

    Affiliate Members

    9. Affiliate Members. Use the direction arrows to move a Selected provider into the Available list. This field allows you to define one or more providers as members of the affiliation. The providers displayed in the Selected list are pre-defined in existing container entity descriptors.

  3. Click Save.
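The Valid Until and Cache Duration formats, the requirement that Assertion Consumer Service URL ID be set for urn:liberty:iff:2002-12, and the rule that a provider without an authentication domain cannot take part in Liberty-based communications (all from the provider and affiliate procedures above) can be checked before metadata is loaded or trusted. The following Python is an added example, not Access Manager code; the dictionary keys and the sample values are constructed for illustration and are not Access Manager attribute names.

```python
"""Checks on Liberty ID-FF provider metadata values, using the formats and rules
given in the provider and affiliate procedures above.

Added example, not part of Access Manager. The dictionary keys (valid_until,
cache_duration, protocol_support, acs_url_id, authentication_domains) are
assumed names for the wizard attributes, not Access Manager identifiers.
"""
import calendar
import re
from datetime import datetime, timedelta, timezone

LIBERTY_1_1 = "urn:liberty:iff:2002-12"  # Protocol Support Enumeration, ID-FF 1.1
LIBERTY_1_2 = "urn:liberty:iff:2003-08"  # Protocol Support Enumeration, ID-FF 1.2

# PnYnMnDTnHnMnS: every component is optional, and so is the whole T section.
_DURATION_RE = re.compile(
    r"^P(?:(?P<Y>\d+)Y)?(?:(?P<M>\d+)M)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_valid_until(value):
    """Parse the Valid Until format yyyy-mm-ddThh:mm:ss.SZ, e.g. 2004-12-31T12:30:00.0-0800.

    %f accepts one to six fractional digits and %z accepts -0800, -08:00 or Z,
    so both the wizard's example and UTC values parse to an aware datetime.
    """
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_cache_duration(value):
    """Parse the Cache Duration format PnYnMnDTnHnMnS into a dict of integer parts."""
    match = _DURATION_RE.match(value)
    if match is None or value in ("P", "PT"):
        raise ValueError("not a PnYnMnDTnHnMnS duration: %r" % value)
    return {name: int(digits or 0) for name, digits in match.groupdict().items()}


def add_duration(start, parts):
    """Add a parsed duration to an aware datetime.

    Years and months are calendar units, so they are added to the year/month
    fields (clamping the day to the target month's length); days, hours,
    minutes and seconds are fixed amounts of time and go through timedelta.
    """
    total_months = start.year * 12 + (start.month - 1) + parts["Y"] * 12 + parts["M"]
    year, month_index = divmod(total_months, 12)
    month = month_index + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    stepped = start.replace(year=year, month=month, day=day)
    return stepped + timedelta(days=parts["D"], hours=parts["h"],
                               minutes=parts["m"], seconds=parts["s"])


def check_provider(meta, now, loaded_at):
    """Return the list of problems with a provider's metadata values.

    An empty list means the metadata is current and satisfies the rules stated
    in the procedure; each entry is a reason not to use the metadata as is.
    """
    problems = []
    valid_until = parse_valid_until(meta["valid_until"])
    if now >= valid_until:
        problems.append("metadata expired at %s" % valid_until.isoformat())
    refresh_at = add_duration(loaded_at, parse_cache_duration(meta["cache_duration"]))
    if now >= refresh_at:
        problems.append("cached copy past its Cache Duration since %s; reload the metadata"
                        % refresh_at.isoformat())
    protocol = meta["protocol_support"]
    if protocol not in (LIBERTY_1_1, LIBERTY_1_2):
        problems.append("unknown Protocol Support Enumeration %r" % protocol)
    if protocol == LIBERTY_1_1 and not meta.get("acs_url_id"):
        problems.append("Assertion Consumer Service URL ID is required for " + LIBERTY_1_1)
    if not meta.get("authentication_domains"):
        problems.append("provider belongs to no authentication domain and cannot "
                        "take part in Liberty-based communications")
    return problems


# Constructed sample values, not taken from any real deployment.
SAMPLE_OK = {
    "valid_until": "2005-12-31T12:30:00.0-0800",
    "cache_duration": "P1Y2M4DT9H8M20S",
    "protocol_support": LIBERTY_1_2,
    "acs_url_id": "",
    "authentication_domains": ["sample-domain"],
}
SAMPLE_BAD = {
    "valid_until": "2005-12-31T12:30:00.0-0800",
    "cache_duration": "P1D",
    "protocol_support": LIBERTY_1_1,
    "acs_url_id": "",
    "authentication_domains": [],
}
NOW = datetime(2005, 6, 1, tzinfo=timezone.utc)
LOADED = datetime(2005, 5, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, meta in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_provider(meta, NOW, LOADED) or ["no problems"])
```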

To Delete an Entity Descriptor of Either Type

  1. Choose Entity Descriptors from the View menu in the Navigation pane of the Federation Management module.
  2. Check the box next to the entity descriptor you want to delete.
  3. Click Delete.

     There is no warning message when performing a delete.


    Note

    If a remote entity descriptor is to be deleted from the console, it first needs to be manually removed from the Trusted Providers list (if the provider is hosted) and the Available Providers list (if part of an affiliation).



Federation Management API

The com.sun.liberty package provides the interface that forms the basis of the Federation Management API. The LibertyManager class must be instantiated by web applications that want to access the Federation Management module. It contains the methods needed by the module JSPs for account federation, session termination, log in, log out and other actions. Some of these methods are:

Table 3-3  Federation Management API

Method
    Description

getSPList()
    Returns a list of all trusted service providers.

getSPList(String hostedProviderID)
    Returns a list of all trusted service providers for the specified hosted provider.

getIDPList()
    Returns a list of all trusted identity providers.

getIDPList(String hostedProviderID)
    Returns a list of all trusted identity providers for the specified hosted provider.

getSPFederationStatus(String user, String provider)
    Retrieves a user’s federation status with a specified service provider. This method assumes the user is already federated with the provider.

getIDPFederationStatus(String user, String provider)
    Retrieves a user’s federation status with a specified identity provider. This method assumes the user is already federated with the provider.

getFederatedProviders(String userName)
    Returns a specific user’s federated providers.

getProvidersToFederate(String providerID, String userName)
    Returns the list of all trusted identity providers with which the specified user is not already federated.

ListOfCOTs(String providerID)
    Returns a list of authentication domains for the given provider.

For more detailed API reference information, see the Javadocs in /AccessManager_base/SUNWam/docs.


Federation Management Samples

Access Manager provides a collection of sample files, located in the /AccessManager_base/SUNWam/samples/liberty/Sample1 directory, to configure a basic environment for creating and managing a federation. The example demonstrates the basic use of various Liberty-based federation protocols including account federation, SSO, single logout, and federation termination. The sample should be completed in the following sequence:

  1. Install Access Manager
  2. Update and load the metadata
  3. Deploy the service provider
  4. Deploy the identity provider
  5. Create and manage the federation

The following sections include more information on these steps.


Note

The Readme file located with the sample in /AM_Install_Dir/SUNWam/samples/liberty/sample1 also contains instructions for configuring a common domain. For information on common domains, see Common Domain of Chapter 1, "Introduction to the Liberty Alliance Project" and Common Domain Services of this chapter.


Installing Access Manager

The first step in creating a federated environment is installing Access Manager on two separate machines. One installation will act as a service provider, and one will act as an identity provider.


Note

Instructions on installing Access Manager can be found in the Sun Java Enterprise System Installation Guide (http://docs.sun.com/coll/entsys_05q1).


The default installation directory for the Solaris™ operating system is /opt/SUNWam.

Updating and Loading the Metadata

Update and load the sp1Metadata.xml file with values appropriate to your Access Manager installation. The file is located in /AccessManager_base/SUNWam/samples/liberty/sample1. Table 3-4 summarizes the default values which should be modified based on your installation configuration.

Table 3-4  Default Values in sp1Metadata.xml for Sample1

Installation Parameter          Service Provider Value      Identity Provider Value

Provider Name                   SP1                         IDP1
Host Name                       www.sp1.com                 www.idp1.com
Port                            SERVER_PORT_#               SERVER_PORT_#
Access Manager Deployment URI   amserver                    amserver
Access Manager root suffix      dc=sp1,dc=com               dc=idp1,dc=com
                                (in both cases, the DN attribute of the OrganizationRequests element)
Certificate Alias               SP1_SECURITY_KEY            IDP1_SECURITY_KEY
metaAlias                       www.sp1.com                 www.idp1.com

Load the updated sp1Metadata.xml file using the following command:

/AccessManager_base/SUNWam/bin/amadmin -u amadmin -w password -t sp1Metadata.xml

Deploying the Service Provider

The following sequence should be followed in order to deploy the service provider:

  1. Configure the AMClient.properties file.
  2. Create a WAR file.
  3. Deploy the WAR file.

To Configure AMClient.properties

Replace the following tags in the AMClient.properties file with values appropriate to your configuration. AMClient.properties is located in /AccessManager_base/SUNWam/samples/liberty/sample1/sp1/WEB-INF/classes/.

To Create a WAR File for SP1

  1. Change to the sp1 directory:

     cd /AccessManager_base/SUNWam/samples/liberty/sample1/sp1

  2. Run the jar command, packaging the contents of the current directory:

     jar -cvf sp1.war .

To Deploy the Service Provider WAR File

Choose the option appropriate to your environment.

If Access Manager is Installed on Sun Java System Web Server


Caution

Before manually deploying a web application, be sure that the:

  • server_root/bin/https/httpsadmin/bin directory is in your path.
  • IWS_SERVER_HOME environment variable is set to your server_root directory.

  1. Enter the command:

     wdeploy deploy -u uri_path -i instance -v vs_id [-d directory] war_file

     where:

     • uri_path is the URI prefix for the web application.
     • instance is the server instance name.
     • vs_id is the virtual server ID.
     • directory is the directory to which the application is deployed. If not specified, the application is deployed to the document root directory.
     • war_file is the WAR file name.

     An example might be:

     wdeploy deploy -u /sp1 -i www.sp1.com -v https-www.sp1.com -d begin_dir/web-apps/sp1 sp1.war

  2. Restart the Web Server.

If Access Manager is Installed on Sun Java System Application Server

  1. Use the asadmin deploy command to deploy the WAR module. The complete syntax is:

     asadmin deploy --user admin_user [--password admin_password] [--passwordfile password_file]
         --host hostname --port adminport [--secure | -s] [--virtualservers virtual_servers]
         [--type application|ejb|web|connector] [--contextroot contextroot] [--force=true]
         [--precompilejsp=false] [--verify=false] [--name component_name] [--upload=true]
         [--retrieve local_dirpath] [--instance instance_name] path_to_file

     For example:

     asadmin deploy --user amadmin --password pswd1234 --host www.sp1.com --port 4848 --type web --contextroot SP1 --instance server1 sp1.war

  2. Restart the Application Server.

Deploying the Identity Provider

The following sequence should be followed in order to deploy the identity provider:

  1. Configure the AMClient.properties file.
  2. Create a WAR file.
  3. Deploy the WAR file.

To Configure AMClient.properties

Replace the following tags in the AMClient.properties file with values appropriate to your configuration. AMClient.properties is located in /AccessManager_base/SUNWam/samples/liberty/sample1/idp1/WEB-INF/classes/.

To Create a WAR File for IDP1

  1. Change to the idp1 directory:

     cd /AccessManager_base/SUNWam/samples/liberty/sample1/idp1

  2. Run the jar command, packaging the contents of the current directory:

     jar -cvf idp1.war .

To Deploy the Identity Provider WAR File

Choose the option appropriate to your environment.

If Access Manager is Installed on Sun Java System Web Server


Caution

Before manually deploying a web application, be sure that the:

  • server_root/bin/https/httpsadmin/bin directory is in your path.
  • IWS_SERVER_HOME environment variable is set to your server_root directory.

  1. Enter the command:

     wdeploy deploy -u uri_path -i instance -v vs_id [-d directory] war_file

     where:

     • uri_path is the URI prefix for the web application.
     • instance is the server instance name.
     • vs_id is the virtual server ID.
     • directory is the directory to which the application is deployed. If not specified, the application is deployed to the document root directory.
     • war_file is the WAR file name.

     An example might be:

     wdeploy deploy -u /idp1 -i www.idp1.com -v https-www.idp1.com -d /AccessManager_base/SUNWam/web-apps/idp1 idp1.war

  2. Restart the Web Server.

If Access Manager is Installed on Sun Java System Application Server

  1. Use the asadmin deploy command to deploy the WAR module. The complete syntax is:

     asadmin deploy --user admin_user [--password admin_password] [--passwordfile password_file]
         --host hostname --port adminport [--secure | -s] [--virtualservers virtual_servers]
         [--type application|ejb|web|connector] [--contextroot contextroot] [--force=true]
         [--precompilejsp=false] [--verify=false] [--name component_name] [--upload=true]
         [--retrieve local_dirpath] [--instance instance_name] path_to_file

     For example:

     asadmin deploy --user amadmin --password pswd1234 --host www.idp1.com --port 4848 --type web --contextroot IDP1 --instance server1 idp1.war

  2. Restart the Application Server.

Creating and Managing a Federation

The following sections provide procedures for creating, managing, and terminating a federation.

To Federate the Service Provider and Identity Provider Accounts

  1. Access the following URL in a web browser:

     SERVER_PROTO://SERVER_HOST:PORT/sp1/index.jsp

     For example, http://www.sp1.com:58080/sp1/index.jsp.


    Note

    index.jsp is a protected page that includes _head.jsp. _head.jsp checks the request for a valid user session. If the session is invalid, it redirects the request to the Pre-Login service, which attempts single sign-on. Since this is a first-time access, single sign-on will fail and the request is then redirected to the common login page.


  2. Click the Local Login link on the common login page.

     You are redirected to SP1’s login page.

  3. Log in to SP1.

     After successful authentication at SP1, index.jsp is displayed. index.jsp has three links:

     • The Federate link initiates the federation process.
     • The Logout link initiates the single logout process.
     • The Terminate Federation link initiates the federation termination process.

  4. Click the Federate link.

     The Federate page is displayed.

  5. Select the identity provider with which you want to federate.

     In Sample1, you would select the deployed IDP1 as your identity provider, and IDP1’s login page is displayed.

  6. Provide authentication credentials for your IDP1 account.

     If the authentication is successful, the Federation Done page is displayed, indicating that you have successfully federated these two accounts.


    Note

    If the account is already federated, you will be redirected to the IDP login page.


To Accomplish Single Sign-On

After successfully federating the two providers, follow these instructions to accomplish single sign-on.

  1. Start a new browser session and access the SP1 protected page, SERVER_PROTO://SERVER_HOST:PORT/sp1/index.jsp. For example, http://www.sp1.com:58080/sp1/index.jsp.

     You will be redirected to the IDP1 Login page for authentication.

  2. Provide authentication credentials for your IDP1 account.

     If authentication is successful, the initially accessed SP1 protected page is displayed without asking for SP1 authentication credentials. If authentication is not successful, an error message is displayed, and you are directed to start over.

To Perform a Single Logout

From either the SP1 protected page or the IDP1 protected page, index.jsp, click the Logout link. You will be logged out from both providers, and the Logout Done page is displayed.


Note

Both the service provider and identity provider have different protected index.jsp pages. The URLs are:

  • SERVER_PROTO://SERVER_HOST:PORT/sp1/index.jsp
  • SERVER_PROTO://SERVER_HOST:PORT/idp1/index.jsp

To Terminate Account Federation

  1. From either the SP1 protected page or the IDP1 protected page, click the Terminate Federation link.

     The Federation Termination page is displayed.

  2. Select a provider to terminate your account federation.

     For Sample1, select IDP1. Upon successful federation termination, the Termination Done page is displayed.


    Note

    Appendix A, "Included Samples" includes information on two more samples that make use of the Federation Management module.



Part No: 817-7648.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.