Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

The Pre-login URL

The pre-login process is the entry point for applications participating in Liberty-based single sign-on. As described in Process of Federation, the principal would be redirected to the location defined by the pre-login URL if no Access Manager session token is found. This default process, though, can be modified based on the values of query parameters passed to Access Manager by the service provider via a URL.

A query parameter is a name/value pair appended to the end of a URL. The query string starts with a question mark (?) and each parameter takes the form name=value. A number of parameters can be combined in one URL; when more than one parameter exists, they are separated by an ampersand (&). Use the format http://hostname:port/deploy-uri/preLogin?metaAlias=metaAlias. Additional parameters are appended to the URL as &param1=value1&param2=value2 and so on. These parameters, their usage, and their values are described in the following table.

Table 3–1 Pre-login URL Parameters for Federation

Parameter 

Description 

actionOnNoFedCookie

The actionOnNoFedCookie parameter controls where a user is redirected when no fedCookie is present in the browser and there is only one identity provider. It takes the following values:

  • commonlogin will redirect to a common login page.

  • locallogin will redirect to the local Access Manager login page.

  • passive will issue a request to the identity provider by setting the isPassive parameter of the AuthnRequest element to true.

  • active will issue a normal single sign-on request to the identity provider.

anonymousOnetime

The anonymousOnetime parameter can be used by service providers that authenticate users with anonymous, one-time federation sessions. A value of true enables the service provider to issue a one-time federation request and generate an anonymous session after successful verification of the authentication assertion from the identity provider. This feature is useful when the service provider does not have a user repository (for example, http://www.weather.com) but would like to depend on an identity provider for authentication. When the service provider receives a successful authentication assertion from an identity provider, it generates an anonymous, temporary session.

authlevel

The authlevel parameter takes as a value a positive number that maps to an authentication level defined in the Access Manager Authentication Framework. The authentication level indicates how much to trust a method of authentication.


Note –

More information on the authentication framework can be found in Sun Java System Access Manager 7.1 Administration Guide.


In this framework, each service provider is configured with a default authentication context (preferred method of authentication). However, the provider might want to change the assigned authentication context to one that is based on the defined authentication level. For example, if provider B wants to generate a local session with an authentication level of 3, it requests that the identity provider authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.

goto

The goto parameter takes as a value a URL to which the principal will be redirected after a successful SSO. If the value is not specified, default redirection will occur based on the value of the Provider Home Page URL attribute defined in the service provider configuration. The value of this URL can be configured by changing the iplanet-am-provider-homepage-url attribute in the amProviderConfig.xml file.

gotoOnFedCookieNo

The gotoOnFedCookieNo parameter takes as a value a URL to which the principal is redirected if a fedCookie with a value of no is found. The default behavior is to redirect the user to the Access Manager login page.
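As an added example (not code from the guide), the following Python builds and checks a pre-login URL against the parameter rules in Table 3–1: the fixed value set of actionOnNoFedCookie, the boolean anonymousOnetime, the positive-integer authlevel, and the absolute-URL goto and gotoOnFedCookieNo. The host, port and metaAlias values are constructed, and the redirect_hosts allowlist for the two redirect parameters is a defensive choice made by this example, not something the guide specifies.

```python
"""Build and validate Access Manager pre-login URLs (added example, not from the guide)."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Allowed values per Table 3-1 of the guide.
ACTION_ON_NO_FED_COOKIE = {"commonlogin", "locallogin", "passive", "active"}
BOOLEANS = {"true", "false"}
KNOWN_PARAMS = {"metaAlias", "actionOnNoFedCookie", "anonymousOnetime",
                "authlevel", "goto", "gotoOnFedCookieNo"}


def validate_params(params, redirect_hosts=None):
    """Return a list of problems; an empty list means the parameters are acceptable.

    redirect_hosts is an assumed allowlist for goto/gotoOnFedCookieNo. The guide only
    says these are redirect targets; restricting them to known hosts is this example's
    own defensive choice so the login flow cannot be pointed at an arbitrary site.
    """
    errors = []
    if not params.get("metaAlias"):
        errors.append("metaAlias is required")
    for name in params:
        if name not in KNOWN_PARAMS:
            errors.append(f"unknown parameter {name}")
    v = params.get("actionOnNoFedCookie")
    if v is not None and v not in ACTION_ON_NO_FED_COOKIE:
        errors.append(f"actionOnNoFedCookie must be one of {sorted(ACTION_ON_NO_FED_COOKIE)}")
    v = params.get("anonymousOnetime")
    if v is not None and v not in BOOLEANS:
        errors.append("anonymousOnetime must be true or false")
    v = params.get("authlevel")
    if v is not None and not (v.isdigit() and int(v) > 0):
        errors.append("authlevel must be a positive integer")
    for name in ("goto", "gotoOnFedCookieNo"):
        v = params.get(name)
        if v is None:
            continue
        parts = urlsplit(v)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            errors.append(f"{name} must be an absolute http(s) URL")
        elif redirect_hosts is not None and parts.hostname not in redirect_hosts:
            errors.append(f"{name} host {parts.hostname} is not in the redirect allowlist")
    return errors


def build_prelogin_url(base, meta_alias, redirect_hosts=None, **params):
    """Return base/preLogin?metaAlias=...&param=value..., raising on invalid parameters."""
    all_params = {"metaAlias": meta_alias, **params}
    errors = validate_params(all_params, redirect_hosts)
    if errors:
        raise ValueError("; ".join(errors))
    # urlencode percent-encodes values such as a goto URL so they survive as one parameter.
    return f"{base.rstrip('/')}/preLogin?{urlencode(all_params)}"


def parse_prelogin_url(url, redirect_hosts=None):
    """Split a pre-login URL into (base, params, errors).

    A repeated parameter is reported as an error instead of silently picking one
    copy, since different consumers may read different copies.
    """
    parts = urlsplit(url)
    if not parts.path.endswith("/preLogin"):
        return None, {}, ["path does not end in /preLogin"]
    base = f"{parts.scheme}://{parts.netloc}{parts.path[:-len('/preLogin')]}"
    qs = parse_qs(parts.query, keep_blank_values=True)
    errors = [f"parameter {k} is repeated" for k, v in qs.items() if len(v) > 1]
    params = {k: v[0] for k, v in qs.items()}
    errors += validate_params(params, redirect_hosts)
    return base, params, errors


if __name__ == "__main__":
    # Constructed values; www.sp1.com:58080 mirrors the host used in the guide's examples.
    url = build_prelogin_url("http://www.sp1.com:58080/amserver", "www.sp1.com",
                             actionOnNoFedCookie="passive", authlevel="3",
                             goto="http://www.sp1.com/app")
    print(url)
    print(parse_prelogin_url(url, redirect_hosts={"www.sp1.com"}))
```

The parser deliberately flags a repeated metaAlias or goto rather than choosing one copy, and goto values are accepted only when they are absolute http(s) URLs on a host you list in redirect_hosts.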

To modify the pre-login URL, edit the relevant properties in either the AMConfig.properties file or the AMAgent.properties file, depending on your deployment. See the following procedures for more information:

Procedure: To Configure for Pre-login

In a federation setup, Access Manager acts as a service provider and manages an application that runs on a separate instance of Sun Java System Web Server. You must configure the agent that is protecting this application as follows:

  1. Point the com.sun.am.policy.loginURL property in the AMAgent.properties file to the pre-login service URL running on Access Manager.

    For example: com.sun.am.policy.loginURL = http://www.sp1.com:58080/amserver/preLogin?metaAlias=www.sp1.com

  2. Point the com.sun.am.policy.am.library.loginURL in the AMAgent.properties file to the login URL of the instance of Access Manager acting as the service provider.

    For example: com.sun.am.policy.am.library.loginURL = http://www.sp1.com:58080/amserver/UI/Login
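As an added example (not code from the guide or the product), the following Python reads the two agent properties named in the procedure above from an AMAgent.properties fragment and checks that com.sun.am.policy.loginURL points at the preLogin service with a metaAlias, and that com.sun.am.policy.am.library.loginURL points at the Access Manager login page. The properties text is a constructed sample; the check that both URLs name the same Access Manager instance is this example's assumption, drawn from the procedure's own example values rather than a stated rule.

```python
"""Check the AMAgent.properties login URLs from the pre-login procedure (added example)."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the two relevant lines; a real AMAgent.properties is much longer.
SAMPLE_AGENT_PROPERTIES = """\
# Agent login redirection (constructed sample)
com.sun.am.policy.loginURL = http://www.sp1.com:58080/amserver/preLogin?metaAlias=www.sp1.com
com.sun.am.policy.am.library.loginURL = http://www.sp1.com:58080/amserver/UI/Login
"""

PRELOGIN_KEY = "com.sun.am.policy.loginURL"
LIBRARY_LOGIN_KEY = "com.sun.am.policy.am.library.loginURL"


def load_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, # and ! comments.

    Backslash escapes and continuation lines are not handled; enough for these entries.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The key ends at the first '=' or ':' (a URL's own ':' comes later in the value).
        idx = min((i for i, ch in enumerate(line) if ch in "=:"), default=-1)
        if idx < 0:
            key, value = line, ""
        else:
            key, value = line[:idx], line[idx + 1:]
        props[key.strip()] = value.strip()
    return props


def check_agent_login_urls(props):
    """Return a list of findings; empty means both properties match the procedure."""
    findings = []
    pre = props.get(PRELOGIN_KEY)
    lib = props.get(LIBRARY_LOGIN_KEY)
    if pre is None:
        findings.append(f"{PRELOGIN_KEY} is missing")
    else:
        p = urlsplit(pre)
        if not p.path.endswith("/preLogin"):
            findings.append(f"{PRELOGIN_KEY} does not point at the preLogin service")
        if "metaAlias" not in parse_qs(p.query):
            findings.append(f"{PRELOGIN_KEY} lacks the metaAlias query parameter")
    if lib is None:
        findings.append(f"{LIBRARY_LOGIN_KEY} is missing")
    elif not urlsplit(lib).path.endswith("/UI/Login"):
        findings.append(f"{LIBRARY_LOGIN_KEY} does not point at the Access Manager login page")
    if pre and lib:
        # Assumption of this example: both URLs should name the same Access Manager
        # instance (the one acting as service provider), as in the guide's examples.
        a, b = urlsplit(pre), urlsplit(lib)
        if (a.scheme, a.netloc) != (b.scheme, b.netloc):
            findings.append("the two login URLs point at different Access Manager instances")
    return findings


if __name__ == "__main__":
    props = load_properties(SAMPLE_AGENT_PROPERTIES)
    print(check_agent_login_urls(props) or "agent login URLs look consistent")
```

Run it against the relevant lines of your own AMAgent.properties to catch the common slip of pointing both properties at /UI/Login, which bypasses the pre-login service entirely.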

Procedure: To Configure for Global Logout

To implement the logout process for all service providers using the Liberty Logout method, do the following:

  1. Copy the AMClient.properties file to the service provider's web container.

  2. Revise the Logout method, as follows:

    import java.util.ResourceBundle;

    // Load AMClient.properties from the web container's classpath.
    ResourceBundle rsbu = ResourceBundle.getBundle("AMClient");
    // Read the Liberty logout URL configured for this service provider.
    String logouturl = rsbu.getString("com.sun.identity.federation.client.samples.logoutURL");
    // Send the browser to the Access Manager liberty-logout service.
    response.sendRedirect(logouturl);

    This revision is equivalent to a redirection to http://www.sp1.com:58080/amserver/liberty-logout?metaAlias=www.sp1.com.