Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Setting Up Liberty ID-WSF 1.1 Profiles

Access Manager automatically detects which version of the Liberty ID-WSF profiles is in use. When Access Manager is the web services provider (WSP), it reads the version from the incoming SOAP message. When it is the web services consumer (WSC), it uses the version that the WSP registered with the Discovery Service. If the WSP cannot determine the version from the incoming SOAP message, or the WSC cannot reach the Discovery Service, the version set by the com.sun.identity.liberty.wsf.version property in AMConfig.properties is used. The following steps configure Access Manager to use the Liberty ID-WSF 1.1 profiles.

Procedure: To Configure Access Manager to Use Liberty ID-WSF 1.1 Profiles

  1. Install Access Manager on two different machines.

    Test the installation by logging in to the console at http://server:port/amserver/UI/Login.

  2. Set up the two instances of Access Manager to communicate using the Liberty ID-FF protocols.

    This entails configuring one instance as the service provider (SP) and the other as the identity provider (IDP). Instructions can be found in Entities and Authentication Domains or in the README file in the /AccessManager-base/samples/liberty/sample1 directory.


    Note –

    This step also entails creating a keystore for each provider. Instructions are in /AccessManager-base/samples/saml/xmlsig/keytool.html or in Appendix B, Key Management, in this guide. For testing purposes you can copy the same keystore to each machine; otherwise, export each provider's public key certificate and import it into the other machine's keystore (the private keys stay where they were generated). Be sure to update the Key Alias attribute for each provider in AMConfig.properties and, if both machines are in the same DNS domain, change the cookie name on one of them (in the same file) so that the two instances' session cookies do not overwrite each other.


  3. Using the Access Manager console on the SP side, change the value of the Protocol Support Enumeration attribute to urn:liberty:iff:2003-08 in both provider configurations.

    The value of this attribute defines the supported release of the Liberty ID-FF; in this case, version 1.2.

  4. Set up the two instances of Access Manager for communication with the Liberty ID-WSF web services.

    This entails copying the files in the /AccessManager-base/samples/phase2/wsc directory to your web container's document root directory and making the changes specified in the sample README file. The relevant files and their functions are:

    • index.jsp: Retrieves the bootstrapping resource offering for the Discovery Service.

    • discovery-modify.jsp: Adds (or removes) a resource offering for a user.

    • discovery-query.jsp: Sends a query to the Discovery Service for a resource offering.

    • id-sis-pp-modify.jsp: Sends a Data Service Modify request to modify user attributes.

    • id-sis-pp-query.jsp: Sends a Data Service Query request to retrieve user attributes.

  5. Copy the discovery-modify.jsp reproduced below into the web container's document root directory, replacing the file already there.

    This JSP is configured to use the Liberty ID-WSF 1.1 Bearer token profile (<SecurityMechID>urn:liberty:security:2005-02:null:Bearer</SecurityMechID>) and attaches the AUTHENTICATE_REQUESTER and GENERATE_BEARER_TOKEN directives to the inserted entry; the AUTHORIZE_REQUESTER directive is present but commented out. You can modify this file to use another profile, such as the X509 or SAML token profile, if you know the URI defined for that Liberty ID-WSF 1.1 profile. Note that the POST handler reads the Discovery Service's resource offering from whatever server-side file path arrives in the discoResourceOffering form field, so treat the page as test tooling and remove it from the web container when the test is finished.


    <%--
        Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
        Use is subject to license terms.
    --%>

    <%@page import="java.io.*,java.util.*,com.sun.identity.saml.common.*,
    com.sun.identity.liberty.ws.disco.*,com.sun.identity.liberty.ws.disco.common.*,
    javax.xml.transform.stream.*,
    com.sun.identity.liberty.ws.idpp.plugin.IDPPResourceIDMapper,
    com.iplanet.sso.*,com.sun.liberty.LibertyManager" %>
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head><title>Discovery Service Modification</title></head>
    <body bgcolor="white">
    <h1>Discovery Service Modification</h1>
    <%
        if (request.getMethod().equals("GET")) {
            // GET: render the form, pre-filled with a personal profile (PP)
            // resource offering for the user configured below.
            String resourceOfferingFile =
                request.getParameter("discoveryResourceOffering");
            if (resourceOfferingFile == null) {
                resourceOfferingFile = "";
            }
            String entryID = request.getParameter("entryID");
            if (entryID == null) {
                entryID = "";
            }

            // The following three values need to be changed to register a
            // personal profile resource offering for a user.
            String ppProviderID =
                "http://shivalik.red.iplanet.com:58080/amserver/Liberty/idpp";
            String userDN = "uid=amAdmin,ou=People,dc=iplanet,dc=com";
            String ppEndPoint =
                "http://shivalik.red.iplanet.com:58080/amserver/Liberty/idpp";

            String providerID = request.getParameter("providerID");
            String ppResourceID = (new IDPPResourceIDMapper()).getResourceID(
                ppProviderID, userDN);

            // Resource offering for the PP service. The SecurityMechID selects
            // the Liberty ID-WSF 1.1 Bearer token profile.
            String newPPRO =
                "<ResourceOffering xmlns=\"urn:liberty:disco:2003-08\">"
                + "  <ResourceID>" + ppResourceID + "</ResourceID>\n"
                + "  <ServiceInstance>\n"
                + "    <ServiceType>urn:liberty:id-sis-pp:2003-08</ServiceType>\n"
                + "    <ProviderID>" + ppProviderID + "</ProviderID>\n"
                + "    <Description>"
                + "      <SecurityMechID>urn:liberty:security:2005-02:null:Bearer"
                + "</SecurityMechID>\n"
                + "      <Endpoint>" + ppEndPoint + "</Endpoint>\n"
                + "    </Description>\n"
                + "  </ServiceInstance>\n"
                + "  <Abstract>This is xyz </Abstract>\n"
                + "</ResourceOffering>";
    %>
    <form method="POST">
    <table>
    <tr>
    <td>ResourceOffering (for discovery service itself)</td>
    <td>
    <textarea rows="2" cols="30" name="discoResourceOffering"><%= resourceOfferingFile %></textarea>
    </td>
    </tr>
    <tr>
    <td>PP ResourceOffering to add</td>
    <td>
    <textarea rows="20" cols="60" name="insertStr"><%= newPPRO %></textarea>
    </td>
    </tr>
    <tr>
    <td>AND/OR PP ResourceOffering to remove</td>
    <td>
    <textarea rows="2" cols="30" name="entryID"></textarea>
    </td>
    </tr>
    </table>
    <input type="hidden" name="providerID" value="<%= providerID %>" />
    <input type="submit" value="Send Discovery Update Request" />
    </form>
    <%
        } else {
            // POST: build a Discovery Service Modify request from the form
            // values and send it.
            try {
                // Server-side path of the file holding the Discovery Service's
                // own resource offering (filled in by index.jsp).
                String resourceXMLFile = request.getParameter("discoResourceOffering");
                String resourceXML = null;
                try {
                    BufferedReader bir = new BufferedReader(
                        new FileReader(resourceXMLFile));
                    try {
                        StringBuffer buffer = new StringBuffer(2000);
                        int b1;
                        while ((b1 = bir.read()) != -1) {
                            buffer.append((char) b1);
                        }
                        resourceXML = buffer.toString();
                    } finally {
                        bir.close();
                    }
                } catch (Exception e) {
                    %>Warning: cannot read disco resource offering.<%
                }
                String insertString = request.getParameter("insertStr");
                String entryID = request.getParameter("entryID");
                String providerID = request.getParameter("providerID");
                if (resourceXML == null || resourceXML.equals("")) {
                    %>ERROR: resource offering missing<%
                } else {
                    ResourceOffering offering;
                    try {
                        offering = new ResourceOffering(DiscoUtils.parseXML(
                            resourceXML));
                        DiscoveryClient client = new DiscoveryClient(
                            offering,
                            SSOTokenManager.getInstance().createSSOToken(request),
                            providerID);
                        Modify mod = new Modify();
                        mod.setResourceID(offering.getResourceID());
                        mod.setEncryptedResourceID(offering.getEncryptedResourceID());
                        if ((insertString != null) &&
                                !(insertString.equals("")))
                        {
                            InsertEntry insert = new InsertEntry(
                                new ResourceOffering(
                                    DiscoUtils.parseXML(insertString)),
                                null);
                            // Directives attached to the inserted entry.
                            // Uncomment the AUTHORIZE_REQUESTER directive
                            // when it is required.
                            List directives = new ArrayList();
                            Directive dir1 = new Directive(
                                Directive.AUTHENTICATE_REQUESTER);
                            directives.add(dir1);
                            // Directive dir2 = new Directive(
                            //     Directive.AUTHORIZE_REQUESTER);
                            // directives.add(dir2);
                            Directive dir3 = new Directive(
                                Directive.GENERATE_BEARER_TOKEN);
                            directives.add(dir3);
                            insert.setAny(directives);
                            List inserts = new ArrayList();
                            inserts.add(insert);
                            mod.setInsertEntry(inserts);
                        }
                        if ((entryID != null) && !(entryID.equals(""))) {
                            RemoveEntry remove = new RemoveEntry(
                                com.iplanet.am.util.XMLUtils.escapeSpecialCharacters(
                                    entryID));
                            List removes = new ArrayList();
                            removes.add(remove);
                            mod.setRemoveEntry(removes);
                        }
                        if ((mod.getInsertEntry() == null) &&
                                (mod.getRemoveEntry() == null))
                        {
                            %>ERROR: empty Modify<%
                        } else {
                            %>
                            <h2>Formed Modify :</h2>
                            <pre><%= SAMLUtils.displayXML(mod.toString()) %></pre>
                            <%
                            ModifyResponse resp2 = client.modify(mod);
                            %>
                            <h2>Got result:</h2>
                            <pre><%= SAMLUtils.displayXML(resp2.toString()) %></pre>
                            <%
                        }
                    } catch (Throwable t) {
                        t.printStackTrace();
                        StringWriter buf = new StringWriter();
                        t.printStackTrace(new PrintWriter(buf));
                        %>
                        ERROR: caught exception:
                        <pre>
                        <%
                        out.println(buf.toString());
                        %>
                        </pre>
                        <%
                    }
                }
    %>
                <p><a href="index.jsp">Return to index.jsp</a></p>
    <%
            } catch (Throwable e) {
                e.printStackTrace();
                StringWriter buf = new StringWriter();
                e.printStackTrace(new PrintWriter(buf));
                %>
                ERROR: caught exception:
                <pre>
                <%
                out.println(buf.toString());
                %>
                </pre>
                <%
            }
        }
    %>
            <hr/>
        </body>
    </html>

  6. Modify the values of the following properties in AMConfig.properties on the IDP side to reflect the key aliases.

    AMConfig.properties is located in /etc/opt/SUNWam/config. Set the following properties; the values shown are placeholders for the aliases in your keystore.

    • com.sun.identity.liberty.ws.wsc.certalias=wsc_certificate_alias

    • com.sun.identity.liberty.ws.ta.certalias=signing_trusted_authority_certificate_alias

    • com.sun.identity.liberty.ws.trustedca.certaliases=list_of_trusted_authority_certification_alias

  7. Register the Liberty Personal Profile Service for the user defined by userDN in discovery-modify.jsp.

    Under the default top-level realm on the instance of Access Manager acting as the IDP, go to Subjects and click User. Select the user and click Services. Click Add and register the Liberty Personal Profile Service.


    Note –

    In the discovery-modify.jsp reproduced above, the user is the default administrator, amAdmin, as set by the line:


    String userDN = "uid=amAdmin,ou=People,dc=iplanet,dc=com";

  8. Restart both instances of Access Manager.

  9. Test that the Liberty ID-WSF 1.1 profiles are working by following the Run the Sample section of the README in /AccessManager-base/samples/phase2/wsc.
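The certificate exchange that the note in step 2 describes (export each provider's public certificate and import it into the other provider's keystore), as an added example using the JDK's KeyStore API instead of the keytool commands in the sample's keytool.html. This is not code from the guide or from Access Manager; the keystore type (JKS), the alias names used in the usage note and the fallback password are assumptions, and it needs a JDK 7 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Exports a provider's public signing certificate from its keystore, or
 * imports a peer's exported certificate as a trusted entry. Run "export" on
 * one machine, copy the .cer file across, run "import" on the other, and
 * compare the fingerprints printed on both sides before relying on it.
 * Added example; keystore type, alias names and the fallback password are
 * assumptions, not values from the guide.
 */
public class ProviderCertExchange {

    static KeyStore load(String path, char[] storePass)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumed keystore type
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    static void store(KeyStore ks, String path, char[] storePass)
            throws GeneralSecurityException, IOException {
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, storePass);
        }
    }

    /** Colon-separated SHA-256 fingerprint of the DER encoding. */
    static String fingerprint(Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            sb.append(i > 0 ? ":" : "").append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** The public certificate under alias; the private key stays in the keystore. */
    static Certificate exportCert(KeyStore ks, String alias) throws GeneralSecurityException {
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + alias);
        }
        return cert;
    }

    /**
     * Parses a DER certificate, rejects one that is expired or not yet valid,
     * and stores it as a trusted certificate entry under a fresh alias.
     */
    static X509Certificate importTrustedCert(KeyStore ks, String alias, byte[] der)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(der));
        cert.checkValidity();
        if (ks.containsAlias(alias)) {
            throw new IllegalStateException("alias already in use: " + alias);
        }
        ks.setCertificateEntry(alias, cert);
        return cert;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4 || !(args[0].equals("export") || args[0].equals("import"))) {
            System.err.println("usage: export|import <keystore> <alias> <certfile>");
            System.exit(2);
        }
        // Prompt for the password rather than taking it on the command line;
        // the fixed fallback exists only for non-interactive runs.
        char[] pass = System.console() != null
                ? System.console().readPassword("Keystore password: ")
                : "changeit".toCharArray();
        KeyStore ks = load(args[1], pass);
        if (args[0].equals("export")) {
            Certificate cert = exportCert(ks, args[2]);
            Files.write(Paths.get(args[3]), cert.getEncoded());
            System.out.println("exported " + args[2] + "  SHA-256 " + fingerprint(cert));
        } else {
            byte[] der = Files.readAllBytes(Paths.get(args[3]));
            X509Certificate cert = importTrustedCert(ks, args[2], der);
            store(ks, args[1], pass);
            System.out.println("trusted " + cert.getSubjectX500Principal()
                    + " as " + args[2] + "  SHA-256 " + fingerprint(cert));
        }
    }
}
```

On the SP machine run java ProviderCertExchange export sp-keystore.jks sp-signing sp.cer, copy sp.cer to the IDP machine and there run java ProviderCertExchange import idp-keystore.jks sp-trust sp.cer; then repeat in the other direction. The alias given to import must not be one the importing keystore already uses (in particular not its own Key Alias), and the fingerprint printed by import should match the one printed by export on the other machine.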
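The InsertEntry that discovery-modify.jsp assembles in step 5, as an added example in plain JDK Java: it produces the same personal profile ResourceOffering and the same two directives the JSP attaches, but builds them with a DOM so that values such as ResourceID and ProviderID are escaped rather than concatenated into a string, and adds a check the JSP does not have, flagging a Bearer-profile offering whose endpoint is not HTTPS (the sample's http:// endpoint trips it, which is acceptable for a lab but not elsewhere, since a bearer token can be replayed by anyone who reads it off the wire). This is not code from the guide or the product; the directive element names AuthenticateRequester and GenerateBearerToken are assumed to be the disco-namespace elements behind the Directive constants the JSP uses, and the resource ID is a placeholder for what IDPPResourceIDMapper returns.

```java
import java.io.StringWriter;
import java.util.Arrays;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Builds the InsertEntry that discovery-modify.jsp sends (a personal profile
 * ResourceOffering plus its directives) with a DOM, so that ResourceID,
 * ProviderID and Endpoint are escaped, and checks the security mechanism the
 * offering advertises. Added example, not the guide's code; directive element
 * names are assumed from the Liberty Discovery Service schema.
 */
public class PPResourceOffering {
    static final String DISCO_NS = "urn:liberty:disco:2003-08";
    static final String PP_SERVICE_TYPE = "urn:liberty:id-sis-pp:2003-08";
    static final String SECMECH_PREFIX = "urn:liberty:security:2005-02:";
    static final String AUTHENTICATE_REQUESTER = "AuthenticateRequester";
    static final String GENERATE_BEARER_TOKEN = "GenerateBearerToken";

    /** {transport, message} of an ID-WSF 1.1 mechanism URI, e.g. {"null", "Bearer"}. */
    static String[] parseSecMech(String uri) {
        if (uri == null || !uri.startsWith(SECMECH_PREFIX)) {
            throw new IllegalArgumentException("not an ID-WSF 1.1 mechanism: " + uri);
        }
        String[] parts = uri.substring(SECMECH_PREFIX.length()).split(":", -1);
        if (parts.length != 2 || parts[0].isEmpty() || parts[1].isEmpty()) {
            throw new IllegalArgumentException("malformed mechanism URI: " + uri);
        }
        return parts;
    }

    /** A bearer token binds to nobody, so a Bearer offering needs an HTTPS endpoint. */
    static boolean bearerEndpointProtected(String secMechId, String endpoint) {
        if (!"Bearer".equals(parseSecMech(secMechId)[1])) {
            return true; // other profiles carry signed tokens; not this check's job
        }
        return endpoint != null && endpoint.toLowerCase().startsWith("https://");
    }

    static Element child(Document doc, Element parent, String name, String text) {
        Element e = doc.createElementNS(DISCO_NS, name);
        if (text != null) {
            e.appendChild(doc.createTextNode(text)); // escaped when serialized
        }
        parent.appendChild(e);
        return e;
    }

    static Document buildInsertEntry(String resourceID, String providerID,
            String endpoint, String secMechId, List<String> directives) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().newDocument();
        Element insert = doc.createElementNS(DISCO_NS, "InsertEntry");
        doc.appendChild(insert);
        Element ro = child(doc, insert, "ResourceOffering", null);
        child(doc, ro, "ResourceID", resourceID);
        Element si = child(doc, ro, "ServiceInstance", null);
        child(doc, si, "ServiceType", PP_SERVICE_TYPE);
        child(doc, si, "ProviderID", providerID);
        Element desc = child(doc, si, "Description", null);
        child(doc, desc, "SecurityMechID", secMechId);
        child(doc, desc, "Endpoint", endpoint);
        for (String d : directives) {
            child(doc, insert, d, null); // directives follow the offering
        }
        return doc;
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        // Same placeholder provider/endpoint as the JSP; the resource ID stands
        // in for what IDPPResourceIDMapper would compute for the user.
        String providerID = "http://shivalik.red.iplanet.com:58080/amserver/Liberty/idpp";
        String secMech = SECMECH_PREFIX + "null:Bearer";
        Document doc = buildInsertEntry("urn:example:pp-resource-id", providerID, providerID,
                secMech, Arrays.asList(AUTHENTICATE_REQUESTER, GENERATE_BEARER_TOKEN));
        System.out.println(serialize(doc));
        if (!bearerEndpointProtected(secMech, providerID)) {
            System.out.println("WARNING: Bearer profile on a plaintext endpoint; lab use only.");
        }
    }
}
```

To switch the offering to another ID-WSF 1.1 profile, change only the URI passed as secMechId; parseSecMech rejects anything that does not have the urn:liberty:security:2005-02:<transport>:<message> shape, which catches the most common typo (a 2003-08 URI pasted from an ID-WSF 1.0 sample).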