Creating and Configuring Entities using amadmin
The previous sections detailed how to create and configure entities using the Access Manager console. But entities can also be created and configured in one step using the amadmin command-line interface and prepared XML files. Rather than filling in provider attribute values manually, you would create an XML file containing the provider attributes and corresponding values and import it using amadmin. Alternatively, you can modify the sample provider metadata XML files included with Access Manager. See sample1 Directory for information.
Caution – The format of the XML file used as input is based on the sms.dtd, located in /AccessManager-base/SUNWam/dtd. Alterations to the DTD files may hinder the operation of Access Manager.
There are two types of provider metadata (formatted in XML files) that can be used as input to amadmin:
-
Standard metadata properties are defined in the Liberty ID-FF specification.
-
Extended metadata properties are proprietary and used by features specific to Access Manager.
Note –
amadmin uses different options to load the different types of metadata XML files. Information on how to use amadmin can be found in Using amadmin for Federation Management in Sun Java System Access Manager 7.1 Administration Reference. Information regarding the attributes and possible values can be found in the online help of the Access Manager console or in the following sections:
Following are instructions to load the provider metadata:
Loading Standard Metadata Using amadmin
To load metadata compliant with the Liberty ID-FF use the following command:
amadmin --runasdn userdn --password password --import metadata_filename |
This option is usually used to load provider metadata sent from a trusted partner in an XML file compliant with the Liberty ID-FF. Here is an example of a service provider metadata XML file compliant with the Liberty ID-FF.
Example 3–1 Service Provider Standard Metadata XML File for amadmin
<!--
Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
Use is subject to license terms.
-->
<EntityDescriptor meta:providerID="http://sp10.com" meta:cacheDuration="360"
xmlns:meta="urn:liberty:metadata:2003-08" xmlns="urn:liberty:metadata:2003-08">
<SPDescriptor cacheDuration="180" xmlns:meta="urn:liberty:metadata:2003-08"
aaa="aaa" protocolSupportEnumeration="urn:liberty:iff:2003-08">
<KeyDescriptor use="signing">
<EncryptionMethod>http://something/encrypt</EncryptionMethod>
<KeySize>4567</KeySize>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIIC1DCCApICBD8poYwwCwYHKoZIzjgEAwUAMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x
IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDAeFw0w
MzA3MzEyMzA5MDBaFw0wNDAxMjcyMzA5MDBaMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x
IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDCCAbcw
ggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUP
BPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1
AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hM
KBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4Vrl
nwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKBgCNS1il+RQAQGcQ87GBFde8kf8R6ZVuaDDajFYE4/LNT
Kr1dhEcPCtvL+iUFi44LzJf8Wxh+eA5K1mjIdxOo/UdwTpNQSqiRrm4Pq0wFG+hPnUTYLTtENkVX
IIvfeoVDkXnF/2/i1Iu6ttZckimOPHfLzQUL4ldL4QiaYuCQF6NfMAsGByqGSM44BAMFAAMvADAs
AhQ6yueX7YlD7IlJhJ8D4l6xYqwopwIUHzX82qCzF+VzIUhi0JG7slSpyis=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutServiceURL>http://www.sun.com/slo"</SingleLogoutServiceURL>
<SingleLogoutServiceReturnURL>http://www.sun.com/sloservice
</SingleLogoutServiceReturnURL>
<FederationTerminationServiceURL>http://www.sun.com/fts
</FederationTerminationServiceURL>
<FederationTerminationServiceReturnURL>http://www.sun.com/ftsr
</FederationTerminationServiceReturnURL>
<FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/
fedterm-sp-http</FederationTerminationNotificationProtocolProfile>
<SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http
</SingleLogoutProtocolProfile>
<RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/
rni-sp-http</RegisterNameIdentifierProtocolProfile>
<RegisterNameIdentifierServiceURL>http://www.sun2.com/risu
</RegisterNameIdentifierServiceURL>
<RegisterNameIdentifierServiceReturnURL>http://www.sun2.com/rstu
</RegisterNameIdentifierServiceReturnURL>
<RelationshipTerminationNotificationProtocolProfile>http://projectliberty.org/
profiles/rel-term-soap</RelationshipTerminationNotificationProtocolProfile>
<NameIdentifierMappingBinding AuthorityKind="ppp:AuthorizationDecisionQuery"
Location="http://eng.sun.com" Binding="http://www.sun.com"
xmlns:ppp="urn:oasis:names:tc:SAML:1.0:protocol"></NameIdentifierMappingBinding>
<AdditionalMetaLocation namespace="abc">http://www.aol.com</AdditionalMetaLocation>
<AdditionalMetaLocation namespace="efd">http://www.netscape.com</AdditionalMetaLocation>
<AssertionConsumerServiceURL id="jh899" isDefault="true">
http://www.iplanet.com/assertionurl</AssertionConsumerServiceURL>
<AuthnRequestsSigned>true</AuthnRequestsSigned>
</SPDescriptor>
<ContactPerson xmlns:meta="urn:liberty:metadata:2003-08" contactType="technical"
meta:libertyPrincipalIdentifier="myid">
<Company>SUn Microsystems</Company>
<GivenName>Joe</GivenName>
<SurName>Smith</SurName>
<EmailAddress>joe@sun.com</EmailAddress>
<EmailAddress>smith@sun.com</EmailAddress>
<TelephoneNumber>45859995</TelephoneNumber>
</ContactPerson>
<Organization xmlns:xml="http://www.w3.org/XML/1998/namespace">
<OrganizationName xml:lang="en">sun com</OrganizationName>
<OrganizationName xml:lang="en">sun micro com</OrganizationName>
<OrganizationDisplayName xml:lang="en">sun.com</OrganizationDisplayName>
<OrganizationURL xml:lang="en">http://www.sun.com/liberty</OrganizationURL>
</Organization>
</EntityDescriptor>
|
Loading Proprietary Metadata Using amadmin
Access Manager provides proprietary attributes that are not a specific part of the Liberty ID-FF. To load Access Manager proprietary metadata use the following command:
amadmin --runasdn userdn --password password --data proprietary_metadata_filename |
After loading the metadata, the --export option can be used to export metadata compliant with the Liberty ID-FF. This file can then be exchanged with trusted partners. Here is an example of an identity provider metadata XML file for proprietary attributes.
Example 3–2 Identity Provider Proprietary Metadata XML File for amadmin
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI
DTD//EN" "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<Requests>
<OrganizationRequests DN="dc=companyA,dc=com">
<CreateHostedProvider id="http://sp.companyA.com" role="SP"
defaultUrlPrefix="http://sp.companyA.com:80">
<AttributeValuePair>
<Attribute name="iplanet-am-provider-name"/>
<Value>sp</Value>
</AttributeValuePair>
<AttributeValuePair>
<Attribute name="iplanet-am-provider-alias"/>
<Value>sp.companyA.com</Value>
</AttributeValuePair>
<AttributeValuePair>
<Attribute name="iplanet-am-list-of-authenticationdomains"/>
<Value>samplecot</Value>
</AttributeValuePair>
<AttributeValuePair>
<Attribute name="iplanet-am-certificate-alias"/>
<Value>cert_alias</Value>
</AttributeValuePair>
<AttributeValuePair>
<Attribute name="iplanet-am-trusted-providers"/>
<Value>http://idp.companyB.com</Value>
<Value>http://idp.companyC.com</Value>
</AttributeValuePair>
<SPAuthContextInfo AuthContext="Password" AuthLevel="1"/>
<AttributeValuePair>
<Attribute name="iplanet-am-provider-homepage-url"/>
<Value>http://sp.companyA.com:80/idff/index.jsp</Value>
</AttributeValuePair>
</CreateHostedProvider>
</OrganizationRequests>
</Requests>
|
- © 2010, Oracle Corporation and/or its affiliates