Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Configuring the SAMLv2 Identity Provider Proxy with the Introduction Cookie

You can use the OpenSSO Enterprise administration console or the ssoadmin command-line interface to generate and import metadata (steps 5 through 8).

  1. Deploy the Identity Provider Discovery Service.

    Follow the steps 1 through 5 in Chapter 10, Deploying the Identity Provider (IDP) Discovery Service, in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide. Do not complete steps 6 through 11 in the section “Configuring the IDP Discovery Service.”

  2. Once the Identity Provider Discovery Service WAR file is generated and deployed, make the following changes on its Configurator page.

    When http(s)://idpdiscoveryhost.example.com:8080/idpdiscovery is loaded, where idpdiscoveryhost usually refers to the Identity Provider Proxy host name, specify the following:

    Debug Directory:

    Name of the debug directory.

    Debug Level:

    Options are error (default), warning, message, or off.

    Cookie Type:

    PERSISTENT (default) or SESSION. Use PERSISTENT for the purpose of SAMLv2 Identity Proxying using the Introduction Cookie.

    Cookie Domain:

    Name of the cookie domain.

    Secure Cookie:

    True or False (default)

    Encode Cookie:

    True (default) or False

    Click Configure.

  3. Create your own keystore using keytool.

    You can also use the keystore.jks file created during deployment of the OpenSSO Enterprise instance. The keystore.jks file is located in the opensso/opensso directory. It contains a private key with the alias test and an associated public certificate.

  4. Encrypt the keystore password for each host machine.

    If you use the keystore.jks file mentioned in step 1 and created during OpenSSO Enterprise deployment, the cert alias test is already encoded. You can use test for both signing and encryption purposes, for example, as the value of spscertalias, specertalias, idpscertalias, and idpecertalias.

  5. Generate Service Provider and Identity Provider metadata.

    In each of the following substeps, save the standard and extended metadata in their respective files.

    1. Generate the Service Provider metadata and load the local metadata into its console.

    2. Generate the Identity Provider metadata and load the local metadata into its console.

    3. Generate the Identity Provider Proxy metadata and load the local metadata into its console.

  6. Import the Service Provider and Identity Provider metadata.

    1. In each extended metadata XML file to be imported, change the hosted attribute of the EntityConfig element from hosted=1 to hosted=0. The value 0 means “remote.”

    2. Import the Service Provider metadata to the Identity Provider Proxy.

    3. Import the Identity Provider metadata to the Identity Provider Proxy.

    4. Import the Service Provider portion of the Identity Provider proxy metadata to the Identity Provider.

    5. Import the Identity Provider portion of the Identity Provider Proxy metadata to the Service Provider.
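    As an added illustration of step 6 (not part of this guide or of OpenSSO itself), the following Python script rewrites a pair of standard and extended metadata files for import on a remote host: it flips hosted=1 to hosted=0 in the EntityConfig element and, when asked, keeps only the Service Provider or Identity Provider portion of a proxy's metadata for substeps 4 and 5. The entity ID, metaAlias values and the minimal EntityDescriptor/EntityConfig documents are constructed sample values.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"   # standard SAMLv2 metadata namespace
EC = "urn:sun:fm:SAML:2.0:entityconfig"        # OpenSSO extended metadata namespace
ET.register_namespace("md", MD)
ET.register_namespace("ec", EC)
# Element names of each role in the standard and in the extended document.
ROLE_TAGS = {"sp": (f"{{{MD}}}SPSSODescriptor", f"{{{EC}}}SPSSOConfig"),
             "idp": (f"{{{MD}}}IDPSSODescriptor", f"{{{EC}}}IDPSSOConfig")}


def prepare_for_remote_import(standard_xml, extended_xml, keep_role=None):
    """Return (standard, extended) XML strings ready to import on another host.

    keep_role=None keeps both roles; "sp" or "idp" keeps only that portion,
    which is what substeps 4 and 5 need for the Identity Provider Proxy.
    """
    std, ext = ET.fromstring(standard_xml), ET.fromstring(extended_xml)
    if std.tag != f"{{{MD}}}EntityDescriptor" or ext.tag != f"{{{EC}}}EntityConfig":
        raise ValueError("expected a SAMLv2 EntityDescriptor and an OpenSSO EntityConfig")
    if std.get("entityID") != ext.get("entityID"):
        raise ValueError("standard and extended metadata name different entityIDs")
    ext.set("hosted", "0")  # substep 1: the entity is remote on the importing host
    if keep_role is not None:
        if keep_role not in ROLE_TAGS:
            raise ValueError("keep_role must be 'sp' or 'idp'")
        for other in ROLE_TAGS.keys() - {keep_role}:
            for root, tag in zip((std, ext), ROLE_TAGS[other]):
                for node in root.findall(tag):   # drop the role the receiver must not see
                    root.remove(node)
    return ET.tostring(std, encoding="unicode"), ET.tostring(ext, encoding="unicode")


def describe(extended_xml):
    """Return (hosted flag, set of roles present) for an extended metadata document."""
    ext = ET.fromstring(extended_xml)
    roles = {r for r, (_, tag) in ROLE_TAGS.items() if ext.find(tag) is not None}
    return ext.get("hosted"), roles


# Constructed sample metadata for a proxy that is both SP and IDP (hypothetical host).
STANDARD = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idpproxy.example.com:8080/opensso">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""
EXTENDED = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="1"
  entityID="https://idpproxy.example.com:8080/opensso">
  <SPSSOConfig metaAlias="/sp"><Attribute name="signingCertAlias"><Value>test</Value></Attribute></SPSSOConfig>
  <IDPSSOConfig metaAlias="/idp"><Attribute name="signingCertAlias"><Value>test</Value></Attribute></IDPSSOConfig>
</EntityConfig>"""
```

    Run prepare_for_remote_import(STANDARD, EXTENDED, keep_role="sp") to produce the Service Provider portion for the Identity Provider, and keep_role="idp" for the portion the Service Provider imports.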

  7. Create a circle of trust on each of the systems.

  8. Import the metadata and create the provider entity.

    Specify the name of the circle of trust into where you would like to import the metadata.

  9. On both the Identity Provider Proxy console and the actual Identity Provider console, set the Circle of Trust's SAML2 Reader and Writer Service URLs to the Identity Provider Discovery Service URLs.

    1. On the Identity Provider Proxy console and on each actual Identity Provider host console, click the Circle of Trust.

    2. For the SAML2 Reader and Writer URLs, enter the Identity Provider Proxy host name, followed by the idpdiscovery URI, with saml2reader or saml2writer appended. Examples:

      http(s)://idp-proxy-server-host-name:port/idpdiscovery/saml2writer

      http(s)://idp-proxy-server-host-name:port/idpdiscovery/saml2reader

  10. On the Identity Provider Proxy console and on the actual Identity Provider console, under Entity Providers, click the Identity Provider Proxy URL link. Then click the Advanced tab for the Service Provider.

    IDP Proxy

    Mark the Enabled box.

    Introduction

    Mark the Enabled box.

    Proxy Count

    Enter 1 or more.

    IDP Proxy List

    Leave this blank.

  11. After all the configuration steps are done, restart the web containers of all the servers on the Service Provider, Identity Provider Proxy, and the actual Identity Provider.

  12. As a verification step, on the Service Provider host, log in to the OpenSSO Enterprise administration console and click the Federation tab.

    You should see the profiles for both Service Provider and Identity Provider Proxy.

    Perform the SAMLv2 test cases for single sign-on and single logout through a proxy.