Sun OpenSSO Enterprise 8.0 Update 1 Release Notes

Chapter 10 Using the ASP.NET Fedlet with OpenSSO Enterprise 8.0 Update 1

The OpenSSO Fedlet is a small archive that can be embedded into a service provider's web application to allow SAMLv2 single sign-on between an identity provider instance of OpenSSO and the service provider application, without installing OpenSSO on the service provider side. With the release of OpenSSO Enterprise 8.0 Update 1, the Fedlet technology has been extended to the ASP.NET platform.

OpenSSO Enterprise 8.0 Update 1 includes the Fedlet.dll, template metadata files, and a sample ASP.NET application for testing the communications. The Fedlet.dll initiates single sign-on with an identity provider and enables the receipt of an authentication response by the service provider using an HTTP-POST binding.

To set up communications with the ASP.NET Fedlet, you must configure the identity provider, the service provider, the Fedlet, and the service provider application.

To Configure the Identity Provider

  1. Create the hosted identity provider using the Common Tasks work flow in the OpenSSO Enterprise console.

    You will need the name of the circle of trust in the next procedure, To Configure the Service Provider and the ASP.NET Fedlet.

  2. Export the identity provider's standard metadata file.

    The idp.xml file can be exported from the export metadata page at http://idp-machine.domain:8080/opensso/saml2/jsp/exportmetadata.jsp.

  3. Register the remote service provider using the modified standard metadata file sp.xml and the Register Remote Service Provider work flow in the OpenSSO Enterprise console.

    This step is done after you have finished To Configure the Service Provider and the ASP.NET Fedlet.

To Configure the Service Provider and the ASP.NET Fedlet

  1. Download the OpenSSO Enterprise ZIP archive to the service provider machine and unzip it.

  2. Unzip the Fedlet-unconfigured.zip in the /opensso/fedlet/ folder.

  3. Move the /opensso/fedlet/asp.net/ folder to a temporary directory (for example, /tmp, which the remaining steps assume).

  4. Change to the /tmp/asp.net/conf directory.

  5. Make copies of the template files.

    • Copy sp.xml-template to sp.xml.

    • Copy sp-extended.xml-template to sp-extended.xml.

    • Copy idp-extended.xml-template to idp-extended.xml.

    • Copy fedlet.cot-template to fedlet.cot.

  6. Replace the following placeholders in the copied metadata files.

    • Replace FEDLET_COT with the name of the circle of trust of which the remote identity provider and the local service provider are members.

    • Replace FEDLET_ENTITY_ID with a unique identifier used to locate the Fedlet. This value is analogous to the service provider EntityID: the EntityID attribute of the EntityDescriptor element that is passed to the service provider as part of the XML exchange. In the OpenSSO console, the Name attribute of a configured entity provider is its EntityID.

    • Replace FEDLET_URL with the URL of the Fedlet; for example, http://sp-machine.domain/SampleApp/fedletapplication.aspx.

    • Replace IDP_ENTITY_ID with the entity ID of the remote identity provider, that is, the EntityID attribute of the EntityDescriptor element that is passed to the service provider as part of the XML exchange. In the OpenSSO console, the Name attribute of a configured entity provider is its EntityID.

At this point, return to the identity provider machine and register the service provider using the modified sp.xml file, making sure to associate the service provider and the identity provider with the same circle of trust.
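The copy-and-substitute steps above, scripted as an added example that is not part of the release notes or the Fedlet distribution: it renders the four templates, substitutes the four placeholders, and verifies that none survive, since a leftover FEDLET_* or IDP_* token is an easy way to end up with metadata the service provider cannot load. The configuration directory and the values passed in are assumptions; the real template contents come from the Fedlet archive.

```shell
#!/bin/sh
# Added example: render the Fedlet metadata templates described in steps 5 and 6.
set -eu

# render_fedlet_templates CONF_DIR COT ENTITY_ID FEDLET_URL IDP_ENTITY_ID
# Copies each *-template file to its configured name and substitutes the
# placeholders. Values containing '|' or '&' would need escaping for sed.
render_fedlet_templates() {
    conf_dir=$1; cot=$2; entity_id=$3; fedlet_url=$4; idp_entity_id=$5
    for name in sp.xml sp-extended.xml idp-extended.xml fedlet.cot; do
        template="$conf_dir/$name-template"
        [ -f "$template" ] || { echo "missing template: $template" >&2; return 1; }
        # '|' is used as the sed delimiter because FEDLET_URL contains slashes
        sed -e "s|FEDLET_COT|$cot|g" \
            -e "s|FEDLET_ENTITY_ID|$entity_id|g" \
            -e "s|FEDLET_URL|$fedlet_url|g" \
            -e "s|IDP_ENTITY_ID|$idp_entity_id|g" \
            "$template" > "$conf_dir/$name"
    done
}

# check_no_placeholders CONF_DIR
# Returns 1 (and lists the offending files) if any placeholder token remains
# in the rendered files; returns 0 when all four files are clean.
check_no_placeholders() {
    conf_dir=$1
    if grep -l -E 'FEDLET_COT|FEDLET_ENTITY_ID|FEDLET_URL|IDP_ENTITY_ID' \
            "$conf_dir/sp.xml" "$conf_dir/sp-extended.xml" \
            "$conf_dir/idp-extended.xml" "$conf_dir/fedlet.cot"; then
        echo "unreplaced placeholders remain in the files listed above" >&2
        return 1
    fi
    return 0
}

# Usage: sh render-fedlet.sh /tmp/asp.net/conf COT ENTITY_ID FEDLET_URL IDP_ENTITY_ID
if [ $# -eq 5 ]; then
    render_fedlet_templates "$@" && check_no_placeholders "$1"
fi
```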

To Configure the Sample Application and Test the ASP.NET Fedlet

The Sample Application should be deployed using ASP.NET version 3.5 and Microsoft Internet Information Server version 6 or 7.

  1. Navigate to the /tmp/asp.net/conf folder on the service provider machine.

  2. Copy the modified metadata files idp-extended.xml, sp.xml, sp-extended.xml, and fedlet.cot to /tmp/asp.net/SampleApp/App_Data/.

  3. Copy the remote identity provider's standard metadata file to the service provider machine.

    Be sure the file is named idp.xml.

  4. Place idp.xml in /tmp/asp.net/SampleApp/App_Data/.

  5. Confirm that the Fedlet.dll is in the Sample Application's /tmp/asp.net/SampleApp/bin/ folder.

  6. Within Internet Information Server (IIS), create a virtual directory using the /tmp/asp.net/SampleApp/ directory.

    • IIS 6 (Windows 2003) has Add Virtual Directory. Be sure to have Read and Script permissions set for the application.

    • IIS 7 (Windows 2008 and Vista) has Add Application; no additional options need to be set.

  7. Open the Sample Application in your browser using the URL http://sp.example.com/SampleApp.

  8. Click the IDP Initiated SSO link to perform identity provider-initiated single sign-on.

  9. Enter the appropriate user credentials.

    The OpenSSO user demo with a password of changeit will work. After a successful authentication, the fedletapplication.aspx page is displayed with access to the AuthnResponse information.

Figure 10–1 Sample Application with OpenSSO and ASP.NET


To Integrate the ASP.NET Fedlet with an Existing Application

The Sample Application demonstrates how to retrieve attributes and subject information from the SAMLv2 assertion in an AuthnResponse object. The following code can be integrated into custom applications to do the same. It is expected to be placed in the .aspx page (or other ASP.NET URI) that receives the authentication response through the HTTP-POST binding.

       AuthnResponse authnResponse = null;
       try
       {
           // Parse and validate the SAMLv2 response posted to this page,
           // using the metadata and circle-of-trust files in App_Data.
           ServiceProviderUtility spu = new ServiceProviderUtility(Context);
           authnResponse = spu.GetAuthnResponse(Request);
       }
       catch (Saml2Exception se)
       {
           // Invalid AuthnResponse received: do not treat the user as
           // authenticated; log the failure and show an error page instead.
       }
       catch (ServiceProviderUtilityException spue)
       {
           // Issues with deployment (reading metadata): a configuration
           // error, not a user error; log it and fail the request.
       }

       if (authnResponse == null)
       {
           // Only a non-null response carries a validated assertion, so stop
           // here before reading any attributes or subject information.
           return;
       }

For more information about the Fedlet, see the Sun OpenSSO Enterprise 8.0 Technical Overview and the Sun OpenSSO Enterprise 8.0 Deployment Planning Guide.