Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Access Control

The following procedure will allow user access on the service provider side based on the user's configured roles on the identity provider side. This information is passed to the service provider in an assertion. No matching user entry is necessary on the service provider side.

Procedure: To Enable Access Control Using Agents and Roles

  1. Install the SAML v2 Plug-in for Federation Services on the identity provider.

  2. Install the SAML v2 Plug-in for Federation Services on the service provider.

    Note –

    The service provider must be an instance of Access Manager because Federation Manager does not currently support policy.

  3. Install the Sun Java System Policy Agents 2.2 to protect the service provider configured on the instance of Access Manager.

    For more information, see the Sun Java System Access Manager Policy Agent 2.2 User’s Guide.

  4. Modify in so that its value is a URL (appended with the NameIDFormat=transient query parameter) that points to a single sign-on JSP on the service provider side.

    For example:
  5. (Required only if using Web Agent 2.1) Set the value of the property to the service provider's login URL so the agent can authenticate itself.

    If the login URL is a URL that initiates a SAML v2 single sign-on interaction, the value of this property will be used to authenticate the agent itself to your instances of Access Manager or Federation Manager. An example value might be http://host:port/amserver/UI/Login.

  6. Modify spSSOInit.jsp on the service provider side so that it uses the goto parameter as the value for RelayState.

    The differences are as follows:

    *** 143,148 ****
    --- 143,154 ----
    idpEntityID = request.getParameter("idpEntityID");
    paramsMap = SAML2Utils.getParamsMap(request);
    + String gotoURL = (String) request.getParameter("goto");
    + if (gotoURL != null) {
    + List list = new ArrayList();
    + list.add(gotoURL);
    + paramsMap.put(SAML2Constants.RELAY_STATE, list);
    + }
    if ((idpEntityID == null) || (idpEntityID.length() == 0)) {
    // get reader url
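    Review bot: the goto value read from the request in the added lines is stored as RelayState without any validation, so whatever URL arrives in that parameter becomes the post-single-sign-on redirect target. Before `list.add(gotoURL);`, check that gotoURL is a relative path or that its host is one of the service provider's own application hosts, and fall back to a fixed default URL when the check fails. The hunk also shows no import for List and ArrayList; confirm that the JSP's page directive already imports java.util, or add it.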
  7. Set up single sign-on without requiring writes to the data store by following the procedure described in To Configure Single Sign-on Without Data Store Writes.

    To test, we assume the employeenumber attribute stores the user's role. In addition, the identity provider should have the following configured users:

    • User 1 has employeenumber set to manager (the manager's role).

    • User 2 has employeenumber set to employee (the employee's role).

  8. Create a policy with the SessionProperty condition on the service provider instance of Access Manager.

    1. Log in to the Access Manager console as the top-level administrator, by default, amadmin.

    2. Under the Access Control tab, select the appropriate realm.

    3. Select the Policies tab.

    4. Click New Policy.

    5. Enter a name for the policy.

    6. Click New under Rules.

    7. Select URL Policy Agent (with resource name) and click Next.

    8. Enter a name for the rule.

    9. Enter the application's URL as the value for Resource Name.

    10. Select Allow under both GET and POST and click Finish.

    11. Click New under Conditions.

    12. Select SessionProperty and click Next.

    13. Enter a name for the condition.

    14. Click Add under Values.

    15. Enter the single sign-on token property name as the value for Property Name.

      To test, we will use employeenumber.

    16. Add the match value to the Values field and click Add.

      To test, we will use manager.

    17. Click Add to return to the New Condition page.

    18. Click Finish to save the condition.

    19. Click Create to create the policy.

    For more information on creating policy, see the Sun Java System Access Manager 7 2005Q4 Administration Guide.

  9. Access the application using a web browser.

    You will be redirected to the service provider single sign-on JSP defined in the previous step. From there, you will be redirected to the identity provider to log in. Single sign-on with the service provider will be accomplished using SAML v2 and, finally, you will be redirected back to the application for policy enforcement. If you logged in as User 1, you will be allowed to access the application as a manager, which the policy allows. If you logged in as User 2, an employee, you will be denied access to the application.
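The following added example models the decision path of steps 7 through 9 end to end: a transient-NameID assertion carrying the employeenumber attribute is mapped to session properties, and a policy shaped like the one from step 8 (URL rule allowing GET and POST, SessionProperty condition matching manager) is evaluated against a request. It is illustrative code written for this page, not the product's own policy engine; the application URL http://app.example.com/protected/*, the assertion text and the policy dictionary are constructed.

```python
"""Constructed model of role-based access control from an IdP-issued assertion."""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def make_assertion(employeenumber=None):
    """Build a constructed, abridged, unsigned assertion (sample input only)."""
    attr = ""
    if employeenumber is not None:
        attr = (
            '<saml:AttributeStatement><saml:Attribute Name="employeenumber">'
            f"<saml:AttributeValue>{employeenumber}</saml:AttributeValue>"
            "</saml:Attribute></saml:AttributeStatement>"
        )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_constructed" Version="2.0">'
        f'<saml:Subject><saml:NameID Format="{TRANSIENT}">_t123</saml:NameID></saml:Subject>'
        f"{attr}</saml:Assertion>"
    )


def session_properties(assertion_xml):
    """Map the assertion's attributes to single sign-on session properties.

    No service provider user entry is consulted: with a transient NameID the
    session is built solely from what the identity provider asserted.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        raise ValueError("expected a transient NameID")
    props = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        props[attr.get("Name")] = values
    return props


# Constructed policy mirroring step 8: URL rule allowing GET and POST, plus a
# SessionProperty condition requiring employeenumber to match "manager".
POLICY = {
    "resource": "http://app.example.com/protected/*",   # assumed application URL
    "actions": {"GET": "allow", "POST": "allow"},
    "conditions": [{"property": "employeenumber", "values": {"manager"}}],
}


def is_allowed(policy, session, resource, method):
    """Evaluate one request against the policy; anything not explicitly allowed is denied."""
    if not fnmatchcase(resource, policy["resource"]):
        return False                       # policy does not apply to this resource
    if policy["actions"].get(method.upper()) != "allow":
        return False                       # action not granted by the rule
    for cond in policy["conditions"]:
        have = set(session.get(cond["property"], []))
        if not have & cond["values"]:      # property missing, or no value matches
            return False
    return True


def decide(assertion_xml, resource="http://app.example.com/protected/index.html", method="GET"):
    """Full path from received assertion to policy decision, as in step 9."""
    return is_allowed(POLICY, session_properties(assertion_xml), resource, method)


if __name__ == "__main__":
    print("User 1 (manager):", decide(make_assertion("manager")))    # True
    print("User 2 (employee):", decide(make_assertion("employee")))  # False
    print("No role attribute:", decide(make_assertion()))            # False
```

The evaluator defaults to deny: a missing employeenumber attribute, a method the rule does not list, or a resource outside the rule's URL pattern all result in denial, which is the behaviour a SessionProperty condition gives when the asserted value does not match.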