In this use case, an unauthenticated user first accesses a resource under the agent #2 in the Access Manager DNS domain (the primary domain). After the authentication, the Access Manager sets an SSO token in domain .iplanet.com. Then the user accesses another resource under agent #1 in a different domain .central.sun.com. The CDSSO sequence will be invoked and access will be allowed without re-authentication.
An unauthenticated user attempts to access http://am-v210-01.red.iplanet.com:7001/app1/test1.html. The agent intercepts the request and receives no SSO token. The agent responds with a redirection to the Access Manager login page.
REQUEST:
GET /app1/test1.html HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us If-Modified-Since: Tue, 20 Jun 2006 11:03:04 GMT User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Host: am-v210-01.red.iplanet.com:7001 |
RESPONSE:
HTTP/1.1 302 Moved Temporarily Date: Wed, 02 Aug 2006 12:26:47 GMT Location: https://am-pool0.red.iplanet.com:8443/amserver/UI/Login?goto= http%3A%2F%2Fam-v210-01.red.iplanet.com%3A7001%2Fapp1%2Ftest1.html Content-Type: text/html Connection: Close |
The browser follows the redirection to access the Access Manager login page.
REQUEST:
GET /amserver/UI/Login?goto= http%3A%2F%2Fam-v210-01.red.iplanet.com%3A7001%2Fapp1%2Ftest1.html HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us If-Modified-Since: Tue, 20 Jun 2006 11:03:04 GMT User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Host: am-pool0.red.iplanet.com:8443 Connection: Keep-Alive |
RESPONSE:
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 02 Aug 2006 12:26:52 GMT Content-type: text/html;charset=UTF-8 Cache-control: private Pragma: no-cache Expires: 0 X-dsameversion: 7 2005Q4 Am_client_type: genericHTML Set-cookie: JSESSIONID=54C2BEA3AB9BEE7AC172AD396F6C012A;Path=/;Secure Set-cookie: AMAuthCookie=AQIC5wM2LY4Sfcw%2F71xSeh8udj3%2FKcoBDs4FiDT7O zpFDjQ%3D%40AAJTSQACMTEAAlMxAAIwMQ%3D%3D%23; ;Domain=.iplanet.com;Path=/ Set-cookie: amservercookie=0C;Domain=.iplanet.com;Path=/ <.... login in page content omitted by the author > |
The user types in his credential on the login page and clicks Submit. A login form is posted to Access Manager. If the user authenticates successfully, the Access Manager responds by setting an SSO token (iPlanetDirectoryPro) in the domain .iplanet.com. The response also redirects the browser to the original requested resource http://am-v210-01.red.iplanet.com:7001/app1/test1.html.
REQUEST:
POST /amserver/UI/Login HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: https://am-pool0.red.iplanet.com:8443/amserver/UI/ Login?goto=http%3A%2F%2Fam-v210-01.red.iplanet.com%3A7001%2Fapp1%2Ftest1.html Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Connection: Keep-Alive User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Host: am-pool0.red.iplanet.com:8443 Content-Length: 144 Cache-Control: no-cache Cookie: JSESSIONID=54C2BEA3AB9BEE7AC172AD396F6C012A; AMAuthCookie=AQIC5wM2LY4Sfcw%2F71xSeh8udj3%2FKcoBDs4FiDT7OzpF DjQ%3D%40AAJTSQACMTEAAlMxAAIwMQ%3D%3D%23; amservercookie=0C |
RESPONSE:
HTTP/1.1 302 Moved Temporarily Server: Sun-ONE-Web-Server/6.1 Date: Wed, 02 Aug 2006 12:27:01 GMT Content-length: 0 Content-type: text/html Cache-control: private Pragma: no-cache X-dsameversion: 7 2005Q4 Am_client_type: genericHTML X-autherrorcode: 0 Location: http://am-v210-01.red.iplanet.com:7001/app1/test1.html Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcw%2F71xSeh8udj3%2 FKcoBDs4FiDT7OzpFDjQ%3D%40AAJTSQACMTEAAlMxAAIwMQ%3D%3D%23; Domain=.iplanet.com;Path=/ Set-cookie: AMAuthCookie=LOGOUT;Domain=.iplanet.com;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/ Connection: close |
The browser follows the redirection to access http://am-v210-01.red.iplanet.com:7001/app1/test.html. Note the SSO token cookie iPlanetDirectoryPro is sent in the HTTP request to the server. The agent validates the SSO token and evaluates policies by interacting with the Access Manager in the background. If the access is allowed, the server responds with the content of the protected resource.
REQUEST:
GET /app1/test1.html HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Pragma: no-cache Accept-Language: en-us Cookie: amservercookie=0C; iPlanetDirectoryPro=AQIC5wM2LY4Sfcw% 2F71xSeh8udj3%2FKcoBDs4FiDT7OzpFDjQ%3D%40 AAJTSQACMTEAAlMxAAIwMQ%3D%3D%23 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Host: am-v210-01.red.iplanet.com:7001 Cache-Control: no-cache |
RESPONSE:
HTTP/1.1 200 OK Date: Wed, 02 Aug 2006 12:27:02 GMT Content-Length: 88 Content-Type: text/html Last-Modified: Tue, 20 Jun 2006 11:03:04 GMT Set-Cookie: JSESSIONID=GQhWKgrXz1R8jCSpgnc1jXtzMd0M jwn1y9NXPjpZGCQn7jhX5wKd!384704559; path=/ Accept-Ranges: bytes Connection: Close <html> <head> <title>Test1 HTMOL</title> </head> TEST1 HTML </body> </html> |
The user now attempts to access another resource http://comal-b.central.sun.com:80/app1/test1.html. Note the SSO token iPlanetDirectoryPro is not sent in the HTTP request because the server comal-b.central.sun.com does not match the cookie domain .iplanet.com. The agent, receiving no SSO token, responds by redirecting the browser to the CDC servlet URL https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet.
REQUEST:
GET /app1/test1.html HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us Cookie: SUN_ID=69.196.39.237:227251153914164 If-Modified-Since: Wed, 19 Jul 2006 14:43:46 GMT If-None-Match: W/"88-1153320226000" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Host: comal-b.central.sun.com |
RESPONSE:
HTTP/1.1 302 Moved Temporarily Server: Sun-Java-System/Application-Server Date: Wed, 02 Aug 2006 12:27:09 GMT Content-type: text/html X-powered-by: Servlet/2.4 Location: https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet?goto= http%3A%2F%2Fcomal-b.central.sun.com %3A80%2Fagentapp%2FsunwCDSSORedirectURI&refererservlet= http%3A%2F%2Fcomal-b.central.sun.com%3A80%2Fagentapp% 2FsunwCDSSORedirectURI&MajorVersion=1&MinorVersion=0&RequestID; =s8c70ff292d4b9f9fbb211003528b7ab90de41229&ProviderID;= http%3A%2F%2Fcomal-b.central.sun.com%3A80%2F%3FRealm%3D%252F&IssueInstant; =2006-08-02T12%3A27%3A09Z&ForceAuthn;=false&IsPassive;=false&Federate;=false Set-cookie: amFilterCDSSORequest=AQICAtwmVLBfMe/ PgTWWJqWPSfO2eZo6rYLpQLiSI2Uk+Es+I25/ 7Pb5lDpLfNbM1S64amLqY9RLg1gib2HzbGqM+GKp/aF/ PslJYgcOwjKzAjZCBX+fDUtjQazNCAD+XwOdOnVsdKuGHNs=; Path=/ Connection: close |
A cookie amFilterCDSSORequest is set by the agent to save the user requested URL, its access type (GET/POST), etc. and AuthnRequestID (value of RequestID query parameter). This cookie is set before redirecting to the Access Manager's CDC Servlet. After getting the AuthnResponse later from the CDC Servlet, the Agent then retrieves the information from the amFilterCDSSORequest cookie to continue with the User's Original requested URL.
The redirection URL contains some parameters to be carried to the CDC servlet. Some of these parameters are:
The URL to which CDC servlet will forward AuthNResponse.
Major version is set 1. It is Liberty Federation Protocol major version.
The minor version is set to 1. It is Liberty Federation Protocol minor version.
Is an Authn Request ID. It is a uniquely generated id. It is of the form sfollowed-by-20-digit-hexadecimal-string. This is sent to CDC Servlet so that the its AuthnResponse later can contain this unique identifier. The RequestID is used to tie the response coming back. It is verified when the response comes back from the CDC servlet.
It is Service Provider ID, which is the agent. The value will be of the form: http://agent-host:port/?Realm=RealmName. Where RealmName is what is configured for property com.sun.identity.agents.config.organization.name in AMAgent.properties.
It is the time at which the AuthnRequest was created (being sent), in UTC format.
The browser follows the redirection to access the CDC servlet. Note the SSO token iPlanetDirectoryPro is sent in the HTTP request because the server DNS domain matches the cookie domain. The CDC servlet validates the SSO token and responds with an HTML page. The page contains an HTML FORM which will be automatically posted to CDSSO Redirect URL on the agent (http://comal-b.central.sun.com:80/agentapp/sunwCDSSORedirectURI, based on the "goto" parameter earlier). The form's hidden field LARES is an encoded Liberty-like AuthnResponse that contains the existing SSO Token in the domain .iplanet.com.
REQUEST:
GET /amserver/cdcservlet?goto= http%3A%2F%2Fcomal-b.central.sun.com%3A80%2F agentapp%2FsunwCDSSORedirectURI&refererservlet;=http%3A%2F%2 Fcomal-b.central.sun.com%3A80%2Fagentapp%2FsunwCDSSORedirectURI& MajorVersion=1&MinorVersion=0&RequestID; =s8c70ff292d4b9f9fbb211003528b7ab90de41229&ProviderID; =http%3A%2F%2Fcomal-b.central.sun.com%3A80%2F%3FRealm%3D%252F&IssueInstant; =2006-08-02T12%3A27%3A09Z&ForceAuthn;=false&IsPassive; =false&Federate;=false HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us Cookie: JSESSIONID=54C2BEA3AB9BEE7AC172AD396F6C012A; amservercookie=0C; iPlanetDirectoryPro=AQIC5wM2LY4Sfcw%2F71xSeh8udj3%2FKcoBDs4FiDT7OzpF DjQ%3D%40AAJTSQACMTEAAlMxAAIwMQ%3D%3D%23 If-Modified-Since: Wed, 19 Jul 2006 14:43:46 GMT If-None-Match: W/"88-1153320226000" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Host: am-pool0.red.iplanet.com:8443 Connection: Keep-Alive |
RESPONSE:
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 02 Aug 2006 12:27:10 GMT Content-type: text/html Pragma: no-cache Content-length: 3788 Connection: keep-alive <HTML> <BODY Onload="document.Response.submit()"> <FORM NAME="Response" METHOD="POST" ACTION= "http://comal-b.central.sun.com:80/agentapp/sunwCDSSORedirectURI"> <INPUT TYPE="HIDDEN" NAME="LARES" VALUE="PGxpYjpBdXRoblJlc3BvbnNlIHhtbG 5zOmxpYj0iaHR0cDovL3Byb2plY3RsaWJlcnR5Lm9yZy9zY2hlbWFzL2NvcmUvMjAwMi8xM IgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFzc2VydGlvbiIge G1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDpwcm90b2NvbCIgeG1s ... bnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIHhtbG5zOnhzaT0 iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFJlc3BvbnNlSU 0ZmIxODg2Nzc4ZTBkMzMyMmEzMzFhYTg4MzMzOTMxNjZmMmYwIiAgSW5SZXNwb25zZVRvPS JzOGM3MGZmMjkyZDRiOWY5ZmJiMjExMDAzNTI4YjdhYjkwZGU0MTIyOSIgIE1ham9yVmVyc 2lvbj0iMSIgIE1pbm9yVmVyc2lvbj0iMCIgIElzc3VlSW5zdGFudD0iMjAwNi0wOC0wMlQx g=="/> </FORM> </BODY></HTML> |
The decoded AuthnResponse (line-wrapped) looks like this:
<lib:AuthnResponse xmlns:lib= "http://projectliberty.org/schemas/core/2002/12" xmlns :saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp= "urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ds= "http://www.w3.org/2000/09/xmldsig<" xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance" ResponseID="sb3f4fb1886778e0d3322a331aa8833393166f2f0" InResponseTo="s8c70ff292d4b9f9fbb211003528b7ab90de41229" MajorVersion="1" MinorVersion="0" IssueInstant="2006-08-02T12:27:10Z"> <samlp:Status> <samlp:StatusCode Value="samlp:Success"> </samlp:StatusCode> </samlp:Status> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance" xmlns:lib="http://projectliberty.org/schemas/core/2002/12" id="s16703a57e86c8163160b2a2ab3ce76111cc9ed5a01" MajorVersion="1" MinorVersion="0" AssertionID="s16703a57e86c8163160b2a2ab3ce76111cc9ed5a01" Issuer="https://ide-14.red.iplanet.com:443/amserver/cdcservlet" IssueInstant="2006-08-02T12:27:10Z" InResponseTo="s8c70ff292d4b9f9fbb211003528b7ab90de41229" xsi:type="lib:AssertionType"> <saml:Conditions NotBefore="2006-08-02T12:27:10Z" NotOnOrAfter="2006-08-02T12:28:10Z" > <saml:AudienceRestrictionCondition> <saml:Audience>http://comal-b.central.sun.com:80/?Realm=%2F</saml:Audience> </saml:AudienceRestrictionCondition> </saml:Conditions> <saml:AuthenticationStatement AuthenticationMethod="LDAP" AuthenticationInstant="2 006-08-02T12:27:01Z" ReauthenticateOnOrAfter="2006-08-02T12:28:10Z" xsi:type="lib:AuthenticationStatementType"> <saml:Subject xsi:type="lib:SubjectType"><saml:NameIdentifier NameQualifier="https://ide-14.red.iplanet.com:443/amserver/cdcservlet"> AQIC5wM2LY4Sfcw%2F71xSeh8udj3%2FKcoBDs4FiDT7OzpFDjQ%3D%40AAJTSQACMTEAAl MxAAIwMQ%3D%3D%23</saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer </saml:ConfirmationMe> </saml:SubjectConfirmation> <lib:IDPProvidedNameIdentifier NameQualifier="https://ide-14.red.iplanet.com:443/amserver/cdcservlet" > AQIC5wM2LY4Sfcw%2F71xSeh8udj3%2FKcoBDs4FiDT7OzpFDjQ%3D%40AAJTS QACMTEAAlMxAAIwMQ%3D%3D%23</lib:IDPProvidedNameIdentifier> </saml:Subject><saml:SubjectLocality IPAddress="192.18.72.87" DNSAddress="ide-14.red.iplanet.com" /> <lib:AuthnContext><lib:AuthnContextClassRef>http://www.projectliberty.org/ schemas/authctx/classes/Password</lib:AuthnContextClassRef> <lib:AuthnContextStatementRef>http://www.projectliberty.org/schemas/ authctx/classes/Password</lib:></lib:AuthnContext> </saml:AuthenticationStatement></saml:A> <lib:ProviderID>https://ide-14.red.iplanet.com:443/amserver/cdcservlet </lib:Provide></lib:AuthnResponse> |
The browser automatically posts the form with LARES to http://comal-b.central.sun.com:80/agentapp/sunwCDSSORedirectURI without the user interaction. The agent responds by setting a new SSO token iPlanetDirectoryPro with an empty cookie domain. A cookie without a domain will be restricted to be sent to the originating server only in the future. Also note the cookie value is exactly the same as the one set in Step 3 response by Access Manager. The HTTP response also redirects the browser to the original requested resource http://comal-b.central.sun.com:80/app1/test1.html.
REQUEST:
POST /agentapp/sunwCDSSORedirectURI HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Host: comal-b.central.sun.com Content-Length: 3592 Cookie: amFilterCDSSORequest=AQICAtwmVLBfMe/PgTWWJqWPSfO2eZo6rYLpQLiSI2Uk+Es+I25/ 7Pb5lDpLfNbM1S64amLqY9RLg1gib 2HzbGqM+GKp/aF/PslJYgcOwjKzAjZCBX+fDUtjQazNCAD+XwOdOnVsdKuGHNs=; SUN_ID=69.196.39.237:227251153914164 |
RESPONSE:
HTTP/1.1 302 Moved Temporarily Server: Sun-Java-System/Application-Server Date: Wed, 02 Aug 2006 12:27:12 GMT Content-type: text/html X-powered-by: Servlet/2.4 Location: http://comal-b.central.sun.com:80/app1/test1.html Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcw%2F71xSeh8udj3% 2FKcoBDs4FiDT7OzpFDjQ%3D%40AAJTSQACMTEAAlMxAAIwMQ%3D%3D%23; Path=/ Set-cookie: amFilterCDSSORequest=reset; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Connection: close |
In responding to this request, the agent goes through the following steps to validate the received AuthnResponse:
First the requestID (saved in the amFilterCDSSORequest cookie) is verified against the responseID of the AuthnResponse.
The status code of the AuthnResponse is verified to see if it is successful.
The assertions are extracted from the AuthnResponse. There should be only 1.
From the Assertion, the issuer is extracted and is verified against the policy agent list of trusted ID providers. If the issuer is not in the policy agent trusted list, then user request is blocked. These trusted ID providers are governed by property, as we discussed in the configuration section, com.sun.identity.agents.config.cdsso.trusted.id.providerx. These IDs should contain URLs of the actual Access Manager instances (not the load-balancer URL).
The conditions that are in the assertion are also validated. The main one is the date validity condition. The date validity attributes, not before and notOnorAfter, are verified to verify the assertion has not expired. Hence time synchronization between Access Manager and Agent is essential. Also the skew factor provided in AMAgent com.sun.identity.agents.config.cdsso.clock.skew helps to overcome any network latencies.
In the response, cookie amFilterCDSSORequest is removed by setting the expiration date in the past.
The browser follows the redirection to access the protected resoruce again at http://comal-b.central.sun.com:80/app1/test.html. Note the new SSO token is sent to the server. The agent validates the SSO token, evaluates the policies and allows the access. The server responds with the content of the protected resource.
REQUEST:
GET /app1/test1.html HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Host: comal-b.central.sun.com Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcw%2F71xSeh8udj3%2FKcoB Ds4FiDT7OzpFDjQ%3D%40AAJTSQACMTEAAlMxAAIwMQ%3D%3D%23; SUN_ID=69.196.39.237:227251153914164 |
RESPONSE:
HTTP/1.1 200 OK Server: Sun-Java-System/Application-Server Date: Wed, 02 Aug 2006 12:27:13 GMT Content-length: 88 Content-type: text/html X-powered-by: Servlet/2.4 Etag: W/"88-1153320226000" Last-modified: Wed, 19 Jul 2006 14:43:46 GMT Connection: close <html> <head> <title>Test1 HTML</title> </head> body> Test1 HTML </body> </html> |