Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Chapter 10 Deploying the Identity Provider (IDP) Discovery Service

Sun OpenSSO Enterprise 8.0 implements the Identity Provider Discovery profile (part of the SAMLv2 binding profiles) for its Identity Provider Discovery Service to keep track of the identity providers for each user. Deploying the IPP Discovery Service includes these steps:

Generating an IDP Discovery Service WAR File

To generate an IDP Discovery Service WAR file, use the jar command to extract the files from the opensso.war file and then to generate the specialized WAR file.

ProcedureTo Generate an IDP Discovery Service WAR File

Before You Begin

Download and unzip the file. You will then need the following files:

where zip-root is where you unzipped the file.

For more information about the opensso.war file, see Downloading OpenSSO Enterprise.

  1. Make sure that your JAVA_HOME environment variable points to JDK 1.5 or later.

  2. Create a new staging directory and extract the files from opensso.war in this staging directory. For example:

    # mkdir idpdiscovery
    # cd idpdiscovery
    # jar xvf zip-root/opensso/deployable-war/opensso.war
  3. Create the IDP Discovery Service WAR using the files in fam-idpdiscovery.list:

    # cd idpdiscovery
    # jar cvf zip-root/opensso/deployable-war/idpdiscovery.war \

    where idpdiscovery.war is the name of the new IDP Discovery Service WAR file.

  4. Update the idpdiscovery.war file created in previous step with the additional files required for the IDP Discovery Service. For example:

    # cd zip-root/opensso/deployable-war/idpdiscovery
    # jar uvf zip-root/opensso/deployable-war/idpdiscovery.war *

    You are now ready to configure the new idpdiscovery.war, as described in the next section.

Configuring the IDP Discovery Service

OpenSSO Enterprise includes the IDP Discovery Service Configurator (Configurator.jsp) to configure the service.

ProcedureTo Configure the IDP Discovery Service

  1. Login as a user who has the following privileges:

    • Access to the web container administration console, if you plan to deploy idpdiscovery.war using this console.


    • The capability to execute the web container's deploy command-line utility, if you plan to deploy idpdiscovery.war using the CLI.

  2. Deploy the idpdiscovery.war to the web container using either the web container administration console or CLI command.

  3. Launch the Configurator using the following URL:


    For example:

    If the IDP Discovery Service is not already configured, you will be directed to the Configurator page.

  4. On the Configurator page, specify the following information:

    • Debug Directory:

    • Debug Level: error (default), warning, message, or off.

    • Cookie Type: PERSISTENT (default) or SESSION

    • Cookie Domain:

    • Secure Cookie: True or False (default)

    • Encode Cookie: True (default) or False

  5. Click Configure.

  6. On the SP host machine, use the console to create a Circle of Trust with the IDP Discovery Service URL used as the prefix for the value of the Reader and Writer URL attributes. For example:

    SAML2 Writer Service URL: http://idp-discovery-server-machine:port/idpdiscovery/saml2writer

    SAML2 Reader Service URL: http://idp-discovery-server-machine:port/idpdiscovery/saml2reader

  7. On the IDP host machine, use the console to create a Circle of Trust with the value of the prefix attribute also set to the identity provider discovery service URL. For example:


  8. Generate metadata for both the IDP and the SP using the ssoadm command-line utility with the create-metadata-templ option.

  9. Load the SP metadata into the IDP machine.

  10. Change the value of the host in the IDP metadata from 0 or remote.

  11. Load the IDP metadata into the SP machine.

    After this configuration, the values of the Writer URL and Reader URL in each Circle of Trust are the URL of the IDP Discovery Service.

Next Steps

Perform the SAMLv2 test cases for SP-initiated and IDP-initiated single sign-on and single logout. Each time you perform these operations from the SP side, the Discovery Service logs will show the redirection to the IDP.