Sun OpenSSO Enterprise 8.0 Administration Guide

Managing SAMLv2 Name Identifiers

With this release, OpenSSO Enterprise enhances its implementation of the Name Identifier Management Profile to include the termination of the association of a name identifier between a service provider and an identity provider (including the accompanying federation) and the issuance of a new name identifier. When metadata is created using OpenSSO Enterprise, XML is defined to support HTTP-Redirect, SOAP and HTTP-POST bindings. Following is the code for an identity provider.

<IDPSSODescriptor>
  <ManageNameIDService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="http://isdev-3.red.iplanet.com:58080/fam/IDPMniRedirect/metaAlias/idp"
    ResponseLocation="http://isdev-3.red.iplanet.com:58080/fam/IDPMniRedirect/metaAlias/idp"/>
  <ManageNameIDService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://isdev-3.red.iplanet.com:58080/fam/IDPMniPOST/metaAlias/idp"
    ResponseLocation="http://isdev-3.red.iplanet.com:58080/fam/IDPMniPOST/metaAlias/idp"/>
  <ManageNameIDService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="http://isdev-3.red.iplanet.com:58080/fam/IDPMniSoap/metaAlias/idp"/>
</IDPSSODescriptor>

The ManageNameID (MNI) JSPs provide a way to initiate name identifier changes or terminations. For example, after establishing a name identifier for use when referring to a principal, the identity provider may want to change its value and/or format. Additionally, an identity provider might want to indicate that a name identifier will no longer be used to refer to the principal. The identity provider notifies service providers of the change by sending them a ManageNameIDRequest. A service provider also uses this message type to register or change the SPProvidedID value (included when the underlying name identifier is used to communicate with it) or to terminate the use of a name identifier between itself and the identity provider. To initiate termination of a name identifier or creation of a new identifier, access the appropriate JSP using the URL and URL parameter information in the following sections.

The JSPs are located in /OpenSSO-Deploy-base/opensso/saml2/jsp/. idpMNIRedirect.jsp, spMNIRedirect.jsp, idpMNIPOST.jsp, and spMNIPOST.jsp, also in that directory, are process pages served as endpoints.

idpMNIRequestInit.jsp

idpMNIRequestInit.jsp initiates name identifier modifications or termination from the identity provider. The URL for this JSP is protocol://host:port/service-deploy-uri/saml2/jsp/idpMNIRequestInit.jsp. The following URL parameters are appended to it.

An example URL for using HTTP-POST communication might be:

http://dev-3.sun.com:58080/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=mach1.sun.com&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

spMNIRequestInit.jsp

spMNIRequestInit.jsp initiates name identifier modifications or termination from the service provider. The URL for this JSP is protocol://host:port/service-deploy-uri/saml2/jsp/spMNIRequestInit.jsp. The following URL parameters are appended to it.

An example URL for using SOAP communication might be:

http://dev-3.sun.com:58080/opensso/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=mach1.sun.com&requestType=NewID&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP
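The following is an added worked example and is not code from the OpenSSO guide or from the OpenSSO product. It ties together the two preceding sections (the ManageNameIDRequest message and the idpMNIRequestInit.jsp / spMNIRequestInit.jsp initiation URLs): it builds an initiation URL from the parameters shown in the example URLs above, serializes the ManageNameIDRequest (SAML 2.0 Core, section 3.6) that such a request results in, for both the Terminate and NewID cases, and parses an incoming request the way a receiving endpoint should before acting on it. The function names, the Destination check on receipt, the entity IDs and endpoint URL in the constructed sample, and the omission of signing and NameID encryption are all assumptions of this example, not behaviour documented on this page.

```python
"""Added example: OpenSSO-style MNI initiation URLs and the SAMLv2
ManageNameIDRequest messages they trigger (not the guide's own code)."""
import uuid
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
BINDINGS = {
    "HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "SOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
}
REQUEST_TYPES = ("Terminate", "NewID")


def mni_init_url(base, role, meta_alias, remote_entity_id, request_type, binding):
    """Build the idpMNIRequestInit.jsp (role='idp') or spMNIRequestInit.jsp
    (role='sp') URL. base is protocol://host:port/service-deploy-uri.
    Parameter names follow the guide's example URLs; the IDP names the
    remote party with spEntityID, the SP with idpEntityID."""
    if role not in ("idp", "sp"):
        raise ValueError("role must be 'idp' or 'sp'")
    if request_type not in REQUEST_TYPES:
        raise ValueError(f"requestType must be one of {REQUEST_TYPES}")
    if binding not in BINDINGS.values():
        raise ValueError("binding must be one of the SAML 2.0 binding URNs")
    remote_param = "spEntityID" if role == "idp" else "idpEntityID"
    query = urlencode({"metaAlias": meta_alias, remote_param: remote_entity_id,
                       "requestType": request_type, "binding": binding})
    return f"{base.rstrip('/')}/saml2/jsp/{role}MNIRequestInit.jsp?{query}"


def parse_mni_init_url(url):
    """Split an initiation URL into its JSP path and single-valued parameters."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def build_mni_request(issuer, name_id, name_id_format, request_type, destination, new_id=None):
    """Serialize a ManageNameIDRequest. Terminate carries an empty
    <samlp:Terminate/>; NewID carries the replacement value in <samlp:NewID>.
    Assumption: the caller signs the message before sending it."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}ManageNameIDRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    if request_type == "Terminate":
        ET.SubElement(root, f"{{{SAMLP}}}Terminate")
    elif request_type == "NewID":
        if not new_id:
            raise ValueError("a NewID request needs the new identifier value")
        ET.SubElement(root, f"{{{SAMLP}}}NewID").text = new_id
    else:
        raise ValueError(f"requestType must be one of {REQUEST_TYPES}")
    return ET.tostring(root, encoding="unicode")


def parse_mni_request(xml_text, expected_destination):
    """Classify an incoming ManageNameIDRequest before changing any federation
    state. Rejects mis-addressed requests and requests that do not carry
    exactly one of Terminate or NewID. Assumption: signature verification
    and EncryptedID handling happen outside this function."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}ManageNameIDRequest":
        raise ValueError("not a ManageNameIDRequest")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination does not match this endpoint")
    name_id = root.find(f"{{{SAML}}}NameID")
    if name_id is None:
        raise ValueError("missing plain NameID (EncryptedID not handled here)")
    terminate = root.find(f"{{{SAMLP}}}Terminate") is not None
    new_id = root.findtext(f"{{{SAMLP}}}NewID")
    if terminate == (new_id is not None):
        raise ValueError("request must carry exactly one of Terminate or NewID")
    return {"issuer": root.findtext(f"{{{SAML}}}Issuer"), "name_id": name_id.text,
            "format": name_id.get("Format"),
            "action": "Terminate" if terminate else "NewID", "new_id": new_id}


if __name__ == "__main__":
    # Constructed sample values, not real deployments.
    print(mni_init_url("http://dev-3.sun.com:58080/opensso", "idp", "/idp",
                       "mach1.sun.com", "Terminate", BINDINGS["HTTP-POST"]))
    dest = "http://sp.example.test/opensso/SPMniSoap/metaAlias/sp"  # assumed SP endpoint
    msg = build_mni_request("http://idp.example.test", "a1b2c3", PERSISTENT, "Terminate", dest)
    print(parse_mni_request(msg, dest))
```

The receiving side deliberately refuses a request that carries both Terminate and NewID, or neither, and a request whose Destination names a different endpoint; both conditions indicate a malformed or misrouted message and should be logged rather than acted on.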