Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

13.5 Testing the Secure Attribute Exchange

In this test, saeIDPApp.jsp securely sends information about an already authenticated user (user ID, authentication level, and the mail and branch attributes) to OpenSSO Enterprise on the identity provider side. The identity provider then uses standard SAML v2 single sign-on to carry these attributes to OpenSSO Enterprise on the service provider side. Finally, the service provider securely passes the same attributes to saeSPApp.jsp, the consumer application.


Note –

This test for Secure Attribute Exchange does not use the test users created when building the SP and IDP environment. The values for Userid on local IDP, Authenticated auth level, mail attribute, and branch attribute are hard-coded in saeIDPApp.jsp as the default values for the test. Because this hard-coded test user has not been created on the service provider side, the User Profile attribute was previously set to Ignore on the service provider side.


Procedure: To Test the Secure Attribute Exchange Configurations

  1. Access https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp from a web browser.

    The Secure Attributes Exchange IDP APP SAMPLE page is displayed.

  2. Type the following values in the appropriate text field.

    Userid on local IDP

    testuser

    Authenticated auth level

    0

    mail attribute

    testuser@foo.com

    branch attribute

    mainbranch

    SP App URL

    https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp

    SAE URL on IDP end

    https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp

    This application's identity (should match Secret below)

    https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp

    Crypto Type (symmetric | asymmetric)

    Select symmetric from the drop down menu.

    Shared Secret / Private Key alias

    secret12

    Key store path (asymmetric only)

    No value

    Key store password (asymmetric only)

    No value

    Private Key password (asymmetric only)

    No value

  3. Click Generate URL.

    The Secure Attributes Exchange IDP APP SAMPLE is generated and the following links are displayed.


    Click here to invoke the remote SP App via 
    http GET to local IDP : https://sae.sp-example.com:8181/
    opensso/samples/saml2/sae/saeSPApp.jsp : ssourl  
    
    Click here to invoke the remote SP App via 
    http POST to IDP : https://sae.sp-example.com:8181/
    opensso/samples/saml2/sae/saeSPApp.jsp : POST
    
    This URL will invoke global Logout : slourl

    ssourl, POST, and slourl are clickable.

  4. Click ssourl.

    The SAE SP APP SAMPLE page is displayed proving that Secure Attribute Exchange single sign-on has succeeded.


    SAE SP APP SAMPLE
    
    
    Secure Attrs :
    sun.authlevel    0
    sun.spentityid    https://lb4.sp-example.com:1081/opensso
    branch    mainbranch
    sun.idpentityid    https://lb2.idp-example.com:1081/opensso
    mail    testuser@foo.com

  5. Enter https://lb2.idp-example.com:1081/opensso/samples/saml2/sae/saeIDPApp.jsp in the browser to regenerate the Secure Attributes Exchange IDP APP SAMPLE page.

    The Secure Attributes Exchange IDP APP SAMPLE is regenerated and the following links are displayed.


    Click here to invoke the remote SP App via 
    http GET to local IDP : https://sae.sp-example.com:8181/
    opensso/samples/saml2/sae/saeSPApp.jsp : ssourl  
    
    Click here to invoke the remote SP App via 
    http POST to IDP : https://sae.sp-example.com:8181/
    opensso/samples/saml2/sae/saeSPApp.jsp : POST
    
    This URL will invoke global Logout : slourl

    ssourl, POST, and slourl are clickable.

  6. Click slourl.

    The Secure Attributes Exchange IDP APP SAMPLE is displayed.

  7. Type the following values in the appropriate text field.

    Userid on local IDP

    testuser

    Authenticated auth level

    0

    mail attribute

    testuser@foo.com

    branch attribute

    mainbranch

    SP App URL

    https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp

    SAE URL on IDP end

    https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp

    This application's identity (should match Secret below)

    https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp

    Crypto Type (symmetric | asymmetric)

    symmetric

    Shared Secret / Private Key alias

    secret12

    Key store path (asymmetric only)

    No value

    Key store password (asymmetric only)

    No value

    Private Key password (asymmetric only)

    No value

  8. Click Generate URL.

    The Secure Attributes Exchange IDP APP SAMPLE page is displayed.


    Secure Attributes Exchange IDP APP SAMPLE
    
    Setting up the following params:
    branch=mainbranch
    mail=testuser@foo.com
    sun.userid=testuser
    sun.authlevel=0
    sun.spappurl=https://sae.sp-example.com:8181/opensso/
      saml2/sae/saeSPApp.jsp
    sun.idpappurl=https://sae.idp-example.com:8181/opensso/
      saml2/sae/saeIDPApp.jsp
    
    
    Click here to invoke the remote SP App via http GET to local IDP : 
      https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp : ssourl
    
    Click here to invoke the remote SP App via http POST to IDP : 
      https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp
    
    This URL will invoke global Logout : slourl

  9. Click slourl.

    The SAE SP APP SAMPLE page is displayed, showing that the logout command (sun.cmd) and the return URL were securely passed to the service provider application.


    SAE SP APP SAMPLE
    
    
    Secure Attrs :
    sun.cmd    logout
    sun.returnurl    https://lb4.sp-example.com:1081/opensso/SPSloRedirect/
    metaAlias/sp?SAMLRequest=nZNva9swEMa%2FitHbkliS438iMQTCWErXpvUWxt5
    d7HMqsCVPJ0P27WcnLaSDdlDQq5Oe%2Bz33cFoSdG2v7uzRDv4Jfw9IPghOXWtIna9
    WbHBGWSBNykCHpHylyvW3OyXnXPXOelvZlgXbzYqRrKPDouKQQpOmnIsMRSMhgSgRIuU
    gU55jLEQlWbBHR9qaFRvbjGqiAbeGPBg%2FljjPZjyfyfy7jFSUjOcXCzajNW3An1XP3
    vekwrA9zJI5aWdxXtlOCZ6J0PZoiGxY7srWPmGtHVY%2B7NDDutVAIfUsuLf%2BwTy4d
    ePR%2FQtcXIDFcgpAna25q0g%2BTgSI0E0eWXHlUc7xBF3fXrlsoFuGV4QX3P3Ycbv5B
    C6YlI8DtLrR00z%2FpbOg3L2veS9VFnyxrgP%2Fsa2poutZc36qvANDGo1nhfwqbv78u
    O334tGI26MRxzAWu%2F3NDp5%2FvsRxSeASR69KpGlPtqbG0yf2siC5iMe9SzMeJynK
    KhVCZsAhr6s6y2OIDg1WUSq4uODfEovX4psPUvwF&RelayState=s212b785d4bda31
    faa635552f1233bbbb3a2c5badb&sun.appreturn=true

    Logout URL

  10. Click Logout URL on the page displayed in the previous step.

    At the bottom of the displayed page, you will see This proves SLO success.
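The following Python script is an added example and is not code from the OpenSSO Enterprise samples or from this deployment. It models what the procedure above exercises with the symmetric crypto type: the IDP-side application protects the attributes with a keyed MAC under the shared secret, the IDP handler accepts a bundle only if the application identity it carries maps to a configured secret and the MAC verifies (this is why the form says the application's identity should match the Secret), SAML v2 carries the attributes across, and the SP side re-protects them for saeSPApp.jsp, which also handles the sun.cmd=logout case from steps 7 through 10. The bundle encoding (URL-encoded attributes plus HMAC-SHA256, base64), the "sun.ts" timestamp attribute, MAX_AGE and the SP-side secret value are assumptions of this example; OpenSSO's real SAE parameter format is not reproduced here. Hostnames, attribute names and the secret secret12 are the values used in the procedure.

```python
"""Model of the Secure Attribute Exchange test (symmetric crypto type).
Added example, not OpenSSO Enterprise code: the bundle encoding (URL-encoded
attributes + HMAC-SHA256, base64), the "sun.ts" timestamp, MAX_AGE and the
SP-side secret are assumptions; hostnames, attribute names and "secret12"
are the values used in the procedure."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

IDP_APP_URL = "https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp"
SP_APP_URL = "https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp"
IDP_ENTITY_ID = "https://lb2.idp-example.com:1081/opensso"
SP_ENTITY_ID = "https://lb4.sp-example.com:1081/opensso"
# "This application's identity (should match Secret below)": each side looks the
# shared secret up by the application identity carried inside the bundle.
IDP_APP_SECRETS = {IDP_APP_URL: "secret12"}
SP_APP_SECRETS = {SP_APP_URL: "sp-secret-assumed"}  # assumed value
MAX_AGE = 300  # seconds a bundle stays acceptable (assumed replay window)


def seal(attrs, secret):
    """MAC the canonical (sorted, URL-encoded) attribute string with the shared secret."""
    payload = urlencode(sorted(attrs.items()))
    mac = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload.encode()).decode() + "." + mac


def unseal(bundle, identity_attr, registry, now):
    """Return the attributes of a bundle that verifies, else raise ValueError."""
    try:
        b64, mac = bundle.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64).decode()
    except ValueError:  # missing separator, bad base64 or non-text payload
        raise ValueError("malformed bundle") from None
    attrs = {k: v[0] for k, v in parse_qs(payload, keep_blank_values=True).items()}
    secret = registry.get(attrs.get(identity_attr))
    if secret is None:  # identity not configured: nothing to verify against
        raise ValueError("unknown application identity")
    expected = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        raise ValueError("signature mismatch")
    if abs(now - int(attrs.get("sun.ts", "0"))) > MAX_AGE:
        raise ValueError("stale bundle")
    return attrs


def idp_app_generate_url(user_attrs, now, secret="secret12", app_identity=IDP_APP_URL):
    """Steps 2-3 (saeIDPApp.jsp): the bundle behind the generated ssourl link."""
    return seal({**user_attrs, "sun.spappurl": SP_APP_URL, "sun.idpappurl": app_identity,
                 "sun.ts": str(now)}, secret)


def idp_sae_handler(bundle, now):
    """idpsaehandler: verify, then pass the attributes to SAML v2 (modelled as a dict)."""
    attrs = unseal(bundle, "sun.idpappurl", IDP_APP_SECRETS, now)
    # sun.userid becomes the assertion subject; the rest ride as SAML attributes
    return {**{k: attrs[k] for k in ("sun.authlevel", "mail", "branch", "sun.cmd", "sun.returnurl") if k in attrs},
            "sun.idpentityid": IDP_ENTITY_ID, "sun.spentityid": SP_ENTITY_ID, "sun.spappurl": attrs["sun.spappurl"]}


def sp_sae_handler(assertion_attrs, now):
    """SP side: re-protect the received attributes with the consumer application's secret."""
    secret = SP_APP_SECRETS[assertion_attrs["sun.spappurl"]]
    return seal({**assertion_attrs, "sun.ts": str(now)}, secret)


def sp_app_consume(bundle, now):
    """saeSPApp.jsp: verify, then act on a login or on a sun.cmd=logout command."""
    attrs = unseal(bundle, "sun.spappurl", SP_APP_SECRETS, now)
    if attrs.get("sun.cmd") == "logout":
        return {"action": "logout", "returnurl": attrs["sun.returnurl"]}
    return {"action": "login", "attrs": {k: v for k, v in attrs.items() if k != "sun.ts"}}


TEST_USER = {"sun.userid": "testuser", "sun.authlevel": "0", "mail": "testuser@foo.com",
             "branch": "mainbranch"}  # the hard-coded values from the procedure
NOW = 1_700_000_000  # fixed clock so the results are reproducible


def run_sso(now=NOW):
    """Steps 1-4: attributes travel IDP app -> IDP -> SP -> SP app."""
    assertion = idp_sae_handler(idp_app_generate_url(TEST_USER, now), now)
    return sp_app_consume(sp_sae_handler(assertion, now), now)


def run_slo(now=NOW):
    """Steps 7-10: the same path carries the logout command and the return URL."""
    logout = {"sun.userid": "testuser", "sun.cmd": "logout",
              "sun.returnurl": SP_ENTITY_ID + "/SPSloRedirect/metaAlias/sp"}
    assertion = idp_sae_handler(idp_app_generate_url(logout, now), now)
    return sp_app_consume(sp_sae_handler(assertion, now), now)


def run_negative(now=NOW):
    """Bundles the IDP handler must reject: edited attribute, unknown app, wrong secret, replay."""
    good = idp_app_generate_url(TEST_USER, now)
    b64, mac = good.rsplit(".", 1)
    edited = base64.urlsafe_b64decode(b64).decode().replace("sun.authlevel=0", "sun.authlevel=5")
    cases = {"tampered": (base64.urlsafe_b64encode(edited.encode()).decode() + "." + mac, now),
             "unknown_app": (idp_app_generate_url(TEST_USER, now, app_identity="https://attacker.example/app.jsp"), now),
             "wrong_secret": (idp_app_generate_url(TEST_USER, now, secret="secret13"), now),
             "replayed": (good, now + MAX_AGE + 1)}
    verdicts = {}
    for name, (bundle, clock) in cases.items():
        try:
            idp_sae_handler(bundle, clock)
            verdicts[name] = "accepted"
        except ValueError as exc:
            verdicts[name] = str(exc)
    return verdicts
```

run_sso() returns the attribute set the SAE SP APP SAMPLE page lists in step 4 (auth level, both entity IDs, branch and mail, with no user ID because that travels as the assertion subject), run_slo() returns the logout command and return URL of step 9, and run_negative() shows the ways a generated URL is refused at the IDP end: an attribute edited after generation, an application identity that is not configured, a secret that does not match the identity, and a bundle presented outside its validity window. Those are the first things to check when clicking ssourl does not produce the SAE SP APP SAMPLE page.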

Troubleshooting

If there are issues running this test, see the OpenSSO Enterprise debug files located in the /export/ossoadm/config/opensso/debug/Federation directory on both the identity provider and the service provider sides.