Sun Java System SAML v2 Plug-in for Federation Services User's Guide

SAML v2 Plug-in for Federation Services Architecture

The SAML v2 Plug-in for Federation Services consists of web-based services [using SOAP, XML over HTTP(S) or HTML over HTTP(S)], and Java™-based application provider interfaces (API) and service provider interfaces (SPI). The figure below illustrates this architecture. Additionally, the figure shows an agent embedded into a web container in which a service provider application is deployed. This agent enables the service provider to participate in the SAML or Liberty-based protocols.

Figure 1–2 SAML v2 Plug-in for Federation Services Architecture (figure not reproduced here; it illustrates the web-based services, the Java API and SPI, and the agent embedded in the service provider's web container described above).

Installation

A single Solaris package will be supplied along with installation and configuration scripts to set up the SAML v2 protocol endpoints as well as the SAML v2 metadata for the identity provider and the service provider. The SAML v2 Plug-in for Federation Services will leverage the core infrastructure of the underlying server product (Access Manager or Federation Manager) for authentication, authorization, service management, logging/auditing, delegation, and access to user data stores. The SAML v2 Plug-in for Federation Services is implemented as a Solaris or Linux package. Scripts to uninstall the plug-in are also supplied. More information can be found in Chapter 2, Installing the SAML v2 Plug-in for Federation Services.

Administration

To communicate using the SAML v2 profiles you need at least two instances of the installed SAML v2 Plug-in for Federation Services: one instance acts for the identity provider and the other acts for the service provider. To prepare your instances of the SAML v2 Plug-in for Federation Services for interactions, you need to exchange configuration information (metadata) with all participating identity and service providers, import each provider's metadata using an XML-based metadata configuration file, and assemble the providers into a circle of trust. The SAML v2 Plug-in for Federation Services accomplishes all of this administration and configuration through the command-line interface, saml2meta. Utility APIs can then be used to communicate with the data store, reading, writing, and managing the relevant properties and property values. More information can be found in Chapter 3, Administration.
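Because a provider's metadata file is what you import to establish trust, it is worth sanity-checking it before it goes into the circle of trust. The following is an added example, not code from the guide or from the plug-in's own SDK: it parses a constructed SAML v2 metadata document with the standard JAXP DOM parser (DTDs and external entities disabled), reads the entityID and role descriptors, and reports endpoints that are not served over TLS and roles that carry no signing certificate. The sample document, its entityID and the placeholder certificate text are all invented for the example; the namespace URIs and element names are those of the SAML v2 metadata schema.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class MetadataCheck {
    static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample: a minimal identity provider metadata document.
    // Deliberately contains one non-TLS endpoint so the check has something to report.
    static final String SAMPLE_METADATA =
        "<EntityDescriptor xmlns=\"" + MD_NS + "\" xmlns:ds=\"" + DS_NS + "\" "
        + "entityID=\"https://idp.example.com/metadata\">"
        + "<IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
        + "<KeyDescriptor use=\"signing\"><ds:KeyInfo><ds:X509Data>"
        + "<ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>"
        + "</ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        + "<SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" "
        + "Location=\"https://idp.example.com/slo\"/>"
        + "<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" "
        + "Location=\"http://idp.example.com/sso\"/>"
        + "</IDPSSODescriptor></EntityDescriptor>";

    // Parses the metadata with DTD processing disabled and returns a list of findings
    // (empty list means nothing was flagged).
    static List<String> checkMetadata(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Metadata never legitimately carries a DOCTYPE; rejecting it blocks entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        List<String> findings = new ArrayList<>();
        Element root = doc.getDocumentElement();
        if (!MD_NS.equals(root.getNamespaceURI()) || !"EntityDescriptor".equals(root.getLocalName())) {
            findings.add("root element is not md:EntityDescriptor");
            return findings;
        }
        if (root.getAttribute("entityID").isEmpty()) {
            findings.add("EntityDescriptor has no entityID");
        }
        for (String role : new String[] {"IDPSSODescriptor", "SPSSODescriptor"}) {
            NodeList roles = root.getElementsByTagNameNS(MD_NS, role);
            for (int i = 0; i < roles.getLength(); i++) {
                Element r = (Element) roles.item(i);
                if (!hasSigningCertificate(r)) {
                    findings.add(role + ": no KeyDescriptor with a signing certificate");
                }
                // Every md:* descendant with a Location attribute is a protocol endpoint.
                NodeList children = r.getElementsByTagNameNS(MD_NS, "*");
                for (int j = 0; j < children.getLength(); j++) {
                    Element e = (Element) children.item(j);
                    String loc = e.getAttribute("Location");
                    if (!loc.isEmpty() && !loc.startsWith("https://")) {
                        findings.add(role + "/" + e.getLocalName() + ": endpoint not over TLS: " + loc);
                    }
                }
            }
        }
        return findings;
    }

    // A KeyDescriptor with use="signing", or with no "use" attribute (which the schema
    // treats as usable for both signing and encryption), that contains an X509Certificate.
    static boolean hasSigningCertificate(Element role) {
        NodeList keys = role.getElementsByTagNameNS(MD_NS, "KeyDescriptor");
        for (int i = 0; i < keys.getLength(); i++) {
            Element k = (Element) keys.item(i);
            String use = k.getAttribute("use");
            if ((use.isEmpty() || "signing".equals(use))
                    && k.getElementsByTagNameNS(DS_NS, "X509Certificate").getLength() > 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = checkMetadata(SAMPLE_METADATA);
        if (findings.isEmpty()) {
            System.out.println("metadata passed basic checks");
        } else {
            for (String f : findings) System.out.println("finding: " + f);
        }
    }
}
```

Run against the constructed sample, the only finding is the SingleSignOnService endpoint served over plain http; the signing certificate placeholder satisfies the key check. In a real import you would additionally verify the metadata document's own XML signature, or confirm the file's origin out of band, before running saml2meta against it.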


Note –

Membership in a circle of trust is transient and might change over the life cycle of the circle as relationships among the partners themselves change.


Java Developer Tools

The SAML v2 Plug-in for Federation Services includes Java programming tools for developer access to the SAML v2 features. They include:

Interfaces

The following sections contain general information about the interfaces provided with the SAML v2 Plug-in for Federation Services.

More information can be found in Chapter 5, Developer Tools and the Sun Java System SAMLv2 Plug-in for Federation Services Java API Reference.

Application Programming Interfaces

The SAML v2 Plug-in for Federation Services provides a software development kit (SDK) containing API that can be used to construct and process assertions, requests, and responses. The SDK is designed to be plugged in although it can also be installed and run as a standalone application (without an instance of Access Manager or Federation Manager). Here is a list of the included Java API packages:

More information about the SAML v2 Plug-in for Federation Services SDK can be found in The SAML v2 Plug-in for Federation Services SDK and the Sun Java System SAMLv2 Plug-in for Federation Services Java API Reference.

Service Provider Interfaces

The SAML v2 Plug-in for Federation Services provides SPI that can be implemented for application development. They are collected in the package com.sun.identity.saml2.plugins. Default implementations are provided out-of-the-box; a customized implementation can be substituted for a default one by modifying the appropriate attribute in the extended metadata configuration file. More information about the SPI can be found in Service Provider Interfaces and the Sun Java System SAMLv2 Plug-in for Federation Services Java API Reference.

JavaServer Pages

The SAML v2 Plug-in for Federation Services provides JSP that can be used to initiate single sign-on, single logout, and termination requests from either the identity provider or the service provider using a web browser. The JSP accept query parameters to allow flexibility in constructing the requests, and they can be modified for your deployment. More information about the JSP can be found in JavaServer Pages.