Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

Part I Installation

1 Installing OpenSSO Security Token Service

• 1.1 Meeting the System Requirements
• 1.2 Installing a Web Container
  • 1.2.1 Using Oracle WebLogic Server
  • 1.2.2 Using GlassFish Application Server
• 1.3 Installing the OpenSSO STS Server
  • 1.3.1 Downloading the OpenSSO STS WAR
  • 1.3.2 Unpacking openssosts.war
  • 1.3.3 Deploying the OpenSSO STS WAR File
  • 1.3.4 To Deploy the OpenSSO STS WAR
    • 1.3.4.1 Deploying openssosts.war on Oracle WebLogic Application Server
    • 1.3.4.2 Deploying openssosts.war GlassFish Version 3
• 1.4 Configuring OpenSSO STS Using the Command-Line Configurator
  • 1.4.1 Before You Begin
  • 1.4.2 Installing the Command-Line Configurator
    • 1.4.2.1 To Install the Command-Line Configurator
  • 1.4.3 To Configure the OpenSSO STS Server
    • 1.4.3.1 OpenSSO STS Configuration Parameters For the Command-Line Configurator
    • 1.4.3.2 User Data Store Parameters
  • 1.4.4 To Configure Multiple OpenSSO STS Servers with Identical Configuration Settings
• 1.5 Configuring the OpenSSO STS Administrator Password
• 1.6 Installing the OpenSSO STS Command-Line Utility
  • 1.6.1 To Install the ssoadm Command-Line Utility
• 1.7 Uninstalling the OpenSSO STS Server
  • 1.7.1 To Uninstall the OpenSSO STS Server
  • 1.7.2 To Uninstall the OpenSSO STS Utilities and Scripts

Part II Basic Server Administration

2 Overview of OpenSSO Security Token Service

• 2.1 About OpenSSO STS
  • 2.1.1 The OpenSSO Security Token Service
  • 2.1.2 OpenSSO STS as a Web Service Security Provider
  • 2.1.3 OpenSSO STS Agent Profiles
• 2.2 Common Uses for OpenSSO STS
  • 2.2.1 Stand-Alone Security Token Service
  • 2.2.2 Web Services Security Provider
• 2.3 Single-Realm Administration Console

3 Getting Started Using the OpenSSO STS Console

• 3.1 Logging In to the OpenSSO STS Console
• 3.2 First-Time Login Configuration
  • 3.2.1 To Configure the OpenSSO STS Application
• 3.3 About the Single-Realm OpenSSO STS Console

4 Managing the Security Token Service

• 4.1 About the OpenSSO Security Token Service
  • 4.1.1 Security Token Generation Process Flow
  • 4.1.2 Supported Security Tokens and Security Mechanisms
  • 4.1.3 Supported Standards
  • 4.1.4 Leveraging Dynamic Policy For OpenSSO STS WSDL
• 4.2 To Configure the Security Token Service
• 4.3 Generating Security Tokens
  • 4.3.1 Using the Security Token Generation Matrix
    • 4.3.1.1 Token Generation Matrix Legend
  • 4.3.2 To Read the Security Token Generation Matrix
    • 4.3.2.1 Example: Using the Token Generation Matrix
• 4.4 To Register a Web Service Provider to OpenSSO STS
• 4.5 To Configure a Web Service Provider
• 4.6 To Register a WS-Trust Client

5 Configuring OpenSSO STS System Properties

• 5.1 Managing OpenSSO STS Servers
  • 5.1.1 To Edit the Default OpenSSO STS Server Settings
  • 5.1.2 To Add a New OpenSTS Server
  • 5.1.3 To Configure an OpenSSO STS Server
    • 5.1.3.1 To Configure OpenSSO STS Server General Properties
    • 5.1.3.2 To Configure OpenSSO STS Server Security Properties
    • 5.1.3.3 To Configure OpenSSO STS Server Session Properties
    • 5.1.3.4 To Configure OpenSSO STS Server SDK Properties
    • 5.1.3.5 To Configure OpenSSO STS Server Directory Configuration Properties
    • 5.1.3.6 To Configure OpenSSO STS Server Advanced Properties
  • 5.1.4 To Clone an OpenSSO STS Server
• 5.2 Managing OpenSSO STS Sites
  • 5.2.1 To Add a New OpenSSO STS Site
  • 5.2.2 To Configure an OpenSSO STS Site
  • 5.2.3 To Delete an OpenSSO STS Site
• 5.3 Managing User Data Stores
  • 5.3.1 To Add a New User Data Store
  • 5.3.2 To Delete a User Data Store
• 5.4 Configuring Global Platform Attributes

6 Managing the OpenSSO STS Authentication Service

• 6.1 Configuring Global Authentication Service Properties
  • 6.1.1 To Configure Active Directory Authentication Service Attributes
  • 6.1.2 To Configure Certificate Authentication Service Realm Attributes
  • 6.1.3 To Configure Core Authentication Service Attributes
  • 6.1.4 To Configure Data Store Authentication Service Attributes
  • 6.1.5 To Configure Federation Authentication Service Attributes
  • 6.1.6 To Configure JDBC Authentication Service Realm Attributes
  • 6.1.7 To Configure LDAP Authentication Service Realm Attributes
  • 6.1.8 To Configure OAMAuth Authentication Service Realm Attributes
  • 6.1.9 To Configure WSSAuth Authentication Service Attributes
• 6.2 Configuring the Authentication Service Realm
  • 6.2.1 To Configure the Authentication Realm
• 6.3 Managing Authentication Module Instances
  • 6.3.1 To Add a New Active Directory Module Instance
  • 6.3.2 To Configure an Active Directory Authentication Module Instance
  • 6.3.3 To Add a New Certificate Authentication Module Instance
  • 6.3.4 To Configure a Certificate Authentication Module Instance
  • 6.3.5 To Add a New Data Store Authentication Module Instance
  • 6.3.6 To Configure a Data Store Authentication Module Instance
  • 6.3.7 To Add and Configure a New Federation Authentication Module Instance
  • 6.3.8 To Add a New JDBC Authentication Module Instance
  • 6.3.9 To Configure a JDBC Authentication Module Instance
  • 6.3.10 To Add an New LDAP Authentication Module Instance
  • 6.3.11 To Configure an LDAP Authentication Module Instance
  • 6.3.12 To Add a New Oracle Authentication Module Instance
  • 6.3.13 To Configure an Oracle Authentication Module Instance
  • 6.3.14 To Add a New Web Service Security Authentication Module Instance
  • 6.3.15 To Configure a WSSAuth Authentication Module Instance
  • 6.3.16 To Delete an Authentication Module Instance
• 6.4 Managing Authentication Chains
  • 6.4.1 To Create a New Authentication Chain
  • 6.4.2 To Delete an Authentication Chain

7 Using the Logging Service

• 7.1 About the Logging Service
  • 7.1.1 Log Records
  • 7.1.2 Error Logs and Access Logs
  • 7.1.3 Log File Formats
    • 7.1.3.1 Flat File Format
    • 7.1.3.2 Relational Database Format
• 7.2 Configuring Global Logging Attributes
  • 7.2.1 To Configure Global Logging Attributes
• 7.3 Using OpenSSO STS Component Logs
• 7.4 Using Secure Logging
  • 7.4.1 To Enable Secure Logging through a JSS Provider
  • 7.4.2 To Change from a JCE Provider to a JSS Provider
• 7.5 Using Database Logging
  • 7.5.1 To Enable Database Logging

8 Deploying OpenSSO STS with Other Oracle Products

• 8.1 Configuring Administrator Single Sign-On with Oracle Access Manager
  • 8.1.1 To Configure Administrator Single Sign-On with Oracle Access Manager
• 8.2 Configuring OpenSSO STS to Work with Oracle Internet Directory and Oracle Virtual Directory
  • 8.2.1 To Configure Oracle Internet Directory or Oracle Virtual Directory for User Authentication
  • 8.2.2 To Configure SAML Attribute Generation and Retrieval

Part III Appendixes

A Using the ssoadm Command-Line Interface

• A.1 About ssoadm
• A.2 Basic ssoadm Usage
  • A.2.1 ssoadm Syntax
  • A.2.2 Password File
  • A.2.3 ssoadm Usage Example
  • A.2.4 Displaying Options for an ssoadm Subcommand
  • A.2.5 ssoadm Subcommand Usage
• A.3 Command-Line Reference
• ssoadm Commands

B Debugging and Troubleshooting OpenSSO STS

• B.1 Debugging OpenSSO STS
• B.2 Troubleshooting OpenSSO STS Issues