test

Sun OpenSSO Enterprise 8.0 Developer's Guide

Generating Security Tokens

In general, a discovery service and an identity provider are hosted on the same machine. Because the identity provider hosting the Discovery Service might be fulfilling other roles for an identity (such as a Policy Decision Point or an Authentication Authority), it can be configured to provide the requesting entity with security tokens. The Discovery Service can include a security token (inserted into a SOAP message header) in a DiscoveryLookup response. The token can then be used as a credential to invoke the service returned with it.

Note –

For information regarding the deployment of the Client SDK, see Chapter 14, Using the Client SDK.

ProcedureTo Configure the Discovery Service to Generate Security Tokens

  1. Generate the keystore and certificate aliases for the machines that are hosting the Discovery Service, the WSP and the WSC.

    OpenSSO Enterprise uses a Java keystore for storing the public and private keys so, if this is a new deployment, you might need to generate one using keytool, the key and certificate management utility supplied with the Java Platform, Standard Edition. In short, keytool generates key pairs as separate key entries (one for a public key and the other for its associated private key). It wraps the public key into an X.509 self-signed certificate (one for which the issuer/signer is the same as the subject), and stores it as a single-element certificate chain. Additionally, the private key is stored separately, protected by a password, and associated with the certificate chain for the corresponding public key. All public and private keystore entries are accessed via unique aliases.

  2. Update the values of the key-related properties for the appropriate deployed instances of OpenSSO Enterprise.

    Note –

    The same property might have already been edited depending on the deployment scenario.

    1. For the web services provider and web services client deployed on OpenSSO Enterprise:

      1. Login to the OpenSSO Enterprise console.

      2. Click the Configuration tab.

      3. Click the Global tab.

      4. Click the Liberty ID-WSF Security Service link.

        The Liberty ID-WSF Security Service page is displayed.

      5. Enter test as the value for the following attributes and click Save.

        • Default WSC Certificate alias

        • Trusted Authority signing certificate alias

        • Trusted CA signing certificate aliases

        Note –

        test is the default self-signed certificate shipped with OpenSSO Enterprise. Use your own key and CA name for your customized deployment. If you want to use a different keystore location, under the Configuration tab click Servers and Sites. Click the link of the appropriate server instance. Under the Security tab click Inheritance Settings and do the following:

        • Uncheck the Keystore File box.

        • Optionally, uncheck the Private Key Password File box and the Keystore Password File box.

        Click Save and Back to Server Profile. Click the Keystore link and enter the location of the Keystore File. (If you change the password for the Private Key or Keystore, you need to encode the new password using the ampassword command or encode.jsp before putting it into the corresponding password file.)

      6. Log out of the console and restart the instance to allow the changes to take effect.

    2. For the web services provider and web services client deployed on the same machine as the OpenSSO Enterprise Client SDK update the values of the following key-related properties in the AMConfig.properties:

      • com.sun.identity.saml.xmlsig.keystore defines the location of the keystore file.

      • com.sun.identity.saml.xmlsig.storepass defines the location of the file that contains the password used to access the keystore file.

      • com.sun.identity.saml.xmlsig.keypass defines the location of the file that contains the password used to protect the private key of a generated key pair.

      • com.sun.identity.liberty.ws.wsc.certalias defines the certificate alias used for signing the WSP protocol responses.

      • com.sun.identity.liberty.ws.trustedca.certaliases defines the certificate alias and the Provider ID list on which the WSP is trusting.

  3. Configure each identity provider and service provider as an entity using the Federation module.

    This entails configuring each provider as an entity in a circle of trust.

  4. Establish provider trust between the entities by creating an authentication domain using the Federation module.

    See Part II, Federation, Web Services, and SAML Administration, in Sun OpenSSO Enterprise 8.0 Administration Guide.

  5. Change the default value of the Provider ID for the Discovery Service on the machine where the Discovery Service is hosted to the value that reflects the previously loaded metadata.

    1. Click the Web Services tab from the OpenSSO Enterprise Console.

    2. Click the Discovery Service tab under Web Services.

    3. Change the default value of the Provider ID from protocol://host:port/deployuri/Liberty/disco to the Entity ID of the identity provider.

  6. Change the default value of the Provider ID for the Liberty Personal Profile Service on the machine where the Liberty Personal Profile Service is hosted to the value that reflects the previously loaded metadata.

    1. Click the Web Services tab from the OpenSSO Enterprise Console.

    2. Click the Liberty Personal Profile Service tab under Web Services.

    3. Change the default value of the Provider ID from protocol://host:port/deployuri/Liberty/idpp to the Entity ID of the identity provider.

  7. Register a resource offering for the WSP using either of the following methods.

    Make sure that the appropriate directives are chosen.

    • For SAML Bearer token use GenerateBearerToken or AuthenticateRequester.

    • For SAML Token (Holder of key) use AuthenticateRequester or AuthorizeRequester.