The previous sections detailed how to create and configure entities and circles of trust using the OpenSSO Enterprise console. But entities can also be created and configured using the ssoadm command-line interface. Rather than filling in provider attribute values manually, you would create an XML file containing the provider attributes and corresponding values and import it using ssoadm.
The format of the XML file used as input is based on the sms.dtd. Alterations to the DTD files may hinder the operation of OpenSSO Enterprise.
ssoadm is used to manage the provider metadata. The following table describes the ssoadm subcommands specific to metadata management.
Table 7–1 ssoadm Subcommands for Managing Metadata

| Subcommand | Description |
|---|---|
| import-entity | Loads standard and extended metadata in XML format into a local configuration data store. Note – Use the `--spec` option to specify saml2, idff, or wsfed. |
| export-entity | Exports standard and extended metadata in XML format from a local configuration data store. Note – Use the `--spec` option to specify saml2, idff, or wsfed. |
| create-metadata-templ | Generates a metadata configuration file for any provider type with defined values for default metadata properties. The generated file can be modified for use with import-entity. Note – Use the `--spec` option to specify saml2, idff, or wsfed. |
| delete-entity | Removes standard or extended metadata from a local configuration data store. Note – Use the `--spec` option to specify saml2, idff, or wsfed. |
| list-entities | Generates a list of all the entity identifiers on the system. Note – Use the `--spec` option to specify saml2, idff, or wsfed. |
| update-entity-key-info | Updates the XML signing and encryption key information for a hosted IDP or SP. |
There are two types of entity provider metadata (formatted in XML files) that can be used as input to ssoadm:

- Standard metadata properties are defined in the Liberty ID-FF and SAMLv2 specifications.
- Extended metadata properties are proprietary and used by features specific to OpenSSO Enterprise.
Information regarding the attributes and possible values of the metadata can be found in Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference. The following sections contain information on loading the metadata.
To load metadata compliant with the Liberty ID-FF, SAMLv2, or WS-Federation protocols, use the following command (options in square brackets are optional):
```
ssoadm import-entity --adminid admin-ID --password-file password_filename [--realm realm-name] [--meta-data-file metadatafilename] [--cot circle-of-trust] [--spec idff_or_saml2_or_wsfed]
```
This subcommand is usually used to load provider metadata that a trusted partner has sent in an XML file. Here is an example of a service provider metadata XML file compliant with the Liberty ID-FF.
```xml
<!-- Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
     Use is subject to license terms. -->
<EntityDescriptor meta:providerID="http://sp10.com" meta:cacheDuration="360"
    xmlns:meta="urn:liberty:metadata:2003-08" xmlns="urn:liberty:metadata:2003-08">
  <SPDescriptor cacheDuration="180" xmlns:meta="urn:liberty:metadata:2003-08" aaa="aaa"
      protocolSupportEnumeration="urn:liberty:iff:2003-08">
    <KeyDescriptor use="signing">
      <EncryptionMethod>http://something/encrypt</EncryptionMethod>
      <KeySize>4567</KeySize>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
MIIC1DCCApICBD8poYwwCwYHKoZIzjgEAwUAMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x
IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDAeFw0w
MzA3MzEyMzA5MDBaFw0wNDAxMjcyMzA5MDBaMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x
IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDCCAbcw
ggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUP
BPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1
AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hM
KBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4Vrl
nwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKBgCNS1il+RQAQGcQ87GBFde8kf8R6ZVuaDDajFYE4/LNT
Kr1dhEcPCtvL+iUFi44LzJf8Wxh+eA5K1mjIdxOo/UdwTpNQSqiRrm4Pq0wFG+hPnUTYLTtENkVX
IIvfeoVDkXnF/2/i1Iu6ttZckimOPHfLzQUL4ldL4QiaYuCQF6NfMAsGByqGSM44BAMFAAMvADAs
AhQ6yueX7YlD7IlJhJ8D4l6xYqwopwIUHzX82qCzF+VzIUhi0JG7slSpyis=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutServiceURL>http://www.sun.com/slo</SingleLogoutServiceURL>
    <SingleLogoutServiceReturnURL>http://www.sun.com/sloservice</SingleLogoutServiceReturnURL>
    <FederationTerminationServiceURL>http://www.sun.com/fts</FederationTerminationServiceURL>
    <FederationTerminationServiceReturnURL>http://www.sun.com/ftsr</FederationTerminationServiceReturnURL>
    <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-sp-http</FederationTerminationNotificationProtocolProfile>
    <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http</SingleLogoutProtocolProfile>
    <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/rni-sp-http</RegisterNameIdentifierProtocolProfile>
    <RegisterNameIdentifierServiceURL>http://www.sun2.com/risu</RegisterNameIdentifierServiceURL>
    <RegisterNameIdentifierServiceReturnURL>http://www.sun2.com/rstu</RegisterNameIdentifierServiceReturnURL>
    <RelationshipTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/rel-term-soap</RelationshipTerminationNotificationProtocolProfile>
    <NameIdentifierMappingBinding AuthorityKind="ppp:AuthorizationDecisionQuery"
        Location="http://eng.sun.com" Binding="http://www.sun.com"
        xmlns:ppp="urn:oasis:names:tc:SAML:1.0:protocol"></NameIdentifierMappingBinding>
    <AdditionalMetaLocation namespace="abc">http://www.aol.com</AdditionalMetaLocation>
    <AdditionalMetaLocation namespace="efd">http://www.netscape.com</AdditionalMetaLocation>
    <AssertionConsumerServiceURL id="jh899" isDefault="true">http://www.iplanet.com/assertionurl</AssertionConsumerServiceURL>
    <AuthnRequestsSigned>true</AuthnRequestsSigned>
  </SPDescriptor>
  <ContactPerson xmlns:meta="urn:liberty:metadata:2003-08" contactType="technical"
      meta:libertyPrincipalIdentifier="myid">
    <Company>Sun Microsystems</Company>
    <GivenName>Joe</GivenName>
    <SurName>Smith</SurName>
    <EmailAddress>joe@sun.com</EmailAddress>
    <EmailAddress>smith@sun.com</EmailAddress>
    <TelephoneNumber>45859995</TelephoneNumber>
  </ContactPerson>
  <Organization xmlns:xml="http://www.w3.org/XML/1998/namespace">
    <OrganizationName xml:lang="en">sun com</OrganizationName>
    <OrganizationName xml:lang="en">sun micro com</OrganizationName>
    <OrganizationDisplayName xml:lang="en">sun.com</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://www.sun.com/liberty</OrganizationURL>
  </Organization>
</EntityDescriptor>
```
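Metadata received from a partner is trusted configuration once it is imported: every `*URL` element in the SPDescriptor becomes a place the IDP will send users and assertions, and the signing certificate decides whose requests are accepted. The following script is an added example (not OpenSSO Enterprise code) that parses a Liberty ID-FF EntityDescriptor of the kind shown above and lists what to review before running `ssoadm import-entity`. The embedded sample document, its providerID, and the certificate blob `MAMCAQU=` (a tiny DER `SEQUENCE { INTEGER 5 }` standing in for a real X.509 certificate) are constructed for the example.

```python
"""Review partner Liberty ID-FF SP metadata before `ssoadm import-entity`.

Added example, not OpenSSO Enterprise code. It reads an EntityDescriptor of
the kind shown above and reports the points an administrator should check
before trusting the file: the endpoints an IDP will send users to, whether
the SP signs its requests, and whether a usable signing certificate exists.
"""
import base64
import xml.etree.ElementTree as ET

META_NS = "urn:liberty:metadata:2003-08"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: same shape as the example above, a made-up providerID,
# and "MAMCAQU=" (DER SEQUENCE { INTEGER 5 }) standing in for a certificate.
SAMPLE_METADATA = f"""<EntityDescriptor meta:providerID="http://sp.example.com"
    meta:cacheDuration="360" xmlns:meta="{META_NS}" xmlns="{META_NS}">
  <SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}">
        <ds:X509Data><ds:X509Certificate>MAMCAQU=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutServiceURL>http://sp.example.com/slo</SingleLogoutServiceURL>
    <AssertionConsumerServiceURL id="acs1" isDefault="true">https://sp.example.com/acs</AssertionConsumerServiceURL>
    <AuthnRequestsSigned>false</AuthnRequestsSigned>
  </SPDescriptor>
</EntityDescriptor>
"""


def q(tag, ns=META_NS):
    """Clark-notation name, the form ElementTree uses for namespaced names."""
    return f"{{{ns}}}{tag}"


def review_sp_metadata(xml_text):
    """Return (summary, findings) for one EntityDescriptor with an SPDescriptor."""
    root = ET.fromstring(xml_text)
    findings = []
    summary = {
        "providerID": root.get(q("providerID")),       # namespaced attribute
        "cacheDuration": root.get(q("cacheDuration")),
        "endpoints": {},
        "authnRequestsSigned": None,
        "signingCerts": 0,
    }
    sp = root.find(q("SPDescriptor"))
    if sp is None:
        return summary, ["no SPDescriptor element"]

    # Every *URL child is a place the IDP will redirect or POST users to.
    for el in sp:
        if el.tag.startswith("{" + META_NS + "}") and el.tag.endswith("URL"):
            name = el.tag.split("}", 1)[1]
            url = (el.text or "").strip()
            summary["endpoints"][name] = url
            if not url.startswith("https://"):
                findings.append(f"{name} is not https: {url}")

    signed = (sp.findtext(q("AuthnRequestsSigned")) or "").strip().lower()
    summary["authnRequestsSigned"] = signed == "true"
    if signed != "true":
        findings.append("AuthnRequestsSigned is not true")

    # Signing certificates must be base64 and DER (leading ASN.1 SEQUENCE tag 0x30).
    for kd in sp.findall(q("KeyDescriptor")):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(q("X509Certificate", DS_NS)):
            raw = "".join((cert.text or "").split())   # drop line wrapping
            try:
                der = base64.b64decode(raw, validate=True)
            except ValueError:
                findings.append("signing certificate is not valid base64")
                continue
            if not der or der[0] != 0x30:
                findings.append("signing certificate is not DER encoded")
                continue
            summary["signingCerts"] += 1
    if summary["signingCerts"] == 0:
        findings.append("no signing certificate in metadata")
    return summary, findings


if __name__ == "__main__":
    summary, findings = review_sp_metadata(SAMPLE_METADATA)
    print(summary)
    for item in findings:
        print("CHECK:", item)
```

Run against the sample it flags the plain-http single logout URL and the unsigned AuthnRequest setting; run against the Sun example above it would flag every endpoint, since all of them are `http://`. The script only decodes the certificate; checking its subject, validity period and issuer against what the partner told you out of band is still a manual step.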
OpenSSO Enterprise provides proprietary attributes that are not a specific part of the Liberty ID-FF, WS-Federation, or SAMLv2 protocols. To load OpenSSO Enterprise proprietary metadata use the following command:
```
ssoadm import-entity --adminid admin-ID --password-file password_filename [--realm realm-name] [--meta-data-file metadatafilename] [--extended-data-file extended_metadata_filename] [--cot circle-of-trust] [--spec idff_or_saml2_or_wsfed]
```
After loading the metadata, the ssoadm export-entity option can be used to export metadata. This file can then be exchanged with trusted partners. Here is an example of an identity provider metadata XML file for proprietary attributes.
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Access Manager 2005Q4 Admin CLI DTD//EN"
    "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<Requests>
  <OrganizationRequests DN="dc=companyA,dc=com">
    <CreateHostedProvider id="http://sp.companyA.com" role="SP"
        defaultUrlPrefix="http://sp.companyA.com:80">
      <AttributeValuePair>
        <Attribute name="iplanet-am-provider-name"/>
        <Value>sp</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="iplanet-am-provider-alias"/>
        <Value>sp.companyA.com</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="iplanet-am-list-of-authenticationdomains"/>
        <Value>samplecot</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="iplanet-am-certificate-alias"/>
        <Value>cert_alias</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="iplanet-am-trusted-providers"/>
        <Value>http://idp.companyB.com</Value>
        <Value>http://idp.companyC.com</Value>
      </AttributeValuePair>
      <SPAuthContextInfo AuthContext="Password" AuthLevel="1"/>
      <AttributeValuePair>
        <Attribute name="iplanet-am-provider-homepage-url"/>
        <Value>http://sp.companyA.com:80/idff/index.jsp</Value>
      </AttributeValuePair>
    </CreateHostedProvider>
  </OrganizationRequests>
</Requests>
```
The ssoadm command-line interface creates and manages the circles of trust used by the Federation services. The following table describes the ssoadm subcommands specific to circle of trust management.
Table 7–2 ssoadm Subcommands for Managing Circles of Trust

| Subcommand | Description |
|---|---|
| create-cot | Creates a circle of trust. |
| delete-cot | Removes a circle of trust. Note – To delete a circle of trust that contains providers, use remove-cot-member to remove each provider first, then use delete-cot to delete the circle itself. |
| add-cot-member | Adds a trusted provider to an existing circle of trust. Note – add-cot-member can only add a single entity at a time. Add multiple entities when you first create the circle by using create-cot and the `--trustedproviders` option. |
| remove-cot-member | Removes a trusted provider from an existing circle of trust. |
| list-cot-members | Lists the member providers in a particular circle of trust. |
| list-cots | Lists all the circles of trust configured on the system. |
The following command example will create a circle of trust:
```
ssoadm create-cot --cot COT-name --adminid admin-user --password-file password-filename [--realm realm-name] [--trustedproviders trusted-providers] [--prefix idp-discovery-URL-prefix]
```
This second command example will add a trusted provider to an existing circle of trust:
```
ssoadm add-cot-member --cot COT-name --entityid entity-ID --adminid admin-user --password-file password-filename [--realm realm-name] [--spec saml2-or-idff]
```
This next command example will remove a trusted provider from an existing circle of trust:
```
ssoadm remove-cot-member --cot COT-name --entityid entity-ID --adminid admin-user --password-file password-filename [--realm realm-name] [--spec saml2-or-idff]
```
This command example will list all the providers belonging to an existing circle of trust:
```
ssoadm list-cot-members --cot COT-name --adminid admin-user --password-file password-filename [--realm realm-name] [--spec saml2-or-idff]
```
This command example will list all the available circles of trust:
```
ssoadm list-cots --adminid admin-user --password-file password-filename [--realm realm-name]
```
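Because add-cot-member takes one entity per invocation, adding several providers to an existing circle means running the command once per entity. The helper below is an added example (not part of OpenSSO Enterprise) that does that loop from Python: it builds each invocation as an argv list so entity IDs are never re-parsed by a shell, creates the password file with owner-only permissions from the start, and refuses to run if the password file is readable by group or others. The `SSOADM` path, the realm, the circle name `examplecot`, the entity IDs and the password value are placeholders; `demo()` swaps in a fake runner so the block executes without an OpenSSO installation.

```python
"""Batch helper around `ssoadm add-cot-member` (added example, not OpenSSO code).

add-cot-member accepts a single --entityid per call, so adding several
providers to an existing circle of trust means one invocation per entity.
Each call is built as an argv list (no shell), and the --password-file is
checked for owner-only permissions before anything runs.
"""
import os
import stat
import subprocess
import tempfile

SSOADM = "/opt/ssoadm/bin/ssoadm"   # placeholder: path to your ssoadm script


def write_password_file(path, password):
    """Create the password file with mode 0600 from the start (no chmod race)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")


def password_file_is_private(path):
    """True if path is a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def add_cot_member_argv(cot, entity_id, admin_id, password_file, realm="/", spec="saml2"):
    """argv for one add-cot-member call, using the options documented above."""
    return [SSOADM, "add-cot-member",
            "--cot", cot,
            "--entityid", entity_id,
            "--adminid", admin_id,
            "--password-file", password_file,
            "--realm", realm,
            "--spec", spec]


def add_members(cot, entity_ids, admin_id, password_file, realm="/", spec="saml2",
                run=subprocess.run):
    """Add each entity in turn; returns [(entity_id, exit_code), ...]."""
    if not password_file_is_private(password_file):
        raise PermissionError(f"{password_file} must be readable only by its owner")
    results = []
    for eid in entity_ids:
        argv = add_cot_member_argv(cot, eid, admin_id, password_file, realm, spec)
        proc = run(argv, capture_output=True, text=True)
        results.append((eid, proc.returncode))
        if proc.returncode != 0:
            break   # stop at the first failure so the operator can inspect it
    return results


def demo():
    """Exercise the helpers with a fake runner; returns (perm_checks, results, argvs)."""
    calls = []

    class Done:
        returncode = 0

    def fake_run(argv, **kwargs):
        calls.append(argv)
        return Done()

    with tempfile.TemporaryDirectory() as d:
        pw = os.path.join(d, "pwd.txt")
        write_password_file(pw, "constructed-example-password")
        strict = password_file_is_private(pw)   # expected True (0600)
        os.chmod(pw, 0o644)
        loose = password_file_is_private(pw)    # expected False (world-readable)
        os.chmod(pw, 0o600)
        results = add_members("examplecot",
                              ["https://idp.example.com", "https://sp.example.com"],
                              "amadmin", pw, run=fake_run)
    return (strict, loose), results, calls


if __name__ == "__main__":
    print(demo())
```

To use it against a real installation, call `add_members(...)` with the default runner and a password file created by `write_password_file`; the remove-cot-member and list-cot-members invocations above differ only in the subcommand name and can be built the same way.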