The Pre-Login URL
The pre-login process is the entry point for applications participating
in Liberty-based single sign-on. The principal would be redirected
to the location defined by the pre-login URL if no OpenSSO Enterprise
session token is found. This default process, though, can be modified
based on the values of query parameters passed to OpenSSO Enterprise
by the service provider within a URL.
A query parameter is a name/value pair appended to the end of a URL. The parameter list starts with a question mark (?) and each parameter takes the form name=value.
A number of parameters can be combined in one URL; when more than one parameter exists, they are separated by an ampersand (&).
Use the format http://hostname:port/deploy-uri/preLogin?metaAlias=metaAlias. Additional parameters are appended to the URL as &param1=value1&param2=value2 and so on. These parameters, their usage and their values are described in the following table.
Table 8–1 Pre-login URL Parameters for Federation

actionOnNoFedCookie
    The actionOnNoFedCookie parameter provides the flexibility to redirect a user when the fedCookie is not present in the browser and there is only one identity provider. It takes the following values:
    - commonlogin redirects to a common login page.
    - locallogin redirects to the local OpenSSO Enterprise login page.
    - passive issues a request to the identity provider by setting the isPassive parameter of the AuthnRequest element to true.
    - active issues a normal single sign-on request to the identity provider.

anonymousOnetime
    The anonymousOnetime parameter can be used by service providers that authenticate users with anonymous, one-time federation sessions. A value of true enables the service provider to issue a one-time federation request and generate an anonymous session after successful verification of the authentication assertion from the identity provider. This feature is useful when the service provider does not have a user repository (for example, http://www.weather.com) but would like to depend on an identity provider for authentication. When the service provider receives a successful authentication assertion from an identity provider, it generates an anonymous, temporary session.

authlevel
    The authlevel parameter takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication. In this framework, each service provider is configured with a default authentication context (preferred method of authentication). However, the provider might want to change the assigned authentication context to one that is based on the defined authentication level. For example, if provider B wants to generate a local session with an authentication level of 3, it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.

goto
    The goto parameter takes as a value a URL to which the principal will be redirected after a successful SSO. If the value is not specified, default redirection occurs based on the value of the Provider Home Page URL attribute defined in the service provider configuration. The value of this URL can be configured by changing the iplanet-am-provider-homepage-url attribute in the amProviderConfig.xml file.

gotoOnFedCookieNo
    The gotoOnFedCookieNo parameter takes as a value a URL to which the principal is redirected if a fedCookie with a value of no is found. The default behavior is to redirect the user to the OpenSSO Enterprise login page.
To modify the pre-login URL, edit the relevant properties in either the AMConfig.properties file or the AMAgent.properties file, depending on your deployment.
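As an added example (not code from the OpenSSO documentation), the following Python builds a pre-login URL from the parameters in Table 8–1, rejecting values the table does not allow, and parses one back into name/value pairs. The goto_hosts allowlist is an assumed service-provider-side policy, not an OpenSSO setting.

```python
# Added example (not from the OpenSSO documentation): build a pre-login URL
# from the parameters in Table 8-1, checking each value against the table,
# and parse one back into its name/value pairs.
from urllib.parse import urlencode, urlsplit, parse_qs

# Permitted values of actionOnNoFedCookie, as listed in the table.
ACTION_ON_NO_FED_COOKIE = {"commonlogin", "locallogin", "passive", "active"}
BOOLEANS = {"true", "false"}


def build_prelogin_url(deploy_uri, meta_alias, goto_hosts=(), **params):
    """Return deploy_uri/preLogin?metaAlias=...&name=value... after validation.

    deploy_uri: http://hostname:port/deploy-uri, e.g. http://www.sp1.com:58080/opensso
    goto_hosts: hosts that goto / gotoOnFedCookieNo may point at (assumption:
                a service-provider-side allowlist, not an OpenSSO setting).
    """
    query = [("metaAlias", meta_alias)]
    for name, value in params.items():
        if name == "actionOnNoFedCookie":
            if value not in ACTION_ON_NO_FED_COOKIE:
                raise ValueError(f"{name}: unknown value {value!r}")
        elif name == "anonymousOnetime":
            if value not in BOOLEANS:
                raise ValueError(f"{name}: expected true or false")
        elif name == "authlevel":
            # A positive number that maps to an authentication level.
            if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
                raise ValueError(f"{name}: expected a positive integer")
            value = str(value)
        elif name in ("goto", "gotoOnFedCookieNo"):
            target = urlsplit(value)
            if target.scheme not in ("http", "https") or target.hostname not in goto_hosts:
                raise ValueError(f"{name}: {value!r} is not an allowed redirect target")
        else:
            raise ValueError(f"unknown pre-login parameter {name!r}")
        query.append((name, value))
    # urlencode joins the pairs with & and percent-encodes values (goto is itself a URL).
    return deploy_uri.rstrip("/") + "/preLogin?" + urlencode(query)


def parse_prelogin_url(url):
    """Split a pre-login URL back into {name: value}; each name appears once."""
    pairs = parse_qs(urlsplit(url).query, strict_parsing=True)
    return {name: values[0] for name, values in pairs.items()}
```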
To Configure for Pre-login
In a federation setup, OpenSSO Enterprise acts as a service
provider and manages an application that runs on a separate instance
of Sun Java System Web Server. You must configure the agent that is protecting this
application as follows:
- Point the com.sun.am.policy.loginURL property in the AMAgent.properties file to the pre-login service URL running on OpenSSO Enterprise. For example:
    com.sun.am.policy.loginURL = http://www.sp1.com:58080/opensso/preLogin?metaAlias=www.sp1.com
- Point the com.sun.am.policy.am.library.loginURL property in the AMAgent.properties file to the login URL of the instance of OpenSSO Enterprise acting as the service provider. For example:
    com.sun.am.policy.am.library.loginURL = http://www.sp1.com:58080/opensso/UI/Login
To Configure for Global Logout
To implement the logout process for all service providers using
the Liberty Logout method, do the following:
- Copy the AMClient.properties file to the service provider's web container.
- Revise the Logout method as follows:
    import java.util.ResourceBundle;

    // Read the logout URL from AMClient.properties rather than hard-coding it.
    ResourceBundle rsbu = ResourceBundle.getBundle("AMClient");
    String logouturl = rsbu.getString("com.sun.identity.federation.client.samples.logoutURL");
    // Send the browser to the Liberty logout service of the service provider.
    response.sendRedirect(logouturl);
This revision is equivalent to a redirection to http://www.sp1.com:58080/opensso/liberty-logout?metaAlias=www.sp1.com.