In the ADFS environment, add a new Resource Partner to adfsaccount.adatum.com and configure the following attributes:
Enter a name, for example OpenSSO SP.
This must be the same as the TokenIssuerName in the service provider metadata file that you will create. For example:
urn:federation:mywsfedsp
The last path component of this URL must match the metaAlias in the service provider extended metadata file that you will create. For example:
https://amhost(:amsecureport)/fam/WSFederationServlet/metaAlias/mywsfedsp
Convert the Active Directory machine's token signing certificate file (for example, adfsaccount_ts.cer) to PEM format. You use OpenSSL for this conversion. For example:
openssl x509 -in adfsaccount_ts.cer -inform DER -out adfsaccount_ts.pem -outform PEM
Create the metadata and extended metadata for an identity provider using the ssoadm command line utility. For example purposes, the files are named adatum.xml and adatumx.xml.
For example:
create-metadata-templ -u amadmin -f password_file -m adatum.xml -x adatumx.xml -i /metaalias -y entity_id -c wsfed
Create the metadata and extended metadata for a service provider using the ssoadm command line utility. For example purposes, the files are named wsfedsp.xml and wsfedspx.xml.
You can also use the OpenSSO Enterprise console to create a hosted service provider or identity provider. For more information, see WS-Federation Entity Provider.
For example:
create-metadata-templ -u amadmin -f password_file -m wsfedsp.xml -x wsfedspx.xml -s /metaalias -y entity_id -c wsfed
In adatum.xml, paste the PEM-encoded certificate from adfsaccount_ts.pem into the <ns2:X509Certificate> element.
In the hosted service provider (wsfedsp.xml), change the hostname and port in the <ns3:Address> element to match your configuration. For example:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Federation FederationID="mywsfedsp" xmlns="http://schemas.xmlsoap.org/ws/2006/12/federation">
  <TokenIssuerName>urn:federation:mywsfedsp</TokenIssuerName>
  <TokenIssuerEndpoint>
    <ns3:Address xmlns:ns3="http://www.w3.org/2005/08/addressing">https://patlinux.red.iplanet.com:8443/fam/WSFederationServlet/metaAlias/mywsfedsp</ns3:Address>
  </TokenIssuerEndpoint>
</Federation>
In the hosted service provider (adatumx.xml), change the hostname and port in the <HomeRealmDiscoveryService> attribute to match your configuration. For example:
<FederationConfig xmlns="urn:sun:fm:wsfederation:1.0:federationconfig" xmlns:fm="urn:sun:fm:wsfederation:1.0:federationconfig" hosted="1" FederationID="mywsfedsp">
  <SPSSOConfig metaAlias="/mywsfedsp">
    <Attribute name="displayName">
      <Value>My Open Federation Service Provider</Value>
    </Attribute>
    <Attribute name="AccountRealmSelection">
      <Value>cookie</Value>
    </Attribute>
    <Attribute name="AccountRealmCookieName">
      <Value>amWSFederationAccountRealm</Value>
    </Attribute>
    <Attribute name="HomeRealmDiscoveryService">
      <Value>http://patlinux.red.com:8180/fam/RealmSelection/metaAlias/mywsfedsp</Value>
    </Attribute>
    <Attribute name="spAccountMapper">
      <Value>com.sun.identity.wsfederation.plugins.DefaultADFSPartnerAccountMapper</Value>
    </Attribute>
    <Attribute name="spAttributeMapper">
      <Value>com.sun.identity.wsfederation.plugins.DefaultSPAttributeMapper</Value>
    </Attribute>
  </SPSSOConfig>
</FederationConfig>
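The name and URL constraints above (TokenIssuerName equal to the ADFS partner URI, the endpoint's last path component equal to the metaAlias, both files describing the same FederationID) are easy to get wrong by hand. The following checker is an added example, not part of the OpenSSO documentation or product; it embeds constructed, trimmed copies of the two sample files and reports any mismatch before the files are imported.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSFED = "http://schemas.xmlsoap.org/ws/2006/12/federation"
WSA = "http://www.w3.org/2005/08/addressing"
CFG = "urn:sun:fm:wsfederation:1.0:federationconfig"

# Constructed copies of the two sample files in the procedure (wsfedsp.xml and its
# extended counterpart), trimmed to the elements the checks below look at.
SP_METADATA = f"""<Federation FederationID="mywsfedsp" xmlns="{WSFED}">
  <TokenIssuerName>urn:federation:mywsfedsp</TokenIssuerName>
  <TokenIssuerEndpoint>
    <ns3:Address xmlns:ns3="{WSA}">https://patlinux.red.iplanet.com:8443/fam/WSFederationServlet/metaAlias/mywsfedsp</ns3:Address>
  </TokenIssuerEndpoint>
</Federation>"""

SP_EXTENDED = f"""<FederationConfig xmlns="{CFG}" hosted="1" FederationID="mywsfedsp">
  <SPSSOConfig metaAlias="/mywsfedsp">
    <Attribute name="HomeRealmDiscoveryService">
      <Value>http://patlinux.red.com:8180/fam/RealmSelection/metaAlias/mywsfedsp</Value>
    </Attribute>
  </SPSSOConfig>
</FederationConfig>"""


def check_sp_metadata(meta_xml, ext_xml, adfs_partner_uri):
    """Return the mismatches between a hosted SP's metadata, its extended
    metadata and the Federation Service URI entered for the ADFS Resource Partner."""
    fed = ET.fromstring(meta_xml)
    cfg = ET.fromstring(ext_xml)
    issuer = fed.findtext(f"{{{WSFED}}}TokenIssuerName")
    endpoint = fed.findtext(f"{{{WSFED}}}TokenIssuerEndpoint/{{{WSA}}}Address")
    meta_alias = cfg.find(f"{{{CFG}}}SPSSOConfig").get("metaAlias")
    path = urlparse(endpoint).path
    problems = []
    # TokenIssuerName must equal the Federation Service URI given to ADFS.
    if issuer != adfs_partner_uri:
        problems.append(f"TokenIssuerName {issuer!r} != ADFS partner URI {adfs_partner_uri!r}")
    # The endpoint's last path component must be the metaAlias of the extended file.
    if not path.endswith("/WSFederationServlet/metaAlias" + meta_alias):
        problems.append(f"endpoint path {path!r} does not end in metaAlias {meta_alias!r}")
    # Both files describe the same hosted entity.
    if fed.get("FederationID") != cfg.get("FederationID"):
        problems.append("FederationID differs between metadata and extended metadata")
    # The signed token is delivered to this address, so it must be the secure (https) port.
    if urlparse(endpoint).scheme != "https":
        problems.append(f"TokenIssuerEndpoint {endpoint!r} is not https")
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(SP_METADATA, SP_EXTENDED, "urn:federation:mywsfedsp") or "OK")
```

Run it against your real wsfedsp.xml and wsfedspx.xml by reading the files into the two string arguments; an empty list means the pair is consistent with the Resource Partner entry.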
Load the identity provider and service provider metadata into OpenSSO Enterprise. From the console:
Log in to the console and click the Federation tab and then the Import Entity button.
Choose the realm to which the requesting service provider belongs.
In the Where Does the Meta Data File Reside field, choose File and click Upload.
Choose adatum.xml.
Click Ok.
In the Where Does the Extended Meta Data File Reside field, choose File and click Upload.
Choose adatumx.xml.
Click Ok.
Repeat the steps for loading the service provider metadata (wsfedsp.xml and wsfedspx.xml).
Create a circle of trust and add the identity provider and service provider. For instructions, see Circle of Trust.
On the OpenSSO Enterprise instance, go to https://openssohost(:openssosecureport)/opensso/WSFederationServlet/metaAlias/mywsfedsp?goto=https://openssohost(:openssosecureport)/opensso
You should be forwarded to the realm selection page. Click Proceed. You may see a few redirections in the browser's address bar before reaching the user's profile page in OpenSSO Enterprise.
If you do this from outside the Windows domain, you will get an HTTP Basic authentication username/password dialog. Enter the user's Active Directory credentials to gain access.
The realm selection process sets a persistent cookie. If you enter the same URL a second time, you should not be prompted for a realm and should be redirected to the OpenSSO Enterprise user page.
Configure your installed policy agent profile with the WS-Federation servlet as its login URL.
For the J2EE policy agent profile:
Log in to the console and go to Access Control>realm>Agents
Click the name of the J2EE policy agent you wish to edit.
In the OpenSSO Login URL attribute, enter the WS-Federation servlet, for example:
https://openssohost(:openssosecureport)/opensso/WSFederationServlet/metaAlias/mywsfedsp
For the web policy agent profile:
Log in to the console and go to Access Control>realm>Agents
Click the name of the web policy agent you wish to edit.
In the OpenSSO Login URL attribute, enter the WS-Federation servlet, for example:
https://openssohost(:openssosecureport)/opensso/WSFederationServlet/metaAlias/mywsfedsp
When accessing the resource protected by the policy agent, you should be authenticated through WS-Federation.