Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

Chapter 14 Testing Attribute Mapping

In this deployment there is no user data on the service provider side. Because of this, all identity provider users are mapped to a single anonymous user on the service provider side; that anonymous user represents every user in the identity provider user data store when it presents itself to the service provider. This use case illustrates how to pass user profile attributes from the identity provider to the service provider, and from the service provider to its agent-protected applications. Communication from the identity provider to the service provider uses SAML v2 protocols. Communication from the service provider to its agent-protected applications uses agent-to-LDAP attribute mapping. This chapter contains the following sections.

14.1 Creating a Test User

Create a test user and modify the user profile for attribute mapping. Use the following as a checklist to complete this procedure.

  1. To Create a Test User for Attribute Mapping

  2. To Edit the Test User Profile

Procedure: To Create a Test User for Attribute Mapping

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Under the Subjects tab, click User.

  6. Under User, click New.

    The New User page is displayed.

  7. Enter the following values and click OK.

    ID

    jsmith

    First Name

    John

    Last Name

    Smith

    Full Name

    John Smith

    Password

    jsmith

    Password (confirm)

    jsmith

    User Status

    Click Active.

  8. Log out of the OpenSSO Enterprise console.

Procedure: To Edit the Test User Profile

Before You Begin

This procedure assumes you have completed To Create a Test User for Attribute Mapping.

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Under the Subjects tab, click User.

  6. Under User, click John Smith.

    The Edit User — John Smith page is displayed.

  7. Enter the following values and click Save.

    Email Address

    jsmith@jsmith.com

    Telephone Number

    408-555-5454

    The profile is updated.

  8. Log out of the OpenSSO Enterprise console.

14.2 Configuring OpenSSO Enterprise for Attribute Mapping

This section contains the instructions to configure OpenSSO Enterprise for attribute mapping. Use the following as a checklist to complete the configurations.

  1. To Add SAML v2 Mappings to the Identity Provider Metadata

  2. To Enable Anonymous Authentication

  3. To Modify the Agent Profile to Use SAMLv2 Transient

  4. To Map Identity Provider User Attributes to Service Provider Anonymous User Attributes

Procedure: To Add SAML v2 Mappings to the Identity Provider Metadata

Using the OpenSSO Enterprise console on the identity provider side, map the appropriate LDAP attributes in the user data store to the attributes passed in SAML v2 assertions. When attributes are mapped on one OpenSSO Enterprise instance on the identity provider side, the mapping is made available to the second identity provider instance because the two instances were previously configured as a site in 5.4 Configuring the OpenSSO Enterprise Platform Service.

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Federation tab.

  4. Under Entity Providers, click https://lb2.idp-example.com:1081/opensso.

    The IDP profile page is displayed.

  5. Click the Assertion Processing tab.

  6. Under Attribute Mapping, enter the following values and click Add.


    EmailAddress=EmailAddress
    Telephone=Telephone
  7. Click Save.

    The profile is updated.

  8. Log out of the OpenSSO Enterprise console.

Procedure: To Enable Anonymous Authentication

Enable the Anonymous authentication module and confirm the creation of the anonymous user account on the service provider side.

Before You Begin

This procedure assumes you have completed To Create a Test User for Attribute Mapping.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Click the Authentication tab.

  6. Click the Modules Instances link.

  7. Under Modules Instances, click New.

    The New Module Instance page is displayed.

  8. Enter the following values and click Save.

    Name

    Anonymous

    Type

    Select Anonymous

    The profile is updated.

  9. Under Modules Instances, click Anonymous.

    The Anonymous module instance profile is displayed.

  10. Confirm the default values for the following attributes.

    If the values in your instance are different, change them and save the profile.

    Default Anonymous User Name

    anonymous

    Authentication Level

    0

  11. Log out of the OpenSSO Enterprise console.

Procedure: To Modify the Agent Profile to Use SAMLv2 Transient

A transient name identifier is a temporary user identifier. In this use case, there is no user account on the service provider side so single sign-on is accomplished using a transient name identifier. All users passed from the identity provider to the service provider will be mapped to the anonymous user created in To Enable Anonymous Authentication. In this procedure, we modify the agent profile to use the transient name identifier format.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Click the Agents tab.

  6. Click the Web tab.

    The Web profile page is displayed.

  7. Click webagent-1 in the Agent table.

    The webagent-1 profile page is displayed.

  8. Click the OpenSSO Services tab.

  9. Select https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso in the OpenSSO Login URL property box and click Delete.

  10. Enter https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&NameIDFormat=transient in the OpenSSO Login URL text box and click Add.

  11. Click Save.

    The profile is updated.

  12. Log out of the OpenSSO Enterprise console.

Procedure: To Map Identity Provider User Attributes to Service Provider Anonymous User Attributes

Map the attributes being sent from the identity provider to the attributes configured for the anonymous user on the service provider side.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Click the Agents tab.

  6. Click the Web tab.

    The Web profile page is displayed.

  7. Click webagent-1 in the Agent table.

    The webagent-1 profile page is displayed.

  8. Click the Application tab.

  9. Click the Session Attribute Processing link.

  10. Select HTTP_HEADER as the value for the Session Attribute Fetch Mode property.

  11. Enter the following new values in the Session Attribute Map property text box and click Add.

    Map Key

    Telephone

    Corresponding Map Value

    Telephone

  12. Enter the following new values in the Session Attribute Map property text box and click Add.

    Map Key

    EmailAddress

    Corresponding Map Value

    EmailAddress

  13. Click Save.

    The profile is updated.

  14. Log out of the OpenSSO Enterprise console.

14.3 Testing Attribute Mapping

This test uses snoop.jsp to display the HTTP headers being passed in a browser window. Within the headers you see the attributes being passed to the service provider protected by the agent.

Procedure: To Verify That Attribute Mapping is Working Properly

  1. Log into the pr1.sp-example.com host machine as the root user.

  2. Copy snoop.jsp to the /opt/SUNWwbsvr/https-pr1.sp-example.com/docs directory.

    snoop.jsp is in Appendix F, The snoop.jsp File.

  3. Access http://pr1.sp-example.com:1080/snoop.jsp from a web browser.

    The Web Policy Agent redirects the request to the OpenSSO Enterprise console on the identity provider side.

  4. Log in to the OpenSSO Enterprise console as the test user.

    Username

    jsmith@jsmith.com

    Password

    jsmith

    The JSP Snoop page displays the headers from the HTTP request in the browser window. Note the following:

    • John Smith's telephone number and email address are included.

    • The Remote user is anonymous, which confirms the transient name identifier configured previously.

    JSP Snoop page
    Request information
    Requested URL: http://pr1.sp-example.com:1080/snoop.jsp
    Request method: GET
    Request URI: /snoop.jsp
    Request protocol: HTTP/1.1
    Servlet path: /snoop.jsp
    Path info: null
    Path translated: null
    Query string: null
    Content length: -1
    Content type: null
    Server name: pr1.sp-example.com
    Server port: 1080
    Remote user: anonymous
    Remote address: 192.18.120.83
    Remote host: 192.18.120.83
    Authorization scheme: DSAME
    Request headers
    Header: Value:
    cookie  JSESSIONID=A7092AD436027D5B18DFCC8C65D7B580; 
      iPlanetDirectoryPro=AQIC5wM2LY4SfcxahJE41EKzHCTvKn
      lulj6F8sTjtxvBpA8=@AAJTSQACMDMAAlMxAAIwMQ==#; amlbcookie=01
    host 	pr1.sp-example.com:1080
    user-agent 	Mozilla/5.0 (X11; U; SunOS sun4u; en-US; 
    rv:1.8.1.15) Gecko/20080703 Firefox/2.0.0.15
    accept 	text/xml,application/xml,application/xhtml+xml,
    text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    accept-language 	en-us,en;q=0.5
    accept-encoding 	gzip,deflate
    accept-charset 	ISO-8859-1,utf-8;q=0.7,*;q=0.7
    keep-alive 	300
    connection 	keep-alive
    emailaddress 	jsmith@jsmith.com
    telephone 	408-555-5454
    Init parameters
    Parameter: 	Value:
    fork 	false
    mappedfile 	false
    logVerbosityLevel 	warning
    com.sun.appserv.jsp.classpath 	/opt/SUNWwbsvr/lib/webserv-rt.jar:
      /opt/SUNWwbsvr/lib/pwc.jar:/opt/SUNWwbsvr/lib/ant.jar:
      /opt/SUNWwbsvr/jdk/lib/tools.jar:/opt/SUNWwbsvr/lib/ktsearch.jar:
      /opt/SUNWwbsvr/lib/webserv-jstl.jar:/opt/SUNWwbsvr/lib/jsf-impl.jar:
      /opt/SUNWwbsvr/lib/jsf-api.jar:/opt/SUNWwbsvr/lib/webserv-jwsdp.jar:
      /opt/SUNWwbsvr/lib/container-auth.jar:/opt/SUNWwbsvr/lib/mail.jar:
      /opt/SUNWwbsvr/lib/activation.jar:
    httpMethods 	GET,HEAD,POST
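The flow configured in 14.2 and verified in 14.3, modelled end to end as an added Python example (not code from the deployment guide or from OpenSSO): the service provider turns a transient NameID into the anonymous principal and keeps the assertion attributes as session attributes, the agent forwards only the attributes in its Session Attribute Map as lowercased HTTP headers, and a final check reads a snoop.jsp excerpt for the expected Remote user and header values. The assertion and snoop text are constructed samples, and the "|" multi-value separator is an assumption rather than a setting from the guide.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ANONYMOUS_USER = "anonymous"  # Default Anonymous User Name of the Anonymous module instance
# webagent-1 Session Attribute Map from 14.2: session attribute -> HTTP header name
SESSION_ATTRIBUTE_MAP = {"Telephone": "Telephone", "EmailAddress": "EmailAddress"}

# Constructed assertion for jsmith (not captured from the deployment; signature omitted)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id1" Version="2.0">
  <saml:Issuer>https://lb2.idp-example.com:1081/opensso</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tmp1234</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>jsmith@jsmith.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Telephone"><saml:AttributeValue>408-555-5454</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="cn"><saml:AttributeValue>John Smith</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed excerpt of the snoop.jsp output expected after the test login in 14.3
SAMPLE_SNOOP = """Remote user: anonymous
Authorization scheme: DSAME
emailaddress \tjsmith@jsmith.com
telephone \t408-555-5454"""

def sp_session(assertion_xml):
    # SP side: a transient NameID is never looked up; every IdP user becomes the anonymous principal
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        raise ValueError("non-transient NameID: the SP has no user store to resolve it against")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"principal": ANONYMOUS_USER, "attributes": attrs}

def agent_headers(session):
    # Agent side (Fetch Mode HTTP_HEADER): only mapped attributes are forwarded, so cn is dropped.
    # Names are lowercased as snoop.jsp shows them; the '|' separator is an assumption, not from the guide.
    return {hdr.lower(): "|".join(session["attributes"][attr])
            for attr, hdr in SESSION_ATTRIBUTE_MAP.items() if attr in session["attributes"]}

def verify_snoop(snoop_text, expected_headers):
    # 14.3 check: Remote user must be anonymous and each mapped header must carry its expected value
    lines = [ln.strip() for ln in snoop_text.splitlines()]
    shown = {}
    for ln in lines:
        parts = ln.split(None, 1)
        if len(parts) == 2 and parts[0] in expected_headers:
            shown[parts[0]] = parts[1].strip()
    return "Remote user: anonymous" in lines and shown == expected_headers
```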