Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

Chapter 6 Configuring OpenSSO Enterprise Realms for User Authentication

This chapter contains instructions on configuring OpenSSO Enterprise to use the external user data store (set up in Chapter 4, Installing Sun Java System Directory Server and Creating Instances for User Data) for authentication credentials. This is done by modifying the top-level realm or, alternately, configuring a sub realm for the external users and creating an authentication chain. Choose either of the sections listed to configure OpenSSO Enterprise for user authentication.


Caution –

Do not do both.


6.1 Modifying the Top-Level Realm for Test Users

At this point in the deployment, the root realm (by default, / (Top Level Realm)) is configured to authenticate special OpenSSO Enterprise accounts (for example, amadmin and agents) against the embedded configuration data store. Since the external user data store is an instance of Directory Server and not part of the embedded configuration data store, we modify the configuration details of the top-level realm to include the user data store's schema, allowing OpenSSO Enterprise to recognize users in the external user data store. Use the following list of procedures as a checklist for completing this task.

  1. To Modify the Top-Level Realm for User Authentication

  2. To Verify that a User Can Successfully Authenticate

Procedure: To Modify the Top-Level Realm for User Authentication

  1. Access https://osso1.idp-example.com:1081/opensso/console in a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Click the Access Control tab.

  4. Click / (Top Level Realm), the root realm, under the Access Control tab.

  5. Click the Data Stores tab.

    The embedded data store link is displayed.

  6. Click embedded.

    The Generic LDAPv3 properties page is displayed.

  7. On the Generic LDAPv3 properties page, set the following attribute values and click Save.

    LDAP People Container Naming Attribute

    Enter ou.

    LDAP Groups Container Value

    Enter Groups.

    LDAP Groups Container Naming Attribute

    Enter ou.

    LDAP People Container Value

    Enter users.


    Note –

    If this field is empty, the search for user entries will start from the root suffix.


  8. Click Back to Data Stores.

  9. (Optional) Click the Subjects tab to verify that the test users are now displayed.

    idpuser is displayed under Users (as well as others created during OpenSSO Enterprise configuration).

  10. Click the Authentication tab.

  11. Click the Advanced Properties link under General.

    The Core Realm Attributes page is displayed.

  12. Change the value of User Profile to Ignored.

    This new value specifies that a user profile is not required by the Authentication Service in order to issue a token after successful authentication. This modification is specific to this deployment example because the OpenSSO Enterprise schema and the Directory Server schema have not been mapped.

  13. Click Save.

  14. Click Back to Authentication.

  15. Click Back to Access Control.

  16. Log out of the OpenSSO Enterprise console.

Procedure: To Verify that a User Can Successfully Authenticate

You should be able to log in successfully as the test user.

  1. Access https://osso1.idp-example.com:1081/opensso/UI/Login in a web browser.

  2. Log in to OpenSSO Enterprise as the test user.

    User Name:

    idpuser

    Password:

    idpuser

    You should be able to log in successfully and see a page with a message that reads You're logged in. Since the User Profile attribute was previously set to Ignored, the user's profile is not displayed after a successful login. If the login is not successful, watch the Directory Server access log to troubleshoot the problem: check that the search for the user entry uses the people container (ou=users under the root suffix) as its base, that the search returns one entry, and that the bind as that entry succeeds.

6.2 Creating and Configuring a Sub Realm for Test Users

At this point in the deployment, / (Top Level Realm), the root realm, is configured to authenticate special OpenSSO Enterprise accounts (for example, amadmin and agents) against the embedded configuration data store. Since the external user data store is an instance of Directory Server and not part of the embedded configuration data store, we create a sub realm and modify its configuration details to include the external user data store's schema, allowing OpenSSO Enterprise to recognize users in the Directory Server instances. The sub realm creates a demarcation between OpenSSO Enterprise configuration and administrative data on one side and user data on the other. Use the following list of procedures as a checklist for completing this task.

  1. To Create a Sub Realm

  2. To Change the User Profile Configuration for the Sub Realm

  3. To Modify the Sub Realm for User Authentication

  4. To Verify That the Sub Realm Can Access the External User Data Store

  5. To Verify That the Sub Realm Subjects Can Successfully Authenticate

Procedure: To Create a Sub Realm

When a sub realm is created it inherits configuration data (including which user data store to access) from the root realm (by default, / (Top Level Realm)) and uses that data to authenticate users. The user data store can be modified per sub realm. In this deployment, we use the inherited Generic LDAPv3 data store.

  1. Access https://osso1.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Click the Access Control tab.

  4. Click New to create a new realm.

    The New Realm page is displayed.

  5. Set the following attribute values on the New Realm page.

    Name

    Enter users.

    Realm/DNS Aliases

    Enter users in the New Value field and click Add.

  6. Click OK.

    The users realm is listed as a sub realm of / (Top Level Realm), the root realm.

Procedure: To Change the User Profile Configuration for the Sub Realm

Before You Begin

This procedure assumes you have just completed To Create a Sub Realm and are still logged in to the OpenSSO Enterprise console.

  1. Under the Access Control tab, click the users realm.

  2. Click the Authentication tab.

  3. Click the Advanced Properties link under General.

    The Core Realm Attributes page is displayed.

  4. Change the value of User Profile to Ignored.

    This new value specifies that a user profile is not required by the Authentication Service in order to issue a token after successful authentication.

  5. Click Save.

  6. Click Back to Access Control.

Procedure: To Modify the Sub Realm for User Authentication

Before You Begin

This procedure assumes you have just completed To Change the User Profile Configuration for the Sub Realm and are still logged in to the OpenSSO Enterprise console.

  1. Click users, the sub realm, under the Access Control tab.

  2. Click the Data Stores tab.

    The embedded data store link is displayed.

  3. Click embedded.

    The Generic LDAPv3 properties page is displayed.

  4. On the Generic LDAPv3 properties page, set the following attribute values and click Save.

    LDAP People Container Naming Attribute

    Enter ou.

    LDAP Groups Container Value

    Enter Groups.

    LDAP Groups Container Naming Attribute

    Enter ou.

    LDAP People Container Value

    Enter users.


    Note –

    If this field is empty, the search for user entries will start from the root suffix.


  5. Click Back to Data Stores.

  6. (Optional) Click the Subjects tab to verify that the test users are now displayed.

    idpuser is displayed under Users (as well as others created during OpenSSO Enterprise configuration).

  7. Log out of the OpenSSO Enterprise console.

Procedure: To Verify That the Sub Realm Can Access the External User Data Store

This optional procedure is to verify the modifications.

  1. Access https://osso1.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Click the Access Control tab.

  4. Click the users sub realm.

  5. Click the Subjects tab.

    idpuser is displayed under Users.

  6. Log out of the OpenSSO Enterprise console.

Procedure: To Verify That the Sub Realm Subjects Can Successfully Authenticate

  1. Access https://osso1.idp-example.com:1081/opensso/UI/Login?realm=users from a web browser.

    The parameter realm=users specifies the realm to use for authentication. At this point, a user can log in against Directory Server only if the realm parameter is defined in the URL: without it, the login goes to / (Top Level Realm), which still authenticates against the embedded configuration data store, where idpuser does not exist.

  2. Log in to OpenSSO Enterprise as the test user.

    User Name

    idpuser

    Password

    idpuser

    You should be able to log in successfully and see a page with a message that reads You're logged in. Since the User Profile attribute was set to Ignored, the user's profile is not displayed after a successful login. If the login is not successful, watch the Directory Server access log to troubleshoot the problem: check that the search for the user entry uses the people container (ou=users under the root suffix) as its base, that the search returns one entry, and that the bind as that entry succeeds.
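Both verification procedures in this chapter end with "watch the Directory Server access log." The following script is an added example for this guide, not code from OpenSSO Enterprise or Directory Server; it reads lines in the Directory Server 5.x/6.x access-log format, pairs each SRCH or BIND request with its RESULT (same conn and op), and reports which stage of the OpenSSO login failed: the user search ran against the wrong base (LDAP People Container Value or Naming Attribute misconfigured), the search found no entry, or the bind as the found entry was rejected. The root suffix dc=company,dc=com and all log lines are constructed for illustration; substitute the root suffix chosen in Chapter 4.

```python
"""Triage a Directory Server access log for an OpenSSO Enterprise login attempt.

Added example for this deployment guide (not part of OpenSSO or Directory
Server). Root suffix dc=company,dc=com and the sample log are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# One access-log line: "[ts] conn=N op=M msgId=K - OPERATION key=value ..."
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - '
    r'(?P<kind>BIND|SRCH|RESULT)(?P<rest>.*)$'
)
# key=value pairs; quoted values (DNs, filters) may themselves contain '='.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Optional[dict]:
    """Return a dict for a BIND, SRCH or RESULT line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["conn"], rec["op"] = int(rec["conn"]), int(rec["op"])
    for key, value in KV_RE.findall(rec.pop("rest")):
        rec[key] = value.strip('"')
    return rec


def triage(log_lines, expected_people_base: str) -> List[Tuple[int, int, str, str]]:
    """Pair each request with its RESULT (same conn and op) and classify it.

    expected_people_base is the DN OpenSSO should search for users, i.e.
    <People Container Naming Attribute>=<People Container Value>,<root suffix>.
    Returns (conn, op, status, detail) tuples in log order.
    """
    pending: Dict[Tuple[int, int], dict] = {}
    findings: List[Tuple[int, int, str, str]] = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["kind"] in ("BIND", "SRCH"):
            pending[key] = rec
            continue
        req = pending.pop(key, None)  # RESULT without a request we saw: ignore
        if req is None:
            continue
        err = int(rec.get("err", "0"))
        if req["kind"] == "SRCH":
            base = req.get("base", "")
            nentries = int(rec.get("nentries", "0"))
            if err == 32:  # noSuchObject: the configured container does not exist
                status, detail = "search-base-missing", f"{base} does not exist (err=32)"
            elif base.lower() != expected_people_base.lower():
                status, detail = "search-wrong-base", f"searched {base}, expected {expected_people_base}"
            elif nentries == 0:
                status, detail = "user-not-found", f"{req.get('filter')} matched nothing under {base}"
            else:
                status, detail = "user-found", f"{req.get('filter')} matched {nentries} entry under {base}"
        else:  # BIND
            dn = req.get("dn", "")
            if err == 0:
                status, detail = "bind-ok", dn
            elif err == 49:  # invalidCredentials: entry found, password rejected
                status, detail = "bind-bad-password", f"invalid credentials for {dn} (err=49)"
            else:
                status, detail = "bind-error", f"{dn} failed with err={err}"
        findings.append((key[0], key[1], status, detail))
    return findings


# Constructed sample: a search against a non-existent container, then a correct
# search, a bind with a wrong password, and finally a successful bind.
SAMPLE_LOG = """\
[26/Oct/2008:13:45:01 -0700] conn=15 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[26/Oct/2008:13:45:01 -0700] conn=15 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[26/Oct/2008:13:45:01 -0700] conn=15 op=1 msgId=2 - SRCH base="ou=people,dc=company,dc=com" scope=2 filter="(uid=idpuser)" attrs=ALL
[26/Oct/2008:13:45:01 -0700] conn=15 op=1 msgId=2 - RESULT err=32 tag=101 nentries=0 etime=0
[26/Oct/2008:13:46:12 -0700] conn=17 op=1 msgId=2 - SRCH base="ou=users,dc=company,dc=com" scope=2 filter="(uid=idpuser)" attrs=ALL
[26/Oct/2008:13:46:12 -0700] conn=17 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[26/Oct/2008:13:46:12 -0700] conn=18 op=0 msgId=1 - BIND dn="uid=idpuser,ou=users,dc=company,dc=com" method=128 version=3
[26/Oct/2008:13:46:12 -0700] conn=18 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[26/Oct/2008:13:47:30 -0700] conn=19 op=0 msgId=1 - BIND dn="uid=idpuser,ou=users,dc=company,dc=com" method=128 version=3
[26/Oct/2008:13:47:30 -0700] conn=19 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=idpuser,ou=users,dc=company,dc=com"
"""
# People Container Naming Attribute "ou" + People Container Value "users" + assumed root suffix.
PEOPLE_BASE = "ou=users,dc=company,dc=com"


def sample_findings() -> List[Tuple[int, int, str, str]]:
    return triage(SAMPLE_LOG.splitlines(), PEOPLE_BASE)


if __name__ == "__main__":
    for conn, op, status, detail in sample_findings():
        print(f"conn={conn} op={op} {status}: {detail}")
```

Run it against a real log with `triage(open(path), "ou=users,<root suffix>")`. A "search-wrong-base" finding where the base equals the root suffix is the symptom of leaving LDAP People Container Value empty (the search then starts at the root suffix, as the note in the procedures states); "user-found" followed by "bind-bad-password" means the realm configuration is correct and only the credentials are wrong.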