Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

14.2 Configuring OpenSSO Enterprise for Attribute Mapping

This section contains the instructions to configure OpenSSO Enterprise for attribute mapping. Use the following as a checklist to complete the configurations.

  1. To Add SAML v2 Mappings to the Identity Provider Metadata

  2. To Enable Anonymous Authentication

  3. To Modify the Agent Profile to Use SAMLv2 Transient

  4. To Map Identity Provider User Attributes to Service Provider Anonymous User Attributes

Procedure: To Add SAML v2 Mappings to the Identity Provider Metadata

Using the OpenSSO Enterprise console on the identity provider side, map the appropriate LDAP attributes in the user data store to the attributes passed using SAML v2. Because the two identity provider instances were configured as a site in 5.4 Configuring the OpenSSO Enterprise Platform Service, a mapping made on one OpenSSO Enterprise instance is available to the second instance as well.

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Federation tab.

  4. Under Entity Providers, click https://lb2.idp-example.com:1081/opensso.

    The IDP profile page is displayed.

  5. Click the Assertion Processing tab.

  6. Under Attribute Mapping, enter the following values and click Add.

    EmailAddress=EmailAddress
    Telephone=Telephone

  7. Click Save.

    The profile is updated.

  8. Log out of the OpenSSO Enterprise console.

Procedure: To Enable Anonymous Authentication

Enable the Anonymous authentication module and confirm the creation of the anonymous user account on the service provider side.

Before You Begin

This procedure assumes you have completed To Create a Test User for Attribute Mapping.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Click the Authentication tab.

  6. Click the Modules Instances link.

  7. Under Modules Instances, click New.

    The New Module Instance page is displayed.

  8. Enter the following values and click Save.

    Name

    Anonymous

    Type

    Select Anonymous

    The profile is updated.

  9. Under Modules Instances, click Anonymous.

    The Anonymous module instance profile is displayed.

  10. Confirm the default values for the following attributes.

    If the values in your instance are different, change them and save the profile.

    Default Anonymous User Name

    anonymous

    Authentication Level

    0

  11. Log out of the OpenSSO Enterprise console.

Procedure: To Modify the Agent Profile to Use SAMLv2 Transient

A transient name identifier is a temporary user identifier. In this use case there is no user account on the service provider side, so single sign-on is accomplished using a transient name identifier. All users passed from the identity provider to the service provider will be mapped to the anonymous user created in To Enable Anonymous Authentication. In this procedure, we modify the agent profile so that the login URL requests the transient name identifier format.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Click the Agents tab.

  6. Click the Web tab.

    The Web profile page is displayed.

  7. Click webagent-1 in the Agent table.

    The webagent-1 profile page is displayed.

  8. Click the OpenSSO Services tab.

  9. Select https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso in the OpenSSO Login URL property box and click Delete.

  10. Enter https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&NameIDFormat=transient in the OpenSSO Login URL text box and click Add.

  11. Click Save.

    The profile is updated.

  12. Log out of the OpenSSO Enterprise console.

Procedure: To Map Identity Provider User Attributes to Service Provider Anonymous User Attributes

Map the attributes being sent from the identity provider to the attributes configured for the anonymous user on the service provider side.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab.

  4. Click the / (Top Level Realm) realm.

  5. Click the Agents tab.

  6. Click the Web tab.

    The Web profile page is displayed.

  7. Click webagent-1 in the Agent table.

    The webagent-1 profile page is displayed.

  8. Click the Application tab.

  9. Click the Session Attribute Processing link.

  10. Select HTTP_HEADER as the value for the Session Attribute Fetch Mode property.

  11. Enter the following new values in the Session Attribute Map property text box and click Add.

    Map Key

    Telephone

    Corresponding Map Value

    Telephone

  12. Enter the following new values in the Session Attribute Map property text box and click Add.

    Map Key

    EmailAddress

    Corresponding Map Value

    EmailAddress

  13. Click Save.

    The profile is updated.

  14. Log out of the OpenSSO Enterprise console.
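The following Python script is an added example and is not code from the OpenSSO Enterprise documentation or from the product. It models, end to end, what the three configurations in this section produce: the identity provider's Attribute Mapping (SAMLattribute=localattribute), the transient name identifier that resolves every federated user to the anonymous user, and the web agent's Session Attribute Map with the HTTP_HEADER fetch mode. The SAML assertion is constructed inline; the NameID value, the attribute values and the function names are assumptions, as is the direction of the Session Attribute Map (Map Key taken as the session attribute name, Corresponding Map Value as the header name) and the defensive step of discarding any client-supplied header whose name collides with a mapped one. The mapping functions are general: they accept non-identity maps such as mail=EmailAddress, not only the identity maps used on this page.

```python
# Added example (not from the OpenSSO Enterprise documentation): a model of the
# IdP attribute map, transient NameID handling and the SP session attribute map.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Identity provider side, Attribute Mapping under Assertion Processing:
# entered as SAMLattribute=localattribute (values from the procedure above).
IDP_ATTRIBUTE_MAP = {"EmailAddress": "EmailAddress", "Telephone": "Telephone"}

# Service provider side, web agent Session Attribute Map. Assumed direction:
# Map Key = session attribute name, Corresponding Map Value = HTTP header name.
SP_SESSION_ATTRIBUTE_MAP = {"Telephone": "Telephone", "EmailAddress": "EmailAddress"}

ANONYMOUS_USER = "anonymous"  # Default Anonymous User Name of the module instance

# Constructed sample assertion. The NameID value and attribute values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml:Issuer>https://lb2.idp-example.com:1081/opensso</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a2c</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress">
      <saml:AttributeValue>testuser@idp-example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Telephone">
      <saml:AttributeValue>555-0100</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (nameid_format, nameid_value, {attribute_name: [values]})."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    nameid = root.find("saml:Subject/saml:NameID", ns)
    if nameid is None:
        raise ValueError("assertion has no NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", ns)]
        attrs[attr.get("Name")] = values
    return nameid.get("Format"), nameid.text, attrs


def resolve_local_user(nameid_format):
    """With a transient NameID there is no SP-side account for the subject, so
    every federated user resolves to the anonymous user. Any other format would
    need a real account mapping, which this use case does not configure."""
    if nameid_format == NAMEID_TRANSIENT:
        return ANONYMOUS_USER
    raise ValueError("no local account mapping for NameID format %s" % nameid_format)


def map_to_session_attributes(saml_attrs, idp_map):
    """Apply the SAMLattribute=localattribute map; unmapped SAML attributes are dropped."""
    session = {}
    for saml_name, local_name in idp_map.items():
        if saml_name in saml_attrs:
            session[local_name] = saml_attrs[saml_name]
    return session


def build_http_headers(session_attrs, session_map, client_headers):
    """Model of HTTP_HEADER fetch mode: one header per mapped session attribute.
    As a defensive check (assumed here, not a statement about the real agent), any
    inbound request header with a mapped name is discarded first, so the protected
    application only ever sees agent-supplied values for those names."""
    mapped = {h.lower() for h in session_map.values()}
    headers = {k: v for k, v in client_headers.items() if k.lower() not in mapped}
    for session_name, header_name in session_map.items():
        if session_name in session_attrs:
            headers[header_name] = "|".join(session_attrs[session_name])
    return headers


def process(xml_text, client_headers=None):
    """Run the full chain: assertion -> local user, session attributes, headers."""
    fmt, _value, saml_attrs = parse_assertion(xml_text)
    user = resolve_local_user(fmt)
    session = map_to_session_attributes(saml_attrs, IDP_ATTRIBUTE_MAP)
    headers = build_http_headers(session, SP_SESSION_ATTRIBUTE_MAP, client_headers or {})
    return user, session, headers


if __name__ == "__main__":
    user, session, headers = process(SAMPLE_ASSERTION, {"EmailAddress": "client-supplied"})
    print(user)
    print(session)
    print(headers)
```

Running the script shows the anonymous user, the two session attributes, and HTTP headers in which the EmailAddress value comes from the assertion rather than from the request. The point for a practitioner is the last step: with HTTP_HEADER fetch mode the application downstream of the agent trusts those header names, so it should only be reachable through the agent and should not accept the same headers from any other path.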