Secure Attribute Exchange (also referred to as Virtual Federation Proxy) provides a mechanism for one application to communicate identity information to a second application in a different domain. More specifically, it provides a secure gateway that enables legacy applications to communicate authentication attributes without having to deal with federation protocols and processing. Secure Attribute Exchange uses SAML v2 to transfer identity data between the communicating entities. This chapter contains the following sections for setting up and testing Secure Attribute Exchange.
13.2 Installing Application Server on the Secure Attribute Exchange Identity Provider Host Machine
13.3 Installing Application Server on the Secure Attribute Exchange Service Provider Host Machine
This chapter assumes you have completed Part II, Building the Identity Provider Environment and Part III, Building the Service Provider Environment; in effect, creating two domains that can communicate using SAML v2. In this test, we use symmetric key encryption (one shared secret is used for both encryption and decryption) between all providers and applications.
Patch the host machines that will be used to deploy the sample Secure Attribute Exchange JavaServer Pages application (bundled with the OpenSSO Enterprise Client SDK). Use web containers different from those on which OpenSSO Enterprise is installed. On our lab machines, the required Application Server patch is 117461-08. Results for your machine might be different. Read the latest documentation for your web container to determine whether you need to install patches and, if so, which ones. You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch for the Secure Attribute Exchange identity provider application host machine (sae.idp-example.com) and the Secure Attribute Exchange service provider application host machine (sae.sp-example.com).
Log in to the sae.idp-example.com host machine as a root user.
Run patchadd to see if the patch is already installed.
# patchadd -p | grep 117461-08
A series of patch numbers is displayed, and patch 117461-08 is present, so there is no need to install any patches at this time.
Log out of the sae.idp-example.com host machine.
Log in to the sae.sp-example.com host machine as a root user.
Run patchadd to see if the patch is already installed.
# patchadd -p | grep 117461-08
A series of patch numbers is displayed, and patch 117461-08 is present, so there is no need to install any patches at this time.
Log out of the sae.sp-example.com host machine.
To test a Secure Attribute Exchange we configure and use JavaServer Pages (bundled with the OpenSSO Enterprise Client SDK) to emulate real world applications. saeIDPApp.jsp represents the identity provider application that will invoke a remote service provider application and pass attributes to it. It will be installed on the sae.idp-example.com host machine. The following procedures will install and configure one instance of Application Server as the web container for the identity provider application.
To Install Application Server on the Secure Attribute Exchange Identity Provider Host Machine
To Secure Communications from the Identity Provider Host Machine
To Modify the Identity Provider Web Container domain.xml Configuration File
To Deploy the Client SDK on the Identity Provider Host Machine
This procedure assumes you have completed 13.1 Patching the Secure Attribute Exchange Host Machines.
Log in to the sae.idp-example.com host machine as a root user.
Create a directory into which the Application Server bits can be downloaded and change into it.
# mkdir /export/AS91
# cd /export/AS91
Download the Sun Java System Application Server 9.1 Update 1 binary from the Sun Microsystems Product Download page to the /export/AS91 directory.
Grant the downloaded binary execute permission using the chmod command.
# chmod +x sjsas-9_1_01-solaris-sparc.bin
Install the software.
# ./sjsas-9_1_01-solaris-sparc.bin -console
When prompted, provide the following information, in the order the installer asks for it.
Press Enter to continue.
Enter yes.
Enter /opt/SUNWappserver91
Enter 1 to create the directory.
Press Enter to accept the default value.
Press Enter to accept the default value.
Enter domain1pwd and then re-enter domain1pwd.
Press Enter to accept the default value.
Press Enter to accept the three default values.
Press Enter to accept the default value.
Press Enter to accept the default value.
Press Enter to accept the default value and begin the installation process.
When installation is complete, an Installation Successful message is displayed.
Press Enter to exit the installation program.
Log out of the sae.idp-example.com host machine.
Create a request for a server certificate and import the certificate authority (CA) root certificate and server certificate to the keystore. This will secure communications initiated by the identity provider application.
Back up domain.xml before modifying it.
Log in to the sae.idp-example.com host machine as a root user.
Generate a private/public key pair and reference it with the alias sae-idp.
sae-idp will be used in a later step to retrieve the public key which is contained in a self-signed certificate.
# cd /opt/SUNWappserver91/domains/domain1/config
# keytool -genkey -noprompt -keyalg rsa -keypass changeit -alias sae-idp -keystore keystore.jks -dname "CN=sae.idp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" -storepass changeit
Verify that the key pair was successfully created and stored in the certificate store using the following command.
# keytool -list -v -keystore keystore.jks -storepass changeit
The output of this command lists a key entry with the alias sae-idp.
The output of this command may list more than one certificate based on the entries in the keystore.
Generate a server certificate request.
# keytool -certreq -alias sae-idp -keypass changeit -keystore keystore.jks -storepass changeit -file sae-idp.csr
sae-idp.csr is the server certificate request.
(Optional) Verify that sae-idp.csr was created.
# ls -la sae-idp.csr
-rw-r--r-- 1 osso80adm staff 715 Apr 4 15:04 sae-idp.csr
Send sae-idp.csr to the CA of your choice.
The CA issues and returns a certified server certificate named sae-idp.cer.
Import ca.cer, the CA root certificate, into the certificate store.
With Application Server, the root certificate must be imported into two keystores: keystore.jks and cacerts.jks.
# keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore keystore.jks -storepass changeit
Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Serial number: f59cd13935f5f498
Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
Certificate fingerprints:
MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
Trust this certificate? [no]: Yes
Certificate was added to keystore
# keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore cacerts.jks -storepass changeit
Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Serial number: f59cd13935f5f498
Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
Certificate fingerprints:
MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
Trust this certificate? [no]: Yes
Certificate was added to keystore
Replace the self-signed public key certificate (associated with the s1as alias) with the server certificate received from the CA.
# keytool -import -file sae-idp.cer -alias sae-idp -keystore keystore.jks -storepass changeit
Certificate reply was installed in keystore
(Optional) Verify that the self-signed public key certificate has been overwritten by the server certificate received from the CA.
# keytool -list -alias sae-idp -v -keystore keystore.jks -storepass changeit
The certificate indicated by the alias "sae-idp" is signed by the CA.
Change the certificate alias from the default s1as to the new sae-idp in the domain.xml file for the domain1 domain.
The Application Server configuration file is domain.xml.
<http-listener acceptor-threads="1" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server" enabled="true" family="inet" id="http-listener-2" port="1081" security-enabled="true" server-name="" xpowered-by="true">
  <ssl cert-nickname="sae-idp" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
</http-listener>
Modify the following Java Virtual Machine (JVM) options in the Application Server configuration file, domain.xml to prepare for the installation of the Client SDK.
This procedure assumes you are still logged in as the root user to the sae-idp host machine.
Back up domain.xml before modifying it.
Change to the config directory.
# cd /opt/SUNWappserver91/domains/domain1/config
Open domain.xml in a text editor and make the following changes:
Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.
Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.
Save the file and close it.
Restart the domain1 domain.
# cd /opt/SUNWappserver91/bin
# ./asadmin stop-domain
Server was successfully stopped.
# ./asadmin start-domain
Redirecting output to /opt/SUNWappserver91/domains/domain1/logs/server.log
Verify that the certificate used for SSL communication is the root CA certificate.
When you deploy the Client SDK, you also deploy the saeIDPApp.jsp.
This procedure assumes you are still logged in as the root user to the sae-idp host machine.
Get the Client SDK WAR using the following sub procedure.
Access http://sae.idp-example.com:4848/login.jsf from a web browser and log in with the user name admin and the password domain1pwd.
Click Web Applications in the left frame of Application Server.
Click Deploy.
The Deploy Enterprise Applications/Modules page is displayed.
Click the radio button next to Packaged file to be uploaded to the server and browse for the opensso-client-jdk15.war WAR in the /export/OSSO_BITS/opensso/samples/war directory.
Enter opensso-client as the Application Name.
Click OK to deploy the Client SDK.
(Optional) List the contents of the j2ee-modules directory to verify that the WAR was successfully deployed.
Log out of the sae.idp-example.com host machine.
Add the IP address and host machine names to the /etc/hosts file on both the sae.idp-example.com and the sae.sp-example.com host machines as well as the host machine on which the browser is located.
To test a Secure Attribute Exchange we configure and use JavaServer Pages (bundled with the OpenSSO Enterprise Client SDK) to emulate real world applications. saeSPApp.jsp represents the service provider application that will receive the attributes from the identity provider. It will be installed on the sae.sp-example.com host machine. The following procedures will install and configure one instance of Application Server as the web container for the service provider application.
To Install Application Server on the Secure Attribute Exchange Service Provider Host Machine
To Secure Communications from the Service Provider Application
To Modify the Service Provider Web Container domain.xml Configuration File
To Deploy the Client SDK on the Service Provider Host Machine
This procedure assumes you have completed 13.1 Patching the Secure Attribute Exchange Host Machines.
Log in to the sae.sp-example.com host machine as a root user.
Create a directory into which the Application Server bits can be downloaded and change into it.
# mkdir /export/AS91
# cd /export/AS91
Download the Sun Java System Application Server 9.1 Update 1 binary from the Sun Microsystems Product Download page to the /export/AS91 directory.
Grant the downloaded binary execute permission using the chmod command.
# chmod +x sjsas-9_1_01-solaris-sparc.bin
Install the software.
# ./sjsas-9_1_01-solaris-sparc.bin -console
When prompted, provide the following information, in the order the installer asks for it.
Press Enter to continue.
Enter yes.
Enter /opt/SUNWappserver91
Enter 1 to create the directory.
Press Enter to accept the default value.
Press Enter to accept the default value.
Enter domain1pwd and then re-enter domain1pwd.
Press Enter to accept the default value.
Press Enter to accept the three default values.
Press Enter to accept the default value.
Press Enter to accept the default value.
Press Enter to accept the default value and begin the installation process.
When installation is complete, an Installation Successful message is displayed.
Press Enter to exit the installation program.
Log out of the sae.sp-example.com host machine.
Create a request for a server certificate and import the certificate authority (CA) root certificate and server certificate to the keystore. This will secure communications initiated by the service provider application.
Back up domain.xml before modifying it.
Log in to the sae.sp-example.com host machine as a root user.
Generate a private/public key pair and reference it with the alias sae-sp.
sae-sp will be used in a later step to retrieve the public key which is contained in a self-signed certificate.
# cd /opt/SUNWappserver91/domains/domain1/config
# keytool -genkey -noprompt -keyalg rsa -keypass changeit -alias sae-sp -keystore keystore.jks -dname "CN=sae.sp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" -storepass changeit
Verify that the key pair was successfully created and stored in the certificate store using the following command.
# keytool -list -v -keystore keystore.jks -storepass changeit
The output of this command lists a key entry with the alias sae-sp.
The output of this command may list more than one certificate based on the entries in the keystore.
Generate a server certificate request.
# keytool -certreq -alias sae-sp -keypass changeit -keystore keystore.jks -storepass changeit -file sae-sp.csr
sae-sp.csr is the server certificate request.
(Optional) Verify that sae-sp.csr was created.
# ls -la sae-sp.csr
-rw-r--r-- 1 osso80adm staff 715 Apr 4 15:04 sae-sp.csr
Send sae-sp.csr to the CA of your choice.
The CA issues and returns a certified server certificate named sae-sp.cer.
Import ca.cer, the CA root certificate, into the certificate store.
With Application Server, the root certificate must be imported into two keystores: keystore.jks and cacerts.jks.
# keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore keystore.jks -storepass changeit
Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Serial number: f59cd13935f5f498
Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
Certificate fingerprints:
MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
Trust this certificate? [no]: Yes
Certificate was added to keystore
# keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore cacerts.jks -storepass changeit
Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Serial number: f59cd13935f5f498
Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
Certificate fingerprints:
MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
Trust this certificate? [no]: Yes
Certificate was added to keystore
Replace the self-signed public key certificate (associated with the s1as alias) with the server certificate received from the CA.
# keytool -import -file sae-sp.cer -alias sae-sp -keystore keystore.jks -storepass changeit
Certificate reply was installed in keystore
(Optional) Verify that the self-signed public key certificate has been overwritten by the server certificate received from the CA.
# keytool -list -alias sae-sp -v -keystore keystore.jks -storepass changeit
The certificate indicated by the alias "sae-sp" is signed by the CA.
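The optional verification above, and the identical step for the sae-idp alias on the identity provider host, rely on reading the keytool -list -v output by eye. The following shell script is an added example, not part of the OpenSSO Enterprise guide, that performs the same check mechanically: it parses a saved keytool -list -v listing and reports whether the entry for an alias is still the self-signed certificate that keytool -genkey created (Owner equal to Issuer) or has been replaced by the CA-issued reply. The listing embedded in the script is constructed for the demonstration and is not output captured from the lab machines; the function names check_ca_signed and write_sample_listing are this example's own.

```shell
#!/bin/sh
# Added example, not from the OpenSSO Enterprise guide. Parses the output of
#   keytool -list -v -keystore keystore.jks -storepass changeit
# saved to a file, and decides whether the entry for one alias carries a
# CA-issued certificate or is still the self-signed one.

# check_ca_signed ALIAS EXPECTED_ISSUER_SUBSTRING LISTING_FILE
# Exit 0: alias exists and its leaf certificate (Certificate[1]) has an Issuer
#         different from its Owner, and that Issuer contains the expected CA DN.
# Exit 1: alias missing, still self-signed, or signed by an unexpected issuer.
# Only Certificate[1] is inspected: Certificate[2] in a two-element chain is
# the CA itself and is self-signed by design.
check_ca_signed() {
  awk -v want="$1" -v ca="$2" '
    /^Alias name: / { cur = substr($0, 13); leaf_done = 0 }
    cur == want && !leaf_done && /^Owner: /  { owner = substr($0, 8) }
    cur == want && !leaf_done && /^Issuer: / { issuer = substr($0, 9); found = 1; leaf_done = 1 }
    END {
      if (!found)                 exit 1   # alias not present in the keystore
      if (owner == issuer)        exit 1   # still the self-signed certificate
      if (index(issuer, ca) == 0) exit 1   # signed, but not by the CA we expect
      exit 0
    }' "$3"
}

# Constructed sample listing (not real keytool output): "sae-idp" holds a
# CA-issued certificate, "s1as" is still the default self-signed one.
# Serial numbers and dates are made up for the sample.
write_sample_listing() {
  cat > "$1" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: s1as
Creation date: Apr 4, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sae.idp-example.com, OU=Sun Java System Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=sae.idp-example.com, OU=Sun Java System Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 47f5a1b2

Alias name: sae-idp
Creation date: Apr 4, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=sae.idp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Serial number: 1a2b3c
Certificate[2]:
Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us
Serial number: f59cd13935f5f498
EOF
}

# Demonstration on the constructed listing.
listing="${TMPDIR:-/tmp}/sae-listing.$$"
write_sample_listing "$listing"
for a in sae-idp s1as; do
  if check_ca_signed "$a" "CN=openssltestca" "$listing"; then
    echo "$a: CA-signed certificate installed"
  else
    echo "$a: NOT CA-signed (self-signed, missing, or unexpected issuer)"
  fi
done
rm -f "$listing"
```

To run it against a real keystore, save the listing first (keytool -list -v -keystore keystore.jks -storepass changeit > listing.txt) and call check_ca_signed sae-sp CN=openssltestca listing.txt. A non-zero exit status means the import of the CA reply did not take effect, so the listener would keep presenting the self-signed certificate after the domain.xml alias change.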
Change the certificate alias from the default s1as to the new sae-sp in the domain.xml file for the domain1 domain.
The Application Server configuration file is domain.xml.
<http-listener acceptor-threads="1" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server" enabled="true" family="inet" id="http-listener-2" port="1081" security-enabled="true" server-name="" xpowered-by="true">
  <ssl cert-nickname="sae-sp" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
</http-listener>
Modify the following Java Virtual Machine (JVM) options in the Application Server configuration file, domain.xml to prepare for the installation of the Client SDK.
This procedure assumes you are still logged in as the root user to the sae-sp host machine.
Back up domain.xml before modifying it.
Change to the config directory.
# cd /opt/SUNWappserver91/domains/domain1/config
Open domain.xml in a text editor and make the following changes:
Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.
Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.
Save the file and close it.
Restart the domain1 domain.
# cd /opt/SUNWappserver91/bin
# ./asadmin stop-domain
Server was successfully stopped.
# ./asadmin start-domain
Redirecting output to /opt/SUNWappserver91/domains/domain1/logs/server.log
Verify that the certificate used for SSL communication is the root CA certificate.
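The domain.xml edits in this procedure, and the identical ones on the identity provider host (cert-nickname in http-listener-2, -client to -server, -Xmx512m to -Xmx1024m), are described as manual text-editor changes. The following shell script is an added example, not from the OpenSSO Enterprise guide, that makes the same three edits in one pass with a backup, changes cert-nickname only inside the named http-listener element (other ssl elements, such as the one under iiop-listener, keep s1as), and refuses to write anything unless all three expected defaults are found. The function names edit_domain_xml, domain_xml_ok and write_sample_domain_xml are this example's own, and the miniature domain.xml it writes is constructed for the demonstration (port 8181 chosen to match the sae host URLs), not a copy of a real Application Server file.

```shell
#!/bin/sh
# Added example, not from the OpenSSO Enterprise guide. Applies the three
# domain.xml edits the procedure describes, only if every expected default is
# present: cert-nickname="s1as" inside the named http-listener, the -client JVM
# option and the -Xmx512m JVM option. The original is kept as FILE.bak; on any
# mismatch the file is left untouched and the function returns 1.

# edit_domain_xml FILE NICKNAME [LISTENER_ID]   (default listener: http-listener-2)
edit_domain_xml() {
  file="$1"; nick="$2"; lid="${3:-http-listener-2}"
  tmp="$file.tmp.$$"
  awk -v nick="$nick" -v lid="$lid" '
    /<http-listener / && index($0, "id=\"" lid "\"") { inlistener = 1 }
    inlistener && sub(/cert-nickname="s1as"/, "cert-nickname=\"" nick "\"") { changed++ }
    /<\/http-listener>/ { inlistener = 0 }
    sub(/<jvm-options>-client<\/jvm-options>/,  "<jvm-options>-server</jvm-options>")   { changed++ }
    sub(/<jvm-options>-Xmx512m<\/jvm-options>/, "<jvm-options>-Xmx1024m</jvm-options>") { changed++ }
    { print }
    END { exit (changed == 3 ? 0 : 1) }   # exactly three substitutions, or no write
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  cp -p "$file" "$file.bak" && cat "$tmp" > "$file"   # cat keeps the file mode
  rm -f "$tmp"
}

# domain_xml_ok FILE NICKNAME: exit 0 when all three edits are present.
domain_xml_ok() {
  grep -q "cert-nickname=\"$2\"" "$1" &&
  grep -q '<jvm-options>-server</jvm-options>' "$1" &&
  grep -q '<jvm-options>-Xmx1024m</jvm-options>' "$1"
}

# Constructed miniature domain.xml with the defaults the procedure expects.
# Not a copy of a real server's file; the iiop-listener entry is there to show
# that its cert-nickname is deliberately left alone.
write_sample_domain_xml() {
  cat > "$1" <<'EOF'
<domain>
  <configs>
    <config name="server-config">
      <http-service>
        <http-listener acceptor-threads="1" address="0.0.0.0" id="http-listener-1" port="8080" security-enabled="false"/>
        <http-listener acceptor-threads="1" address="0.0.0.0" id="http-listener-2" port="8181" security-enabled="true">
          <ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"/>
        </http-listener>
      </http-service>
      <iiop-service>
        <iiop-listener address="0.0.0.0" id="SSL" port="3820" security-enabled="true">
          <ssl cert-nickname="s1as" client-auth-enabled="false"/>
        </iiop-listener>
      </iiop-service>
      <java-config>
        <jvm-options>-client</jvm-options>
        <jvm-options>-Xmx512m</jvm-options>
      </java-config>
    </config>
  </configs>
</domain>
EOF
}

# Demonstration on the constructed file.
sample="${TMPDIR:-/tmp}/domain-sample.$$.xml"
write_sample_domain_xml "$sample"
if edit_domain_xml "$sample" sae-sp && domain_xml_ok "$sample" sae-sp; then
  echo "edited; ssl elements still using s1as: $(grep -c 'cert-nickname="s1as"' "$sample") (expected 1, the iiop-listener)"
else
  echo "domain.xml not edited: expected defaults not found"
fi
rm -f "$sample" "$sample.bak"
```

Run it on the real file as edit_domain_xml /opt/SUNWappserver91/domains/domain1/config/domain.xml sae-sp before restarting domain1; a return status of 1 means a default was missing (for instance the file was already edited) and nothing was written, so the earlier backup is still the only copy to compare against.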
When you deploy the Client SDK, you also deploy the saeSPApp.jsp.
This procedure assumes you are still logged in as the root user to the sae-sp host machine.
Get the Client SDK WAR using the following sub procedure.
Access http://sae.sp-example.com:4848/login.jsf from a web browser and log in with the user name admin and the password domain1pwd.
Click Web Applications in the left frame of Application Server.
Click Deploy.
The Deploy Enterprise Applications/Modules page is displayed.
Click the radio button next to Packaged file to be uploaded to the server and browse for the opensso-client-jdk15.war WAR in the /export/OSSO_BITS/opensso/samples/war directory.
Enter opensso-client as the Application Name.
Click OK to deploy the Client SDK.
(Optional) List the contents of the j2ee-modules directory to verify that the WAR was successfully deployed.
Log out of the sae.sp-example.com host machine.
Add the IP address and host machine names to the /etc/hosts file on both the sae.idp-example.com and the sae.sp-example.com host machines as well as the host machine on which the browser is located.
The following procedures will establish trust relationships between the communicating entities (in this case, the included JSP).
To Establish Trust Between OpenSSO Enterprise and the Application on the Identity Provider Side
To Establish Trust Between OpenSSO Enterprise and the Application on the Service Provider Side
Set up a trust relationship between saeIDPApp.jsp, the identity provider application, and OpenSSO Enterprise on the identity provider side.
Choose a shared secret for use between the identity provider application and the instance of OpenSSO Enterprise on the identity provider side; in this procedure, secret12.
Make the following modifications to saeIDPApp.jsp and save the file.
saeIDPApp.jsp is found in the OpenSSO-Deploy-Base/samples/saml2/sae directory.
Change the value of saeServiceURL to https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp.
Change the value of secret to secret12.
In a real deployment the application would store this shared secret in an encrypted file.
Change the value of spapp to https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp.
Log in to the OpenSSO Enterprise console at https://lb2.idp-example.com:1081/opensso as the administrator, with the user name amadmin and the password ossoadmin.
Access https://lb2.idp-example.com:1081/opensso/encode.jsp in a different browser window.
This JSP encodes the shared secret.
Enter secret12 in the text field and click Encode.
A string representing the identity provider's encoded password is displayed.
Save the string for later use and close the browser window.
In this case, AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2.
From the OpenSSO Enterprise console, click the Federation tab.
Under Entity Providers, click https://lb2.idp-example.com:1081/opensso, the hosted identity provider.
Click the Advanced tab.
Under SAE Configuration, type the following in the New Value text box of the Per Application Security Configuration property and click Add.
url=https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp|type=symmetric|secret=AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2
Click Save to save the profile.
Click the Assertion Processing tab.
Click the Attribute Mapper link.
Under the Attribute Map property, type the following New Values and click Add.
mail=mail
branch=branch
These attributes will be sent as part of the SAML v2 assertion.
Click Save to save the profile.
Click Back to return to the Federation tab.
Under Entity Providers, click https://lb4.sp-example.com:1081/opensso, the remote service provider.
Click the Advanced tab.
Under SAE Configuration, enter https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp in the SP URL field.
Under SAE Configuration again, enter https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp in the SP Logout URL field.
Click Save to save the profile.
Click Back to return to the Federation tab.
Click the Access Control tab.
Under the Access Control tab, click / (Top Level Realm).
Click the Authentication tab.
Under General, click Advanced Properties.
The Core profile page is displayed.
Under User Profile, select the Ignored radio button and click Save.
This modification is specific to this deployment example only.
Click Save to save the profile.
Click Back to Authentication.
Log out of the OpenSSO Enterprise console.
Set up a trust relationship between OpenSSO Enterprise on the service provider side and saeSPApp.jsp, the service provider application.
Choose a shared secret for use between the service provider application and the instance of OpenSSO Enterprise on the service provider side; in this procedure, secret12.
Log in to the OpenSSO Enterprise console at https://lb4.sp-example.com:1081/opensso as the administrator, with the user name amadmin and the password ossoadmin.
Access https://lb4.sp-example.com:1081/opensso/encode.jsp in a different browser window.
This JSP encodes the shared secret.
Enter secret12 and click Encode.
A string representing the encoded shared secret is displayed.
Save the string for later use and close the browser window.
In this case, AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy.
From the OpenSSO Enterprise console, click the Federation tab.
Under Entity Providers, click https://lb4.sp-example.com:1081/opensso, the hosted service provider.
Click the Assertion Processing tab.
Under Attribute Mapper, add the following new values to the Attribute Map property.
mail=mail
branch=branch
Under Auto-Federation, check the Enabled box.
Also under Auto-Federation, enter mail in the Attribute field.
The value of the Attribute property is the attribute previously mapped between the identity provider and the service provider allowing Auto-Federation to work.
Click Save.
Click the Advanced tab.
Under SAE Configuration, type https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp as the value for the SP URL.
Type https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp as the value for the SP Logout URL.
Type the following in the New Value field of the Per Application Security Configuration property and click Add.
url=https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp|type=symmetric|secret=AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy
Click Save to save the profile.
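The Per Application Security Configuration value entered here, and the matching one for saeIDPApp.jsp on the identity provider side, is a pipe-delimited url=...|type=...|secret=... string that is easy to get subtly wrong when pasted (a space inside the URL from a wrapped copy, or the plaintext secret12 pasted instead of the encode.jsp output). The following shell function is an added example, not from the OpenSSO Enterprise guide, that validates such a value before it goes into the console: it parses the three keys, requires url to equal the application's deployed URL exactly, requires type to be symmetric (the mode this deployment uses), and requires secret to look like an encoded value. The check for an encoded value assumes the "AQIC" prefix seen on both encode.jsp outputs in this chapter; that prefix is this example's assumption, not a documented format. The function name check_sae_config is this example's own.

```shell
#!/bin/sh
# Added example, not from the OpenSSO Enterprise guide. Validates a value for
# the SAE "Per Application Security Configuration" property:
#   url=<app URL>|type=symmetric|secret=<encode.jsp output>
# check_sae_config VALUE EXPECTED_APP_URL -> exit 0 if acceptable, 1 otherwise
# (the reason is written to stderr).
check_sae_config() {
  value="$1"; app_url="$2"
  url=""; type=""; secret=""; extra=0
  oldifs="$IFS"; IFS='|'; set -f          # split on "|" only, no globbing
  for pair in $value; do
    key="${pair%%=*}"; val="${pair#*=}"
    case "$key" in
      url)    url="$val" ;;
      type)   type="$val" ;;
      secret) secret="$val" ;;
      *)      extra=1 ;;                   # unknown key or a field without "="
    esac
  done
  IFS="$oldifs"; set +f
  [ "$extra" -eq 0 ]        || { echo "unknown field in configuration" >&2; return 1; }
  [ "$url" = "$app_url" ]   || { echo "url does not match the deployed application URL" >&2; return 1; }
  [ "$type" = "symmetric" ] || { echo "type must be symmetric" >&2; return 1; }
  case "$secret" in
    AQIC*) ;;                              # assumed marker of an encode.jsp value
    *) echo "secret is not an encode.jsp value (looks like a plaintext secret)" >&2; return 1 ;;
  esac
  return 0
}

# Demonstration with the identity provider application's values from this
# chapter; bad_space and bad_plain are constructed mistakes.
app="https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp"
good="url=$app|type=symmetric|secret=AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2"
bad_space="url=https://sae.idp-example.com:8181/opensso/saml2/sae/ saeIDPApp.jsp|type=symmetric|secret=AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2"
bad_plain="url=$app|type=symmetric|secret=secret12"
for v in "$good" "$bad_space" "$bad_plain"; do
  if check_sae_config "$v" "$app"; then echo "OK:   $v"; else echo "FAIL: $v"; fi
done
```

The url comparison is deliberately exact rather than normalised: OpenSSO looks the application up by this string, so any difference from what the application sends as its own URL means the configuration is not found for that application.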
Click Back to return to the Federation tab.
Click the Access Control tab.
Under the Access Control tab, click / (Top Level Realm).
Click the Authentication tab.
Under General, click Advanced Properties.
The Core profile page is displayed.
Under User Profile, select the Ignored radio button and click Save.
This modification is specific to this deployment example only.
Click Save to save the profile.
Click Back to Authentication.
Log out of the OpenSSO Enterprise console.
In this test, saeIDPApp.jsp securely sends user authentication credentials to OpenSSO Enterprise on the identity provider side. The identity provider then uses basic SAML v2 to communicate these attributes to OpenSSO Enterprise on the service provider side. Finally, the service provider securely passes these same attributes to saeSPApp.jsp, the consumer.
This test for Secure Attribute Exchange does not use the test users created in building the SP and IDP Environment. The values of Userid on local IDP, Authenticated auth level, mail attribute, and branch attribute are hard-coded in saeIDPApp.jsp as the default values for the test. Because we have not created the hard-coded test user on the service provider side, we previously set the User Profile to ignore on the service provider side.
Access https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp from a web browser.
The Secure Attributes Exchange IDP APP SAMPLE page is displayed.
Type the following values in the appropriate text field.
testuser
0
testuser@foo.com
mainbranch
https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp
https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp
https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp
Select symmetric from the drop down menu.
secret12
No value
No value
No value
Click Generate URL.
The Secure Attributes Exchange IDP APP SAMPLE is generated and the following links are displayed.
Click here to invoke the remote SP App via http GET to local IDP : https://sae.sp-example.com:8181/opensso/samples/saml2/sae/saeSPApp.jsp : ssourl
Click here to invoke the remote SP App via http POST to IDP : https://sae.sp-example.com:8181/opensso/samples/saml2/sae/saeSPApp.jsp : POST
This URL will invoke global Logout : slourl
ssourl, POST, and slourl are clickable.
Click ssourl.
The SAE SP APP SAMPLE page is displayed proving that Secure Attribute Exchange single sign-on has succeeded.
SAE SP APP SAMPLE
Secure Attrs :
sun.authlevel 0
sun.spentityid https://lb4.sp-example.com:1081/opensso
branch mainbranch
sun.idpentityid https://lb2.idp-example.com:1081/opensso
mail testuser@foo.com
Enter https://lb2.idp-example.com:1081/opensso/samples/saml2/sae/saeIDPApp.jsp in the browser to regenerate the Secure Attributes Exchange IDP APP SAMPLE page.
The Secure Attributes Exchange IDP APP SAMPLE is regenerated and the following links are displayed.
Click here to invoke the remote SP App via http GET to local IDP : https://sae.sp-example.com:8181/opensso/samples/saml2/sae/saeSPApp.jsp : ssourl
Click here to invoke the remote SP App via http POST to IDP : https://sae.sp-example.com:8181/opensso/samples/saml2/sae/saeSPApp.jsp : POST
This URL will invoke global Logout : slourl
ssourl, POST, and slourl are clickable.
Click slourl.
The Secure Attributes Exchange IDP APP SAMPLE is displayed.
Type the following values in the appropriate text field.
testuser
0
testuser@foo.com
mainbranch
https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp
https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp
https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp
symmetric
secret12
No value
No value
No value
Click Generate URL.
The Secure Attributes Exchange IDP APP SAMPLE page is displayed.
Secure Attributes Exchange IDP APP SAMPLE
Setting up the following params:
branch=mainbranch
mail=testuser@foo.com
sun.userid=testuser
sun.authlevel=0
sun.spappurl=https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp
sun.idpappurl=https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp
Click here to invoke the remote SP App via http GET to local IDP : https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp : ssourl
Click here to invoke the remote SP App via http POST to IDP : https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp
This URL will invoke global Logout : slourl
Click slourl.
The SAE SP APP SAMPLE page is displayed proving successful logout.
SAE SP APP SAMPLE
Secure Attrs :
sun.cmd logout
sun.returnurl https://lb4.sp-example.com:1081/opensso/SPSloRedirect/metaAlias/sp?SAMLRequest=nZNva9swEMa%2FitHbkliS438iMQTCWErXpvUWxt5d7HMqsCVPJ0P27WcnLaSDdlDQq5Oe%2Bz33cFoSdG2v7uzRDv4Jfw9IPghOXWtIna9WbHBGWSBNykCHpHylyvW3OyXnXPXOelvZlgXbzYqRrKPDouKQQpOmnIsMRSMhgSgRIuUgU55jLEQlWbBHR9qaFRvbjGqiAbeGPBg%2FljjPZjyfyfy7jFSUjOcXCzajNW3An1XP3vekwrA9zJI5aWdxXtlOCZ6J0PZoiGxY7srWPmGtHVY%2B7NDDutVAIfUsuLf%2BwTy4dePR%2FQtcXIDFcgpAna25q0g%2BTgSI0E0eWXHlUc7xBF3fXrlsoFuGV4QX3P3Ycbv5BC6YlI8DtLrR00z%2FpbOg3L2veS9VFnyxrgP%2Fsa2poutZc36qvANDGo1nhfwqbv78uO334tGI26MRxzAWu%2F3NDp5%2FvsRxSeASR69KpGlPtqbG0yf2siC5iMe9SzMeJynKKhVCZsAhr6s6y2OIDg1WUSq4uODfEovX4psPUvwF&RelayState=s212b785d4bda31faa635552f1233bbbb3a2c5badb&sun.appreturn=true
Logout URL
Click Logout URL on the page displayed in the previous step.
At the bottom of the displayed page, you will see the message This proves SLO success.
If there are issues running this test, see the OpenSSO Enterprise debug files located in the /export/ossoadm/config/opensso/debug/Federation directory on both the identity provider and the service provider sides.