Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0
Book Information
Preface
Part I About This Deployment
Chapter 1 Components and Features
1.1 Key Features of Deployment
1.2 Deployment Architecture and Components
1.2.1 Identity Provider Deployment
1.2.2 Service Provider Deployment
1.3 Sequential Component Interactions
Chapter 2 Technical Overview
2.1 Host Machines
2.2 Software
2.3 Main Service URLs
2.3.1 Identity Provider Main Service URLs
2.3.2 Service Provider Main Service URLs
2.4 Viewing Replicated Entries
Chapter 3 Before You Begin
3.1 Technical Reference
3.2 Setting Up the Load Balancers
3.3 Obtaining Secure Socket Layer Certificates
3.4 Resolving Host Names
3.5 Known Issues and Limitations
Part II Building the Identity Provider Environment
Chapter 4 Installing Sun Java System Directory Server and Creating Instances for User Data
4.1 Installing and Configuring Directory Server 1 and Directory Server 2
To Download the Directory Server Bits and Required Patches to the Host Machines
To Patch the Directory Server Host Machines
To Install Directory Server 1
To Create a User Data Instance on Directory Server 1
To Create a Base Suffix for the User Data Instance on Directory Server 1
To Install Directory Server 2
To Create a User Data Instance on Directory Server 2
To Create a Base Suffix for the User Data Instance on Directory Server 2
4.2 Enabling Multi-Master Replication of the User Data Instances
To Enable Multi-Master Replication for the User Data Instance on Directory Server 1
To Enable Multi-Master Replication for the User Data Instance on Directory Server 2
To Change the Default Replication Manager Password for Each User Data Instance
To Create Replication Agreements for Each User Data Instance
To Initialize the Replication Agreements
To Verify Successful User Data Replication
4.3 Modifying the Directory Server Schema
To Modify the Directory Server LDAP Schema for SAML v2 User Data
4.4 Enabling Secure Communication for the Directory Server User Data Instances
To Import a Root Certificate and a Server Certificate to Directory Server 1
To Import a Root Certificate and a Server Certificate to Directory Server 2
4.5 Configuring the Directory Server Load Balancer
To Import the Root Certificate to Directory Server Load Balancer 1
To Configure the Directory Server Load Balancer 1
4.6 Creating a Test User
To Import Test User Data into the Replicated Directory Server Instances
Chapter 5 Deploying and Configuring OpenSSO Enterprise
5.1 Installing the Application Server Web Containers
To Patch the OpenSSO Enterprise Host Machines
To Create a Non-Root User on the OpenSSO Enterprise 1 Host Machine
To Install Application Server on the OpenSSO Enterprise 1 Host Machine
To Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine
To Install Application Server on the OpenSSO Enterprise 2 Host Machine
5.2 Configuring the OpenSSO Enterprise Load Balancer
To Request a Certificate for OpenSSO Enterprise Load Balancer 2
To Install the Certificate Authority Root Certificate to OpenSSO Enterprise Load Balancer 2
To Install the Server Certificate to OpenSSO Enterprise Load Balancer 2
To Configure OpenSSO Enterprise Load Balancer 2
To Create an SSL Proxy for SSL Termination at the OpenSSO Enterprise Load Balancer 2
5.3 Deploying and Configuring OpenSSO Enterprise 1 and OpenSSO Enterprise 2
To Generate an OpenSSO Enterprise WAR on the OpenSSO Enterprise 1 Host Machine
To Deploy the OpenSSO Enterprise WAR as OpenSSO Enterprise 1
To Copy the OpenSSO Enterprise WAR to the OpenSSO Enterprise 2 Host Machine
To Deploy the OpenSSO Enterprise WAR File as OpenSSO Enterprise 2
To Configure OpenSSO Enterprise 1
To Configure OpenSSO Enterprise 2
5.4 Configuring the OpenSSO Enterprise Platform Service
To Create a Site on OpenSSO Enterprise 1
To Verify that the OpenSSO Enterprise Site was Configured Properly
5.5 Configuring OpenSSO Enterprise for SAML v2
To Configure OpenSSO Enterprise for the Modified LDAP Schema
Chapter 6 Configuring OpenSSO Enterprise Realms for User Authentication
6.1 Modifying the Top-Level Realm for Test Users
To Modify the Top-Level Realm for User Authentication
To Verify that a User Can Successfully Authenticate
6.2 Creating and Configuring a Sub Realm for Test Users
To Create a Sub Realm
To Change the User Profile Configuration for the Sub Realm
To Modify the Sub Realm for User Authentication
To Verify That the Sub Realm Can Access the External User Data Store
To Verify That the Sub Realm Subjects Can Successfully Authenticate
Part III Building the Service Provider Environment
Chapter 7 Installing Sun Java System Directory Server and Creating Instances for User Data
7.1 Installing and Configuring Directory Server 1 and Directory Server 2
To Download the Directory Server Bits and Required Patches to the Directory Server Host Machines
To Patch the Directory Server Host Machines
To Install Directory Server 1
To Create a User Data Instance on Directory Server 1
To Create a Base Suffix for the User Data Instance on Directory Server 1
To Install Directory Server 2
To Create a User Data Instance on Directory Server 2
To Create a Base Suffix for the User Data Instance on Directory Server 2
7.2 Enabling Multi-Master Replication of the User Data Instances
To Enable Multi-Master Replication for User Data Instance on Directory Server 1
To Enable Multi-Master Replication for User Data Instance on Directory Server 2
To Change the Default Replication Manager Password for Each User Data Instance
To Create Replication Agreements for Each User Data Instance
To Initialize the Replication Agreements
To Verify Successful User Data Replication
7.3 Modifying the Directory Server Schema
To Modify the Directory Server LDAP Schema for SAML v2 User Data
7.4 Enabling Secure Communication for the Directory Server User Data Instances
To Install a Root Certificate and a Server Certificate on Directory Server 1
To Install a Root Certificate and a Server Certificate on Directory Server 2
7.5 Configuring the Directory Server Load Balancer
To Import the Root Certificate to the User Data Load Balancer
To Configure Directory Server Load Balancer 1
7.6 Creating a Test User
To Import Test User Data into the Replicated Directory Server Instances
Chapter 8 Deploying and Configuring OpenSSO Enterprise
8.1 Installing the Application Server Web Containers
To Patch the OpenSSO Enterprise Host Machines
To Create a Non-Root User on the OpenSSO Enterprise 1 Host Machine
To Install Application Server on the OpenSSO Enterprise 1 Host Machine
To Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine
To Install Application Server on the OpenSSO Enterprise 2 Host Machine
8.2 Configuring the OpenSSO Enterprise Load Balancer
To Request a Certificate for OpenSSO Enterprise Load Balancer 2
To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2
To Install the Server Certificate to OpenSSO Enterprise Load Balancer 2
To Configure OpenSSO Enterprise Load Balancer 2
To Create an SSL Proxy for SSL Termination at the OpenSSO Enterprise Load Balancer 2
8.3 Deploying and Configuring OpenSSO Enterprise 1 and OpenSSO Enterprise 2
To Generate an OpenSSO Enterprise WAR on the OpenSSO Enterprise 1 Host Machine
To Deploy the OpenSSO Enterprise WAR as OpenSSO Enterprise 1
To Copy the OpenSSO Enterprise WAR to the OpenSSO Enterprise 2 Host Machine
To Deploy the OpenSSO Enterprise WAR File as OpenSSO Enterprise 2
To Configure OpenSSO Enterprise 1
To Configure OpenSSO Enterprise 2
8.4 Configuring the OpenSSO Enterprise Platform Service
To Create a Site on OpenSSO Enterprise 1
To Verify that the OpenSSO Enterprise Site was Configured Properly
8.5 Configuring OpenSSO Enterprise for SAML v2
To Configure OpenSSO Enterprise for the Modified LDAP Schema
Chapter 9 Configuring OpenSSO Enterprise Realms for User Authentication
9.1 Modifying the Top-Level Realm for Test Users
To Modify the Top-Level Realm for User Authentication
To Verify that a User Can Successfully Authenticate
9.2 Creating and Configuring a Sub Realm for Test Users
To Create a Sub Realm
To Change the User Profile Configuration for the Sub Realm
To Modify the Sub Realm for User Authentication
To Verify That the Sub Realm Can Access the External User Data Store
To Verify That the Sub Realm Subjects Can Successfully Authenticate
Chapter 10 Configuring the Service Provider Protected Resource Host Machine
10.1 Installing the J2EE Container and J2EE Policy Agent on Protected Resource 1
To Install BEA WebLogic Server on Protected Resource 1
To Configure BEA WebLogic Server on Protected Resource 1
To Import a Certificate Authority Root Certificate to Protected Resource 1
To Install the J2EE Policy Agent on Protected Resource 1
To Deploy and Start the J2EE Policy Agent Housekeeping Application
To Deploy the J2EE Policy Agent Sample Application
To Configure the J2EE Policy Agent to Bypass Application Server Administrator Authentication
To Enable the J2EE Policy Agent to Run in SSO Only Mode
To Configure the J2EE Policy Agent for SAML v2 Communication
10.2 Installing the Web Server and Web Policy Agent on Protected Resource 1
To Patch the Protected Resource 1 Host Machine
To Install and Configure Sun Java System Web Server on Protected Resource 1
To Import a Certificate Authority Root Certificate to Protected Resource 1
To Install and Configure Web Policy Agent on Protected Resource 1
To Enable the Web Policy Agent to Run in SSO Only Mode
To Configure the Web Policy Agent for SAML v2 Communication
Part IV Configuring and Testing the SAML v2 Communications
Chapter 11 Configuring OpenSSO Enterprise for SAML v2
11.1 Configuring OpenSSO Enterprise as the Hosted Identity Provider
To Configure the Hosted Identity Provider
To View the Hosted Identity Provider Metadata in XML Format
11.2 Configuring OpenSSO Enterprise as the Hosted Service Provider
To Configure the Hosted Service Provider
To View the Hosted Service Provider Metadata in XML Format
11.3 Configuring the Hosted Service Provider to Communicate with the Remote Identity Provider
To Import the Remote Identity Provider Metadata into the Hosted Service Provider
Chapter 12 Testing the SAML v2 Profiles
12.1 Using the OpenSSO Enterprise Common Tasks Wizard
To Test SAML v2 Using the Common Tasks Wizard
12.2 Using Specially Constructed URLs
12.2.1 Testing Identity Provider Initiated URLs
12.2.1.1 Testing Persistent Federation
To Test Persistent Federation Using the Browser Artifact Profile
To Test Persistent Federation Using the Browser POST Profile
12.2.1.2 Testing Single Logout
To Test Single Logout Using Back Channel SOAP Over HTTP
To Test Single Logout Using Front Channel HTTP
12.2.1.3 Testing Single Sign-On
To Test Single Sign-On Using the Browser Artifact Profile
To Test Single Sign-On Using the Browser POST Profile
12.2.1.4 Testing Federation Termination
To Test Federation Termination Using Back Channel SOAP Over HTTP
To Test Federation Termination Using Front Channel HTTP
12.2.2 Testing Service Provider Initiated URLs
12.2.2.1 Testing Persistent Federation
To Test Persistent Federation Using the Browser Artifact Profile
To Test Persistent Federation Using the Browser POST Profile
12.2.2.2 Testing Single Logout
To Test Single Logout Using Back Channel SOAP Over HTTP
To Test Single Logout Using Front Channel HTTP
12.2.2.3 Testing Single Sign-On
To Test Single Sign-On Using the Browser Artifact Profile
To Test Single Sign-On Using the Browser POST Profile
12.2.2.4 Testing Federation Termination
To Terminate Federation Using Back Channel SOAP Over HTTP
To Terminate Federation Using Front Channel HTTP
Chapter 13 Testing Secure Attribute Exchange
13.1 Patching the Secure Attribute Exchange Host Machines
To Patch the OpenSSO Enterprise Host Machines
13.2 Installing Application Server on the Secure Attribute Exchange Identity Provider Host Machine
To Install Application Server on the Secure Attribute Exchange Identity Provider Host Machine
To Secure Communications from the Identity Provider Host Machine
To Modify the Identity Provider Web Container domain.xml Configuration File
To Deploy the Client SDK on the Identity Provider Host Machine
13.3 Installing Application Server on the Secure Attribute Exchange Service Provider Host Machine
To Install Application Server on the Secure Attribute Exchange Service Provider Host Machine
To Secure Communications from the Service Provider Application
To Modify the Service Provider Web Container domain.xml Configuration File
To Deploy the Client SDK on the Service Provider Host Machine
13.4 Establishing Trust Between Communicating Entities
To Establish Trust Between OpenSSO Enterprise and the Application on the Identity Provider Side
To Establish Trust Between OpenSSO Enterprise and the Application on the Service Provider Side
13.5 Testing the Secure Attribute Exchange
To Test the Secure Attribute Exchange Configurations
Chapter 14 Testing Attribute Mapping
14.1 Creating a Test User
To Create a Test User for Attribute Mapping
To Edit the Test User Profile
14.2 Configuring OpenSSO Enterprise for Attribute Mapping
To Add SAML v2 Mappings to the Identity Provider Metadata
To Enable Anonymous Authentication
To Modify the Agent Profile to Use SAMLv2 Transient
To Map Identity Provider User Attributes to Service Provider Anonymous User Attributes
14.3 Testing Attribute Mapping
To Verify That Attribute Mapping is Working Properly
Part V Appendices
Appendix A Identity Provider Directory Server Host Machines, Load Balancer and Test User
Appendix B Service Provider Directory Server Host Machines, Load Balancer and Test User
Appendix C Identity Provider OpenSSO Enterprise Host Machines and Load Balancers
Appendix D Service Provider OpenSSO Enterprise Host Machines and Load Balancers
Appendix E Service Provider Protected Resource Host Machine Web Containers and Policy Agents
Appendix F The snoop.jsp File
Appendix G Known Issues and Limitations
© 2010, Oracle Corporation and/or its affiliates