This section describes the procedures to configure and implement CDSSO.
The CDC Servlet (/amserver/cdcservlet) is always available and enabled on the Access Manager server. There are no special steps to install and configure it. However, if you deploy multiple AM instances behind a load balancer, you need to configure the Access Manager instances accordingly. The configuration has nothing to do with CDSSO. For instructions on how to configure multiple Access Manager instances behind a load balancer, see "Deployment Example: Access Manager Load Balancing, Distributed Authentication, and Session Failover" at the following URL:
http://docs.sun.com/app/docs/doc/819-6258.
The policy agent part of the configuration will vary depending upon whether you are using a single Access Manager instance or multiple Access Manager instances.
For J2EE agents, the CDSSO Redirect Servlet is also deployed but disabled by default. No special steps are required during agent installation. After the installation, you should see the following default CDSSO processing properties in the AMAgent.properties file:
com.sun.identity.agents.config.cdsso.enable = false
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
The URL https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet points to the CDC servlet on the Access Manager. The Access Manager protocol, host, and port are provided during the agent installation. The two properties cdcservlet.url[0] and trusted.id.provider[0] are typically added by the agent installer.
If a J2EE agent resides in the same DNS domain as the Access Manager, CDSSO is not necessary and should be disabled. Check AMAgent.properties and ensure this property value remains the default "false": com.sun.identity.agents.config.cdsso.enable = false.
If a J2EE agent resides in a different DNS domain than the Access Manager, CDSSO can be enabled like this:
com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
If multiple Access Manager instances are behind a load balancer, then the actual CDC servlet URL of every Access Manager instance must be added to the trusted ID provider list. This list is consulted when the policy agent's CDSSO Redirect Servlet receives the AuthnResponse. If an individual Access Manager's CDC servlet URL is not in the list, the agent rejects the AuthnResponse as coming from an untrusted provider and logs an error like this:
ERROR: LibertyAuthnResponseHandler : Response received from an untrusted provider - https://ide-14.red.iplanet.com:443/amserver/cdcservlet
For example: if ide-14 and ide-15 are two SSL-enabled Access Manager instances behind a load balancer am-pool0.red.iplanet.com:8443, then the agent CDSSO configuration should look like this:
com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[1] = https://ide-14.red.iplanet.com:443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[2] = https://ide-15.red.iplanet.com:443/amserver/cdcservlet
Technically, you don't need the load balancer's URL in the trusted provider list, because the AuthnResponse is issued by an individual Access Manager instance, not by the load balancer. The load balancer URL is derived from the Access Manager host, port, and URL detected during installation and added by the agent installer. It doesn't hurt to leave the load balancer URL in the trusted provider list.
The clock skew factor is used to tolerate minor system clock drift between the agent and the Access Manager instances. Even with this parameter available, it is good practice to synchronize the system clocks of Access Manager servers and policy agents with an NTP service.
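As an added example (not from the Sun documentation or the agent's own code), the following Python models the two checks described above: it parses the indexed trusted.id.provider entries out of an AMAgent.properties-style text, then rejects an AuthnResponse whose issuer is not in that list or whose timestamp falls outside the configured clock skew. The property names are the page's; the sample values, the 30-second skew, and the check_authn_response() function are constructed for illustration.

```python
import re

# Constructed sample in the page's AMAgent.properties format: the load
# balancer plus one of the two SSL-enabled instances behind it.
AGENT_PROPERTIES = """
com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 30
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[1] = https://ide-14.red.iplanet.com:443/amserver/cdcservlet
"""

PREFIX = "com.sun.identity.agents.config.cdsso."
# key, optional [N] index, '=' with or without surrounding spaces, value
_PROP = re.compile(r"^(?P<key>[^\s=\[]+)(?:\[(?P<idx>\d+)\])?\s*=\s*(?P<val>.*?)\s*$")


def parse_properties(text):
    """Return a dict of properties; indexed keys (name[N]) become lists ordered by N."""
    scalars, indexed = {}, {}
    for line in text.splitlines():
        m = _PROP.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        if m.group("idx") is None:
            scalars[m.group("key")] = m.group("val")
        else:
            indexed.setdefault(m.group("key"), {})[int(m.group("idx"))] = m.group("val")
    for key, by_idx in indexed.items():
        scalars[key] = [by_idx[i] for i in sorted(by_idx)]
    return scalars


def check_authn_response(props, issuer, issue_instant, now):
    """Simplified model of the agent's acceptance test (constructed, not the
    agent's code): the issuer must be a trusted ID provider and the response's
    IssueInstant (epoch seconds) must lie within clock.skew seconds of the
    agent's clock. Returns None when accepted, otherwise the rejection reason."""
    if props.get(PREFIX + "enable") != "true":
        return "CDSSO disabled"
    if issuer not in props.get(PREFIX + "trusted.id.provider", []):
        return "Response received from an untrusted provider - " + issuer
    skew = int(props.get(PREFIX + "clock.skew", "0"))
    if abs(now - issue_instant) > skew:
        return "IssueInstant outside clock skew"
    return None
```

With the sample above, a response issued by ide-14 is accepted while one issued by ide-15 is rejected with the same "untrusted provider" message the agent logs, which is exactly the misconfiguration the trusted.id.provider[N] entries exist to prevent.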
CDSSO for web policy agents has considerably fewer configurable parameters than for J2EE policy agents. During the installation of a web policy agent, you are prompted to enable or disable CDSSO. If you choose to enable it, after the installation you should see the following default CDSSO processing properties in the AMAgent.properties file:
com.sun.am.policy.agents.config.cdsso.enable=true
com.sun.am.policy.agents.config.cdcservlet.url = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
The URL https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet points to the CDC servlet on the Access Manager. The Access Manager protocol, host, and port are provided during the agent installation. The property cdcservlet.url is typically added by the agent installer.