Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Installing the Common Domain Services for Federation Management

The Common Domain Services for Federation Management are installed as a web application within Access Manager using the Sun Java Enterprise System installer. However, the Common Domain Services for Federation Management can also be installed as a standalone web application (separate from the Access Manager product) on a Java Enterprise Edition web container. This option allows for generating common domain cookies on a machine on which Access Manager is not installed. Once the Common Domain Services for Federation Management is installed, you must set up the writer URL attribute for any identity providers and the reader URL for any service providers. These URLs point to the machine on which Common Domain Services for Federation Management is installed. For more information, see the Sun Java Enterprise System 5 Installation Guide for UNIX.


Tip –

In most real-world deployments, installing the Common Domain Services for Federation Management on a separate machine is the obvious choice, because a third-level common domain must be set up between service providers and identity providers in disparate enterprises.


Procedure: To Test a Common Domain Services for Federation Management Installation

For troubleshooting, make sure the debug level property in FSIntroConfig.properties is set to message.

  1. Install the Common Domain Services for Federation Management as a standalone application in a web container in the common domain.

    Ensure that the common domain has been defined and the web container is installed in it.

  2. Modify the properties in FSIntroConfig.properties as needed.

    See Configuring the Common Domain Services for Federation Management Properties for more information.

  3. Configure at least two identity providers for a service provider.

    Ensure that the Writer Service URL is configured for each identity provider and the Reader Service URL is configured for each service provider.

  4. Log in as a user and complete federation and single sign-on between one identity provider and the service provider.

    Ensure that the _liberty_idp cookie is set to the common domain.

  5. Log in as a user and complete federation and single sign-on between the second identity provider and the service provider.

    After the initial successful federation and single sign-on, all service providers in the common domain are redirected to the first identity provider based on the information in the common domain cookie.


    Note –

    Whether the cookie is persistent or lasts only for the current browser session depends on how FSIntroConfig.properties is configured.
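To make the cookie mechanics behind steps 4 and 5 concrete, the following is an added Python model of the writer service, the reader service and the step 4 cookie check. It is not code from Access Manager or from this guide. It assumes the Liberty ID-FF identity provider introduction profile's cookie format: a space-separated list of base64-encoded SHA-1 succinct IDs of the providers' provider IDs, with the most recently used identity provider last. The common domain, the provider IDs and the one-year lifetime are constructed values, and the `persistent` flag stands in for whichever FSIntroConfig.properties setting controls the cookie lifetime.

```python
"""Model of the common domain cookie (_liberty_idp) writer, reader and scope check.

Added example, not Access Manager product code. The cookie format (space-separated
base64 SHA-1 succinct IDs, most recent identity provider last) follows the Liberty
ID-FF introduction profile and is an assumption here; the guide does not state it.
"""
import base64
import hashlib
from typing import Dict, List, Optional

COOKIE_NAME = "_liberty_idp"
COMMON_DOMAIN = ".cd.example.com"            # constructed third-level common domain

# Constructed provider IDs for the two identity providers used in the test procedure.
IDP1 = "https://idp1.example.com/liberty"
IDP2 = "https://idp2.example.net/liberty"


def succinct_id(provider_id: str) -> str:
    """Succinct ID: base64 of the SHA-1 of the provider ID (Liberty convention, assumed)."""
    digest = hashlib.sha1(provider_id.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def writer_update(current_value: Optional[str], idp_provider_id: str) -> str:
    """Writer service: make this IdP the most recent entry, dropping any older copy of it."""
    ids = current_value.split() if current_value else []
    sid = succinct_id(idp_provider_id)
    return " ".join([i for i in ids if i != sid] + [sid])


def writer_set_cookie_header(cookie_value: str, persistent: bool) -> str:
    """Build the Set-Cookie header the writer returns; Domain scopes it to the common domain.

    persistent=True models a configured cookie lifetime (Max-Age); False yields a
    session cookie that the browser discards when it closes.
    """
    attrs = [f'{COOKIE_NAME}="{cookie_value}"', f"Domain={COMMON_DOMAIN}", "Path=/", "Secure"]
    if persistent:
        attrs.insert(2, "Max-Age=31536000")  # constructed one-year lifetime
    return "; ".join(attrs)


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Parse a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    out: Dict[str, Optional[str]] = {"name": name, "value": value.strip('"')}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        out[key.lower()] = val if val else None   # flag attributes such as Secure carry no value
    return out


def cookie_scoped_to_common_domain(header: str) -> bool:
    """Step 4 check: the cookie is _liberty_idp and its Domain attribute is the common domain."""
    cookie = parse_set_cookie(header)
    return cookie["name"] == COOKIE_NAME and cookie.get("domain") == COMMON_DOMAIN


def reader_preferred_idp(cookie_value: Optional[str], known_idps: List[str]) -> Optional[str]:
    """Reader side: return the most recently used IdP that this service provider trusts.

    Entries the SP does not recognise are skipped, so a cookie written by an IdP
    outside the SP's configuration never drives a redirect.
    """
    if not cookie_value:
        return None
    by_sid = {succinct_id(p): p for p in known_idps}
    for sid in reversed(cookie_value.split()):
        if sid in by_sid:
            return by_sid[sid]
    return None


if __name__ == "__main__":
    # Step 4: federation with the first IdP; the writer sets the cookie in the common domain.
    value = writer_update(None, IDP1)
    header = writer_set_cookie_header(value, persistent=False)
    print(header)
    print("scoped to common domain:", cookie_scoped_to_common_domain(header))
    # Start of step 5: the SP reads the cookie and is redirected to the first IdP.
    print("reader picks:", reader_preferred_idp(value, [IDP1, IDP2]))
    # After federation with the second IdP it becomes the most recent entry.
    value = writer_update(value, IDP2)
    print("reader picks after second federation:", reader_preferred_idp(value, [IDP1, IDP2]))
```

Run it directly to see the Set-Cookie header the writer would emit and which identity provider the reader selects at each step; the `cookie_scoped_to_common_domain` check is the one to apply to the real response in step 4, since a cookie scoped to the identity provider's own host instead of the common domain is invisible to the reader service.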