Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Generating Security Tokens

In general, a discovery service and an identity provider are hosted on the same machine. Because the identity provider hosting the Discovery Service might be fulfilling other roles for an identity (such as a Policy Decision Point or an Authentication Authority), it can be configured to provide the requesting entity with security tokens. The Discovery Service can include a security token (inserted into a SOAP message header) in a DiscoveryLookup response. The token can then be used as a credential to invoke the service returned with it.

Procedure: To Configure the Discovery Service to Generate Security Tokens

After completing the following procedure, you can test the functionality by running the samples. See Web Services Framework Samples for information.

  1. Generate the keystore and certificate aliases for the machines that are hosting the Discovery Service, the WSP and the WSC.

    Access Manager uses a Java keystore for storing the public and private keys so, if this is a new deployment, you might need to generate one. keystore.html in AccessManager-base/SUNWam/samples/saml/xmlsig/ has information on accomplishing this using keytool, the key and certificate management utility supplied with the Java Platform, Standard Edition. In short, keytool generates key pairs as separate key entries (one for a public key and the other for its associated private key). It wraps the public key into an X.509 self-signed certificate (one for which the issuer/signer is the same as the subject), and stores it as a single-element certificate chain. Additionally, the private key is stored separately, protected by a password, and associated with the certificate chain for the corresponding public key. All public and private keystore entries are accessed via unique aliases.

  2. Update the values of the following key-related properties in the AMConfig.properties files of the appropriate deployed instances of Access Manager.

    AMConfig.properties is located in /etc/opt/SUNWam/config/.


    Note –

    The same property might have already been edited depending on the deployment scenario.


    1. Update the values of the following key-related properties in the AMConfig.properties files on the machine that hosts the Discovery Service.

      • com.sun.identity.saml.xmlsig.keystore defines the location of the keystore file.

      • com.sun.identity.saml.xmlsig.storepass defines the location of the file that contains the password used to access the keystore file.

      • com.sun.identity.saml.xmlsig.keypass defines the location of the file that contains the password used to protect the private key of a generated key pair.

      • com.sun.identity.liberty.ws.ta.certalias defines the certificate alias used by the Discovery Service to sign SAML assertions.

      • com.sun.identity.liberty.ws.wsc.certalias defines the certificate alias used by the Discovery Service to sign the protocol response.

    2. Update the values of the following key-related properties in the AMConfig.properties files on the machine that acts as the WSP.

      • com.sun.identity.saml.xmlsig.keystore defines the location of the keystore file.

      • com.sun.identity.saml.xmlsig.storepass defines the location of the file that contains the password used to access the keystore file.

      • com.sun.identity.saml.xmlsig.keypass defines the location of the file that contains the password used to protect the private key of a generated key pair.

      • com.sun.identity.liberty.ws.wsc.certalias defines the certificate alias used for signing the WSP protocol responses.

      • com.sun.identity.liberty.ws.trustedca.certaliases defines the certificate aliases and the list of Provider IDs that the WSP trusts.

    3. Update the values of the following key-related properties in the AMConfig.properties files on the machine that acts as the WSC.

      • com.sun.identity.saml.xmlsig.keystore defines the location of the keystore file.

      • com.sun.identity.saml.xmlsig.storepass defines the location of the file that contains the password used to access the keystore file.

      • com.sun.identity.saml.xmlsig.keypass defines the location of the file that contains the password used to protect the private key of a generated key pair.

      • com.sun.identity.liberty.ws.wsc.certalias defines the certificate alias used by web service clients for signing protocol requests.


        Note –

        The com.sun.identity.liberty.ws.wsc.certalias property must be added to the AMConfig.properties file.
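
A quick way to confirm that each host's AMConfig.properties carries the properties listed above is to check it mechanically. The following script is an added example, not part of the guide or of Access Manager: it reads a properties file, verifies that every property required for a given role (Discovery Service, WSP or WSC) is set, that the keystore and password files named by the three com.sun.identity.saml.xmlsig.* properties exist, and that the password files are not readable by other users. The role names, the sample fragment and the paths in it are constructed for the example.

```python
import os
import re

COMMON = (  # key-related properties every role needs, from the procedure above
    "com.sun.identity.saml.xmlsig.keystore",
    "com.sun.identity.saml.xmlsig.storepass",
    "com.sun.identity.saml.xmlsig.keypass")
REQUIRED = {  # role names are constructed for this example
    "disco": COMMON + ("com.sun.identity.liberty.ws.ta.certalias",
                       "com.sun.identity.liberty.ws.wsc.certalias"),
    "wsp": COMMON + ("com.sun.identity.liberty.ws.wsc.certalias",
                     "com.sun.identity.liberty.ws.trustedca.certaliases"),
    "wsc": COMMON + ("com.sun.identity.liberty.ws.wsc.certalias",),
}

def parse_properties(text):
    """Minimal single-line Java .properties reader ('#'/'!' comments; '=', ':' or space separator)."""
    props = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)  # a repeated key keeps its last value
    return props

def check_role(props, role, exists=os.path.exists,
               mode=lambda p: os.stat(p).st_mode):
    """Findings for one role (empty list = passes); exists/mode are injectable for offline runs."""
    findings = []
    for key in REQUIRED[role]:
        value = props.get(key, "")
        if not value:
            findings.append("missing: " + key)
        elif key in COMMON and not exists(value):
            findings.append("file not found: %s -> %s" % (key, value))
        elif key in COMMON[1:] and mode(value) & 0o077:  # storepass, keypass
            findings.append("password file readable by group/others: " + value)
    return findings

# Constructed WSC fragment: wsc.certalias is deliberately missing (see the note above).
SAMPLE_WSC = """# constructed AMConfig.properties fragment
com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/config/keystore.jks
com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass
com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass
"""

def demo():  # fake file tree: everything exists, storepass file is world-readable
    modes = {"/etc/opt/SUNWam/config/.storepass": 0o100644}
    return check_role(parse_properties(SAMPLE_WSC), "wsc", exists=lambda p: True,
                      mode=lambda p: modes.get(p, 0o100600))
```

Against a real host, call check_role(parse_properties(open(path).read()), role) with the default exists and mode so the file checks run on the actual keystore and password files.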


  3. Configure each identity provider and service provider as an entity using the Access Manager Federation module.

    This entails configuring an entity for each provider using the Access Manager Console or loading an XML metadata file using amadmin. See Entities for information on the former and Chapter 1, The amadmin Command Line Tool, in Sun Java System Access Manager 7.1 Administration Reference for information on the latter.


    Note –

    Be sure to configure each provider's entity so that all providers in the scenario are defined as Trusted Providers.


  4. Establish provider trust between the entities by creating an authentication domain using the Access Manager Federation module.

    See Authentication Domains.

  5. Change the default value of the Provider ID for the Discovery Service on the machine where the Discovery Service is hosted to the value that reflects the previously loaded metadata.

    1. Click the Web Services tab from the Access Manager Console.

    2. Click the Discovery Service tab under Web Services.

    3. Change the default value of the Provider ID from protocol://host:port/deployuri/Liberty/disco to the Provider ID defined in the previously loaded metadata.


    Note –

    If using the samples, make sure that the value of Provider ID in discovery-modify.jsp is changed, if necessary, before the WSP registers with the Discovery Service.


  6. Change the default value of the Provider ID for the Liberty Personal Profile Service on the machine where the Liberty Personal Profile Service is hosted to the value that reflects the previously loaded metadata.

    1. Click the Web Services tab from the Access Manager Console.

    2. Click the Liberty Personal Profile Service tab under Web Services.

    3. Change the default value of the Provider ID from protocol://host:port/deployuri/Liberty/idpp to the Provider ID defined in the previously loaded metadata.

  7. Register a resource offering for the WSP using either of the following methods.

    • Access Manager Console

      See Storing Resource Offerings for information on registering a resource offering using the Access Manager Console.

    • Client API

      See discovery-modify.jsp in AccessManager-base/samples/phase2/wsc which calls the API for registering a resource offering.

    Also, make sure that the appropriate directives are chosen.

    • For SAML Bearer token use GenerateBearerToken or AuthenticateRequester.

    • For SAML Token (Holder of key) use AuthenticateRequester or AuthorizeRequester.