The previous sections detailed how to create and configure entities using the Access Manager console. But entities can also be created and configured in one step using the amadmin command-line interface and prepared XML files. Rather than filling in provider attribute values manually, you would create an XML file containing the provider attributes and corresponding values and import it using amadmin. Alternatively, you can modify the sample provider metadata XML files included with Access Manager. See sample1 Directory for information.
The format of the XML file used as input is based on the sms.dtd, located in /AccessManager-base/SUNWam/dtd. Alterations to the DTD files may hinder the operation of Access Manager.
There are two types of provider metadata (formatted in XML files) that can be used as input to amadmin:
Standard metadata properties are defined in the Liberty ID-FF specification.
Extended metadata properties are proprietary and used by features specific to Access Manager.
amadmin uses different options to load the different types of metadata XML files. Information on how to use amadmin can be found in Using amadmin for Federation Management in Sun Java System Access Manager 7.1 Administration Reference. Information regarding the attributes and possible values can be found in the online help of the Access Manager console or in the following sections:
Following are instructions to load the provider metadata:
To load metadata compliant with the Liberty ID-FF use the following command:
amadmin --runasdn userdn --password password --import metadata_filename |
This option is usually used to load provider metadata sent from a trusted partner in an XML file compliant with the Liberty ID-FF. Here is an example of a service provider metadata XML file compliant with the Liberty ID-FF.
<!-- Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved Use is subject to license terms. --> <EntityDescriptor meta:providerID="http://sp10.com" meta:cacheDuration="360" xmlns:meta="urn:liberty:metadata:2003-08" xmlns="urn:liberty:metadata:2003-08"> <SPDescriptor cacheDuration="180" xmlns:meta="urn:liberty:metadata:2003-08" aaa="aaa" protocolSupportEnumeration="urn:liberty:iff:2003-08"> <KeyDescriptor use="signing"> <EncryptionMethod>http://something/encrypt</EncryptionMethod> <KeySize>4567</KeySize> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> MIIC1DCCApICBD8poYwwCwYHKoZIzjgEAwUAMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDAeFw0w MzA3MzEyMzA5MDBaFw0wNDAxMjcyMzA5MDBaMFAxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNTdW4x IDAeBgNVBAsTF1NVTiBPTkUgSWRlbnRpdHkgU2VydmVyMREwDwYDVQQDEwhzdW4tdW5peDCCAbcw ggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR +1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUP BPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1 AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hM KBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4Vrl nwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKBgCNS1il+RQAQGcQ87GBFde8kf8R6ZVuaDDajFYE4/LNT Kr1dhEcPCtvL+iUFi44LzJf8Wxh+eA5K1mjIdxOo/UdwTpNQSqiRrm4Pq0wFG+hPnUTYLTtENkVX IIvfeoVDkXnF/2/i1Iu6ttZckimOPHfLzQUL4ldL4QiaYuCQF6NfMAsGByqGSM44BAMFAAMvADAs AhQ6yueX7YlD7IlJhJ8D4l6xYqwopwIUHzX82qCzF+VzIUhi0JG7slSpyis= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <SingleLogoutServiceURL>http://www.sun.com/slo"</SingleLogoutServiceURL> <SingleLogoutServiceReturnURL>http://www.sun.com/sloservice </SingleLogoutServiceReturnURL> <FederationTerminationServiceURL>http://www.sun.com/fts </FederationTerminationServiceURL> <FederationTerminationServiceReturnURL>http://www.sun.com/ftsr </FederationTerminationServiceReturnURL> <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/ fedterm-sp-http</FederationTerminationNotificationProtocolProfile> <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-http </SingleLogoutProtocolProfile> <RegisterNameIdentifierProtocolProfile>http://projectliberty.org/profiles/ rni-sp-http</RegisterNameIdentifierProtocolProfile> <RegisterNameIdentifierServiceURL>http://www.sun2.com/risu </RegisterNameIdentifierServiceURL> <RegisterNameIdentifierServiceReturnURL>http://www.sun2.com/rstu </RegisterNameIdentifierServiceReturnURL> <RelationshipTerminationNotificationProtocolProfile>http://projectliberty.org/ profiles/rel-term-soap</RelationshipTerminationNotificationProtocolProfile> <NameIdentifierMappingBinding AuthorityKind="ppp:AuthorizationDecisionQuery" Location="http://eng.sun.com" Binding="http://www.sun.com" xmlns:ppp="urn:oasis:names:tc:SAML:1.0:protocol"></NameIdentifierMappingBinding> <AdditionalMetaLocation namespace="abc">http://www.aol.com</AdditionalMetaLocation> <AdditionalMetaLocation namespace="efd">http://www.netscape.com</AdditionalMetaLocation> <AssertionConsumerServiceURL id="jh899" isDefault="true"> http://www.iplanet.com/assertionurl</AssertionConsumerServiceURL> <AuthnRequestsSigned>true</AuthnRequestsSigned> </SPDescriptor> <ContactPerson xmlns:meta="urn:liberty:metadata:2003-08" contactType="technical" meta:libertyPrincipalIdentifier="myid"> <Company>SUn Microsystems</Company> <GivenName>Joe</GivenName> <SurName>Smith</SurName> <EmailAddress>joe@sun.com</EmailAddress> <EmailAddress>smith@sun.com</EmailAddress> <TelephoneNumber>45859995</TelephoneNumber> </ContactPerson> <Organization xmlns:xml="http://www.w3.org/XML/1998/namespace"> <OrganizationName xml:lang="en">sun com</OrganizationName> <OrganizationName xml:lang="en">sun micro com</OrganizationName> <OrganizationDisplayName xml:lang="en">sun.com</OrganizationDisplayName> <OrganizationURL xml:lang="en">http://www.sun.com/liberty</OrganizationURL> </Organization> </EntityDescriptor> |
Access Manager provides proprietary attributes that are not a specific part of the Liberty ID-FF. To load Access Manager proprietary metadata use the following command:
amadmin --runasdn userdn --password password --data proprietary_metadata_filename |
After loading the metadata, the --export option can be used to export metadata compliant with the Liberty ID-FF. This file can then be exchanged with trusted partners. Here is an example of an identity provider metadata XML file for proprietary attributes.
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN" "jar://com/iplanet/am/admin/cli/amAdmin.dtd"> <Requests> <OrganizationRequests DN="dc=companyA,dc=com"> <CreateHostedProvider id="http://sp.companyA.com" role="SP" defaultUrlPrefix="http://sp.companyA.com:80"> <AttributeValuePair> <Attribute name="iplanet-am-provider-name"/> <Value>sp</Value> </AttributeValuePair> <AttributeValuePair> <Attribute name="iplanet-am-provider-alias"/> <Value>sp.companyA.com</Value> </AttributeValuePair> <AttributeValuePair> <Attribute name="iplanet-am-list-of-authenticationdomains"/> <Value>samplecot</Value> </AttributeValuePair> <AttributeValuePair> <Attribute name="iplanet-am-certificate-alias"/> <Value>cert_alias</Value> </AttributeValuePair> <AttributeValuePair> <Attribute name="iplanet-am-trusted-providers"/> <Value>http://idp.companyB.com</Value> <Value>http://idp.companyC.com</Value> </AttributeValuePair> <SPAuthContextInfo AuthContext="Password" AuthLevel="1"/> <AttributeValuePair> <Attribute name="iplanet-am-provider-homepage-url"/> <Value>http://sp.companyA.com:80/idff/index.jsp</Value> </AttributeValuePair> </CreateHostedProvider> </OrganizationRequests> </Requests> |