Sun Java System Access Manager 7.1 Federation and SAML Administration Guide
Book Information
Index
Preface
Part I The Liberty Alliance Project Specifications and Access Manager
Chapter 1 Introduction to the Liberty Alliance Project
Overview of the Liberty Alliance Project
Members of the Liberty Alliance Project
Objectives of the Liberty Alliance Project Specifications
Concept of Identity
Concept of Federation
Identity Federation
Provider Federation
Concept of Trust
Liberty Alliance Project Terms
Account Federation
Affiliation
Attribute Provider
Authentication Context
Authentication Domain
Binding
Circle of Trust
Client
Common Domain
Defederation
Federation
Federation Cookie
Federated Identity
Federation Termination
Identity
Identity Federation
Identity Provider
Identity Service
Liberty-Enabled Client
Liberty-Enabled Proxy
Name Identifier
Principal
Profile
Protocol
Provider Federation
Pseudonym
Receiver
Resource Offering
Sender
Server
Service Provider
Single Logout
Single Sign-On
Trusted Provider
Web Service Consumer
Web Service Provider
Liberty Alliance Project Specifications
Liberty Identity Federation Framework
The Liberty ID-FF Model
The Liberty ID-FF Convergence
Liberty ID-FF Protocols and Schema
Single Sign-On and Federation Protocol
Name Registration Protocol
Federation Termination Notification Protocol
Single Logout Protocol
Name Identifier Mapping Protocol
Liberty ID-FF Bindings and Profiles
Additional Liberty ID-FF Documents
Liberty Identity Web Services Framework
SOAP Binding Specification
Discovery Service Specification
Security Mechanisms Specification
Data Services Template Specification
Interaction Service Specification
Authentication Service Specification
Client Profiles Specification
Additional Liberty ID-WSF Documents
Liberty Identity Service Interface Specifications
Liberty ID-SIS Personal Profile Service Specification
Liberty ID-SIS Employee Profile Service Specification
Additional Liberty ID-SIS Service Specifications
Schema Files and Service Definition Documents
Support Documents
Chapter 2 Implementation of the Liberty Alliance Project Specifications
Overview
Sample Use Case
Liberty Alliance Project Architecture in Access Manager
The Federation Module
Identity Federation and Single Sign-On
Auto-Federation
Bulk Federation
Authentication and Authentication Context
Identifiers and Name Registration
Global Logout
Dynamic Identity Provider Proxying
The Liberty-based Web Services Modules
Liberty Personal Profile Service
Discovery Service
SOAP Binding Service
Authentication Web Service
The Liberty-based Application Programming Interfaces
The SAML Service
Liberty-Based Samples
Part II Federation Management
Chapter 3 Federation
Process of Federation
Pre-login Process
Federation and Single Sign-On
Federation Graphical User Interface
Entities and Authentication Domains
Entities
Creating Entities
To Create a Provider Entity or an Affiliate Entity
Configuring Provider Entities
To Configure a Provider Entity
To Configure General Attributes for a Provider Entity
To Configure Hosted or Remote Identity Provider Attributes for a Provider Entity
To Configure Hosted or Remote Service Provider Attributes for a Provider Entity
Configuring Affiliate Entities
To Configure an Affiliate Entity
To Configure General Attributes for an Affiliate Entity
To Configure Affiliate Attributes for an Affiliate Entity
Deleting Entities
To Delete a Provider or Affiliate Entity
Creating and Configuring Entities using amadmin
Loading Standard Metadata Using amadmin
Loading Proprietary Metadata Using amadmin
Authentication Domains
To Create An Authentication Domain
To Configure or Modify an Authentication Domain
To Delete an Authentication Domain
The Pre-login URL
To Configure for Pre-login
To Configure for Global Logout
Federation API
com.sun.identity.federation.plugins
com.sun.identity.federation.services
com.sun.liberty
Liberty ID-FF Operations
Auto-Federation
To Enable Auto Federation
Bulk Federation
Configuring Trust Between Providers
To Configure Trust Between Service Providers and Identity Providers
Signing Liberty ID-FF Requests and Responses
To Enable Signing of Service Provider Authentication Requests
Dynamic Identity Provider Proxying
To Configure and Test Dynamic Identity Provider Proxying
Sample Federation Environment
Chapter 4 Common Domain Services for Federation Management
Common Domain
Common Domain Cookie
Configuring the Common Domain Services for Federation Management URLs
Writer Service URL
Reader Service URL
Configuring the Common Domain Services for Federation Management Properties
Installing the Common Domain Services for Federation Management
To Test a Common Domain Services for Federation Management Installation
Part III Supported Web Services
Chapter 5 Liberty Alliance Project Web Services Framework
Web Services
Authentication Web Service
Liberty Personal Profile Service
Discovery Service
SOAP Binding Service
Liberty ID-WSF Architecture in Access Manager
Web Services and Security
Developing New Web Services
To Host a Custom Service
To Invoke the Custom Service
Setting Up Liberty ID-WSF 1.1 Profiles
To Configure Access Manager to Use Liberty ID-WSF 1.1 Profiles
Chapter 6 Authentication Web Service
Authentication Web Service Overview
XML Service File
Authentication Web Service APIs
Which Authentication Service to Use?
Authentication Web Service Process
Authentication Web Service Attribute
Mechanism Handlers List
key Parameter
class Parameter
Authentication Web Service API
com.sun.identity.liberty.ws.authnsvc Package
com.sun.identity.liberty.ws.authnsvc.mechanism Package
com.sun.identity.liberty.ws.authnsvc.protocol Package
Access the Authentication Web Service
Authentication Web Service Sample
Chapter 7 Data Services
Data Services Overview
Liberty ID-WSF Data Services Template Specification
Liberty Personal Profile Service
XML Service File
XSD Schema Definition
Liberty Employee Profile Service
XML Service File
XSD Schema Definition
Data Services API
Liberty Personal Profile Service
Liberty Personal Profile Service Process
Liberty Personal Profile Service Attributes
ResourceID Mapper
Authorizer
Attribute Mapper
Provider ID
Name Scheme
Namespace Prefix
Supported Containers
PPLDAP Attribute Map List
Require Query PolicyEval
Require Modify PolicyEval
Extension Container Attributes
Extension Attributes Namespace Prefix
Service Update
Service Instance Update Class
Alternate Endpoint
Alternate Security Mechanisms
Access the Liberty Personal Profile Service
Liberty Employee Profile Service
Data Services Template API
com.sun.identity.liberty.ws.dst Package
com.sun.identity.liberty.ws.dst.service Package
Developing A New Data Service
Chapter 8 Discovery Service
Discovery Service Overview
Discovery Service WSDL
amDisco XML Service Files
Discovery Service Architecture
Discovery Service Process
Discovery Service Attributes
Provider ID
Supported Authentication Mechanisms
Supported Directives
Policy Evaluation for Discovery Lookup
Policy Evaluation for Discovery Update
Authorizer Plug-in Class
Entry Handler Plug-in Class
Classes For ResourceIDMapper Plug-in
Authenticate Response Message
SessionContextStatement for Bootstrapping
Encrypt NameIdentifier in Session Context for Bootstrapping
Implied Resource
Resource Offerings for Bootstrapping
Storing Resource Offerings
Storing Resource Offerings as User Attributes
To Store a Resource Offering as a User Attribute
Storing Resource Offerings as Dynamic Attributes
To Store Resource Offerings as Dynamic Attributes in a Realm
To Store Resource Offerings as Dynamic Attributes in a Role
Storing a Resource Offering for Discovery Service Bootstrapping
To Store a Resource Offering for Discovery Service Bootstrapping
Generating Security Tokens
To Configure the Discovery Service to Generate Security Tokens
Discovery Service APIs
Client APIs in com.sun.identity.liberty.ws.disco
com.sun.identity.liberty.ws.disco.plugins.DiscoEntryHandler Interface
com.sun.identity.liberty.ws.interfaces.Authorizer Interface
To Configure Discovery Service Policy Definitions
com.sun.identity.liberty.ws.interfaces.ResourceIDMapper Interface
Access the Discovery Service
Discovery Service Sample
Chapter 9 SOAP Binding Service
SOAP Binding Service Overview
XML Service File
SOAPReceiver Servlet
SOAP Binding Service APIs
SOAP Binding Process
SOAP Binding Service Attributes
Request Handler List
Key Parameter
Class Parameter
SOAP Action Parameter
Web Service Authenticator
Supported Authentication Mechanisms
SOAP Binding Service Package
Part IV SAML Administration and Application Programming Interfaces
Chapter 10 SAML Administration
SAML Overview
Comparison of SAML and Liberty Specifications
SAML Architecture in Access Manager
Using the SAML Service
Elements of SAML
Queries and Responses
Queries
Responses
Assertions
Profiles
Web Browser Artifact Profile
Web Browser POST Profile
Single-Use Policy With POST Profile
SAML SOAP Receiver
SOAP Messages
Protecting SAML SOAP Receiver
To Configure Access Manager for Basic Authentication
SAML Attributes
amSAML.xml Attributes
To Modify Attributes in the amSAML.xml File
Console Attributes
Properties Group
Target Specifier
Site Identifiers
To Configure a Site Identifier
Trusted Partners
To Configure a Trusted Partner
Target URLs
Assertion
Assertion Timeout
Assertion Skew Factor For notBefore Time
Artifact
Artifact Timeout
SAML Artifact Name
Signing
Sign SAML Assertion
Sign SAML Request
Sign SAML Response
SAML API
com.sun.identity.saml Package
AssertionManager Class
SAMLClient Class
com.sun.identity.saml.assertion Package
com.sun.identity.saml.common Package
com.sun.identity.saml.plugins Package
ActionMapper Interface
AttributeMapper Interface
NameIdentifierMapper Interface
PartnerAccountMapper Interface
PartnerSiteAttributeMapper Interface
How to Set Up a PartnerSiteAttributeMapper
com.sun.identity.saml.protocol Package
AuthenticationQuery Class
AttributeQuery Class
AuthorizationDecisionQuery Class
com.sun.identity.saml.xmlsig Package
SAML Operations
Setting Up SAML Single Sign-on
To Set Up SAML Single Sign-on
To Verify the SAML Single Sign-on Configurations
SAML Samples
Chapter 11 Application Programming Interfaces
Public Interfaces
Common Service Interfaces
com.sun.identity.liberty.ws.common Package
com.sun.identity.liberty.ws.interfaces Package
com.sun.identity.liberty.ws.interfaces.Authorizer Interface
com.sun.identity.liberty.ws.interfaces.ResourceIDMapper Interface
Common Security API
com.sun.identity.liberty.ws.security Package
com.sun.identity.liberty.ws.common.wsse Package
Interaction Service
Configuring the Interaction Service
Interaction Service API
PAOS Binding
Comparison of PAOS and SOAP
PAOS Binding API
PAOS Binding Sample
Appendix A Liberty-based and SAML Samples
Federation Framework Samples
sample1 Directory
sample2 Directory
sample3 Directory
Web Services Framework Samples
wsc Directory
sis-ep Directory
paos Directory
authnsvc Directory
SAML Samples
Appendix B Key Management
Public Key Infrastructure Basics
Digital Signatures
Digital Certificates
keytool Command Line Interface
Setting Up a Keystore
To Set Up a Keystore
© 2010, Oracle Corporation and/or its affiliates