Sun Java System Portal Server Secure Remote Access 7.2 Administration Guide

Chapter 17 Federation Management Scenarios

This chapter describes .... The following topics are discussed:

Using Federation Management

Federation Management enables users to aggregate their local identities so that they have one network identity. Federation Management uses the network identity to allow users to log in at one service provider’s site and access other service providers' sites without having to re-authenticate. This is referred to as single sign-on.

Federation management can be configured in open mode and in secure mode on the Portal Server. The Portal Server Administration Guide describes how to configure federation management in open mode. Before configuring Federation management in secure mode through the Portal Server Secure Remote Access server, ensure that it works in open mode. If your users use Federation Management from the same browser in both open and secure mode, they must clear the cookies and cache from the browser when switching between the two modes.

For detailed information on Federation Management, see the Access Manager Federation Management Guide.

Federation Management Scenario

A user authenticates to an initial service provider. Service providers are commercial or not-for-profit organizations that offer web-based services. This broad category can include internet portals, retailers, transportation providers, financial institutions, entertainment companies, libraries, universities, and governmental agencies.

The service provider uses a cookie to store the user’s session information in the client browser. The cookie also includes the user’s identity provider.

Identity providers are service providers that specialize in providing authentication services. As the administrating service for authentication, they also maintain and manage identity information. Authentication accomplished by an identity provider is honored by all service providers with whom they are affiliated.

When the user attempts to access a service that is not affiliated with the identity provider, the identity provider forwards the cookie to the unaffiliated service provider. This service provider can then access the identity provider called out in the cookie.

However, cookies cannot be read across different DNS domains. Therefore, a Common Domain Cookie Service is used to redirect the service provider to the correct identity provider, thus enabling single sign-on for the user.

Configuring Federation Management Resources

The Federation resources, the service providers, identity providers, and the Common Domain Cookie Service (CDCS), are configured in the gateway profile based on where they reside. This section describes how to configure three scenarios:

Procedure: To Configure Federation Management Resources

  1. When all resources are inside the corporate intranet

  2. When all resources are not inside the corporate intranet or the identity provider resides in the Internet

  3. When all resources are not inside the corporate intranet or the service provider is a third party residing in the Internet while the identity provider is protected by the Gateway.

Configuration 1

In this configuration the service providers, identity providers and the Common Domain Cookie Service are deployed in the same corporate intranet and the identity providers are not published in the Internet Domain Name Server (DNS). The CDCS is optional.

In this configuration the Gateway points to the service provider, which is the Portal Server. This configuration is valid for multiple instances of the Portal Server.

Procedure: To Configure Gateway to a Service Provider (Portal Server)

  1. Log into the Portal Server administration console as administrator.

  2. Select the Secure Remote Access tab and select the appropriate gateway profile to modify its attributes.

    The Edit Gateway Profile page is displayed.

  3. Select the Core tab.

  4. Select the Enable Cookie Management checkbox to enable cookie management.

  5. Select the Security tab.

  6. In the Portal Servers field, enter the Portal Server names so that relative URLs such as /amserver or /portal/dt in the Non-Authenticated URLs list can be resolved against them. For example:

    http://idp-host:port/amserver/js

    http://idp-host:port/amserver/UI/Login

    http://idp-host:port/amserver/css

    http://idp-host:port/amserver/SingleSignOnService

    http://idp-host:port/amserver/UI/blank

    http://idp-host:port/amserver/postLogin

    http://idp-host:port/amserver/login_images

  7. In the Portal Servers field, enter the Portal Server name. For example, /amserver.

  8. Click Save.

  9. Select the Security tab.

  10. In the Non-Authenticated URLs list, add the federation resources. For example:

    /amserver/config/federation

    /amserver/IntersiteTransferService

    /amserver/AssertionConsumerservice

    /amserver/fed_images

    /amserver/preLogin

    /portal/dt

  11. Click Add.

  12. Click Save.

  13. If web proxies are needed to reach the URLs listed in the Non-Authenticated URLs list, select the Deployment tab.

  14. In the Proxies for Domains and Subdomains field, enter the necessary web proxies.

  15. Click Add.

  16. Click Save.

  17. From a terminal window, restart the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t <gateway>
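Every entry in the Non-Authenticated URLs list is served through the Gateway without a Portal Server session, so the list should contain exactly the federation resources the procedure names and nothing broader. The following script is an added example, not part of the Portal Server SRA product or of this guide; it audits a candidate list for missing federation entries, for bare roots such as / or /amserver that would expose everything beneath them, and for entries that shadow a more specific entry, and it simulates which request paths the Gateway would let through. It assumes that the Gateway matches each entry as a path prefix on whole path segments (the product's exact matching rule is not stated in this chapter), and the sample lists, the /amserver/notListed path and the idp-host:8080 URL used below are constructed. Configurations 2 and 3 add the same list, so the same audit applies to them.

```python
"""Audit a Gateway Non-Authenticated URLs list for the federation scenarios.

Added example; not product code. ASSUMPTION: each list entry is treated as a
path prefix matched on whole path segments. Sample inputs are constructed.
"""
from urllib.parse import urlsplit

# Federation resources the procedure adds to the Non-Authenticated URLs list.
FEDERATION_RESOURCES = (
    "/amserver/config/federation",
    "/amserver/IntersiteTransferService",
    "/amserver/AssertionConsumerservice",
    "/amserver/fed_images",
    "/amserver/preLogin",
    "/portal/dt",
)

# Entries that would let everything beneath them through the Gateway without
# authentication (constructed examples of over-broad entries, not from the guide).
_TOO_BROAD = ("/", "/amserver", "/portal")


def _path_of(entry):
    """Accept a relative URL or a full URL and return its path, sans query string."""
    path = urlsplit(entry).path.rstrip("/")
    return path or "/"


def _prefix_match(prefix, path):
    """Assumed Gateway rule: an entry matches itself or any sub-path below it,
    but not a sibling that merely shares leading characters (/preLogin vs /preLoginX)."""
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def requires_auth(path, non_auth_entries):
    """True if the Gateway would demand a Portal Server session for this request path."""
    p = _path_of(path)
    return not any(_prefix_match(_path_of(e), p) for e in non_auth_entries)


def audit_non_auth_list(non_auth_entries):
    """Return findings: federation paths the list does not cover, over-broad
    entries, and entries that shadow a more specific entry on the same list."""
    entries = [_path_of(e) for e in non_auth_entries]
    missing = [r for r in FEDERATION_RESOURCES
               if not any(_prefix_match(e, r) for e in entries)]
    too_broad = [e for e in entries if e in _TOO_BROAD]
    # A specific entry was presumably added on purpose; an entry that swallows it
    # is usually a mistake that widens the unauthenticated surface.
    shadowing = sorted({e for e in entries for other in entries
                        if e != other and _prefix_match(e, other)})
    return {"missing": missing, "too_broad": too_broad, "shadowing": shadowing}


if __name__ == "__main__":
    # Constructed list: the documented resources plus one over-broad entry.
    candidate = list(FEDERATION_RESOURCES) + ["/amserver"]
    print(audit_non_auth_list(candidate))
    for probe in ("/portal/dt?cmd=x", "/amserver/preLoginX", "/amserver/notListed"):
        print(probe, "requires auth:", requires_auth(probe, FEDERATION_RESOURCES))
```

Run the audit against the list as configured in the gateway profile after each change; a non-empty too_broad or shadowing result means the Gateway is admitting more than the federation endpoints without a session.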

Configuration 2

In this configuration the service providers, identity providers, and the Common Domain Cookie Service (CDCS) are not deployed in the corporate intranet, or the identity provider is a third-party provider residing in the Internet.

In this configuration the Gateway points to the service provider, which is the Portal Server. This configuration is valid for multiple instances of the Portal Server.

Procedure: To Configure Gateway to a Service Provider (Portal Server)

  1. Log into the Portal Server administration console as administrator.

  2. Select the Secure Remote Access tab and select the appropriate gateway profile to modify its attributes.

  3. Select the Core tab.

  4. Select the Enable Cookie Management checkbox to enable cookie management.

  5. In the Portal Servers field, enter the Portal Server names of the service provider so that relative URLs such as /amserver or /portal/dt in the Non-Authenticated URLs list can be resolved against them. For example:

    http://idp-host:port/amserver/js

    http://idp-host:port/amserver/UI/Login

    http://idp-host:port/amserver/css

    http://idp-host:port/amserver/SingleSignOnService

    http://idp-host:port/amserver/UI/blank

    http://idp-host:port/amserver/postLogin

    http://idp-host:port/amserver/login_images

  6. Click Save.

  7. Click the Security tab.

  8. In the Non-Authenticated URLs list, add the Federation resources. For example:

    /amserver/config/federation

    /amserver/IntersiteTransferService

    /amserver/AssertionConsumerservice

    /amserver/fed_images

    /amserver/preLogin

    /portal/dt

  9. Click Add.

  10. Click Save.

  11. If web proxies are needed to reach the URLs listed in the Non-Authenticated URLs list, select the Deployment tab.

  12. In the Proxies for Domains and Subdomains field, enter information about the web proxies.

  13. Click Add.

  14. Click Save.

  15. From a terminal window, restart the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t <gateway>

Configuration 3

In this configuration the service providers, identity providers, and the Common Domain Cookie Service (CDCS) are not deployed in the corporate intranet, or the service provider is a third-party provider residing in the Internet while the identity provider is protected by the Gateway.

In this configuration the Gateway points to the identity provider, which is the Portal Server.

This configuration is valid for multiple instances of the Portal Server. This configuration is unlikely on the Internet; however, some corporate networks may have it within their intranet, that is, the identity provider may reside in a subnet that is protected by a firewall while the service providers are directly accessible from within the corporate network.

Procedure: To Configure Gateway to an Identity Provider (Portal Server)

  1. Log into the Portal Server administration console as administrator.

  2. Select the Secure Remote Access tab and select the appropriate gateway profile to modify its attributes.

  3. Select the Core tab.

  4. Select the Enable Cookie Management checkbox to enable cookie management.

  5. In the Portal Servers field, enter the Portal Server name of the identity provider so that relative URLs such as /amserver or /portal/dt in the Non-Authenticated URLs list can be resolved against it. For example:

    http://idp-host:port/amserver/js

    http://idp-host:port/amserver/UI/Login

    http://idp-host:port/amserver/css

    http://idp-host:port/amserver/SingleSignOnService

    http://idp-host:port/amserver/UI/blank

    http://idp-host:port/amserver/postLogin

    http://idp-host:port/amserver/login_images

  6. Click Save.

  7. Select the Security tab.

  8. In the Non-Authenticated URLs list, add the federation resources. For example:

    /amserver/config/federation

    /amserver/IntersiteTransferService

    /amserver/AssertionConsumerservice

    /amserver/fed_images

    /amserver/preLogin

    /portal/dt

  9. Click Add.

  10. Click Save.

  11. If web proxies are needed to reach the URLs listed in the Non-Authenticated URLs list, select the Deployment tab.

  12. In the Proxies for Domains and Subdomains field, enter information about the web proxies.

  13. Click Add.

  14. Click Save.

  15. From a terminal window, restart the Gateway:

    ./psadmin start-sra-instance -u amadmin -f <password file> -N <profile name> -t <gateway>
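The restart command in all three procedures reads the amadmin password from a file named with -f, which makes that file's permissions part of the Gateway's security posture. The following wrapper is an added example, not part of the product or of this guide: it refuses to invoke psadmin unless the password file is a regular file, owned by the invoking user and unreadable by group and other, and it builds the command as an argv list so that the path is never interpreted by a shell. The checks are the author's recommendations rather than product requirements, and the assumption that the -t value for the Gateway instance is the literal word gateway (the placeholder <gateway> in the procedure) is just that.

```python
"""Pre-flight check before restarting the Gateway with psadmin.

Added example; not product code. The argv mirrors the command in the procedure;
the permission and ownership checks are the author's assumptions about safe
handling of the amadmin password file.
"""
import os
import stat
import subprocess


def password_file_issues(path):
    """Return a list of problems with the password file; an empty list means OK."""
    issues = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["password file %s does not exist" % path]
    if not stat.S_ISREG(st.st_mode):
        issues.append("password file is not a regular file")
    # Any group/other bit means another account on the host can read or alter it.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("password file is readable or writable by group/other "
                      "(use mode 0600 or 0400)")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        issues.append("password file is not owned by the user running psadmin")
    return issues


def restart_gateway_command(password_file, profile, instance_type="gateway"):
    """Build the argv for the restart command from the procedure.
    ASSUMPTION: instance_type 'gateway' is the value meant by <gateway>."""
    return ["./psadmin", "start-sra-instance",
            "-u", "amadmin", "-f", password_file,
            "-N", profile, "-t", instance_type]


def restart_gateway(password_file, profile, instance_type="gateway", run=None):
    """Refuse to run psadmin when the password file is unsafe; otherwise run it.

    `run` can be injected (argv -> return code) so the guard is testable on a
    host without psadmin; by default the real command is executed.
    """
    issues = password_file_issues(password_file)
    if issues:
        raise PermissionError("; ".join(issues))
    argv = restart_gateway_command(password_file, profile, instance_type)
    if run is None:
        return subprocess.run(argv, check=True).returncode
    return run(argv)


if __name__ == "__main__":
    import sys
    # Usage: python restart_gateway.py <password file> <profile name>
    pw_file, profile_name = sys.argv[1], sys.argv[2]
    for problem in password_file_issues(pw_file):
        print("refusing to restart:", problem)
    else:
        restart_gateway(pw_file, profile_name)
```

The injected `run` parameter exists only so the guard can be exercised without a Portal Server installation; in production call restart_gateway with the defaults from the psadmin directory, as the procedure's ./psadmin path implies.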