Chapter 10 Deploying the Identity Provider (IDP) Discovery Service

Sun OpenSSO Enterprise 8.0 implements the Identity Provider Discovery profile (part of the SAMLv2 binding profiles) for its Identity Provider Discovery Service to keep track of the identity providers for each user. Deploying the IPP Discovery Service includes these steps:

• Generating an IDP Discovery Service WAR File

• Configuring the IDP Discovery Service

Generating an IDP Discovery Service WAR File

To generate an IDP Discovery Service WAR file, use the jar command to extract the files from the opensso.war file and then to generate the specialized WAR file.

To Generate an IDP Discovery Service WAR File

Before You Begin

Download and unzip the opensso_enterprise_80.zip file. You will then need the following files:

• zip-root/deployable-war/opensso.war is the OpenSSO Enterprise WAR file that contains all components, including the IDP Discovery Service files.

• zip-root/deployable-war/fam-idpdiscovery.list specifies the files that are required to generate an IDP Discovery Service WAR file.

• zip-root/deployable-war/idpdiscovery directory contains additional files you will need to deploy and configure the IDP Discovery Service.

where zip-root is where you unzipped the opensso_enterprise_80.zip file.

For more information about the opensso.war file, see Downloading OpenSSO Enterprise.

1. Make sure that your JAVA_HOME environment variable points to JDK 1.5 or later.

2. Create a new staging directory and extract the files from opensso.war in this staging directory. For example:

   # mkdir idpdiscovery
   # cd idpdiscovery
   # jar xvf zip-root/opensso/deployable-war/opensso.war

3. Create the IDP Discovery Service WAR using the files in fam-idpdiscovery.list:

   # cd idpdiscovery
   # jar cvf zip-root/opensso/deployable-war/idpdiscovery.war \
   @zip-root/opensso/deployable-war/fam-idpdiscovery.list

   where idpdiscovery.war is the name of the new IDP Discovery Service WAR file.

4. Update the idpdiscovery.war file created in previous step with the additional files required for the IDP Discovery Service. For example:

   # cd zip-root/opensso/deployable-war/idpdiscovery
   # jar uvf zip-root/opensso/deployable-war/idpdiscovery.war *

   You are now ready to configure the new idpdiscovery.war, as described in the next section.

Configuring the IDP Discovery Service

OpenSSO Enterprise includes the IDP Discovery Service Configurator (Configurator.jsp) to configure the service.

To Configure the IDP Discovery Service

1. Login as a user who has the following privileges:

   • Access to the web container administration console, if you plan to deploy idpdiscovery.war using this console.

     or

   • The capability to execute the web container's deploy command-line utility, if you plan to deploy idpdiscovery.war using the CLI.

2. Deploy the idpdiscovery.war to the web container using either the web container administration console or CLI command.

3. Launch the Configurator using the following URL:

   protocol://host.domain:port/idpdiscovery

   For example: http://idpdiscoveryhost.example.com:8080/idpdiscovery

   If the IDP Discovery Service is not already configured, you will be directed to the Configurator page.

4. On the Configurator page, specify the following information:

   • Debug Directory:

   • Debug Level: error (default), warning, message, or off.

   • Cookie Type: PERSISTENT (default) or SESSION

   • Cookie Domain:

   • Secure Cookie: True or False (default)

   • Encode Cookie: True (default) or False

5. Click Configure.

6. On the SP host machine, use the console to create a Circle of Trust with the IDP Discovery Service URL used as the prefix for the value of the Reader and Writer URL attributes. For example:

   SAML2 Writer Service URL: http://idp-discovery-server-machine:port/idpdiscovery/saml2writer

   SAML2 Reader Service URL: http://idp-discovery-server-machine:port/idpdiscovery/saml2reader

7. On the IDP host machine, use the console to create a Circle of Trust with the value of the prefix attribute also set to the identity provider discovery service URL. For example:

   http://idp-discovery-server-machine:port/idpdiscovery

8. Generate metadata for both the IDP and the SP using the ssoadm command-line utility with the create-metadata-templ option.

9. Load the SP metadata into the IDP machine.

10. Change the value of the host in the IDP metadata from 0 or remote.

11. Load the IDP metadata into the SP machine.

    After this configuration, the values of the Writer URL and Reader URL in each Circle of Trust are the URL of the IDP Discovery Service.

Next Steps

Perform the SAMLv2 test cases for SP-initiated and IDP-initiated single sign-on and single logout. Each time you perform these operations from the SP side, the Discovery Service logs will show the redirection to the IDP.