Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Configuring the SAMLv2 Identity Provider Proxy with No Introduction Cookie

This is the default configuration. You can use the OpenSSO Enterprise administration console or the ssoadmin command-line interface to generate and import metadata (steps 3 through 6).

  1. Create your own keystore using keytool.

    You can also use the keystore.jks file created during deployment of OpenSSO Enterprise instance. The keystore.jks file is located in the opensso/opensso directory. The keystore.jks file contains a private key named test and an associated public certificate.

  2. Encrypt the keystore password for each host machine.

    If you use the keystore.jks file mentioned in step 1 and created during OpenSSO Enterprise deployment, the cert alias test is already encoded. You can use test for both signing and encryption, for example as the value of spscertalias, specertalias, idpscertalias, and idpecertalias.

  3. Generate Service Provider and Identity Provider metadata.

    In each of the following substeps, save the standard and extended metadata in their respective files.

    1. Generate the Service Provider metadata, and load that local metadata into the Service Provider console.

    2. Generate the Identity Provider metadata, and load that local metadata into the Identity Provider console.

    3. Generate the Identity Provider Proxy metadata, and load that local metadata into the Identity Provider Proxy console.

  4. Import the Service Provider and Identity Provider metadata.

    1. In each of the extended metadata XML files, in the EntityConfig element to be imported, change hosted=1 to hosted=0. The value 0 means “remote.”

    2. Import the Service Provider metadata to the Identity Provider Proxy.

    3. Import the Identity Provider metadata to the Identity Provider Proxy.

    4. Import the Service Provider portion of the Identity Provider proxy metadata to the Identity Provider.

    5. Import the Identity Provider portion of the Identity Provider Proxy metadata to the Service Provider.

  5. Create a circle of trust on each of the systems.

  6. Import the metadata and create the provider entity.

    Specify the name of the circle of trust into which you would like to import the metadata.

  7. Enable the Identity Provider Proxy.

    You can use the OpenSSO Enterprise console in both the Service Provider and Identity Provider Proxy, or you can modify the SAMLv2 extended configuration metadata.

    To use the OpenSSO Enterprise console:

    1. Click on SP URL under Entity Providers, then click the Advanced tab.

      IDP Proxy: Mark the Enabled box.

      Proxy Count: Enter 1 or more.

      IDP Proxy List: Enter the Identity Provider Proxy URL as a new value.

    2. Click Add.

    3. Click on Proxy IDP URL under Entity Providers, then click the Advanced tab for SP.

      IDP Proxy: Mark the Enabled box.

      Proxy Count: Enter 1 or more.

      IDP Proxy List: Enter the actual Identity Provider Proxy URL as a new value.

    To modify the SAMLv2 extended configuration metadata:

    Edit the following entries for the Service Provider on the Service Provider host, and also for the Service Provider portion of the Identity Provider Proxy on the Identity Provider Proxy host:

    EnabledIDProxy: The key that turns the SAMLv2 IDP proxy feature on or off.

    IdpProxyList: The Identity Providers trusted by the requester (the Service Provider) to authenticate the presenter (the user).

    IdpProxyCount: The number of proxies permitted between the Identity Provider that receives this <AuthnRequest> and the actual Identity Provider that ultimately authenticates the principal. A count of zero means no proxying.

    UseIntroductionForIDPProxy: When this key is on, the SAMLv2 Introduction Cookie picks a preferred IDP instead of going through the Identity Provider Proxy list.
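    The following script is an added example, not part of this guide or of OpenSSO, that covers step 4.1 (marking an extended metadata file as remote before import) and the step 7 keys: it parses a constructed sp-extended.xml fragment, checks that the IDP proxy keys are consistent with the rules stated above (count of 1 or more, and a non-empty proxy list when the introduction cookie is off), and rewrites hosted="1" to hosted="0". The entityconfig namespace URI, the element layout, and the sample values are assumptions; compare them with the file generated in step 3.

```python
import xml.etree.ElementTree as ET

# Assumed namespace of the OpenSSO extended entity configuration; verify
# against the extended metadata file generated in step 3.
EC_NS = "urn:sun:fm:SAML:2.0:entityconfig"
NS = {"ec": EC_NS}
ET.register_namespace("", EC_NS)  # keep the default namespace on output

# Constructed sample fragment (not generated by OpenSSO); key names are the
# ones listed in step 7 and are matched case-insensitively.
SAMPLE_SP_EXTENDED = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    entityID="https://sp.example.com/opensso" hosted="1">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="EnabledIDProxy"><Value>true</Value></Attribute>
    <Attribute name="IdpProxyCount"><Value>1</Value></Attribute>
    <Attribute name="IdpProxyList">
      <Value>https://idpproxy.example.com/opensso</Value>
    </Attribute>
    <Attribute name="UseIntroductionForIDPProxy"><Value>false</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""


def sp_proxy_settings(xml_text):
    """Return {lower-cased attribute name: [values]} from SPSSOConfig."""
    root = ET.fromstring(xml_text)
    settings = {}
    for attr in root.findall(".//ec:SPSSOConfig/ec:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("ec:Value", NS) if v.text]
        settings[attr.get("name", "").lower()] = values
    return settings


def check_idp_proxy(xml_text):
    """Return a list of problems; an empty list means the keys are consistent."""
    s = sp_proxy_settings(xml_text)
    problems = []
    if s.get("enabledidproxy", ["false"])[0].lower() != "true":
        return problems  # proxying is off, so the other keys are irrelevant
    if int(s.get("idpproxycount", ["0"])[0]) < 1:
        problems.append("IdpProxyCount must be 1 or more; 0 means no proxying")
    use_intro = s.get("useintroductionforidpproxy", ["false"])[0].lower() == "true"
    if not use_intro and not s.get("idpproxylist"):
        problems.append("IdpProxyList is empty and UseIntroductionForIDPProxy is off")
    return problems


def mark_remote(xml_text):
    """Step 4.1: set hosted="0" on EntityConfig so the file imports as remote."""
    root = ET.fromstring(xml_text)
    root.set("hosted", "0")
    return ET.tostring(root, encoding="unicode")
```

Run check_idp_proxy on the Service Provider file and on the Service Provider portion of the proxy's file before importing, since a zero count silently disables proxying rather than producing an error.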

  8. After all the configuration steps are done, restart the web containers of all the servers on the Service Provider, Identity Provider Proxy, and the actual Identity Provider.

  9. As a verification step, on the Service Provider host, log in to the OpenSSO Enterprise administration console and click the Federation tab.

    You should see the profiles for both Service Provider and Identity Provider Proxy.

    Perform the SAMLv2 test cases for single sign-on and single logout through a proxy.