Sun OpenSSO Enterprise 8.0 Developer's Guide

Configuring for Virtual Federation Proxy

Configuring for VFP communication involves modifications on two different installations of OpenSSO Enterprise: one that is local to the identity provider and one that is local to the service provider. The following sections assume that you have downloaded the OpenSSO Enterprise bits and deployed the application to a supported web container. You should also be ready to configure a SAML v2 provider by executing the included SAML v2 sample, by running one of the Common Tasks using the Administration Console, or by importing provider metadata using the Administration Console or ssoadm command line interface. The following procedures contain more information.

Configure the Instance of OpenSSO Enterprise Local to the Identity Provider

The following procedure illustrates how to configure the instance of OpenSSO Enterprise local to the identity provider.

  1. Update the identity provider standard metadata.

    • If you have existing identity provider standard metadata, export it using ssoadm and make your modifications. After updating, delete the original file and reload the modified metadata using ssoadm.

    • If you have not yet configured identity provider standard metadata, use ssoadm to generate an identity provider metadata template. After updating the template, import the modified metadata also using ssoadm.

  2. Set up the keystore.

    If using the asymmetric cryptotype, add the public and private keys to the application's keystore. Additionally, populate the identity provider's keystore with the application's public key.

  3. Update the identity provider configuration.

    1. Set up the application's security configuration as symmetric or asymmetric by defining the Per Application Security Configuration attribute under the Advanced tab of the identity provider configuration.


      Note –

      Use ampassword to encrypt the shared secret used for a symmetric configuration.


    2. OPTIONAL: Modify the IDP URL attribute (if you want to use an alternative or custom SAE landing URL) under the local identity provider's Advanced tab with a value specific to your identity provider instance of OpenSSO Enterprise.

Configure the Instance of OpenSSO Enterprise Local to the Service Provider

The following procedure shows how to configure the instance of OpenSSO Enterprise local to the service provider.

  1. Update the service provider standard metadata.

    • If you have existing service provider standard metadata, export it using ssoadm and make your modifications. After updating, delete the original file and reload the modified metadata also using ssoadm.

    • If you have not yet configured service provider standard metadata, use ssoadm to generate a service provider metadata template. After updating the template, import the modified metadata also using ssoadm.

  2. Set up the keystore.

    If using the asymmetric cryptotype, add the public and private keys to the application's keystore. Additionally, populate the identity provider's keystore with the application's public key.

  3. Update the service provider extended metadata.

    1. Enable auto-federation and specify the attribute that will identify the user's identity under the Assertion Processing tab of the service provider configuration.

    2. Specify attributes from the incoming SAML v2 assertion to be used to populate the local OpenSSO Enterprise session under the Assertion Processing tab of the service provider configuration.

    3. Set up the application's security configuration as symmetric or asymmetric by defining the Per Application Security Configuration attribute under the Advanced tab of the service provider configuration.


      Note –

      Use ampassword to encrypt the shared secret used for a symmetric configuration.


    4. OPTIONAL: Modify the SP URL attribute (if you want to use an alternative or custom SAE landing URL) under the local service provider's Advanced tab with a value specific to your identity provider instance of OpenSSO Enterprise.

    5. Configure the value of the SP Logout URL attribute. The value of this attribute is the URL that will receive global logout requests.


      Note –

      The configured URL must have a defined symmetric or asymmetric CryptoType with corresponding shared secret and certificates established.


Configure the Instance of OpenSSO Enterprise Local to the Identity Provider for the Remote Service Provider

Both the standard and extended metadata retrieved from the remote service provider will be imported to the instance of OpenSSO Enterprise local to the identity provider.

  1. Get both the remote service provider standard metadata and the remote service provider extended metadata used in Configure the Instance of OpenSSO Enterprise Local to the Service Provider.

  2. Modify the remote service provider extended metadata as follows:

    • Remove all shared secrets defined in the actual provider metadata file.

    • Set the hosted attribute to 0 (false) as in <EntityConfig .. hosted="0" ....>. This defines the entity as remote and can only be done using the actual provider metadata file.

    • Remove the value for the SP Logout URL attribute under the Advanced tab of the service provider configuration.

    • Add the following attribute and values to the Attribute Map attribute under the Assertion Processing tab.

      mail=mail
      branch=branch

  3. Import both metadata files to the instance of OpenSSO Enterprise local to the identity provider.

    Use the ssoadm command line interface.
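The edits to the remote service provider's extended metadata in step 2 above are easy to get wrong by hand, and a file that still carries a shared secret should never leave the service provider host. The following script is an added example, not part of the Sun documentation or the OpenSSO product: it applies the four edits (hosted="0", shared secrets removed, SP Logout URL cleared, mail=mail and branch=branch added to the Attribute Map) to an exported extended-metadata file and offers a check that no secret= value survived. The XML shape (EntityConfig, SPSSOConfig, Attribute, Value in the urn:sun:fm:SAML:2.0:entityconfig namespace) and the attribute names saeAppSecretList, saeSPLogoutUrl and attributeMap are assumptions about what ssoadm exports; confirm them against your own export before use. The embedded sample document is constructed for the example and its secret value is a placeholder.

```python
# Added example (not Sun's code): scrub an exported SP extended-metadata file
# so it can be imported at the identity provider as a remote entity.
import xml.etree.ElementTree as ET

NS = "urn:sun:fm:SAML:2.0:entityconfig"   # assumed OpenSSO extended-metadata namespace
ET.register_namespace("", NS)             # keep the default namespace on output

# Assumed XML attribute names behind the console fields named in the procedure;
# confirm them against your own ssoadm export-entity output before relying on them.
LOGOUT_URL_ATTR = "saeSPLogoutUrl"        # "SP Logout URL" (Advanced tab)
ATTR_MAP_ATTR = "attributeMap"            # "Attribute Map" (Assertion Processing tab)
REQUIRED_MAPPINGS = ("mail=mail", "branch=branch")


def _tag(local):
    return "{%s}%s" % (NS, local)


def _sp_attribute(sp_config, name, create=False):
    """Find <Attribute name=...> under SPSSOConfig, optionally creating it."""
    for attr in sp_config.findall(_tag("Attribute")):
        if attr.get("name") == name:
            return attr
    if not create:
        return None
    return ET.SubElement(sp_config, _tag("Attribute"), name=name)


def hosted_flag(xml_text):
    """Return the hosted attribute of the EntityConfig element ("1" or "0")."""
    return ET.fromstring(xml_text).get("hosted")


def find_shared_secrets(xml_text):
    """Return every <Value> text that still carries a 'secret=' component."""
    root = ET.fromstring(xml_text)
    return [v.text for v in root.iter(_tag("Value")) if v.text and "secret=" in v.text]


def sp_attribute_values(xml_text, name):
    """Return the <Value> texts of one SPSSOConfig attribute (empty if absent)."""
    sp = ET.fromstring(xml_text).find(_tag("SPSSOConfig"))
    attr = _sp_attribute(sp, name) if sp is not None else None
    return [] if attr is None else [v.text or "" for v in attr.findall(_tag("Value"))]


def prepare_remote_sp_metadata(xml_text):
    """Apply the four edits from the procedure and return the new XML text."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("EntityConfig"):
        raise ValueError("not an OpenSSO EntityConfig document")
    sp = root.find(_tag("SPSSOConfig"))
    if sp is None:
        raise ValueError("no SPSSOConfig element; is this service provider metadata?")

    # 1. Mark the entity as remote; hosted="0" is the value the procedure names.
    root.set("hosted", "0")

    # 2. Drop every value holding a shared secret, wherever it appears, so no
    #    secret travels with the file to the identity provider.
    for attr in root.iter(_tag("Attribute")):
        for value in list(attr.findall(_tag("Value"))):
            if value.text and "secret=" in value.text:
                attr.remove(value)

    # 3. Clear the SP Logout URL value (the attribute element stays, empty).
    logout = _sp_attribute(sp, LOGOUT_URL_ATTR)
    if logout is not None:
        for value in list(logout.findall(_tag("Value"))):
            logout.remove(value)

    # 4. Add mail=mail and branch=branch to the attribute map without duplicating.
    amap = _sp_attribute(sp, ATTR_MAP_ATTR, create=True)
    present = {v.text.strip() for v in amap.findall(_tag("Value")) if v.text}
    for mapping in REQUIRED_MAPPINGS:
        if mapping not in present:
            ET.SubElement(amap, _tag("Value")).text = mapping

    return ET.tostring(root, encoding="unicode")


# Constructed sample resembling an export of a hosted SP; the attribute name
# saeAppSecretList is assumed and the secret value is a placeholder, not a real
# ampassword-encrypted string.
SAMPLE_SP_EXTENDED = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1" entityID="http://sp.example.com:8080/opensso">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="saeAppSecretList">
      <Value>url=http://sp.example.com/app|type=symmetric|secret=ENCRYPTED-SECRET-PLACEHOLDER</Value>
    </Attribute>
    <Attribute name="saeSPLogoutUrl">
      <Value>http://sp.example.com/app/logout</Value>
    </Attribute>
    <Attribute name="attributeMap">
      <Value>mail=mail</Value>
    </Attribute>
  </SPSSOConfig>
</EntityConfig>
"""

if __name__ == "__main__":
    out = prepare_remote_sp_metadata(SAMPLE_SP_EXTENDED)
    assert not find_shared_secrets(out), "a shared secret survived the scrub"
    print(out)
```

Run find_shared_secrets on the rewritten file as the last step before copying it to the identity provider host; the scrub matches on the literal secret= token rather than on an attribute name, so it still catches a secret that sits in an attribute you did not expect.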

Configure the Instance of OpenSSO Enterprise Local to the Service Provider for the Remote Identity Provider

If the SAMLv2 sample has been executed on the instance of OpenSSO Enterprise local to the service provider, nothing else needs to be done. If metadata has been manually configured on the instance of OpenSSO Enterprise local to the service provider, do the following procedure.

  1. Get the remote identity provider metadata for import to the instance of OpenSSO Enterprise local to the service provider.

    The standard metadata is the same as the one used in Configure the Instance of OpenSSO Enterprise Local to the Identity Provider.

  2. Import the standard metadata to the instance of OpenSSO Enterprise local to the service provider using ssoadm.

  3. Add the identity provider to the service provider's configured circle of trust.


    Note –

    If using a flat file for a datastore, both the instance of OpenSSO Enterprise at the service provider and the instance at the identity provider must be restarted.