Sun OpenSSO Enterprise 8.0 Administration Guide

Managing Federation Using the Console

The Federation component of the OpenSSO Enterprise console provides an interface for creating, modifying, and deleting circles of trust, and the corresponding member entity providers (both identity and service).

Creating an Entity

An entity holds the metadata for individual identity and service providers. (Metadata contains the specific protocols, profiles, endpoints, and security mechanisms used by the entity.) OpenSSO Enterprise allows you to create an entity for communication using the SAML v2, Liberty ID-FF, or WS-Federation specification. Within each entity type, you assign roles by configuring the attributes that perform the specific function. The following sections describe the entity types and the roles you can assign.

SAMLv2 Entity

The SAMLv2 entity type is based on the SAML v2 specification. This entity supports various profiles (including single sign-on and single logout) and allows you to assign and configure the following roles:

To Create a SAMLv2 Entity Provider

Use these steps to create a hosted entity provider based on the SAMLv2 protocol. You can assign one, more than one, or all of the provider roles to the entity, but all of the roles that you define will belong to the same entity provider.

  1. Log in as an administrator.

  2. Go to the Federation tab in the console and click New in the Entity Provider table.

  3. When prompted, select SAMLv2 as the entity provider.

  4. Select the Realm to which the entity provider will belong.

  5. Type a name in the Entity Identifier field.

  6. Enter values for the following attributes under the role category to which the entity provider will be assigned.

    Entering data in the Meta Alias field will automatically create and assign the entity provider role to the entity provider upon completion.

    Meta Alias

    Specifies a metaAlias for the provider role being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


    Caution –

    The names used in the metaAlias must not contain a /.


    Signing Certificate Alias

    Specifies the provider certificate alias used to find the correct signing certificate in the keystore.

    Encryption Certificate alias

    Specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

    Owner ID (Hosted Affiliation only)

    An identifier for the owner of the affiliation.

    Affiliation Members (Hosted Affiliation only)

    A provider must be a member of a circle of trust, or it cannot participate in SAMLv2-based communications. The provider can belong to one or more affiliations. The selected provider must have the Affiliation Federation attribute enabled. Enter the meta alias of the provider in the New Value field and click Add.

  7. Click Create.

    The entity provider, its assigned provider roles, and its location are displayed in the Entity Providers table. To customize the behavior of the entity provider's roles, click the name of the entity provider in the list and choose the tab that corresponds to the role you wish to customize. See Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the attributes used for provider customization.

SAMLv2 Hosted Affiliation Customization

A Hosted Affiliation contains a grouping of service providers. The affiliation is formed and maintained by an affiliation owner who chooses the member providers from already configured provider entities. The affiliation enables a user to federate amongst the group of associated sites. The chosen providers may invoke services either as a member of the affiliation, or individually as a provider. If services are invoked as an affiliation member, a service provider might issue an authentication request for a user on behalf of an affiliation. When authentication is secured, the user can achieve single sign-on with all members of the affiliation.

A hosted affiliation provider holds the metadata that defines the grouping of one or more provider entities that comprise the affiliation. It does not contain the configuration information for any providers (which is defined in a provider entity), only the configuration information for the affiliation itself. If there are several service providers and identity providers in the same circle of trust, use an affiliate entity to avoid having to generate different name identifiers for commonly shared services. Hosted Affiliation contains the following attributes for customization:

Meta Alias

Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name (dependent on whether the SAML v2 Plug-in for Federation Services is installed in OpenSSO Enterprise) coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


Caution –

The names used in the metaAlias must not contain a /.


Members

A provider must be a member of a circle of trust, or it cannot participate in Liberty-based communications. The provider can belong to one or more affiliations. Enter the entity ID of the provider in the New Value field and click Add.

Cert Alias

This attribute defines the certificate alias elements for the provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

ID-FF Entity Provider

The ID-FF provider entity is based on the Liberty Alliance Project Identity Federation Framework for implementing single sign-on with federated identities. The ID-FF provider entity allows you to assign and configure the following roles:

To Create an ID-FF Entity Provider

Use these steps to create an entity provider based on the ID-FF protocol for Federation Services. You can assign the identity provider or service provider (or both) role to the entity, but multiple roles will belong to the same entity provider.

  1. Log in as an administrator.

  2. Go to the Federation tab in the console and click New in the Entity Provider table.

  3. When prompted, select ID-FF as the entity provider.

  4. Select the Realm to which the entity provider will belong.

  5. Type a name in the Entity Identifier field.

  6. Choose the entity provider role you wish to assign to the entity provider.

    Entering data in the Meta Alias field will automatically create and assign the entity provider role to the entity provider upon completion.

  7. Enter values for the following attributes for one or more roles:

    Meta Alias

    Specifies a metaAlias for the provider role being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


    Caution –

    The names used in the metaAlias must not contain a /.


    Signing Certificate Alias

    Specifies the provider certificate alias used to find the correct signing certificate in the keystore.

    Encryption Certificate alias

    Specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

  8. Click Create.

    The entity provider, its assigned provider roles, and location will be displayed in the Entity Providers list.

  9. To customize the behavior of the entity provider's roles, click the name of the entity provider and choose the tab that corresponds to the role you wish to customize. See Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the attributes used for provider customization.

WS-Federation Entity Provider

The WS-Federation entity provider type is based on the WS-Federation protocol. The implementation of this protocol allows single sign-on between OpenSSO Enterprise and the Microsoft Active Directory Federation Service. The WS-Federation provider entity allows you to assign and configure the following roles:

To Create a WS-Federation Entity Provider

Use these steps to create an entity provider based on the WS-Federation protocol for Federation Services. You can assign the identity provider or service provider (or both) role to the entity, but multiple roles will belong to the same entity provider.

  1. Log in as an administrator.

  2. Go to the Federation tab in the console and click New in the Entity Provider table.

  3. When prompted, select WS-FED as the entity provider.

  4. Select the Realm to which the entity provider will belong.

  5. Type a name in the Entity Identifier field.

  6. Choose the entity provider role you wish to assign to the entity provider.

    Entering data in the Meta Alias field will automatically create and assign the entity provider role to the entity provider upon completion.

  7. Enter values for the following attributes for one or more roles:

    Meta Alias

    Specifies a metaAlias for the provider role being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


    Caution –

    The names used in the metaAlias must not contain a /.


    Signing Certificate Alias

    Specifies the provider certificate alias used to find the correct signing certificate in the keystore.

    Encryption Certificate alias

    Specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

  8. Click Create.

    The entity provider, its assigned provider roles, and location will be displayed in the Entity Providers list.

  9. To customize the behavior of the entity provider's roles, click the name of the entity provider and choose the tab that corresponds to the role you wish to customize. See Chapter 6, Federation Attributes for Entity Providers, in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the attributes used for provider customization.
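The Meta Alias, Signing Certificate Alias and Encryption Certificate Alias fields are described in the same words in the SAMLv2, Hosted Affiliation, ID-FF and WS-Federation procedures above, and the values typed into them are easy to get wrong in ways the console form does not catch. The following Python script is an added example, not part of this guide or of OpenSSO Enterprise; it composes and parses a metaAlias according to the format the guide gives (realm name, forward slash, provider name, with neither part containing a slash) and checks that the certificate aliases a role names actually exist in the keystore. The function names, the ProviderRole record and the set of keystore aliases are constructed for illustration, and that set stands in for what keytool -list would report for the real keystore. Treating the top-level realm "/" as producing a metaAlias of "/provider" is an assumption beyond the guide's text.

```python
"""Pre-flight checks for entity provider role values (added example, not OpenSSO code)."""
from __future__ import annotations

from dataclasses import dataclass


def build_meta_alias(realm: str, provider_name: str) -> str:
    """Compose a metaAlias from a realm name and a provider name.

    The guide defines the metaAlias as the realm or organization name, a
    forward slash, and the provider name (for example /suncorp/travelprovider),
    and cautions that neither name may itself contain a "/".  Assumption beyond
    the guide: the top-level realm is written "/" in OpenSSO, which here yields
    a metaAlias of "/<provider>".
    """
    if realm == "/":
        realm = ""
    for label, value in (("realm", realm), ("provider name", provider_name)):
        if "/" in value:
            raise ValueError(f"{label} {value!r} must not contain '/'")
    if not provider_name:
        raise ValueError("provider name must not be empty")
    return f"/{provider_name}" if not realm else f"/{realm}/{provider_name}"


def split_meta_alias(meta_alias: str) -> tuple[str, str]:
    """Recover (realm, provider_name) from a metaAlias, rejecting malformed values."""
    if not meta_alias.startswith("/"):
        raise ValueError(f"metaAlias {meta_alias!r} must begin with '/'")
    parts = meta_alias[1:].split("/")
    if len(parts) == 1 and parts[0]:
        return "/", parts[0]          # top-level realm (assumption, see above)
    if len(parts) == 2 and all(parts):
        return parts[0], parts[1]
    raise ValueError(f"metaAlias {meta_alias!r} must be /realm/provider or /provider")


@dataclass
class ProviderRole:
    """The console fields a provider role is created from (hypothetical record)."""
    realm: str
    provider_name: str
    signing_cert_alias: str
    encryption_cert_alias: str


def validate_provider_role(role: ProviderRole, keystore_aliases: set[str]) -> list[str]:
    """Return a list of findings; an empty list means the role can be created as given.

    keystore_aliases is the set of alias names present in the OpenSSO keystore
    (in practice taken from `keytool -list`); a signing or encryption alias that
    is not in it leaves the role without a certificate to sign or decrypt with.
    """
    findings: list[str] = []
    try:
        build_meta_alias(role.realm, role.provider_name)
    except ValueError as exc:
        findings.append(f"metaAlias: {exc}")
    for label, alias in (("signing certificate alias", role.signing_cert_alias),
                         ("encryption certificate alias", role.encryption_cert_alias)):
        if not alias:
            findings.append(f"{label} is empty; no certificate will be selected for this role")
        elif alias not in keystore_aliases:
            findings.append(f"{label} {alias!r} is not present in the keystore")
    return findings


if __name__ == "__main__":
    # Constructed sample input: alias names as keytool -list might report them.
    sample_keystore_aliases = {"travel-signing", "travel-encryption"}
    ok_role = ProviderRole("suncorp", "travelprovider", "travel-signing", "travel-encryption")
    bad_role = ProviderRole("sun/corp", "travelprovider", "travel-signing", "travel-enc")
    for role in (ok_role, bad_role):
        print(role.realm, role.provider_name,
              validate_provider_role(role, sample_keystore_aliases) or "OK")
```

Run the script as-is to see the well-formed role pass and the second role produce two findings: a realm containing a slash, which the guide's caution forbids, and an encryption alias that is not in the keystore. The same checks can be run against exported provider configuration before it is imported into another realm.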

Circle of Trust

A circle of trust, previously referred to as an authentication domain, is a federation of any number of service providers (and at least one identity provider) with whom principals can transact business in a secure and apparently seamless environment. To create and populate a circle of trust, you first create an entity to hold the metadata (configuration information that defines a particular identity service architecture) for each provider that will become a member of the circle of trust. Then, you configure and save the circle of trust. Finally, to add an entity (a configured provider) to the circle of trust, you edit the entity's properties.

The following tasks are associated with circles of trust:

To Create a New Circle of Trust

Follow this procedure to create a new circle of trust. The starting point is New Circle of Trust under the Federation interface.

  1. Click New to display the circle of trust attributes.

    The New circle of trust profile page is displayed.

  2. Type a name for the circle of trust.

  3. Type a description of the circle of trust in the Description field.

  4. Type a value for the IDFF Writer Service URL.

    The IDFF Writer Service URL specifies the location of the servlet that writes the common domain cookie. Use the format http://common-domain-host:port/deployment_uri/idffwriter.

  5. Type a value for the IDFF Reader Service URL.

    The IDFF Reader Service URL specifies the location of the servlet that reads the common domain cookie. Use the format http://common-domain-host:port/deployment_uri/idffreader.

  6. Type a value for the SAML2 Writer Service URL.

    This specifies the location of the SAML2 Writer service that writes the cookie to the common domain. Use the format http://common-domain-host:port/deployment_uri/saml2writer.

  7. Type a value for the SAML2 Reader Service URL.

    This specifies the location of the SAML2 Reader service that reads the cookie from the common domain. Use the format http://common-domain-host:port/deployment_uri/saml2reader.

  8. Choose Active or Inactive.

    The default status is Active. Choosing Inactive disables communication within the circle of trust.

  9. Select the Realm in which the circle of trust will be created.

  10. Choose one or more of the available providers and click the Add arrow to select them.

    The list provided contains the names of entities that have been created and populated with providers. For more information, see To Add Providers to a Circle of Trust.

  11. Click OK to complete the configuration.

    The new circle of trust is displayed in the Circle of Trust list.

To Modify a Circle of Trust Profile

Follow this procedure to edit the configured General attributes of an existing circle of trust, or to add providers to it. The starting point is Circle of Trust under the Federation interface.

  1. Click the name of a configured circle of trust to modify its profile, or to add providers to it.

    The Edit Circle of Trust page is displayed.

  2. Type new values or edit existing values for the circle of trust's General attributes:

    Name

    The static value of this attribute is the name provided when you created the circle of trust.

    Description

    The value of this attribute is a description of the circle of trust. You may modify the description already entered, if applicable.

    IDFF Writer Service URL

    This attribute specifies the location of the service that writes the common domain cookie. The URL is in the format http://common-domain-host:port/deployment_uri/idffwriter.

    IDFF Reader Service URL

    This attribute specifies the location of the service that reads the common domain cookie. The URL is in the format http://common-domain-host:port/deployment_uri/idffreader.

    SAML2 Writer URL

    This attribute specifies the location of the SAML2 Writer service that writes the cookie to the Common Domain. The URL is in the format http://common-domain-host:port/deployment_uri/saml2writer.

    SAML2 Reader URL

    This attribute specifies the location of the SAML2 Reader service that reads the cookie from the Common Domain. The URL is in the format http://common-domain-host:port/deployment_uri/saml2reader.

    Status

    The default status is Active. Selecting Inactive disables communication within the circle of trust.

  3. Choose one or more of the available providers and click the Add arrow to select them.

    The list provided contains the names of entities that have been created and populated with providers. For more information, see To Add Providers to a Circle of Trust.

  4. Click Save to complete the operation.
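The four service URLs entered when creating or modifying a circle of trust (steps 4 through 7 of To Create a New Circle of Trust, and the IDFF and SAML2 Writer and Reader attributes above) all follow the same pattern and all read or write the one common domain cookie, so a host or path that differs between them means one service handles a cookie the others never see. The following Python script is an added example, not part of this guide or of OpenSSO Enterprise; it derives the four URLs from a common-domain host, port and deployment URI in the format the guide gives, and cross-checks a set of URLs for a consistent host and the expected servlet name. The function names and the host cdc.example.com are constructed for illustration, and the optional https requirement is this example's own check rather than anything the guide states.

```python
"""Derive and cross-check circle of trust service URLs (added example, not OpenSSO code)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Servlet name each circle of trust attribute must end in, per the guide's URL formats.
COT_SERVICES = {
    "IDFF Writer Service URL": "idffwriter",
    "IDFF Reader Service URL": "idffreader",
    "SAML2 Writer Service URL": "saml2writer",
    "SAML2 Reader Service URL": "saml2reader",
}


def build_cot_service_urls(common_domain_host: str, port: int, deployment_uri: str,
                           scheme: str = "http") -> dict[str, str]:
    """Fill in scheme://common-domain-host:port/deployment_uri/<servlet> for all four services."""
    base = f"{scheme}://{common_domain_host}:{port}/{deployment_uri.strip('/')}"
    return {name: f"{base}/{servlet}" for name, servlet in COT_SERVICES.items()}


def check_cot_service_urls(urls: dict[str, str], require_https: bool = False) -> list[str]:
    """Return findings for a set of circle of trust URLs; an empty list means they agree.

    All four servlets read or write the common domain cookie, so they must be
    served from the same common-domain host.  require_https is this example's
    own hardening check; the guide's formats show plain http.
    """
    findings: list[str] = []
    hosts: set[str] = set()
    for name, servlet in COT_SERVICES.items():
        url = urls.get(name, "")
        if not url:
            findings.append(f"{name} is not set")
            continue
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"{name}: {url!r} is not an absolute http(s) URL")
            continue
        if require_https and parts.scheme != "https":
            findings.append(f"{name}: {url!r} does not use https")
        if "//" in parts.path:
            findings.append(f"{name}: path {parts.path!r} contains a doubled '/'")
        if parts.path.rstrip("/").rsplit("/", 1)[-1] != servlet:
            findings.append(f"{name}: {url!r} should end in /{servlet}")
        hosts.add(f"{parts.hostname}:{parts.port}" if parts.port else parts.hostname)
    if len(hosts) > 1:
        findings.append(f"service URLs point at different hosts {sorted(hosts)}; "
                        "all four must be on the common-domain host")
    return findings


if __name__ == "__main__":
    # Constructed values: a common-domain host and the OpenSSO deployment URI.
    urls = build_cot_service_urls("cdc.example.com", 8080, "opensso")
    for name, url in urls.items():
        print(f"{name}: {url}")
    print(check_cot_service_urls(urls) or "consistent")
    # A copy-and-paste slip of the kind that is easy to make in the console form.
    urls["IDFF Reader Service URL"] = "http://other.example.com:8080/opensso//idffreader"
    print(check_cot_service_urls(urls))
```

Running the script prints the four derived URLs, reports them as consistent, and then flags the altered IDFF Reader URL twice: once for its doubled slash and once because it moves that one service to a different host from the other three.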

To Add Providers to a Circle of Trust

Identity providers and service providers must first be configured within an entity before they are available to add to a circle of trust. Once created and populated with providers, the entity (and thus the providers it contains) can be assigned to a circle of trust.


Note –

An entity will not be visible in the Available Providers list until it has been populated with providers.


  1. Select one or more providers from the Available Providers list and click Add.

  2. Finish your configurations and click Save to complete the operation.

To Delete a Circle of Trust Profile

A circle of trust must be empty of providers before you delete it. Follow this procedure to delete an existing circle of trust.

  1. Check the box next to the name of the circle of trust you want to delete.

  2. Click Delete.

    Deleting a circle of trust does not delete the providers that belong to it.