With this release, OpenSSO Enterprise enhances its implementation of the Name Identifier Management Profile to include the termination of the association of a name identifier between a service provider and an identity provider (including the accompanying federation) and the issuance of a new name identifier. When metadata is created using OpenSSO Enterprise, XML is defined to support HTTP-Redirect, SOAP and HTTP-POST bindings. Following is the code for an identity provider.
<IDPSSODescriptor ...>
    <ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://isdev-3.red.iplanet.com:58080/fam/IDPMniRedirect/metaAlias/idp"
        ResponseLocation="http://isdev-3.red.iplanet.com:58080/fam/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://isdev-3.red.iplanet.com:58080/fam/IDPMniPOST/metaAlias/idp"
        ResponseLocation="http://isdev-3.red.iplanet.com:58080/fam/IDPMniPOST/metaAlias/idp"/>
    <ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://isdev-3.red.iplanet.com:58080/fam/IDPMniSoap/metaAlias/idp"/>
</IDPSSODescriptor>
The ManageNameID (MNI) JSPs provide a way to initiate name identifier changes or terminations. For example, after establishing a name identifier for use when referring to a principal, the identity provider may want to change its value and/or format. Additionally, an identity provider might want to indicate that a name identifier will no longer be used to refer to the principal. The identity provider notifies service providers of the change by sending them a ManageNameIDRequest. A service provider also uses this message type to register or change the SPProvidedID value (included when the underlying name identifier is used to communicate with it) or to terminate the use of a name identifier between itself and the identity provider. To initiate termination of a name identifier or creation of a new identifier, access the appropriate JSP using the URL and URL parameter information in the following sections.
The JSPs are located in /OpenSSO-Deploy-base/opensso/saml2/jsp/. idpMNIRedirect.jsp, spMNIRedirect.jsp, idpMNIPOST.jsp, and spMNIPOST.jsp, also in that directory, are process pages served as endpoints.
idpMNIRequestInit.jsp initiates name identifier modifications or termination from the identity provider. The URL for this JSP is protocol://host:port/service-deploy-uri/saml2/jsp/idpMNIRequestInit.jsp. The following URL parameters are appended to it.
metaAlias: The value of the metaAlias property set in the identity provider's extended metadata configuration file. If the metaAlias attribute is not present, an error is returned.
spEntityID: The entity identifier of the service provider to which the response is sent.
requestType: The type of ManageNameIDRequest. Accepted values include Terminate and NewID.
binding: A URI specifying the binding to use for the communications. The supported values are:
urn:oasis:names:tc:SAML:2.0:bindings:SOAP
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
RelayState: The target URL of the request.
An example URL for using HTTP-POST communication might be:
http://dev-3.sun.com:58080/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=mach1.sun.com&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
spMNIRequestInit.jsp initiates name identifier modifications or termination from the service provider. The URL for this JSP is protocol://host:port/service-deploy-uri/saml2/jsp/spMNIRequestInit.jsp. The following URL parameters are appended to it.
metaAlias: This parameter takes as a value the metaAlias set in the identity provider's extended metadata configuration file. If the metaAlias attribute is not present, an error is returned.
idpEntityID: The entity identifier of the identity provider to which the request is sent.
requestType: The type of ManageNameIDRequest. Accepted values include Terminate and NewID.
binding: A URI specifying the protocol binding to use for the Request. The supported values are:
urn:oasis:names:tc:SAML:2.0:bindings:SOAP
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
RelayState: The target URL of the request.
An example URL for using SOAP communication might be:
http://dev-3.sun.com:58080/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=mach1.sun.com&requestType=NewID&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP
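The following script is an added example, not OpenSSO Enterprise code: it parses the ManageNameIDService entries from the identity provider metadata shown earlier, builds the idpMNIRequestInit.jsp and spMNIRequestInit.jsp URLs described in the two sections above with the parameter values the page lists, and refuses a binding that the peer's metadata does not advertise. The metadata sample is the page's IDPSSODescriptor fragment wrapped in an EntityDescriptor with a constructed entityID; the hostnames come from the page's example URLs. The insecure_endpoints helper is an assumption of this example and only flags Location values that are not served over https.

```python
"""Added example (not OpenSSO code): ManageNameID initiation URLs checked
against the peer's ManageNameIDService metadata."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUPPORTED_BINDINGS = {SOAP, REDIRECT, POST}   # values listed on the page
REQUEST_TYPES = {"Terminate", "NewID"}        # values listed on the page

# Constructed sample: the page's IDPSSODescriptor fragment inside an
# EntityDescriptor so that it parses as a complete document.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="mach1.sun.com">
  <IDPSSODescriptor>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://isdev-3.red.iplanet.com:58080/fam/IDPMniRedirect/metaAlias/idp"
        ResponseLocation="http://isdev-3.red.iplanet.com:58080/fam/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://isdev-3.red.iplanet.com:58080/fam/IDPMniPOST/metaAlias/idp"
        ResponseLocation="http://isdev-3.red.iplanet.com:58080/fam/IDPMniPOST/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://isdev-3.red.iplanet.com:58080/fam/IDPMniSoap/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def mni_endpoints(metadata_xml, role="IDPSSODescriptor"):
    """Map each advertised binding to (Location, ResponseLocation) for the
    ManageNameIDService elements under the given role descriptor.
    ResponseLocation is None where the metadata omits it (SOAP above)."""
    root = ET.fromstring(metadata_xml)
    descriptor = root.find(f"{{{MD_NS}}}{role}")
    if descriptor is None:
        raise ValueError(f"metadata has no {role}")
    endpoints = {}
    for svc in descriptor.findall(f"{{{MD_NS}}}ManageNameIDService"):
        endpoints[svc.get("Binding")] = (svc.get("Location"),
                                         svc.get("ResponseLocation"))
    return endpoints


def insecure_endpoints(endpoints):
    """Assumed helper: list Location values not served over https, since
    the Redirect and POST bindings carry the MNI message through the
    user's browser. The page's sample metadata uses plain http."""
    return sorted(loc for loc, _ in endpoints.values()
                  if urlparse(loc).scheme != "https")


def build_mni_init_url(base, role, meta_alias, peer_entity_id, request_type,
                       binding, relay_state=None, peer_metadata=None):
    """Build protocol://host:port/deploy-uri/saml2/jsp/<role>MNIRequestInit.jsp
    with the parameters the page documents. role is 'idp' or 'sp'; the peer
    entity parameter is spEntityID for the IDP JSP and idpEntityID for the SP
    JSP. If peer_metadata is given, the binding must be advertised there."""
    if role not in ("idp", "sp"):
        raise ValueError("role must be 'idp' or 'sp'")
    if not meta_alias:
        raise ValueError("metaAlias is required")          # page: error if absent
    if request_type not in REQUEST_TYPES:
        raise ValueError(f"requestType must be one of {sorted(REQUEST_TYPES)}")
    if binding not in SUPPORTED_BINDINGS:
        raise ValueError(f"unsupported binding {binding}")
    if peer_metadata is not None:
        peer_role = "SPSSODescriptor" if role == "idp" else "IDPSSODescriptor"
        if binding not in mni_endpoints(peer_metadata, peer_role):
            raise ValueError("peer metadata advertises no ManageNameIDService "
                             f"for {binding}")
    params = {
        "metaAlias": meta_alias,
        "spEntityID" if role == "idp" else "idpEntityID": peer_entity_id,
        "requestType": request_type,
        "binding": binding,
    }
    if relay_state:
        params["RelayState"] = relay_state
    return f"{base.rstrip('/')}/saml2/jsp/{role}MNIRequestInit.jsp?{urlencode(params)}"


if __name__ == "__main__":
    for b, (loc, resp) in mni_endpoints(IDP_METADATA).items():
        print(b.rsplit(":", 1)[1], "->", loc, "| response:", resp)
    print("non-https endpoints:", insecure_endpoints(mni_endpoints(IDP_METADATA)))
    print(build_mni_init_url("http://dev-3.sun.com:58080/opensso", "sp", "/sp",
                             "mach1.sun.com", "NewID", SOAP,
                             peer_metadata=IDP_METADATA))
```

urlencode percent-encodes the colons in the binding URI; the servlet container decodes them before the JSP reads the parameter, so the resulting query string is equivalent to the page's hand-written examples. The peer-metadata check is the point of the example: an MNI request sent over a binding the other party does not list can only fail or be dropped, and checking the advertised endpoints up front also surfaces plain-http Locations that should be corrected before the deployment goes live.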