Sun OpenSSO Enterprise 8.0 Administration Guide
Book Information
Index
Preface
Part I Access Control
Chapter 1 Logging In To The Console
Administrator Interface
User Interface
Legacy Support
Chapter 2 Organizing Data within Realms
Understanding Realms
Creating and Modifying Realms
To Create a New Realm
To Modify a Realm's General Properties
Managing Configuration Data Within Realms
Managing Authentication
Adding Services
To Add a Service to a Realm
To Modify the Attributes of a Realm's Added Services
Plugging in Data Stores
To Create a New Data Store
Delegating Administrator Privileges
Configuring Policy
Defining Subjects
Creating Agent Profiles
Chapter 3 Configuring Authentication
Understanding the Authentication Service
Authentication Service User Interface
Authentication Modules
Active Directory
Anonymous
Certificate
Data Store
Federation
HTTP Basic
JDBC
LDAP
Membership
MSISDN
RADIUS
SAE
SafeWord
SecurID
Unix
Windows Desktop SSO
Windows NT
WSSAuth
Authentication Types
Authentication Post Processing
Configuring the Core Authentication Service
To Modify Core Authentication Properties Globally
To Modify Core Authentication Properties By Realm
Configuring the Authentication Process
Before You Begin
Setting Up for RADIUS and SafeWord Authentication
To Set Up RADIUS or SafeWord with Sun Java System Application Server
Setting Up Windows Desktop SSO Authentication
To Create a User in the Windows Domain Controller
To Reduce the Size of a Kerberos Ticket
To Set Up Internet Explorer
Installing a Samba Client for Windows NT Authentication
To Install the Samba Client
Configuring Authentication Modules
To Define Global Values for an Authentication Module
To Add an Authentication Module Instance to a Realm or Sub Realm
Creating Authentication Chains
To Create an Authentication Chain
Initiating the Authentication Type
Realm Authentication
Configuring Realm Authentication
To Configure A Realm's Authentication Process
Initiating Realm Authentication with the Login URL
Redirecting Users After Realm Authentication
Successful Realm Authentication Redirection URL Precedence
Failed Realm Authentication Redirection URL Precedence
Service Authentication
Configuring Service Authentication
Initiating Service Authentication with the Login URL
Redirecting Users After Service Authentication
Successful Service Authentication Redirection URL Precedence
Failed Service Authentication Redirection URL Precedence
User Authentication
Configuring User Authentication
To Configure A User Authentication Process
Initiating User Authentication with the Login URL
Redirecting Users After User Authentication
Successful User Authentication Redirection URL Precedence
Failed User Authentication Redirection URL Precedence
Authentication Level-based Authentication
Configuring Authentication Levels
Initiating Authentication Level-based Authentication with the Login URL
Redirecting Users After Authentication Level-based Authentication
Successful Authentication Level-based Authentication Redirection URL Precedence
Failed Authentication Level-based Authentication Redirection URL Precedence
Module Authentication
Configuring Module Authentication
Initiating Module Authentication with the Login URL
Redirecting Users After Module Authentication
Successful Module Authentication Redirection URL Precedence
Failed Module Authentication Redirection URL Precedence
Role Authentication (Legacy Mode)
Configuring Role Authentication
To Configure An Authentication Process for a Role
Initiating Role Authentication with the Login URL
Redirecting Users After Role Authentication
Successful Role Authentication Redirection URL Precedence
Failed Role Authentication Redirection URL Precedence
Accessing the Authentication Service User Interface with a Login URL
goto Parameter
gotoOnFail Parameter
realm Parameter
user Parameter
locale Parameter
module Parameter
service Parameter
arg Parameter
authlevel Parameter
forceAuth Parameter
IDTokenN Parameters
iPSPCookie Parameter
PersistAMCookie Parameter
role Parameter (Legacy Mode)
org Parameter (Legacy Mode)
domain Parameter (Legacy Mode)
Customizing Authentication
Enabling Account Lockout
Authentication Service Failover
Mapping Fully Qualified Domain Names
Possible Uses For FQDN Mapping
Using Persistent Cookies
To Use Persistent Cookies
Upgrading Sessions
Sharing User Credentials Among Authentication Modules (Shared State)
Redirecting Users After Authentication
Configuring Multiple LDAP Authentication Modules (Legacy Mode)
To Configure Multiple LDAP Authentication Modules
Chapter 4 Managing Policies
Understanding the Authorization Process
Defining a Policy and a Referral
Policy
Rules
Discovery Service (with resource name)
Liberty Personal Profile Service (with resource name)
URL Policy Agent (with resource name)
Subjects
Conditions
Response Providers
Referral
Rules
Referrals
Creating Policies and Referrals
To Add Multiple Policies Using the ssoadm Command Line Utility
To Create a Policy Using the OpenSSO Enterprise Console
To Create a Referral Using the OpenSSO Enterprise Console
Modifying Policies and Referrals
Modifying Policies
To Modify a Policy
Modifying Referrals
To Modify a Referral
Using Wild Cards in Policies
Applying Policy Logic
Enabling Policy in a Service
To Add a New Policy Enabled Service
Authenticating Based on Resource
To Configure Resource Authentication
Chapter 5 Creating Subjects
Storing Subjects
Creating Users
To Create a User
To Modify a User
Creating Groups
To Create a Group
To Add Users to a Group
Administrative Users and Default Subjects
amadmin
To Change the amadmin Password
amldapuser
UrlAccessAgent
Directory Manager
Administrator
demo
test
dsameuser
puser
anonymous
Chapter 6 Storing Policy Agent and Web Services Security Agent Profiles
Centralizing Agent Profiles
Web Policy Agent Profile
J2EE Policy Agent Profile
Web Service Provider Security Agent Profile
Web Service Client Security Agent Profile
STS Client Agent Profile
2.2 Agents
Agent Authenticator
Creating New Agent Profiles and Groups
To Create a New Agent Profile
To Create a New Group
To Modify an Agent Profile to Inherit Properties From a Group
Part II Federation, Web Services, and SAML Administration
Chapter 7 Configuring and Managing Federation
Configuring Federation
Managing Federation Using the Console
Creating an Entity
SAMLv2 Entity
To Create a SAMLv2 Entity Provider
SAMLv2 Hosted Affiliation Customization
Meta Alias
Members
Cert Alias
ID-FF Entity Provider
To Create an ID-FF Entity Provider
WS-Federation Entity Provider
To Create a WS-Federation Entity Provider
Circle of Trust
To Create a New Circle of Trust
To Modify a Circle of Trust Profile
To Add Providers to a Circle of Trust
To Delete a Circle of Trust Profile
Managing Federation Using ssoadm
Managing Entity Metadata using ssoadm
Loading Standard Metadata Using ssoadm
Loading Extended Metadata Using ssoadm
Managing Circles of Trust Using ssoadm
Chapter 8 Federated Operations
Finding an Identity Provider for Authentication
Configuring the SAMLv2 Identity Provider Discovery Service
SAMLv2 Writer Service URL
SAMLv2 Reader Service URL
Configuring the ID-FF Identity Provider Introduction Service
ID-FF Writer Service URL
ID-FF Reader Service URL
Configuring WS-Federation Home Realm Discovery Service
Customizing the SAMLv2 Identity Provider Discovery Service and the ID-FF Identity Provider Introduction Service
To Create a Specialized WAR file for the Identity Provider Services
To Customize the Identity Provider Services Through the Console
Bulk Federation
ID-FF Federation Operations
The Pre-Login URL
To Configure for Pre-login
To Configure for Global Logout
Configuring ID-FF Single Sign-on
To Configure ID-FF Single Sign-on
ID-FF Auto-Federation
To Enable ID-FF Auto Federation
Enabling ID-FF XML Signing
To Enable ID-FF XML Signing
Dynamic Identity Provider Proxying
To Configure and Test Dynamic Identity Provider Proxying
SAMLv2 Operations
POST Binding with Single Sign-on and Single Logout
Creating Affiliations
Requesting Attribute Values Using a SAMLv2 Assertion
Requesting a SAMLv2 Assertion
Requesting a SAMLv2 Assertion for Authentication Context
To Configure for Authentication Context Queries
Encoding Artifacts
Managing SAMLv2 Name Identifiers
idpMNIRequestInit.jsp
spMNIRequestInit.jsp
Mapping SAMLv2 Name Identifiers
Enhanced Client and Proxy
To Configure for ECP on the Identity Provider Side
To Configure for ECP on the Service Provider Side (Optional)
Formatting Name Identifiers
Configuring SAMLv2 Single Sign-on without Service Provider User Accounts
To Use the Transient Name Identifier
To Federate Disparate Accounts with Auto Federation
To Map Attributes to the anonymous User Account
To Achieve Single Sign-on Without Data Store Writes
Auto-creation of User Accounts
To Enable Auto-creation
Using Non-Default Federation Attributes
To Store Federation Information in Existing Attributes
Enabling XML Signing and Encryption
Securing SOAP Binding
Basic Authentication
Secure Socket Layer/Transport Layer Security
Server Certificate Authentication
Client Certificate Authentication
Load Balancing
To Enable Load Balancer Support
Access Control
To Enable Access Control Using Agents
Certificate Revocation List Checking
To Set Up for Certificate Revocation List Checking
To Manually Populate a Directory Server with a Certificate Revocation List
To Enable Certificate Revocation List Checking for SAMLv2
SAMLv2 IDP Discovery Service
Bootstrapping the Liberty ID-WSF with SAML v2
To Enable an Identity Provider for SAML v2 Bootstrapping of Liberty ID-WSF
To Enable a Service Provider for SAML v2 Bootstrapping of Liberty ID-WSF
Retrieving SAMLv2 Bootstrapping of Liberty ID-WSF from the WSC
WS-Federation Operations
To Configure OpenSSO Enterprise as a Service Provider
To Configure OpenSSO Enterprise as an Identity Provider
Chapter 9 Identity Web Services
Authentication Web Service
Authentication Web Service Attribute
Mechanism Handlers List
key Parameter
class Parameter
Challenge Cleanup Interval
Transform Classes
PLAIN Mechanism Handler Authentication Module
CRAM-MD5 Mechanism Handler Authentication Module
Liberty Personal Profile Service
Liberty Personal Profile Service Attributes
ResourceID Mapper
Authorizer
Attribute Mapper
Provider ID
Name Scheme
Namespace Prefix
Supported Containers
PPLDAP Attribute Map List
Require Query PolicyEval
Require Modify PolicyEval
Extension Container Attributes
Extension Attributes Namespace Prefix
Service Update
Service Instance Update Class
Alternate Endpoint
Discovery Service
Discovery Service Attributes
Provider ID
Supported Authentication Mechanisms
Supported Directives
Policy Evaluation for Discovery Lookup
Policy Evaluation for Discovery Update
Authorizer Plug-in Class
Entry Handler Plug-in Class
Classes For ResourceIDMapper Plug-in
Authenticate Response Message
SessionContextStatement for Bootstrapping
Encrypt NameIdentifier in Session Context for Bootstrapping
Implied Resource
Name Identifier Mapper
Global Entry Handler Plug-in Class
Resource Offerings for Bootstrapping
Storing Resource Offerings
Storing Resource Offerings as User Attributes
To Store a Resource Offering as a User Attribute
Storing Resource Offerings as Dynamic Attributes
To Store Resource Offerings as Dynamic Attributes in a Realm
Storing a Resource Offering for Discovery Service Bootstrapping
To Store a Resource Offering for Discovery Service Bootstrapping
SOAP Binding Service
SOAP Binding Service Attributes
Request Handler List
Key Parameter
Class Parameter
SOAP Action Parameter
Web Service Authenticator
Supported Authentication Mechanisms
Enforce Only Known Providers
Certification Alias For SSL Client Authentication
Time Limit for Stale Message
Message ID Cache Cleanup Interval
Supported SOAP Actors
Namespace Prefix Mapping
JAXB Package List
Liberty Identity Web Service Version
Liberty Interaction Service
Liberty ID-WSF Security Service
Chapter 10 SAML 1.x Administration
SAML Attributes
Target Specifier
Site Identifiers
To Configure a Site Identifier
Trusted Partners
Trusted Partners: Selecting Partner Type and Profile
Trusted Partners: Configuring Trusted Partner Attributes
Target URLs
To Configure a Target URL
Default Protocol Version
Default Assertion Version
Remove Assertion
Assertion Timeout
Assertion Skew Factor for notBefore Time
Artifact Timeout
SAML Artifact Name
Sign SAML Assertion
Sign SAML Request
Sign SAML Response
Attribute Query
SAML Operations
Setting Up SAML Single Sign-on
To Set Up SAML Single Sign-on
To Verify the SAML Single Sign-on Configurations
Part III Directory Management and Default Services
Chapter 11 Directory Management
Managing Directory Objects
Organizations
To Create an Organization
To Delete an Organization
To Add an Organization to a Policy
Containers
To Create a Container
To Delete a Container
Group Containers
To Create a Group Container
To Delete a Group Container
Groups
To Create a Static Group
To Add or Remove Members of a Static Group
To Create a Dynamic Group
To Add or Remove Members of a Dynamic Group
To Add a Group to a Policy
People Containers
To Create a People Container
To Delete a People Container
Users
To Create a User
To Edit the User Profile
To Add a User to Roles and Groups
To Add a User to a Policy
Roles
To Create a Static Role
To Add Users to a Static Role
To Create a Dynamic Role
To Remove Users from a Role
To Add a Role to a Policy
Chapter 12 Current Sessions
The Current Sessions Interface
Session Management
Session Information
Terminating a Session
To Terminate a Session
Chapter 13 Password Reset Service
Registering the Password Reset Service
To Register Password Reset for Users in a Different Realm
Configuring the Password Reset Service
To Configure the Service
To Localize the Secret Question
Password Reset Lockout
Memory Lockout
Physical Lockout
Password Policies
Example: To Create a Password Policy in Directory Server for Force Password Change After Reset
Password Reset for End Users
Customizing Password Reset
To Customize Password Reset
Resetting Forgotten Passwords
To Reset Forgotten Passwords
Chapter 14 Logging Service
Log Files
OpenSSO Enterprise Logs
Session Logs
Console Logs
Authentication Logs
Federation Logs
Policy Logs
Agent Logs
SAML Logs
ssoadm Logs
Logging Features
Secure Logging
To Enable Secure Logging through a JSS Provider
Logging Level Attributes and Properties
Database Logging
Remote Logging
Remote Client Logging
Remote OpenSSO Enterprise Server Logging
Debug Files
Debug Levels
Debug Output Files
Chapter 15 Backing Up and Restoring Configuration Data
Understanding Backup and Restore
Backing Up the Configuration Datastore
To Back Up the Configuration Datastore
Restoring the Configuration Data Store
To Restore the Embedded Configuration Datastore by Loading XML
To Restore by Replication of the OpenSSO Configuration Datastore
To Restore the Directory Server Configuration Datastore by Loading XML
To Restore by Replication of the Directory Server Configuration Datastore
Appendix A Changing the Host Name of an OpenSSO Instance
© 2010, Oracle Corporation and/or its affiliates