Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

Procedure: To Configure and Test Dynamic Identity Provider Proxying

The following steps describe the procedure to enable three machines for identity provider proxying and test the configuration. The procedure assumes the three machines have Access Manager installed and are configured as follows:

Machine     Authentication Function             Federation Function
---------   --------------------------------    -------------------------------------
Machine 1   Authenticating Identity Provider    Identity Provider
Machine 2   Proxying Identity Provider          Identity Provider and Service Provider
Machine 3   Requesting Service Provider         Service Provider

All of the WAR files and metadata used in the following procedure can be found in /AccessManager-base/samples/liberty/sample1.

  1. To configure machine 3, deploy the SP1 WAR files and load sp1Metadata.xml.

    Ensure that the metadata defines machine 2 as an identity provider and machine 3 as a service provider.

  2. To configure machine 1, deploy the IDP1 WAR files and load idp1Metadata.xml.

    Ensure that the metadata defines machine 1 as an identity provider and machine 2 as a service provider.

  3. To configure machine 2, do the following:

    1. To configure machine 2 as a service provider, deploy the SP1 WAR files.

      Modify AMClient.properties to reflect this.

    2. To configure machine 2 as an identity provider, load a second, modified idp1Metadata.xml.

      Ensure that idp1Metadata.xml contains only data that defines machine 1 as an identity provider. Remove all other metadata.

  4. Log in to machine 2 and modify the following metadata:

    1. Change the value of the Authentication Type attribute to Local.

      This attribute can be found in the Access Manager Configuration section of the entity describing machine 2 as a service provider.

    2. Add machine 1 and machine 3 to the list of Trusted Providers configured for machine 2.

      This attribute can be found in the Trusted Provider section of the entity describing machine 2 as a service provider.

    3. Save the configuration.

  5. Also on machine 2, modify the following metadata in the entity that describes machine 3:

    1. Select the check box next to Enable Proxy Authentication.

      This attribute can be found in the Proxy Authentication Configuration section of the entity that defines machine 3 as an identity provider.

    2. Add machine 1 to the Proxy Identity Providers List.

      This attribute can be found in the Proxy Authentication Configuration section of the entity that defines machine 3 as an identity provider. The value is a URI defined as the provider's identifier.

    3. Set Maximum Number of Proxies to 1.

    4. Save the configuration.

  6. Federate a user between machine 3 (acting as a service provider) and machine 2 (acting as an identity provider).

  7. Federate a user between machine 2 (acting as a service provider) and machine 1 (acting as an identity provider).

  8. Close the browser and attempt single sign-on.

    If you enter the username and password used to federate with machine 1, you are redirected to machine 1 rather than machine 2.
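The following is an added example, not code from the Access Manager guide or product, that shows the decision a proxying identity provider such as machine 2 must make when it receives an authentication request: forward it to an authenticating identity provider only if the requester is a trusted provider, the forwarded hop stays within both the requester's proxy count and the configured Maximum Number of Proxies, and the target is on the configured Proxy Identity Providers List. The Liberty ID-FF 1.2 Scoping/ProxyCount/IDPList layout, the namespace URI, and all provider IDs are assumptions.

```python
import xml.etree.ElementTree as ET

LIB = "urn:liberty:iff:2003-08"  # Liberty ID-FF 1.2 namespace (assumed)
NS = {"lib": LIB}

# Machine 2's settings from steps 4 and 5 of the procedure (constructed provider IDs).
CONFIG = {
    "trusted_providers": {"https://machine1.example.com", "https://machine3.example.com"},
    "proxy_idp_list": ["https://machine1.example.com"],  # Proxy Identity Providers List
    "max_proxies": 1,                                    # Maximum Number of Proxies
}

def make_request(requester, proxy_count, idp_ids):
    """Build a constructed AuthnRequest like the one machine 3 would send."""
    entries = "".join(
        f"<lib:IDPEntry><lib:ProviderID>{i}</lib:ProviderID></lib:IDPEntry>" for i in idp_ids)
    return (f'<lib:AuthnRequest xmlns:lib="{LIB}"><lib:ProviderID>{requester}</lib:ProviderID>'
            f'<lib:Scoping><lib:ProxyCount>{proxy_count}</lib:ProxyCount>'
            f'<lib:IDPList><lib:IDPEntries>{entries}</lib:IDPEntries></lib:IDPList>'
            '</lib:Scoping></lib:AuthnRequest>')

def choose_proxy_target(authn_request_xml, config):
    """Decide where the proxying IdP forwards this request.

    Returns (target_provider_id, proxy_count_for_forwarded_request), or None
    when the request must be authenticated locally. Raises on untrusted requesters.
    """
    root = ET.fromstring(authn_request_xml)
    requester = root.findtext("lib:ProviderID", namespaces=NS)
    if requester not in config["trusted_providers"]:
        raise ValueError(f"untrusted requester: {requester}")
    scoping = root.find("lib:Scoping", NS)
    # The requester's ProxyCount and our own cap each bound the chain length;
    # forward only if both allow at least one more hop.
    proxy_count = int(scoping.findtext("lib:ProxyCount", "0", NS)) if scoping is not None else 0
    hops_allowed = min(proxy_count, config["max_proxies"])
    if hops_allowed <= 0:
        return None
    requested = {e.text for e in root.iterfind(".//lib:IDPEntry/lib:ProviderID", NS)}
    # Forward only to an IdP that is on our configured list and, when the
    # requester scoped the request with an IDPList, also on that list.
    for candidate in config["proxy_idp_list"]:
        if not requested or candidate in requested:
            # Decrement so the next IdP cannot extend the chain beyond our cap.
            return candidate, hops_allowed - 1
    return None
```

With ProxyCount 2 from machine 3 and Maximum Number of Proxies 1 on machine 2, the request is forwarded to machine 1 with a remaining count of 0, so machine 1 cannot proxy it onward.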