Chapter 16 Use Case 2: User Attribute Mapping
In this use case, no user repository exists in the Service Provider site. All users in the Identity Provider site are mapped to an anonymous user. The anonymous user represents all users in the Identity Provider site when it presents itself to the Service Provider site. The anonymous user is used to map transient-based federation attributes.
This use case illustrates how you can pass user profile attributes from the Identity Provider site to the to Service Provider site, and the from Service Provider site to all of its Service Provider agent-protected applications. Communication from the Identity Provider site to the Service Provider site takes place using SAMLv2 protocols. Communication from Federation Manager site to all Service Provider agent-protected applications takes place using agent-to- LDAP attribute mapping.
16.1 Mapping User Attributes from the Identity Provider to a Single User on the Service Provider
Use the following as your checklist for mapping user attributes to a single user:
To Modify the usersLDAP User
Attributes
-
Go to the Access Manager URL:
https://LoadBalancer-3.example.com:9443/amserver/UI/Login
-
Log in to the Access Manager console using the following information:
- User name:
-
amadmin
- Password:
-
4m4dmin1
-
Add the usersLDAP user attributes that will be set for the user entry.
In this example, you will add the mail and telephone number attributes.
-
On the Realms page, click the users realm name, and then click Data Stores.
-
On the users — Data Stores page, click the usersLDAP data store name.
-
On the Edit Data Store page, add givenname to the LDAP User Attributes list.
In the LDAP User Attributes field, enter givenname, and then click Add.
-
In the same manner, add mail to the LDAP User Attributes list.
-
In the same manner, add telephonenumber to the LDAP User Attributes list.
-
Click Save.
-
To Create a New User
-
Go to the Access Manager URL:
https://LoadBalancer-3.example.com:9443/amserver/UI/Login
-
Log in to the Access Manager console using the following information:
- User name:
-
amadmin
- Password:
-
4m4dmin1
-
On the Realms page, click the users realm name, and then click the Subject tab.
-
On the User tab, click New.
-
On the New User page, provide the following information:
- ID:
-
jsmith
- First Name:
-
John
- Last Name:
-
Smith
- Full Name:
-
John Smith
- Password:
-
jsmith
- Password (confirm):
-
jsmith
Click Create, and then log out of the Access Manager console.
To Edit the New User's Contact Information
-
Go to the Access Manager URL:
https://LoadBalancer-3.example.com:9443/amserver/UI/Login
-
Log in to the Access Manager console using the following information:
- User name:
-
amadmin
- Password:
-
4m4dmin1
-
On the Realms page, click the users realm name, and then click the Subject tab.
-
On the User tab, in the list of users, click jsmith.
-
On the Edit User page, provide the following information:
- Email Address:
-
jsmith@example.com
- Telephone Number:
-
408–555–5454
Click Save, and then log out of the Access Manager console.
To Modify the Identity Provider Metadata
-
As a root user, log into the Access Manager 1 host.
-
In the Identity Provider extended metadata file, map the Email Address and Telephone Number attributes.
For example, in the first value-pair mapping, mail is the LDAP attribute name, and EmailAddress is the information to be sent over the wire using SAMLv2 protocols.
# cd /etc/opt/SUNWam/config # vi saml2-idp-extended-metadata.xml ... <Attribute name="attributeMap"> <Value>EmailAddress=mail</Value> <Value>Telephone=telephonenumber</Value> ...
Save the file.
-
Delete the existing metadata.
# /opt/SUNWam/saml2/bin/saml2meta delete -u amadmin -w 4m4dmin1 -r /users -e loadbalancer3.example.com Descriptor and config fore entity "loadbalancer-3.example" was deleted successfully.
-
Load the modified metadata file into the Directory Server.
#/opt/SUNWam/saml2/bin/saml2meta import -u amadmin -w 4m4dmin1 -r /users -m saml2-idp-metadata.xml -x saml2-idp-extended-metadata.xml File "saml2-idp-metadata.xml" was imported successfully. File "saml2-idp-extended-metadata.xml" was imported sucessfully.
When you map the attributes on one Access Manager server, the mapping is also made available to the second Access Manager. So you do not have to modify metadata on the Access Manager 2 server. The metadata will also be made available to the Federation Manager servers.
To Modify the Service Provider Metadata
-
As a root user, log into the Federation Manager 1 host .
-
In the Service Provider extended metadata file, map the Email Address and Telephone Number attributes.
# cd /etc/opt/SUNWam/config # vi saml2-sp-extended-metadata.xml ... <Attribute name="attributeMap"> <Value>EmailAddress=EmailAddress</Value> <Value>Telephone=Telephone</Value> ...
Notice that the value mail in the EmailAddress attribute—value pair does not have to be identical to the value EmailAddress specified in the Identity Provider metadata.
-
Add anonymous to the transient user list.
<Attribute name="transientUser"> <Value>anonymous</Value>
Save the file.
-
Delete the existing metadata.
# /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging delete -u amadmin -w 11111111 -e loadbalancer-9.siroe.com
-
Load the modified metadata file into the Directory Server.
#/opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fn/war_staging import -u amadmin -w 11111111 -m saml2-sp-metadata.xml -x saml2-sp-extended-metadata.xml File "saml2-sp-metadata.xml" was imported successfully. File "saml2-sp-extended-metadata.xml" was imported sucessfully.
Save the file.
-
Restart Federation Manager 1.
# cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com # ./stop; ./start
-
Restart Federation Manager 2.
# cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop; ./start
To Modify the Agents Properties
-
Modify the Web Policy Agents properties.
-
As a root user, log into the Protected Resource 3 host.
-
Add the transient attribute to the property com.sun.am.policy.am.login.url.
# cd /etc/opt/SUNWam/agents/es6/config/ _opt_SUNWwbsvr_https-ProtectedResource-3.siroe.com # vi AMAgent.properties com.sun.am.policy.am.login.url = https://LoadBalancer-9.siroe.com:3443/federation/ saml2/jsp/spSSOInit.jsp?metaAlias=sp&idpEntityID= loadbalancer-3.example.com&NameIDFormat=transient
-
Modify the following properties:
com.sun.am.policy.agents.config.session.attribute.fetch.mode=HTTP_HEADER com.sun.am.policy.agents.config.session.attribute.map= EmailAddress|EmailAddress,Telephone|Telephone
Save the file.
-
Restart the Protected Resource 3 host.
# cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com # ./stop; ./start
-
As a root user, log into the Protected Resource 4 host.
-
Add the transient NameID format to the property com.sun.am.policy.am.login.url.
# cd /etc/opt/SUNWam/agents/e6/config/ _opt_SUNWwbsvr_https-ProtectedResource-4.siroe.com # vi AMAgent.properties com.sun.am.policy.am.login.url = https://LoadBalancer-9.siroe.com:3443/federation/ saml2/jsp/spSSOInit.jsp?metaAlias=sp&idpEntityID= loadbalancer-4.example.com&NameIDFormat=transient
-
Modify the following properties:
com.sun.am.policy.agents.config.session.attribute.fetch.mode=HTTP_HEADER com.sun.am.policy.agents.config.session.attribute.map= EmailAddress|EmailAddress,Telephone|Telephone
Save the file.
-
Restart the Protected Resource 4 host.
# cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com # ./stop; ./start
To Verify that Attribute Mapping is Working
Properly
The file snoop.jsp is provided at the end of this chapter for you to use with this deployment example. The snoop.jsp file reads each of the HTTP headers and reads a number of query parameters in the SAMLv2 metadata. In this use case, the JSP determines which headers are being passed from the Service Provider to the agent. When you will initiate SAMLv2 for Federation, the user attribute mapping from the Identity Provider to the Service Provider takes place using the SAMLv2 protocol. The mapping from the Service Provider to the Identity Provider takes places using LDAP attribute mapping from Federation Manager to the Web Policy Agent.
-
As a root user, log into the Protected Resource 3 host.
-
Copy the snoop.jsp file to the following directory on both the Protected Resource 3 host and the Protected Resource 4 host:
/opt/SUNWwbsvr/docs
-
Access snoop.jsp through the Web Policy Agents URL:
https://LoadBalancer-11.siroe.com:6443/snoop.jsp
The Web Policy Agent redirects the request, and the Access Manager login page is displayed.
-
Log in to the Access Manager console using the following information:
- User Name:
-
jsmith
- Password:
-
jsmith
The JSP Snoop Page is displayed. John Smith's telephone number and email address are included in the request headers section of the file. Also notice that the Remote user is anonymous. This is the user that serves as confirmation of the transientUser you configured in the saml2-sp-extended-metadata.xmlfile on the Service Provider.
Figure 16–1 Output from snoop.jsp
Example 16–1 snoop.jsp
sr1-usca-43 7 > view snoop.jsp
"snoop.jsp" [Read only] 171 lines, 3825 characters
<HTML>
<HEAD>
<TITLE>JSP snoop page</TITLE>
<%@ page import="javax.servlet.http.
HttpUtils,java.util.Enumeration" %>
</HEAD>
<BODY>
<H1>JSP Snoop page</H1>
<H2>Request information</H2>
<TABLE>
<TR>
<TH align=right>Requested URL:</TH>
<TD><%= HttpUtils.getRequestURL(request) %></TD>
</TR>
<TR>
<TH align=right>Request method:</TH>
<TD><%= request.getMethod() %></TD>
</TR>
<TR>
<TH align=right>Request URI:</TH>
<TD><%= request.getRequestURI() %></TD>
</TR>
<TR>
<TH align=right>Request protocol:</TH>
<TD><%= request.getProtocol() %></TD>
</TR>
<TR>
<TH align=right>Servlet path:</TH>
<TD><%= request.getServletPath() %></TD>
</TR>
<TR>
<TH align=right>Path info:</TH>
<TD><%= request.getPathInfo() %></TD>
</TR>
<TR>
<TH align=right>Path translated:</TH>
<TD><%= request.getPathTranslated() %></TD>
</TR>
<TR>
<TH align=right>Query string:</TH>
<TD><%= request.getQueryString() %></TD>
</TR>
<TR>
<TH align=right>Content length:</TH>
<TD><%= request.getContentLength() %></TD>
</TR>
<TR>
<TH align=right>Content type:</TH>
<TD><%= request.getContentType() %></TD>
<TR>
<TR>
<TH align=right>Server name:</TH>
<TD><%= request.getServerName() %></TD>
<TR>
<TR>
<TH align=right>Server port:</TH>
<TD><%= request.getServerPort() %></TD>
<TR>
<TR>
<TH align=right>Remote user:</TH>
<TD><%= request.getRemoteUser() %></TD>
<TR>
<TR>
<TH align=right>Remote address:</TH>
<TD><%= request.getRemoteAddr() %></TD>
<TR>
<TR>
<TH align=right>Remote host:</TH>
<TD><%= request.getRemoteHost() %></TD>
<TR>
<TR>
<TH align=right>Authorization scheme:</TH>
<TD><%= request.getAuthType() %></TD>
<TR>
</TABLE>
<%
Enumeration e = request.getHeaderNames();
if(e != null && e.hasMoreElements()) {
%>
<H2>Request headers</H2>
<TABLE>
<TR>
<TH align=left>Header:</TH>
<TH align=left>Value:</TH>
</TR>
<%
while(e.hasMoreElements()) {
String k = (String) e.nextElement();
%>
<TR>
<TD><%= k %></TD>
<TD><%= request.getHeader(k) %></TD>
</TR>
<%
}
%>
</TABLE>
<%
}
%>
<%
e = request.getParameterNames();
if(e != null && e.hasMoreElements()) {
%>
<H2>Request parameters</H2>
<TABLE>
<TR valign=top>
<TH align=left>Parameter:</TH>
<TH align=left>Value:</TH>
<TH align=left>Multiple values:</TH>
</TR>
<%
while(e.hasMoreElements()) {
String k = (String) e.nextElement();
String val = request.getParameter(k);
String vals[] = request.getParameterValues(k);
%>
<TR valign=top>
<TD><%= k %></TD>
<TD><%= val %></TD>
<TD><%
for(int i = 0; i < vals.length; i++) {
if(i > 0)
out.print("<BR>");
out.print(vals[i]);
}
%></TD>
</TR>
<%
}
%>
</TABLE>
<%
}
%>
<%
e = getServletConfig().getInitParameterNames();
if(e != null && e.hasMoreElements()) {
%>
<H2>Init parameters</H2>
<TABLE>
<TR valign=top>
<TH align=left>Parameter:</TH>
<TH align=left>Value:</TH>
</TR>
<%
while(e.hasMoreElements()) {
String k = (String) e.nextElement();
String val = getServletConfig().getInitParameter(k);
%>
<TR valign=top>
<TD><%= k %></TD>
<TD><%= val %></TD>
</TR>
<%
}
%>
</TABLE>
<%
}
%>
</BODY>
</HTML>
|
- © 2010, Oracle Corporation and/or its affiliates