The three primary SAMLv2 protocols are Persistent Federation with Single Sign-On (SSO), Single Logout, and Federation Termination. Each protocol can be initiated from the Service Provider site or from the Identity Provider site, and each has several variations. For example, the SSO protocol has two profiles, the browser artifact profile and the browser POST profile. These profiles are among the many mechanisms described in the SAML specification.
Use Case 1 provides instructions for constructing and accessing the URLs that exercise these profiles. Single Logout is tested with two bindings, SOAP and HTTP. Federation Termination is likewise tested with two bindings, HTTP and SOAP.
A sample JSP file is provided at the end of this chapter to help you run the four groups of test cases described in this chapter. Before you can begin running these test cases, you must complete the following tasks:
The following table summarizes the SAMLv2 profiles you can test in the Federation environment described in previous chapters of this document.
Table 15–1 SAMLv2 Profiles Illustrated in Use Case 1

| Initiated by Service Provider | | Initiated by Identity Provider | |
|---|---|---|---|
| Use Case 1A | 1. Persistent Federation (Browser Artifact) 2. Logout (SOAP) 3. Single Sign-On (Browser Artifact) 4. Federation Termination (SOAP) | Use Case 1C | 1. Persistent Federation (Browser Artifact) 2. Logout (SOAP) 3. Single Sign-On (Browser Artifact) 4. Federation Termination (SOAP) |
| Use Case 1B | 1. Persistent Federation (Browser POST) 2. Logout (HTTP) 3. Single Sign-On (Browser POST) 4. Federation Termination (HTTP) | Use Case 1D | 1. Persistent Federation (Browser POST) 2. Logout (HTTP) 3. Single Sign-On (Browser POST) 4. Federation Termination (HTTP) |
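Every test URL in the four use cases above follows one pattern: an sp* or idp* initiator JSP, a metaAlias naming the local provider, a parameter naming the remote partner (idpEntityID or spEntityID), and optionally a binding or a requestType. The Python script below is an added example, not code from the Sun deployment guide: it builds those URLs with proper query-string encoding (the guide's URLs carry the SOAP binding URN unencoded) and checks an incoming initiator URL against an allow-list of trusted partners. The hostnames, metaAlias values and parameter names are the guide's lab values; the TRUSTED table, ALLOWED_BINDINGS, build_url() and validate_url() are constructed for this example.

```python
# Added example (not from the Sun deployment guide): build the SAMLv2 initiator
# URLs used by Use Case 1 with correct encoding, and validate such a URL against
# an allow-list of trusted partners before it is acted on.
from urllib.parse import parse_qs, urlencode, urlsplit

SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
HTTP_POST_BINDING = "HTTP-POST"          # short form accepted by the guide's JSPs
ALLOWED_BINDINGS = {SOAP_BINDING, HTTP_POST_BINDING}

# One entry per side of the federation (constructed for this example): where its
# initiator JSPs live, its own metaAlias, the query parameter that names the
# remote partner, and the partner entity IDs it trusts.
TRUSTED = {
    "sp": {
        "base": "https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp",
        "metaAlias": "/sp",
        "partner_param": "idpEntityID",
        "partners": {"loadbalancer-3.example.com"},
    },
    "idp": {
        "base": "https://loadbalancer-3.example.com:9443/amserver/saml2/jsp",
        "metaAlias": "/users/idp",
        "partner_param": "spEntityID",
        "partners": {"loadbalancer-9.siroe.com"},
    },
}
# Initiator JSP per action; the guide prefixes each name with "sp" or "idp".
INITIATORS = {
    "sso": "SSOInit.jsp",
    "logout": "SingleLogoutInit.jsp",
    "terminate": "MNIRequestInit.jsp",
}


def build_url(side, action, partner, binding=None):
    """Return the initiator URL for one test step, with every value URL-encoded."""
    cfg = TRUSTED[side]
    if partner not in cfg["partners"]:
        raise ValueError(f"{partner} is not a trusted partner of the {side}")
    params = {"metaAlias": cfg["metaAlias"], cfg["partner_param"]: partner}
    if action == "terminate":
        params["requestType"] = "Terminate"      # ManageNameID request type
    if binding is not None:
        params["binding"] = binding              # omitted = provider's default binding
    return f"{cfg['base']}/{side}{INITIATORS[action]}?{urlencode(params)}"


def validate_url(url):
    """Return the problems found in an initiator URL; an empty list means acceptable."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    # Identify which side's initiator directory the URL points into.
    side = next(
        (s for s, c in TRUSTED.items()
         if c["base"].startswith(origin + "/")
         and parts.path.startswith(c["base"][len(origin):] + "/")),
        None,
    )
    if side is None:
        return ["URL does not point at a known initiator location"]
    cfg = TRUSTED[side]
    problems = []
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("metaAlias") != [cfg["metaAlias"]]:
        problems.append("metaAlias is not the configured provider")
    if query.get(cfg["partner_param"], [None])[0] not in cfg["partners"]:
        problems.append(f"{cfg['partner_param']} is not a trusted partner")
    if "binding" in query and query["binding"][0] not in ALLOWED_BINDINGS:
        problems.append("binding is not one of the allowed bindings")
    if "requestType" in query and query["requestType"] != ["Terminate"]:
        problems.append("requestType is not Terminate")
    unknown = set(query) - {"metaAlias", cfg["partner_param"], "binding", "requestType"}
    if unknown:
        problems.append("unexpected parameters: " + ", ".join(sorted(unknown)))
    return problems


if __name__ == "__main__":
    # The four SP-initiated steps of Use Case 1A, in the order the guide runs them.
    idp = "loadbalancer-3.example.com"
    for action, binding in [("sso", None), ("logout", SOAP_BINDING),
                            ("sso", None), ("terminate", SOAP_BINDING)]:
        url = build_url("sp", action, idp, binding)
        print(url, "->", validate_url(url) or "ok")
```

The point of the allow-list check is that the partner entity ID in the query string selects which remote metadata the initiator JSP uses; a deployment that accepts any value there would happily start a federation with an unconfigured provider, so the check rejects anything outside the configured trust.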
As a root user, log into the Federation Manager 1 host.
Create a text file named index.jsp based on the sample at the end of this chapter.
Copy the index.jsp file to the following directory:
/opt/SUNWwbsver/https-FederationManager-1.siroe.com/webapps/https-FederationManager-1.siroe.com/federation/saml2/jsp
As a root user, log into the Federation Manager 2 host.
Create a text file named index.jsp based on the same sample.
Copy the index.jsp file to the following directory:
/opt/SUNWwbsver/https-FederationManager-2.siroe.com/webapps/https-FederationManager-1.siroe.com/federation/saml2/jsp
Go to the Access Manager URL:
https://loadbalancer-3.example.com:9443/amserver/UI/Login
Log in to the Access Manager console using the following information:
User name: amadmin
Password: 4m4dmin1
On the Realms page, click the users realm name.
On the users-Properties page, click the Subjects tab and then click New.
On the New User page, enter idp in each of the six fields (the test steps that follow log in to Access Manager as user idp with password idp).
Click Save.
Use the following as your checklist for testing this use case:
Conduct the four tests using the same browser window instance. The tests must be conducted in consecutive order to satisfy Use Case 1A.
Test 1 of 4: Persistent Federation (Browser Artifact)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the SP Initiated Profiles section, click the Persistent Federation (Browser Artifact) link.
- Go directly to the following URL:
https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
The login request is redirected to Access Manager. Log in to Access Manager as user idp with password idp.
The login request is then redirected to Federation Manager. Log in to Federation Manager as user spuser with password spuser.
The message “Single Sign-On succeeded” is displayed. You can view the debug file to see the actual assertion that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
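The fmSAML2 debug file shows the SAML Response, with its assertion, exactly as the Identity Provider sent it. When you read it, the things worth confirming are the ones a relying party must check before trusting the assertion: the issuer is the configured IdP, the assertion is signed, the InResponseTo matches the request the SP sent, the audience and recipient name this SP, the validity window covers the current time, and (for Persistent Federation) the NameID is in persistent format. The Python script below is an added example, not code from the Sun guide or from Federation Manager: it runs those checks over a constructed sample Response whose entity IDs are the guide's lab hostnames; the Recipient URL, request ID and timestamps in the sample are constructed, and check_response() is this example's own function. Only the presence of a signature is checked; cryptographic verification needs the IdP certificate and an XML-DSig library.

```python
# Added example (not from the Sun guide): relying-party sanity checks on a
# SAML 2.0 Response of the kind recorded in the fmSAML2 debug file.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample Response; the Recipient path, IDs and times are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="r1" Version="2.0" IssueInstant="2006-01-10T10:00:00Z" InResponseTo="req-42">
  <saml:Issuer>loadbalancer-3.example.com</saml:Issuer>
  <saml:Assertion ID="a1" Version="2.0" IssueInstant="2006-01-10T10:00:00Z">
    <saml:Issuer>loadbalancer-3.example.com</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="req-42" NotOnOrAfter="2006-01-10T10:10:00Z"
            Recipient="https://loadbalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2006-01-10T09:55:00Z" NotOnOrAfter="2006-01-10T10:10:00Z">
      <saml:AudienceRestriction><saml:Audience>loadbalancer-9.siroe.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2006, 1, 10, 10, 0, 0, tzinfo=timezone.utc)  # clock inside the sample's window


def _ts(value):
    """Parse a SAML UTC timestamp such as 2006-01-10T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, idp_entity_id, sp_entity_id, sp_base_url, request_id, now):
    """Return the problems found in a Response; an empty list means it passes every check."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest that was sent")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plain Assertion element (EncryptedAssertion is not handled here)"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"issuer {issuer!r} is not the trusted IdP")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion carries no XML signature")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID is missing or not in persistent format")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or not (scd.get("Recipient") or "").startswith(sp_base_url):
        problems.append("SubjectConfirmationData Recipient is not this SP")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion is not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"audience {audiences} does not include this SP")
    return problems


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE, "loadbalancer-3.example.com",
                            "loadbalancer-9.siroe.com",
                            "https://loadbalancer-9.siroe.com:3443/", "req-42", SAMPLE_NOW)
    print("problems:", result or "none")
```

Run against a real debug-file capture, replace SAMPLE_NOW with the wall-clock time at which the Response was received, not the time you read the file: a few minutes later the same assertion correctly reports "assertion has expired", which is the check that stops a captured assertion being replayed.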
Test 2 of 4: Logout (SOAP)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the SP Initiated Profiles section, click the Logout (SOAP) link.
- Go directly to the following URL:
https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&idpEntityID=loadbalancer-3.example.com
The message “SP initiated single logout succeeded” is displayed. You can view the debug file to see the actual logout message that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 3 of 4: Single Sign-On (Browser Artifact)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the SP Initiated Profiles section, click the Single Sign-On (Browser Artifact) link.
- Go directly to the following URL:
https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
The login request is redirected to Access Manager. Log in to Access Manager as user idp with password idp.
The message “Single Sign-On succeeded” is displayed. You can view the debug file to see the actual assertion that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 4 of 4: Federation Termination (SOAP)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the SP Initiated Profiles section, click the Federation Termination (SOAP) link.
- Go directly to the following URL:
https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP
The message “ManageNameID Request succeeded” is displayed. You can view the debug file to see the actual ManageNameID request that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Use the following as your checklist for testing this use case:
Conduct the four tests using the same browser window instance. The tests must be conducted in consecutive order to satisfy Use Case 1B.
Test 1 of 4: Persistent Federation (Browser POST)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the SP Initiated Profiles section, click the Persistent Federation (Browser POST) link.
- Go directly to the following URL:
https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com&binding=HTTP-POST
The login request is redirected to Access Manager. Log in to Access Manager as user idp with password idp.
The login request is then redirected to Federation Manager. Log in to Federation Manager as user spuser with password spuser.
The message “Single Sign-On succeeded” is displayed. You can view the debug file to see the actual assertion that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 2 of 4: Logout (HTTP)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the SP Initiated Profiles section, click the Logout (HTTP) link.
- Go directly to the following URL:
https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
The message “SP initiated single logout succeeded” is displayed. You can view the debug file to see the actual logout message that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 3 of 4: Single Sign-On (Browser POST)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the SP Initiated Profiles section, click the Single Sign-On (Browser POST) link.
- Go directly to the following URL:
https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com&binding=HTTP-POST
The login request is redirected to Access Manager. Log in to Access Manager as user idp with password idp.
The message “Single Sign-On succeeded” is displayed. You can view the debug file to see the actual assertion that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 4 of 4: Federation Termination (HTTP)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the SP Initiated Profiles section, click the Federation Termination (HTTP) link.
- Go directly to the following URL:
https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com&requestType=Terminate
The message “ManageNameID Request succeeded” is displayed. You can view the debug file to see the actual ManageNameID request that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Use the following as your checklist for testing this use case:
Conduct the four tests using the same browser window instance. The tests must be conducted in consecutive order to satisfy Use Case 1C.
Test 1 of 4: Persistent Federation (Browser Artifact)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the IDP Initiated Profiles section, click the Persistent Federation (Browser Artifact) link.
- Go directly to the following URL:
https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSSOInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com
The login request is redirected to Access Manager. Log in to Access Manager as user idp with password idp.
The login request is then redirected to Federation Manager. Log in to Federation Manager as user spuser with password spuser.
The message “Single Sign-On succeeded” is displayed. You can view the debug file to see the actual assertion that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 2 of 4: Logout (SOAP)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the IDP Initiated Profiles section, click the Logout (SOAP) link.
- Go directly to the following URL:
https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP
The message “IDP initiated single logout succeeded” is displayed. You can view the debug file to see the actual logout message that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 3 of 4: Single Sign-On (Browser Artifact)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the IDP Initiated Profiles section, click the Single Sign-On (Browser Artifact) link.
- Go directly to the following URL:
https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSSOInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com
The login request is redirected to Access Manager. Log in to Access Manager as user idp with password idp.
The message “Single Sign-On succeeded” is displayed. You can view the debug file to see the actual assertion that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 4 of 4: Federation Termination (SOAP)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the IDP Initiated Profiles section, click the Federation Termination (SOAP) link.
- Go directly to the following URL:
https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&requestType=Terminate
The message “ManageNameID Request succeeded” is displayed. You can view the debug file to see the actual ManageNameID request that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Use the following as your checklist for testing this use case:
Conduct the four tests using the same browser window instance. The tests must be conducted in consecutive order to satisfy Use Case 1D.
Test 1 of 4: Persistent Federation (Browser POST)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the IDP Initiated Profiles section, click the Persistent Federation (Browser POST) link.
- Go directly to the following URL:
https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSSOInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&binding=HTTP-POST
The login request is redirected to Access Manager. Log in to Access Manager as user idp with password idp.
The login request is then redirected to Federation Manager. Log in to Federation Manager as user spuser with password spuser.
The message “Single Sign-On succeeded” is displayed. You can view the debug file to see the actual assertion that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 2 of 4: Logout (HTTP)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the IDP Initiated Profiles section, click the Logout (HTTP) link.
- Go directly to the following URL:
https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com
The message “IDP initiated single logout succeeded” is displayed. You can view the debug file to see the actual logout message that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 3 of 4: Single Sign-On (Browser POST)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the IDP Initiated Profiles section, click the Single Sign-On (Browser POST) link.
- Go directly to the following URL:
https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSSOInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&binding=HTTP-POST
The login request is redirected to Access Manager. Log in to Access Manager as user idp with password idp.
The message “Single Sign-On succeeded” is displayed. You can view the debug file to see the actual assertion that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Test 4 of 4: Federation Termination (HTTP)
Access the Federation Manager server using one of the following alternatives:
- Go to the index.jsp URL https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/index.jsp and, on the SAML2 Use Cases page, in the IDP Initiated Profiles section, click the Federation Termination (HTTP) link.
- Go directly to the following URL:
https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&requestType=Terminate
The message “ManageNameID Request succeeded” is displayed. You can view the debug file to see the actual ManageNameID request that was sent over the wire:
# vi /var/opt/SUNWam/fm/federation/debug/fmSAML2
Sample index.jsp file (install it on both Federation Manager hosts as described at the start of this chapter):

<%--
  Copyright © 2004 Sun Microsystems, Inc. All rights reserved
  Use is subject to license terms.
--%>
<html>
<head>
<title>SAML2 Usecases (index)</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="samples/liberty/sso/css/styles.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000" leftmargin="9" marginwidth="9" topmargin="9" marginheight="9">
<br>
<table width="30%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="2"> </td>
<td width="100%">
<table border="0" cellspacing="0" cellpadding="0" align=center>
<tr><td>
<P ALIGN=CENTER><FONT FACE="Arial Narrow, sans-serif"><FONT SIZE=2 STYLE="font-size: 11pt"><B>SAML2 Usecases</B></FONT></FONT></P>
</td></tr>
<tr><td colspan="3"> </td></tr>
<tr><td><p><B>SP Initiated Profiles</B></p></td></tr>
<tr><td colspan="3"> </td></tr>
<tr><td><p><a href="https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com">Persistent Federation (Browser Artifact)</a></p></td></tr>
<tr><td colspan="3"> </td></tr>
<tr><td><p><a href="https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&idpEntityID=loadbalancer-3.example.com">Logout (SOAP)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com">Single Sign-On (Browser Artifact)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP">Federation Termination (SOAP)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com&binding=HTTP-POST">Persistent Federation (Browser POST)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com">Logout (HTTP)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com&binding=HTTP-POST">Single Sign-On (Browser POST)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-9.siroe.com:3443/federation/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com&requestType=Terminate">Federation Termination (HTTP)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><B>IDP Initiated Profiles</B></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSSOInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com">Persistent Federation (Browser Artifact)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP">Logout (SOAP)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSSOInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com">Single Sign-On (Browser Artifact)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&requestType=Terminate">Federation Termination (SOAP)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSSOInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&binding=HTTP-POST">Persistent Federation (Browser POST)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com">Logout (HTTP)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpSSOInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&binding=HTTP-POST">Single Sign-On (Browser POST)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
<tr><td><p><a href="https://loadbalancer-3.example.com:9443/amserver/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/users/idp&spEntityID=loadbalancer-9.siroe.com&requestType=Terminate">Federation Termination (HTTP)</a></p></td></tr>
<tr><td colspan="1"> </td></tr>
</table>
</td>
</tr>
</table>
</body>
</html>