Deployment Example 2: Federation Using SAML v2

5.5 Configuring the Federation Manager Authentication Service to Work with the Directory Servers

Use the following as your checklist for configuring the Federation Manager authentication service:

  1. Migrate the Federation Manager User Data to the Directory Server User data store.

  2. Verify that LDAP authentication works properly.

Procedure: To Migrate the Federation Manager User Data to the Directory Server User Data Store

  1. Go to the Federation Manager 1 URL:

    http://FederationManager-1.siroe.com:8080/federation/UI/Login

    Notice that above the User Name field, the text says “This server uses flat file authentication scheme.”

  2. Log in to the Federation Manager 1 console:

    User Name

    amadmin

    Password

    11111111

  3. Add a new authentication service.

    1. Click the Organization tab.

    2. Click the Authentication subtab, and then click Add.

    3. In the list of Authentication Modules, select LDAP, and then click Next.

    4. On the LDAP page, provide the following information:

      Primary LDAP Server List:

      Add LoadBalancer-8.siroe.com:1389.

      DN to Start User Search List:

      Add o=siroeusers.com.

      DN for Root User Bind:

      cn=fmldapuser,ou=People,o=siroeusers.com

      This root DN is used by the authentication module to create a connection to the Directory Server. This eliminates the need to authenticate each user by individual uid.

      Password for Root User Bind:

      00000000

      Password for Root User Bind (confirm):

      00000000

      Attribute used to Retrieve User Profile:

      uid

      Attribute Used to Search for a User to be Authenticated:

      uid

    5. Click Assign.

  4. On the Authentication page, locate the module named Core, and click its Edit link.

  5. On the Core page, provide the following information:

    Organization Authentication Modules:

    Choose Flatfile, LDAP and SAMLv2.

    People Container for All Users:

    Add to the list ou=People,o=siroeusers.com.

    Click Save.

  6. Verify that LDAP is included as an Organizational Attribute.

    Click the Configuration tab. On the Configuration tab, under Authentication, click Core.

    On the Core page, under Organization Attributes, verify that Flatfile, LDAP, and SAMLv2 are included in the list of Organization Authentication Modules.

  7. In the Directory Server, create a user named fmldapuser.

    This user is the Federation Manager user that can access the Directory Server. It has read, write, and search permissions in the o=siroeusers.com branch of the Directory Server.

    1. Create an LDIF file named fmldapuser.ldif with the following entries:


      dn: cn=fmldapuser,ou=People,o=siroeusers.com
      changetype: add
      objectclass: inetuser
      objectclass: organizationalperson
      objectclass: person
      objectclass: top
      cn: fmldapuser
      sn: fmldapuser
      userPassword: 00000000

      # Entries are separated by an empty line; continuation lines of a long
      # value (the aci below) must begin with a single space.
      dn: o=siroeusers.com
      changetype: modify
      add: aci
      aci: (target="ldap:///o=siroeusers.com")(targetattr="*")
       (version 3.0; acl "FM special ldap auth user rights";
       allow (read,search) userdn =
       "ldap:///cn=fmldapuser,ou=People,o=siroeusers.com"; )
    2. Load ./fmldapuser.ldif into Directory Server 1.


      # ldapmodify -D "cn=Directory Manager" -w d1rm4ngr \
      -h LoadBalancer-8.siroe.com -p 1389 -f ./fmldapuser.ldif
  8. Change the default authentication module from Flat File to LDAP.

    1. Log in to the Federation Manager 1 host.

    2. Go to the following directory:


      /opt/SUNWam/fm/bin
    3. Create a file named ldap.xml that contains the following entries:


      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!--
          Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
          Use is subject to license terms.
      -->

      <!DOCTYPE Requests
          PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
          "jar://com/iplanet/am/admin/cli/amAdmin.dtd">

      <!--  CREATE REQUESTS -->

      <Requests>
      <OrganizationRequests DN="o=siroe.com">
          <ModifyServiceTemplate serviceName="iPlanetAMAuthService"
              schemaType="Organization">
              <AttributeValuePair>
                  <Attribute name="iplanet-am-auth-org-config" />
                  <Value>&lt;AttributeValuePair&gt;&lt;Value&gt;com.sun.identity.authentication.modules.ldap.LDAP REQUIRED&lt;/Value&gt;&lt;/AttributeValuePair&gt;</Value>
              </AttributeValuePair>
          </ModifyServiceTemplate>
      </OrganizationRequests>
      </Requests>

      The iplanet-am-auth-org-config attribute and its AttributeValuePair value, which sets the LDAP module as the REQUIRED organization authentication module, are the significant changes made to the configuration.

    4. Load ldap.xml.


      # ./amadmin -i /var/opt/SUNWam/fm/war-staging -u amadmin -w 11111111 -t ldap.xml
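As an added example (not code from the guide or from Federation Manager itself), the following Python builds the same amAdmin request as the ldap.xml above and reads the configured module chain back out of a request file. The function names are mine; the only values taken from the page are the DTD identifiers, the service name and the iplanet-am-auth-org-config attribute.

```python
import xml.etree.ElementTree as ET

# DOCTYPE exactly as in the guide's ldap.xml; amAdmin validates requests against it.
DOCTYPE = ('<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager '
           '2005Q4 Admin CLI DTD//EN" "jar://com/iplanet/am/admin/cli/amAdmin.dtd">')
AUTH_ATTR = "iplanet-am-auth-org-config"


def build_auth_request(org_dn, chain):
    """Return an amAdmin request that sets the organization's auth chain.
    chain: list of (module_class, flag) pairs. The chain is itself an XML
    fragment that must travel as *text* inside the outer <Value>; ElementTree
    escapes it once (&lt; &gt;), giving the double-encoded form seen in ldap.xml."""
    inner = "".join("<AttributeValuePair><Value>%s %s</Value></AttributeValuePair>"
                    % (mod, flag) for mod, flag in chain)
    requests = ET.Element("Requests")
    org = ET.SubElement(requests, "OrganizationRequests", DN=org_dn)
    tmpl = ET.SubElement(org, "ModifyServiceTemplate",
                         serviceName="iPlanetAMAuthService", schemaType="Organization")
    avp = ET.SubElement(tmpl, "AttributeValuePair")
    ET.SubElement(avp, "Attribute", name=AUTH_ATTR)
    ET.SubElement(avp, "Value").text = inner
    body = ET.tostring(requests, encoding="unicode")
    return '<?xml version="1.0" encoding="ISO-8859-1"?>\n%s\n%s\n' % (DOCTYPE, body)


def parse_auth_chain(xml_text):
    """Inverse: recover the (module, flag) chain so an ldap.xml can be checked before loading."""
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    chain = []
    for avp in root.iter("AttributeValuePair"):
        attr = avp.find("Attribute")
        if attr is None or attr.get("name") != AUTH_ATTR:
            continue
        # .text has been unescaped once by the parser: it is the inner fragment.
        inner = ET.fromstring("<chain>%s</chain>" % avp.findtext("Value"))
        for value in inner.iter("Value"):
            mod, flag = value.text.split()
            chain.append((mod, flag))
    return chain


if __name__ == "__main__":
    # The guide's change: Flat File -> LDAP as the single REQUIRED module.
    ldap_xml = build_auth_request(
        "o=siroe.com", [("com.sun.identity.authentication.modules.ldap.LDAP", "REQUIRED")])
    print(ldap_xml)
    print(parse_auth_chain(ldap_xml))
```

Running parse_auth_chain over a hand-written ldap.xml catches a missing `<` or a line break inside the escaped fragment, which amAdmin would otherwise reject or misread.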

Procedure: To Verify that LDAP Authentication Works Properly

  1. Go to the following Federation Manager URL:

    http://FederationManager-1.siroe.com:8080/federation/UI/Login

    The Federation Manager login page displays the following message: “This server uses LDAP Authentication.”

  2. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

    If you can log in successfully, then the LDAP Authentication module was able to bind as the root user to the fm-config instance of Directory Server 3SP.

  3. Create a test user in the fm-users instance of Directory Server 3SP.

    1. Start the Directory Server 3SP console.


      # cd /var/opt/mps/serverroot/ 
      # ./startconsole &
    2. In Directory Server 3SP, expand the Server Group, and open the fm-users instance.

    3. Open the fm-users console, and click the Directory Tab.

    4. On the Directory Tab, under the o=siroeusers.com suffix, right-click the People container.

      Choose New > User.

    5. In the Create New User dialog, provide the following information:

      First Name:

      Test

      Last Name:

      User

      User ID:

      testuser1

      Password:

      11111111

      Click OK.

  4. Go to the following Federation Manager URL:

    http://FederationManager-1.siroe.com:8080/federation/UI/Login

  5. Log in to the Federation Manager console:

    User Name:

    testuser1

    Password:

    11111111

    If you can log in successfully, then the LDAP Authentication module was able to successfully bind the new user to the fm-users instance of Directory Server 3SP.