This chapter provides instructions for making Service Provider metadata available to the Identity Provider, and for making Identity Provider metadata available to the Service Provider.
Use the following as your checklist for enabling the exchange of metadata between the Service Provider and Identity Provider:
Load the Service Provider metadata into the Identity Provider servers.
Load the Identity Provider metadata into the Service Provider servers.
As a root user, log into the Access Manager 1 host.
Copy the following Service Provider configuration files from the Federation Manager 1 host to the Access Manager 1 host:
/etc/opt/SUNWam/config/saml2-sp-template.xml
/etc/opt/SUNWam/config/saml2-sp-extended-template.xml
In this deployment example, the files are copied to the following directory on the Access Manager host:
/etc/opt/SUNWam/config/
Customize the saml2-sp-extended-template.xml file.
Go to the following directory:
/etc/opt/SUNWam/config/
Open the file saml2-sp-extended-template.xml.
Set the following parameter value:
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="0"
A value of 0 indicates that this configuration describes a provider on a remote host. A value of 1 indicates that the configuration is provided by the local host.
Save the file.
Load the customized Service Provider configuration files.
# /opt/SUNWam/saml2/bin/saml2meta import -u amadmin -w 4m4dmin1 -r /users -m /etc/opt/SUNWam/config/saml2-sp-template.xml -x /etc/opt/SUNWam/config/saml2-sp-extended-template.xml
Restart the Access Manager servers.
Verify that both Service Provider and Identity Provider belong to the same circle of trust.
Run the cotmember command to display a list of entities in the circle of trust.
# /opt/SUNWam/saml2/bin/saml2meta cotmember -u amadmin -w 4m4dmin1 -r /users -t saml2_circle_of_trust
Entity ID:LoadBalancer-9.siroe.com
Entity ID:LoadBalancer-3.example.com
Circle of trust "saml2_circle_of_trust" is listed successfully.
As a root user, log into the Federation Manager 1 host.
Copy the following Identity Provider configuration files from the Access Manager host to the Federation Manager host:
/etc/opt/SUNWam/config/saml2-idp-template.xml
/etc/opt/SUNWam/config/saml2-idp-extended-template.xml
In this deployment example, the files are copied to the following directory on the Federation Manager host:
/etc/opt/SUNWam/config/
Customize the saml2-idp-extended-template.xml file.
Go to the following directory:
# cd /etc/opt/SUNWam/config/
Open the saml2-idp-extended-template.xml file:
# vi saml2-idp-extended-template.xml
Set the following parameter value:
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="0"
A value of 0 indicates that this configuration describes a provider on a remote host. A value of 1 indicates that the configuration is provided by the local host.
Save the file.
Load the customized Identity Provider configuration files.
# /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging import -u amadmin -w 11111111 -m /etc/opt/SUNWam/config/saml2-idp-template.xml -x /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
File "/etc/opt/SUNWam/config/idp/saml2-idp-template.xml" was imported successfully.
File "/etc/opt/SUNWam/config/idp/saml2-idp-extended-template.xml" was imported successfully.
Restart the Federation Manager Servers.
Verify that both Service Provider and Identity Provider belong to the same circle of trust.
Run the cotmember command to display a list of entities in the circle of trust.
# /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fn/war_staging cotmember -u amadmin -w 11111111 -t saml2_circle_of_trust
Entity ID:loadbalancer-9.siroe.com
Entity ID:loadbalancer-3.example.com
Circle of trust "saml2_circle_of_trust" is listed successfully.
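Before restarting servers on either side of the exchange (the SP-metadata-on-Access-Manager procedure and the IdP-metadata-on-Federation-Manager procedure above), it is worth confirming that the copied extended template really carries hosted="0" and that the expected entity IDs are listed by cotmember. The following Python script is an added example, not code from the Sun deployment guide; it assumes the extended template carries an entityID attribute on EntityConfig, and the sample XML and cotmember output are constructed stand-ins.

```python
import re
import xml.etree.ElementTree as ET

ENTITYCONFIG_NS = "urn:sun:fm:SAML:2.0:entityconfig"

# Constructed stand-in for a copied saml2-sp-extended-template.xml; the
# entityID attribute on EntityConfig is an assumption of this example.
SAMPLE_EXTENDED_XML = (
    f'<EntityConfig xmlns="{ENTITYCONFIG_NS}" xmlns:fm="{ENTITYCONFIG_NS}" '
    'hosted="0" entityID="loadbalancer-9.siroe.com">'
    '<SPSSOConfig metaAlias="/sp"/></EntityConfig>'
)

# Constructed stand-in for what `saml2meta cotmember` prints.
SAMPLE_COTMEMBER_OUTPUT = """Entity ID:loadbalancer-9.siroe.com
Entity ID:loadbalancer-3.example.com
Circle of trust "saml2_circle_of_trust" is listed successfully."""


def check_extended_config(xml_text, expect_hosted):
    """Return the entityID if the hosted flag matches, else raise ValueError.
    A copied remote provider's config must be hosted="0"; only the local
    provider's own config is hosted="1"."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{ENTITYCONFIG_NS}}}EntityConfig":
        raise ValueError(f"unexpected root element {root.tag}")
    hosted = root.get("hosted")
    if hosted != expect_hosted:
        raise ValueError(f'hosted="{hosted}", expected "{expect_hosted}"')
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityConfig has no entityID attribute")
    return entity_id


def parse_cotmember(output):
    """Return (circle-of-trust name or None, set of listed entity IDs)."""
    members = {m.group(1).strip()
               for m in re.finditer(r"^Entity ID:(.+)$", output, re.M)}
    cot = re.search(r'Circle of trust "([^"]+)" is listed successfully', output)
    return (cot.group(1) if cot else None), members


def missing_from_cot(output, expected_ids):
    """Expected entity IDs absent from the cotmember listing. Compared
    case-insensitively: the guide's output shows LoadBalancer-9.siroe.com
    on one host and loadbalancer-9.siroe.com on the other."""
    listed = {m.lower() for m in parse_cotmember(output)[1]}
    return {e for e in expected_ids if e.lower() not in listed}
```

Run check_extended_config against the copied file with "0" on the importing host, then feed the real cotmember output to missing_from_cot with both load balancer entity IDs; an empty result means both providers are in the circle of trust.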
You can perform simple tests to verify that Single Sign-On is working properly and that accounts are federated properly. This chapter provides detailed information about the following groups of tasks:
Use the following as your checklist for creating test users:
Using a browser, go to the following URL:
https://LoadBalancer-3.example.com:9443/amserver
Log into the Access Manager 1 console:
User Name: amadmin
Password: 4m4din1
On the Realms page, click the realm name users.
On the “Edit Realm-users” page, click the Subjects tab, and then click the Users subtab.
On the New User page, provide the following information:
ID: idpuser
First Name: idp
Last Name: user
Full Name: idp user
Password: idpuser
Password (confirm): idpuser
Click Create, and then log out.
Log into the Directory Server 3SP console:
Distinguished Name: cn=Directory Manager
Password: 11111111
Open the DirectoryServer-3SP console, and click the Directory tab.
Expand the o=siroeusers.com node.
Right-click the People object, and then choose New > User.
In the Create New User page, provide the following information:
First Name: sp
Last Name: user
Common Name: sp user
User ID: spuser
Password: spuser
Confirm Password: spuser
Click OK.
The user spuser is now listed in the list of users.
Use the following as your checklist for testing that the basic SAMLv2 protocols are working properly:
Go to the following Federation Manager URL:
https://LoadBalancer-9.siroe.com:3443/federation/UI/Login
Log in to the Federation Manager console using the following information:
User Name: spuser
Password: spuser
The following message is displayed:
Information: Welcome to Federation Manager. You have successfully authenticated.
Close the Browser.
This test verifies that Federation is configured properly and that basic login and logout operations work properly through the Federation Manager load balancer.
Before proceeding with SSO testing, be sure that the cookie that contains session information is deleted. You can do this in one of two ways. You can clear the browser of all cookies (see your browser documentation for detailed instructions). Or you can close the browser and reopen it.
In the browser location field, enter the following URL:
https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
The Access Manager login page is displayed.
Log in to the Access Manager console using the following information:
User Name: idpuser
Password: idpuser
The Service Provider (Federation Manager) login page is displayed.
Log in to the Federation Manager console using the following information:
User Name: spuser
Password: spuser
An HTML page is displayed and contains the following message, “Single Sign-on succeeded.” Notice that the user signs in to both Access Manager and Federation Manager only on the first login.
Do not log out or close the browser at this time. Proceed to the next task, “To Verify that Single Logout Works Properly.”
In the browser location field, enter the following URL:
https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
An HTML page is displayed and contains the following message, “SP initiated Single Logout succeeded.”
Do not log out at this time. Proceed to the next task, “To Verify that Single Sign-On Works Properly on Subsequent Login.”
In the browser location field, enter the following URL:
https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
The Access Manager login page is displayed.
Log in to the Access Manager console using the following information:
User Name: idpuser
Password: idpuser
An HTML page is displayed and contains the following message, “Single Sign-on succeeded.” Note that the user logs in to only Access Manager and is not prompted to log into Federation Manager. This verifies that SSO is working properly.