Deployment Example 2: Federation Using SAML v2

Part IV Exchanging Metadata Between Identity Provider and Service Provider

Chapter 11 Loading Identity Provider and Service Provider Metadata

This chapter provides instructions for making Service Provider metadata available to the Identity Provider, and for making Identity Provider metadata available to the Service Provider.

11.1 Loading Service Provider Metadata into the Access Manager Servers

Use the following as your checklist for enabling the exchange of metadata between the Service Provider and Identity Provider:

  1. Load the Service Provider metadata into the Identity Provider servers.

  2. Load the Identity Provider metadata into the Service Provider servers.

Procedure To Load the Service Provider Metadata into the Identity Provider Servers

  1. As a root user, log into the Access Manager 1 host.

  2. Copy the following Service Provider configuration files from the Federation Manager 1 host to the Access Manager 1 host:


    /etc/opt/SUNWam/config/saml2-sp-template.xml
    /etc/opt/SUNWam/config/saml2-sp-extended-template.xml

    In this deployment example, the files are copied to the following directory on the Access Manager host:


    /etc/opt/SUNWam/config/
  3. Customize the saml2-sp-extended-template.xml file.

    1. Go to the following directory:


      /etc/opt/SUNWam/config/
    2. Open the file saml2-sp-extended-template.xml.

    3. Set the following parameter value:


      <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
                    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
                    hosted="0"

      A value of 0 indicates that the configuration comes from a remote host. A value of 1 indicates that the configuration is provided by the local host.

      Save the file.

  4. Load the customized Service Provider configuration files.


    # /opt/SUNWam/saml2/bin/saml2meta
    import -u amadmin -w 4m4dmin1 -r /users
    -m /etc/opt/SUNWam/config/saml2-sp-template.xml
    -x /etc/opt/SUNWam/config/saml2-sp-extended-template.xml
  5. Restart the Access Manager Servers.

    1. As a root user, log into the Access Manager 1 host.


      # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com
      # ./stop;./start
    2. As a root user, log into the Access Manager 2 host.


      # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com
      # ./stop;./start
  6. Verify that both Service Provider and Identity Provider belong to the same circle of trust.

    Run the cotmember command to display a list of entities in the circle of trust.


    # /opt/SUNWam/saml2/bin/saml2meta cotmember -u amadmin -w 4m4dmin1
    -r /users -t saml2_circle_of_trust
    Entity ID:LoadBalancer-9.siroe.com
    Entity ID:LoadBalancer-3.example.com
    Circle of trust "saml2_circle_of_trust" is listed successfully. 

Procedure To Load the Identity Provider Metadata into the Service Provider Servers

  1. As a root user, log into the Federation Manager 1 host.

  2. Copy the following Identity Provider configuration files from the Access Manager host to the Federation Manager host:


    /etc/opt/SUNWam/config/saml2-idp-template.xml
    /etc/opt/SUNWam/config/saml2-idp-extended-template.xml

    In this deployment example, the files are copied to the following directory on the Federation Manager host:


    /etc/opt/SUNWam/config/
  3. Customize the saml2-idp-extended-template.xml file.

    1. Go to the following directory:


      # cd /etc/opt/SUNWam/config/
    2. Open the saml2-idp-extended-template.xml file.


      # vi saml2-idp-extended-template.xml

    3. Set the following parameter value:


      <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
                    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
                    hosted="0"

      A value of 0 indicates that the configuration comes from a remote host. A value of 1 indicates that the configuration is provided by the local host.

      Save the file.

  4. Load the customized Identity Provider configuration files.


    # /opt/SUNWam/saml2/bin/saml2meta 
    -i /var/opt/SUNWam/fm/war_staging import -u amadmin -w 11111111
    -m /etc/opt/SUNWam/config/saml2-idp-template.xml 
    -x /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
    File "/etc/opt/SUNWam/config/idp/saml2-idp-template.xml" was 
    imported successfully.
    File "/etc/opt/SUNWam/config/idp/saml2-idp-extended-template.xml" was 
    imported successfully.
  5. Restart the Federation Manager Servers.

    1. As a root user, log into the Federation Manager 1 host.


      # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
      # ./stop; ./start
    2. As a root user, log into the Federation Manager 2 host.


      # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
      # ./stop; ./start
  6. Verify that both Service Provider and Identity Provider belong to the same circle of trust.

    Run the cotmember command to display a list of entities in the circle of trust.


    # /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging 
    cotmember -u amadmin -w 11111111 -t saml2_circle_of_trust
    Entity ID:loadbalancer-9.siroe.com
    Entity ID:loadbalancer-3.example.com
    Circle of trust "saml2_circle_of_trust" is listed successfully. 
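Both import procedures in this chapter depend on the same two conditions: the extended configuration copied from the peer must be marked hosted="0" before it is loaded, and the final cotmember listing must show both entities. The following Python script is an added example, not part of this deployment guide or of the saml2meta tool. It checks a metadata/extended-metadata pair before import (the two files name the same entity, and the extended file carries the expected hosted value) and parses cotmember output to confirm the required entity IDs are present. The XML fragments and the cotmember output embedded in it are constructed for the example; the entityID attribute on EntityConfig and the EntityDescriptor root of the standard metadata file are assumed from the standard SAML 2.0 metadata and Sun extended-config formats rather than taken from this page.

```python
"""Pre-import sanity checks for a SAMLv2 metadata pair and a cotmember listing.

Added example; the sample documents below are constructed, not files from the
deployment described in the guide.
"""
import re
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # standard metadata namespace
SUN_EC_NS = "urn:sun:fm:SAML:2.0:entityconfig"        # Sun extended-config namespace

# Constructed: a trimmed standard metadata file for the Service Provider.
SP_TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="loadbalancer-9.siroe.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

# Constructed: the matching extended config exactly as it left the Service
# Provider host, i.e. still hosted="1" (the customization step has NOT been done).
SP_EXTENDED_UNEDITED = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1" entityID="loadbalancer-9.siroe.com">
  <SPSSOConfig metaAlias="/sp"/>
</EntityConfig>"""

# The same file after setting hosted="0" for import on the Identity Provider side.
SP_EXTENDED_REMOTE = SP_EXTENDED_UNEDITED.replace('hosted="1"', 'hosted="0"')

# Constructed: output in the shape saml2meta cotmember prints in this chapter.
COTMEMBER_OUTPUT = """Entity ID:loadbalancer-9.siroe.com
Entity ID:loadbalancer-3.example.com
Circle of trust "saml2_circle_of_trust" is listed successfully."""


def entity_id(xml_text, expected_ns, root_tag):
    """Return the entityID of the root element, rejecting documents of the wrong type."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}%s" % (expected_ns, root_tag):
        raise ValueError("unexpected root element %s" % root.tag)
    eid = root.get("entityID")
    if not eid:
        raise ValueError("root element %s has no entityID attribute" % root_tag)
    return eid


def check_metadata_pair(template_xml, extended_xml, expect_hosted):
    """Return a list of problems; an empty list means the pair is ready to import.

    expect_hosted is "0" when importing a peer's files (as in this chapter) and
    "1" when re-importing a locally hosted entity.
    """
    problems = []
    md_id = entity_id(template_xml, SAML_MD_NS, "EntityDescriptor")
    ec_id = entity_id(extended_xml, SUN_EC_NS, "EntityConfig")
    if md_id != ec_id:
        problems.append("entityID mismatch: metadata=%s extended=%s" % (md_id, ec_id))
    hosted = ET.fromstring(extended_xml).get("hosted")
    if hosted != expect_hosted:
        problems.append('hosted="%s" but expected hosted="%s"' % (hosted, expect_hosted))
    return problems


def cot_members(cotmember_output):
    """Extract the entity IDs from the 'Entity ID:' lines of cotmember output."""
    return [m.strip() for m in re.findall(r"^Entity ID:(.+)$", cotmember_output, re.M)]


def cot_missing(cotmember_output, required):
    """Return the required entity IDs that do not appear in the listing.

    Comparison is exact: SAML entity IDs are compared as opaque strings.
    """
    members = set(cot_members(cotmember_output))
    return [e for e in required if e not in members]


if __name__ == "__main__":
    print("unedited file:", check_metadata_pair(SP_TEMPLATE, SP_EXTENDED_UNEDITED, "0"))
    print("customized file:", check_metadata_pair(SP_TEMPLATE, SP_EXTENDED_REMOTE, "0"))
    print("missing from circle of trust:",
          cot_missing(COTMEMBER_OUTPUT,
                      ["loadbalancer-9.siroe.com", "loadbalancer-3.example.com"]))
```

Run the checks on the real files before step 4 of either procedure: a hosted="1" report means the customization step was skipped, and an entityID mismatch means the two files were not copied from the same provider. Note that the cotmember listings shown in this chapter print the same entity IDs with different capitalization on the two hosts; since the comparison here is exact, a failure caused only by case should be examined rather than silently accepted.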

Chapter 12 Verifying that SAMLv2 Protocols are Working Properly

You can perform simple tests to verify that Single Sign-On is working properly and that accounts are federated properly. This chapter covers two groups of tasks: creating test users, and testing the basic SAMLv2 protocols.

12.1 Creating Test Users

Use the following as your checklist for creating test users:

  1. Create a test Identity Provider user.

  2. Create a test Service Provider user.

Procedure To Create a Test Identity Provider User

  1. Using a browser, go to the following URL:


    https://LoadBalancer-3.example.com:9443/amserver
  2. Log into the Access Manager 1 console:

    User Name:

    amadmin

    Password:

    4m4dmin1

  3. On the Realms page, click the realm name users.

  4. On the “Edit Realm-users” page, click the Subjects tab, and then click the Users subtab.

  5. On the New User page, provide the following information:

    ID:

    idpuser

    First Name:

    idp

    Last Name:

    user

    Full Name:

    idp user

    Password:

    idpuser

    Password confirm:

    idpuser

  6. Click Create, and then log out.

Procedure To Create a Test Service Provider User

  1. Log into Directory Server 3SP console:

    User Name:

    cn=Directory Manager

    Password:

    11111111

  2. Open the DirectoryServer-3SP console, and click the Directory tab.

  3. Expand the o=siroeusers.com node.

  4. Right-click the People object, and then choose New > User.

  5. In the Create New User page, provide the following information:

    First Name:

    sp

    Last Name:

    user

    Common Name:

    sp user

    User ID:

    spuser

    Password:

    spuser

    Password confirm:

    spuser

  6. Click OK.

    The user spuser is now listed in the list of users.

12.2 Testing Basic SAMLv2 Protocols

Use the following as your checklist for testing that the basic SAMLv2 protocols are working properly:

  1. Verify that basic Login and Logout work properly.

  2. Verify that Single Sign-On works properly.

  3. Verify that Single Logout works properly.

Procedure To Verify that Basic Login and Logout Work Properly

  1. Go to the following Federation Manager URL:


    https://LoadBalancer-9.siroe.com:3443/federation/UI/Login
  2. Log in to the Federation Manager console using the following information:

    User Name:

    spuser

    Password:

    spuser

    The following message is displayed:

    Information: Welcome to Federation Manager. You have successfully authenticated.

  3. Close the Browser.

    This test verifies that Federation is configured properly and that basic login and logout operations work properly through the Federation Manager load balancer.


    Note –

    Before proceeding with SSO testing, be sure that the cookie that contains session information is deleted. You can do this in one of two ways. You can clear the browser of all cookies (see your browser documentation for detailed instructions). Or you can close the browser and reopen it.


Procedure To Verify that Single Sign-On Works Properly on Initial Login

  1. In the browser location field, enter the following URL:


    https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/
    spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com

    The Access Manager login page is displayed.

  2. Log in to the Access Manager console using the following information:

    User Name:

    idpuser

    Password:

    idpuser

    The Service Provider (Federation Manager) login page is displayed.

  3. Log in to the Federation Manager console using the following information:

    User Name:

    spuser

    Password:

    spuser

    An HTML page is displayed and contains the following message, “Single Sign-on succeeded.” Notice that the user signs in to both Access Manager and Federation Manager only on the first login.

    Do not log out or close the browser at this time. Proceed to the next task, “To Verify that Single Logout Works Properly.”

Procedure To Verify that Single Logout Works Properly

    In the browser location field, enter the following URL:


    https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/
    spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com

    An HTML page is displayed and contains the following message, “SP initiated Single Logout succeeded.”


    Note –

    Do not log out at this time. Proceed to the next task, “To Verify that Single Sign-On Works Properly on Subsequent Login.”


Procedure To Verify that Single Sign-On Works Properly on Subsequent Login

  1. In the browser location field, enter the following URL:


    https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/
    spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com

    The Access Manager login page is displayed.

  2. Log in to the Access Manager console using the following information:

    User Name:

    idpuser

    Password:

    idpuser

    An HTML page is displayed and contains the following message, “Single Sign-on succeeded.” Note that the user logs in to only Access Manager and is not prompted to log into Federation Manager. This verifies that SSO is working properly.