Sun OpenSSO Enterprise 8.0 Deployment Planning Guide
Book Information
Preface
Part I Planning the Overall Deployment
Chapter 1 Seeing the Big Picture
Understanding Identity and Access Management
Dealing with Widely Distributed Identity Information
Eliminating Ad Hoc Security Strategies
Reducing Operational Inefficiency
Enabling Effective Access Management
Leveraging Identity Federation
Why We Need It
How It Works
How Identity Federation Can Benefit Your Business
Securing Web Services
Web Services Security Industry Specifications
Security Infrastructure Requirements
Security Token Service
Web Service Client
Web Service Provider
Using Identity as a Service
Simplifying Deployment and System Administration
Chapter 2 Building the Deployment Architecture
Setting Deployment Goals
Security
High Availability
Scalability
Dedicated Data Stores
Configuration Data Store
User Data Store
Additional Information About Using IBM Tivoli Directory Server Configured as the IDRepo Data Store
Additional Information for Determining Which User Data Store to Use
Notification Support for the User Data Store
Examining a Single Sign-On Deployment Example
Identifying the Major Components
Designing the Single Sign-On Deployment Architecture
Examining a SAMLv2 Identity Federation Deployment Example
Identifying the Major Components
Identity Provider Deployment
Service Provider Deployment
Designing the SAMLv2 Identity Federation Architecture
Designing the Deployment Architecture
Chapter 3 Building the Implementation Plan
Contacting Sun
Part II Determining Which Features to Deploy
Chapter 4 Using a Policy Agent and the Client SDK to Integrate Applications with OpenSSO Enterprise
About the OpenSSO Enterprise Client SDK
About the Centralized Policy Agent Configuration
Analyzing the Deployment
Considering Assumptions, Dependencies, and Constraints
Understanding Typical Business Use Cases
Using Non-Intrusive, Policy Agent-Based Approaches to Web Resources
Leveraging Fat Clients, Custom Web Applications, and Enterprise JavaBeans
Complementing Policy Agent Functionality
Enabling Identity Federation
Enabling Web Services Security
Enabling Identity Services
Coexisting with Non-Sun Deployments
Setting Up and Configuring the Integrated Environment
Deployment Planning
Required Hardware and Software
Downloading the Client SDK
Downloading the OpenSSO Enterprise Policy Agent 3.0
Evaluating Benefits and Tradeoffs
Benefits of Using the Client SDK
Tradeoffs Using the Client SDK
Benefits of Using a Policy Agent
Finding More Information
Chapter 5 Using the OpenSSO Enterprise Fedlet to Enable Identity Federation
About the OpenSSO Enterprise Fedlet
Using The Fedlet with Multiple Identity Providers
Using an Identity Provider Discovery Service with Multiple Identity Providers
Analyzing the Deployment Architecture
Identity Provider-Initiated Single Sign-On
Fedlet Service Provider-Initiated Single Sign-On
Considering Deployment Assumptions, Dependencies, and Constraints
Assumptions and Dependencies
Constraints
Understanding Typical Business Use Cases
Saving Time and Reducing Overhead
Customizing Content Based on User Attributes
Setting Up and Configuring the Fedlet
Technical Requirements
Obtaining and Deploying the OpenSSO Fedlet Bundle
To Use the OpenSSO Enterprise Console to Create the Fedlet Bundle
To Use the Pre-Built Fedlet
To Set Up the Workflow-based Fedlet
To Use the Pre-Built Fedlet
To Use the Fedlet with Multiple Identity Providers
To Use the Fedlet with an Identity Discovery Service
Embedding the Fedlet into Service Provider Applications
Evaluating Benefits and Tradeoffs
Benefits
Tradeoffs
Finding More Information
Chapter 6 Implementing a Virtual Federation Proxy (Secure Attributes Exchange)
About Virtual Federation Proxy (Secure Attributes Exchange)
Analyzing the Deployment
Considering Assumptions, Dependencies, and Constraints
Assumptions
Constraints
Secure Attributes Exchange Client APIs
Understanding Typical Business Use Cases
Authentication at Identity Provider
Secure Attribute Exchange at the Identity Provider
Secure Attribute Exchange at the Service Provider
Global Single Logout
Setting Up and Configuring Secure Attributes Exchange
About Cryptography Type
Overview of Setup Steps
Configuring Secure Attributes Exchange
About the Software Binaries
High-level Configuration Steps
Evaluating Benefits and Tradeoffs
Benefits
Tradeoffs
Chapter 7 Implementing a SAMLv2 Identity Provider Proxy
About the SAMLv2 Identity Provider Proxy Specification
About the OpenSSO Enterprise Identity Provider Proxy
Analyzing the Deployment Architecture
Considering Assumptions, Dependencies, and Constraints
Assumptions and Dependencies
Constraints
Understanding Typical Business Cases
Single Sign-On, Introduction Cookie is Not Enabled
Single Sign-On (SSO) with Introduction Cookie Enabled
Single SAMLv2 Identity Provider Proxy Logout
Setting Up and Configuring SAMLv2 Identity Provider Proxy
Setting Up a SAMLv2 Identity Provider Proxy
Configuring the SAMLv2 Identity Provider Proxy with No Introduction Cookie
Configuring the SAMLv2 Identity Provider Proxy with the Introduction Cookie
Evaluating Benefits and Tradeoffs
Benefits
Tradeoffs
Chapter 8 Using a Multi-Federation Protocol Hub
About Identity and Web Services Federation Protocols
Analyzing the Deployment
Considering Assumptions, Dependencies, and Constraints
Constraints
Assumptions and Dependencies
Understanding Typical Business Use Cases
Setting Up and Configuring a Multi-Federation Protocol Hub
Using the Sample JSP
Evaluating Benefits and Tradeoffs
Chapter 9 Enabling Web Services Federation Between Active Directory Federation Service and OpenSSO Enterprise
Analyzing the Deployment Architecture
Considering Assumptions, Dependencies, and Constraints
Assumptions and Dependencies
Constraints
Understanding Typical Business Use Cases
OpenSSO Enterprise Acts as Service Provider
OpenSSO Enterprise Acts as Identity Provider
Setting Up and Configuring Single Sign-On Between OpenSSO Enterprise and ADFS Environments
Configuring OpenSSO Enterprise to Act as a Service Provider
Configuring OpenSSO Enterprise to Act as an Identity Provider
Evaluating Benefits and Tradeoffs
Benefits
Using OpenSSO Enterprise as Service Provider
Using OpenSSO Enterprise as Identity Provider
Tradeoffs
Finding More Information
Specifications
Guides and Overviews
Case Study
Chapter 10 Securing Web Services Using ID-WSF (Liberty Alliance Specifications)
About the Identity Web Services Framework
Analyzing the Deployments
Browser-based ID-WSF Deployment
Desktop ID-WSF Deployment
Considering Assumptions, Dependencies, and Constraints
Assumptions and Dependencies
Constraints
Understanding Typical Business Use Cases
Setting Up and Configuring ID-WSF
Evaluating Benefits and Tradeoffs
Benefits
Tradeoffs
Finding More Information
Chapter 11 Securing Web Services Using the Security Token Service (WS-* Specifications)
About Web Services Security Models
About OpenSSO Enterprise Web Services Security
Security Token Service
Web Service Security Provider
Analyzing the Deployment Architecture
Understanding Typical Business Use Cases
Use Case 1
Use Case 2
Use Case 3
Considering Assumptions, Dependencies, and Constraints
Assumptions and Dependencies
Constraints
Setting Up and Configuring Web Services Security Using Security Token Service
Evaluating Benefits and Tradeoffs
Benefits
Tradeoff
Chapter 12 Enabling Single Sign-On Between Sun Identity Manager and OpenSSO Enterprise
About Sun Identity Manager
Analyzing the Deployment Architecture
Considering the Deployment Assumptions, Dependencies, and Constraints
Assumptions
Dependencies
Constraints
Understanding Typical Business Use Cases
Setting Up and Configuring Single Sign-On Between Identity Manager and OpenSSO Enterprise
Evaluating Benefits and Tradeoffs
Benefits
Tradeoffs
Finding More Information
Chapter 13 Enabling Single Sign-On Using CA SiteMinder and OpenSSO Enterprise
About CA SiteMinder
Analyzing the Deployment Architecture Options
Considering Assumptions, Dependencies, and Constraints
Understanding Typical Business Use Cases
Simple Single Sign-On
Federated Single Sign-On
Federated Single Sign-On in an Identity Provider Environment
Federated Single Sign-On Use Case in the Service Provider Environment
Setting Up and Configuring Single Sign-On with SiteMinder and OpenSSO Enterprise
Evaluating Benefits and Tradeoffs
Benefits
Tradeoffs
Finding More Information
Chapter 14 Enabling Single Sign-On Using Oracle Access Manager and OpenSSO Enterprise
About Oracle Access Manager
Analyzing the Deployment Architecture Options
Considering Assumptions, Dependencies, and Constraints
Understanding Typical Business Use Cases
Simple Single Sign-On Use Case
Federated Single Sign-On Use Cases
Using OpenSSO Enterprise to Enable Oracle Federation in an Identity Provider Environment
Using OpenSSO Enterprise to Enable Oracle Federation in a Service Provider Environment
Setting Up and Configuring Single Sign-On Using Oracle Access Manager and OpenSSO Enterprise
Evaluating Benefits and Tradeoffs
Benefits
Tradeoffs
Chapter 15 Using the Embedded Configuration Data Store for OpenSSO Enterprise
Analyzing the Deployment Architecture
Single-Server and Multiple-Servers Modes
Replication Structure
Summary of Actual Replication Test Results
Understanding Typical Business Use Cases
Considering Assumptions, Dependencies, and Constraints
Assumptions
Dependencies and Constraints
Configuring the Embedded Configuration Data Store for OpenSSO Enterprise
Evaluating Benefits and Tradeoffs
Benefits
Tradeoffs
Finding More Information
Chapter 16 Implementing Cross-Domain Single Sign-On with Cookie Hijacking Prevention
About Cross-Domain Single Sign-On
The Policy Agent's Role in CDSSO
The Java EE Policy Agent's Role
The Web Policy Agent's Role in CDSSO
About Cookie Hijacking Prevention
Key Cookie Hijacking Security Issues and Solutions
Shared Session Cookies Security Issue
OpenSSO Enterprise Solution
Access to User Profile Attributes Security Issue
OpenSSO Enterprise Solution
OpenSSO Enterprise Session Cookies Involved in Issuing Unique SSO Tokens
Analyzing the Deployment Architecture
Considering Assumptions, Dependencies, and Constraints
Assumptions and Dependencies
Constraints
Understanding Typical Business Use Cases
Java EE Policy Agent Use Case 1: Accessing a Protected Resource in the Primary Domain First
Java EE Policy Agent Use Case 2: Accessing a Protected Resource in a Non-Primary Domain First
Web Policy Agent Use Case 1: Accessing a Protected Resource in the Primary Domain First
Web Policy Agent Use Case 2: Accessing a Protected Resource in the Non-Primary Domain First
Configuring CDSSO and Cookie Hijacking Prevention
To Enable CDSSO and Cookie Hijacking Prevention in Java EE Policy Agent
To Enable CDSSO and Cookie Hijacking Prevention in the Web Policy Agent
Evaluating Benefits and Trade-offs
Chapter 17 Configuring System Failover and Session Failover for High Availability
About High Availability
System Failover
Session Failover
OpenSSO Enterprise Sites
Single-Site Configuration
Multiple-Site Configuration
Analyzing the Deployment Architecture
Understanding a Typical High-Availability Transaction
Understanding High Availability Configuration Examples
Single OpenSSO Enterprise Server Load Balancer in Single Site, No Session Failover
Multiple OpenSSO Enterprise Server Load Balancers in a Single Site, No Session Failover
Multiple OpenSSO Enterprise Server Load Balancers in Multiple Sites, No Session Failover
Single OpenSSO Enterprise Server Load Balancer in a Single Site with Session Failover
Multiple OpenSSO Enterprise Server Load Balancers in a Single Site with Session Failover
Multiple OpenSSO Enterprise Server Load Balancers in Multiple Sites with Session Failover
Considering Assumptions and Dependencies
Assumptions
Using Java Message Queue Broker and Berkeley Database for Session Failover
Configuring OpenSSO Enterprise for High Availability
Evaluating Benefits and Trade-Offs
Benefits
Trade-Offs
Chapter 18 Using the Windows Desktop Single Sign-On Authentication Module
About Kerberos Authentication and the SPNEGO Protocol
About the OpenSSO Windows Desktop SSO Authentication Module
Analyzing the Deployment Architecture
Considering Dependencies and Constraints
Understanding Typical Business Use Cases
Evaluating Benefits and Tradeoffs
Configuring Basic Windows Desktop SSO Authentication
Configuring a Kerberos Domain Controller on Windows or UNIX
To Configure a UNIX Kerberos Domain Controller
To Configure Windows Active Directory and Domain Controller
To Synchronize the OpenSSO Enterprise and Kerberos Domain Controller Clocks
Configuring the Domain Controller
Configuring DNS Mapping on the Windows Domain Controller
Configuring a Windows XP Workstation to Join the Kerberos Domain Controller Realm
To Configure a Windows XP Workstation to Join an Active Directory Domain Controller During Installation
To Create the Windows XP User's Local Account
To Configure an Existing Windows XP Workstation to Join an Active Directory Controller
To Configure an Existing Windows XP Workstation to Join a UNIX Kerberos Domain
Configuring the Browser
To Configure Microsoft Internet Explorer
To Configure Mozilla or Firefox
To Configure Apple Safari
To Configure the OpenSSO Enterprise Windows Desktop SSO Authentication Module
Complex Configurations
Chaining Multiple Authentication Modules
To Configure Authentication Chaining
To Test Authentication Chaining
To Use the Windows Desktop SSO Authentication Module with a Load Balancer
Using the Windows Desktop SSO Authentication Module with Multiple Kerberos Domain Controllers
To Locate the Trust Configuration Window
To Promote the Domain Controller Functional Level
Using the Debugging Tools
Network Identity Manager
kinit
klist
ktpass
ksetup
Troubleshooting Windows Desktop SSO Authentication Issues
Error Message: Unauthorized Access
Error Message: Service Login Error
LoginException: Clock skew too great
LoginException: kdc.example.com
LoginException: Client not found in Kerberos database
GSSException: Failure unspecified at GSS-API level
Exception: Pre-authentication information was invalid
Error Message: Cannot establish context
Error Message: Authentication failed
Error Message: User has no profile in this organization
Authentication Doesn't Work with Load Balancer
Chapter 19 Accessing OpenSSO from Outside a Secure Intranet
Using OpenSSO Distributed Authentication User Interface
Using a Reverse Proxy
Using Policy Agents with Reverse Proxy
Using a Single Policy Agent
Using Multiple Policy Agents
© 2010, Oracle Corporation and/or its affiliates