Sun OpenSSO Enterprise 8.0 Administration Guide

Procedure: To Enable Access Control Using Agents

  1. Create a SAMLv2 identity provider. For more information, see To Create a SAMLv2 Entity Provider.

  2. Create a SAMLv2 service provider.

  3. Install the Sun Policy Agents 3.0 to protect the service provider configured on the instance of OpenSSO Enterprise.

    For more information, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents.

  4. In the OpenSSO Enterprise console, go to Access Control>Realms>Agents and select the web policy agent profile you wish to configure.

  5. Go to the OpenSSO Services sub tab and edit the OpenSSO Login URL attribute.

    Its value is a URL (appended with the NameIDFormat=transient query parameter) that points to a single sign-on JSP on the service provider side:

    SP-protocol://SP-host:SP-port/service-deploy-uri/saml2/jsp/spSSOInit.jsp?NameIDFormat=transient&metaAlias=SP-metaAlias&idpEntityID=IDP_EntityID

    For example:

    http://example1.com:58080/opensso/saml2/jsp/spSSOInit.jsp?NameIDFormat=transient&metaAlias=/sp&idpEntityID=sample.com

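    The login URL above is easy to mistype, and a missing NameIDFormat=transient or metaAlias parameter only shows up later as a failed single sign-on. The following is an added example, not part of the guide or of OpenSSO itself: it assembles the URL from its parts in the shape step 5 describes and checks an existing agent login URL for the three parameters. The sample URL is the guide's own example value; the function names and the optional expected host check are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Sample value copied from step 5 of the guide (not taken from a live deployment).
SAMPLE_LOGIN_URL = (
    "http://example1.com:58080/opensso/saml2/jsp/spSSOInit.jsp"
    "?NameIDFormat=transient&metaAlias=/sp&idpEntityID=sample.com"
)

# Query parameters the agent login URL must carry; None means "any non-empty value".
REQUIRED_PARAMS = {"NameIDFormat": "transient", "metaAlias": None, "idpEntityID": None}
SP_SSO_JSP = "/saml2/jsp/spSSOInit.jsp"


def build_sp_login_url(scheme, host, port, deploy_uri, meta_alias, idp_entity_id):
    """Assemble the service-provider login URL from its components.

    The metaAlias value starts with a slash (e.g. "/sp"); safe="/" keeps it
    readable instead of percent-encoding it, matching the guide's example.
    """
    query = urlencode(
        [("NameIDFormat", "transient"), ("metaAlias", meta_alias), ("idpEntityID", idp_entity_id)],
        safe="/",
    )
    return f"{scheme}://{host}:{port}/{deploy_uri.strip('/')}{SP_SSO_JSP}?{query}"


def check_login_url(url, expected_sp_host=None):
    """Return a list of problems with an OpenSSO Login URL; an empty list means it is well formed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if not parts.path.endswith(SP_SSO_JSP):
        problems.append("path does not point at the service provider single sign-on JSP")
    # Optional sanity check: the URL should point at the SP host, not somewhere else.
    if expected_sp_host and parts.hostname != expected_sp_host:
        problems.append(f"host {parts.hostname!r} is not the service provider host {expected_sp_host!r}")
    query = parse_qs(parts.query, keep_blank_values=True)
    for name, expected in REQUIRED_PARAMS.items():
        values = query.get(name)
        if not values or values == [""]:
            problems.append(f"missing query parameter {name}")
        elif expected is not None and values[0] != expected:
            problems.append(f"{name} is {values[0]!r}, expected {expected!r}")
    return problems


if __name__ == "__main__":
    print(build_sp_login_url("http", "example1.com", 58080, "opensso", "/sp", "sample.com"))
    print("problems:", check_login_url(SAMPLE_LOGIN_URL, expected_sp_host="example1.com"))
```

    Run it against the value you pasted into the agent profile; an empty problem list is what you want before moving on to step 6.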
  6. (Required only if using Web Agent 2.1) Set the value of the com.sun.am.policy.am.library.loginURL property to the service provider's login URL so the agent can authenticate itself.

    If the login URL is a URL that initiates a SAML v2 single sign-on interaction, the value of this property will be used to authenticate the agent itself to your instances of OpenSSO Enterprise. An example value might be http://host:port/opensso/UI/Login.

  7. Modify spSSOInit.jsp on the service provider side to use the goto parameter as the value for RelayState.

    The differences are as follows:

    ***************
    *** 143,148 ****
    --- 143,154 ----
    }
    idpEntityID = request.getParameter("idpEntityID");
    paramsMap = SAML2Utils.getParamsMap(request);
    + String gotoURL = (String) request.getParameter("goto");
    + if (gotoURL != null) {
    + List list = new ArrayList();
    + list.add(gotoURL);
    + paramsMap.put(SAML2Constants.RELAY_STATE, list);
    + }
    if ((idpEntityID == null) || (idpEntityID.length() == 0)) {
    // get reader url
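    Review bot: the goto value added in this hunk is copied straight from the request into RelayState with no validation, so whatever URL a caller supplies to spSSOInit.jsp is carried through the SAML exchange and becomes the post-login return target; before `paramsMap.put(SAML2Constants.RELAY_STATE, list);` check gotoURL against the service provider's own host or a configured list of permitted return URLs and leave RelayState unset when it does not match. Minor: `List list = new ArrayList();` uses raw types; `List<String>` matches the single String being added and avoids the unchecked warning.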
  8. Set up single sign-on without requiring writes to the data store by following the procedure described in To Achieve Single Sign-on Without Data Store Writes.

    To test, assume the employeenumber attribute stores the user's role. In addition, the identity provider should have the following configured users:

    • User 1 has employeenumber set to manager (the manager's role).

    • User 2 has employeenumber set to employee (the employee's role).

  9. Create a policy with the Session Property condition on the service provider instance of OpenSSO Enterprise.

    1. Log in to the OpenSSO Enterprise console as the top-level administrator (by default, amadmin).

    2. Under the Access Control tab, select the appropriate realm.

    3. Select the Policies tab.

    4. Click New Policy.

    5. Enter a name for the policy.

    6. Click New under Rules.

    7. Select URL Policy Agent (with resource name) and click Next.

    8. Enter a name for the rule.

    9. Enter the application's URL as the value for Resource Name.

    10. Select Allow under both GET and POST and click Finish.

    11. Click New under Conditions.

    12. Select Session Property and click Next.

    13. Enter a name for the condition.

    14. Click Add under Values.

    15. Enter the single sign-on token property name as the value for Property Name.

      To test, use employeenumber.

    16. Add the match value to the Values field and click Add.

      To test, use manager.

    17. Click Add to return to the New Condition page.

    18. Click Finish to save the condition.

    19. Click Create to create the policy.

    For more information on creating policies, see Creating Policies and Referrals.

  10. Access the application using a web browser.

    You will be redirected to the service provider single sign-on JSP defined in the previous step. From there, you will be redirected to the identity provider to log in. Single sign-on with the service provider will be accomplished using SAML v2 and, finally, you will be redirected back to the application for policy enforcement. If you logged in as User 1, you will be allowed to access the application as a manager, which is allowed by the policy. If you logged in as User 2, an employee, you will be denied access to the application.
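    To make the outcome of steps 8 through 10 concrete, here is an added example (not OpenSSO code, and a deliberately simplified model of its policy engine): a policy with one URL rule allowing GET and POST and one Session Property condition on employeenumber, evaluated against two constructed session tokens for User 1 (manager) and User 2 (employee). The application URL, the wildcard matching and the session-property layout are assumptions of this example; in OpenSSO a policy whose condition fails is simply not applicable, and with no applicable policy the agent denies, which the model reproduces as a default deny.

```python
import fnmatch

# Constructed policy mirroring step 9: URL Policy Agent rule on the application,
# GET and POST allowed, plus a Session Property condition employeenumber == manager.
POLICY = {
    "name": "manager-only-app",
    "rules": [
        {
            "resource": "http://app.example.com:8080/app/*",  # hypothetical application URL
            "actions": {"GET": "allow", "POST": "allow"},
        }
    ],
    "conditions": [
        {"type": "SessionProperty", "property": "employeenumber", "values": {"manager"}}
    ],
}

# Constructed single sign-on session properties for the two test users from step 8.
SESSIONS = {
    "user1": {"employeenumber": ["manager"]},
    "user2": {"employeenumber": ["employee"]},
}


def resource_matches(pattern, url):
    """Simplified resource matching: '*' matches any run of characters, including '/'."""
    return fnmatch.fnmatchcase(url, pattern)


def condition_holds(condition, session_props):
    """A Session Property condition holds when the token carries one of the listed values."""
    if condition["type"] != "SessionProperty":
        raise ValueError(f"unsupported condition type {condition['type']!r}")
    actual = set(session_props.get(condition["property"], []))
    return bool(actual & condition["values"])


def decide(policy, session_props, url, action):
    """Return 'allow' or 'deny' for one request.

    Deny is the default: an unmatched resource, an action the rule does not allow,
    or a failed condition all leave the request denied.
    """
    for rule in policy["rules"]:
        if not resource_matches(rule["resource"], url):
            continue
        if rule["actions"].get(action) != "allow":
            return "deny"
        if all(condition_holds(c, session_props) for c in policy["conditions"]):
            return "allow"
        return "deny"
    return "deny"


def walk_through(url="http://app.example.com:8080/app/index.html"):
    """Evaluate the step 10 scenario for both users and return the decisions by user."""
    return {user: decide(POLICY, props, url, "GET") for user, props in SESSIONS.items()}


if __name__ == "__main__":
    for user, verdict in walk_through().items():
        print(f"{user}: {verdict}")
```

    User 1 is allowed and User 2 is denied, exactly the result step 10 describes; a request for a URL outside the rule's resource, or with a method other than GET or POST, is denied even for the manager, which is worth remembering when an agent-protected application also serves PUT or DELETE.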