test

Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

Chapter 6 Configuring OpenSSO Enterprise Realms for User Authentication

This chapter contains instructions on configuring OpenSSO Enterprise,to use an external user data store for authentication. (The external user data store and test users were set up in Chapter 4, Installing Sun Java System Directory Server and Creating Instances for Sun OpenSSO Enterprise User Data). This is done by modifying the top-level realm or, alternately, configuring a sub realm for the external users and creating an authentication chain. Choose either of the sections listed to configure OpenSSO Enterprise for user authentication.

Caution – Caution –

Do not do both procedures.

6.1 Modifying the Top-Level Realm for Test Users

At this point in the deployment, the OpenSSO Enterprise root realm (by default, / (Top Level Realm)) is configured to authenticate special OpenSSO Enterprise accounts (for example, amadmin and agents) against the embedded configuration data store. Since the external user data store is an instance of Directory Server (and not part of the embedded configuration data store), we now modify the external user data store configuration details using the OpenSSO Enterprise console to map the user data stores schema to the test user entries previously imported. Use the following list of procedures as a checklist for completing this task.

  1. To Modify the Top-Level Realm for User Authentication

  2. To Verify that a User Can Successfully Authenticate

ProcedureTo Modify the Top-Level Realm for User Authentication

  1. Access https://osso-1.example.com:1081/opensso/console in a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Click the Access Control tab.

  4. Click / (Top Level Realm), the root realm, under the Access Control tab.

  5. Click the Data Stores tab.

    The GenericLDAPv3 data store link is displayed.

  6. Click GenericLDAPv3.

  7. On the GenericLDAPv3 data store properties page, set the following attribute values and click Save.

    LDAP People Container Naming Attribute

    Enter ou.

    LDAP Groups Container Value

    Enter Groups.

    LDAP Groups Container Naming Attribute

    Enter ou.

    LDAP People Container Value

    Enter users.

    Note –

    If this field is empty, the search for user entries will start from the root suffix.

  8. Click Back to Data Stores.

  9. (Optional) Click the Subjects tab to verify that the test users are now displayed.

    testuser1 and testuser2 are displayed under Users (as well as others created during OpenSSO Enterprise configuration.

  10. Click the Authentication tab.

  11. Click the Advanced Properties link under General.

    The Core Realm Attributes page is displayed.

  12. Change the value of User Profile to Ignored.

    This new value specifies that a user profile is not required by the Authentication Service in order to issue a token after successful authentication. This modification is specific to this deployment example because the OpenSSO Enterprise schema and the Directory Server schema have not been mapped.

  13. Click Save.

  14. Click Back to Authentication.

  15. Click Back to Access Control.

  16. Log out of the OpenSSO Enterprise console.

ProcedureTo Verify that a User Can Successfully Authenticate

You should be able to log in successfully as a test user.

  1. Access https://osso-1.example.com:1081/opensso/UI/Login in a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    testuser1

    Password:

    password

    You should be able to log in successfully and see a page with a message that reads You're logged in. Since the User Profile attribute was set to Ignored, the user's profile is not displayed after a successful login. If the login is not successful, watch the Directory Server access log to troubleshoot the problem.

6.2 Creating and Configuring a Sub Realm for Test Users

At this point in the deployment, / (Top Level Realm), the root realm, is configured to authenticate special OpenSSO Enterprise accounts (for example, amadmin and agents) against the embedded configuration data store. Create a sub realm to authenticate external users against the Directory Server user data store instances. This creates a demarcation between OpenSSO Enterprise configuration and administrative data and the user data. Use the following list of procedures as a checklist for completing this task.

ProcedureTo Create a Sub Realm

When a sub realm is created it inherits configuration data (including which user data store) from / (Top Level Realm) (the default root realm) and uses it to authenticate users. The user data store can be modified per sub realm. In this deployment, we use the inherited GenericLDAPv3 data store.

  1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Click the Access Control tab.

  4. Click New to create a new realm.

    The New Realm page is displayed.

  5. Set the following attribute values on the New Realm page.

    Name

    Enter users.

    Realm/DNS Aliases

    Enter users in the New Value field and click Add.

  6. Click OK.

    The users realm is listed as a sub realm of / (Top Level Realm), the root realm.

ProcedureTo Change the User Profile Configuration for the Sub Realm

Before You Begin

This procedure assumes you have just completed To Create a Sub Realm and are still logged in to the OpenSSO Enterprise console.

  1. Under the Access Control tab, click the users realm.

  2. Click the Authentication tab.

  3. Click the Advanced Properties link under General.

    The Core Realm Attributes page is displayed.

  4. Change the value of User Profile to Ignored.

    This new value specifies that a user profile is not required by the Authentication Service in order to issue a token after successful authentication.

  5. Click Save.

  6. Log out of the OpenSSO Enterprise console.

ProcedureTo Modify the Sub Realm for User Authentication

  1. Access https://osso-1.example.com:1081/opensso/console in a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Click the Access Control tab.

  4. Click users, the sub realm, under the Access Control tab.

  5. Click the Data Stores tab.

    The GenericLDAPv3 data store link is displayed.

  6. Click GenericLDAPv3.

  7. On the GenericLDAPv3 data store properties page, set the following attribute values and click Save.

    LDAP People Container Naming Attribute

    Enter ou.

    LDAP Groups Container Value

    Enter Groups.

    LDAP Groups Container Naming Attribute

    Enter ou.

    LDAP People Container Value

    Enter users.

    Note –

    If this field is empty, the search for user entries will start from the root suffix.

  8. Click Back to Data Stores.

  9. (Optional) Click the Subjects tab to verify that the test users are now displayed.

    testuser1 and testuser2 are displayed under Users (as well as others created during OpenSSO Enterprise configuration).

  10. Log out of the OpenSSO Enterprise console.

ProcedureTo Verify That the Sub Realm Can Access the External User Data Store

This optional procedure is to verify the modifications made in To Create a Sub Realm and To Change the User Profile Configuration for the Sub Realm.

  1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Click on the Access Control tab

  4. Click on the users sub realm.

  5. Click on the Subjects tab.

    testuser1 and testuser2 are displayed under Users.

  6. Log out of the OpenSSO Enterprise console.

ProcedureTo Verify That the Sub Realm Subjects Can Successfully Authenticate

  1. Access https://osso-1.example.com:1081/opensso/UI/Login?realm=users from a web browser.

    The parameter realm=users specifies the realm to use for authentication. At this point, a user can log in against Directory Server only if the realm parameter is defined in the URL.

  2. Log in to OpenSSO Enterprise with a user name and password from the am-users directory.

    User Name

    testuser1

    Password

    password

    You should be able to log in successfully and see a page with a message that reads You're logged in. Since the User Profile attribute was set to Ignored, the user's profile is not displayed after a successful login. If the login is not successful, watch the Directory Server access log to troubleshoot the problem.