Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

11.1 Configuring OpenSSO Enterprise as the Hosted Identity Provider

This section provides the procedures for configuring OpenSSO Enterprise on the identity provider side as a hosted identity provider using the Common Tasks wizard. Use the following list of procedures as a checklist for completing the task.

  1. To Configure the Hosted Identity Provider

  2. To View the Hosted Identity Provider Metadata in XML Format

Procedure: To Configure the Hosted Identity Provider

Configure the instance of OpenSSO Enterprise deployed in Part II, Building the Identity Provider Environment, and situated behind Load Balancer 2, as a hosted identity provider. This procedure creates the idpcot circle of trust.

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username: amadmin

    Password: ossoadmin

    The Common Tasks tab is displayed.

  3. Click Create Hosted Identity Provider under Create SAML v2 Providers.

    The Create a SAML v2 Identity Provider on this Server page is displayed.

  4. Make the following changes on the Create a SAML v2 Identity Provider on this Server page.

    • Select the No radio button for Do you have metadata for this provider?

    • Under metadata properties, type https://lb2.idp-example.com:1081/opensso as the value for Name.

    • Under metadata properties, select test as the value for Signing Key.

    • Under Circle of Trust properties, type idpcot as the value for the New Circle of Trust.

    • Accept the default values for any remaining properties.

  5. Click Configure.

  6. Select Finish to end the task.

    This instance of OpenSSO Enterprise is now configured as a SAML v2 identity provider.

  7. Click the Federation tab to verify the hosted identity provider configurations.

    • Confirm that idpcot was created under the Circle of Trust table with one entity: https://lb2.idp-example.com:1081/opensso|saml2.

    • Confirm that https://lb2.idp-example.com:1081/opensso|saml2 was created under the Entity Providers table.

Procedure: To View the Hosted Identity Provider Metadata in XML Format

This optional procedure displays, in a browser window, the standard and extended metadata for the hosted identity provider in XML format. The XML can be viewed as displayed or copied into a text file and saved.

Before You Begin

This procedure assumes that you have just completed To Configure the Hosted Identity Provider and are still logged in to the OpenSSO Enterprise console.

  1. Access https://lb2.idp-example.com:1081/opensso/ssoadm.jsp from the web browser.

    ssoadm.jsp is a Java Server Page (JSP) version of the ssoadm command line interface. In this procedure it is used to display the hosted identity provider metadata.

  2. Click export-entity.

    The export-entity page is displayed.

  3. Enter the following values for each option and click Submit.

    entityid

    The EntityID is the unique uniform resource identifier (URI) used to identify a particular provider. In this deployment, type https://lb2.idp-example.com:1081/opensso.

    realm

    The OpenSSO Enterprise realm in which the data resides. Because all data in this deployment resides in the top-level realm, type /.

    sign

    Leave this unchecked.

    meta-data-file

    Set this flag to export the standard metadata for the provider.

    extended-data-file

    Set this flag to export the extended metadata for the provider.

    spec

    Type saml2.

  4. View the XML-formatted metadata in the browser window.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="https://lb2.idp-example.com:1081/opensso" 
     xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <IDPSSODescriptor WantAuthnRequestsSigned="false" 
       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
        <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
        </ds:X509Certificate>
        </ds:X509Data>
        </ds:KeyInfo>
      </KeyDescriptor>
      <ArtifactResolutionService index="0" isDefault="true" Binding=
       "urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location=
       "https://lb2.idp-example.com:1081/opensso/ArtifactResolver/metaAlias/idp"/>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
       Location="https://lb2.idp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"
       ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"/>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       Location="https://lb2.idp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"
       ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"/>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
       Location="https://lb2.idp-example.com:1081/opensso/IDPSloSoap/metaAlias/idp"/>
      <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
       Location="https://lb2.idp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"
       ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"/>
      <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       Location="https://lb2.idp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"
       ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"/>
      <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
       Location="https://lb2.idp-example.com:1081/opensso/IDPMniSoap/metaAlias/idp"/>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
       Location="https://lb2.idp-example.com:1081/opensso/SSORedirect/metaAlias/idp"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
       Location="https://lb2.idp-example.com:1081/opensso/SSOPOST/metaAlias/idp"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
       Location="https://lb2.idp-example.com:1081/opensso/SSOSoap/metaAlias/idp"/>
      <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
       Location="https://lb2.idp-example.com:1081/opensso/NIMSoap/metaAlias/idp"/>
      <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
       Location="https://lb2.idp-example.com:1081/opensso/AIDReqSoap/IDPRole/metaAlias/idp"/>
      <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
       Location="https://lb2.idp-example.com:1081/opensso/AIDReqUri/IDPRole/metaAlias/idp"/>
      </IDPSSODescriptor>
    </EntityDescriptor>
    
    Entity descriptor was exported to file, web.
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityConfig entityID="https://lb2.idp-example.com:1081/opensso" hosted="true" 
     xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        <IDPSSOConfig metaAlias="/idp">
          <Attribute name="wantNameIDEncrypted">
              <Value/>
          </Attribute>
          <Attribute name="AuthUrl">
              <Value/>
          </Attribute>
          <Attribute name="nameIDFormatMap">
            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
            <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
            <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
           </Attribute>
           <Attribute name="cotlist">
             <Value>idpcot</Value>
           </Attribute>
           <Attribute name="saeIDPUrl">
             <Value>https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp</Value>
           </Attribute>
           <Attribute name="idpAuthncontextClassrefMapping">
             <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
           </Attribute>
           <Attribute name="appLogoutUrl">
             <Value/>
           </Attribute>
           <Attribute name="idpAccountMapper">
             <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
           </Attribute>
           <Attribute name="autofedEnabled">
             <Value>false</Value>
           </Attribute>
            <Attribute name="signingCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="assertionCacheEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="idpAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="assertionEffectiveTime">
                <Value>600</Value>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap">
                <Value>EmailAddress=mail</Value>
                <Value>Telephone=telephonenumber</Value>
            </Attribute>
            <Attribute name="discoveryBootstrappingEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="idpAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
            </Attribute>
            <Attribute name="idpECPSessionMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="encryptionCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="wantArtifactResolveSigned">
                <Value/>
            </Attribute>
            <Attribute name="assertionNotBeforeTimeSkew">
                <Value>600</Value>
            </Attribute>
            <Attribute name="autofedAttribute">
                <Value/>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
        </IDPSSOConfig>
    </EntityConfig>
    
    Entity configuration was exported to file, web.
  5. Log out of the OpenSSO Enterprise console.
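
A review check for the two exports shown in step 4, as an added example that is not part of the original guide or of OpenSSO Enterprise: it parses the standard and extended metadata and lists the settings a reviewer would confirm before relying on this identity provider (unsigned requests accepted, the test signing alias, no encryption alias, endpoint URLs that are not clean https URLs). The function name audit, the trimmed sample documents and the treatment of an empty want...Signed value as false are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
CFG = "{urn:sun:fm:SAML:2.0:entityconfig}"

# Constructed samples: trimmed from the exports shown above, not full exports.
STANDARD = """<EntityDescriptor entityID="https://lb2.idp-example.com:1081/opensso"
 xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 <IDPSSODescriptor WantAuthnRequestsSigned="false"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://lb2.idp-example.com:1081/opensso/SSOPOST/metaAlias/idp"/>
 </IDPSSODescriptor></EntityDescriptor>"""
EXTENDED = """<EntityConfig entityID="https://lb2.idp-example.com:1081/opensso"
 hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig"><IDPSSOConfig metaAlias="/idp">
 <Attribute name="signingCertAlias"><Value>test</Value></Attribute>
 <Attribute name="encryptionCertAlias"><Value/></Attribute>
 <Attribute name="wantLogoutRequestSigned"><Value/></Attribute>
 <Attribute name="wantArtifactResolveSigned"><Value/></Attribute>
 </IDPSSOConfig></EntityConfig>"""

def audit(standard_xml, extended_xml):
    """Return a sorted list of review findings for an exported hosted IdP."""
    findings = []
    idp = ET.fromstring(standard_xml).find(MD + "IDPSSODescriptor")
    if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
        findings.append("WantAuthnRequestsSigned is not true")
    for el in idp.iter():
        for key in ("Location", "ResponseLocation"):
            url = el.get(key)
            # A line-wrapped attribute value parses with spaces inside the URL.
            if url and (not url.startswith("https://") or " " in url):
                findings.append(f"bad {key} on {el.tag[len(MD):]}: {url!r}")
    cfg = ET.fromstring(extended_xml).find(CFG + "IDPSSOConfig")
    attrs = {a.get("name"): [(v.text or "").strip() for v in a.findall(CFG + "Value")]
             for a in cfg.findall(CFG + "Attribute")}
    alias = "".join(attrs.get("signingCertAlias", []))
    if alias in ("", "test"):
        findings.append(f"signingCertAlias is {alias!r}")
    if not any(attrs.get("encryptionCertAlias", [])):
        findings.append("encryptionCertAlias is empty")
    for name, values in attrs.items():
        # Assumption: an empty want...Signed value is handled as "false".
        if name.startswith("want") and name.endswith("Signed") and "true" not in values:
            findings.append(f"{name} is not true")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(STANDARD, EXTENDED)))
```

Run against the full text saved from the browser window, the same function also reports any Location value that was copied with a line break inside it.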