The following procedures will establish trust relationships between the communicating entities (in this case, the included JSP).
To Establish Trust Between OpenSSO Enterprise and the Application on the Identity Provider Side
To Establish Trust Between OpenSSO Enterprise and the Application on the Service Provider Side
Set up a trust relationship between saeIDPApp.jsp, the identity provider application, and OpenSSO Enterprise on the identity provider side.
Choose a shared secret for use between the identity provider application and the instance of OpenSSO Enterprise on the identity provider side; in this procedure, secret12.
Make the following modifications to saeIDPApp.jsp and save the file.
saeIDPApp.jsp is found in the OpenSSO-Deploy-Base/samples/saml2/sae directory.
Change the value of saeServiceURL to https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp.
Change the value of secret to secret12.
In a real deployment the application would store this shared secret in an encrypted file.
Change the value of spapp to https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp.
Log in to the OpenSSO Enterprise console at https://lb2.idp-example.com:1081/opensso as the administrator.
User Name: amadmin
Password: ossoadmin
Access https://lb2.idp-example.com:1081/opensso/encode.jsp in a different browser window.
This JSP encodes the shared secret.
Enter secret12 in the text field and click Encode.
A string representing the identity provider's encoded password is displayed.
Save the string for later use and close the browser window.
In this case, AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2.
From the OpenSSO Enterprise console, click the Federation tab.
Under Entity Providers, click https://lb2.idp-example.com:1081/opensso, the hosted identity provider.
Click the Advanced tab.
Under SAE Configuration, type the following in the New Value text box of the Per Application Security Configuration property and click Add.
url=https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp|type=symmetric|secret=AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2
Click Save to save the profile.
Click the Assertion Processing tab.
Click the Attribute Mapper link.
Under the Attribute Map property, type the following New Values and click Add.
mail=mail
branch=branch
These attributes will be sent as part of the SAML v2 assertion.
Click Save to save the profile.
Click Back to return to the Federation tab.
Under Entity Providers, click https://lb4.sp-example.com:1081/opensso, the remote service provider.
Click the Advanced tab.
Under SAE Configuration, enter https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp in the SP URL field.
Under SAE Configuration again, enter https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp in the SP Logout URL field.
Click Save to save the profile.
Click Back to return to the Federation tab.
Click the Access Control tab.
Under the Access Control tab, click / (Top Level Realm).
Click the Authentication tab.
Under General, click Advanced Properties.
The Core profile page is displayed.
Under User Profile, select the Ignored radio button and click Save.
This modification is specific to this deployment example only.
Click Save to save the profile.
Click Back to Authentication.
Log out of the OpenSSO Enterprise console.
Set up a trust relationship between OpenSSO Enterprise on the service provider side and saeSPApp.jsp, the service provider application.
Choose a shared secret for use between the service provider application and the instance of OpenSSO Enterprise on the service provider side; in this procedure, secret12.
Log in to the OpenSSO Enterprise console at https://lb4.sp-example.com:1081/opensso as the administrator.
User Name: amadmin
Password: ossoadmin
Access https://lb4.sp-example.com:1081/opensso/encode.jsp in a different browser window.
This JSP encodes the shared secret.
Enter secret12 and click Encode.
A string representing the service provider's encoded shared secret is displayed.
Save the string for later use and close the browser window.
In this case, AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy.
From the OpenSSO Enterprise console, click the Federation tab.
Under Entity Providers, click https://lb4.sp-example.com:1081/opensso, the hosted service provider.
Click the Assertion Processing tab.
Under Attribute Mapper, add the following new values to the Attribute Map property.
mail=mail
branch=branch
Under Auto-Federation, check the Enabled box.
Also under Auto-Federation, enter mail in the Attribute field.
The value of the Attribute property is the attribute previously mapped between the identity provider and the service provider allowing Auto-Federation to work.
Click Save.
Click the Advanced tab.
Under SAE Configuration, type https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp as the value for the SP URL.
Type https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp as the value for the SP Logout URL.
Type the following in the New Value field of the Per Application Security Configuration property and click Add.
url=https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp|type=symmetric|secret=AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy
Click Save to save the profile.
Click Back to return to the Federation tab.
Click the Access Control tab.
Under the Access Control tab, click / (Top Level Realm).
Click the Authentication tab.
Under General, click Advanced Properties.
The Core profile page is displayed.
Under User Profile, select the Ignored radio button and click Save.
This modification is specific to this deployment example only.
Click Save to save the profile.
Click Back to Authentication.
Log out of the OpenSSO Enterprise console.
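An added consistency check for the values entered in both procedures above (example code written for this page, not part of OpenSSO Enterprise or the sample JSPs): it parses a Per Application Security Configuration entry into its url, type and secret fields and flags the slips a copy from this page can introduce, such as a wrapped URL containing a space or the plaintext secret12 entered in place of the encode.jsp output, and it confirms that the spapp value set in saeIDPApp.jsp names the same saeSPApp.jsp as the SP Logout URL. All URLs and encoded secrets are the ones given in the procedures; the check names and problem strings are this example's own.

```python
from urllib.parse import urlsplit

# Values typed into the console in the two procedures above.
IDP_PER_APP = ("url=https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp"
               "|type=symmetric|secret=AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2")
SP_PER_APP = ("url=https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp"
              "|type=symmetric|secret=AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy")
# Where each sample application lives, as set in the JSPs and the SP profile.
IDP_APP_URL = "https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp"
SP_APP_URL = "https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp"
PLAINTEXT_SECRET = "secret12"   # the chosen secret; only its encode.jsp form belongs in the console

def parse_per_app_config(value):
    """Split a 'key=value|key=value' entry into a dict; reject malformed fields."""
    fields = {}
    for part in value.split("|"):
        if "=" not in part:
            raise ValueError("field without '=': %r" % part)
        key, _, val = part.partition("=")   # partition keeps any '=' padding in the secret
        fields[key.strip()] = val
    return fields

def check_per_app_config(value, expected_app_url):
    """Return the list of problems found in one entry (empty means it looks right)."""
    try:
        cfg = parse_per_app_config(value)
    except ValueError as exc:
        return [str(exc)]
    problems = ["missing field: " + k for k in ("url", "type", "secret") if k not in cfg]
    url = cfg.get("url", "")
    if any(ch.isspace() for ch in url):
        problems.append("url contains whitespace (line-wrap artifact?)")
    if urlsplit(url).scheme != "https":
        problems.append("url is not https")
    if url != expected_app_url:
        problems.append("url does not match the application's own location")
    if cfg.get("type") != "symmetric":
        problems.append("type must be symmetric for a shared secret")
    secret = cfg.get("secret", "")
    if not secret:
        problems.append("secret is empty")
    elif secret == PLAINTEXT_SECRET:
        problems.append("secret is the plaintext value, not the encode.jsp output")
    return problems

def check_cross_side(idp_jsp_spapp, sp_logout_url):
    """spapp in saeIDPApp.jsp must name the same saeSPApp.jsp as the SP Logout URL."""
    if idp_jsp_spapp == sp_logout_url:
        return []
    return ["spapp in saeIDPApp.jsp differs from the SP Logout URL"]
```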