Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

13.4 Establishing Trust Between Communicating Entities

The following procedures establish trust relationships between the communicating entities: on each side, the sample JSP application included with OpenSSO Enterprise (saeIDPApp.jsp on the identity provider side, saeSPApp.jsp on the service provider side) and the instance of OpenSSO Enterprise it communicates with.

Procedure: To Establish Trust Between OpenSSO Enterprise and the Application on the Identity Provider Side

Set up a trust relationship between saeIDPApp.jsp, the identity provider application, and OpenSSO Enterprise on the identity provider side.

Before You Begin

Choose a shared secret for use between the identity provider application and the instance of OpenSSO Enterprise on the identity provider side; in this procedure, secret12. This is a sample value for the deployment example only; in a real deployment, use a long, randomly generated secret.

  1. Make the following modifications to saeIDPApp.jsp and save the file.

    saeIDPApp.jsp is found in the OpenSSO-Deploy-Base/samples/saml2/sae directory.

    • Change the value of saeServiceURL to https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp.

    • Change the value of secret to secret12.


      Note –

      In a real deployment the application would not hard-code this shared secret in the JSP; it would store the secret in an encrypted file and read it at run time.


    • Change the value of spapp to https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp.

  2. Log in to the OpenSSO Enterprise console at https://lb2.idp-example.com:1081/opensso as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Access https://lb2.idp-example.com:1081/opensso/encode.jsp in a different browser window.

    This JSP encodes the shared secret.

  4. Enter secret12 in the text field and click Encode.

    A string representing the identity provider's encoded password is displayed.

  5. Save the string for later use and close the browser window.

    In this case, AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2. The encoded value depends on the encryption key of the OpenSSO Enterprise instance that produced it, so the string in your deployment will differ.

  6. From the OpenSSO Enterprise console, click the Federation tab.

  7. Under Entity Providers, click https://lb2.idp-example.com:1081/opensso, the hosted identity provider.

  8. Click the Advanced tab.

  9. Under SAE Configuration, type the following in the New Value text box of the Per Application Security Configuration property and click Add.

    url=https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp|type=symmetric|secret=AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2

    The value is a single string with no line breaks; url identifies the application, type=symmetric selects shared-secret security, and secret is the encoded string from step 5, not the plaintext.

  10. Click Save to save the profile.

  11. Click the Assertion Processing tab.

  12. Click the Attribute Mapper link.

  13. Under the Attribute Map property, type the following New Values and click Add.

    • mail=mail

    • branch=branch

    These attributes will be sent as part of the SAML v2 assertion.

  14. Click Save to save the profile.

  15. Click Back to return to the Federation tab.

  16. Under Entity Providers, click https://lb4.sp-example.com:1081/opensso, the remote service provider.

  17. Click the Advanced tab.

  18. Under SAE Configuration, enter https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp in the SP URL field.

  19. Under SAE Configuration again, enter https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp in the SP Logout URL field.

  20. Click Save to save the profile.

  21. Click Back to return to the Federation tab.

  22. Click the Access Control tab.

  23. Under the Access Control tab, click / (Top Level Realm).

  24. Click the Authentication tab.

  25. Under General, click Advanced Properties.

    The Core profile page is displayed.

  26. Under User Profile, select the Ignored radio button and click Save.


    Note –

    This modification is specific to this deployment example only.


  27. Click Save to save the profile.

  28. Click Back to Authentication.

  29. Log out of the OpenSSO Enterprise console.

Procedure: To Establish Trust Between OpenSSO Enterprise and the Application on the Service Provider Side

Set up a trust relationship between OpenSSO Enterprise on the service provider side and saeSPApp.jsp, the service provider application.

Before You Begin

Choose a shared secret for use between the service provider application and the instance of OpenSSO Enterprise on the service provider side; in this procedure, secret12.

  1. Log in to the OpenSSO Enterprise console at https://lb4.sp-example.com:1081/opensso as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  2. Access https://lb4.sp-example.com:1081/opensso/encode.jsp in a different browser window.

    This JSP encodes the shared secret.

  3. Enter secret12 and click Encode.

    A string representing the service provider's encoded password is displayed.

  4. Save the string for later use and close the browser window.

    In this case, AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy. Although the same shared secret was entered, this string differs from the one produced on the identity provider side because each OpenSSO Enterprise instance encodes with its own encryption key.

  5. From the OpenSSO Enterprise console, click the Federation tab.

  6. Under Entity Providers, click https://lb4.sp-example.com:1081/opensso, the hosted service provider.

  7. Click the Assertion Processing tab.

  8. Under Attribute Mapper, add the following new values to the Attribute Map property.

    • mail=mail

    • branch=branch

  9. Under Auto-Federation, check the Enabled box.

  10. Also under Auto-Federation, enter mail in the Attribute field.

    The value of the Attribute property must be an attribute that appears in the Attribute Map on both the identity provider and the service provider. The service provider uses it to match the incoming assertion to a local user account, which is what allows Auto-Federation to work.

  11. Click Save.

  12. Click the Advanced tab.

  13. Under SAE Configuration, type https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp as the value for the SP URL.

  14. Type https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp as the value for the SP Logout URL.

  15. Type the following in the New Value field of the Per Application Security Configuration property and click Add.

    url=https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp|type=symmetric|secret=AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy

    The value is a single string with no line breaks; the secret field carries the encoded string from step 4, not the plaintext.

  16. Click Save to save the profile.

  17. Click Back to return to the Federation tab.

  18. Click the Access Control tab.

  19. Under the Access Control tab, click / (Top Level Realm).

  20. Click the Authentication tab.

  21. Under General, click Advanced Properties.

    The Core profile page is displayed.

  22. Under User Profile, select the Ignored radio button and click Save.


    Note –

    This modification is specific to this deployment example only.


  23. Click Save to save the profile.

  24. Click Back to Authentication.

  25. Log out of the OpenSSO Enterprise console.
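The two procedures above configure one shared secret per hop: saeIDPApp.jsp to the identity provider's OpenSSO Enterprise instance, and the service provider's OpenSSO Enterprise instance to saeSPApp.jsp. The following added example (not OpenSSO Enterprise code, and not a reproduction of the SAE wire format) models those trust relationships in Python so the checks each hop performs are visible: it parses the two Per Application Security Configuration entries exactly as typed in steps 9 and 15, secures attributes with HMAC-SHA256 under the hop's shared secret, applies the mail=mail and branch=branch Attribute Map, and auto-federates on mail. The user store and the lookup that stands in for OpenSSO decrypting an encode.jsp value with its instance key are constructed for the example; the SAML hop between the two OpenSSO instances is elided.

```python
"""Illustration of the shared-secret (type=symmetric) trust model set up in
13.4. Not OpenSSO Enterprise code; HMAC-SHA256 stands in for SAE's own format."""
import base64
import binascii
import hashlib
import hmac
import json

# Per Application Security Configuration values from steps 9 (IDP) and 15 (SP).
IDP_APP_ENTRY = ("url=https://sae.idp-example.com:8181/opensso/saml2/sae/saeIDPApp.jsp"
                 "|type=symmetric|secret=AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2")
SP_APP_ENTRY = ("url=https://sae.sp-example.com:8181/opensso/saml2/sae/saeSPApp.jsp"
                "|type=symmetric|secret=AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy")

# Constructed stand-in for each OpenSSO instance decrypting its encode.jsp
# output with its own encryption key (both instances encoded secret12).
ENCODED_TO_PLAINTEXT = {
    "AQICrLO+CuXkZFna8uAS0/GiUUtwyQltVdw2": "secret12",
    "AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy": "secret12",
}

ATTRIBUTE_MAP = {"mail": "mail", "branch": "branch"}  # steps 13 (IDP) and 8 (SP)
SP_USERS = {"jdoe@idp-example.com": "jdoe"}           # constructed SP user store


def parse_app_entry(entry):
    """Split one url=...|type=...|secret=... value into a dict; reject anything
    that is not a complete symmetric entry."""
    fields = {}
    for part in entry.split("|"):
        key, sep, value = part.partition("=")  # secrets may themselves contain '='
        if not sep or not value or key in fields:
            raise ValueError("malformed field: %r" % part)
        fields[key] = value
    if set(fields) != {"url", "type", "secret"}:
        raise ValueError("expected url, type and secret; got %s" % sorted(fields))
    if fields["type"] != "symmetric":
        raise ValueError("only type=symmetric is modelled here")
    return fields


def _canonical(attrs):
    # Both ends must MAC identical bytes, so serialise deterministically.
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def seal(attrs, secret):
    """Sender side of one hop: attributes plus an HMAC-SHA256 tag under the
    shared secret agreed for that hop."""
    body = _canonical(attrs)
    tag = hmac.new(secret.encode(), body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def unseal(token, secret):
    """Receiver side: return the attributes only if the tag verifies under the
    configured secret; None on malformed input, tampering or secret mismatch."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret.encode(), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def idp_handler(token, app_entry):
    """idpsaehandler role: verify the application's token with the secret from its
    Per Application Security Configuration, then keep only mapped attributes."""
    cfg = parse_app_entry(app_entry)
    attrs = unseal(token, ENCODED_TO_PLAINTEXT[cfg["secret"]])
    if attrs is None:
        return None
    return {ATTRIBUTE_MAP[k]: v for k, v in attrs.items() if k in ATTRIBUTE_MAP}


def sp_handler_to_app(mapped_attrs, app_entry):
    """spsaehandler role: Auto-Federation on mail, then seal the attributes for
    saeSPApp.jsp with the SP-side secret."""
    user = SP_USERS.get(mapped_attrs.get("mail"))
    if user is None:
        return None
    cfg = parse_app_entry(app_entry)
    return seal(dict(mapped_attrs, user=user), ENCODED_TO_PLAINTEXT[cfg["secret"]])


def run_exchange(idp_app_secret, sp_app_secret):
    """Whole path: IDP app -> IDP OpenSSO -> (SAML, elided) -> SP OpenSSO -> SP app.
    Returns the attributes the SP application finally accepts, or None."""
    token = seal({"mail": "jdoe@idp-example.com", "branch": "hq", "uid": "x"}, idp_app_secret)
    mapped = idp_handler(token, IDP_APP_ENTRY)
    if mapped is None:
        return None
    sp_token = sp_handler_to_app(mapped, SP_APP_ENTRY)
    return None if sp_token is None else unseal(sp_token, sp_app_secret)
```

Two points the model makes concrete: an application whose secret does not match what its OpenSSO instance decodes from the Per Application Security Configuration entry gets nothing through (run_exchange("wrong", "secret12") returns None), and an attribute the identity provider does not list in its Attribute Map (uid above) never reaches the service provider even though the application sent it.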