In this deployment there is no user data on the service provider side. All identity provider users are therefore mapped to a single anonymous user on the service provider, which stands in for every user in the identity provider user data store. This use case illustrates how you can pass user profile attributes from the identity provider to the service provider, and from the service provider site to its agent-protected applications. Communication from the identity provider to the service provider uses SAML v2 protocols. Communication from the service provider to its agent-protected applications uses the agent's session attribute mapping, which copies attributes received from the identity provider into HTTP headers. This chapter contains the following sections.
Create a test user and modify the user profile for attribute mapping. Use the following as a checklist to complete this procedure.
Access https://lb2.idp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
The Common Tasks tab is displayed.
Click the Access Control tab.
Click the / (Top Level Realm) realm.
Under the Subjects tab, click User.
Under User, click New.
The New User page is displayed.
Enter the following values and click OK.
ID: jsmith
First Name: John
Last Name: Smith
Full Name: John Smith
Password: jsmith
Password (confirm): jsmith
Click Active.
Log out of the OpenSSO Enterprise console.
This procedure assumes you have completed To Create a Test User for Attribute Mapping.
Access https://lb2.idp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
The Common Tasks tab is displayed.
Click the Access Control tab.
Click the / (Top Level Realm) realm.
Under the Subjects tab, click User.
Under User, click John Smith.
The Edit User — John Smith page is displayed.
Enter the following values and click Save.
Email Address: jsmith@jsmith.com
Telephone Number: 408-555-5454
The profile is updated.
Log out of the OpenSSO Enterprise console.
This section contains the instructions to configure OpenSSO Enterprise for attribute mapping. Use the following as a checklist to complete the configurations.
Map the appropriate LDAP attributes in the user data store to the attributes passed using SAML v2, using the OpenSSO Enterprise console on the identity provider side. When attributes are mapped on one OpenSSO Enterprise instance on the identity provider side, the mapping is made available to the second identity provider instance through the previous configuration of the two instances as a site in 5.4 Configuring the OpenSSO Enterprise Platform Service.
Access https://lb2.idp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
The Common Tasks tab is displayed.
Click the Federation tab.
Under Entity Providers, click https://lb2.idp-example.com:1081/opensso.
The IDP profile page is displayed.
Click the Assertion Processing tab.
Under Attribute Mapping, enter the following values and click Add.
EmailAddress=EmailAddress
Telephone=Telephone
Click Save.
The profile is updated.
Log out of the OpenSSO Enterprise console.
Enable the Anonymous authentication module and confirm the creation of the anonymous user account on the service provider side.
This procedure assumes you have completed To Create a Test User for Attribute Mapping.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
The Common Tasks tab is displayed.
Click the Access Control tab.
Click the / (Top Level Realm) realm.
Click the Authentication tab.
Click the Modules Instances link.
Under Modules Instances, click New.
The New Module Instance page is displayed.
Enter the following values and click Save.
Name: Anonymous
Type: Anonymous (select from the list)
The profile is updated.
Under Modules Instances, click Anonymous.
The Anonymous module instance profile is displayed.
Confirm the default values for the following attributes.
If the values in your instance are different, change them and save the profile.
Default Anonymous User Name: anonymous
Authentication Level: 0
Log out of the OpenSSO Enterprise console.
A transient name identifier is a temporary, opaque user identifier that the identity provider generates for a single session. In this use case there is no user account on the service provider side, so single sign-on is accomplished using a transient name identifier, and every user passed from the identity provider to the service provider is mapped to the anonymous user created in To Enable Anonymous Authentication. The service provider therefore cannot tell one user from another, or recognize the same user across sessions, except through the attributes the identity provider releases; any per-user decision on the service provider side must be based on those attributes. In this procedure, we modify the agent profile so that its login URL requests the transient name identifier format.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
The Common Tasks tab is displayed.
Click the Access Control tab.
Click the / (Top Level Realm) realm.
Click the Agents tab.
Click the Web tab.
The Web profile page is displayed.
Click webagent-1 in the Agent table.
The webagent-1 profile page is displayed.
Click the OpenSSO Services tab.
Select https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso in the OpenSSO Login URL property box and click Delete.
Enter https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&NameIDFormat=transient in the OpenSSO Login URL text box and click Add. The added NameIDFormat=transient parameter makes the service provider ask for a transient name identifier in the authentication request it sends to the identity provider.
Click Save.
The profile is updated.
Log out of the OpenSSO Enterprise console.
Map the SAML attributes received from the identity provider, which the service provider stores as properties of the anonymous user's session, to the HTTP headers that the agent passes to the protected application.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
The Common Tasks tab is displayed.
Click the Access Control tab.
Click the / (Top Level Realm) realm.
Click the Agents tab.
Click the Web tab.
The Web profile page is displayed.
Click webagent-1 in the Agent table.
The webagent-1 profile page is displayed.
Click the Application tab.
Click the Session Attribute Processing link.
Select HTTP_HEADER as the value for the Session Attribute Fetch Mode property.
Enter the following new values in the Session Attribute Map property text box, clicking Add after each pair.
Key: Telephone
Value: Telephone
Key: EmailAddress
Value: EmailAddress
Click Save.
The profile is updated.
Log out of the OpenSSO Enterprise console.
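The three configurations above (the identity provider's Attribute Mapping, the transient name identifier requested by the agent's login URL, and the agent's Session Attribute Map) fit together as two hops. The following is an added example, not OpenSSO Enterprise or policy agent code, that models both hops end to end: the identity provider builds a SAML v2 assertion carrying a transient NameID and only the mapped attributes; the service provider turns it into a session whose principal is the anonymous user; the agent, in HTTP_HEADER mode, copies the mapped session properties into request headers. The entity ID, user values and map entries are the ones used in this chapter; the assertion is constructed here and unsigned (signing and verification are assumed to have happened and are omitted), the '|' join for multi-valued attributes and the stripping of client-supplied headers with a mapped name are this example's own choices, not documented OpenSSO behavior.

```python
"""Added example, not OpenSSO Enterprise or policy agent code: a model of the two
hops configured above. Hop 1 is identity provider -> service provider over a
SAML v2 assertion with a transient NameID and the mapped attributes; hop 2 is
service provider -> application through the agent's Session Attribute Map in
HTTP_HEADER mode. All inputs are constructed here; signing and signature
verification of the assertion are assumed to have happened and are omitted.
"""
import secrets
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
IDP_ENTITY_ID = "https://lb2.idp-example.com:1081/opensso"

# Identity provider side: jsmith's profile as edited in this chapter (constructed
# here) and the Attribute Mapping entries from the Assertion Processing tab.
JSMITH_PROFILE = {"EmailAddress": "jsmith@jsmith.com", "Telephone": "408-555-5454"}
IDP_ATTRIBUTE_MAP = ["EmailAddress=EmailAddress", "Telephone=Telephone"]

# Service provider side: the Anonymous module's default user name and the agent's
# Session Attribute Map (session attribute name -> HTTP header name).
ANONYMOUS_USER = "anonymous"
AGENT_SESSION_ATTRIBUTE_MAP = {"Telephone": "Telephone", "EmailAddress": "EmailAddress"}


def parse_attribute_map(entries):
    """'SAMLattribute=localattribute' entries -> {SAMLattribute: localattribute}."""
    return dict(entry.split("=", 1) for entry in entries)


def build_assertion(profile, attribute_map, name_id_format=TRANSIENT):
    """Identity provider: build an assertion that carries a transient NameID and
    only the attributes listed in the map. Everything else in the profile stays home."""
    ET.register_namespace("saml", SAML)
    assertion = ET.Element(f"{{{SAML}}}Assertion", Version="2.0",
                           ID="_" + secrets.token_hex(8))
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", Format=name_id_format)
    # A transient identifier is a fresh opaque value per session, never the uid,
    # so the service provider cannot recognize jsmith from one visit to the next.
    name_id.text = "_" + secrets.token_hex(16)
    statement = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for saml_name, local_name in parse_attribute_map(attribute_map).items():
        if local_name in profile:
            attribute = ET.SubElement(statement, f"{{{SAML}}}Attribute", Name=saml_name)
            ET.SubElement(attribute, f"{{{SAML}}}AttributeValue").text = profile[local_name]
    return ET.tostring(assertion, encoding="unicode")


def sp_session_from_assertion(xml_text, anonymous_user=ANONYMOUS_USER):
    """Service provider: with a transient NameID there is no local account to look
    up, so the session principal is the anonymous user and the SAML attributes
    become session properties."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML}
    name_id = root.find("saml:Subject/saml:NameID", ns)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        raise ValueError("expected a transient NameID; any other format needs an "
                         "account mapping on the service provider side")
    properties = {}
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", ns)]
        # Multi-valued attributes are joined with '|' (the example's own choice).
        properties[attribute.get("Name")] = "|".join(values)
    return {"principal": anonymous_user, "properties": properties}


def agent_headers(session, session_attribute_map, incoming_headers):
    """Agent in HTTP_HEADER fetch mode: copy mapped session properties into request
    headers for the application. Client-supplied headers with a mapped name are
    dropped first (this example's hardening, not a documented agent setting), so
    the application only ever sees values set by the agent."""
    mapped = {h.lower() for h in session_attribute_map.values()}
    headers = {k.lower(): v for k, v in incoming_headers.items() if k.lower() not in mapped}
    for attr_name, header_name in session_attribute_map.items():
        if attr_name in session["properties"]:
            headers[header_name.lower()] = session["properties"][attr_name]
    return {"remote_user": session["principal"], "headers": headers}


def run_flow(incoming_headers=None):
    """End to end: identity provider assertion -> anonymous SP session -> headers."""
    assertion = build_assertion(JSMITH_PROFILE, IDP_ATTRIBUTE_MAP)
    session = sp_session_from_assertion(assertion)
    return agent_headers(session, AGENT_SESSION_ATTRIBUTE_MAP, incoming_headers or {})


if __name__ == "__main__":
    # A client trying to smuggle its own EmailAddress header past the agent.
    result = run_flow({"Host": "pr1.sp-example.com:1080", "EmailAddress": "mallory@example.com"})
    print(result["remote_user"], result["headers"])
```

The point of the header-stripping step is the one a practitioner should carry into the real deployment: the application identifies the user only through headers the agent sets, so requests must not be able to reach the application except through the agent, or a client could supply its own emailaddress header.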
This test uses snoop.jsp to display, in a browser window, the HTTP headers of the request as it reaches the application. Within the headers you see the attributes being passed from the service provider to the agent-protected application.
Log into the pr1.sp-example.com host machine as the root user.
Copy snoop.jsp to the /opt/SUNWwbsvr/https-pr1.sp-example.com/docs directory.
snoop.jsp is in Appendix F, The snoop.jsp File.
Access http://pr1.sp-example.com:1080/snoop.jsp from a web browser.
The Web Policy Agent redirects the unauthenticated request to the OpenSSO Login URL configured in webagent-1, the service provider's spssoinit URL, which starts SAML v2 single sign-on and sends the browser to the identity provider's login page.
Log in at the identity provider as the test user.
User Name: jsmith@jsmith.com
Password: jsmith
The JSP Snoop page displays the headers from the HTTP request as received by the application. Note the following:
John Smith's telephone number and email address are included, as the emailaddress and telephone headers that the agent set from the session attributes.
The Remote user is anonymous, which confirms that the transient name identifier was used and mapped to the anonymous user as configured.
The cookie header carries the iPlanetDirectoryPro SSO token. snoop.jsp echoes every header back to the browser, so treat it as a test aid only and remove it from the document root when testing is done.
JSP Snoop page

Request information
    Requested URL: http://pr1.sp-example.com:1080/snoop.jsp
    Request method: GET
    Request URI: /snoop.jsp
    Request protocol: HTTP/1.1
    Servlet path: /snoop.jsp
    Path info: null
    Path translated: null
    Query string: null
    Content length: -1
    Content type: null
    Server name: pr1.sp-example.com
    Server port: 1080
    Remote user: anonymous
    Remote address: 192.18.120.83
    Remote host: 192.18.120.83
    Authorization scheme: DSAME

Request headers
    Header: Value:
    cookie: JSESSIONID=A7092AD436027D5B18DFCC8C65D7B580; iPlanetDirectoryPro=AQIC5wM2LY4SfcxahJE41EKzHCTvKnlulj6F8sTjtxvBpA8=@AAJTSQACMDMAAlMxAAIwMQ==#; amlbcookie=01
    host: pr1.sp-example.com:1080
    user-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.1.15) Gecko/20080703 Firefox/2.0.0.15
    accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    accept-language: en-us,en;q=0.5
    accept-encoding: gzip,deflate
    accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    keep-alive: 300
    connection: keep-alive
    emailaddress: jsmith@jsmith.com
    telephone: 408-555-5454

Init parameters
    Parameter: Value:
    fork: false
    mappedfile: false
    logVerbosityLevel: warning
    com.sun.appserv.jsp.classpath: /opt/SUNWwbsvr/lib/webserv-rt.jar:/opt/SUNWwbsvr/lib/pwc.jar:/opt/SUNWwbsvr/lib/ant.jar:/opt/SUNWwbsvr/jdk/lib/tools.jar:/opt/SUNWwbsvr/lib/ktsearch.jar:/opt/SUNWwbsvr/lib/webserv-jstl.jar:/opt/SUNWwbsvr/lib/jsf-impl.jar:/opt/SUNWwbsvr/lib/jsf-api.jar:/opt/SUNWwbsvr/lib/webserv-jwsdp.jar:/opt/SUNWwbsvr/lib/container-auth.jar:/opt/SUNWwbsvr/lib/mail.jar:/opt/SUNWwbsvr/lib/activation.jar:
    httpMethods: GET,HEAD,POST