Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

11.2 Configuring OpenSSO Enterprise as the Hosted Service Provider

This section provides the procedures for configuring OpenSSO Enterprise on the service provider side as a hosted service provider using the Common Tasks wizard. Use the following list of procedures as a checklist for completing the task.

  1. To Configure the Hosted Service Provider

  2. To View the Hosted Service Provider Metadata in XML Format

To Configure the Hosted Service Provider

Configure the instance of OpenSSO Enterprise deployed in Part III, Building the Service Provider Environment, situated behind Load Balancer 2 on the service provider side, as a hosted service provider. This procedure creates the spcot circle of trust.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click Create Hosted Service Provider under Create SAML v2 Providers.

    The Create a SAML v2 Service Provider on this Server page is displayed.

  4. Make the following changes on the Create a SAML v2 Service Provider on this Server page.

    • Select the No radio button for Do you have metadata for this provider?

    • Under metadata properties, type https://lb4.sp-example.com:1081/opensso as the value for Name.

    • Under metadata properties, select test as the value for Signing Key.

    • Under Circle of Trust properties, select the Add to New radio button and type spcot as the value for the New Circle of Trust.

    • Accept the default values for any remaining properties.

  5. Click Configure.

    A pop-up screen is displayed that reads:

    Service provider is configured.
    You can modify the provider's profile under the Federation tab.

    Do you want to create a remote identity provider?

  6. Click No on the pop-up screen.

    The OpenSSO Enterprise console is displayed and this instance is now configured as a SAML v2 service provider.

To View the Hosted Service Provider Metadata in XML Format

This optional procedure displays, in a browser window, the standard and extended metadata for the hosted service provider in XML format. The XML can be viewed as displayed or copied into a text file and saved.

Before You Begin

This procedure assumes that you have just completed To Configure the Hosted Service Provider and are still logged in to the OpenSSO Enterprise console.

  1. Access https://lb4.sp-example.com:1081/opensso/ssoadm.jsp from the web browser.

    ssoadm.jsp is a JavaServer Pages (JSP) version of the ssoadm command-line interface. In this procedure it is used to display the hosted service provider metadata.

  2. Click export-entity.

    The export-entity page is displayed.

  3. Enter the following values for each option and click Submit.

    entityid

    The EntityID is the unique uniform resource identifier (URI) used to identify a particular provider. In this deployment, type https://lb4.sp-example.com:1081/opensso.

    realm

    The OpenSSO Enterprise realm in which the data resides. In this deployment, all data resides in the top-level realm, so type /.

    sign

    Leave this box unchecked.

    meta-data-file

    Set this flag to export the standard metadata for the provider.

    extended-data-file

    Set this flag to export the extended metadata for the provider.

    spec

    Type saml2.

  4. View the XML-formatted metadata in the browser window.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="https://lb4.sp-example.com:1081/opensso" 
      xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://lb4.sp-example.com:1081/opensso/SPSloRedirect/metaAlias/sp"
        ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPSloRedirect/metaAlias/sp"/>
       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lb4.sp-example.com:1081/opensso/SPSloPOST/metaAlias/sp"
        ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPSloPOST/metaAlias/sp"/>
       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://lb4.sp-example.com:1081/opensso/SPSloSoap/metaAlias/sp"/>
       <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://lb4.sp-example.com:1081/opensso/SPMniRedirect/metaAlias/sp"
        ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPMniRedirect/metaAlias/sp"/>
       <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lb4.sp-example.com:1081/opensso/SPMniPOST/metaAlias/sp"
        ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPMniPOST/metaAlias/sp"/>
       <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://lb4.sp-example.com:1081/opensso/SPMniSoap/metaAlias/sp"
        ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPMniSoap/metaAlias/sp"/>
       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
       <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://lb4.sp-example.com:1081/opensso/Consumer/metaAlias/sp"/>
       <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lb4.sp-example.com:1081/opensso/Consumer/metaAlias/sp"/>
       <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://lb4.sp-example.com:1081/opensso/Consumer/ECP/metaAlias/sp"/>
       </SPSSODescriptor>
       <IDPSSODescriptor WantAuthnRequestsSigned="false"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>
        <ArtifactResolutionService index="0" isDefault="true"
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/ArtifactResolver/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb4.sp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb4.sp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/IDPSloSoap/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb4.sp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb4.sp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/IDPMniSoap/metaAlias/idp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb4.sp-example.com:1081/opensso/SSORedirect/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb4.sp-example.com:1081/opensso/SSOPOST/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/SSOSoap/metaAlias/idp"/>
        <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/NIMSoap/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/AIDReqSoap/IDPRole/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
         Location="https://lb4.sp-example.com:1081/opensso/AIDReqUri/IDPRole/metaAlias/idp"/>
       </IDPSSODescriptor>
    </EntityDescriptor>
    
    Entity descriptor was exported to file, web.
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityConfig entityID="https://lb4.sp-example.com:1081/opensso" hosted="true" 
     xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        <SPSSOConfig metaAlias="/sp">
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="idpProxyList"/>
            <Attribute name="spAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
            </Attribute>
            <Attribute name="enableIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPListGetComplete">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>spcot</Value>
            </Attribute>
            <Attribute name="transientUser">
                <Value>anonymous</Value>
            </Attribute>
            <Attribute name="spAuthncontextComparisonType">
                <Value>exact</Value>
            </Attribute>
            <Attribute name="wantAssertionEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="spAdapter">
                <Value/>
            </Attribute>
            <Attribute name="spAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="saml2AuthModuleName">
                <Value/>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>true</Value>
            </Attribute>
            <Attribute name="localAuthURL">
                <Value/>
            </Attribute>
            <Attribute name="spAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap">
                <Value>EmailAddress=EmailAddress</Value>
                <Value>Telephone=Telephone</Value>
            </Attribute>
            <Attribute name="saeSPUrl">
                <Value>https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp</Value>
            </Attribute>
            <Attribute name="responseArtifactMessageEncoding">
                <Value>URI</Value>
            </Attribute>
            <Attribute name="idpProxyCount">
                <Value>0</Value>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="useIntroductionForIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantArtifactResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="intermediateUrl">
                <Value/>
            </Attribute>
            <Attribute name="defaultRelayState">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="wantPOSTResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantAttributeEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="spAdapterEnv"/>
            <Attribute name="saeSPLogoutUrl">
                <Value>https://lb4.sp-example.com:1081/opensso/samples/saml2/sae/saeSPApp.jsp</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPListFinderImpl">
                <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="encryptionCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="spAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="assertionTimeSkew">
                <Value>300</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPList"/>
            <Attribute name="autofedAttribute">
                <Value>mail</Value>
            </Attribute>
            <Attribute name="saeAppSecretList">
                <Value>url=https://lb4.sp-example.com:1081/opensso/samples/saml2/sae/saeSPApp.jsp|type=symmetric|secret=AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy</Value>
            </Attribute>
        </SPSSOConfig>
        <IDPSSOConfig metaAlias="/idp">
            <Attribute name="description">
                <Value/>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="encryptionCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="autofedAttribute">
                <Value/>
            </Attribute>
            <Attribute name="assertionEffectiveTime">
                <Value>600</Value>
            </Attribute>
            <Attribute name="idpAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="idpAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
            </Attribute>
            <Attribute name="idpAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
            </Attribute>
            <Attribute name="idpAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
            </Attribute>
            <Attribute name="assertionIDRequestMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
            </Attribute>
            <Attribute name="nameIDFormatMap">
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
                <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
            </Attribute>
            <Attribute name="idpECPSessionMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
            </Attribute>
            <Attribute name="attributeMap"/>
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="wantArtifactResolveSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>spcot</Value>
            </Attribute>
            <Attribute name="discoveryBootstrappingEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="assertionCacheEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="assertionNotBeforeTimeSkew">
                <Value>600</Value>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
            <Attribute name="saeIDPUrl">
                <Value>https://lb4.sp-example.com:1081/opensso/idpsaehandler/metaAlias/idp</Value>
            </Attribute>
            <Attribute name="AuthUrl">
                <Value/>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
        </IDPSSOConfig>
    </EntityConfig>
    
    Entity configuration was exported to file, web.

  5. Log out of the OpenSSO Enterprise console.
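
The export shown in step 4 leaves several settings to review before this service provider is used outside a test deployment: the SPSSODescriptor has AuthnRequestsSigned and WantAssertionsSigned set to false and publishes no KeyDescriptor, the SP-side signingCertAlias and want...Signed attributes are empty, and saeAppSecretList carries a shared secret. The following check is an added example, not part of the original guide or of OpenSSO Enterprise; it reads the standard and extended metadata and lists those points. The function names, the trimmed sample XML and the placeholder secret are constructed for illustration, and treating an empty Value element as "not enabled" is an assumption.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
CFG = "{urn:sun:fm:SAML:2.0:entityconfig}"

# Constructed samples: trimmed copies of the two exports, same attribute values.
STANDARD = """<EntityDescriptor entityID="https://lb4.sp-example.com:1081/opensso"
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://lb4.sp-example.com:1081/opensso/Consumer/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>"""
EXTENDED = """<EntityConfig entityID="https://lb4.sp-example.com:1081/opensso"
  hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="signingCertAlias"><Value/></Attribute>
    <Attribute name="wantPOSTResponseSigned"><Value/></Attribute>
    <Attribute name="wantLogoutRequestSigned"><Value/></Attribute>
    <Attribute name="saeAppSecretList">
      <Value>url=https://lb4.sp-example.com:1081/opensso/samples/saml2/sae/saeSPApp.jsp|type=symmetric|secret=PLACEHOLDER</Value>
    </Attribute>
  </SPSSOConfig>
</EntityConfig>"""

def sp_attrs(extended_xml):
    """Map each SPSSOConfig attribute name to its non-empty values."""
    sp = ET.fromstring(extended_xml).find(CFG + "SPSSOConfig")
    return {
        a.get("name"): [v.text.strip() for v in a.findall(CFG + "Value")
                        if v.text and v.text.strip()]
        for a in sp.findall(CFG + "Attribute")
    }

def audit(standard_xml, extended_xml):
    """Return review findings for a hosted SP export (empty list = none)."""
    findings = []
    sp = ET.fromstring(standard_xml).find(MD + "SPSSODescriptor")
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag, "false") != "true":
            findings.append(f"{flag} is not true")
    if sp.find(MD + "KeyDescriptor") is None:
        findings.append("SPSSODescriptor publishes no KeyDescriptor")
    attrs = sp_attrs(extended_xml)
    alias = attrs.get("signingCertAlias", [])
    if not alias:
        findings.append("signingCertAlias is empty")
    elif alias == ["test"]:  # the alias this walkthrough selects
        findings.append("signingCertAlias is 'test', the walkthrough key")
    for name in sorted(attrs):
        # Assumption: an empty <Value/> means the requirement is not enforced.
        if name.startswith("want") and attrs[name] != ["true"]:
            findings.append(f"{name} is not enabled")
    if any("secret=" in v for v in attrs.get("saeAppSecretList", [])):
        findings.append("saeAppSecretList holds a shared secret; redact it")
    return findings
```

Calling `audit()` on the text saved from the export-entity page returns one line per setting to review; an empty list means none of these checks fired.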