Oracle OpenSSO 8.0 Update 2 Release Notes

New Features for the Fedlet in OpenSSO 8.0 Update 2

Oracle OpenSSO 8.0 Update 2 includes the following new features for the Fedlet:

Fedlet Version Information (CR 6941387)

The Oracle OpenSSO Fedlet includes version information. After you extract the files in the Fedlet package (ZIP file), determine the Fedlet version by viewing one of the following files:

Java Fedlet Password Encryption and Decryption (CR 6930477)

The Java Fedlet provides the fedletEncode.jsp in the fedlet.war file to encrypt the storepass and keypass passwords. By default, a different encryption key is generated for each Fedlet. To change this encryption key, set the am.encryption.pwd property in the Fedlet FederationConfig.properties file.

Java Fedlet Support for Signing and Encryption

The Java Fedlet supports XML signature verification and decryption of encrypted assertion and NameID elements and their corresponding attributes.

To Configure the Java Fedlet for Signing and Encryption

  1. Create a keystore file named keystore.jks using the keytool utility.
  2. Add the private key (and public certificate if applicable) used for signing and the private key (and public certificate if applicable) used for encryption to the keystore.jks file.
  3. Create a .storepass file.
  4. Add the password to the .storepass file. To encrypt the password, use fedletEncode.jsp.
  5. Create a .keypass file.
  6. Add the password to the .keypass file. To encrypt the password, use fedletEncode.jsp.
  7. If you are using clear text passwords, comment out the following line in the FederationConfig.properties file:
    com.sun.identity.saml.xmlsig.passwordDecoder=com.sun.identity.fedlet.FedletEncodeDecode
  8. Set the complete path for the following attributes in the FederationConfig.properties file, where path is the complete path to the respective file:
    com.sun.identity.saml.xmlsig.keystore=path/keystore.jks
    com.sun.identity.saml.xmlsig.storepass=path/.storepass
    com.sun.identity.saml.xmlsig.keypass=path/.keypass
  9. Use keytool to export the signing certificate. For example:
    keytool -export -keystore keystore.jks -rfc -alias test

    The tool prompts you to enter the password used to access keystore.jks and then generates the certificate.

  10. If you need an encryption certificate, use keytool to export it, as shown in the previous step. (Or use the same certificate for both signing and encryption.)
  11. Create a KeyDescriptor XML block and add the signing certificate to it. For example, note the use="signing" attribute of the KeyDescriptor element:
    <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
    </KeyDescriptor>
  12. Create another KeyDescriptor XML block and add the encryption certificate to it. For example, note the use="encryption" attribute of the KeyDescriptor element:
    <KeyDescriptor use="encryption">
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
              <X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
              </X509Certificate>
            </X509Data>
          </KeyInfo>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
      <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
    </EncryptionMethod>
    </KeyDescriptor>
  13. In the Java Fedlet sp.xml file, add the XML blocks with the signing and encryption certificates under the SPSSODescriptor element. For a sample SPSSODescriptor element, see Example 5-1.

    The AuthnRequestsSigned attribute is set to true, configuring the Java Fedlet to sign all authentication requests.

  14. In the Java Fedlet sp-extended.xml file, set values for the following elements:
    • signingCertAlias contains the alias of the XML signing certificate in the keystore.

    • encryptionCertAlias contains the alias of the XML encryption certificate in the keystore.

  15. To enforce what the Java Fedlet service provider encrypts, set the following attributes in the sp-extended.xml file to true:
    • wantAssertionEncrypted

    • wantNameIDEncrypted

    • wantAttributeEncrypted

  16. To enforce what the Java Fedlet service provider signs and wants signed, set the following attributes to true:
    • wantAuthnRequestsSigned in the idp.xml file tells the Fedlet what to sign.

    • AuthnRequestsSigned and WantAssertionsSigned in the sp.xml file tell the identity provider what the Fedlet plans to sign.

    • wantArtifactResponseSigned in the sp-extended.xml file tells the Fedlet what to sign.

    • wantPOSTResponseSigned in the sp-extended.xml file

    • wantLogoutRequestSigned in the sp-extended.xml file

    • wantLogoutResponseSigned in the sp-extended.xml file

    If the identity provider requires signing for specific messages, set the respective attributes (for example, wantLogoutRequestSigned and wantLogoutResponseSigned) to true in the idp-extended.xml file.


    Note - If you set attributes in the sp-extended.xml file, convey this information to the identity provider administrator, so that the necessary configuration changes can be made in the identity provider.


  17. Restart the Java Fedlet web container.
  18. Import the Java Fedlet sp.xml file into the identity provider.

Example 5-1 Java Fedlet Sample SPSSODescriptor Element

<EntityDescriptor entityID="fedlet"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>

</KeyDescriptor>
<KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
          </X509Certificate>
        </X509Data>
      </KeyInfo>

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
<KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
</EncryptionMethod>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://server.sun.com:7070/fedlet/fedletapplication"/>
</SPSSODescriptor>
</EntityDescriptor>

Java Fedlet Support for Attribute Query (CR 6930476)

The Java Fedlet supports the SAMLv2 Attribute Query, which queries an identity provider such as Oracle OpenSSO 8.0 Update 2 for specific identity attribute values. You can configure the Fedlet to sign the query and to encrypt it. Signing is required for the Fedlet to issue a query; encryption is optional.

To Configure the Java Fedlet for Attribute Query

  1. Enable XML signing to sign the Attribute Query, as described in Java Fedlet Support for Signing and Encryption.
  2. Add the certificate generated in the previous step to the RoleDescriptor element in the Fedlet sp.xml file. In the following example, there are two KeyDescriptor tags in which you paste the certificate. One is for signing and another is for encryption. If you are not enabling encryption, the KeyDescriptor use="encryption" tag is not required.
    <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
          xsi:type="query:AttributeQueryDescriptorType"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                --certificate--
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
      </KeyDescriptor>
      <KeyDescriptor use="encryption">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                --certificate--
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
          <EncryptionMethod
              Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
            <xenc:KeySize
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
          </EncryptionMethod>
      </KeyDescriptor>
    </RoleDescriptor>
  3. In the Java Fedlet sp-extended.xml file, specify the value for the signingCertAlias attribute and if configured, for the encryptionCertAlias attribute.

    If you plan to configure the identity provider to encrypt the assertion, the NameID element must also be encrypted, so set the wantNameIDEncrypted attribute to true. Add the XML code to the AttributeQueryConfig element. For example:

    <Attribute name="signingCertAlias">
          <Value>test</Value>
    </Attribute>
    <Attribute name="encryptionCertAlias">
          <Value>test</Value>
    </Attribute>
    <Attribute name="wantNameIDEncrypted">
          <Value>true</Value>
    </Attribute>

    In this example, test is the alias for the sample key.

  4. Import the Java Fedlet metadata file (sp.xml) into the identity provider.

    Also, perform the additional configuration steps in the identity provider to support the Attribute Query for the Fedlet.
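As an added example (not OpenSSO code), the following Python script checks an sp.xml and sp-extended.xml pair for the points the signing and encryption procedure and the Attribute Query step above call for: KeyDescriptor elements for both signing and encryption placed first under SPSSODescriptor (as in Example 5-1), each X509Certificate a complete base64 DER blob rather than one truncated by a bad paste, EncryptionMethod aes128-cbc with KeySize 128, AuthnRequestsSigned set to true, signingCertAlias and encryptionCertAlias set, and wantNameIDEncrypted set whenever wantAssertionEncrypted is. The sample XML and the stand-in certificate are constructed, and the extended-metadata namespace is deliberately not assumed.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"


def der_complete(b64: str) -> bool:
    """True if the text is base64 of exactly one DER SEQUENCE, i.e. a certificate
    pasted whole; a blob cut off mid-line still decodes but fails the length test."""
    try:
        raw = base64.b64decode("".join(b64.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 2 or raw[0] != 0x30:
        return False
    if raw[1] < 0x80:
        header, length = 2, raw[1]
    else:
        n = raw[1] & 0x7F
        if n == 0 or len(raw) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(raw[2:2 + n], "big")
    return header + length == len(raw)


def ext_attributes(sp_extended_xml: str) -> dict:
    """Attribute name -> list of Values from sp-extended.xml, matched by local name."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    attrs = [el for el in ET.fromstring(sp_extended_xml).iter() if local(el.tag) == "Attribute"]
    return {a.get("name"): [v.text.strip() for v in a if local(v.tag) == "Value" and v.text]
            for a in attrs}


def check_sp_metadata(sp_xml: str, sp_extended_xml: str) -> list:
    problems = []
    spsso = ET.fromstring(sp_xml).find(f"{{{MD}}}SPSSODescriptor")
    if spsso is None:
        return ["sp.xml has no SPSSODescriptor"]
    if spsso.get("AuthnRequestsSigned") != "true":
        problems.append("AuthnRequestsSigned is not true: AuthnRequests go out unsigned")
    children = list(spsso)
    if not children or children[0].tag != f"{{{MD}}}KeyDescriptor":
        problems.append("KeyDescriptor is not the first child of SPSSODescriptor")
    uses = set()
    for kd in spsso.findall(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use", "")
        uses.add(use)
        cert = kd.find(f".//{{{DS}}}X509Certificate")  # matches ds: prefix or default ns
        if cert is None or not der_complete(cert.text or ""):
            problems.append(f"KeyDescriptor use={use}: X509Certificate missing, not base64 or truncated")
        if use == "encryption":
            em = kd.find(f"{{{MD}}}EncryptionMethod")
            ks = em.find(f"{{{XENC}}}KeySize") if em is not None else None
            if em is None or em.get("Algorithm") != AES128_CBC or ks is None or (ks.text or "").strip() != "128":
                problems.append("encryption KeyDescriptor needs EncryptionMethod aes128-cbc with KeySize 128")
    ext = ext_attributes(sp_extended_xml)
    for use, alias in (("signing", "signingCertAlias"), ("encryption", "encryptionCertAlias")):
        if use in uses and not ext.get(alias):
            problems.append(f"sp.xml advertises a {use} key but sp-extended.xml sets no {alias}")
    if ext.get("wantAssertionEncrypted") == ["true"] and ext.get("wantNameIDEncrypted") != ["true"]:
        problems.append("wantAssertionEncrypted=true requires wantNameIDEncrypted=true")
    return problems


# Constructed samples; the certificate text is a stand-in (a complete 7-byte DER SEQUENCE, not a real certificate).
KEY_INFO = (f'<ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data><ds:X509Certificate>'
            "MAUCAQEFAA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
SAMPLE_SP_XML = f"""<EntityDescriptor entityID="fedlet" xmlns="{MD}">
 <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing">{KEY_INFO}</KeyDescriptor>
  <KeyDescriptor use="encryption">{KEY_INFO}
   <EncryptionMethod Algorithm="{AES128_CBC}"><KeySize xmlns="{XENC}">128</KeySize></EncryptionMethod>
  </KeyDescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://sp.example.com/fedlet/fedletapplication"/>
 </SPSSODescriptor>
</EntityDescriptor>"""
SAMPLE_SP_EXTENDED_XML = """<EntityConfig entityID="fedlet"><SPSSOConfig>
 <Attribute name="signingCertAlias"><Value>test</Value></Attribute>
 <Attribute name="encryptionCertAlias"><Value>test</Value></Attribute>
 <Attribute name="wantAssertionEncrypted"><Value>true</Value></Attribute>
 <Attribute name="wantNameIDEncrypted"><Value>true</Value></Attribute>
</SPSSOConfig></EntityConfig>"""
```

Run check_sp_metadata on your own two files; an empty list means the pair is consistent, otherwise each finding names the element or attribute to fix.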

.NET Fedlet Encryption and Decryption of Requests and Responses (CR 6939005)

The .NET Fedlet can encrypt outgoing XML requests and decrypt incoming responses for the NameID, Attribute, and Assertion elements.

To Configure the .NET Fedlet for Encryption and Decryption of Requests and Responses

  1. Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following Microsoft article:

    http://msdn.microsoft.com/en-us/library/ms788967.aspx

  2. Specify a friendly name for this certificate by viewing the Properties dialog and entering a value. (Save this value for Step 4.)
  3. Set the appropriate permissions to allow read access to the certificate for the user account used by Internet Information Server (IIS), as described in the Microsoft article. For example:
    1. In the Certificates Snap-in, navigate to Action, All Tasks, and then Manage Private Keys.
    2. Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE).
  4. In the .NET Fedlet's extended metadata file (sp-extended.xml), specify the friendly name specified in Step 2 as the value for the encryptionCertAlias attribute. For example:
    <Attribute name="encryptionCertAlias">
        <Value>MyFedlet</Value>
    </Attribute>
  5. In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the encryption key.

    Use the Certificates Snap-in used earlier to export your certificate (the public key) in Base64 encoding, and paste it into the KeyDescriptor XML block. This KeyDescriptor must be the first child element within the SPSSODescriptor. For example:

    <KeyDescriptor use="encryption">
               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                 <ds:X509Data>
                   <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                   </ds:X509Certificate>
                 </ds:X509Data>
               </ds:KeyInfo>
               <EncryptionMethod
                   Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
                 <KeySize
                     xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
               </EncryptionMethod>
    </KeyDescriptor>
  6. Restart the Application Pool associated with your .NET application.

Next Steps

To test this configuration, use the sample application. Also, set the following attributes (with the corresponding changes to the configured metadata) to encrypt requests to, and decrypt responses from, the identity provider:

.NET Fedlet Signing of Requests and Responses (CR 6928530)

The .NET Fedlet supports the signing of outgoing XML requests such as Authn requests and logout requests.

To Configure the .NET Fedlet for Signing of Requests and Responses:

  1. Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following Microsoft article:

    http://msdn.microsoft.com/en-us/library/ms788967.aspx

  2. Specify a friendly name for this certificate by viewing the Properties dialog and entering a value. (Save this value for Step 4.)
  3. Set the appropriate permissions to allow read access to the certificate for the user account used by Internet Information Server (IIS), as described in the Microsoft article. For example:
    1. In the Certificates Snap-in, navigate to Action, All Tasks, and then Manage Private Keys.
    2. Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE).
  4. In the .NET Fedlet's extended metadata file (sp-extended.xml), specify the friendly name specified in Step 2 as the value for the signingCertAlias attribute. For example:
    <Attribute name="signingCertAlias">
        <Value>MyFedlet</Value>
    </Attribute>
  5. In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the signing key.

    Use the Certificates Snap-in used earlier to export your certificate (the public key) in Base64 encoding, and paste it into the KeyDescriptor XML block. This KeyDescriptor must be the first child element within the SPSSODescriptor. For example:

    <KeyDescriptor use="signing">
                 <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                       <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                       </ds:X509Certificate>
                    </ds:X509Data>
                 </ds:KeyInfo>
    </KeyDescriptor>
  6. Restart the Application Pool associated with your .NET application.

.NET Fedlet Single Logout (CR 6928528 and CR 6930472)

The .NET Fedlet supports both identity provider initiated and service provider initiated single logout. To implement single logout, the .NET Fedlet sample application includes the logout.aspx and spinitiatedslo.aspx files in the asp.net/SampleApp folder. To see how the Fedlet single logout feature works, deploy the .NET Fedlet sample application.

To Configure a .NET Fedlet Service Provider Application for Single Logout:

  1. If you have not configured the .NET Fedlet, follow the steps in the Readme file.
  2. Copy the logout.aspx and spinitiatedslo.aspx files into your .NET application's public content.
  3. Make these changes to the configuration files for your application:
    • In the sp.xml file, make sure the path to the logout.aspx file points to the correct location of the file for your application.

    • In the idp.xml file (or during the identity provider configuration) make sure the path to the spinitiatedslo.aspx file points to the correct location of the file for your application.

  4. If you want the logout request and logout response signed, set the following attributes to true in the sp-extended.xml and idp-extended.xml files:
    • wantLogoutRequestSigned

    • wantLogoutResponseSigned

  5. Import the Fedlet service provider metadata file (sp.xml) into the identity provider.

    Also, inform the identity provider administrator that you configured single logout for the Fedlet service provider, so that any additional required changes can be made to the identity provider configuration.

.NET Fedlet Service Provider Initiated Single Sign-on (CR 6928525)

The .NET Fedlet supports the SAMLv2 service provider initiated single sign-on (SSO). In addition, artifact support is required to allow the .NET Fedlet to receive an artifact and then have it resolved through SOAP with the issuing identity provider's Artifact Resolution Service.

The .NET Fedlet sample application shows how you can configure single sign-on. After your application has the necessary artifacts installed, a specific URI is required to receive the HTTP POST containing the SAMLv2 response after successful authentication by the identity provider. The following code example shows how you can retrieve this information in a .NET application:

Example 5-2 Code Example to Retrieve the AuthnResponse in a .NET Fedlet Application

AuthnResponse authnResponse = null;
try
{
      ServiceProviderUtility spu = new ServiceProviderUtility(Context);
      authnResponse = spu.GetAuthnResponse(Context);
}
catch (Saml2Exception se)
{
      // invalid AuthnResponse received
}
catch (ServiceProviderUtilityException spue)
{
      // issues with deployment (reading metadata)
}

If your application receives the SAMLv2 response, the authnResponse object will be populated with the assertion information. The sample application shows how to retrieve the attributes and subject information from this object.

.NET Fedlet Support for Multiple Identity Providers and Discovery Service (CR 6928524)

The .NET Fedlet supports multiple identity providers and the identity provider discovery service.

In some deployments, you might want to configure the .NET Fedlet with multiple identity providers such as Oracle OpenSSO 8.0 Update 2. Perform the following task for each additional identity provider you want to add.

To Configure the .NET Fedlet for Multiple Identity Providers

  1. Get the XML metadata file from the additional identity provider.
  2. Name the additional identity provider metadata file idpn.xml, where n is the ordinal number of the identity provider you are adding. For example, name the second identity provider file idp2.xml, the third idp3.xml, and so on. This procedure uses idp2.xml as the file name.
  3. Copy the idp2.xml file from Step 2 to your application's App_Data folder.
  4. Add this new identity provider to the .NET Fedlet circle of trust.

    To add the new identity provider to an existing circle of trust:

    In the fedlet.cot file in your application's App_Data folder, append the new IDP entity ID (indicated by the entityID attribute in the idp2.xml metadata file) to the value of the sun-fm-trusted-providers attribute, using a comma (,) as a separator.

    To add the new identity provider to a new circle of trust:

    1. Create a new file named fedlet2.cot in your application's App_Data folder. Use the existing fedlet.cot as a template, but change the value of the cot-name attribute to the name of the new circle of trust (for example, cot2). Include both the new identity provider entity ID and the Fedlet entity ID as the value of the sun-fm-trusted-providers attribute, with the two entity IDs separated by a comma (,).
    2. In the sp-extended.xml file, add the new circle of trust name to the value of the cotlist attribute. For example, for a circle of trust named cot2:
      <Attribute name="cotlist">
      <Value>saml2cot</Value>
      <Value>cot2</Value>
      </Attribute>
  5. In your application's App_Data folder, create a new idp2-extended.xml file as the extended metadata for the new identity provider. Use the existing idp-extended.xml file as a template, but change the entityID to the new identity provider entity ID. Change the value for the cotlist attribute to the circle of trust name, if a new circle of trust is created for the identity provider. Make sure that the additional identity provider is a remote identity.
  6. Restart the Application Pool associated with your Fedlet .NET application.
  7. The Fedlet metadata XML file (sp.xml) must be imported into the additional identity provider and added to the same circle of trust as the identity provider entity. Either import the sp.xml file into the identity provider, or give the file to your identity provider administrator to import.

.NET Fedlet Support for the Identity Provider Discovery Service (CR 6928524)

In this scenario, the .NET Fedlet is configured with multiple identity providers in a circle of trust and you want to configure the Fedlet to use the identity provider discovery service to determine the preferred identity provider.

The discovery service must be configured for the identity providers you are using with the .NET Fedlet. For information about configuring the identity provider discovery service in Oracle OpenSSO 8.0 Update 2, see the following documentation collection:

http://download.oracle.com/docs/cd/E19681-01/index.html

To Configure the .NET Fedlet to Use the Identity Provider Discovery Service:

  1. In the .NET Fedlet fedlet.cot file, set the sun-fm-saml2-readerservice-url property to the SAMLv2 reader service URL. For example:
    sun-fm-saml2-readerservice-url=http://discovery.common.com/opensso/saml2reader
  2. Restart the Application Pool associated with your .NET Fedlet application.
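As an added example (not OpenSSO code), the following Python script cross-checks the App_Data files that the multiple-identity-provider and discovery-service procedures above touch: every fedlet*.cot names a cot-name that appears in the sp-extended.xml cotlist, lists the Fedlet entity ID among its sun-fm-trusted-providers, and every trusted provider has a matching idpN.xml; conversely, every idpN.xml belongs to some circle of trust. The .cot files are parsed as key=value lines (an assumption taken from the sun-fm-saml2-readerservice-url example above), and the sample deployment is constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"


def parse_cot(text: str) -> dict:
    """Parse a fedlet*.cot file. Assumed format: one key=value per line, as in the
    sun-fm-saml2-readerservice-url example in the release notes; '#' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def trusted_providers(props: dict) -> set:
    """Entity IDs in sun-fm-trusted-providers (comma separated, per the procedure above)."""
    return {p.strip() for p in props.get("sun-fm-trusted-providers", "").split(",") if p.strip()}


def entity_id(metadata_xml: str) -> str:
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not SAML 2.0 metadata: {root.tag}")
    return root.get("entityID", "")


def cotlist_values(sp_extended_xml: str) -> set:
    """Values of <Attribute name="cotlist">, matched by local name (namespace-agnostic)."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    return {v.text.strip() for el in ET.fromstring(sp_extended_xml).iter()
            if local(el.tag) == "Attribute" and el.get("name") == "cotlist"
            for v in el if local(v.tag) == "Value" and v.text}


def check_circles(cots: dict, idps: dict, sp_xml: str, sp_extended_xml: str) -> list:
    """cots: {filename: text of fedlet*.cot}; idps: {filename: text of idpN.xml}.
    Returns findings; an empty list means every IdP is trusted and every CoT is listed."""
    problems = []
    fedlet = entity_id(sp_xml)
    idp_ids = {name: entity_id(xml) for name, xml in idps.items()}
    cotlist = cotlist_values(sp_extended_xml)
    covered = set()
    for name, text in cots.items():
        props = parse_cot(text)
        cot_name, members = props.get("cot-name", ""), trusted_providers(props)
        if not cot_name:
            problems.append(f"{name}: no cot-name")
        elif cot_name not in cotlist:
            problems.append(f"{name}: cot-name {cot_name!r} is not in the sp-extended.xml cotlist")
        if fedlet not in members:
            problems.append(f"{name}: Fedlet entityID {fedlet!r} missing from sun-fm-trusted-providers")
        for member in members - {fedlet}:
            if member not in idp_ids.values():
                problems.append(f"{name}: trusted provider {member!r} has no idpN.xml in App_Data")
        covered |= members
    for name, eid in idp_ids.items():
        if eid not in covered:
            problems.append(f"{name}: entityID {eid!r} is in no circle of trust")
    return problems


# Constructed sample deployment: two IdPs, the second in its own circle of trust with a reader service.
META = f'<EntityDescriptor xmlns="{MD}" entityID="%s"/>'
SP_XML = META % "fedlet"
IDPS = {"idp.xml": META % "http://idp1.example.com/opensso", "idp2.xml": META % "http://idp2.example.com/opensso"}
COTS = {
    "fedlet.cot": "cot-name=saml2cot\nsun-fm-trusted-providers=http://idp1.example.com/opensso,fedlet\n",
    "fedlet2.cot": "cot-name=cot2\nsun-fm-trusted-providers=http://idp2.example.com/opensso,fedlet\n"
                   "sun-fm-saml2-readerservice-url=http://discovery.example.com/opensso/saml2reader\n",
}
SP_EXTENDED_XML = """<EntityConfig entityID="fedlet"><SPSSOConfig>
 <Attribute name="cotlist"><Value>saml2cot</Value><Value>cot2</Value></Attribute>
</SPSSOConfig></EntityConfig>"""
```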