5 Using the Oracle OpenSSO Fedlet

The Oracle OpenSSO Fedlet is a lightweight service provider (SP) implementation that can be deployed with a Java or .NET service provider application, enabling the application to communicate with an identity provider (IDP) such as Oracle OpenSSO 8.0 Update 2 using the SAMLv2 protocol.

This chapter includes the following sections:

About the Oracle OpenSSO Fedlet
New Features for the Fedlet in OpenSSO 8.0 Update 2
Documentation Errata

5.1 About the Oracle OpenSSO Fedlet

The Oracle OpenSSO Fedlet has two versions, depending on your platform:

The Java Fedlet was first released in OpenSSO 8.0. For information, see Chapter 5, Using the OpenSSO Enterprise Fedlet to Enable Identity Federation, in the Sun OpenSSO Enterprise 8.0 Deployment Planning Guide.
The .NET Fedlet was released in OpenSSO 8.0 Update 1. For information, see Chapter 10, Using the ASP.NET Fedlet with OpenSSO Enterprise 8.0 Update 1, in the Sun OpenSSO Enterprise 8.0 Update 1 Release Notes.

In Oracle OpenSSO 8.0 Update 2, the Fedlet is available as follows:

After you unzip the OpenSSO 8.0 Update 2 ZIP file, both the Java Fedlet and .NET Fedlet are available in the following file:

zip-root/opensso/fedlet/fedlet-unconfigured.zip, where zip-root is where you unzipped the Oracle OpenSSO 8.0 Update 2 ZIP file.
After you install Oracle OpenSSO 8.0 Update 2, you can create the Java Fedlet in the OpenSSO 8.0 Administration Console using the Create Fedlet work flow under Common Tasks.

5.1.1 Requirements for the Oracle OpenSSO Fedlet

The Fedlet has the following requirements:

Oracle OpenSSO 8.0 Update 2 supported web container, if you plan to deploy the fedlet.war, or a Java service provider application that is integrated with the Fedlet. See the Hardware and Software Requirements For OpenSSO 8.0 Update 2.
Microsoft Internet Information Server (IIS) 7.0 and later, if you plan to deploy the .NET Fedlet
JDK 1.6.x and later

5.1.2 Oracle OpenSSO Fedlet Configuration

This section describes how to initially configure the Fedlet with a service provider application:

To Configure the Java Fedlet
To Configure the .NET Fedlet

After you finish the initial configuration for the Fedlet, continue with any additional configuration you want to perform. Several considerations are:

If you modify the Fedlet sp.xml file, you must re-import this file into your identity provider.
If you make other Fedlet configuration changes on the service provider side, convey this information to the identity provider administrator, so that the required configuration changes can be made on the identity provider side.

5.1.2.1 To Configure the Java Fedlet

On the identity provider side, generate the XML metadata for the identity provider and save the metadata in a file named idp.xml.

For Oracle OpenSSO 8.0 Update 2, use exportmetadata.jsp. For example:
```
http://opensso-idp.example.com:8080/opensso/saml2/jsp/exportmetadata.jsp
```
On the service provider side, unzip the Fedlet ZIP file (if necessary).
Create the Fedlet home directory, which is the directory where the Fedlet reads its metadata, circle of trust, and configuration properties files.

The default location is the fedlet subdirectory under the home directory of the user running the Fedlet web container (indicated by the user.home JVM property). For example, if this home directory is /home/webservd, the Fedlet home directory is:
```
/home/webservd/fedlet
```
To change the Fedlet default home directory, set the value of the JVM run-time com.sun.identity.fedlet.home property to the desired location. For example:
```
-Dcom.sun.identity.fedlet.home=/export/fedlet/conf
```
The Fedlet then reads its metadata, circle of trust, and configuration files from the /export/fedlet/conf directory.
Copy the following files from the Java Fedlet java/conf directory to the Fedlet home directory:
- sp.xml-template
- sp-extended.xml-template
- idp-extended.xml-template
- fedlet.cot-template
In the Fedlet home directory, rename the files you copied and drop -template from each name.

In the files you copied and renamed in the Fedlet home directory, replace the tags as shown in the next table:

Note:

If the Fedlet service provider or identity provider entity ID contains a percent sign (%) or comma (,), you must escape the character before replacing it in the fedlet.cot file. For example, change "%" to "%25" and "," to "%2C".

Tag	Replace With
`FEDLET_COT`	Name of the circle of trust (COT) of which the remote identity provider and the Java Fedlet service provider application are members.
`FEDLET_ENTITY_ID`	ID (name) of the Java Fedlet service provider application. For example: `fedletsp`
`FEDLET_PROTOCOL`	Protocol of the web container for the Java Fedlet service provider application (such as `fedlet.war`). For example: `https`
`FEDLET_HOST`	Host name of the web container for the Java Fedlet service provider application (such as `fedlet.war`). For example: `fedlet-host.example.com`
`FEDLET_PORT`	Port number of the web container for the Java Fedlet service provider application (such as `fedlet.war`). For example: `80`
`FEDLET_DEPLOY_URI`	URL of the Java Fedlet service provider application. For example: `http://fedletsp.example.com/myFedletApp`
`IDP_ENTITY_ID`	ID (name) of the remote identity provider. For example: `openssoidp`

Copy the FedletConfiguration.properties file from the Java Fedlet java/conf directory to the Fedlet home directory.
Copy the identity provider standard metadata XML file (from Step 1) to the Fedlet home directory. This file must be named idp.xml.
Import the Java Fedlet XML metadata file (sp.xml) into the identity provider.

For Oracle OpenSSO 8.0 Update 2, use the Register Remote Service Provider work flow under Common Tasks in the OpenSSO 8.0 Administration Console to import the Java Fedlet service provider metadata and to add the Java Fedlet service provider to a circle of trust.

Next Steps

Depending on your requirements, continue with any additional configuration for the Java Fedlet.

5.1.2.2 To Configure the .NET Fedlet

On the identity provider side, generate the XML metadata for the identity provider and save the metadata in a file named idp.xml.

For Oracle OpenSSO 8.0 Update 2, use exportmetadata.jsp. For example:
```
http://opensso-idp.example.com:8080/opensso/saml2/jsp/exportmetadata.jsp
```
On the service provider side, unzip the Fedlet ZIP file (if necessary).
Copy the following files from the .NET Fedlet asp.net/conf folder to your application's App_Data folder:
- sp.xml-template
- sp-extended.xml-template
- idp-extended.xml-template
- fedlet.cot-template
In the App_Data folder, rename the files you copied and drop -template from each name.

In the files you copied and renamed in the App_Data folder, replace the tags as shown in the next table:

Tag	Replace With
`FEDLET_COT`	Name of the circle of trust (COT) of which the remote identity provider and the .NET Fedlet service provider application are members.
`FEDLET_ENTITY_ID`	ID (name) of the .NET Fedlet service provider application. For example: `fedletsp`
`FEDLET_DEPLOY_URI`	URL of the .NET Fedlet service provider application. For example: `http://fedletsp.example.com/myFedletApp`
`IDP_ENTITY_ID`	ID (name) of the remote identity provider. For example: `openssoidp`

Copy the identity provider standard metadata XML file (from Step 1) to your application's App_Data folder. This file must be named idp.xml.
Copy the Fedlet.dll and the Fedlet.dll.config files from the .NET Fedlet asp.net/bin folder to the application's bin folder.
Import the .NET Fedlet XML metadata file (sp.xml) into the identity provider.

For Oracle OpenSSO 8.0 Update 2, use the Register Remote Service Provider work flow under Common Tasks in the OpenSSO 8.0 Administration Console to import the .NET Fedlet service provider metadata and to add the .NET Fedlet service provider to a circle of trust.

Next Steps

Depending on your requirements, continue with any additional configuration for the .NET Fedlet.

5.2 New Features for the Fedlet in OpenSSO 8.0 Update 2

Oracle OpenSSO 8.0 Update 2 includes the following new features for the Fedlet:

Fedlet Version Information (CR 6941387)
Java Fedlet Password Encryption and Decryption (CR 6930477)
Java Fedlet Support for Signing and Encryption
Java Fedlet Support for Attribute Query (CR 6930476)
.NET Fedlet Encryption and Decryption of Requests and Responses (CR 6939005)
.NET Fedlet Signing of Requests and Responses (CR 6928530)
.NET Fedlet Single Logout (CR 6928528 and CR 6930472)
.NET Fedlet Service Provider Initiated Single Sign-on (CR 6928525)
.NET Fedlet Support for Multiple Identity Providers and Discovery Service (CR 6928524)
.NET Fedlet Support for the Identity Provider Discovery Service (CR 6928524)

5.2.1 Fedlet Version Information (CR 6941387)

The Oracle OpenSSO Fedlet includes version information. After you extract the files in the Fedlet package (ZIP file), determine the Fedlet version by viewing one of the following files:

Java Fedlet: java/conf/FederationConfig.properties
.NET Fedlet: asp.net/bin/Fedlet.dll.config

5.2.2 Java Fedlet Password Encryption and Decryption (CR 6930477)

The Java Fedlet provides the fedletEncode.jsp in the fedlet.war file to encrypt the storepass and keypass passwords. By default, a different encryption key is generated for each Fedlet. To change this encryption key, set the am.encryption.pwd property in the Fedlet FederationConfig.properties file.

5.2.3 Java Fedlet Support for Signing and Encryption

The Java Fedlet supports XML signature verification and decryption of encrypted assertion and NameID elements and their corresponding attributes.

5.2.3.1 To Configure the Java Fedlet for Signing and Encryption

Create a keystore file named keystore.jks using the keytool utility.
Add the private key (and public certificate if applicable) used for signing and the private key (and public certificate if applicable) used for encryption to the keystore.jks file.
Create a .storepass file.
Add the password to the .storepass file. To encrypt the password, use fedletEncode.jsp.
Create a .keypass file.
Add the password to the .keypass file. To encrypt the password, use fedletEncode.jsp.
If you are using clear text passwords, comment out the following line in the FederationConfig.properties file:
```
com.sun.identity.saml.xmlsig.passwordDecoder=
    com.sun.identity.fedlet.FedletEncodeDecode
```

Set the complete path for the following attributes in the FederationConfig.properties file, where path is the complete path to the respective file:

com.sun.identity.saml.xmlsig.keystore=path/keystore.jks
com.sun.identity.saml.xmlsig.storepass=path/.storepass
com.sun.identity.saml.xmlsig.keypass=path/.keypass

Use keytool to export the signing certificate. For example:
```
keytool -export -keystore keystore.jks -rfc -alias test
```
The tool prompts you to enter the password used to access keystore.jks and then generates the certificate.
If you need an encryption certificate, use keytool to export it, as shown in the previous step. (Or use the same certificate for both signing and encryption.)

Create a KeyDescriptor XML block and add the encryption certificate to it. For example, note the use="signing" tag of the KeyDescriptor element:

<KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
</KeyDescriptor>

Create another KeyDescriptor XML block and add the encryption certificate to it. For example, note the use="encryption" tag of the KeyDescriptor element:

<KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
          </X509Certificate>
        </X509Data>
      </KeyInfo>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
  <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
</EncryptionMethod>
</KeyDescriptor>

In the Java Fedlet sp.xml file, add the XML blocks with the signing and encryption certificates under the SPSSODescriptor element. For a sample SPSSODescriptor element, see Example 5-1.

The AuthnRequestsSigned attribute is set to true, configuring the Java Fedlet to sign all authentication requests.
In the Java Fedlet sp-extended.xml file, set values for the following elements:
- signingCertAlias contains the alias of the XML signing certificate in the keystore.
- encryptionCertAlias contains the alias of the XML encryption certificate in the keystore.
To enforce what the Java Fedlet service provider encrypts, set the following attributes in the sp-extended.xml file to true:
- wantAssertionEncrypted
- wantNameIDEncrypted
- wantAttributeEncrypted
To enforce what the Java Fedlet service provider signs and wants signed, set the following attributes to true:
- wantAuthnRequestsSigned in the idp.xml file tells the Fedlet what to sign.
- AuthnRequestsSigned and WantAssertionsSigned in the sp.xml file tells the identity provider what the Fedlet plans to sign.
- wantArtifactResponseSigned in the sp-extended.xml file tells the Fedlet what to sign.
- wantPOSTResponseSigned in the sp-extended.xml file
- wantLogoutRequestSigned in the sp-extended.xml file
- wantLogoutResponseSigned in the sp-extended.xml file
If the identity provider requires signing for specific messages, set the respective attributes to true in the idp-extended.xml file. For example, wantLogoutRequestSigned and wantLogoutResponseSigned.

Note:

If you set attributes in the sp-extended.xml file, convey this information to the identity provider administrator, so that the necessary configuration changes can be made in the identity provider.
Restart the Java Fedlet web container.
Import the Java Fedlet sp.xml file into the identity provider.

Example 5-1 Java Fedlet Sample SPSSODescriptor Element

<EntityDescriptor entityID="fedlet"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<b><KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>

</KeyDescriptor></b>
<b><KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
          </X509Certificate>
        </X509Data>
      </KeyInfo>

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
<KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
</EncryptionMethod>
</KeyDescriptor></b>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><AssertionConsumerService index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://server.sun.com:7070/fedlet/fedletapplication"/>
</SPSSODescriptor>
</EntityDescriptor>

5.2.4 Java Fedlet Support for Attribute Query (CR 6930476)

The Java Fedlet supports the SAMLv2 Attribute Query to query an identity provider such as Oracle OpenSSO 8.0 Update 2 for specific identity attribute values. You can configure the Fedlet to sign the query and encrypt the query. Signing is required for issuing a Fedlet query, but encryption is optional.

5.2.4.1 To Configure the Java Fedlet for Attribute Query

Enable XML signing to sign the Attribute Query, as described in Java Fedlet Support for Signing and Encryption.

Add the certificate generated in the previous step to the RoleDescriptor element in the Fedlet sp.xml file. In the following example, there are two KeyDescriptor tags in which you paste the certificate. One is for signing and another is for encryption. If you are not enabling encryption, the KeyDescriptor use="encryption" tag is not required.

<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
      xsi:type="query:AttributeQueryDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            --certificate--
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
  </KeyDescriptor>
  <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            --certificate--
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    <EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
<xenc:KeySize
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
    </EncryptionMethod>
  </KeyDescriptor>
</RoleDescriptor>

In the Java Fedlet sp-extended.xml file, specify the value for the signingCertAlias attribute and if configured, for the encryptionCertAlias attribute.

If you plan to configure the identity provider to encrypt the assertion, also encrypt the NameID element. Thus, the value of the wantNameIDEncrypted attribute must be set to true. Add the XML code to the AttributeQueryConfig element. For example:
```
<Attribute name="signingCertAlias">
      <Value>test</Value>
</Attribute>
<Attribute name="encryptionCertAlias">
      <Value>test</Value>
</Attribute>
<Attribute name="wantNameIDEncrypted">
      <Value>true</Value>
</Attribute>
```
In this example, test is the alias for the sample key.
Import the Java Fedlet metadata file (sp.xml) into the identity provider.

Also, perform the additional configuration steps in the identity provider to support the Attribute Query for the Fedlet.

5.2.5 .NET Fedlet Encryption and Decryption of Requests and Responses (CR 6939005)

The .NET Fedlet can encrypt outgoing XML requests and decrypt incoming responses for the NameID, Attribute, and Assertion elements.

5.2.5.1 To Configure the .NET Fedlet for Encryption and Decryption of Requests and Responses

Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following Microsoft article:

http://msdn.microsoft.com/en-us/library/ms788967.aspx
Specify a friendly name for this certificate by viewing the Properties dialog and entering a value. (Save this value for Step 4.)
Set the appropriate permissions to allow read access to the certificate for the user account used by Internet Information Server (IIS) as described at the Microsoft article. For example:
1. In the Certificates Snap-in, navigate to Action, All Tasks, and then Manage Private Keys.
2. Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE).
In the .NET Fedlet's extended metadata file (sp-extended.xml), specify the friendly name specified in Step 2 as the value for the encryptionCertAlias attribute. For example:
```
<Attribute name="encryptionCertAlias">
<Value>MyFedlet</Value>
```

In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the encryption key.

Use the Certificates Snap-in for the Microsoft Management Console used earlier to export the public key of your certificate in Base64 encoding to be included in the KeyDescriptor XML block. This KeyDescriptor must be the first child element within the SPSSODescriptor. For example:

<KeyDescriptor use="encryption">
           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
             <ds:X509Data>
               <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
               </ds:X509Certificate>
             </ds:X509Data>
           </ds:KeyInfo>
           <EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
           <KeySize
xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
           </EncryptionMethod>
</KeyDescriptor>

Restart the Application Pool associated with your .NET application.

Next Steps

To test this configuration, use the sample application. Also, set the following attributes to encrypt requests and decrypt responses with the identity provider with the appropriate changes to the configured metadata:

Assertion: Set the wantAssertionEncrypted attribute in the sp-extended.xml metadata file to true to have the .NET Fedlet decrypt the EncryptedAssertion element in incoming responses from the identity provider.
Attribute: Set the wantAttributeEncrypted attribute in the sp-extended.xml metadata file to true to have the .NET Fedlet decrypt the EncryptedAttribute element in incoming responses from the identity provider.
NameID: Set the wantNameIDEncrypted attribute in the idp-extended.xml metadata file to true to have the .NET Fedlet encrypt the NameID element in outgoing requests. Set this same attribute in sp-extended.xml to have the .NET Fedlet decrypt the EncryptedID element in incoming responses from the identity provider.

5.2.6 .NET Fedlet Signing of Requests and Responses (CR 6928530)

The .NET Fedlet supports the signing of outgoing XML requests such as Authn requests and logout requests.

5.2.6.1 To Configure the .NET Fedlet for Signing of Requests and Responses:

Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following Microsoft article:

http://msdn.microsoft.com/en-us/library/ms788967.aspx
Specify a friendly name for this certificate by viewing the Properties dialog and entering a value. (Save this value for Step 4.)
Set the appropriate permissions to allow read access to the certificate for the user account used by Internet Information Server (IIS) as described at the Microsoft article. For example:
1. In the Certificates Snap-in, navigate to Action, All Tasks, and then Manage Private Keys.
2. Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE).
In the .NET Fedlet's extended metadata file (sp-extended.xml), specify the friendly name specified in Step 2 as the value for the signingCertAlias attribute. For example:
```
<Attribute name="signingCertAlias">
<Value>MyFedlet</Value>
```

In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the signing key.

<KeyDescriptor use="signing">
             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                   <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
                   </ds:X509Certificate>
                </ds:X509Data>
             </ds:KeyInfo>
</KeyDescriptor>

Restart the Application Pool associated with your .NET application.

5.2.7 .NET Fedlet Single Logout (CR 6928528 and CR 6930472)

The .NET Fedlet supports both identity provider initiated and service provider initiated single logout. To implement single logout, the .NET Fedlet sample application includes the logout.aspx and spinitiatedslo.aspx files in the asp.net/SampleApp folder. To see how the Fedlet single logout feature works, deploy the .NET Fedlet sample application.

5.2.7.1 To Configure a .NET Fedlet Service Provider Application for Single Logout:

If you have not configured the .NET Fedlet, follow the steps in the Readme file.
Copy the logout.aspx and spinitiatedslo.aspx files within your .NET application's public content.
Make these changes to the configuration files for your application:
- In the sp.xml file, make sure the path to the logout.aspx file points to the correct location of the file for your application.
- In the idp.xml file (or during the identity provider configuration) make sure the path to the spinitiatedslo.aspx file points to the correct location of the file for your application.
If you want the logout request and logout response signed, set the following attributes to true in the sp-extended.xml and idp-extended.xml files:
- wantLogoutRequestSigned
- wantLogoutResponseSigned
Import the Fedlet service provider metadata file (sp.xml) into the identity provider.

Also, inform the identity provider administrator that you configured single logout for the Fedlet service provider, so that any additional required changes can be made to the identity provider configuration.

5.2.8 .NET Fedlet Service Provider Initiated Single Sign-on (CR 6928525)

The .NET Fedlet supports the SAMLv2 service provider initiated single sign-on (SSO). In addition, artifact support is required to allow the .NET Fedlet to receive an artifact and then have it resolved through SOAP with the issuing identity provider's Artifact Resolution Service.

The .NET Fedlet sample application shows how you can configure single sign-on. After your application has the necessary artifacts installed, a specific URI is required to receive the HTTP POST containing the SAMLv2 response after successful authentication by the identity provider. The following code example shows how you can retrieve this information in a .NET application:

Example 5-2 Code Example to Retrieve the AuthnResponse in a .NET Fedlet Application

AuthnResponse authnResponse = null;
try
{
      ServiceProviderUtility spu = new ServiceProviderUtility(Context);
      authnResponse = spu.GetAuthnResponse(Context);
}
catch (Saml2Exception se)
{
      // invalid AuthnResponse received
}
catch (ServiceProviderUtilityException spue)
{
      // issues with deployment (reading metadata)
}

If your application receives the SAMLv2 response, the authnResponse object will be populated with the assertion information. The sample application shows how to retrieve the attributes and subject information from this object.

5.2.9 .NET Fedlet Support for Multiple Identity Providers and Discovery Service (CR 6928524)

The .NET Fedlet supports multiple identity providers and the identity provider discovery service.

In some deployments, you might want to configure the .NET Fedlet with multiple identity providers such as Oracle OpenSSO 8.0 Update 2. Perform the following task for each additional identity provider you wan to add.

5.2.9.1 To Configure the .NET Fedlet for Multiple Identity Providers

Get the XML metadata file from the additional identity provider.
Name the additional identity provider metadata file as idpn.xml, where n is the identity provider that you are adding. For example, name the second identity provider file as idp2.xml, the third as idp3.xml, and so on. This procedure uses idp2.xml as the file name.
Copy the idp2.xml file from Step 2 to your application's App_Data folder.
Add this new identity provider to the .NET Fedlet circle of trust.

To add the new identity provider to an existing circle of trust:

In the fedlet.cot file in your application's App_Data folder, append the new IDP entity ID (indicated by the entityID attribute in the idp2.xml metadata file) to the value of the sun-fm-trusted-providers attribute, using a comma (,) as a separator.

To add the new identity provider to a new circle of trust:
1. Create a new file named fedlet2.cot in your application's App_Data folder. Use the existing fedlet.cot as a template, but change the value of the cot-name attribute to the name of the new circle of trust (for example, cot2). Include both the new identity provider entity ID and the Fedlet entity ID as value for the sun-fm-trusted-providers attribute, with the two entity IDs separated by a comma (,).
2. In the sp-extended.xml file, add the new circle of trust name to the value of the cotlist attribute. For example, for a circle of trust named cot2:
```
<Attribute name="cotlist">
<Value>saml2cot</Value>
<Value>cot2</Value>
</Attribute>
```
In your application's App_Data folder, create a new idp2-extended.xml file as the extended metadata for the new identity provider. Use the existing idp-extended.xml file as a template, but change the entityID to the new identity provider entity ID. Change the value for the cotlist attribute to the circle of trust name, if a new circle of trust is created for the identity provider. Make sure that the additional identity provider is a remote identity.
Restart the Application Pool associated with your Fedlet .NET application.
The Fedlet metadata XML file (sp.xml) must be imported into the additional identity provider and added to the same circle of trust as the identity provider entity. Either import the sp.xml file into the identity provider, or give the file to your identity provider administrator to import.

5.2.10 .NET Fedlet Support for the Identity Provider Discovery Service (CR 6928524)

In this scenario, the .NET Fedlet is configured with multiple identity providers in a circle of trust and you want to configure the Fedlet to use the identity provider discovery service to determine the preferred identity provider.

The discovery service must be configured for the identity providers you are using with the .NET Fedlet. For information about configuring the identity provider discovery service in Oracle OpenSSO 8.0 Update 2, see the following documentation collection:

http://docs.oracle.com/cd/E19681-01/index.html

5.2.10.1 To Configure the .NET Fedlet to Use the Identity Provider Discovery Service:

In the .NET Fedlet fedlet.cot file, set the sun-fm-saml2-readerservice-url property to the SAMLv2 reader service URL. For example:
```
sun-fm-saml2-readerservice-url=http://discovery.common.com/opensso/saml2reader
```
Restart the Application Pool associated with your .NET Fedlet application.

5.3 Documentation Errata

The Fedlet Java API reference is available in the Oracle OpenSSO 8.0 Update 2 Java API Reference in the following documentation collection:

http://docs.oracle.com/cd/E19681-01/index.html

Note:

The getPolicyDecisionForFedlet method is not supported in the OpenSSO 8.0 Update 2 release.