Oracle® OpenSSO 8.0 Update 2 Release Notes, Release 8.0, Part Number E28339-03
The Oracle OpenSSO Fedlet is a lightweight service provider (SP) implementation that can be deployed with a Java or .NET service provider application, enabling the application to communicate with an identity provider (IDP) such as Oracle OpenSSO 8.0 Update 2 using the SAMLv2 protocol.
This chapter includes the following sections:
The Oracle OpenSSO Fedlet has two versions, depending on your platform:
The Java Fedlet was first released in OpenSSO 8.0. For information, see Chapter 5, Using the OpenSSO Enterprise Fedlet to Enable Identity Federation, in the Sun OpenSSO Enterprise 8.0 Deployment Planning Guide.
The .NET Fedlet was released in OpenSSO 8.0 Update 1. For information, see Chapter 10, Using the ASP.NET Fedlet with OpenSSO Enterprise 8.0 Update 1, in the Sun OpenSSO Enterprise 8.0 Update 1 Release Notes.
In Oracle OpenSSO 8.0 Update 2, the Fedlet is available as follows:
After you unzip the OpenSSO 8.0 Update 2 ZIP file, both the Java Fedlet and .NET Fedlet are available in the following file: zip-root/opensso/fedlet/fedlet-unconfigured.zip, where zip-root is the directory where you unzipped the Oracle OpenSSO 8.0 Update 2 ZIP file.
After you install Oracle OpenSSO 8.0 Update 2, you can create the Java Fedlet in the OpenSSO 8.0 Administration Console using the Create Fedlet work flow under Common Tasks.
The Fedlet has the following requirements:
Oracle OpenSSO 8.0 Update 2 supported web container, if you plan to deploy the fedlet.war, or a Java service provider application that is integrated with the Fedlet. See the Hardware and Software Requirements For OpenSSO 8.0 Update 2.
Microsoft Internet Information Server (IIS) 7.0 and later, if you plan to deploy the .NET Fedlet
JDK 1.6.x and later
This section describes how to initially configure the Fedlet with a service provider application:
After you finish the initial configuration for the Fedlet, continue with any additional configuration you want to perform. Several considerations are:
If you modify the Fedlet sp.xml file, you must re-import this file into your identity provider.
If you make other Fedlet configuration changes on the service provider side, convey this information to the identity provider administrator, so that the required configuration changes can be made on the identity provider side.
On the identity provider side, generate the XML metadata for the identity provider and save the metadata in a file named idp.xml.
For Oracle OpenSSO 8.0 Update 2, use exportmetadata.jsp. For example:
http://opensso-idp.example.com:8080/opensso/saml2/jsp/exportmetadata.jsp
On the service provider side, unzip the Fedlet ZIP file (if necessary).
Create the Fedlet home directory, which is the directory where the Fedlet reads its metadata, circle of trust, and configuration properties files.
The default location is the fedlet subdirectory under the home directory of the user running the Fedlet web container (indicated by the user.home JVM property). For example, if this home directory is /home/webservd, the Fedlet home directory is:
/home/webservd/fedlet
To change the Fedlet default home directory, set the value of the JVM run-time com.sun.identity.fedlet.home property to the desired location. For example:
-Dcom.sun.identity.fedlet.home=/export/fedlet/conf
The Fedlet then reads its metadata, circle of trust, and configuration files from the /export/fedlet/conf directory.
Copy the following files from the Java Fedlet java/conf directory to the Fedlet home directory:
sp.xml-template
sp-extended.xml-template
idp-extended.xml-template
fedlet.cot-template
In the Fedlet home directory, rename the files you copied and drop -template from each name.
In the files you copied and renamed in the Fedlet home directory, replace the tags as shown in the next table:
Note:
If the Fedlet service provider or identity provider entity ID contains a percent sign (%) or comma (,), you must escape the character before replacing it in the fedlet.cot file. For example, change "%" to "%25" and "," to "%2C".
Tag | Replace With |
---|---|
 | Name of the circle of trust (COT) of which the remote identity provider and the Java Fedlet service provider application are members. |
 | ID (name) of the Java Fedlet service provider application. For example: |
 | Protocol of the web container for the Java Fedlet service provider application (such as |
 | Host name of the web container for the Java Fedlet service provider application (such as |
 | Port number of the web container for the Java Fedlet service provider application (such as |
 | URL of the Java Fedlet service provider application. For example: |
 | ID (name) of the remote identity provider. For example: |
Copy the FedletConfiguration.properties file from the Java Fedlet java/conf directory to the Fedlet home directory.
Copy the identity provider standard metadata XML file (from Step 1) to the Fedlet home directory. This file must be named idp.xml.
Import the Java Fedlet XML metadata file (sp.xml) into the identity provider.
For Oracle OpenSSO 8.0 Update 2, use the Register Remote Service Provider work flow under Common Tasks in the OpenSSO 8.0 Administration Console to import the Java Fedlet service provider metadata and to add the Java Fedlet service provider to a circle of trust.
Next Steps
Depending on your requirements, continue with any additional configuration for the Java Fedlet.
On the identity provider side, generate the XML metadata for the identity provider and save the metadata in a file named idp.xml.
For Oracle OpenSSO 8.0 Update 2, use exportmetadata.jsp. For example:
http://opensso-idp.example.com:8080/opensso/saml2/jsp/exportmetadata.jsp
On the service provider side, unzip the Fedlet ZIP file (if necessary).
Copy the following files from the .NET Fedlet asp.net/conf folder to your application's App_Data folder:
sp.xml-template
sp-extended.xml-template
idp-extended.xml-template
fedlet.cot-template
In the App_Data folder, rename the files you copied and drop -template from each name.
In the files you copied and renamed in the App_Data folder, replace the tags as shown in the next table:
Tag | Replace With |
---|---|
 | Name of the circle of trust (COT) of which the remote identity provider and the .NET Fedlet service provider application are members. |
 | ID (name) of the .NET Fedlet service provider application. For example: |
 | URL of the .NET Fedlet service provider application. For example: |
 | ID (name) of the remote identity provider. For example: |
Copy the identity provider standard metadata XML file (from Step 1) to your application's App_Data folder. This file must be named idp.xml.
Copy the Fedlet.dll and the Fedlet.dll.config files from the .NET Fedlet asp.net/bin folder to the application's bin folder.
Import the .NET Fedlet XML metadata file (sp.xml) into the identity provider.
For Oracle OpenSSO 8.0 Update 2, use the Register Remote Service Provider work flow under Common Tasks in the OpenSSO 8.0 Administration Console to import the .NET Fedlet service provider metadata and to add the .NET Fedlet service provider to a circle of trust.
Next Steps
Depending on your requirements, continue with any additional configuration for the .NET Fedlet.
Oracle OpenSSO 8.0 Update 2 includes the following new features for the Fedlet:
.NET Fedlet Encryption and Decryption of Requests and Responses (CR 6939005)
.NET Fedlet Service Provider Initiated Single Sign-on (CR 6928525)
.NET Fedlet Support for Multiple Identity Providers and Discovery Service (CR 6928524)
.NET Fedlet Support for the Identity Provider Discovery Service (CR 6928524)
The Oracle OpenSSO Fedlet includes version information. After you extract the files in the Fedlet package (ZIP file), determine the Fedlet version by viewing one of the following files:
Java Fedlet: java/conf/FederationConfig.properties
.NET Fedlet: asp.net/bin/Fedlet.dll.config
The Java Fedlet provides the fedletEncode.jsp in the fedlet.war file to encrypt the storepass and keypass passwords. By default, a different encryption key is generated for each Fedlet. To change this encryption key, set the am.encryption.pwd property in the Fedlet FederationConfig.properties file.
The Java Fedlet supports XML signature verification and decryption of encrypted assertion and NameID elements and their corresponding attributes.
Create a keystore file named keystore.jks using the keytool utility.
Add the private key (and public certificate if applicable) used for signing and the private key (and public certificate if applicable) used for encryption to the keystore.jks file.
Create a .storepass file.
Add the password to the .storepass file. To encrypt the password, use fedletEncode.jsp.
Create a .keypass file.
Add the password to the .keypass file. To encrypt the password, use fedletEncode.jsp.
If you are using clear text passwords, comment out the following line in the FederationConfig.properties file:
com.sun.identity.saml.xmlsig.passwordDecoder=com.sun.identity.fedlet.FedletEncodeDecode
Set the complete path for the following attributes in the FederationConfig.properties file, where path is the complete path to the respective file:
com.sun.identity.saml.xmlsig.keystore=path/keystore.jks
com.sun.identity.saml.xmlsig.storepass=path/.storepass
com.sun.identity.saml.xmlsig.keypass=path/.keypass
Use keytool to export the signing certificate. For example:
keytool -export -keystore keystore.jks -rfc -alias test
The tool prompts you to enter the password used to access keystore.jks and then generates the certificate.
If you need an encryption certificate, use keytool to export it, as shown in the previous step. (Or use the same certificate for both signing and encryption.)
Create a KeyDescriptor XML block and add the signing certificate to it. For example, note the use="signing" attribute of the KeyDescriptor element:
<KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</KeyDescriptor>
Create another KeyDescriptor XML block and add the encryption certificate to it. For example, note the use="encryption" attribute of the KeyDescriptor element:
<KeyDescriptor use="encryption">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
            <X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
            </X509Certificate>
        </X509Data>
    </KeyInfo>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
        <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
    </EncryptionMethod>
</KeyDescriptor>
In the Java Fedlet sp.xml file, add the XML blocks with the signing and encryption certificates under the SPSSODescriptor element. For a sample SPSSODescriptor element, see Example 5-1.
The AuthnRequestsSigned attribute is set to true, configuring the Java Fedlet to sign all authentication requests.
In the Java Fedlet sp-extended.xml file, set values for the following elements:
signingCertAlias contains the alias of the XML signing certificate in the keystore.
encryptionCertAlias contains the alias of the XML encryption certificate in the keystore.
To enforce what the Java Fedlet service provider encrypts, set the following attributes in the sp-extended.xml file to true:
wantAssertionEncrypted
wantNameIDEncrypted
wantAttributeEncrypted
To enforce what the Java Fedlet service provider signs and wants signed, set the following attributes to true:
wantAuthnRequestsSigned in the idp.xml file tells the Fedlet what to sign.
AuthnRequestsSigned and WantAssertionsSigned in the sp.xml file tell the identity provider what the Fedlet plans to sign and what it wants signed.
wantArtifactResponseSigned in the sp-extended.xml file tells the Fedlet what to sign.
wantPOSTResponseSigned in the sp-extended.xml file
wantLogoutRequestSigned in the sp-extended.xml file
wantLogoutResponseSigned in the sp-extended.xml file
If the identity provider requires signing for specific messages, set the respective attributes to true in the idp-extended.xml file. For example, wantLogoutRequestSigned and wantLogoutResponseSigned.
Note:
If you set attributes in the sp-extended.xml file, convey this information to the identity provider administrator, so that the necessary configuration changes can be made in the identity provider.
Restart the Java Fedlet web container.
Import the Java Fedlet sp.xml file into the identity provider.
Example 5-1 Java Fedlet Sample SPSSODescriptor Element
<EntityDescriptor entityID="fedlet" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
                    </X509Certificate>
                </X509Data>
            </KeyInfo>
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
                <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
            </EncryptionMethod>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="http://server.sun.com:7070/fedlet/fedletapplication"/>
    </SPSSODescriptor>
</EntityDescriptor>
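The following Python script is an added example written for this chapter; it is not Fedlet or OpenSSO code. It reads sp.xml, sp-extended.xml and idp.xml with the standard library and reports the mismatches the steps above warn about: an identity provider that wants signed authentication requests while the Fedlet sets AuthnRequestsSigned to false, or a want*Signed or want*Encrypted attribute set to true without a signingCertAlias or encryptionCertAlias in sp-extended.xml and a KeyDescriptor of the matching use in sp.xml. The metadata it builds for the check is constructed; the EntityConfig/SPSSOConfig wrapper around the extended metadata attributes is an assumption (the check only relies on the Attribute/Value shape shown on this page), and WantAuthnRequestsSigned is the SAML 2.0 metadata attribute on IDPSSODescriptor.

```python
"""Preflight consistency check for Fedlet signing and encryption settings.
Added example, not Fedlet code: parses sp.xml, sp-extended.xml and idp.xml
and reports where the identity provider's demands and the Fedlet's
configuration disagree."""
import xml.etree.ElementTree as ET

# sp-extended.xml attributes from this chapter that make the Fedlet sign
SIGN_FLAGS = ("wantArtifactResponseSigned", "wantPOSTResponseSigned",
              "wantLogoutRequestSigned", "wantLogoutResponseSigned")
# sp-extended.xml attributes that make the Fedlet decrypt incoming elements
ENC_FLAGS = ("wantAssertionEncrypted", "wantNameIDEncrypted",
             "wantAttributeEncrypted")

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _parse(xml_text):
    """Parse and drop namespaces so elements can be addressed by local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def extended_attrs(ext_xml):
    """Map each <Attribute name=..><Value>..</Value></Attribute> to its first value."""
    return {a.get("name"): (a.findtext("Value") or "").strip()
            for a in _parse(ext_xml).iter("Attribute")}


def key_descriptor_uses(sp_xml):
    """Set of 'use' values of the KeyDescriptor elements found in sp.xml."""
    return {kd.get("use") for kd in _parse(sp_xml).iter("KeyDescriptor")}


def _is_true(value):
    return value.strip().lower() == "true"


def check_fedlet_config(sp_xml, sp_ext_xml, idp_xml):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    spsso = _parse(sp_xml).find("SPSSODescriptor")
    idpsso = _parse(idp_xml).find("IDPSSODescriptor")
    if spsso is None or idpsso is None:
        raise ValueError("sp.xml needs an SPSSODescriptor and idp.xml an IDPSSODescriptor")
    ext = extended_attrs(sp_ext_xml)
    uses = key_descriptor_uses(sp_xml)

    sp_signs = _is_true(spsso.get("AuthnRequestsSigned", "false"))
    # WantAuthnRequestsSigned: SAML 2.0 metadata attribute on IDPSSODescriptor
    idp_wants = _is_true(idpsso.get("WantAuthnRequestsSigned", "false"))
    if idp_wants and not sp_signs:
        findings.append("idp.xml wants signed AuthnRequests but sp.xml sets "
                        "AuthnRequestsSigned=false")

    if sp_signs or any(_is_true(ext.get(f, "")) for f in SIGN_FLAGS):
        if not ext.get("signingCertAlias"):
            findings.append("signing is enabled but signingCertAlias is empty "
                            "in sp-extended.xml")
        if "signing" not in uses:
            findings.append('signing is enabled but sp.xml has no '
                            'KeyDescriptor use="signing"')

    if any(_is_true(ext.get(f, "")) for f in ENC_FLAGS):
        if not ext.get("encryptionCertAlias"):
            findings.append("decryption is enabled but encryptionCertAlias is "
                            "empty in sp-extended.xml")
        if "encryption" not in uses:
            findings.append('decryption is enabled but sp.xml has no '
                            'KeyDescriptor use="encryption"')
    return findings


# --- constructed sample metadata (placeholders, not real certificates) ---
def sample_sp_xml(signs, uses):
    kds = "".join(
        f'<KeyDescriptor use="{u}"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>'
        '<ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>'
        '</ds:KeyInfo></KeyDescriptor>' for u in uses)
    return (f'<EntityDescriptor entityID="fedlet" xmlns="{MD}">'
            f'<SPSSODescriptor AuthnRequestsSigned="{str(signs).lower()}" '
            f'WantAssertionsSigned="false">{kds}</SPSSODescriptor></EntityDescriptor>')


def sample_idp_xml(wants):
    return (f'<EntityDescriptor entityID="idp" xmlns="{MD}">'
            f'<IDPSSODescriptor WantAuthnRequestsSigned="{str(wants).lower()}"/>'
            '</EntityDescriptor>')


def sample_sp_ext_xml(**attrs):
    """Constructed sp-extended.xml; the EntityConfig/SPSSOConfig wrapper is an assumption."""
    body = "".join(f'<Attribute name="{k}"><Value>{v}</Value></Attribute>'
                   for k, v in attrs.items())
    return f'<EntityConfig entityID="fedlet"><SPSSOConfig>{body}</SPSSOConfig></EntityConfig>'


if __name__ == "__main__":
    for finding in check_fedlet_config(sample_sp_xml(False, ()),
                                       sample_sp_ext_xml(wantLogoutRequestSigned="true"),
                                       sample_idp_xml(True)):
        print("FINDING:", finding)
```

Run it against the real files by reading them from the Fedlet home directory instead of the constructed samples; any finding it prints is a setting that the identity provider administrator and the Fedlet administrator need to reconcile before the metadata is imported.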
The Java Fedlet supports the SAMLv2 Attribute Query to query an identity provider such as Oracle OpenSSO 8.0 Update 2 for specific identity attribute values. You can configure the Fedlet to sign the query and encrypt the query. Signing is required for issuing a Fedlet query, but encryption is optional.
Enable XML signing to sign the Attribute Query, as described in Java Fedlet Support for Signing and Encryption.
Add the certificate generated in the previous step to the RoleDescriptor element in the Fedlet sp.xml file. In the following example, there are two KeyDescriptor tags in which you paste the certificate. One is for signing and the other is for encryption. If you are not enabling encryption, the KeyDescriptor use="encryption" tag is not required.
<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
    xsi:type="query:AttributeQueryDescriptorType"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    --certificate--
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    --certificate--
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
            <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
        </EncryptionMethod>
    </KeyDescriptor>
</RoleDescriptor>
In the Java Fedlet sp-extended.xml file, specify the value for the signingCertAlias attribute and, if configured, for the encryptionCertAlias attribute.
If you plan to configure the identity provider to encrypt the assertion, also encrypt the NameID element. Thus, the value of the wantNameIDEncrypted attribute must be set to true. Add the XML code to the AttributeQueryConfig element. For example:
<Attribute name="signingCertAlias">
    <Value>test</Value>
</Attribute>
<Attribute name="encryptionCertAlias">
    <Value>test</Value>
</Attribute>
<Attribute name="wantNameIDEncrypted">
    <Value>true</Value>
</Attribute>
In this example, test is the alias for the sample key.
Import the Java Fedlet metadata file (sp.xml) into the identity provider.
Also, perform the additional configuration steps in the identity provider to support the Attribute Query for the Fedlet.
The .NET Fedlet can encrypt outgoing XML requests and decrypt incoming responses for the NameID, Attribute, and Assertion elements.
Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following Microsoft article:
Specify a friendly name for this certificate by viewing the Properties dialog and entering a value. (Save this value for Step 4.)
Set the appropriate permissions to allow read access to the certificate for the user account used by Internet Information Server (IIS) as described at the Microsoft article. For example:
In the Certificates Snap-in, navigate to Action, All Tasks, and then Manage Private Keys.
Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE).
In the .NET Fedlet's extended metadata file (sp-extended.xml), specify the friendly name specified in Step 2 as the value for the encryptionCertAlias attribute. For example:
<Attribute name="encryptionCertAlias">
    <Value>MyFedlet</Value>
</Attribute>
In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the encryption key.
Use the Certificates Snap-in for the Microsoft Management Console used earlier to export the public key of your certificate in Base64 encoding to be included in the KeyDescriptor XML block. This KeyDescriptor must be the first child element within the SPSSODescriptor. For example:
<KeyDescriptor use="encryption">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
        <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
    </EncryptionMethod>
</KeyDescriptor>
Restart the Application Pool associated with your .NET application.
Next Steps
To test this configuration, use the sample application. Also, set the following attributes to encrypt requests and decrypt responses with the identity provider with the appropriate changes to the configured metadata:
Assertion: Set the wantAssertionEncrypted attribute in the sp-extended.xml metadata file to true to have the .NET Fedlet decrypt the EncryptedAssertion element in incoming responses from the identity provider.
Attribute: Set the wantAttributeEncrypted attribute in the sp-extended.xml metadata file to true to have the .NET Fedlet decrypt the EncryptedAttribute element in incoming responses from the identity provider.
NameID: Set the wantNameIDEncrypted attribute in the idp-extended.xml metadata file to true to have the .NET Fedlet encrypt the NameID element in outgoing requests. Set this same attribute in sp-extended.xml to have the .NET Fedlet decrypt the EncryptedID element in incoming responses from the identity provider.
The .NET Fedlet supports the signing of outgoing XML requests such as Authn requests and logout requests.
Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following Microsoft article:
Specify a friendly name for this certificate by viewing the Properties dialog and entering a value. (Save this value for Step 4.)
Set the appropriate permissions to allow read access to the certificate for the user account used by Internet Information Server (IIS) as described at the Microsoft article. For example:
In the Certificates Snap-in, navigate to Action, All Tasks, and then Manage Private Keys.
Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE).
In the .NET Fedlet's extended metadata file (sp-extended.xml), specify the friendly name specified in Step 2 as the value for the signingCertAlias attribute. For example:
<Attribute name="signingCertAlias">
    <Value>MyFedlet</Value>
</Attribute>
In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the signing key.
Use the Certificates Snap-in for the Microsoft Management Console used earlier to export the public key of your certificate in Base64 encoding to be included in the KeyDescriptor XML block. This KeyDescriptor must be the first child element within the SPSSODescriptor. For example:
<KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</KeyDescriptor>
Restart the Application Pool associated with your .NET application.
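The Java Fedlet signing and encryption steps and the two .NET Fedlet procedures above all end with the same manual task: turning an exported certificate into a KeyDescriptor block and placing it at the start of SPSSODescriptor. The following Python script is an added example written for this chapter, not Fedlet or OpenSSO code, that does that with the standard library: it strips the PEM armour that keytool -rfc or the Certificates Snap-in produces, rejects input that is not base64, builds KeyDescriptor use="signing" and use="encryption" blocks in the form shown on this page (the encryption block carrying the aes128-cbc EncryptionMethod and KeySize 128), and inserts them as the first children of SPSSODescriptor. The sp.xml skeleton and the certificate bytes it uses are constructed placeholders.

```python
"""Build the KeyDescriptor blocks this chapter pastes into sp.xml and insert
them as the first children of SPSSODescriptor.  Added example for this page,
written with the Python standard library; not Fedlet or OpenSSO code."""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
AES128_CBC = XENC + "aes128-cbc"        # the algorithm used on this page

ET.register_namespace("", MD)            # keep the metadata namespace as default
ET.register_namespace("ds", DS)
ET.register_namespace("xenc", XENC)


def pem_to_base64(pem_text):
    """Strip PEM armour (keytool -rfc / Snap-in Base64 export) to one base64 string."""
    b64 = "".join(s for s in (line.strip() for line in pem_text.splitlines())
                  if s and not s.startswith("-----"))
    base64.b64decode(b64, validate=True)  # raise on anything that is not base64
    return b64


def key_descriptor(use, cert_b64):
    """KeyDescriptor use="signing" or use="encryption" as shown on this page."""
    if use not in ("signing", "encryption"):
        raise ValueError("use must be 'signing' or 'encryption'")
    kd = ET.Element(f"{{{MD}}}KeyDescriptor", use=use)
    key_info = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    ET.SubElement(x509_data, f"{{{DS}}}X509Certificate").text = cert_b64
    if use == "encryption":
        method = ET.SubElement(kd, f"{{{MD}}}EncryptionMethod", Algorithm=AES128_CBC)
        ET.SubElement(method, f"{{{XENC}}}KeySize").text = "128"
    return kd


def add_key_descriptors(sp_xml, pem_text, uses=("signing", "encryption")):
    """Return sp.xml with the requested KeyDescriptors prepended to SPSSODescriptor."""
    root = ET.fromstring(sp_xml)
    spsso = root.find(f"{{{MD}}}SPSSODescriptor")
    if spsso is None:
        raise ValueError("sp.xml has no SPSSODescriptor")
    cert_b64 = pem_to_base64(pem_text)
    # insert in reverse order so the first requested use ends up as first child
    for use in reversed(uses):
        spsso.insert(0, key_descriptor(use, cert_b64))
    return ET.tostring(root, encoding="unicode")


def key_descriptor_order(sp_xml):
    """Children of SPSSODescriptor in order: the 'use' of each KeyDescriptor,
    the local name of any other element.  Lets a reviewer confirm the
    first-child rule from this chapter."""
    spsso = ET.fromstring(sp_xml).find(f"{{{MD}}}SPSSODescriptor")
    return [child.get("use") if child.tag.endswith("}KeyDescriptor")
            else child.tag.split("}", 1)[1] for child in spsso]


# Constructed input: arbitrary bytes stand in for a DER certificate (not a real one)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder, not a DER certificate").decode()
              + "\n-----END CERTIFICATE-----\n")
# Constructed sp.xml skeleton with no KeyDescriptor yet
SAMPLE_SP_XML = (
    f'<EntityDescriptor entityID="fedlet" xmlns="{MD}">'
    '<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>'
    '</SPSSODescriptor></EntityDescriptor>')

if __name__ == "__main__":
    print(add_key_descriptors(SAMPLE_SP_XML, SAMPLE_PEM))
```

Pass a separate PEM for the signing and encryption keys by calling the function twice with a single-element uses tuple when the two certificates differ; the page's own examples use one certificate for both.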
The .NET Fedlet supports both identity provider initiated and service provider initiated single logout. To implement single logout, the .NET Fedlet sample application includes the logout.aspx and spinitiatedslo.aspx files in the asp.net/SampleApp folder. To see how the Fedlet single logout feature works, deploy the .NET Fedlet sample application.
If you have not configured the .NET Fedlet, follow the steps in the Readme file.
Copy the logout.aspx and spinitiatedslo.aspx files within your .NET application's public content.
Make these changes to the configuration files for your application:
In the sp.xml file, make sure the path to the logout.aspx file points to the correct location of the file for your application.
In the idp.xml file (or during the identity provider configuration) make sure the path to the spinitiatedslo.aspx file points to the correct location of the file for your application.
If you want the logout request and logout response signed, set the following attributes to true in the sp-extended.xml and idp-extended.xml files:
wantLogoutRequestSigned
wantLogoutResponseSigned
Import the Fedlet service provider metadata file (sp.xml) into the identity provider.
Also, inform the identity provider administrator that you configured single logout for the Fedlet service provider, so that any additional required changes can be made to the identity provider configuration.
The .NET Fedlet supports the SAMLv2 service provider initiated single sign-on (SSO). In addition, artifact support is required to allow the .NET Fedlet to receive an artifact and then have it resolved through SOAP with the issuing identity provider's Artifact Resolution Service.
The .NET Fedlet sample application shows how you can configure single sign-on. After your application has the necessary artifacts installed, a specific URI is required to receive the HTTP POST containing the SAMLv2 response after successful authentication by the identity provider. The following code example shows how you can retrieve this information in a .NET application:
Example 5-2 Code Example to Retrieve the AuthnResponse in a .NET Fedlet Application
AuthnResponse authnResponse = null;
try
{
    ServiceProviderUtility spu = new ServiceProviderUtility(Context);
    authnResponse = spu.GetAuthnResponse(Context);
}
catch (Saml2Exception se)
{
    // invalid AuthnResponse received
}
catch (ServiceProviderUtilityException spue)
{
    // issues with deployment (reading metadata)
}
If your application receives the SAMLv2 response, the authnResponse object will be populated with the assertion information. The sample application shows how to retrieve the attributes and subject information from this object.
The .NET Fedlet supports multiple identity providers and the identity provider discovery service.
In some deployments, you might want to configure the .NET Fedlet with multiple identity providers such as Oracle OpenSSO 8.0 Update 2. Perform the following task for each additional identity provider you want to add.
Get the XML metadata file from the additional identity provider.
Name the additional identity provider metadata file idpn.xml, where n is the number of the identity provider that you are adding. For example, name the second identity provider file idp2.xml, the third idp3.xml, and so on. This procedure uses idp2.xml as the file name.
Copy the idp2.xml file from Step 2 to your application's App_Data folder.
Add this new identity provider to the .NET Fedlet circle of trust.
To add the new identity provider to an existing circle of trust:
In the fedlet.cot file in your application's App_Data folder, append the new IDP entity ID (indicated by the entityID attribute in the idp2.xml metadata file) to the value of the sun-fm-trusted-providers attribute, using a comma (,) as a separator.
To add the new identity provider to a new circle of trust:
Create a new file named fedlet2.cot in your application's App_Data folder. Use the existing fedlet.cot as a template, but change the value of the cot-name attribute to the name of the new circle of trust (for example, cot2). Include both the new identity provider entity ID and the Fedlet entity ID as the value for the sun-fm-trusted-providers attribute, with the two entity IDs separated by a comma (,).
In the sp-extended.xml file, add the new circle of trust name to the value of the cotlist attribute. For example, for a circle of trust named cot2:
<Attribute name="cotlist">
    <Value>saml2cot</Value>
    <Value>cot2</Value>
</Attribute>
In your application's App_Data folder, create a new idp2-extended.xml file as the extended metadata for the new identity provider. Use the existing idp-extended.xml file as a template, but change the entityID to the new identity provider entity ID. Change the value for the cotlist attribute to the circle of trust name, if a new circle of trust is created for the identity provider. Make sure that the additional identity provider is a remote identity.
Restart the Application Pool associated with your Fedlet .NET application.
The Fedlet metadata XML file (sp.xml) must be imported into the additional identity provider and added to the same circle of trust as the identity provider entity. Either import the sp.xml file into the identity provider, or give the file to your identity provider administrator to import.
In this scenario, the .NET Fedlet is configured with multiple identity providers in a circle of trust and you want to configure the Fedlet to use the identity provider discovery service to determine the preferred identity provider.
The discovery service must be configured for the identity providers you are using with the .NET Fedlet. For information about configuring the identity provider discovery service in Oracle OpenSSO 8.0 Update 2, see the following documentation collection:
http://docs.oracle.com/cd/E19681-01/index.html
In the .NET Fedlet fedlet.cot file, set the sun-fm-saml2-readerservice-url property to the SAMLv2 reader service URL. For example:
sun-fm-saml2-readerservice-url=http://discovery.common.com/opensso/saml2reader
Restart the Application Pool associated with your .NET Fedlet application.
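Three places in this chapter edit the circle-of-trust file by hand: the note on escaping "%" and "," in entity IDs before placing them in fedlet.cot, the steps that append an additional identity provider to sun-fm-trusted-providers or create a fedlet2.cot with a new cot-name, and the sun-fm-saml2-readerservice-url setting above. The following Python script is an added example written for this chapter, not Fedlet or OpenSSO code, that applies those rules consistently: it treats the file as key=value lines, escapes "%" before "," so the "%25" it produces is not escaped a second time, decodes in the opposite order, and refuses to add an entity ID that is already trusted. The sample fedlet.cot it starts from is constructed, and any keys it does not know about are passed through unchanged.

```python
"""Manage the Fedlet circle-of-trust file (fedlet.cot) with the escaping rule
from this chapter.  Added example, not Fedlet code; the file is handled as a
key=value properties file and only the three keys named on this page
(cot-name, sun-fm-trusted-providers, sun-fm-saml2-readerservice-url) are
interpreted, other keys are kept as they are."""

TRUSTED = "sun-fm-trusted-providers"
READER_URL = "sun-fm-saml2-readerservice-url"


def escape_entity_id(entity_id):
    """Escape '%' then ',' as this chapter requires.  '%' goes first so that
    the '%25' it produces is not turned into '%2525' by a later pass."""
    return entity_id.replace("%", "%25").replace(",", "%2C")


def unescape_entity_id(value):
    """Reverse escape_entity_id: ',' is restored before '%' so that an
    escaped literal '%2C' (stored as '%252C') does not become a comma."""
    return value.replace("%2C", ",").replace("%25", "%")


def parse_cot(text):
    """Parse key=value lines; '#' comment lines and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def render_cot(props):
    return "".join(f"{key}={value}\n" for key, value in props.items())


def trusted_providers(props):
    """Decoded list of entity IDs in sun-fm-trusted-providers."""
    raw = props.get(TRUSTED, "")
    return [unescape_entity_id(p) for p in raw.split(",") if p]


def add_trusted_provider(cot_text, entity_id):
    """Append one entity ID (escaped) to sun-fm-trusted-providers; a provider
    that is already present is not added twice."""
    props = parse_cot(cot_text)
    ids = trusted_providers(props)
    if entity_id not in ids:
        ids.append(entity_id)
    props[TRUSTED] = ",".join(escape_entity_id(i) for i in ids)
    return render_cot(props)


def new_cot(cot_name, entity_ids, reader_service_url=None):
    """Build a new circle-of-trust file such as fedlet2.cot from scratch."""
    props = {"cot-name": cot_name,
             TRUSTED: ",".join(escape_entity_id(i) for i in entity_ids)}
    if reader_service_url:
        props[READER_URL] = reader_service_url
    return render_cot(props)


# Constructed sample fedlet.cot (entity IDs are placeholders)
SAMPLE_COT = ("cot-name=saml2cot\n"
              "sun-fm-trusted-providers=fedlet,http://idp.example.com:8080/opensso\n")

if __name__ == "__main__":
    print(add_trusted_provider(SAMPLE_COT, "urn:example:idp2,test"))
    print(new_cot("cot2", ["fedlet", "urn:example:idp2,test"],
                  "http://discovery.example.com/opensso/saml2reader"))
```

After writing the file, the same entity ID must be imported on the identity provider side exactly as it appears in the idp2.xml entityID attribute, unescaped; the escaping applies only inside fedlet.cot.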
The Fedlet Java API reference is available in the Oracle OpenSSO 8.0 Update 2 Java API Reference in the following documentation collection:
http://docs.oracle.com/cd/E19681-01/index.html
Note:
The getPolicyDecisionForFedlet method is not supported in the OpenSSO 8.0 Update 2 release.