Sun ONE Identity Server Getting Started
Getting Started
This Getting Started guide provides instructions for an administrator installing and configuring the Sun ONE Identity Server software for the first time. This document contains the following sections:
About This Guide
The Getting Started guide contains instructions to walk an administrator through the installation and deployment of Sun ONE Identity Server. This guide is not meant to provide a comprehensive review of all Identity Server features or even the Identity Server architecture. This use case is for illustrative purposes only, and is one of many possible applications of the technology.
Case Overview
The following Identity Server functionality will be featured in this use case.
Installation of Identity Server 6.0 on an UltraSparc machine running the Solaris 8 operating environment with the latest patch set against a fresh installation of Sun ONE Directory Server 5.1sp1.
Use of the Identity Server console.
Identity management including creating and modifying groups and users.
Policy management including creating referral and normal policies.
Delegated administration including applying default roles and ACIs.
Self-registration and management of user profiles.
Case Entries
To illustrate the configuration of the Identity Server, the following directory tree will be used. The top-level organization is MadisonParc, which contains two sales offices, one in the east and one in the west. These offices will be configured as sub-organizations, o=salesofficeeast and o=salesofficewest. Each office has two sales persons.
Installing Identity Server
Before beginning the installation process, ensure that root permissions are available on the machine where Identity Server will be installed. This installation assumes the availability of an UltraSparc® server running the Solaris 8 operating environment with the latest patch set. Identity Server 6.0, Directory Server 5.1sp1 and Sun ONE Web Server 6.0sp5 will be installed and deployed on this one machine.
Ensure that the DNS domain name for the machine is set and all currently running applications are closed for the installation.
Allow the machine on which Identity Server is being installed to display a remote application (in this case, the installer itself) by opening a terminal window and typing xhost <cdservername>.
If X hosting is not an option, the command-line install should be used.
Set the DISPLAY variable for the shell that is running using one of the following commands:
Installation Procedures
The following instructions will install Identity Server 6.0, Directory Server 5.1sp1 and Web Server 6.0sp5 on a server named sparcserver.example.com. Ensure that the information in these instructions is replaced with information particular to your deployment. More in-depth installation instructions can be found in the Sun ONE Identity Server Installation and Configuration Guide.
Insert the Identity Server CD into the disc drive of the system on which the Identity Server and Directory Server will be installed.
Open a terminal window and change to the directory where the Setup program is located.
cd /cdrom/is60/solaris
Type ./setup to run the installation program.
The installation program opens with a Welcome panel.
Click Next to proceed to the Software License Agreement.
To continue with the installation process, the Software License Agreement must be accepted by clicking Yes (Accept License). Declining the Software License Agreement by clicking No will close the installation program.
Assuming acceptance of the Software License Agreement, in the next panel, specify the directory into which Identity Server will be installed and click Next.
The default directory is /opt. Identity Server automatically installs in a directory named SUNWam. Plan to install the Identity Server and Directory Server products in different directories.
Select Sun ONE Identity Server Management and Policy Services and click Next.
This option includes installation of Identity Server 6.0, Directory Server 5.1sp1, Web Server 6.0sp5, the Identity Server console, Common Domain Services, and JDK 1.3.1_06.
Select No when asked whether to use a custom Java SDK and click Next.
Configure the Web Server by accepting the default information and/or providing custom information and click Next.
Administrator: admin
Port: 58888
Password: password
Confirm Password: password
Enter user to run server as: nobody
Enter group to run this server as: nobody
Provide additional configuration information for the Web Server by accepting the default information and/or providing custom information and click Next.
Host: This field should contain the correct fully qualified domain name of the computer where the Identity Server components and a dedicated Web Server will be installed.
Port: 58080
Services Deployment URI: amserver
Common Domain Deployment URI: common
Deploy console with this service? Check this box.
Console Deployment URI: amconsole
Choose to install a new Directory Server and click Next.
Type dc=madisonparc,dc=com as the root for the new Directory Server tree and click Next.
Configure the Directory Server by accepting the default information and/or providing custom information and click Next.
Host: This field should contain the correct fully qualified domain name of the computer where the Directory Server will be installed.
Port: 389
Installation Directory: The default directory is /usr/iplanet/servers. The directory used should be empty of other products, directories and/or files.
Directory Manager: cn=Directory Manager
Password: password
Confirm Password: password
Configure the Administration Server by accepting the default information and/or providing custom information and click Next.
Administrator: admin
Port: 58900
Password: password
Confirm Password: password
Provide a password for the LDAP Authentication User (amldapuser).
This password (a minimum of eight characters in length) must be different from the one chosen for amAdmin in Step 15.
Provide a password for the Top Level Administrator (amAdmin), choose to start the server after installation and click Next.
This password (also a minimum of eight characters in length) must be different from the one chosen for amldapuser in Step 14.
Review the configuration information and click Next to proceed.
Changes can be made by clicking Back until the desired panel is reached.
Review the information and click Install Now to begin the installation.
Changes can still be made by clicking Back until the desired panel is reached.
Click Details for a detailed summary of the configuration information processed during installation and/or click Exit to end the program.
Logging Into Identity Server Console
The Authentication Service's graphical user interface (GUI) is the entry point for the Identity Server console. In order to log in to the Identity Server console, type the configured URI (http://sparcserver.example.com:58080/amconsole) in a web browser location window and authenticate to the Identity Server using amAdmin, the top-level administrator user name, and the corresponding password specified during installation.
Configuring Identity Server Entries
Now that the Identity Server is installed and the top-level administrator is logged in, the case entries must be configured. The top-level organization of the directory tree was configured as dc=madisonparc,dc=com during the installation process; each of the other entries will be created on a sub-level of dc=madisonparc,dc=com.
Creating The Sales Sub-Organizations
Using the Identity Management module, this procedure will create two sub-organizations of the top-level MadisonParc, SalesOfficeEast and SalesOfficeWest.
Select Organizations from the View drop down menu in the left frame of the console and click New....
Enter the following information in the right frame of the console and click Create.
Name: SalesOfficeEast
Organization Status: Active
Repeat these steps to configure the sub-organization SalesOfficeWest using the following information.
Name: SalesOfficeWest
Organization Status: Active
Adding Employees To The Sub-Organizations
Using the Identity Management module, this procedure will create sales people in the SalesOfficeEast and SalesOfficeWest sub-organizations.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console and select Organizations from the View drop down menu.
Click on the hyperlinked name of the new sub-organization SalesOfficeEast.
Select Users from the View drop down menu and click New....
Enter the following information in the right frame of the console and click Create.
UserId: eastsalesperson1
First Name: Jim
Last Name: Deer
Full Name: Jim Deer
Password: 11111111
Confirm Password: 11111111
User Status: Active
Click New... in the left frame to configure a second sales person for SalesOfficeEast using the following information and click Create.
UserId: eastsalesperson2
First Name: Jane
Last Name: Doe
Full Name: Jane Doe
Password: 11111111
Confirm Password: 11111111
User Status: Active
Repeat these steps to create sales people in the SalesOfficeWest sub-organization using the following user profiles:
User Profile One
UserId: westsalesperson1
First Name: John
Last Name: Hand
Full Name: John Hand
Password: 11111111
Confirm Password: 11111111
User Status: Active
User Profile Two
UserId: westsalesperson2
First Name: Joanne
Last Name: Head
Full Name: Joanne Head
Password: 11111111
Confirm Password: 11111111
User Status: Active
Creating Managers For The Sub-Organizations
Using the Identity Management module, this procedure creates users that will serve as managers for the configured sales sub-organizations.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console.
Select Users from the View drop down menu in the left frame and click New....
Enter the following information in the right frame and click Create.
UserId: eastsalesmanager
First Name: Jim
Last Name: Lake
Full Name: Jim Lake
Password: 11111111
Confirm Password: 11111111
User Status: Active
Repeat these steps to create a second sales manager for SalesOfficeWest using the following information.
UserId: westsalesmanager
First Name: Joan
Last Name: River
Full Name: Joan River
Password: 11111111
Confirm Password: 11111111
User Status: Active
Creating Groups
Identities can be grouped in two different group types. Using the Identity Management module, the following procedures will create a group of each type, one dynamic and one static.
Creating A Membership By Filter Group
This procedure creates a group with membership determined by a filter. The configured filter selects the member entries and dynamically assigns them to the group. Group members are determined each time the filter is run. The filter below will determine all identities with a User ID that includes the word manager. It can be used to assign access rights to managers only.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console and select Groups from the View drop down menu.
Click New..., define the New Group in the right frame by entering the following information and click Next.
Type Of Group: Membership By Filter
Group Name: SalesManagerGroup
Configure the filter that determines group membership using the following information and click Create.
Creating A Membership By Subscription Group
This procedure creates a group with membership determined by subscription. The configured filter selects the member entries and assigns them to the group at the time the filter is run. Any new member must subscribe to the group after the filter is run. The filter below will determine all identities with a first name Jim. This type of group can be used to configure an email alias for sales persons interested in trading general sales information.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console and select Organizations from the View drop down menu.
Click on the hyperlinked name SalesOfficeEast and select Groups from the View drop down menu.
Click New..., define the New Group in the right frame using the following information and click Next.
Type Of Group: Membership By Subscription
Group Name: SalesInfoGroup
Click Add under the Member List field, configure the filter using the following information and click Filter to search for users that meet the filter's criteria.
Logical Operator: And
User Status: Active
First Name: Jim
Select eastsalesperson1 from the list of Available Users and click Submit.
Check Users Can Subscribe To This Group and click Create to create the group.
Note
Future members of the group will need to subscribe themselves. Information on how to do this can be found in the Sun ONE Identity Server Administration Guide.
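To make the difference between the two group types concrete, here is an added example (not Identity Server code and not part of this guide) that models a Membership By Filter group and a Membership By Subscription group over the users created above. The small LDAP filter evaluator, the DN layout (uid=...,ou=People,o=<office>,dc=madisonparc,dc=com), the attribute names and the filter (uid=*manager*) for SalesManagerGroup are assumptions; the users northsalesmanager and eastsalesperson3 are constructed to show what happens after each group already exists.

```python
import fnmatch


def parse_filter(text):
    """Parse a subset of RFC 4515 LDAP filters: (attr=value) with * wildcards, &, |, !."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1]
        if op in "&|":
            i, subs = i + 2, []
            while text[i] == "(":
                node, i = parse(i)
                subs.append(node)
        elif op == "!":
            node, i = parse(i + 2)
            subs = [node]
        else:
            end = text.index(")", i)
            attr, sep, value = text[i + 1:end].partition("=")
            if not (attr and sep):
                raise ValueError(f"bad item at offset {i}")
            return ("=", attr.lower(), value), end + 1
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, subs), i + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry (attribute name -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    # LDAP string matching is case-insensitive; fnmatch supplies the * wildcard.
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in entry.get(attr, []))


def make_user(org, uid, given, sn, status="Active"):
    """Constructed entry under the guide's tree; the DN layout is an assumption."""
    parent = f"o={org},dc=madisonparc,dc=com" if org else "dc=madisonparc,dc=com"
    return {"dn": f"uid={uid},ou=People,{parent}", "uid": [uid], "givenname": [given],
            "sn": [sn], "cn": [f"{given} {sn}"], "inetuserstatus": [status]}


def search(directory, base_dn, filter_text):
    """Subtree search under base_dn, returning matching DNs in sorted order."""
    node = parse_filter(filter_text)
    return sorted(e["dn"] for e in directory
                  if e["dn"].lower().endswith(base_dn.lower()) and matches(node, e))


class FilterGroup:
    """Membership By Filter: the filter is re-run on every membership lookup."""
    def __init__(self, name, base_dn, filter_text):
        self.name, self.base_dn, self.filter_text = name, base_dn, filter_text

    def members(self, directory):
        return search(directory, self.base_dn, self.filter_text)


class SubscriptionGroup:
    """Membership By Subscription: the filter fills the list once; later joins are explicit."""
    def __init__(self, name, base_dn, filter_text, directory):
        self.name = name
        self.member_dns = set(search(directory, base_dn, filter_text))

    def subscribe(self, dn):
        self.member_dns.add(dn)

    def members(self, directory=None):  # the directory is ignored: the list is static
        return sorted(self.member_dns)


def demo():
    """Build the guide's users and groups, then add users to show how each group type reacts."""
    directory = [
        make_user("SalesOfficeEast", "eastsalesperson1", "Jim", "Deer"),
        make_user("SalesOfficeEast", "eastsalesperson2", "Jane", "Doe"),
        make_user("SalesOfficeWest", "westsalesperson1", "John", "Hand"),
        make_user("SalesOfficeWest", "westsalesperson2", "Joanne", "Head"),
        make_user(None, "eastsalesmanager", "Jim", "Lake"),
        make_user(None, "westsalesmanager", "Joan", "River"),
    ]
    managers = FilterGroup("SalesManagerGroup", "dc=madisonparc,dc=com", "(uid=*manager*)")
    info = SubscriptionGroup("SalesInfoGroup", "o=SalesOfficeEast,dc=madisonparc,dc=com",
                             "(&(inetuserstatus=Active)(givenname=Jim))", directory)
    result = {"managers_before": managers.members(directory), "info_before": info.members()}
    # Two users created after the groups exist (constructed, not from the guide).
    directory.append(make_user(None, "northsalesmanager", "Jill", "Brook"))
    new_jim = make_user("SalesOfficeEast", "eastsalesperson3", "Jim", "Pond")
    directory.append(new_jim)
    result["managers_after"] = managers.members(directory)  # the new manager appears at once
    result["info_after"] = info.members()                    # unchanged until he subscribes
    info.subscribe(new_jim["dn"])
    result["info_after_subscribe"] = info.members()
    return result
```

Calling demo() shows the practical consequence for access control: a role or policy tied to SalesManagerGroup follows directory changes automatically, while one tied to SalesInfoGroup only changes when someone subscribes or an administrator edits the member list.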
Assigning The Groups' Administrator Roles
Group administrator roles with read and write access to all members of the groups are automatically created when a group is created. Thus, in "Creating Groups", two group administrator roles were created. These roles can now be assigned to the users chosen as each group's administrator.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console and select Roles from the View drop down menu.
Click the properties arrow icon next to SalesManagerGroup Admin.
Select Users from the View drop down menu in the right frame and click Add.
Configure the filter using the following information and click Filter to search for users that meet the filter's criteria.
Logical Operator: And
UserId: *manager
Select eastsalesmanager from the list of Available Users and click Submit to assign the SalesManagerGroup Admin role to Jim Lake.
Select Organizations from the View drop down menu, click on the hyperlinked name SalesOfficeEast and select Roles from the View drop down menu.
Click the properties arrow icon next to SalesInfoGroup Admin.
Configure the filter using the following information and click Filter to search for users that meet the filter's criteria.
Logical Operator: And
First Name: Jim
Select eastsalesperson1 from the list of Available Users and click Submit to assign the SalesInfoGroup Admin role to Jim Deer.
Creating An Access Policy
Privileges defined in normal policies can be assigned to users. To create a normal policy for a sub-organization, a referral policy must first be created in the top-level organization. Referral policies, in effect, allow the sub-organization to create a normal policy. Once a referral policy is configured, the normal policy can be created in the sub-organization to which the referral points. The following procedures will create a policy to allow access to http://sparcserver.example.com:<port>/test.html if the user is a registered member of the SalesInfoGroup and if the user successfully authenticates via LDAP between Monday and Friday from the domain example.com.
Note
In order for this policy to work, sparcserver.example.com:<port> in the resource URL must be modified to reflect a live resource.
Registering The Policy Configuration Service
By default, the Policy Configuration service is registered and a template created for MadisonParc, the top-level organization, when Identity Server is installed. Because this policy will affect a group in the SalesOfficeEast sub-organization, the Policy Configuration service must also be registered to it. This procedure registers the service to SalesOfficeEast using the Identity Management module.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console and select Organizations from the View drop down menu.
Click on the hyperlinked name SalesOfficeEast, select Services from the View drop down menu and click Register....
In the right frame, select the Policy Configuration service and click Register.
In the left frame, click the Show Properties arrow icon next to Policy Configuration.
Click Create in the right frame to create the service template.
Click Save to save the template for SalesOfficeEast.
Note
After completing these steps, enter and confirm the LDAP Bind Password created in Step 14 on page 8 in the Policy Configuration service template and click Save.
Registering The Authentication Configuration Service
The Authentication Configuration service must also be registered (and a service template created for the sub-organization) in order to define conditions for the normal policy. This procedure registers the service to both MadisonParc and SalesOfficeEast using the Identity Management module.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console, select Services from the View drop down menu and click Register.
In the right frame, select the Authentication Configuration service and click Register.
Select Organizations from the View drop down menu in the left frame of the console.
Click on the hyperlinked name SalesOfficeEast, select Services from the View drop down menu and click Register....
In the right frame, select the Authentication Configuration service and click Register.
In the left frame, click the Show Properties arrow icon next to Authentication Configuration.
Click New... in the right frame to create a new service instance.
Enter the following information and click Create to create a new service instance.
Instance Name: PolicyInstance
Registering The Core And LDAP Authentication Services
By default, the Core and LDAP Authentication services are registered and a template created (for the top-level organization only) when Identity Server is installed. Because this policy will affect a group in the SalesOfficeEast sub-organization, both services must also be registered to it. This procedure registers them to SalesOfficeEast using the Identity Management module.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console and select Organizations from the View drop down menu.
Click on the hyperlinked name SalesOfficeEast, select Services from the View drop down menu and click Register....
In the right frame, select LDAP and Core and click Register.
In the left frame, click the Show Properties arrow icon next to LDAP.
Click Create in the right frame to create a service template.
Click Save to save the template for SalesOfficeEast.
Note
After completing these steps, enter and confirm the LDAP Bind Password created in Step 14 on page 8 in the LDAP Authentication service template and click Save.
Repeat these steps to create a template for the Core Authentication service.
Configuring The Referral Policy
Once all services have been registered, the referral policy can be configured in MadisonParc. This procedure creates the referral policy for SalesOfficeEast using the Identity Management module.
Click on the hyperlinked name MadisonParc in the left frame of the console, select Policies from the View drop down menu and click New....
Enter the following information in the right frame of the console and click Create.
Type Of Policy: Referral
Name: SalesReferralPolicy
Select Rules from the View drop down menu in the right frame and click Add....
Enter the following rule information in the right frame of the console and click Create.
Rule Name: Allow Rule
Resource Name: http://sparcserver.example.com:<port>
The Resource Name field contains only the prefix of the resource to be protected. Do not include the specific objects to be accessed.
Select Referrals from the View drop down menu and click Add....
Enter the following referral information in the right frame of the console and click Create.
Name: SalesOfficeEast Referral
Value: SalesOfficeEast
Click Save to configure the referral policy.
Configuring And Assigning The Normal Policy
With the referral policy defined at MadisonParc, a normal policy can be created for SalesOfficeEast. This procedure creates the normal policy using the Identity Management module.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console and select Organizations from the View drop down menu.
Click on the hyperlinked name SalesOfficeEast, select Policies from the View drop down menu and click New....
Enter the following information in the right frame and click Create.
Type Of Policy: Normal
Name: TestPolicy
Select Subjects from the View drop down menu in the right frame and click Add....
Select the subject Type in the right frame and click Next.
Type: LDAP Groups
Enter the following information and click Search to find subjects that meet the search criteria.
Name: TestPolicySubjects
LDAP Groups: SalesInfoGroup
Select com > madisonparc > SalesOfficeEast > Groups > SalesInfoGroup from the available subjects and click Add.
Click Create to save the selected subjects.
Select Rules from the View drop down menu and click Add....
Enter the following rule information and click Create.
Rule Name: TestPolicyRules
Resource Name: http://sparcserver.example.com:80
The Resource Name can be chosen from the Super Resources.
Action: Get
Value: Allow
Select Conditions from the View drop down menu and click Add....
Three conditions will be configured for this policy.
Select Authentication Scheme for the Condition type and click Next.
Enter the following information and click Create.
Name: TestPolicyAuthScheme
Authentication Scheme: LDAP
Click Add... again, select IP Address for the Condition type and click Next.
Enter the following information and click Create.
Name: TestPolicyAuthScheme
DNS Name: *.example.com
Click Add... for a third time, select Time for the Condition type and click Next.
Enter the following information and click Create.
Name: TestPolicyTime
Day: From: Monday To: Friday
Click Save to complete the policy creation.
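The evaluation chain described in "Creating An Access Policy" and configured above, as an added example (not Identity Server code and not part of this guide): a request is checked at MadisonParc, SalesReferralPolicy hands it to SalesOfficeEast on a resource-prefix match, and TestPolicy applies only when the user is in SalesInfoGroup, the action is GET and all three conditions hold. It assumes port 80 for the <port> placeholder and that SalesInfoGroup holds eastsalesperson1; the "deny overrides allow" combination and the "no applicable policy means no access" default are modelling choices, as are the request fields and the sample dates.

```python
import fnmatch
from datetime import date

PORT = "80"  # assumption standing in for the guide's <port> placeholder
RESOURCE_PREFIX = f"http://sparcserver.example.com:{PORT}"


def resource_matches(rule_resource, requested):
    """Resource Name fields hold a URL prefix, so matching is by prefix."""
    return requested.lower().startswith(rule_resource.lower())


# Condition factories: each returns a predicate over the request environment.
def auth_scheme_condition(scheme):
    return lambda req: req["auth_scheme"] == scheme


def dns_name_condition(pattern):
    # The IP Address condition's DNS Name field takes a wildcard such as *.example.com
    return lambda req: fnmatch.fnmatchcase(req["client_dns"].lower(), pattern.lower())


def day_range_condition(first_weekday, last_weekday):
    # date.weekday(): Monday is 0, Sunday is 6
    return lambda req: first_weekday <= req["when"].weekday() <= last_weekday


class ReferralPolicy:
    """Hands decisions for a resource prefix to a sub-organization."""
    def __init__(self, name, resource, referral_org):
        self.name, self.resource, self.referral_org = name, resource, referral_org


class NormalPolicy:
    """Allows or denies an action on a resource prefix for subject groups under conditions."""
    def __init__(self, name, resource, action, value, subject_groups, conditions):
        self.name, self.resource, self.action, self.value = name, resource, action, value
        self.subject_groups, self.conditions = subject_groups, conditions


class Organization:
    def __init__(self, name):
        self.name, self.policies = name, []
        self.groups = {}  # group name -> set of member user ids


def evaluate(orgs, org_name, req):
    """Return (decision, trail); decision is 'allow', 'deny' or None if no policy applies.

    Referrals are followed into the named sub-organization. A normal policy applies only
    when resource, action, subject and every condition match. Deny overrides allow.
    """
    org = orgs[org_name]
    trail, decisions = [org_name], []
    for policy in org.policies:
        if not resource_matches(policy.resource, req["resource"]):
            continue
        if isinstance(policy, ReferralPolicy):
            sub_decision, sub_trail = evaluate(orgs, policy.referral_org, req)
            trail += sub_trail
            if sub_decision is not None:
                decisions.append(sub_decision)
            continue
        if policy.action != req["action"]:
            continue
        if not any(req["user"] in org.groups.get(g, set()) for g in policy.subject_groups):
            continue
        if all(cond(req) for cond in policy.conditions):
            trail.append(policy.name)
            decisions.append(policy.value)
    if "deny" in decisions:
        return "deny", trail
    return ("allow" if "allow" in decisions else None), trail


def build_madisonparc():
    """The organizations, group, referral policy and normal policy configured in the guide."""
    top, east = Organization("MadisonParc"), Organization("SalesOfficeEast")
    east.groups["SalesInfoGroup"] = {"eastsalesperson1"}
    top.policies.append(ReferralPolicy("SalesReferralPolicy", RESOURCE_PREFIX, "SalesOfficeEast"))
    east.policies.append(NormalPolicy(
        "TestPolicy", RESOURCE_PREFIX, "GET", "allow", ["SalesInfoGroup"],
        [auth_scheme_condition("LDAP"),
         dns_name_condition("*.example.com"),
         day_range_condition(0, 4)]))  # Monday to Friday
    return {o.name: o for o in (top, east)}


def make_request(user, resource, action="GET", auth_scheme="LDAP",
                 client_dns="pc1.example.com", when="2002-12-04"):
    """Request environment; the defaults are constructed (2002-12-04 is a Wednesday)."""
    return {"user": user, "resource": resource, "action": action, "auth_scheme": auth_scheme,
            "client_dns": client_dns, "when": date.fromisoformat(when)}


def is_allowed(orgs, **request_fields):
    decision, _ = evaluate(orgs, "MadisonParc", make_request(**request_fields))
    return decision == "allow"


if __name__ == "__main__":
    orgs = build_madisonparc()
    url = f"{RESOURCE_PREFIX}/test.html"
    print(evaluate(orgs, "MadisonParc", make_request("eastsalesperson1", url)))
    print(is_allowed(orgs, user="eastsalesperson2", resource=url))                      # not a member
    print(is_allowed(orgs, user="eastsalesperson1", resource=url, when="2002-12-07"))  # Saturday
```

The trail returned by evaluate() is the part worth keeping in mind when a test like the one in "Testing The Configurations" fails: if it stops at MadisonParc, the referral's resource prefix did not match; if it reaches SalesOfficeEast without TestPolicy, one of the subject, action or condition checks rejected the request.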
Configuring For User Self-Registration
This procedure configures Identity Server to allow a user to register and authenticate to the Identity Server on the fly.
Registering Membership Authentication
User self-registration is configured by registering the Membership authentication module to the top-level organization, MadisonParc. This procedure does just that using the Identity Management module.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console, select Services from the View drop down menu and click Register....
In the right frame, select the Membership service and click Register.
In the left frame, click on the Show Properties arrow icon next to Membership.
Click Create in the right frame to create a service template.
Click Save to save the template for dc=madisonparc,dc=com.
Note
After completing these steps, enter and confirm the LDAP Bind Password created in Step 14 on page 8 in the Membership Authentication service template and click Save.
Activating Membership Authentication
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console and select Services from the View drop down menu.
Click on the Show Properties arrow icon next to the Core service.
In the right frame, select Membership in the Organization Authentication Modules field listing and click Save.
Do not de-select any highlighted authentication types.
Assigning A Service
This procedure registers the Session Service and assigns it to a user for management purposes.
Registering Session Service
This procedure registers the Session Service to the top-level organization using the Identity Management module.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console, select Services from the View drop down menu and click Register....
In the right frame, select the Session service and click Register.
In the left frame, click on the Show Properties arrow icon next to Session.
Click Create in the right frame to create a service template.
Assigning The Session Service
This procedure assigns the Session Service to a user for management purposes using the Identity Management module.
If not already there, click on the hyperlinked name MadisonParc in the left frame of the console and select Users from the View drop down menu.
Click on the Show Properties arrow icon next to eastsalesmanager.
Select Services from the View drop down menu in the right frame.
Testing The Configurations
The following steps can be used to test the configurations defined in the previous section.
To Test The Group Policy
From a browser, attempt to access http://<server>:<port>/test.html. When prompted for credentials, log in as one of the users from the SalesInfoGroup. The contents of test.html should be visible after a successful authentication.
To Test User Self-Management
This procedure allows a user to change their own information.
Access http://<server>:<port>/amserver from a web browser.
To Test User Self-Registration
This procedure allows a user to register themselves to the MadisonParc organization.
Access http://<server>:<port>/amserver/UI/Login?module=Membership from a web browser and select the New User option.
Enter the following required information and click Register.
User Name: ceo
Password: 11111111
Confirm Password: 11111111
First Name: Jim
Last Name: Creek
Full Name: Jim Creek
Click Agree at the sample disclaimer window to create the user in the top-level organization MadisonParc.
Additional Sample Configurations
There are a number of samples included with Identity Server that can be used to illustrate certain features as well as one of many possible applications of the Identity Server technology.
Command Line Sample
This sample provides information on how to use the Identity Server command line tool amadmin. The sample is located in the directory <identity_server_root>/SUNWam/samples/admin/cli/. Detailed instructions on how to implement this sample can be found in the Readme.html file.
Application Server Deployment
This sample provides information on how to deploy the Identity Server on the iPlanet Application Server. The sample is located in <identity_server_root>/SUNWam/samples/appserver/. Detailed information can be found in the Readme.html file.
Authentication Samples
Authentication Service samples have been provided and can be found in the directory <identity_server_root>/SUNWam/samples/authentication. They include:
Remote Client API
This sample program demonstrates how to integrate the Remote Client API for authenticating users with the Identity Server. It uses LDAP authentication although it can be modified to use other existing or customized authentication modules. The instruction file is the readme.html file found in the <identity_server_root>/SUNWam/samples/authentication/LDAP directory.
Login Module
This sample demonstrates the steps needed to integrate a custom login module into the Identity Server. All the files needed to compile, deploy and run the sample authentication module that is shipped with Identity Server can be found in the <identity_server_root>/SUNWam/samples/authentication/providers directory. The instruction file is the Readme.html file in the same directory.
Console Sample
Sample files have been included to help understand how the Identity Server console can be customized. They help to explain the Java 2 Enterprise Edition (J2EE) web application framework used. In addition, Java classes are extended from the console APIs and new JSP files are created. Existing xml and properties files are also used. These files are located in <identity_server_root>/SUNWam/samples/console. Open the README file in this directory for instructions on how to run the sample.
Federation Management Sample
There are three samples that provide information on how to use the Federation management module. The samples are located in <identity_server_root>/SUNWam/samples/liberty/. Detailed instructions on what each sample illustrates and how to implement them can be found in the README file.
Policy Samples
Policy samples are provided to illustrate how to create policies and use the Policy Configuration Service. The samples are located in <identity_server_root>/SUNWam/samples/policy/. Detailed instructions on what each sample illustrates and how to implement them can be found in the Readme.html file.
SAML Samples
There are several samples that illustrate how the SAML service can be used. They include:
A sample that serves as the basis for using the SAML client API. This sample is located in <identity_server_root>/SUNWam/samples/saml/client.
A sample that illustrates how to form a Query, and write an AttributeMapper as well as how to send and process a SOAP message using the SAML SDK. This sample is located in <identity_server_root>/SUNWam/samples/saml/query.
A sample application for achieving SSO using the Web Artifact profile or the Web POST profile. This sample is located in <identity_server_root>/SUNWam/samples/SAML/sso.
A sample that illustrates how to use the XMLSIG API. It is located in <identity_server_root>/SUNWam/samples/SAML/xmlsig.
Sample SSO Java Files
Identity Server provides three groups of sample Java files. With these samples, a developer can create an SSO token in several ways:
An SSO token can be created for an application that runs on the Identity Server server.
An SSO token can be created for an application that runs on a server other than the Identity Server server.
An SSO token can be created from a session ID string passed on the command line. The files are in the <identity_server_root>/SUNWam/samples/sso directory.
SSO Servlet Sample
This sample can be used to create a token for an application that resides on the same server as the Identity Server application. The files used for this sample are:
The instructions in Readme.html can be followed to run this code.
Remote SSO Sample
This sample can be used to create a token for an application that resides on a different server from the one on which the Identity Server application lives. The files used for this sample are:
The instructions in remote.html can be followed to run this code.
Command Line SSO Sample
This sample illustrates how to validate a user from the command line using a session ID string. The files used for this sample are:
The instructions in ssocli.txt can be followed to run this code.
User Management Samples
User management samples are provided to illustrate how to use the Identity Server SDK as well as how to add new attributes to a user profile. The samples are located in <identity_server_root>/SUNWam/samples/um/. Detailed instructions on what each sample illustrates and how to implement them can be found in the Readme.html file.
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated December 02, 2002