Installation Guide: Sun ONE Portal Server Communication Channels
Appendix A
SSO Adapter Templates and Configurations
This appendix describes how to configure the single sign-on (SSO) adapter in order to adjust the options available to end users.
This appendix contains the following sections:
- Overview of the Single Sign-On Adapter
- SSO Adapter Template Format: Global
- SSO Adapter Configuration Format: Dynamic
- SSO Adapter Template and Configuration Examples
- Some Users Won’t See Configuration Changes
Overview of the Single Sign-On Adapter
The single sign-on adapter service lets applications, such as a portal server provider or any other web application, give end users authenticated access to various resource servers after they sign in once. Which resource servers can be reached depends on the implementations of the SSO Adapter interface that are installed on the system. Currently, Sun ONE Portal Server provides SSO Adapters for three resource servers: Mail, Calendar, and Address Book. These three services are available through the products:
Resource servers are typically accessed by an application through a standard application programming interface (API), such as JavaMail for a mail server. To create an authenticated connection using the API, the API must be given the configuration data for the connection. The SSO Adapter supplies that configuration data, and the SSO Adapter service is where the data is stored.
SSO Adapter Service
The SSO Adapter Service defines two levels of data: templates and configurations. An SSO Adapter template defines a class of connections that are made available to users. A single template is used by many users. It defines the data values that are the same for every user of the template, including default values, and identifies which values a user may edit. SSO Adapter templates are therefore defined at the global service level.
An SSO Adapter configuration builds upon a template by providing data values that are specific to an organization, role, or user. A configuration references a template and takes its values from the template for those properties that are not editable by the user. When a user changes the user-editable properties of an SSO Adapter configuration, the resulting configuration applies only to that one user.
A Portal Server communication channel that uses the SSO Adapter service references either a template or a configuration to get the data values needed to connect to a resource server. If the channel references a template and the user saves configuration information, the reference is changed to point to a configuration instead; that configuration in turn references the template.
SSO Adapter Template Format: Global
Accessing SSO Adapter Templates
To access the SSO Adapter Template from the Sun ONE Identity Server administration console:
- From an Internet browser, log on to the Identity Server administration console at http://hostname:port/amconsole, for example http://psserver.company22.siroe.com:80/amconsole
- Select Service Management in the View drop down list.
- Scroll down the lower left frame to Single Sign-on Adapter Configuration and click the arrow next to SSO Adapter.
An SSO Adapter page appears in the lower right frame. The SSO Adapter templates are at the top of the page under the section labeled Global.
About SSO Adapter Templates
SSO Adapter templates are created to hold server settings. The templates are represented as uniform resource locators (URLs), as described in RFC 1738 at the following Web site:
http://www.w3.org/Addressing/rfc1738.txt
The template string is comprised of various properties that—when configured—provide required information to backend systems.
Template strings are editable in order to allow administrators to assign values to properties within the strings and to apply certain rules of use to those properties.
Each template string begins with a protocol. Strings that begin with the IMAP and POP3 protocols apply to Mail SSO Adapter implementations; strings that begin with the HTTP protocol are used by Calendar SSO Adapter implementations; and strings that begin with the LDAP protocol are used by Address Book SSO Adapter implementations.
Code Example 2-4 is an Address Book SSO Adapter template. This example uses LDAP port 489 instead of the LDAP default port, 389. Using a non-default LDAP port in this example demonstrates the use of two sub-strings of code that are not necessary when the default LDAP port is used: a colon paired with the LDAP port number—:489—and the following substring—&default=port.
Template strings appear in the field as one long string; however, for readability purposes, the following string has been divided here into separate lines where line breaks have been added preceding each ampersand (&).
The following line shows the possible properties in the front portion of an SSO Adapter template string or an SSO Adapter configuration string. Comparing it with Code Example 2-4 shows how properties are assigned values. Table 2-2 describes each property and Table 2-3 explains the property types.
protocol://uid:password@host:port/?configName=configuration-name&ssoClassName=sso-adapter-class&...
The preceding portion of an SSO Adapter string is the proper format both for templates, which apply to all users of that portal server instance, and for configurations, which apply to specific organizations, roles, and users. However, certain sub-strings of it often do not appear in a template or configuration string. For example, the sub-string “uid:password@” is not commonly used in templates because its value is generally specific to a particular user.
Using that sub-string in an SSO Adapter template sets the same user ID and password for all users. This is appropriate in some situations. For example, a site might want to publish a read-only calendar of site-wide events: every user gets the calendar channel on the portal desktop with the same user ID and password and sees the same calendar. If you do this, list the password property as encoded (see Table 2-3) rather than leaving it in clear text, and give the shared account only the access the channel needs, because every user of the template authenticates to the resource server as that account.
Table 2-2 Some of the Properties in an SSO Adapter Template String
protocol (Optional): the protocol used to talk to the server.
uid (Optional): the user ID of the user on the server referenced by host.
password (Optional): the password, which is encoded (see Table 2-3), of the user on the server referenced by host.
host (Optional): the server host name.
port (Optional): the server port number.
configName (Mandatory): the name of the SSO Adapter template.
ssoClassName (Mandatory): the fully qualified class name of the SSO Adapter implementation.
SSO Adapter templates recognize the following property types:
Table 2-3 Property Types in an SSO Adapter Template String
merge
Denotes that the value is user-editable. In Code Example 2-4, notice that only two values can be edited by the user: uid and password.
default
Denotes that an attribute is passed to the adapter as a default value, which is actually a two-step process: the property is assigned a value at one point in the string and listed as a default elsewhere. In Code Example 2-4, notice that imapPort is set to a specific port, &imapPort=143, and later listed as a default, &default=imapPort. Only template values listed in this way reach the adapter.
The following example, which shows subsections of an SSO Adapter template and of an SSO Adapter configuration that references it, demonstrates how the default property works:
configName=t1&ex1=ex2&exa=exb&default=exa
configName=c1&configDesc=t1
The resulting list of properties seen by the SSOAdapter implementation is just:
exa=exb
The ex1=ex2 value in the template is ignored because ex1 is not listed as a default attribute.
encoded
Denotes that the attribute is not stored or passed in clear text but is obfuscated. In Code Example 2-4, notice that only one value, password, is encoded. Because the adapter must recover the clear-text password to authenticate, the encoding is reversible on the server: it prevents casual disclosure in the console and the directory, not disclosure to anyone who can run the decoding routine there.
The value adminPassword is not encoded. To encode a property such as adminPassword:
1. Enter the encrypted value into the SSO Adapter template string. For this example, the encrypted value, produced by AMPasswordUtil.encrypt(plain_text_value), follows the equal sign of the following substring:
&adminPassword=
2. Add a substring that assigns encoded to the property you want to encrypt. For this example the property is adminPassword, and the substring is added to the end of the string (a convenient location):
&encoded=adminPassword
This action changes the end of the SSO Adapter template to:
...merge=uid&merge=password&encoded=adminPassword
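The default, merge and encoded rules above can be checked with a small resolver. The following is an added example and not Sun ONE Portal Server code: it parses a template string and the configuration string that references it and returns the property set the adapter implementation would see. Its inputs are the t1/c1 pair from Table 2-3 and the template and configuration strings of Code Examples 2-6 and 2-8 later in this appendix (with the line breaks at the ampersands removed); the user ID and password values are constructed. How the product treats a user value for a property that is not listed as merge, and non-editable values found in a configuration string, is not stated on this page, so the example rejects the former and ignores the latter as its own conservative choice.

```python
"""Resolve the property set an SSO Adapter implementation sees.
Added example, not Sun ONE Portal Server code: it applies the default, merge
and encoded rules of Table 2-3 to a template and the configuration that
references it.  Assumptions are marked as such."""
from urllib.parse import urlsplit

MULTI_VALUED = ("merge", "default", "encoded")   # may appear more than once


def parse_sso_string(text):
    """Split a template/configuration string into scalar properties and the
    three multi-valued lists.  The scheme and authority (uid:password@host:port)
    map onto the protocol/uid/password/host/port properties of Table 2-2; a
    bare property list with no scheme (the t1/c1 illustration) is accepted.
    Query values are taken verbatim: the page defines no percent-encoding
    for them (assumption)."""
    text = text.strip()
    props, flags = {}, {name: [] for name in MULTI_VALUED}
    if "://" in text:
        parts = urlsplit(text)
        props["protocol"] = parts.scheme
        if parts.username is not None:
            props["uid"] = parts.username
        if parts.password is not None:
            props["password"] = parts.password
        if parts.hostname:
            props["host"] = parts.hostname
        if parts.port is not None:
            props["port"] = str(parts.port)
        query = parts.query
    else:
        query = text.lstrip("?")
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if not name:
            continue
        if name in MULTI_VALUED:
            flags[name].append(value)
        else:
            props[name] = value
    return props, flags


def resolve(template, configuration=None, user_values=None):
    """Return (effective_properties, encoded_property_names).
    Rules, following Table 2-3: only template values listed with default=
    reach the adapter; properties listed with merge= are user-editable and
    take their value from the configuration (organization, role or user
    level) and finally from what the user typed; a user value for a property
    that is not user-editable is rejected (this example's choice, assumption);
    configName and configDesc are identifiers and never reach the adapter,
    which matches the t1/c1 illustration whose result is just exa=exb."""
    t_props, t_flags = parse_sso_string(template)
    if "configName" not in t_props:
        raise ValueError("template must carry configName")
    editable = set(t_flags["merge"])
    effective = {n: t_props[n] for n in t_flags["default"] if n in t_props}

    if configuration is not None:
        c_props, _ = parse_sso_string(configuration)
        if c_props.get("configDesc") != t_props["configName"]:
            raise ValueError("configDesc does not name this template")
        for name, value in c_props.items():
            if name in editable:   # non-editable values are fixed by the template
                effective[name] = value

    for name, value in (user_values or {}).items():
        if name not in editable:
            raise ValueError(f"{name} is not user-editable (no merge={name})")
        effective[name] = value
    return effective, set(t_flags["encoded"])


# Inputs taken from this appendix, line breaks at the ampersands removed.
CREDENTIAL_MAIL_TEMPLATE = (   # Code Example 2-6
    "imap://company22.siroe.com:143/?configName=credentialMailTemplate"
    "&encoded=password&default=ssoClassName&default=protocol"
    "&default=clientProtocol&default=host&default=port&default=smtpServer"
    "&default=sentFolderCopy&default=clientPort"
    "&ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter"
    "&clientProtocol=http&smtpServer=company22.siroe.com"
    "&sentFolderCopy=true&clientPort=1080&merge=uid&merge=password"
)
CREDENTIAL_MAIL_CONFIG = "imap:///?configName=credentialMail&configDesc=credentialMailTemplate"
IMAP_TEMPLATE = (   # Code Example 2-8, the default template
    "imap:///?configName=imap&encoded=password&default=ssoClassName"
    "&default=protocol&default=clientProtocol&merge=host&merge=port"
    "&merge=uid&merge=password&merge=smtpServer&merge=sentFolderCopy"
    "&merge=clientPort&clientProtocol=http"
    "&ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter"
)
ORG_CREDENTIAL_MAIL_CONFIG = (
    "imap://company22.siroe.com:143/?configName=orgCredentialMail"
    "&configDesc=imap&smtpServer=company22.siroe.com&sentFolderCopy=true"
    "&clientPort=1080"
)


def global_vs_org(user_values):
    """Resolve both example pairs with the same user input and return the two
    property dicts so they can be compared."""
    global_props, _ = resolve(CREDENTIAL_MAIL_TEMPLATE, CREDENTIAL_MAIL_CONFIG, user_values)
    org_props, _ = resolve(IMAP_TEMPLATE, ORG_CREDENTIAL_MAIL_CONFIG, user_values)
    return global_props, org_props


if __name__ == "__main__":
    typed = {"uid": "jdoe", "password": "AQIC-constructed-encoded-value"}  # constructed
    g, o = global_vs_org(typed)
    for name in sorted(g):
        print(f"{name}={g[name]}")
    print("global and organization-level results identical:", g == o)
```

Running the block resolves the global and the organization-level example pairs with the same user input and shows that they yield the same ten properties; the only difference between the two examples is where the server settings are administered. Note that ssoClassName must never be listed as merge: the merge list is what decides whether a value a user submits is accepted, and a user-editable adapter class name would let a user choose which class the portal loads.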
SSO Adapter Configuration Format: Dynamic
Accessing SSO Adapter Configurations
Note
To edit the SSO Adapter configurations, follow the steps as shown subsequently—which access the configurations by selecting the User Management view, as described in step 2. Do not access the configurations through the Service Management view as described in "Accessing SSO Adapter Templates."
To access the SSO Adapter configurations from the Identity Server administration console:
- From an Internet browser, log on to the Identity Server administration console at http://hostname:port/amconsole, for example http://psserver.company22.siroe.com:80/amconsole
- Select User Management in the View drop down list.
- In the lower left frame, click the organization link. Example: siroe.com.
- Again, in the lower left frame, select Services in the Show drop down list.
- Scroll down the lower left frame to Single Sign-on Adapter Configuration and click the arrow next to SSO Adapter.
About SSO Adapter Configurations
Code Example 2-5 is a Mail SSO Adapter configuration.
As mentioned previously, dynamic SSO Adapter configurations have the same format as the global SSO Adapter service templates:
protocol://uid:password@host:port/?configName=configuration-name&configDesc=sso-adapter-template&...
As with SSO Adapter templates, certain sub-strings of the preceding portion often do not appear within an SSO Adapter configuration string. For example, the sub-string “uid:password@host:port” is not commonly used within configuration strings.
The properties and property types recognized at the dynamic level are:
Table 2-4 Property Types in an SSO Adapter Configuration String
configName (Mandatory): the unique identifier of the SSO Adapter template or configuration definition.
configDesc (Mandatory): the SSO Adapter template that this configuration builds on. The value of configDesc in a dynamic SSO Adapter configuration string is the value of configName in the global SSO Adapter template string it references (the two strings begin with the same protocol).
SSO Adapter Template and Configuration Examples
Two examples follow of how to create and share portal channel configurations. In both examples the data distributed between the SSO Adapter template and the SSO Adapter configuration is almost exactly the same; the first example shares the properties globally, while the second shares them within a single organization. In both examples the only editing users need to do is to enter their user ID and password, after which they can launch the channel from the desktop.
Server Is Defined within the SSO Adapter Template
Server Is Defined at the Organization Level
Some Users Won’t See Configuration Changes
When you make changes to the SSO Adapter templates and configurations, which are described in the next two examples, not all users will see the changes on their desktops. Users who have already edited their channel preferences by editing a channel from the desktop will not see future changes made by administrators to any channels, existing or new. The steps for implementing administrators’ configurations to these users are described in "Some Users Won’t See Configuration Changes."
Server Is Defined within the SSO Adapter Template
This section describes an SSO Adapter template in which the mail server is defined globally, so that all subdivisions of the global level, from organizations to roles, share the same server configuration. For information on defining the server at the organization level, see "Server Is Defined at the Organization Level".
For this configuration, the outcome is that users will have a Mail channel on the “My Front Page” tab where the Mail channel is editable and where the user only needs to enter their credentials—user ID (uid) and password— to complete the configuration.
The following example creates a new SSO Adapter template, SSO Adapter configuration, and Mail channel.
- Add a new SSO Adapter template, which for this example is named credentialMailTemplate.
- From an Internet browser, log on to the Identity Server administration console at http://hostname:port/amconsole, for example http://psserver.company22.siroe.com:80/amconsole
- Select Service Management in the View drop down list.
- Scroll down the lower left frame to Single Sign-on Adapter Configuration and click the arrow next to SSO Adapter.
- After the SSO Adapter page appears in the lower right frame, click in the blank configuration description field—which is just above the Add and Remove buttons— it is in the box labeled SSO Adapter Templates under the heading Global as opposed to Dynamic.
- In the blank configuration description field, type the entire SSO Adapter template string shown in Code Example 2-6; replace the variable information with the specific information for your site unless an example value also fits your site (therefore, replace some, if not all, of the following values: credentialMailTemplate, company22.siroe.com:143, company22.siroe.com, true, and 1080). If the field is not blank when you get to it, select all the text in the field and delete it.
Code Example 2-6 Mail SSO Adapter Template for Sharing Globally
imap://company22.siroe.com:143/?configName=credentialMailTemplate
&encoded=password
&default=ssoClassName
&default=protocol
&default=clientProtocol
&default=host
&default=port
&default=smtpServer
&default=sentFolderCopy
&default=clientPort
&ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter
&clientProtocol=http
&smtpServer=company22.siroe.com
&sentFolderCopy=true
&clientPort=1080
&merge=uid
&merge=password
- Click Add.
- Click Save.
At this point, there may be more than one string that begins with the IMAP protocol. This is acceptable.
- Add a new SSO Adapter configuration, which for this example is named credentialMail. Choose your own name for your site.
- From an Internet browser, log on to the Identity Server administration console at http://hostname:port/amconsole, for example http://psserver.company22.siroe.com:80/amconsole
- Select User Management in the View drop down list.
- In the lower left frame, click the organization link. For example: siroe.com.
- Again, in the lower left frame, select Services in the Show drop down list.
- Scroll down the lower left frame to Single Sign-on Adapter Configuration and click the arrow next to SSO Adapter.
- After the SSO Adapter page appears in the lower right frame, click in the blank configuration description field—which is just above the Add and Remove buttons.
- In the blank configuration description field, type the following lines, where for this example the configuration name is credentialMail and the configuration description (the configName of the template it references) is credentialMailTemplate; replace both names with the specific information for your site. If the field is not blank when you get to it, select all the text in the field and delete it.
imap:///?configName=credentialMail
&configDesc=credentialMailTemplate
- Click Add.
- Click Save.
- Add a new Mail Channel to the My Front Page tab. For this example the name of the new channel is CredentialMailChannel.
- From an Internet browser, log on to the Identity Server administration console at http://hostname:port/amconsole, for example http://psserver.company22.siroe.com:80/amconsole
- Select User Management in the View drop down list.
- In the lower left frame, click the organization link. Example: siroe.com.
- Again, in the lower left frame, select Services in the Show drop down list.
- Under the Portal Server Configuration heading, click the arrow next to the word Desktop.
- After the Desktop page appears in the lower right frame, click the Channel and Container Management link.
- Under the Channels heading, click Add.
- In the Channel Name field, type the name for the new channel, which for this example is CredentialMailChannel.
- In the Provider drop down menu, select MailProvider.
- Click Create, which returns you to the Channel and Container Management Web page where the channel you just created now exists.
- Under the Channels heading, click Edit next to the name of the channel you just created, which for this example is CredentialMailChannel.
- In the “title” field, select and delete any words that currently exist, for example mail, and type a provider title, which for this example is Credential Only Mail Account.
- In the description field, select and delete any words that currently exist, for example mail, and type a provider description, which for this example is again Credential Only Mail Account.
- Scroll down the page (still in the lower right frame); select and delete any words that currently exist in the “ssoAdapter” field, for example imapmail; and type the same SSO Adapter configuration name used in Step 2, which for this example is credentialMail.
- Click Save.
- Scroll back up the page to click the word root, which is the first item following the words Container Path.
- Under the Container Channels heading, click the link MyFrontPageTabPanelContainer. Do not click the accompanying Edit link.
- Under the Channel Management heading, click the words CredentialMailChannel, which is in the Existing Channels list.
- Click the Add button that is next to the Available and Visible list. This makes the channel available to users and visible without any further configuration.
- Scroll back up the page to click Save under the Channel Management heading.
- Copy and modify the Mail templates. This step will remove information from a user’s newly created Mail channel’s display profile. After this step is completed, when the user edits this Mail channel, the user will only see two of the six configuration options in the display profile: User ID and password. The four other configuration options, such as client port, will no longer be visible. Each configuration option appears to the user in its own table row as a part of an overall table. To remove the four configuration options from the display profile, remove four table rows from the HTML code:
- Log in to the server where the Desktop templates are located.
- Change directories to:
/etc/opt/SUNWps/desktop/default
- Copy the MailProvider directory and rename it to the same name as the newly created channel, which for this example is CredentialMailChannel, by typing a command such as the following:
cp -Rf MailProvider CredentialMailChannel
- Change directories to the newly created directory, which for this example is CredentialMailChannel.
- Edit the edit.template file by removing the code for four table rows. Therefore, delete everything from <tr> to </tr>—which includes multiple table cells (<td> to </td>)—for each row that contains one of the following HTML tags.
[tag:host]
[tag:port]
[tag:smtpServer]
[tag:clientPort]
Each of the preceding tags appears only once in the edit.template file and each tag appears in its own row. The code for the four table rows appears consecutively. Code Example 2-7 displays the code to be deleted for the first of the four tags in the preceding list: [tag:host].
Code Example 2-7 One of the Table Rows to Delete
<TR>
<TD WIDTH="20%" ALIGN="CENTER" VALIGN="MIDDLE" NOWRAP>
<P ALIGN="RIGHT">
<FONT FACE="[tag:iwtDesktop-fontFace1]" SIZE="-1" COLOR="#000000">
Server Name:</FONT>
</TD>
<TD WIDTH="45%" VALIGN="MIDDLE" NOWRAP>
<FONT FACE="[tag:iwtDesktop-fontFace1]" SIZE="+0">
<INPUT TYPE="TEXT" NAME="host" SIZE="25" MAXLENGTH="40"
VALUE="[tag:host]">
</FONT>
</TD>
</TR>
- Create a new portal user and authenticate to the desktop (optional).
If you create new users, they will see the configuration changes you just made on their portal desktops. Existing users who have not previously configured any of the channels from their desktops will also see the changes. However, existing users who have configured a channel from their desktops won’t see them. To allow those users to see the changes, refer to "Some Users Won’t See Configuration Changes".
- Select User Management in the View drop down list, if it is not already selected.
- Click the organization link. For example: siroe.com.
- In the lower left frame, select Users in the Show drop down list.
- Click New.
- In the Create User panel, select the services to be assigned to the user.
- Select at a minimum Desktop and SSO Adapter.
- Click Next.
- Enter the user information in the Create User panel.
- Click Create.
The new user’s name then appears in the lower left frame under the column titled Name.
Server Is Defined at the Organization Level
This section describes configuring an SSO Adapter template at the organizational level. The data used in the SSO Adapter template and SSO Adapter configuration in this example is almost exactly the same as the data used in the example in "Server Is Defined within the SSO Adapter Template". However, in the following example, more of the properties appear within the SSO Adapter configuration and fewer appear within the SSO Adapter template. Putting the properties in the SSO Adapter configuration allows you to share those properties within an organization rather than sharing the properties globally.
The following example creates a new SSO Adapter configuration and Mail channel. The default SSO Adapter template is used in this example. You do not need to create another template:
Code Example 2-8 Mail SSO Adapter Template for Sharing within an Organization.
imap:///?configName=imap
&encoded=password
&default=ssoClassName
&default=protocol
&default=clientProtocol
&merge=host
&merge=port
&merge=uid
&merge=password
&merge=smtpServer
&merge=sentFolderCopy
&merge=clientPort
&clientProtocol=http
&ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter
- Add a new SSO Adapter configuration, which for this example is named orgCredentialMail. Choose your own name for your site.
- From an Internet browser, log on to the Identity Server administration console at http://hostname:port/amconsole, for example http://psserver.company22.siroe.com:80/amconsole
- Select User Management in the View drop down list.
- In the lower left frame, click the organization link. For Example: siroe.com.
- Again, in the lower left frame, select Services in the Show drop down list.
- Scroll down the lower left frame to Single Sign-on Adapter Configuration and click the arrow next to SSO Adapter.
- After the SSO Adapter page appears in the lower right frame, click in the blank configuration description field—which is just above the Add and Remove buttons.
- In the blank configuration description field, type the following lines, where for this example the configuration name is orgCredentialMail and the configuration description is imap (the configName of the default template); replace the variable information with the specific information for your site unless an example value also fits your site (therefore, replace some, if not all, of the following values: company22.siroe.com:143, orgCredentialMail, company22.siroe.com, true, and 1080). If the field is not blank when you get to it, select all the text in the field and delete it.
imap://company22.siroe.com:143/?configName=orgCredentialMail
&configDesc=imap
&smtpServer=company22.siroe.com
&sentFolderCopy=true
&clientPort=1080
- Click Add.
- Click Save.
At this point, there may be more than one string that begins with the IMAP protocol. This is perfectly acceptable.
- Add a new Mail Channel to the My Front Page tab; for this example, the name of the new channel is OrgCredentialMailChannel.
- From an Internet browser, log on to the Identity Server administration console at http://hostname:port/amconsole, for example http://psserver.company22.siroe.com:80/amconsole
- Select User Management in the View drop down list, if it is not already selected.
- In the lower left frame, click the organization link. Example: siroe.com.
- Again, in the lower left frame, select Services in the Show drop down list.
- Under the Portal Server Configuration heading, click the arrow next to the word Desktop.
- After the Desktop page appears in the lower right frame, click the Channel and Container Management link.
- Under the Channels heading, click Add.
- In the Channel Name field, type the name for the new channel, which for this example is OrgCredentialMailChannel.
- In the Provider drop down menu, select MailProvider.
- Click Create, which returns you to the Channel and Container Management Web page where the channel you just created now exists.
- Under the Channels heading, click Edit next to the name of the channel you just created, which for this example is OrgCredentialMailChannel.
- In the title field, select and delete any words that currently exist, for example mail, and type a provider title, which for this example is Organization Defined Credential Only Mail Account.
- In the description field, select and delete any words that currently exist, for example mail, and type a provider description, which for this example is again Organization Defined Credential Only Mail Account.
- Scroll down the page (still in the lower right frame); select and delete any words that currently exist in the ssoAdapter field, for example imapmail; and type the same SSO Adapter configuration name used in Step 1, which for this example is orgCredentialMail.
- Click Save.
- Scroll back up the page to click the word root, which is the first item following the words Container Path.
- Under the Container Channels heading, click the link MyFrontPageTabPanelContainer. Do not click the accompanying Edit link.
- Under the Channel Management heading, click the words OrgCredentialMailChannel, which is in the Existing Channels list.
- Click the Add button that is next to the Available and Visible list. This makes the channel available to users and visible without any further configuration.
- Scroll back up the page to click Save under the Channel Management heading.
- Copy and modify the Mail templates. This step will remove information from a user’s newly created Mail channel’s display profile. After this step is completed, when the user edits this Mail channel, the user will only see two of the six configuration options in the display profile: User ID and password. The four other configuration options, such as client port, will no longer be visible. Each configuration option appears to the user in its own table row as a part of an overall table. To remove the four configuration options from the display profile, remove four table rows from the HTML code:
- Log in to the server where the Desktop templates are located.
- Change directories to:
/etc/opt/SUNWps/desktop/default
- Copy the MailProvider directory and rename it to the same name as the newly created channel, which for this example is OrgCredentialMailChannel, by typing a command such as the following:
cp -Rf MailProvider OrgCredentialMailChannel
- Change directories to the newly created directory, which for this example is OrgCredentialMailChannel.
- Edit the edit.template file by removing the code for four table rows. Therefore, delete everything from <tr> to </tr>—which includes several table cells (<td> to </td>)—for each row that contains one of the following HTML tags.
[tag:host]
[tag:port]
[tag:smtpServer]
[tag:clientPort]
Each of the preceding tags appears only once in the edit.template file and each tag appears in its own row. The code for the four table rows appears consecutively. Code Example 2-9 displays the code to be deleted for the first of the four tags in the preceding list: [tag:host].
Code Example 2-9 One of the Table Rows to Delete
<TR>
<TD WIDTH="20%" ALIGN="CENTER" VALIGN="MIDDLE" NOWRAP>
<P ALIGN="RIGHT">
<FONT FACE="[tag:iwtDesktop-fontFace1]" SIZE="-1" COLOR="#000000">
Server Name:</FONT>
</TD>
<TD WIDTH="45%" VALIGN="MIDDLE" NOWRAP>
<FONT FACE="[tag:iwtDesktop-fontFace1]" SIZE="+0">
<INPUT TYPE="TEXT" NAME="host" SIZE="25" MAXLENGTH="40"
VALUE="[tag:host]">
</FONT>
</TD>
</TR>
- Create a new portal user and authenticate to the desktop (optional).
If you create new users, they will see the configuration changes you just made on their portal desktops. Existing users who have not previously configured any of the channels from their desktops will also see the changes. However, existing users who have configured a channel from their desktops won’t see them. To allow those users to see the changes, refer to "Some Users Won’t See Configuration Changes".
- Select User Management in the View drop down list, if it is not already selected.
- Click the organization link. For example: siroe.com.
- In the lower left frame, select Users in the Show drop down list.
- Click New.
- In the Create User panel, select the services to be assigned to the user.
- Select at a minimum Desktop and SSO Adapter.
- Click Next.
- Enter the user information in the Create User panel.
- Click Create.
The new user’s name then appears in the lower left frame under the column titled Name.
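The copy-and-strip step that both examples share (copying MailProvider to the new channel directory and deleting the four table rows from edit.template) can be scripted. The following is an added example and not part of Sun ONE Portal Server: it copies the provider directory, removes every <TR>...</TR> block that contains one of the four tags, and refuses to continue if any of the four rows is missing, so a partial edit cannot go unnoticed. The sample edit.template it operates on is constructed for the example (its host row is the one shown in Code Example 2-7; the real file carries more markup), and the directory layout /etc/opt/SUNWps/desktop/default/MailProvider/edit.template is the one the steps above name.

```python
"""Copy MailProvider to a new channel directory and drop four rows from
edit.template.  Added example, not Sun ONE Portal Server code.  The sample
template below is constructed for the example."""
import re
import shutil
import tempfile
from pathlib import Path

# the four tags whose table rows the procedure above removes
TAGS_TO_DROP = ("[tag:host]", "[tag:port]", "[tag:smtpServer]", "[tag:clientPort]")
ROW_RE = re.compile(r"<TR\b.*?</TR>", re.IGNORECASE | re.DOTALL)


def strip_rows(html, tags=TAGS_TO_DROP):
    """Return (html with every <TR>...</TR> block containing one of tags removed,
    list of the tags that were found) so the caller can check all rows went."""
    found = []

    def drop_if_tagged(match):
        row = match.group(0)
        hits = [tag for tag in tags if tag in row]
        found.extend(hits)
        return "" if hits else row

    return ROW_RE.sub(drop_if_tagged, html), found


def make_channel_templates(desktop_dir, channel_name, provider="MailProvider"):
    """Equivalent of 'cp -Rf MailProvider <channel_name>' followed by the edit.
    Refuses to overwrite an existing channel directory and leaves the copied
    edit.template untouched if any of the four rows is missing."""
    src = Path(desktop_dir) / provider
    dst = Path(desktop_dir) / channel_name
    shutil.copytree(src, dst)          # raises FileExistsError if dst exists
    edit = dst / "edit.template"
    html, found = strip_rows(edit.read_text())
    missing = set(TAGS_TO_DROP) - set(found)
    if missing:
        raise RuntimeError(f"rows not found in {edit}: {sorted(missing)}")
    edit.write_text(html)
    return dst


# Constructed sample: the host row is the one shown in Code Example 2-7,
# the other five rows are abbreviated.
SAMPLE_EDIT_TEMPLATE = """<TABLE>
<TR><TD>User ID:</TD><TD><INPUT TYPE="TEXT" NAME="uid" VALUE="[tag:uid]"></TD></TR>
<TR><TD>Password:</TD><TD><INPUT TYPE="PASSWORD" NAME="password" VALUE="[tag:password]"></TD></TR>
<TR>
<TD WIDTH="20%" ALIGN="CENTER" VALIGN="MIDDLE" NOWRAP>
<P ALIGN="RIGHT">
<FONT FACE="[tag:iwtDesktop-fontFace1]" SIZE="-1" COLOR="#000000">
Server Name:</FONT>
</TD>
<TD WIDTH="45%" VALIGN="MIDDLE" NOWRAP>
<FONT FACE="[tag:iwtDesktop-fontFace1]" SIZE="+0">
<INPUT TYPE="TEXT" NAME="host" SIZE="25" MAXLENGTH="40" VALUE="[tag:host]">
</FONT>
</TD>
</TR>
<TR><TD>Server Port:</TD><TD><INPUT TYPE="TEXT" NAME="port" VALUE="[tag:port]"></TD></TR>
<TR><TD>SMTP Server:</TD><TD><INPUT TYPE="TEXT" NAME="smtpServer" VALUE="[tag:smtpServer]"></TD></TR>
<TR><TD>Client Port:</TD><TD><INPUT TYPE="TEXT" NAME="clientPort" VALUE="[tag:clientPort]"></TD></TR>
</TABLE>
"""


def demo_in_tempdir(channel_name="CredentialMailChannel"):
    """Build a throwaway desktop directory holding the sample, run the
    copy-and-strip step and return the rewritten edit.template text."""
    with tempfile.TemporaryDirectory() as tmp:
        provider_dir = Path(tmp) / "MailProvider"
        provider_dir.mkdir()
        (provider_dir / "edit.template").write_text(SAMPLE_EDIT_TEMPLATE)
        dst = make_channel_templates(tmp, channel_name)
        return (dst / "edit.template").read_text()


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Against a real installation the call is make_channel_templates("/etc/opt/SUNWps/desktop/default", "CredentialMailChannel"). Removing a row only hides the field on the edit page; whether a value the user submits is accepted is decided by the template's merge list, not by the form. In the global example only uid and password are listed as merge, so the hidden properties are not editable in any case. In the organization-level example the default imap template lists host, port, smtpServer and clientPort as merge, so at the SSO Adapter level those properties remain user-editable even though their rows are gone from the form.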
Some Users Won’t See Configuration Changes
Administrators make channel configuration changes, including the addition of new channels, by editing or creating SSO Adapter templates and configurations. These changes do not affect all users. The users they affect are new users and existing users who have not previously edited a channel from their desktops.
However, for users who have previously changed one or more of their channel configurations by editing a channel from their desktops, administrators need to make the configuration changes directly at the user level before the changes take effect. For example, when administrators add a channel at the global, organization, or role level, the channel appears on these users’ desktops with an error message.
This situation occurs because of the way Class of Service (CoS) works in the directory server. When users configure one or more of their channels, their user entries receive their own copies of the SSO Adapter template and configuration attributes, and an attribute set directly on an entry overrides the value CoS would otherwise supply. Thereafter, for these users, values added by administrators at the global, organization, or role level are no longer inherited at the user level.
Therefore, configure the changes directly at the user level for every user who has previously changed one or more of their channel configurations. It is usually more convenient to configure the changes for other users first and then to copy those template and configuration strings and paste them directly at the user level for the users that need them; the following instructions assume that you will work in this manner. However, you can key configuration strings directly at the user level without copying and pasting, if you wish.
After making configuration changes for others, make configuration changes directly at the user level—for those who need it—with one of the two following methods:
User-Level Configuration Changes for One to a Few Users
Copy and paste the SSO Adapter template string or the SSO Adapter configuration string that you just edited or created for other users to the users who need the changes made directly at the user level as follows:
- Of the two instruction titles listed subsequently, choose the one that fits your current situation and follow all of the substeps of that instruction before continuing on to Step 2.
To copy a string from an SSO Adapter template:
- From an Internet browser, log on to the Identity Server administration console at http://hostname:port/amconsole, for example http://psserver.company22.siroe.com:80/amconsole
- Select Service Management in the View drop down list, if it is not already selected.
- Scroll down the lower left frame to Single Sign-on Adapter Configuration and click the arrow next to SSO Adapter.
- After the SSO Adapter page appears in the lower right frame, click the string that you want to copy, such as "http:///..." or "imap:///...". These strings are in the box labeled SSO Adapter Templates under the heading Global (as opposed to Dynamic).
- With the string you just selected showing in the configuration description field—which is just above Add and Remove buttons—select and copy the entire contents of the field and go on to Step 2.
To copy a string from an SSO Adapter configuration:
- From an Internet browser, log on to the Identity Server administration console at http://hostname:port/amconsole, for example http://psserver.company22.siroe.com:80/amconsole
- Select User Management in the View drop down list, if it is not already selected.
- In the lower left frame, click the organization link. For Example: siroe.com.
- Again, in the lower left frame, select Services in the Show drop down list.
- Scroll down the lower left frame to Single Sign-on Adapter Configuration and click the arrow next to SSO Adapter.
- After the SSO Adapter page appears in the lower right frame, click the string that you want to copy, such as "http:///..." or "imap:///...".
- With the string you just selected showing in the configuration description field—which is just above Add and Remove buttons—select and copy the entire contents of the field and go on to Step 2.
- Step 2: In the Identity Server administration console, select User Management in the View drop down list, if it is not already selected.
- In the lower left frame, click the organization link. For example: siroe.com.
- Select Users in the Show drop down list.
- After the list of users appears, click the arrow next to the user whose user level configuration you want to edit.
- In the lower right frame, scroll down to the box labeled SSO Adapter Configurations under the SSO Adapter heading.
- Click in the configuration description field—which is just above Add and Remove buttons.
- Paste the SSO Adapter template string or the SSO Adapter configuration string that you copied in Step 1 here in the configuration description field.
- Scroll to the far right, past the SSO Adapter Configurations box.
- Select Customize from the drop down list, if it is not already selected (possible selections are Customize, Inherit, and Ignore).
- Scroll to the far left.
- Click Save.
User-Level Configuration Changes for Many Users (Using a Script)
To apply configuration changes to many users directly at the user level, you create an LDIF file containing one modify record per user; each record identifies the user entry and the SSO Adapter template(s) and configuration(s) you want to connect that user to.
You then run an ldapmodify command that reads the file and applies the changes in it to the directory server.
- Create a file similar to that in Code Example 2-10 using information specific to your site.
- Name the file using the .ldif suffix.
- In the file, create a separate entry for every user who needs the SSO Adapter configured for them directly at the user level.
- Include all four lines (dn, changetype, add, and the attribute value) for each user, and separate the records with a blank line.
The following example file includes only two example entries. This file is named attr.ldif; the two users are named user1 and user2; the organization name is siroe; the configuration name—which is the name of the SSO Adapter configuration that both users happen to be referencing—is group1imapmail; the configuration description—which identifies which SSO Adapter template the group1imapmail configuration is referencing—is everyoneimap. For this example, it is the same for both users.
Code Example 2-10 A File named attr.ldif with Scripts for the Directory Server
dn: uid=user1,ou=People,o=siroe.com,o=isp
changetype: modify
add: sunSSOAdapterConfigurations
sunSSOAdapterConfigurations: imap:///?configName=group1imapmail&configDesc=everyoneimap

dn: uid=user2,ou=People,o=siroe.com,o=isp
changetype: modify
add: sunSSOAdapterConfigurations
sunSSOAdapterConfigurations: imap:///?configName=group1imapmail&configDesc=everyoneimap
- Use an ldapmodify command similar to that in Code Example 2-11 to send the file you created in Step 1 to the directory server. When entering these commands, use information specific to your site.
The following example lists the commands needed to send a file to the directory server to be read. The following information is specific to this example site: the password is mypassword; the host name is localhost; the port number is the default, 389; and the file being sent is named attr.ldif.
Code Example 2-11 Sending a File Named attr.ldif to the Directory Server
setenv LD_LIBRARY_PATH DSBaseDir/lib
DSBaseDir/shared/bin/ldapmodify -D "cn=Directory Manager" -w mypassword -h localhost -p 389 -f attr.ldif
The first line sets LD_LIBRARY_PATH so that ldapmodify can find the directory server's shared libraries (setenv is csh syntax; in sh or bash use export LD_LIBRARY_PATH=DSBaseDir/lib). The second line runs ldapmodify from DSBaseDir/shared/bin. A summary of each option used with this command follows:
-D
specifies the distinguished name, in this case “cn=Directory Manager,” to bind to the directory
-w
specifies the password, in this case mypassword, for authenticating to the directory. A password given on the command line is visible to other users of the host in process listings and may be recorded in the shell history; where your version of ldapmodify can read the password from a file or prompt for it, prefer that, and where possible bind as an administrative identity with write access to the affected user entries rather than as cn=Directory Manager.
-h
specifies the host, in this case localhost, on which the directory server is running
-p
specifies the port, in this case the default port 389, on which the directory server is listening
-f
specifies a file, in this case attr.ldif, to be read by the directory server
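The two steps above (building the per-user LDIF file and running ldapmodify against it) are easy to get subtly wrong when the user list is long: a uid containing a comma or an equals sign changes which entry the record targets, a value with a leading space or a non-ASCII character must be base64-encoded in LDIF, and the bind password ends up in process listings when passed with -w. The following Python script is an added example, not code from the Sun ONE Portal Server guide. The entry layout, attribute name, organization DN, and user names come from Code Example 2-10 and 2-11; the escaping rules follow RFC 4514 and RFC 2849; the restriction of configuration names to a plain token set, the ldapmodify -j flag for reading the password from a file, and all function names are assumptions.

```python
"""Generate the per-user SSO Adapter LDIF and the ldapmodify argument
vector.  Added example, not part of the Sun ONE Portal Server guide.
Entry layout and attribute name follow Code Example 2-10; the -j flag and
the token restriction on configuration names are assumptions."""
import base64
import re
from typing import List

ORG_DN = "o=siroe.com,o=isp"                 # from the guide's example
SSO_ATTR = "sunSSOAdapterConfigurations"     # attribute set in Code Example 2-10
_DN_SPECIALS = set(',+"\\<>;=')
_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping so a uid such as 'bob,ou=Admins' cannot change which
    entry the record targets (a DN-injection check for generated LDIF)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def sso_adapter_config(scheme: str, config_name: str, config_desc: str) -> str:
    """Configuration string in the form the guide shows, e.g.
    imap:///?configName=group1imapmail&configDesc=everyoneimap.
    Names are restricted to [A-Za-z0-9_.-] (assumption) instead of being
    URL-encoded, since how the portal decodes '%xx' is not documented here."""
    for label, val in (("scheme", scheme), ("configName", config_name),
                       ("configDesc", config_desc)):
        if not _NAME_RE.fullmatch(val):
            raise ValueError(f"{label} has characters outside [A-Za-z0-9_.-]: {val!r}")
    return f"{scheme}:///?configName={config_name}&configDesc={config_desc}"


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: a value that is non-ASCII, contains CR/LF/NUL, or starts with
    a space, ':' or '<' must be base64-encoded after a double colon."""
    unsafe = (not value.isascii() or any(c in value for c in "\r\n\0")
              or value[:1] in (" ", ":", "<"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode('ascii')}"
    return f"{attr}: {value}"


def user_record(uid: str, config: str, org_dn: str = ORG_DN) -> str:
    """One modify record.  The '-' closes the mod-spec as RFC 2849 requires
    (the guide's example omits it); the blank line separates records."""
    lines = [
        ldif_line("dn", f"uid={escape_dn_value(uid)},ou=People,{org_dn}"),
        "changetype: modify",
        f"add: {SSO_ATTR}",
        ldif_line(SSO_ATTR, config),
        "-",
    ]
    return "\n".join(lines) + "\n\n"


def build_ldif(uids: List[str], config: str) -> str:
    """The whole attr.ldif: one record per user, all pointing at the same
    SSO Adapter configuration, as in Code Example 2-10."""
    return "".join(user_record(uid, config) for uid in uids)


def ldapmodify_argv(ldif_path: str, password_file: str,
                    bind_dn: str = "cn=Directory Manager",
                    host: str = "localhost", port: int = 389) -> List[str]:
    """Argument vector equivalent to Code Example 2-11, but reading the bind
    password from a file with -j (assumed; check your tool's usage output)
    so it does not show in 'ps' output or shell history the way
    '-w mypassword' does.  Prefix DSBaseDir/shared/bin yourself."""
    return ["ldapmodify", "-D", bind_dn, "-j", password_file,
            "-h", host, "-p", str(port), "-f", ldif_path]


if __name__ == "__main__":
    cfg = sso_adapter_config("imap", "group1imapmail", "everyoneimap")
    with open("attr.ldif", "w") as fh:            # the file from step 1
        fh.write(build_ldif(["user1", "user2"], cfg))
    print(" ".join(ldapmodify_argv("attr.ldif", "/path/to/pwfile")))
```

Run the script, put the Directory Manager password (mode 0600) in the file named in the printed command, and run that command from DSBaseDir/shared/bin with LD_LIBRARY_PATH set as in Code Example 2-11. The generator refuses configuration names containing characters such as "&" or "=" rather than encoding them, because a stray "&" in configName would silently turn into an extra query parameter in the adapter string.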
For more information about the ldapmodify command see iPlanet Directory Server 5.1 Administrator’s Guide at the following location: