Sweeping SAMLv2 Assertions from the 7th Floor
By docteger on Nov 26, 2008
The following information was just put in the Sun OpenSSO Enterprise 8.0 Administration Guide but the new version won't be published until next week. Read the information here first. (There might be some changes to this entry based on answers to questions I have sent the engineer. I will update as necessary.)
authenticateRequesterURI will not throw an exception.
Requesting SAMLv2 Authentication Context Information
A SAMLv2 assertion contains information regarding the context of a principal's authentication. The requesting party may require this additional information (for example, the authenticating technology or protocol used) in order to assess the level of confidence they can place in the assertion. To retrieve authentication context information, the service provider issues a query to the authentication authority.
Only the SOAP binding is supported for this request, and signing is required, so make sure the Signing Certificate Alias attribute is configured for both the service provider and the authentication authority.
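As an added illustration that is not part of the Administration Guide, here is how a service provider might inspect what the authentication authority returns for such a query: it checks the response status, requires that each assertion carries a signature element, pulls out the AuthnContextClassRef of each authentication statement, and compares it with the minimum the relying party demands. The sample response and the strength ranking are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Confidence ranking of authn context classes. The URIs come from the SAML 2.0
# authn context spec; the ordering is a policy choice constructed for this example.
STRENGTH = {AC + "unspecified": 0, AC + "Password": 1,
            AC + "PasswordProtectedTransport": 2, AC + "X509": 3}

def authn_contexts(response_xml):
    """Return the AuthnContextClassRef of every AuthnStatement in a SAMLv2
    Response to an AuthnQuery. Rejects a non-Success status and any assertion
    without a ds:Signature element (signing is mandatory on this exchange;
    verifying the signature itself is the SAML library's job, not done here)."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("authentication authority did not report Success")
    refs = []
    for assertion in root.findall("saml:Assertion", NS):
        if assertion.find("ds:Signature", NS) is None:
            raise ValueError("assertion %s is not signed" % assertion.get("ID"))
        for stmt in assertion.findall("saml:AuthnStatement", NS):
            ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
            refs.append(ref.text.strip() if ref is not None and ref.text
                        else AC + "unspecified")
    return refs

def meets_minimum(response_xml, required_class):
    """True if at least one returned context is as strong as required_class."""
    need = STRENGTH[required_class]
    return any(STRENGTH.get(r, 0) >= need for r in authn_contexts(response_xml))

# Constructed sample of what the authentication authority might return; the
# Signature content is a placeholder, not a real XML signature.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="r1" Version="2.0">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="a1" Version="2.0"><saml:Issuer>idp.example.com</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:AuthnStatement AuthnInstant="2008-11-26T10:00:00Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""
```

In a deployment the parsing and signature verification are done by the OpenSSO SAMLv2 library; the point here is the policy decision the service provider makes on the returned context class.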
To Configure for Authentication Context Query
- Requesting Identity Attributes via a SAMLv2 Assertion
- Requesting a Cached SAMLv2 Assertion
- Requesting SAMLv2 Authentication Context Information
- Mapping SAMLv2 Name Identifiers
Requesting Identity Attributes via a SAMLv2 Assertion
By default, OpenSSO uses com.sun.identity.saml2.plugins.AttributeAuthorityMapper to process queries. This default implementation uses the attribute map table configured in the identity provider's extended metadata; this table maps the requested SAMLv2 attributes to the user profile attributes in the identity data store. (If an attribute map is not configured, no attributes will be returned.) To set OpenSSO to use a customized attribute mapper implementation, modify the values of the default_attributeAuthorityMapper and x509Subject_attributeAuthorityMapper properties in the extended metadata of the provider defined as the attribute authority. The default_attributeAuthorityMapper value is used for standard attribute queries and the x509Subject_attributeAuthorityMapper value is used for attribute queries with an X509 subject. The X509 mapper maps an X509 subject to a user by searching the identity data store for a specified attribute. (The specified attribute is defined as the value of the x509SubjectDataStoreAttrName property in the identity provider extended metadata of the attribute authority.) If the user has the specified attribute and the attribute's value is the same as that of the X509 subject in the attribute query, that user is used. Only the SOAP binding is supported. Signing is required, so make sure the Signing Certificate Alias attribute is configured for both the provider acting as the attribute requester and the attribute authority.
- To send an attribute query from the requester, use the method of
public static Response sendAttributeQuery(
String attrProfile, String binding)
- To construct an
NOTE - In the metadata file of the identity provider acting as the SAMLv2 authority, add the following attribute to enable it to store assertions generated in the single sign-on, authentication query or attribute query process.
Requesting a Cached SAMLv2 Assertion
com.sun.identity.saml2.plugins.AssertionIDRequestMapper is the default implementation used to process the assertion request. To define a customized mapper, change the value of the assertionIDRequestMapper property in the extended metadata of the provider acting as the SAMLv2 attribute authority or authentication authority.
To send a request for an assertion from a provider, use either of the methods of
public static Response sendAssertionIDRequest(
public static Assertion sendAssertionIDRequestURI(
- To construct an assertion request object,
- Create and load the metadata for the service provider.
- Create the metadata for the identity provider using ssoadm and specifying the following additional options.
- -C Defines the meta Alias for the hosted authentication authority to be created. The format must be realm name/identifier.
- -D Defines the authentication authority signing certificate alias.
- -E Defines the authentication authority encryption certificate alias.
ssoadm create-metadata-templ -u amadmin -f /tmp/pw -m /home/user1/tmp/mm -x /home/usr1/tmp/xx -s /idp -a test -r test -C /authna -D test2 -E test2 -y example.com
- Add the following attribute to the identity provider metadata file just created. This allows the identity provider to store assertions generated during the SAMLv2 single sign-on process.
- Configure for SAMLv2 single sign-on.
- Do either of the following:
- To send an authentication query from the service provider
public static Response sendAuthnQuery( AuthnQuery authnQuery, String authnAuthorityEntityID, String realm, String binding) throws SAML2Exception;
- To construct an
- To send an authentication query from the service provider use the
Mapping SAMLv2 Name Identifiers
The service provider sends a NameIDMappingRequest message to the identity provider. After processing the request, the identity provider issues a NameIDMappingResponse message to the requester. Only the SOAP binding is supported. Signing is required, so make sure the Signing Certificate Alias attribute is configured for both the identity provider and the service provider. To send a NameIDMappingRequest message from the service provider, use the method of the
public static NameIDMappingResponse initiateNameIDMappingRequest( Object session,
Map paramsMap) throws SAML2Exception;
And now that we are finished sweeping the floor, how about some dancing on the floor? Here's a home-made video to Paul Nicholas' number 7 hit from 1977, Heaven on the 7th Floor.