I was reading the latest scoop on The Whalpin Chronicles when I found a comment from someone requesting information on how to configure the ASP.NET Fedlet with multiple identity providers. Sure there's a README now but in a week or so this will be official. As Whalpin said, check out the nightly.
This procedure can be followed to enable the ASP.NET Fedlet to communicate with multiple identity providers. It assumes that you have already followed the instructions in Using the ASP.NET Fedlet with OpenSSO Enterprise 8.0 Update 1 to configure and test the ASP.NET Fedlet with an initial identity provider.
Get the standard metadata file for the new identity provider and name it idp2.xml. This metadata carries the identity provider's entity ID and signing certificate, and the Fedlet will accept assertions from whatever it describes, so obtain it directly from the identity provider rather than from an untrusted copy.
If using OpenSSO, create the identity provider using the Common Tasks workflow and export the identity provider's standard metadata by accessing the export metadata page at http://idp-machine.domain:8080/opensso/saml2/jsp/exportmetadata.jsp.
Copy idp2.xml to the directory created during initial configuration of the ASP.NET Fedlet.
During initial configuration, move the /SampleApp directory from the Fedlet-unconfigured.zip file to a directory outside of the decompressed archive. For this article, we will use /tmp/asp.net/SampleApp/App_Data/. See Using the ASP.NET Fedlet with OpenSSO Enterprise 8.0 Update 1 for more information.
Add the identity provider to the appropriate circle of trust by modifying the Fedlet's .COT file.
To add to an existing circle of trust, append the entity ID of the new identity provider (specified by the entityID attribute in the idp2.xml metadata) to the value of the sun-fm-trusted-providers attribute in the appropriate .COT file (for example, fedlet.cot) within the /tmp/asp.net/SampleApp/App_Data/ directory.
Use a comma (,) as the separator.
To add the identity provider to a new circle of trust instead, follow this procedure.
Create a new .COT file (for example, fedlet2.cot) using the existing fedlet.cot as a template.
Change the value of the cot-name attribute in the new .COT file to the name of the new circle of trust.
Add both the new identity provider entity ID and the Fedlet entity ID as the value for the sun-fm-trusted-providers attribute in the new .COT file. Use a comma (,) as the separator.
Put fedlet2.cot in the /tmp/asp.net/SampleApp/App_Data/ directory.
Add the new circle of trust name to the value of the cotlist attribute in the ASP.NET Fedlet/service provider extended metadata file, sp-extended.xml, which is in the /tmp/asp.net/SampleApp/App_Data/ directory. In the extended metadata, cotlist is an Attribute element that holds one Value element per circle of trust, so add a Value element for the new name next to the existing one rather than replacing it; the Fedlet must stay a member of every circle of trust it shares with an identity provider.
Create a new file (for example, idp2-extended.xml) to define the extended metadata for the new identity provider, using the existing idp-extended.xml as a template.
Change the value of the entityID attribute to the entityID of the new identity provider.
IF APPLICABLE, change the value of the cotlist attribute to the name of the new circle of trust.
IF APPLICABLE, change the setting of the hosted attribute in the EntityConfig element to false to define it as a remote identity provider.
Send the ASP.NET Fedlet/service provider standard metadata (for example, sp.xml) found in the /tmp/asp.net/SampleApp/App_Data/ folder to the second identity provider.
Import the ASP.NET Fedlet/service provider standard metadata to the appropriate circle of trust on the identity provider side.
If using OpenSSO, use Register Remote Service Provider under the Common Tasks tab.
Repeat these steps for any number of identity providers using the circle of trust and file-naming formats as discussed.
Using the Internet Information Services (IIS) Manager, restart the Application Pool associated with the ASP.NET application.
Each ASP.NET web application hosted on IIS is associated with an Application Pool that controls the application's runtime behavior (for example, session properties, memory allocation and garbage collection).
If you use the Sample Application, return to the default page for a list of identity providers from which to choose. See To Configure the Sample Application and Test the ASP.NET Fedlet.
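The steps above spread one piece of information, which identity providers the Fedlet trusts and through which circle of trust, across three kinds of files: the .cot files (cot-name and sun-fm-trusted-providers), the standard metadata (entityID) and the extended metadata (the hosted flag and the cotlist attribute). When a template is copied and one of the IF APPLICABLE edits is skipped, the new identity provider simply never works, and the Fedlet gives little hint as to why. The script below is an added example, not part of the original post or of the Fedlet itself: it parses an App_Data directory and reports every mismatch between those files. The host names, entity IDs and file contents are constructed for the example; the element and attribute names (EntityConfig, hosted, Attribute name="cotlist", Value) follow the OpenSSO extended metadata format, and the hosted flag is accepted as true/false or 1/0 since both spellings occur.

```python
"""Consistency check for an ASP.NET Fedlet App_Data directory with several identity providers.

Added example; the sample files below are constructed and not taken from any real deployment.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so the check works whatever prefix a file uses."""
    return tag.rsplit('}', 1)[-1]


def parse_cot(text):
    """Parse a .cot file (Java properties syntax). Returns (cot-name, [trusted entity IDs])."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            key, _, value = line.partition('=')
            props[key.strip()] = value.strip()
    providers = [p.strip() for p in props.get('sun-fm-trusted-providers', '').split(',') if p.strip()]
    return props['cot-name'], providers


def parse_extended(text):
    """Return (entityID, hosted?, [circle of trust names]) from an *-extended.xml file."""
    root = ET.fromstring(text)
    hosted = root.get('hosted', '').strip().lower() in ('1', 'true')
    cotlist = []
    for elem in root.iter():
        if _local(elem.tag) == 'Attribute' and elem.get('name') == 'cotlist':
            cotlist += [v.text.strip() for v in elem if _local(v.tag) == 'Value' and v.text]
    return root.get('entityID'), hosted, cotlist


def check_fedlet(files):
    """files maps file name -> contents of App_Data. Returns a list of problems ([] when consistent)."""
    cots, standard, extended = {}, {}, {}
    for name, text in files.items():
        if name.endswith('.cot'):
            cot_name, providers = parse_cot(text)
            cots[cot_name] = providers
        elif name.endswith('-extended.xml'):
            entity_id, hosted, cotlist = parse_extended(text)
            extended[entity_id] = (hosted, cotlist, name)
        elif name.endswith('.xml'):
            standard[ET.fromstring(text).get('entityID')] = name

    problems = []
    hosted_ids = [e for e, (h, _, _) in extended.items() if h]
    if len(hosted_ids) != 1:
        problems.append(f'expected exactly one hosted entity (the Fedlet), found {hosted_ids}')
    for entity_id in set(standard) ^ set(extended):
        problems.append(f'{entity_id}: standard and extended metadata do not pair up')
    for cot_name, providers in cots.items():
        for p in providers:
            if p not in standard:
                problems.append(f'{cot_name}: trusted provider {p} has no standard metadata')
        if not any(p in hosted_ids for p in providers):
            problems.append(f'{cot_name}: does not list the Fedlet itself')
    fedlet_cots = set(extended[hosted_ids[0]][1]) if len(hosted_ids) == 1 else set()
    for entity_id, (hosted, cotlist, name) in extended.items():
        for cot_name in cotlist:
            if cot_name not in cots:
                problems.append(f'{name}: cotlist names unknown circle of trust {cot_name}')
            elif entity_id not in cots[cot_name]:
                problems.append(f'{name}: {entity_id} is not in sun-fm-trusted-providers of {cot_name}')
        if not hosted and not fedlet_cots & set(cotlist):
            problems.append(f'{name}: {entity_id} shares no circle of trust with the Fedlet')
    return problems


# Constructed sample App_Data mirroring the layout the procedure produces (hypothetical hosts and IDs).
SP, IDP1, IDP2 = 'http://sp.example.com/fedlet', 'http://idp.example.com:8080/opensso', 'http://idp2.example.net/idp'


def standard_metadata(entity_id):
    return f'<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{entity_id}"/>'


def extended_metadata(entity_id, hosted, cot_names, role):
    values = ''.join(f'<Value>{c}</Value>' for c in cot_names)
    return (f'<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="{hosted}" entityID="{entity_id}">'
            f'<{role}><Attribute name="cotlist">{values}</Attribute></{role}></EntityConfig>')


APP_DATA = {
    'fedlet.cot': f'cot-name=fedletcot\nsun-fm-trusted-providers={IDP1},{SP}\n',
    'fedlet2.cot': f'cot-name=fedlet2cot\nsun-fm-trusted-providers={IDP2},{SP}\n',
    'sp.xml': standard_metadata(SP),
    'sp-extended.xml': extended_metadata(SP, 'true', ['fedletcot', 'fedlet2cot'], 'SPSSOConfig'),
    'idp.xml': standard_metadata(IDP1),
    'idp-extended.xml': extended_metadata(IDP1, 'false', ['fedletcot'], 'IDPSSOConfig'),
    'idp2.xml': standard_metadata(IDP2),
    'idp2-extended.xml': extended_metadata(IDP2, 'false', ['fedlet2cot'], 'IDPSSOConfig'),
}


def forgotten_cotlist_edit():
    """idp2-extended.xml copied from idp-extended.xml without the IF APPLICABLE cotlist change."""
    files = dict(APP_DATA)
    files['idp2-extended.xml'] = extended_metadata(IDP2, 'false', ['fedletcot'], 'IDPSSOConfig')
    return check_fedlet(files)


if __name__ == '__main__':
    print('consistent:', check_fedlet(APP_DATA))
    print('forgotten cotlist edit:', forgotten_cotlist_edit())
```

Run it against a real App_Data directory by reading the files into the dictionary instead of using APP_DATA; the checks are deliberately structural only (membership, pairing, exactly one hosted entity), so they finish before the Application Pool restart and before any assertion is exchanged with the new identity provider.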
Now relax with a glass of Summer Wine as made by Nancy Sinatra and Lee Hazlewood. Strawberries, cherries, and an...oh, you know the rest.
OpenSSO can be integrated with .NET applications. Here are some ways to achieve single sign-on or attribute sharing:
Install the IIS agent to protect the .NET application, and install OpenSSO as the service provider with the .NET application. The identity provider could then achieve single sign-on with the .NET application, and attributes can be passed down, as part of the HTTP header, to the .NET application.
Securely exchange attributes using the .NET client API provided by OpenSSO for integration with the .NET application. This makes use of the SAMLv2 and the Virtual Federation Proxy feature of OpenSSO.
Deploy Active Directory Federation Services as the service provider with the .NET application. OpenSSO would act as the identity provider. Use the WS-Federation protocol to achieve single sign-on with the .NET application.
While ruminating on these options, enjoy Cheap and Cheerful from The Kills' EXCELLENT third album Midnight Boom.