Tuesday Jun 17, 2008

Discovering the SAMLv2 IDP Discovery Service and the Discovery LP

All web services are defined by a Web Services Description Language (WSDL) file that describes the type of data the service contains, the available ways that data can be exchanged, the operations that can be performed using the data, a protocol that can be used to perform the operations, and a URL (or endpoint) for access to the service. Additionally, the WSDL file itself is assigned a Uniform Resource Identifier (URI) that is used to locate it. The file is then published and the URI is placed in a Universal Description, Discovery and Integration (UDDI) repository so it can be found by potential users. Thus, the web service can now be discovered. Discovery of a web service is the act of locating the WSDL file for it. Typically, there are one or more web services on a network, so a discovery service is required to keep track of the WSDL locations.

The SAML v2 IDP Discovery Service is an implementation of the Identity Provider Discovery Profile as described in the Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 specification. In deployments having more than one identity provider, service providers need to determine which identity provider(s) a principal uses with the Web Browser SSO profile. To allow for this, the SAML v2 IDP Discovery Service relies on a cookie written in a domain that is common to all identity providers and service providers in a circle of trust. This predetermined domain is known as the common domain, and the cookie containing the list of identity providers to choose from is known as the common domain cookie.

The Reader and Writer URLs, used by the SAML v2 IDP Discovery Service, are defined when configuring the circle of trust. When a user requests access from a service provider, and an entity identifier for an identity provider is not received in the request, the service provider redirects the request to the common domain's SAML v2 IDP Discovery Service Reader URL to retrieve the identity provider's entity identifier. If more than one identity provider entity identifier is returned, the last entity identifier in the list is the one to which the request is redirected. Once the request is received, the identity provider redirects to the Discovery Service Writer URL to set the common domain cookie using the value defined in the installation configuration properties file. Here is a procedure for setting up and testing the Identity Provider Discovery Service.
  1. Download opensso.zip file to a location on your server machine.
  2. Unzip opensso.zip into /opensso.
  3. Change to the deployable-war sub-directory.
  4. Follow the instructions in the README to build a specialized WAR for the identity provider discovery service.
    1. Create a new directory as the staging area for the identity provider discovery service WAR (for example, idpwar), and extract the contents of opensso.war into it.
      % mkdir idpwar
      % cd idpwar
      % jar xvf /opensso/deployable-war/opensso.war
    2. Create the identity provider discovery service WAR using the fam-idpdiscovery.list file.
      % cd idpwar
      % jar cvf /opensso/deployable-war/fam-idp.war @/opensso/deployable-war/fam-idpdiscovery.list
    3. Update fam-idp.war with the additional files in the idpdiscovery directory.
      % cd /opensso/deployable-war/idpdiscovery
      % jar uvf /opensso/deployable-war/fam-idp.war *
    Now the identity provider discovery service WAR is ready to be deployed.
  5. Deploy fam-idp.war to your web container.
  6. Access http://idp-discovery-server-machine:port/idpdiscovery.
    The Federated Access Manager Identity Provider Discovery Service configuration page should be displayed.
  7. Provide values for the identity provider Discovery Service attributes on the configuration page.
    • Debug directory
    • Debug Level
    • Cookie Type - by default, PERSISTENT SESSION
    • Cookie Domain
    • Secure Cookie
    • Encode Cookie
  8. On the service provider host machine, use the console to create a Circle of Trust with the identity provider discovery service URL used as the prefix for the value of the Reader and Writer URL attributes; for example, the value of the SAML2 Writer Service URL would be http://idp-discovery-server-machine:port/idpdiscovery/saml2writer and the value of the SAML2 Reader Service URL would be http://idp-discovery-server-machine:port/idpdiscovery/saml2reader.
  9. Now, on the identity provider host machine, use the console to create a Circle of Trust with the value of the prefix attribute also set to the identity provider discovery service URL, http://idp-discovery-server-machine:port/idpdiscovery.
  10. Generate metadata for both the identity provider and the service provider using the command line utility famadm and the create-metadata-templ option.
  11. Load the service provider metadata onto the identity provider machine.
  12. Change the value of host in the identity provider metadata from 0 or remote.
  13. Load the identity provider metadata onto the service provider machine.
    After this configuration, the values of the Writer URL and Reader URL in each circle of trust are the URL of the Identity Provider Discovery Service.
  14. Perform SAMLv2 test cases for service provider-initiated and identity provider-initiated single sign-on and single logout.
    Each time you perform these operations from the service provider side, the Discovery Service logs will show the redirection to the identity provider. Here is an example log:
    root@nude# cat libIDPDiscovery
    ******************************************************
    05/05/2008 01:41:18:782 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet Initializing...
    05/05/2008 01:41:18:786 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name is _saml_idp
    05/05/2008 01:41:18:787 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: URL Scheme is null, set to https.
    05/05/2008 01:41:18:789 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred IDP Cookie Not found
    05/05/2008 01:41:18:796 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie Type is PERSISTENT
    05/05/2008 01:41:18:797 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie value is YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:41:18:798 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name _saml_idp
    05/05/2008 01:41:18:806 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Redirect to http://amqa-x2100-08.red.iplanet.com:80/openfm/SSORedirect/metaAlias/idp?resInfoID=s2611f93262943905ab083390581b85f05c83d6001
    05/05/2008 01:46:26:786 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name is _saml_idp
    05/05/2008 01:46:26:789 AM PDT: Thread[service-j2ee-6,5,main]
    CookieUtils:cookieValue=YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=, result=YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:46:26:790 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie Type is PERSISTENT
    05/05/2008 01:46:26:791 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie value is YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:46:26:792 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name _saml_idp
    05/05/2008 01:46:26:793 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Redirect to http://amqa-x2100-08.red.iplanet.com:80/openfm/saml2/jsp/idpSSOInit.jsp?resInfoID=s2110f1c9017525509c5c7c4ae715c0ef6f45ea201
    05/05/2008 01:47:26:656 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name is _saml_idp
    05/05/2008 01:47:26:658 AM PDT: Thread[service-j2ee-6,5,main]
    CookieUtils:cookieValue=YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=, result=YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:47:26:659 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie Type is PERSISTENT
    05/05/2008 01:47:26:660 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie value is YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:47:26:661 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name _saml_idp
    05/05/2008 01:47:26:662 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Redirect to http://amqa-x2100-08.red.iplanet.com:80/openfm/saml2/jsp/idpSSOInit.jsp?resInfoID=s21501eb5b9656be54878baeb762f5242d1999ad01
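As an added example (not code from this post or from OpenSSO), here is a small Python reader and writer for the common domain cookie as the Identity Provider Discovery Profile describes it: a space-separated list of base64-encoded identity provider entity identifiers, most recently used last, so the last entry is the one the service provider redirects to. The sample value is the _saml_idp cookie value from the log above; the entity identifier idp.example.org is a constructed placeholder.

```python
import base64
from typing import List, Optional
from urllib.parse import unquote

# Cookie value copied from the libIDPDiscovery log excerpt above; it decodes
# to the host that CookieWriterServlet redirects to in the same log.
SAMPLE_COOKIE_VALUE = "YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20="


def read_common_domain_cookie(cookie_value: str) -> List[str]:
    """Parse the _saml_idp cookie into a list of IdP entity identifiers.

    The value may be URL-encoded (the "Encode Cookie" option), so it is
    unquoted first; %20 becomes the space that separates entries.  Entries
    that are not valid base64 / UTF-8 are skipped rather than trusted."""
    ids: List[str] = []
    for token in unquote(cookie_value).split():
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
    return ids


def preferred_idp(cookie_value: str) -> Optional[str]:
    """Reader URL behaviour: the last entry is the most recently used IdP."""
    ids = read_common_domain_cookie(cookie_value)
    return ids[-1] if ids else None


def write_common_domain_cookie(cookie_value: str, idp_entity_id: str) -> str:
    """Writer URL behaviour: record idp_entity_id as the most recent IdP.

    Any earlier occurrence of the same identifier is removed so the list
    stays unique, then the identifier is appended as the last entry."""
    ids = [i for i in read_common_domain_cookie(cookie_value) if i != idp_entity_id]
    ids.append(idp_entity_id)
    return " ".join(base64.b64encode(i.encode("utf-8")).decode("ascii") for i in ids)


if __name__ == "__main__":
    print(preferred_idp(SAMPLE_COOKIE_VALUE))
    print(write_common_domain_cookie(SAMPLE_COOKIE_VALUE, "idp.example.org"))
```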
    
And now that I've shined a little light on the Identity Provider Discovery Service, discover Electric Light Orchestra's song Shine a Little Love from their excellent 1979 long-player, Discovery.

About

docteger
