Wednesday Aug 27, 2008

Change the Fedlet's Preferred IDP with John Waite

In order to change the preferred identity provider configured for a Fedlet, you can either remove the identity provider discovery cookie from the browser, or choose another identity provider to perform a single sign-on interaction. Following the latter, the identity provider is then set as the preferred identity provider.

Now here's the original MTV video (with attempted suicide and all) for Change, the hit single from former Babys front man, John Waite.

Change was a WLIR Screamer of the Week before they realized Waite wasn't new wave.

I'm in huge writing mode for the upcoming release of OpenSSO so please forgive the relative dearth of posts. You're gonna love the books though!

Thursday Aug 07, 2008

Discovering and Setting (On Fire?) Preferred Identity Providers

Here is additional information on the Identity Provider Discovery Service. Discovering the SAMLv2 IDP Discovery Service and the Discovery LP has general information and the procedure for setting up and testing the Identity Provider Discovery Service. Here is the process to set a preferred identity provider.

NOTE: spSSOInit.jsp is used to initiate single sign-on from the service provider side. On receiving a request for access, spSSOInit.jsp verifies that the required parameters are defined. See the Sun Java System SAML v2 Plug-in for Federation Services User's Guide for more information.

  1. A user accesses spSSOInit.jsp to initiate single sign-on on the service provider side, and passes to it the value of the idpEntityID parameter.

    The value is the entity identifier of the identity provider to which the request should be sent.
  2. The service provider retrieves the identity provider's single sign-on service URL using the value of the idpEntityID and redirects the user to it.
  3. Assuming the user is not authenticated, the identity provider prompts the user for credentials.

    If the Identity Provider Discovery Service is configured, the user will be redirected to the Identity Provider Discovery Service Writer Service URL with the identity provider information. The Discovery Service Writer Service URL sets the common domain cookie.
  4. The Identity Provider Discovery Service Writer Service URL sets the cookie with the identity provider information and redirects the user back to the identity provider's single sign-on service URL.

    The preferred identity provider is now set.
  5. The identity provider's single sign-on service URL completes the single sign-on process.

Here is the process when discovering a preferred identity provider.

  1. A user accesses spSSOInit.jsp to initiate single sign-on on the service provider side and one of the following occurs:

    • If the value of idpEntityID is passed, the identity provider will be contacted directly. See the previous procedure.
    • If there is no value for idpEntityID but the Identity Provider Discovery Service is configured, the user will be directed to the Reader Service URL to retrieve the preferred identity provider's entity identifier. In this case, the RelayState parameter points back to spSSOInit.jsp.
  2. The Identity Provider Discovery Service Reader Service URL checks for an identity provider discovery cookie and, if set, extracts the preferred identity provider, returning the information as a query parameter in the relay state URL.
  3. spSSOInit.jsp checks for the preferred identity provider in the returned URL.

    • If the preferred identity provider is set, the request is sent to it for single sign-on.
    • If the preferred identity provider is not set, an error is displayed stating this.
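
As an added example (not code from the post or from OpenSSO), here is the cookie logic behind both procedures above and the Fedlet note at the top of the page: the Writer Service appends the identity provider that just performed single sign-on, the Reader Service hands the most recent one back through the relay-state URL, and spSSOInit.jsp either proceeds or reports that no preferred identity provider is set. It follows the SAMLv2 Identity Provider Discovery Profile's common domain cookie format (`_saml_idp`, space-separated base64 entity identifiers, most recent last), which the post does not spell out; the hostnames are made up.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Common domain cookie name (and return-URL parameter) from the SAMLv2 IdP Discovery Profile
COOKIE_NAME = "_saml_idp"


def _encode(entity_id):
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def _decode(token):
    return base64.b64decode(token).decode("utf-8")


def writer_set_cookie(current_value, idp_entity_id):
    """Writer Service URL (setting, step 4): record the IdP that just performed SSO.

    The cookie holds space-separated base64 entity identifiers, most recent last, so
    the IdP appended here becomes the preferred one. An IdP already present is moved
    to the end instead of duplicated; this is why signing on through a different IdP
    is enough to change a Fedlet's preferred IdP without clearing the cookie.
    """
    entries = (current_value or "").split()
    token = _encode(idp_entity_id)
    entries = [e for e in entries if e != token] + [token]
    return " ".join(entries)


def reader_preferred_idp(cookie_value):
    """Reader Service URL (discovering, step 2): last entry is preferred; None if no cookie."""
    entries = (cookie_value or "").split()
    return _decode(entries[-1]) if entries else None


def reader_redirect(relay_state, cookie_value):
    """Redirect back to the RelayState (spSSOInit.jsp), adding the preferred IdP as a
    query parameter only when the discovery cookie is set."""
    parts = urlsplit(relay_state)
    query = parse_qsl(parts.query, keep_blank_values=True)
    preferred = reader_preferred_idp(cookie_value)
    if preferred is not None:
        query.append((COOKIE_NAME, preferred))
    return urlunsplit(parts._replace(query=urlencode(query)))


def sp_sso_init(request_url):
    """spSSOInit.jsp (discovering, steps 1 and 3): an explicit idpEntityID wins; otherwise
    use what the Reader Service returned; otherwise report that no preferred IdP is set."""
    query = dict(parse_qsl(urlsplit(request_url).query))
    idp = query.get("idpEntityID") or query.get(COOKIE_NAME)
    return ("sso", idp) if idp else ("error", "no preferred identity provider is set")
```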

Whewww, that was hot! But not as hot as the 5000 Volts song (with an uncredited Tina Charles singing lead), I'm On Fire. Was there ever anything as remotely entertaining as disco? (Don't answer that if you are going to be mean.)

Tuesday Mar 11, 2008

Setting Up a SAMLv2 IDP Proxy and Pulling Shapes

A SAMLv2 Identity Proxy acts as both an identity provider and a service provider. If an identity provider receives a request for authentication it cannot directly authenticate, it may issue its own authentication request to a second identity provider that can authenticate the principal. The identity provider that received the original authentication request is the identity provider proxy. The response from the second identity provider can be used to authenticate the principal and the identity provider proxy can issue an assertion of its own in response to the original authentication request.

Here is the procedure for setting up a SAMLv2 Identity Provider Proxy using OpenSSO.

  1. Install and deploy OpenSSO on three separate machines - preferably in different domains.
    Make sure each machine has a different cookie name when deployed.
  2. Create your own keystore using keytool.
    You can also use the keystore.jks file created during deployment of OpenSSO. It is located in the /opensso/opensso directory and contains a private key named test and an associated public certificate. The keystore password and key password for the entry are secret. For information on creating your own keystore, see the keystore FAQ.
  3. Encrypt the keystore password for each host machine.
    The following procedure should be done on each host machine.

    1. Access encode.jsp by typing the following URL in a web browser.
      http://host:domain/opensso/encode.jsp
    2. Type your password in the Password to Encode field and click encode.
    3. Copy the resulting string into the keystore.jks, .keypass and .storepass files on the appropriate machine.
      These files should be in the /opensso/opensso/ directory.
  4. Type http://host:domain/opensso/famadm.jsp?cmd=create-metadata-template in a browser and use the famadm web interface to generate the service provider metadata.
    Use the following values:
    • entityid = YOUR_SP_HOST_URL
    • Enable : metadata, extended
    • serviceprovider : /sp
    • spscertalias : test
    • specertalias : test

    NOTE: It is recommended that you separate the standard and extended metadata into separate files.
  5. Type http://host:domain/opensso/famadm.jsp?cmd=create-metadata-template in a browser and use the famadm web interface to generate the identity provider metadata.
    Use the following values:
    • entityid = YOUR_IDP_HOST_URL
    • Enable : metadata, extended
    • serviceprovider : /idp
    • idpscertalias : test
    • idpecertalias : test

    NOTE: It is recommended that you separate the standard and extended metadata into separate files.
  6. Type http://host:domain/opensso/famadm.jsp?cmd=create-metadata-template in a browser and use the famadm web interface to generate the identity provider proxy metadata.
    Use the following values:
    • entityid = YOUR_PROXY_HOST_URL
    • Enable : metadata, extended
    • serviceprovider : /proxysp
    • identityprovider : /proxyidp
    • spscertalias : test
    • specertalias : test
    • idpscertalias : test
    • idpecertalias : test

    NOTE: It is recommended that you separate the standard and extended metadata into separate files.
  7. Type http://host:domain/opensso/famadm.jsp?cmd=create-circle-of-trust in a browser and use the famadm web interface to create circle of trust.
    Do this on each host machine, naming the circles as follows:
    • On the service provider host machine: spcot
    • On the identity provider host machine: idpcot
    • On the identity provider proxy host machine: proxycot
  8. Copy the appropriate standard and extended metadata onto each host machine.
  9. Type http://host:domain/opensso/famadm.jsp?cmd=import-entity in a browser and use the famadm web interface to import the metadata and create the entity.
    You will need to specify the name of the circle of trust into which you are importing the metadata.
  10. Using the same URL as in the previous step, do the following:

    1. Import the service provider metadata to the Identity Provider Proxy
    2. Import the identity provider metadata to the Identity Provider Proxy
    3. Import the service provider portion of the identity provider proxy metadata to the identity provider
    4. Import the identity provider portion of the identity provider proxy metadata to the service provider

    NOTE: When loading the metadata to the identity provider proxy be sure the host=0 - signifying the remote host.
  11. On the service provider machine, log in to the console and click the Federation tab.
    You should see SP and Proxy.
  12. Click on the service provider host, followed by the service provider tab and enable:

    1. Authentication Requests Signed:
    2. Assertions Signed:
    3. Artifact Response:
    4. Logout Request:
    5. Logout Response :
    6. Manage Name ID Request :
    7. Manage Name ID Response:
    8. Enable : IDPProxy
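
As an added example, not part of the post or of OpenSSO, here is a small Python check over the proxy's standard metadata (constructed inline; the assumption is that the famadm template in step 6 yields one EntityDescriptor carrying both roles): it confirms the proxy entity declares both an SPSSODescriptor and an IDPSSODescriptor, and that the SP role's AuthnRequestsSigned and WantAssertionsSigned attributes, the metadata counterparts of the Authentication Requests Signed and Assertions Signed settings in step 12, are present. The entity identifiers are made up.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample of the proxy's standard metadata: one entity, two roles, as the
# famadm template with serviceprovider=/proxysp and identityprovider=/proxyidp is
# assumed to produce (entity ID is made up).
PROXY_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://proxy.example.com/opensso">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""


def describe_entity(xml_text):
    """Summarise which SAMLv2 roles an EntityDescriptor declares and its SP signing flags."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    roles = set()
    if sp is not None:
        roles.add("sp")
    if idp is not None:
        roles.add("idp")
    return {
        "entity_id": root.get("entityID"),
        "roles": roles,
        # Metadata counterparts of the console's "Authentication Requests Signed" and
        # "Assertions Signed" settings on the service provider role (step 12).
        "authn_requests_signed": sp is not None and sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp is not None and sp.get("WantAssertionsSigned") == "true",
    }


def proxy_findings(xml_text):
    """List what would stop this entity from acting as the IdP proxy described above."""
    info = describe_entity(xml_text)
    problems = []
    if info["roles"] != {"sp", "idp"}:
        problems.append("proxy metadata must declare both SPSSODescriptor and IDPSSODescriptor")
    if not info["authn_requests_signed"]:
        problems.append("SPSSODescriptor lacks AuthnRequestsSigned=true (Authentication Requests Signed)")
    if not info["want_assertions_signed"]:
        problems.append("SPSSODescriptor lacks WantAssertionsSigned=true (Assertions Signed)")
    return problems
```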

Now you can perform the SAMLv2 test cases for single sign-on and logout through a proxy - or take another kind of test. This video from The Pipettes is for a song called Pull Shapes. Questions follow.

  1. What is pull shapes?
    Anyone who has spent time in the UK might know this one.
  2. What film does this video ape?
    Anyone who relishes trash films (the good kind) might know this one.

About

docteger
