Tuesday Mar 11, 2008

Setting Up a SAMLv2 IDP Proxy and Pulling Shapes

A SAMLv2 Identity Proxy acts as both an identity provider and a service provider. If an identity provider receives a request for authentication it cannot directly authenticate, it may issue its own authentication request to a second identity provider that can authenticate the principal. The identity provider that received the original authentication request is the identity provider proxy. The response from the second identity provider can be used to authenticate the principal and the identity provider proxy can issue an assertion of its own in response to the original authentication request.

Here is the procedure for setting up a SAMLv2 Identity Provider Proxy using OpenSSO.

  1. Install and deploy OpenSSO on three separate machines - preferably in different domains.
    Make sure each machine has a different cookie name when deployed.
  2. Create your own keystore using keytool.
    You can also use the keystore.jks file created during deployment of OpenSSO. It is located in the /opensso/opensso directory and contains a private key named test with an associated public certificate. The keystore password and the key password for that entry are both "secret". For information on creating your own keystore, see the keystore FAQ.
  3. Encrypt the keystore password for each host machine.
    The following procedure should be done on each host machine.

    1. Access encode.jsp by typing the following URL in a web browser.
      http://host:domain/opensso/encode.jsp
    2. Type your password in the Password to Encode field and click encode.
    3. Copy the resulting string into the keystore.jks, .keypass and .storepass files on the appropriate machine.
      These files should be in the /opensso/opensso/ directory.
  4. Type http://host:domain/opensso/famadm.jsp?cmd=create-metadata-template in a browser and use the famadm web interface to generate the service provider metadata.
    Use the following values:
    • entityid = YOUR_SP_HOST_URL
    • Enable : metadata, extended
    • serviceprovider : /sp
    • spscertalias : test
    • specertalias : test

    NOTE: It is recommended that you separate the standard and extended metadata into separate files.
  5. Type http://host:domain/opensso/famadm.jsp?cmd=create-metadata-template in a browser and use the famadm web interface to generate the identity provider metadata.
    Use the following values:
    • entityid = YOUR_IDP_HOST_URL
    • Enable : metadata, extended
    • serviceprovider : /idp
    • idpscertalias : test
    • idpecertalias : test

    NOTE: It is recommended that you separate the standard and extended metadata into separate files.
  6. Type http://host:domain/opensso/famadm.jsp?cmd=create-metadata-template in a browser and use the famadm web interface to generate the identity provider proxy metadata.
    Use the following values:
    • entityid = YOUR_PROXY_HOST_URL
    • Enable : metadata, extended
    • serviceprovider : /proxysp
    • identityprovider : /proxyidp
    • spscertalias : test
    • specertalias : test
    • idpscertalias : test
    • idpecertalias : test

    NOTE: It is recommended that you separate the standard and extended metadata into separate files.
  7. Type http://host:domain/opensso/famadm.jsp?cmd=create-circle-of-trust in a browser and use the famadm web interface to create circle of trust.
    Do this on each host machine, naming the circles as follows:
    • On the service provider host machine: spcot
    • On the identity provider host machine: idpcot
    • On the identity provider proxy host machine: proxycot
  8. Copy the appropriate standard and extended metadata onto each host machine.
  9. Type http://host:domain/opensso/famadm.jsp?cmd=import-entity in a browser and use the famadm web interface to import the metadata and create the entity.
    You will need to specify the name of the circle of trust into which you are importing the metadata.
  10. Using the same URL as in the previous step, do the following:

    1. Import the service provider metadata to the Identity Provider Proxy
    2. Import the identity provider metadata to the Identity Provider Proxy
    3. Import the service provider portion of the identity provider proxy metadata to the identity provider
    4. Import the identity provider portion of the identity provider proxy metadata to the service provider

    NOTE: When loading the metadata to the identity provider proxy, be sure to set host=0, which signifies the remote host.
  11. On the service provider machine, log in to the console and click the Federation tab.
    You should see SP and Proxy.
  12. Click on the service provider host, followed by the service provider tab, and enable:

    1. Authentication Requests Signed
    2. Assertions Signed
    3. Artifact Response
    4. Logout Request
    5. Logout Response
    6. Manage Name ID Request
    7. Manage Name ID Response
    8. Enable: IDPProxy
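The service provider settings enabled in step 12 (Authentication Requests Signed, Assertions Signed) and the signing/encryption certificate aliases chosen in steps 4 to 6 all end up in the standard SAMLv2 metadata as the AuthnRequestsSigned and WantAssertionsSigned attributes and KeyDescriptor elements of the SPSSODescriptor. The following is an added example, not code from the original post or from OpenSSO: a small audit that reads an SP metadata file and reports which of those settings are missing, plus a helper that sets the two signing flags the way the console toggles do. The sample metadata, the entity ID sp.example.test, the endpoint locations and the certificate text are all constructed placeholders.

```python
"""Audit SAMLv2 SP metadata for the signing-related settings a proxy setup needs."""
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of the kind of document create-metadata-template produces,
# before step 12 has been applied: both signing flags are false and there is no
# encryption KeyDescriptor. Entity ID, locations and certificate are placeholders.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sp.example.test/opensso">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/opensso/Consumer/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def _is_true(value):
    """XML Schema booleans may be written as 'true' or '1'."""
    return value is not None and value.strip().lower() in ("true", "1")


def audit_sp_metadata(xml_text):
    """Return a list of findings; an empty list means the SP descriptor is configured as step 12 requires."""
    root = ET.fromstring(xml_text)
    findings = []

    entity_id = root.get("entityID", "")
    if not entity_id.startswith("https://"):
        findings.append(f"entityID is not https: {entity_id}")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor element"]

    # The two flags the console labels "Authentication Requests Signed" and "Assertions Signed".
    if not _is_true(sp.get("AuthnRequestsSigned")):
        findings.append("AuthnRequestsSigned is not true")
    if not _is_true(sp.get("WantAssertionsSigned")):
        findings.append("WantAssertionsSigned is not true")

    # The spscertalias / specertalias choices surface as KeyDescriptor use="signing" / "encryption".
    uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        # Per the metadata schema, a KeyDescriptor with no 'use' serves both purposes.
        uses.update({use} if use else {"signing", "encryption"})
    for needed in ("signing", "encryption"):
        if needed not in uses:
            findings.append(f"no KeyDescriptor for use={needed}")

    # Endpoints that receive assertions or logout messages should be TLS-protected.
    endpoints = sp.findall("md:AssertionConsumerService", NS) + sp.findall("md:SingleLogoutService", NS)
    for ep in endpoints:
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(f"endpoint is not https: {loc}")

    return findings


def harden_sp_metadata(xml_text):
    """Return the metadata with both signing flags set to true, mirroring the step 12 toggles."""
    ET.register_namespace("", NS["md"])
    ET.register_namespace("ds", NS["ds"])
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element")
    sp.set("AuthnRequestsSigned", "true")
    sp.set("WantAssertionsSigned", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_sp_metadata(SAMPLE_SP_METADATA):
        print("before:", finding)
    for finding in audit_sp_metadata(harden_sp_metadata(SAMPLE_SP_METADATA)):
        print("after:", finding)
```

Run against a real exported metadata file by passing its contents to audit_sp_metadata; the remaining finding after hardening (no encryption KeyDescriptor) is the kind of gap that shows up when specertalias was left empty in step 4, and is worth fixing before the metadata is imported into the proxy's circle of trust.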
Now you can perform the SAMLv2 test cases for single sign-on and logout through a proxy - or take another kind of test. This video from The Pipettes is for a song called Pull Shapes. Questions follow.

  1. What is pull shapes?
    Anyone who has spent time in the UK might know this one.
  2. What film does this video ape?
    Anyone who relishes trash films (the good kind) might know this one.
About

docteger
