Sunday Jun 22, 2008

Want to Set Up and Test a SAMLv2 Authentication Query? Ask.

A SAMLv2 Authentication Query asks an Authentication Authority for the authentication assertions it already holds about a given subject; it does not trigger a new authentication. This procedure explains how to set up and test an authentication query; I found it internally and recreated it externally for you.

This procedure assumes the entityID of the service provider is ear.red.sun.com and the entityID of the identity provider is eye.red.sun.com. It also assumes that you have downloaded and deployed the famadm command line interface. The steps that export and import metadata can also be done through the Federation and Common Tasks portions of the OpenSSO console.

  1. On the service provider machine, generate standard and extended metadata templates and load them as an entity provider using the OpenSSO console. For example,

    /famconfig/famadm/fam/bin/famadm create-metadata-templ -u amadmin -f /tmp/pw -m /tmp/spmd -x /tmp/spxmd -s /sp -a test -r test -y ear.red.sun.com
  2. Log in to the OpenSSO console on the identity provider machine and import the service provider metadata files generated in step 1.
  3. On the identity provider machine, generate standard and extended metadata templates, specifying the -C, -D, and -E options. For example,

    /famconfig/famadm/fam/bin/famadm create-metadata-templ -u amadmin -f /tmp/pw -m /tmp/idpmd -x /tmp/idpxmd -i /idp -b test -g test -C /authna -D test2 -E test2 -y eye.red.sun.com
  4. Modify the identity provider extended metadata as follows.

    • Set the value of the idpAuthncontextClassrefMapping attribute to:
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level1|1|module=DataStore1
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level3|3|module=DataStore3
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level5|5|module=DataStore5
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level7|7|module=DataStore7
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level9|9|module=DataStore9
    • Set the value of the assertionCacheEnabled attribute to true.
  5. Log in to the OpenSSO console on the service provider machine and import the identity provider metadata files generated in step 3.
  6. Log in to the OpenSSO console on the identity provider machine and add the following named authentication modules.

    DataStore1
    DataStore3
    DataStore5
    DataStore7
    DataStore9

    The type of each module should be set to Data Store and the authentication level set to 1, 3, 5, 7, and 9, respectively.
  7. Initiate single sign-on from the service provider using the following URL:
    http://ear.red.sun.com/fam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=eye.red.sun.com&reqBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Level1
    This will create an assertion with the value of AuthnContextClassRef set as urn:oasis:names:tc:SAML:2.0:ac:classes:Level1.

    ALTERNATIVES: You can single sign-on at a different authentication level by changing Level1 to Level3, Level5, Level7, or Level9. Signing on from a different browser starts a new session and therefore changes the value of sessionIndex. After a few such sign-ons the user has several assertions cached at the identity provider (the assertion cache was enabled in step 4), each with its own AuthnContextClassRef and sessionIndex.
  8. To test your configuration, copy authnQuery.jsp to the service provider deploy root and customize it by changing the following attributes (located between the // customization starts here and // customization ends here comments in the file).
    • sessionIndex
    • RequestedAuthnContext
    • Comparison
  9. Run the JSP by typing the following URL in a browser.
    http://ear.red.sun.com/fam/authnQuery.jsp?spMetaAlias=/sp&authnAuthorityEntityID=eye.red.sun.com
    The assertions returned depend on the customizations made in step 8: sessionIndex restricts the answer to assertions from one session, and RequestedAuthnContext together with Comparison restricts it to assertions whose authentication context satisfies the requested one.
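To see how the mapping from step 4 and the customizations from step 8 decide what comes back, here is a small model of the exchange in Python. This is an added example, not OpenSSO code and not authnQuery.jsp: the mapping text is the idpAuthncontextClassrefMapping value from step 4, while the subject name alice, the session indexes s1 and s2 and the cached assertions are constructed sample data. The selection logic follows the SAML 2.0 Core semantics for SessionIndex and Comparison (exact, minimum, maximum, better), ranking contexts by the authentication level in the mapping; how OpenSSO itself implements that ranking is an assumption here.

```python
"""Model of the SAMLv2 AuthnQuery exchange set up above (added example)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# idpAuthncontextClassrefMapping from step 4: classRef|authLevel|module=...[|default]
MAPPING = """
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default
urn:oasis:names:tc:SAML:2.0:ac:classes:Level1|1|module=DataStore1
urn:oasis:names:tc:SAML:2.0:ac:classes:Level3|3|module=DataStore3
urn:oasis:names:tc:SAML:2.0:ac:classes:Level5|5|module=DataStore5
urn:oasis:names:tc:SAML:2.0:ac:classes:Level7|7|module=DataStore7
urn:oasis:names:tc:SAML:2.0:ac:classes:Level9|9|module=DataStore9
"""

# Constructed stand-in for the IdP assertion cache after step 7: two SSO runs
# from one browser (sessionIndex s1) and one from a second browser (s2).
ASSERTION_CACHE = [
    {"subject": "alice", "sessionIndex": "s1", "classRef": AC + "Level1"},
    {"subject": "alice", "sessionIndex": "s1", "classRef": AC + "Level3"},
    {"subject": "alice", "sessionIndex": "s2", "classRef": AC + "Level5"},
]


def parse_mapping(text):
    """Return {classRef: (authLevel, module or None, is_default)}."""
    table = {}
    for line in text.strip().splitlines():
        fields = line.strip().split("|")
        class_ref, level = fields[0], int(fields[1])
        module = fields[2].split("=", 1)[1] if len(fields) > 2 and fields[2] else None
        table[class_ref] = (level, module, "default" in fields[3:])
    return table


def build_authn_query(issuer, name_id, session_index=None, class_refs=(), comparison="exact"):
    """Requester (SP) side: serialise a samlp:AuthnQuery about the subject."""
    query = ET.Element(f"{{{SAMLP}}}AuthnQuery", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    if session_index:
        query.set("SessionIndex", session_index)
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    if class_refs:
        rac = ET.SubElement(query, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
        for ref in class_refs:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(query, encoding="unicode")


def satisfies(assertion_ref, comparison, requested_refs, mapping):
    """Does an assertion's AuthnContextClassRef meet the RequestedAuthnContext?"""
    if comparison == "exact":
        return assertion_ref in requested_refs
    # The other comparisons rank contexts by the authLevel in the mapping; an
    # unmapped class ref cannot be ranked and therefore never matches.
    levels = [mapping[r][0] for r in requested_refs if r in mapping]
    if not levels or assertion_ref not in mapping:
        return False
    level = mapping[assertion_ref][0]
    if comparison == "minimum":
        return level >= min(levels)   # at least as strong as one requested
    if comparison == "maximum":
        return level <= max(levels)   # no stronger than one requested
    if comparison == "better":
        return level > max(levels)    # stronger than all requested
    raise ValueError(f"unknown Comparison value: {comparison}")


def answer_query(query_xml, cache, mapping):
    """Authentication Authority side: select cached assertions the query matches."""
    query = ET.fromstring(query_xml)
    name_id = query.findtext("saml:Subject/saml:NameID", namespaces=NS)
    session_index = query.get("SessionIndex")
    rac = query.find("samlp:RequestedAuthnContext", NS)
    requested = [e.text for e in rac.findall("saml:AuthnContextClassRef", NS)] if rac is not None else []
    matches = []
    for assertion in cache:
        if assertion["subject"] != name_id:
            continue  # only assertions about the queried subject
        if session_index and assertion["sessionIndex"] != session_index:
            continue  # SessionIndex narrows the answer to one session
        if rac is not None and not satisfies(
                assertion["classRef"], rac.get("Comparison", "exact"), requested, mapping):
            continue  # context does not satisfy RequestedAuthnContext/Comparison
        matches.append(assertion)
    return matches


if __name__ == "__main__":
    xml = build_authn_query("ear.red.sun.com", "alice", None, [AC + "Level3"], "minimum")
    for found in answer_query(xml, ASSERTION_CACHE, parse_mapping(MAPPING)):
        print(found["sessionIndex"], found["classRef"])
```

Running it with the minimum comparison against Level3 returns the Level3 and Level5 assertions but not Level1, which is the behaviour to expect from authnQuery.jsp after a few sign-ons at different levels; adding a SessionIndex to the query then narrows the answer to the assertions from one browser session.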
See, when you have a query, just ask - like the Smiths said.
