Friday Aug 15, 2008

Hot Off Two Presses: Dennis' ssoadmin CLI Info and Max's Song

Dennis, Sun engineer extraordinaire, has just uploaded the Federated Access Manager 8.0 OpenSSO Commandline Interface Usage and Samples document. We'll have to get him to change the name next time he regenerates it but, in the meantime, here is everything you'd want to know about the newly-christened ssoadm command line interface.

But Dennis isn't the only one who has uploaded something hot off the press. My Jack Russell Terrier, Max, uploaded a video made as an ode to his treat ball. He's not the best singer (although back in the day he was considered the Manilow of the dog park) but he's sincere. His lyrics are published here.

Max hopes this video meets Dennis' high standards.

Wednesday Aug 13, 2008

Supported Security Tokens and Mr. Rock & Roll

The OpenSSO Security Token Service was developed from the WS-Trust protocol, which defines extensions to the WS-Security specification for issuing and exchanging security tokens and for establishing and assessing the presence of trust relationships. The Security Token Service is hosted as a servlet endpoint and coordinates security-based interactions between a web service client (WSC) and a web service provider (WSP). The Security Token Service:

  • Issues, renews, cancels, and validates security tokens.
  • Allows customers to write their own plug-ins for different token implementations and for different token validations.
  • Provides a WS-Trust based API for client and application access.
  • Provides security tokens including Kerberos, Web Services-Interoperability Basic Service Profile (WS-I BSP), and Resource Access Control Facility (RACF).

Here is some information on supported security tokens in OpenSSO.

Security Token Service Supported Tokens

Tokens that can be authenticated:

  • UserName
  • X509
  • SAML 1.1
  • SAML 2.0
  • Kerberos

Tokens that can be issued:

  • UserName
  • X509
  • SAML 1.1
  • SAML 2.0

End user tokens that can be converted or validated out of the box:

  • OpenSSO SSOToken to SAML 1.1 or SAML 2.0 token
  • SAML 1.1 or SAML 2.0 token to OpenSSO SSOToken

Additionally, end user tokens can be converted or validated after customization. In this case, the new token is an On Behalf Of token (based on the WS-Trust OnBehalfOf element) carried in the WS-Trust request as part of the SOAP body, not an authentication token carried in the SOAP header. Custom tokens can also be created and sent On Behalf Of an end user token for conversion or validation by the Security Token Service. To do this, implement the com.sun.identity.wss.sts.ClientUserToken interface and register the implementing class name both in AMConfig.properties on the client side and in the global Security Token Service configuration using the OpenSSO console.
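The following is an added example, not OpenSSO code and not the ClientUserToken plug-in itself. It parses a constructed WS-Trust RequestSecurityToken, separates the authentication token in the wsse:Security header from the OnBehalfOf token in the SOAP body, and checks both against the support matrix above. The host names, password and assertion contents in the envelope are made up; the namespace and token-type URIs are the standard WS-Trust 1.3, WS-Security and SAML token profile ones. It also shows what a custom OnBehalfOf token looks like to that check, which is exactly the case the plug-in exists for.

```python
"""Classify the tokens in a WS-Trust RequestSecurityToken (RST) and check them
against the OpenSSO STS support matrix above. Added example, not OpenSSO code.
The SOAP envelope is constructed; the namespace and token-type URIs are the
standard WS-Trust 1.3, WS-Security 1.0/1.1 and SAML token profile ones."""
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
X509V3 = WSS + "2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
# wsse:BinarySecurityToken/@ValueType -> token name as used in the tables above
BST_VALUETYPES = {
    X509V3: "X509",
    WSS + "oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ": "Kerberos",
}
# wst:TokenType URI (what the WSC asks the STS to issue) -> token name
TOKENTYPES = {
    WSS + "oasis-wss-username-token-profile-1.0#UsernameToken": "UserName",
    X509V3: "X509",
    WSS + "oasis-wss-saml-token-profile-1.1#SAMLV1.1": "SAML 1.1",
    WSS + "oasis-wss-saml-token-profile-1.1#SAMLV2.0": "SAML 2.0",
}
# Support matrix from the post (out of the box; anything else needs a ClientUserToken plug-in)
CAN_AUTHENTICATE = {"UserName", "X509", "SAML 1.1", "SAML 2.0", "Kerberos"}
CAN_ISSUE = {"UserName", "X509", "SAML 1.1", "SAML 2.0"}
CAN_CONVERT_OBO = {"SAML 1.1", "SAML 2.0"}

TOKEN_TAGS = {"{%s}UsernameToken" % NS["wsse"], "{%s}BinarySecurityToken" % NS["wsse"],
              "{%s}Assertion" % NS["saml1"], "{%s}Assertion" % NS["saml2"]}


def token_name(elem):
    """Name a token element the way the tables above do; 'custom' if unrecognised."""
    if elem.tag == "{%s}UsernameToken" % NS["wsse"]:
        return "UserName"
    if elem.tag == "{%s}BinarySecurityToken" % NS["wsse"]:
        return BST_VALUETYPES.get(elem.get("ValueType"), "custom")
    if elem.tag == "{%s}Assertion" % NS["saml1"]:
        return "SAML 1.1"
    if elem.tag == "{%s}Assertion" % NS["saml2"]:
        return "SAML 2.0"
    return "custom"


def classify_rst(envelope_xml):
    """Separate the authentication token(s) in the wsse:Security header from the
    OnBehalfOf token in the body, and name the token type being requested."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    # wsu:Timestamp, ds:Signature and the like are not tokens, so filter by tag.
    header_tokens = [token_name(e) for e in security if e.tag in TOKEN_TAGS] if security is not None else []
    rst = root.find("soap:Body/wst:RequestSecurityToken", NS)
    if rst is None:
        raise ValueError("no wst:RequestSecurityToken in SOAP body")
    request_type = rst.findtext("wst:RequestType", default="", namespaces=NS).strip().rsplit("/", 1)[-1]
    token_type = rst.findtext("wst:TokenType", default="", namespaces=NS).strip()
    obo = rst.find("wst:OnBehalfOf", NS)
    return {
        "request_type": request_type,
        "header_tokens": header_tokens,
        "on_behalf_of": token_name(obo[0]) if obo is not None and len(obo) else None,
        "requested": TOKENTYPES.get(token_type, "custom") if token_type else None,
    }


def check_supported(info):
    """Reasons the RST would not be served out of the box (empty list means OK)."""
    problems = []
    if not info["header_tokens"]:
        problems.append("no authentication token in the wsse:Security header")
    problems += ["cannot authenticate header token %s" % t
                 for t in info["header_tokens"] if t not in CAN_AUTHENTICATE]
    if info["request_type"] == "Issue" and info["requested"] not in CAN_ISSUE:
        problems.append("cannot issue requested token type %s" % info["requested"])
    obo = info["on_behalf_of"]
    if obo is not None and obo not in CAN_CONVERT_OBO:
        problems.append("OnBehalfOf token %s needs a ClientUserToken plug-in" % obo)
    return problems


def with_custom_obo(envelope_xml):
    """Same RST with the OnBehalfOf SAML assertion replaced by an application token."""
    root = ET.fromstring(envelope_xml)
    obo = root.find("soap:Body/wst:RequestSecurityToken/wst:OnBehalfOf", NS)
    for child in list(obo):
        obo.remove(child)
    ET.SubElement(obo, "{urn:example:app}SessionToken").text = "opaque-session-handle"
    return ET.tostring(root, encoding="unicode")


# Constructed RST: a WSC authenticates with a UsernameToken and asks for a SAML 1.1
# token on behalf of an end user whose SAML 2.0 assertion it already holds.
SAMPLE_RST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <soap:Header><wsse:Security>
  <wsse:UsernameToken><wsse:Username>wsc-client</wsse:Username>
   <wsse:Password>example-password</wsse:Password></wsse:UsernameToken>
 </wsse:Security></soap:Header>
 <soap:Body><wst:RequestSecurityToken>
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
  <wst:OnBehalfOf><saml2:Assertion ID="_obo1" Version="2.0" IssueInstant="2008-08-13T00:00:00Z">
   <saml2:Issuer>https://idp.example.com</saml2:Issuer></saml2:Assertion></wst:OnBehalfOf>
 </wst:RequestSecurityToken></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    info = classify_rst(SAMPLE_RST)
    print(info, check_supported(info))
    print(check_supported(classify_rst(with_custom_obo(SAMPLE_RST))))
```

The point the classifier makes explicit is the one in the paragraph above: the header token is what the STS authenticates the WSC with, the OnBehalfOf token is what it converts, and the two are judged against different lists. Anything that lands in the custom bucket is what your ClientUserToken implementation has to teach the STS to parse and validate.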

Web Services Security Framework Supported Tokens

Tokens that can be authenticated:

  • UserName
  • X509
  • SAML 1.1
  • SAML 2.0
  • Kerberos

Tokens that can be issued:

  • UserName (generated via STS or locally at WSC)
  • X509 (generated via the Security Token Service or locally at the WSC)
  • SAML 1.1 (generated via the Security Token Service or locally at the WSC)
  • SAML 2.0 (generated via the Security Token Service or locally at the WSC)
  • Kerberos (generated locally at the WSC)

After learning something new, now enjoy some music from Amy MacDonald. This is Mr. Rock & Roll.

What's Going On with WSIT?

The Web Services Security feature of OpenSSO implements the Web Services Interoperability Technology (WSIT). WSIT is an open source implementation of the web services specifications (commonly referred to as WS-*). The project was started by Sun Microsystems and consists of Java APIs that allow developers to create web service clients and services on the Java platform that interoperate with clients and servers built on other WS-* implementations. WSIT provides implementations of the following specifications for interoperability with .NET 3.0.

  • WS-Metadata Exchange
  • WS-Transfer
  • WS-Reliable Messaging
  • WS-Reliable Messaging Policy
  • WS-Atomic Transaction
  • WS-Coordination
  • WS-Security 1.0 and 1.1
  • WS-Security Policy
  • WS-Trust
  • WS-Secure Conversation
  • WS-Policy
  • WS-Policy Attachment

While looking for information on WSIT, I found this great PDF file on developers.sun.com called the WSIT Tutorial. If you need to know what's going on with WSIT, this is the paper to read.

And if you just want to hear What's Going On by Marvin Gaye, this is the clip to click.

Tuesday Aug 12, 2008

SOA's Readers' Choice Awards and Sia's Buttons

You can now vote online for the SOA World Magazine 2008 Readers' Choice Awards which recognizes, and I quote, excellence in the software, solutions, or services provided by the industry's top vendors. Readers can cast their votes until November 8, 2008.

That was SOA. Now here is Sia performing her song Buttons live on Jimmy Kimmel.

Click here for the official music video which is just as...um...interesting...as the live performance.

Monday Aug 11, 2008

Turning Old Command Line Interfaces into New OpenSSO Command Line Interface

A number of command line interfaces originally developed for the products that have been integrated into OpenSSO have been EOL'ed. So here is some information on the new commands and options that can be used instead.

amadmin

Although the legacy command line interface amadmin is still bundled with OpenSSO, certain Liberty Alliance Project Identity Federation Framework (Liberty ID-FF) related options are no longer supported because of a change in the metadata format. Use the following ssoadm commands to import and export metadata. Be sure to append --spec idff to the command.

amadmin Option    ssoadm Command
-g|--import       import-entity
-o|--export       export-entity

saml2meta

The command line interface saml2meta (originally developed for the Sun Java System SAMLv2 Plug-in for Federation Services) is not supported in OpenSSO. Use the corresponding ssoadm commands instead. Note that some of the new commands must have --spec saml2 appended.

saml2meta Option    ssoadm Command
import              import-entity with --spec saml2 option
export              export-entity with --spec saml2 option
template            create-metadata-templ with --spec saml2 option
delete              delete-entity with --spec saml2 option
list                list-entities with --spec saml2 option
cotcreate           create-cot
cotdelete           delete-cot
cotadd              add-cot-member
cotremove           remove-cot-member
cotmember           list-cot-members
cotlist             list-cots

saml2bulkfed

The command line interface saml2bulkfed (originally developed for the Sun Java System SAMLv2 Plug-in for Federation Services) is not supported in OpenSSO. Use the following ssoadm commands for SAMLv2 bulk federation. Be sure to append --spec saml2 to the command.
  • do-bulk-federation performs bulk federation.
  • import-bulk-fed-data imports the bulk federation data generated by the do-bulk-federation command.

ambulkfed

The command line interface ambulkfed (originally developed for Access Manager to bulk federate using the Liberty ID-FF protocol) is not supported in OpenSSO either. The ssoadm commands that take the place of the SAMLv2 bulk federation CLI (above) can also be used for Liberty ID-FF bulk federation by appending --spec idff to the command rather than --spec saml2.

And now some new music (on this side of the pond anyway) from Alison Moyet. The Turn was just released in North America and features the single, A Guy Like You.

Friday Aug 08, 2008

HELP! Review OpenSSO During Early Access

Sun is now soliciting feedback regarding the Early Access download (Express Build 5) of the OpenSSO software. Here's the official marketing shpiel:

The OpenSSO Project is soliciting feedback on their Early Access Build -- OpenSSO Express Build 5. With the release of this build, community members now have the opportunity to participate in the Early Access (EA) program for Sun's next commercial offering. Review the Early Access documentation and hammer away at Express Build 5! Send your EA feedback to opensso.eafeedback@dev.java.net so we can make the product perfect. Thanks in advance!

Now here's my shpiel - or should I say the Beatles shpiel in my stead:

But who would embed the Beatles HELP without also embedding the Bananarama version featuring Lananeeneenoonoo (or Dawn French, Jennifer Saunders and Kathy Burke).

And they did it all for others.

Just like all of us. Thanks.

Sunday Aug 03, 2008

What Are You Doing The RESTful of Your Life?

I was looking for information on REST and found this great article on developers.sun.com. Check it out if you need to get REST.

And here is Miss Peggy Lee singing What Are You Doing the Rest of Your Life?

Thursday Jul 31, 2008

Create an OpenSSO Custom Authentication Module

In case you haven't seen it yet, wikis.sun.com has an entry here that contains the procedure for creating a custom authentication module for OpenSSO - ok, Access Manager but you know the history. Note that there is an error pointed out at the bottom of the entry itself so take a look at that first.

And when you are done authenticating, you can be sure that the identity is, indeed, the son of a preacher man. Ahhhh, Dusty.

08/09/08 UPDATE: Oy gevalt to that segue.

Monday Jul 28, 2008

Question Me An Answer About Federation

Following are a bunch of high-level answers to some questions regarding federation configuration.

  1. How can a service provider request one or more individual attributes (or a class of attributes) from an identity provider for a specified principal in a single request?

    • The identity provider can be configured to send any of a principal's attributes during the single sign-on process by defining simple attribute mappings for both the identity provider and service provider using the console.
    • Using SAMLv1 or SAMLv2, an explicit Attribute Query can be sent to an Attribute Authority.
    • Configure the Liberty Personal Profile Service.

    These options can also be used if an identity provider wants to send one or more attributes in a single response to the requesting entity.

  2. How can a service provider indicate that it is federated to an identity provider as a member of an affiliation rather than a circle of trust?

    An affiliation (referenced by an affiliationID) is a grouping of entity providers maintained by an affiliation owner who chooses the members without regard to the boundaries of any circles of trust which might also include the providers as members. Affiliation data is part of the provider metadata, and the service provider request itself denotes whether it is being made as part of an affiliation or not.

  3. How might a service provider or identity provider request a list of members in an affiliation?

    Affiliation-based federation is driven by a boolean flag at the service provider and uses the affiliationID defined for the remote provider (since a local provider can participate in more than one affiliation). The affiliationID can be used to request the list of members.

  4. How might a service provider indicate in an authentication request that it is acting as a member of an affiliation?

    If the affiliation flag is enabled at the service provider, the authentication request is sent with the affiliation flag set to true, using the affiliationID defined for the remote provider.

  5. How might a service provider indicate in an attribute request that it is acting as a member of an affiliation?

    For explicit attribute requests, I am not sure if there is a flag to indicate whether it is acting as an affiliation; however, if it is during the authentication process, the affiliation can be used.

  6. How might an identity provider verify the affiliation membership indicated in an attribute request?

    For explicit attribute requests, I am not sure if there is a flag to indicate whether it is acting as an affiliation; however, if it is during the authentication process, the affiliation can be used.

  7. How might a service provider make anonymous attribute requests and receive anonymous attribute responses? In other words, how can attributes be shared without disclosing the identity of the principal to the requestor or service provider?

    In requests using SAML or the Liberty Personal Profile Service, the identity of a principal is never disclosed; the interactions are made using an encrypted user ID. You could also use an anonymous user.

  8. How might a service provider associate intended usage with the corresponding requested attributes in an attribute request to an identity provider?

    Usage directives are part of ID-WSF 2.0 (see the next answer).

  9. Is there a guideline for attribute providers (in the usage negotiation scenario) to always reply to a service provider's attribute request with usage directives that, for privacy purposes, are equal to or stricter than those originally stated in the service provider's attribute request?

    The usage directives are part of ID-WSF 2.0, which we plan to implement in FAM 8.next releases.

Now Question Me An Answer from the movie musical, Lost Horizon.

Wednesday Jul 23, 2008

Here Comes the Express...OpenSSO and B.T.

Today is the day that Sun announces the OpenSSO Express build, and support and indemnification for OpenSSO. Here are some links with a bunch more information. In honor of this occasion, here comes the B.T. Express with, what else, Express.

Monday Jul 21, 2008

Watching MQ Traffic with OpenSSO Express

If you are using the new OpenSSO Express build 4.5 and want to watch as session updates, additions, or deletions are recorded to amsessiondb.log when session failover is enabled, set the AMSESSIONDB_ARGS attribute to "-v" in the amsfo.conf file. Then you can grep for MQ traffic with the following (the tail runs in the background so the greps can be repeated while the log keeps growing):

   tail -f amsessiondb.log > a &
   grep WRITE a | wc; grep DELETE a | wc; wc a

Here is an example of what the log file that records writes looks like:

Starting...  true
   /usr/jdk/instances/jdk1.5.0/jre/bin/java -Xms128m -Xmx512m -classpath /opt/opensso/instance1/sfo/jmq/mq/lib/imq.jar:/opt/opensso/instance1/sfo/jmq/mq/lib/jms.jar:/opt/opensso/instance1/sfo/ext/je.jar:/opt/opensso/instance1/sfo/locale:/opt/opensso/instance1/sfo/lib/am_sessiondb.jar:. com.sun.identity.ha.jmqdb.client.FAMHaDB
   Initailizing and connecting to the Message Queue server ...
   Checking for peer BDB daemon processes. Please wait ...
   Successfully started.
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=READ
   service=session
   READ message received.
   >>>>>>>>>>>>>> Read by Primary Key : -1098220087
   >>>>>>>>>>>>>> Found record !
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1098220087
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1098220087
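If you want more than raw counts, the following added example (not part of OpenSSO or of the original post) parses the verbose log format shown above and summarises operations per type and per session primary key. The embedded log is the excerpt from this post, so it runs offline; the follow() helper is the tail -f equivalent for pointing the same counters at a live amsessiondb.log.

```python
"""Summarise the verbose amsessiondb.log (AMSESSIONDB_ARGS set to "-v") by
operation type and by session primary key, one step beyond grep | wc.
Added example, not part of OpenSSO; SAMPLE_LOG is the excerpt shown in this post."""
import re
import time
from collections import Counter

OP_RE = re.compile(r"^\s*OP=(\w+)\s*$")
KEY_RE = re.compile(r"Primary Key\s*:\s*(-?\d+)")

SAMPLE_LOG = """Starting...  true
   Successfully started.
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=READ
   service=session
   READ message received.
   >>>>>>>>>>>>>> Read by Primary Key : -1098220087
   >>>>>>>>>>>>>> Found record !
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1098220087
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1098220087
"""


def parse_ops(lines):
    """Yield (op, primary_key) per operation record; the key line follows its OP= line."""
    op = None
    for line in lines:
        m = OP_RE.match(line)
        if m:
            op = m.group(1)
            continue
        m = KEY_RE.search(line)
        if m and op:
            yield op, m.group(1)
            op = None  # one key line per operation record


def count_ops(lines):
    """Operations by type, e.g. Counter({'WRITE': 6, 'READ': 1})."""
    return Counter(op for op, _ in parse_ops(lines))


def ops_per_key(lines):
    """Operations by (primary_key, op)."""
    return Counter((key, op) for op, key in parse_ops(lines))


def top_writers(lines, n=5):
    """Keys with the most WRITEs: a session updated on every request shows up here."""
    return Counter(key for op, key in parse_ops(lines) if op == "WRITE").most_common(n)


def follow(path, interval=1.0):
    """Yield lines as they are appended to path (like tail -f) for a live log."""
    with open(path) as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(interval)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_ops(lines))
    print(ops_per_key(lines))
    print(top_writers(lines))
```

Per-key counts are what make the log useful for tuning: four writes of the same key in a row, as in the excerpt, is the session being re-persisted on every update, which is the load that session failover adds to the message queue.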

Now go eat some cannibals with Toto Coelo. Mmm, mmm, good.

Friday Jul 18, 2008

Touching Legacy Mode in OpenSSO

Legacy mode in previous versions of the code that was open-sourced as OpenSSO is based on the Sun Java System Access Manager 6.3 architecture. There is no longer a legacy mode installation option in OpenSSO; legacy mode is supported through upgrade only. If you have Sun Java System Access Manager 7.0 or 7.1 installed in legacy mode, you can upgrade to OpenSSO and keep it in legacy mode. Also, if you have Sun Directory Server with the Access Manager schema installed, you can use the legacy mode features with the AMSDK data repository plug-in. There is no timeline set for removing legacy mode, but it is strongly recommended not to use this option.

So don't touch legacy mode anymore - instead take a listen to Kim Wilde's 1984 UK hit, The Touch. Loved this song (and album) back then and I also love the pretty girls at the beginning of the video which never made it to this side of the pond until now.

Thursday Jul 17, 2008

Enabling PUT and DELETE Actions in OpenSSO Policy Definitions for Web URLs

Policy rules in OpenSSO allow control over GET and POST actions but, by default, do not list PUT and DELETE. Following are two procedures for adding the latter actions.

When Deploying a New Instance of OpenSSO
  1. Explode opensso.war.
  2. cd WEB-INF/classes
  3. Create AttributeSchema elements for PUT and DELETE in amWebAgent.xml using the already existing AttributeSchema for GET and POST as the prototype.
  4. Add i18n keys and values to amWebAgent.properties for the elements created in the previous step.
  5. Regenerate the WAR.
  6. Deploy the WAR.

When Modifying an Existing Instance of OpenSSO
  1. Explode opensso.war.
  2. cd WEB-INF/classes
  3. Create AttributeSchema elements for PUT and DELETE in amWebAgent.xml using the already existing AttributeSchema for GET and POST as the prototype.
  4. Copy amWebAgent.xml outside the exploded WAR directory.
  5. Add i18n keys and values to amWebAgent.properties for the elements created in the previous step.
  6. Regenerate the WAR.
  7. Redeploy the WAR.
  8. Set up the famadm command line interface.

    • Download and unzip opensso.zip.
    • Change to the opensso/tools directory and unzip famAdminTools.zip.
    • Follow the instructions in README.setup.

  9. Run the following command:

    famadm delete-svc -s iplanetamwebagentservice
  10. Run the following command:

    famadm create-svc --xmlfile /path/amWebAgent.xml
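Steps 3 and 4 of both procedures (cloning the GET schema for PUT and DELETE, then adding the i18n keys) can be scripted so the edit is repeatable across builds. The following is an added example, not part of OpenSSO. MINIMAL_SCHEMA is a constructed stand-in for amWebAgent.xml whose attribute names and i18n keys are assumed; the only thing the script relies on is an AttributeSchema element named GET to use as the prototype, exactly as the procedure says. The i18n key naming (put, delete) is a choice made here; follow whatever convention the real properties file uses.

```python
"""Add PUT and DELETE action schemas to amWebAgent.xml using the existing GET
AttributeSchema as the prototype, and add the matching i18n keys to
amWebAgent.properties. Added example, not OpenSSO code. MINIMAL_SCHEMA is a
constructed stand-in; its attribute values are assumptions."""
import copy
import xml.etree.ElementTree as ET

MINIMAL_SCHEMA = """<ServicesConfiguration>
 <Service name="iPlanetAMWebAgentService" version="1.0">
  <Schema i18nFileName="amWebAgent" i18nKey="iplanet-am-web-agent-service-description">
   <Policy>
    <AttributeSchema name="GET" type="single_choice" syntax="string" i18nKey="get">
     <ChoiceValues><ChoiceValue i18nKey="allow">allow</ChoiceValue>
      <ChoiceValue i18nKey="deny">deny</ChoiceValue></ChoiceValues>
     <DefaultValues><Value>allow</Value></DefaultValues>
    </AttributeSchema>
    <AttributeSchema name="POST" type="single_choice" syntax="string" i18nKey="post">
     <ChoiceValues><ChoiceValue i18nKey="allow">allow</ChoiceValue>
      <ChoiceValue i18nKey="deny">deny</ChoiceValue></ChoiceValues>
     <DefaultValues><Value>allow</Value></DefaultValues>
    </AttributeSchema>
   </Policy>
  </Schema>
 </Service>
</ServicesConfiguration>"""

NEW_ACTIONS = ("PUT", "DELETE")


def find_prototype(root, name):
    """Return (parent, element) for the AttributeSchema called name, wherever it sits."""
    for parent in root.iter():
        for child in parent:
            if child.tag == "AttributeSchema" and child.get("name") == name:
                return parent, child
    raise ValueError("no AttributeSchema named %s" % name)


def add_actions(schema_xml, actions=NEW_ACTIONS, prototype="GET"):
    """Clone the prototype action schema for each missing action (step 3).
    Returns (new_xml, list_of_actions_added); re-running it adds nothing."""
    root = ET.fromstring(schema_xml)
    parent, proto = find_prototype(root, prototype)
    existing = {a.get("name") for a in parent.findall("AttributeSchema")}
    added = []
    for action in actions:
        if action in existing:
            continue  # idempotent: never duplicate an action already in the schema
        new = copy.deepcopy(proto)  # keeps ChoiceValues allow/deny and the default
        new.set("name", action)
        new.set("i18nKey", action.lower())  # must match the key added to the properties file
        parent.append(new)
        added.append(action)
    return ET.tostring(root, encoding="unicode"), added


def add_i18n_keys(properties_text, actions=NEW_ACTIONS):
    """Append i18n keys for the new actions to amWebAgent.properties (step 4),
    skipping keys that are already present."""
    present = set()
    for line in properties_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            present.add(line.split("=", 1)[0].strip())
    lines = [properties_text.rstrip("\n")]
    for action in actions:
        key = action.lower()
        if key not in present:
            lines.append("%s=%s" % (key, action))
    return "\n".join(lines) + "\n"


def action_names(schema_xml):
    """Names of all AttributeSchema elements, in document order."""
    return [a.get("name") for a in ET.fromstring(schema_xml).iter("AttributeSchema")]


if __name__ == "__main__":
    xml_out, added = add_actions(MINIMAL_SCHEMA)
    print("added", added, "->", action_names(xml_out))
    print(add_i18n_keys("get=GET\npost=POST\n"))
```

Write the returned XML to the copy of amWebAgent.xml you keep outside the exploded WAR (step 4 of the second procedure); that copy is what famadm create-svc --xmlfile loads in step 10, so the schema in the running instance and the one baked into the WAR stay identical.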
And now enjoy Eddie Money and Ronnie Spector singing Take Me Home Tonight.

Wednesday Jul 16, 2008

Using Sub-Realms in OpenSSO Again & Again

In general, you should use the default root realm (opensso) to configure identity data stores, and manage policies and authentication chains. After deployment, OpenSSO creates a Realm Administrator who can perform all operations in the configured root realm, and a Policy Administrator who can only create and manage policies. The use of sub-realms in OpenSSO should be restricted to the following two scenarios.

  1. Application Policy Delegation

    The use case for this is when you need to have different Policy Administrators create policies for a sub-set of resources. For example, let's assume a sub-realm is created and named Paycheck. This sub-realm is configured with a policy referral from the root realm for configuring protection of resources starting with https://paycheck.sun.com/paycheck. Within the Paycheck sub-realm, a Paycheck Administrator role or group is created and assigned Policy Administration privileges. These administrators are now able to log in to the sub-realm and create policies for their applications. By default, the sub-realm inherits the same configuration data store and authentication chains configured for its parent; if these configurations change in the parent, a corresponding change would be needed in the sub-realm. Additionally, all users will still log in to the root realm for access to all the applications. The sub-realm is primarily for the Policy Administrator to manage policies for the application. An educated guess on the number of sub-realms that can be supported would be about 100.

  2. ISP/ASP/Silo

    The use case for this scenario is when each sub-realm is to have its own set of identity data stores, authentication chains, and policies. Ideally the only common thread between the root and the sub-realm would be the referral policy created in the root realm to delegate a set of resources to the sub-realm. Users would not be able to log in to the root realm (unless they are a member) but would have to authenticate to their sub-realm. Also, agents would have to be configured to redirect user authentication to the particular sub-realm. With regard to performance, the most resource-consuming component would be the persistent searches that each sub-realm's data stores open against the same directory. An educated guess on the number of sub-realms that can be supported would be about 50.
So now you know how to use sub-realms again & again as confirmed by The Bird and the Bee in their song titled (what else) Again & Again.

Friday Jul 11, 2008

Absolutely Fabulous OpenSSO Notification Properties

Currently, OpenSSO uses the following absolutely fabulous properties to define notification URLs.
  • com.sun.identity.client.notification.url defines the URL on the client side that will receive notifications from the Policy Service, the Session Service, and the User Management features of OpenSSO. The value is the URL of the agent; for example, http://my.test.domain.com:6948/agentapp. The com.sun.identity.agents.notification.enabled property must also be set to true.
  • com.sun.identity.agents.notification.enabled is a server-side property that allows you to enable (true) or disable (false) notifications to the agent caches.
  • com.sun.identity.idm.remote.notification.enabled allows you to enable (true) or disable (false) notifications to the am.sdk and IdRepo caches.
  • com.sun.identity.sm.notification.enabled allows you to enable (true) or disable (false) notifications to the service management caches.

NOTE: If com.sun.identity.idm.remote.notification.enabled and com.sun.identity.sm.notification.enabled are not set in the client-side AMConfig.properties, their value defaults to true. If they are set to true but no URL is specified as the value of com.iplanet.am.notification.url, notifications will not be received. Finally, if the notification URL is defined but one of these properties is set to false, the cache update for that cache defaults to polling.
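To see what the NOTE means for a particular client configuration, here is an added example (not OpenSSO code) that reads a client-side AMConfig.properties and reports, per cache, whether updates will arrive by notification, by polling, or not at all. The property file excerpts, including the client notification URL, are constructed for the example.

```python
"""Apply the rules in the NOTE above to a client-side AMConfig.properties and
report, per cache, whether updates arrive by notification, by polling, or not
at all. Added example, not OpenSSO code; the property excerpts are constructed."""

NOTIFICATION_URL = "com.iplanet.am.notification.url"
CACHE_FLAGS = {
    "am.sdk/IdRepo caches": "com.sun.identity.idm.remote.notification.enabled",
    "service management caches": "com.sun.identity.sm.notification.enabled",
}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def cache_update_modes(props):
    """Per cache: 'notification', 'polling' (flag explicitly false) or 'none'
    (flag true, or unset and therefore defaulting to true, but no URL to deliver to)."""
    url = props.get(NOTIFICATION_URL, "")
    modes = {}
    for cache, flag in CACHE_FLAGS.items():
        enabled = props.get(flag, "true").lower() == "true"  # unset defaults to true
        if not enabled:
            modes[cache] = "polling"
        elif not url:
            modes[cache] = "none"
        else:
            modes[cache] = "notification"
    return modes


def lint_notification_config(text):
    """Human-readable findings; an empty list means every cache gets notifications."""
    props = parse_properties(text)
    findings = []
    for cache, mode in cache_update_modes(props).items():
        if mode == "none":
            findings.append("%s: %s is true (unset defaults to true) but %s is empty, so "
                            "notifications will not be received"
                            % (cache, CACHE_FLAGS[cache], NOTIFICATION_URL))
        elif mode == "polling":
            findings.append("%s: %s=false, cache update falls back to polling"
                            % (cache, CACHE_FLAGS[cache]))
    return findings


# Constructed excerpts of a client-side AMConfig.properties.
CLIENT_OK = """# both flags unset -> default true; URL present -> notifications
com.iplanet.am.notification.url=http://client.example.com:8080/app/notificationservice
"""
CLIENT_NO_URL = """com.sun.identity.idm.remote.notification.enabled=true
com.sun.identity.sm.notification.enabled=true
"""
CLIENT_SM_POLLING = CLIENT_OK + "com.sun.identity.sm.notification.enabled=false\n"

if __name__ == "__main__":
    for name, text in (("ok", CLIENT_OK), ("no url", CLIENT_NO_URL), ("sm polling", CLIENT_SM_POLLING)):
        print(name, cache_update_modes(parse_properties(text)), lint_notification_config(text))
```

The silent case is the one worth a check in a deployment script: both flags left at their default of true with no notification URL looks like a working configuration but, per the NOTE, the caches never hear about changes.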

And here's my notification to you of the absolutely fabulous video for the Pet Shop Boys song Absolutely Fabulous featuring Jennifer Saunders and Joanna Lumley. Ahhhh, those were the days, my friend.

Tuesday Jul 08, 2008

Ma Quale Idea: Review the FAM8 Technical Overview

Ma Quale Idea! Here is a PDF of the first two parts of the Federated Access Manager 8.0 Technical Overview. The two parts are now open for review. Let me know if you have any issues, comments, or errors with the current information.

And here's another idea, Ma Quale Idea, Pino D'Angio's disco hit from 1980.

Thursday Jul 03, 2008

Affiliation-based Federation with...ABBA?

An affiliation (referenced by an affiliationID) is a grouping of entity providers configured using OpenSSO and maintained by an affiliation owner who chooses the members without regard to the boundaries of any circles of trust which might also include the entity providers as members. Affiliation-based federation is indicated by a boolean flag at the service provider and uses the affiliationID defined for the remote provider (since a local provider can participate in more than one affiliation). If enabled, the authentication request will be sent with the affiliation flag set to true.

Affiliation data is part of the provider metadata. A service provider request denotes whether the request is being made as part of an affiliation or not. If services are invoked as an affiliation member, a service provider might issue an authentication request for a user on behalf of the affiliation. When authentication is secured, the user can achieve single sign-on with all members of the affiliation.
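As an added example for both this entry and the affiliation questions in the July 28 entry (not OpenSSO code, and not a description of how OpenSSO serialises its own affiliation flag), here is the SAML 2.0 form of the exchange: the service provider names the affiliation in NameIDPolicy/@SPNameQualifier of its AuthnRequest, and the identity provider checks that the issuer is an AffiliateMember in the affiliation metadata before scoping the persistent NameID to the affiliation. The metadata, entity IDs and requests are constructed.

```python
"""SAML 2.0 affiliation-based federation: the SP names the affiliation in
NameIDPolicy/@SPNameQualifier, and the IdP checks that the requesting SP is a
listed AffiliateMember before scoping the persistent NameID to the affiliation.
Added example, not OpenSSO code; it follows the SAML 2.0 core and metadata
specifications. Metadata, entity IDs and requests are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed affiliation metadata: the entityID is the affiliationID.
AFFILIATION_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://affiliation.example.com/payroll">
  <md:AffiliationDescriptor affiliationOwnerID="https://owner.example.com/sp">
    <md:AffiliateMember>https://owner.example.com/sp</md:AffiliateMember>
    <md:AffiliateMember>https://paycheck.example.com/sp</md:AffiliateMember>
  </md:AffiliationDescriptor>
</md:EntityDescriptor>"""


def load_affiliations(metadata_xml):
    """Return {affiliationID: {"owner": ..., "members": set(...)}} from SAML 2.0 metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entities = [root]
    else:  # md:EntitiesDescriptor wrapping several entities
        entities = root.findall("md:EntityDescriptor", NS)
    affiliations = {}
    for ed in entities:
        ad = ed.find("md:AffiliationDescriptor", NS)
        if ad is not None:
            affiliations[ed.get("entityID")] = {
                "owner": ad.get("affiliationOwnerID"),
                "members": {m.text.strip() for m in ad.findall("md:AffiliateMember", NS)},
            }
    return affiliations


def build_authn_request(sp_entity_id, request_id, affiliation_id=None):
    """SP side: an AuthnRequest asking for a persistent NameID; when acting as an
    affiliation member, SPNameQualifier carries the affiliationID."""
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], ID=request_id, Version="2.0",
                     IssueInstant="2008-07-03T00:00:00Z")
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = sp_entity_id
    policy = ET.SubElement(req, "{%s}NameIDPolicy" % NS["samlp"],
                           Format=PERSISTENT, AllowCreate="true")
    if affiliation_id:
        policy.set("SPNameQualifier", affiliation_id)
    return ET.tostring(req, encoding="unicode")


def resolve_federation_scope(authn_request_xml, affiliations):
    """IdP side: decide whose namespace the persistent NameID belongs to. A request
    naming an affiliation the issuer is not a member of is refused; honouring it
    would hand the issuer the pseudonym shared by that affiliation's members."""
    req = ET.fromstring(authn_request_xml)
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    policy = req.find("samlp:NameIDPolicy", NS)
    qualifier = policy.get("SPNameQualifier") if policy is not None else None
    if not qualifier or qualifier == issuer:
        return {"ok": True, "affiliation": False, "scope": issuer}
    aff = affiliations.get(qualifier)
    if aff is None:
        return {"ok": False, "reason": "unknown affiliation %s" % qualifier}
    if issuer not in aff["members"]:
        return {"ok": False, "reason": "%s is not a member of %s" % (issuer, qualifier)}
    return {"ok": True, "affiliation": True, "scope": qualifier}


if __name__ == "__main__":
    affs = load_affiliations(AFFILIATION_METADATA)
    req = build_authn_request("https://paycheck.example.com/sp", "_r1",
                              "https://affiliation.example.com/payroll")
    print(resolve_federation_scope(req, affs))
```

The membership check is only as strong as the authentication of the Issuer: verify the request signature against the certificate in that service provider's metadata first, otherwise any party can claim membership and collect the pseudonym shared across the affiliation.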

And for those who don't know - I have an affiliation with ABBA. In honor of the upcoming release of Mamma Mia here's the group's music video for the title tune (mysteriously aped in Muriel's Wedding for Muriel and Rhonda's karaoke performance of...Waterloo?).

And here's the trailer for the film. Meryl Streep (sounding great), Julie Walters and an uncredited (?) Christine Baranski - what a trio!!

Wednesday Jul 02, 2008

Federated Access Manager Supported Data Stores and Operations

THIS INFORMATION IS STILL BEING UPDATED AND MAY CHANGE BEFORE THE FALL 2008 FEDERATED ACCESS MANAGER 8.0 RELEASE.

Federated Access Manager contains a lot of data and supports a number of products in which to store it. The following sections contain information regarding this support and the specific operations that can be performed on the data by each product.
  1. Directory Support
  2. Supported Identity Data Store Operations
  3. Notification Support

Directory Support

The table below lists the directories supported for the different types of data.


                                          Sun Directory   Active      IBM Tivoli   LDAP v3 server
                                          Server          Directory   Directory    (other)
User Data Store                           Yes             Yes         Yes          No
Configuration Data Store*                 Yes             No          No           No
AM SDK (legacy)                           Yes             No          No           No
LDAP Authentication                       Yes             Yes         Yes          Yes
Membership Authentication                 Yes             No          No           No
AD Authentication                         N/A             Yes**       N/A          N/A
Policy Subjects and Policy LDAPFilter     Yes             Yes         Yes          Yes
  Condition
Password Reset                            Yes (with AM    No          No           No
                                          SDK only)
Account Lockout                           Yes             No          No           No
Certificate Authentication                Yes             Yes         Yes          Yes
MSISDN Authentication                     Yes             Yes         Yes          Yes
Data Store Authentication (through        Yes             Yes         Yes          Yes
  LDAPv3 identity data store)

* OpenDS can be configured as the embedded configuration data store during your initial Federated Access Manager configuration. It cannot be configured as an external configuration data store as Sun Directory Server can. OpenDS is not currently supported as a user data store.

** There are some limitations.

As a side note, authentication also supports the JDBC repository through the JDBC authentication module.

Supported Identity Data Store Operations

IDRepo is the interface that provides basic management for user, group, role and agent entities. This interface allows any identity data repository to be supported through the development of a plug-in. Although support is currently limited to three directories, it can be expanded to include any LDAPv3 directory (like OpenLDAP or Novell eDirectory), a Java Database Connectivity (JDBC) data source, flat files, and others.

The matrix below specifies current support through the IDRepo interface. There is a specific implementation for each supported identity repository; the default implementation of the interface can be used with, and is supported for, any LDAPv3 repository.

The following table lists operations supported by each data store type.


                                  Sun DS      IBM Tivoli   AD          LDAP v3     AM SDK
                                  (LDAP v3)   (LDAP v3)    (LDAP v3)   (generic)   (legacy)
User Create                       Yes         Yes          Yes*        No          Yes
User Modify                       Yes         Yes          Yes*        No          Yes
User Delete                       Yes         Yes          Yes*        No          Yes
Role Create                       Yes         Yes          No          No          Yes
Role Modify                       Yes         Yes          No          No          Yes
Role Delete                       Yes         Yes          No          No          Yes
Role Assignment                   Yes         Yes          No          No          Yes
Role Evaluation for Membership    Yes         Yes          No          No          Yes
Group Create                      Yes         Yes          No          No          Yes
Group Modify                      Yes         Yes          No          No          Yes
Group Delete                      Yes         Yes          No          No          Yes
Group Assignment                  Yes         Yes          No          No          Yes
Group Evaluation for Membership   Yes         Yes          Yes         No          Yes
Federation Attributes             Yes         Yes          Yes         No          Yes

* Needs some fixes.

Notification Support

Data changes in directories need to be propagated to OpenSSO in a timely manner. The data in OpenSSO is updated in two ways:

  1. Polling of the directories
  2. Notifications from the directories

For notification, Federated Access Manager subscribes to persistent search notifications provided by the directories. For polling, it provides configurable parameters to specify the time intervals. When multiple instances of Federated Access Manager are running, the configuration data changes can also be propagated to those instances.

And now watch how the dancers support Goldie Hawn as she sings Star, the title tune from the 1960s film musical biography about Gertrude Lawrence and starring an excellently-cast Julie Andrews.

Thursday Jun 26, 2008

Move Any Mountain to Attend the SSO Summit

It's in the mountains of Colorado and, according to the web site, the SSO Summit is the only conference to arm you with case-studies, war stories, success stories and shared expertise. Click here for more information. But come back to dance with The Shamen as they Move Any Mountain.

Get it? Summit. Mountain.

I'm going, btw.

Wednesday Jun 25, 2008

The Fedlet Cyrkle of Information

I've recently posted a few entries about the Fedlet. Here is a list of them and what they are about...for easy reference.
  1. Besides having the catchiest kid's television show theme this side of MisterRogers, The Fedlet and U (Part 1): Winky Dink and Me introduces the Fedlet and how to create and test one using the Common Task wizard.
  2. The Fedlet and U (Part 2): Pre-Built to Last shows you the procedure I used to create a Fedlet using the pre-built but unconfigured Fedlet bundle.
  3. The Fedlet and U (Part 3): We Built This Application is the procedure I used to integrate the Fedlet by modifying application code in three ways. Unfortunately, I couldn't get them to work. (And I am exhausted from trying.) So I am putting this information out there to see if it works for someone else. Remember I'm not a developer - I only play one on TV (even if I was only using hello.jsp).
  4. Undeploying the Fedlet with Some Light from Jens Lekman is a bonus entry with the titular procedure and Swedish music from the titular pop singer. (Thankfully there was nothing else in the title so I didn't have to use that word again.)
So I'll sign off with the great new look and sound of the Cyrkle - as introduced by Paul Anka?

Tuesday Jun 24, 2008

The Fedlet and U (Part 3): We Built This Application

NOTE : I've been getting errors with the following procedures. I am posting them anyway in hopes that someone can see what I have missed. I'm not an engineer and therefore am thinking my code deletion and additions are incorrect. If you are able to successfully deploy and test the following Fedlet procedures, let me know what you did so I can try it out. Thanks.

Thus far, in previous entries, I explained how to implement the Fedlet using the Common Tasks work flow in the OpenSSO console and using the pre-built but unconfigured fedlet.war. (There's also a bonus entry on how to remove a deployed fedlet.)

In this entry, you'll find the procedures to integrate the fedlet.war code with an existing service provider application. The following diagram illustrates the three ways in which this can be done.

  1. fedletSampleApp.jsp is modified to add the service provider's application logic and, thus, is used as the endpoint for the Fedlet on the service provider side here.
  2. fedletSampleApp.jsp is modified to forward the request to the service provider application URL and, thus, is also used as the endpoint for the Fedlet on the service provider side here.
  3. fedletSampleApp.jsp is replaced by a new JSP (servlet) to create a new endpoint or the Fedlet code in the fedletSampleApp.jsp is copied to the new endpoint code here.

NOTE: The diagram refers to fedletSampleApp.jsp, a sample JSP packaged with the fedlet.war that provides a default Assertion Consumer endpoint to process SAMLv2 Assertions from the identity provider. fedletSampleApp.jsp first invokes a util method to complete SAMLv2 protocol processing. A map containing various pieces of data (including a Response, an Assertion, and Attributes) is then returned to the caller for further processing. fedletSampleApp.jsp also provides some sample code to help you understand how to retrieve data from the returned map.


<%--
   The contents of this file are subject to the terms
   of the Common Development and Distribution License
   (the License). You may not use this file except in
   compliance with the License.

   You can obtain a copy of the License at
   https://opensso.dev.java.net/public/CDDLv1.0.html or
   opensso/legal/CDDLv1.0.txt
   See the License for the specific language governing
   permission and limitations under the License.

   When distributing Covered Code, include this CDDL
   Header Notice in each file and include the License file
   at opensso/legal/CDDLv1.0.txt.
   If applicable, add the following below the CDDL Header,
   with the fields enclosed by brackets [] replaced by
   your own identifying information:
   "Portions Copyrighted [year] [name of copyright owner]"

   $Id: fedletSampleApp.jsp,v 1.2 2008/05/29 00:40:42 veiming Exp $

   Copyright 2008 Sun Microsystems Inc. All Rights Reserved
--%>

<%@page
import="com.sun.identity.saml2.common.SAML2Exception,
com.sun.identity.saml2.common.SAML2Constants,
com.sun.identity.saml2.assertion.Assertion,
com.sun.identity.saml2.assertion.Subject,
com.sun.identity.saml2.profile.SPACSUtils,
com.sun.identity.saml2.protocol.Response,
com.sun.identity.saml2.assertion.NameID,
com.sun.identity.plugin.session.SessionException,
java.io.IOException,
java.util.Iterator,
java.util.List,
java.util.Map"
%>
<%
    String deployuri = request.getRequestURI();
    int slashLoc = deployuri.indexOf("/", 1);
    if (slashLoc != -1) {
        deployuri = deployuri.substring(0, slashLoc);
    }
%>
<html>
<head>
    <title>Fedlet Sample Application</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <link rel="stylesheet" type="text/css" href="<%= deployuri %>/com_sun_web_ui/css/css_ns6up.css" />
</head>

<body>
<div class="MstDiv"><table width="100%" border="0" cellpadding="0" cellspacing="0" class="MstTblTop" title="">
<tbody><tr>
<td nowrap="nowrap"> </td>
<td nowrap="nowrap"> </td>
</tr></tbody></table>

<table width="100%" border="0" cellpadding="0" cellspacing="0" class="MstTblBot" title="">
<tbody><tr>
<td class="MstTdTtl" width="99%">
<div class="MstDivTtl"><img name="ProdName" src="<%= deployuri %>/console/images/PrimaryProductName.png" alt="" /></div></td><td class="MstTdLogo" width="1%"><img name="RMRealm.mhCommon.BrandLogo" src="<%= deployuri %>/com_sun_web_ui/images/other/javalogo.gif" alt="Java(TM) Logo" border="0" height="55" width="31" /></td></tr></tbody></table>
<table class="MstTblEnd" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><img name="RMRealm.mhCommon.EndorserLogo" src="<%= deployuri %>/com_sun_web_ui/images/masthead/masthead-sunname.gif" alt="Sun(TM) Microsystems,
Inc." align="right" border="0" height="10" width="108" /></td></tr></tbody></table></div><div class="SkpMedGry1"><a name="SkipAnchor2089" id="SkipAnchor2089"></a></div>
<div class="SkpMedGry1"><a href="#SkipAnchor4928"><img src="<%= deployuri %>/com_sun_web_ui/images/other/dot.gif" alt="Jump Over Tab Navigation Area. Current Selection is: Access Control" border="0" height="1" width="1" /></a></div>
<%
    // BEGIN : following code is a must for Fedlet (SP) side application
    Map map;
    try {
        // invoke the Fedlet processing logic. this will do all the
        // necessary processing conforming to SAMLv2 specifications,
        // such as XML signature validation, Audience and Recipient
        // validation etc.  
        map = SPACSUtils.processResponseForFedlet(request, response);
    } catch (SAML2Exception sme) {
        response.sendError(response.SC_INTERNAL_SERVER_ERROR, sme.getMessage());
        return;
    } catch (IOException ioe) {
        response.sendError(response.SC_INTERNAL_SERVER_ERROR, ioe.getMessage());
        return;
    } catch (SessionException se) {
        response.sendError(response.SC_INTERNAL_SERVER_ERROR, se.getMessage());
        return;
    } catch (ServletException se) {
        response.sendError(response.SC_BAD_REQUEST, se.getMessage());
        return;
    }
    // END : code is a must for Fedlet (SP) side application
    
    String relayUrl = (String) map.get(SAML2Constants.RELAY_STATE);
    if ((relayUrl != null) && (relayUrl.length() != 0)) {
        // something special for validation to send redirect
        int stringPos  = relayUrl.indexOf("sendRedirectForValidationNow=true");
        if (stringPos != -1) {
            response.sendRedirect(relayUrl);
        }
    } 

    // Following are sample code to show how to retrieve information,
    // such as Reponse/Assertion/Attributes, from the returned map. 
    // You might not need them in your real application code. 
    Response samlResp = (Response) map.get(SAML2Constants.RESPONSE); 
    Assertion assertion = (Assertion) map.get(SAML2Constants.ASSERTION);
    Subject subject = (Subject) map.get(SAML2Constants.SUBJECT);
    String entityID = (String) map.get(SAML2Constants.IDPENTITYID);
    NameID nameId = assertion.getSubject().getNameID();
    String value = nameId.getValue();
    String format = nameId.getFormat();
    out.println("<br><br><b>Single Sign-On successful with IDP " 
        + entityID + ".</b>");
    out.println("<br><br>");
    out.println("<table border=0>");
    if (format != null) {
        out.println("<tr>");
        out.println("<td valign=top><b>Name ID format: </b></td>");
        out.println("<td>" + format + "</td>");
        out.println("</tr>");
    }
    if (value != null) {
        out.println("<tr>");
        out.println("<td valign=top><b>Name ID value: </b></td>");
        out.println("<td>" + value + "</td>");
        out.println("</tr>");
    }    
    Map attrs = (Map) map.get(SAML2Constants.ATTRIBUTE_MAP);
    if (attrs != null) {
        out.println("<tr>");
        out.println("<td valign=top><b>Attributes: </b></td>");
        Iterator iter = attrs.keySet().iterator();
        out.println("<td>");
        while (iter.hasNext()) {
            String attrName = (String) iter.next();
            List attrVals = (List) attrs.get(attrName);
            out.println(attrName + "="
                + attrVals.get(0) + "<br>");
        }
        out.println("</td>");
        out.println("</tr>");
    }
    out.println("</table>");
    out.println("<br><br><b><a href=# onclick=toggleDisp('resinfo')>Click to view SAML2 Response XML</a></b><br>");
    out.println("<span style='display:none;' id=resinfo><textarea rows=40 cols=100>" + samlResp.toXMLString(true, true) + "</textarea></span>");

    out.println("<br><b><a href=# onclick=toggleDisp('assr')>Click to view Assertion XML</a></b><br>");
    // same toggle pattern as the Response above, applied to the Assertion
    out.println("<span style='display:none;' id=assr><textarea rows=40 cols=100>" + assertion.toXMLString(true, true) + "</textarea></span>");
%>
<script>
function toggleDisp(id)
{
    var elem = document.getElementById(id);
    if (elem.style.display == 'none')
        elem.style.display = '';
    else
        elem.style.display = 'none';
}
</script>
</body>
</html>


The following procedures assume that you have downloaded the opensso.zip
and extracted the contents. The /opensso directory is at the top-level of the machine to which it was downloaded.

Modify fedletSampleApp.jsp with Application Logic
  1. Unzip fedlet.war into a temporary directory; for example, /sp1.
    This directory must be accessible by the user running the web container; for example, if running your web container as root, the user's home directory is / so the sp1 directory should be located at /sp1.

    NOTE: This directory is the default location from which the Fedlet reads its metadata, circle of trust, and configuration properties. To change it, set the value of the JVM run-time property com.sun.identity.fedlet.home to the desired location; for example:

    -Dcom.sun.identity.fedlet.home=/export/fedlet/conf

    % mkdir /sp1
    % cd /sp1
    % jar xvf /opensso/fedlet/fedlet.war
    
  2. In fedletSampleApp.jsp (located at the top-level of the temporal directory) remove all text after the line, // END : code is a must for Fedlet (SP) side application.
  3. Merge the import statements between fedletSampleApp.jsp and the application code, if applicable.
    I'm using a simple hello.jsp (as below) so there is nothing to merge.


    
    <%--
       The contents of this file are subject to the terms
       of the Common Development and Distribution License
       (the License). You may not use this file except in
       compliance with the License.
    
       You can obtain a copy of the License at
       https://opensso.dev.java.net/public/CDDLv1.0.html or
       opensso/legal/CDDLv1.0.txt
       See the License for the specific language governing
       permission and limitations under the License.
    
       When distributing Covered Code, include this CDDL
       Header Notice in each file and include the License file
       at opensso/legal/CDDLv1.0.txt.
       If applicable, add the following below the CDDL Header,
       with the fields enclosed by brackets [] replaced by
       your own identifying information:
       "Portions Copyrighted [year] [name of copyright owner]"
    
       $Id: fedletDefault.jsp,v 1.2 2008/03/31 19:54:11 qcheng Exp $
    
       Copyright 2008 Sun Microsystems Inc. All Rights Reserved
    --%>
    <html>
    <head>
        <title>My Hello</title>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    
    <body>
        <h1>
            Hello World
        </h1>
    </body>
    </html>
    

  4. Add your application logic underneath the line that begins with //END - prepending a %> before it and appending the closing HTML tags after it.

    
    %>
    <h1>
    Hello, World
    </h1>
    </body>
    </html>
    
  5. From inside the sp1 directory, pack up the contents using the jar command.
    jar cvf ./fedlet.war *
  6. Deploy the WAR.
  7. Launch the deployed application.

Modify fedletSampleApp.jsp to Forward Request

  1. Unzip fedlet.war into a temporary directory; for example, sp2.
    % mkdir sp2
    % cd sp2
    % jar xvf /opensso/fedlet/fedlet.war
    
  2. In fedletSampleApp.jsp (located at the top-level of the temporal directory) remove all text after the line, // END : code is a must for Fedlet (SP) side application.
  3. Add redirect code underneath the line that begins with //END - prepending a %> before it and appending the closing HTML tags after it.
    
    %>
    response.sendRedirect("hello.jsp"); 
    </body>
    </html>
    
  4. Add the modified fedletSampleApp.jsp and the hello.jsp to the document root of the unpacked WAR directory structure.
  5. Pack up the WAR using the jar command.
    jar cvf ./fedlet.war *
  6. Deploy the WAR.
  7. Launch the deployed application.

Replace fedletSampleApp.jsp

  1. Modify web.xml to set the servlet and servlet-mapping for your new servlet or JSP.
    You must map your new servlet/JSP to the url-pattern /fedletapplication since that is the URI set in the Fedlet metadata for the assertion consumer URL. For example:
    
    <servlet>
        <servlet-name>yourapplication</servlet-name>
        <jsp-file>/Your-Application.jsp</jsp-file>
    </servlet>
    <servlet-mapping>
        <servlet-name>yourapplication</servlet-name>
        <url-pattern>/fedletapplication</url-pattern>
    </servlet-mapping>
  2. Copy the following code from fedletSampleApp.jsp to your application processing code.
    Be sure to also copy any appropriate import statements.
    Map map;
    try {
        // invoke the Fedlet processing logic. this will do all the
        // necessary processing conforming to SAMLv2 specifications,
        // such as XML signature validation, Audience and Recipient
        // validation etc.
        map = SPACSUtils.processResponseForFedlet(request, response);
    } catch (SAML2Exception sme) {
        response.sendError(response.SC_INTERNAL_SERVER_ERROR, sme.getMessage());
        return;
    } catch (IOException ioe) {
        response.sendError(response.SC_INTERNAL_SERVER_ERROR, ioe.getMessage());
        return;
    } catch (SessionException se) {
        response.sendError(response.SC_INTERNAL_SERVER_ERROR, se.getMessage());
        return;
    } catch (ServletException se) {
        response.sendError(response.SC_BAD_REQUEST, se.getMessage());
        return;
    }
    After obtaining the returned map object, follow the sample code to retrieve the data needed for your business logic.
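As an added example (not code from the Fedlet or from this post), here is the third option written as a servlet rather than a JSP: the processResponseForFedlet block and the map keys are the ones copied from fedletSampleApp.jsp, while the class name, the HTML escaping helper, the session attribute and the RelayState check are assumptions made for this example. Unlike the sample JSP, it redirects to RelayState only when it names a path inside this web application.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.profile.SPACSUtils;

// Hypothetical servlet mapped to /fedletapplication in web.xml (the assertion
// consumer URL in the Fedlet metadata). Only the processResponseForFedlet
// block and the map keys come from fedletSampleApp.jsp.
public class FedletAcsServlet extends HttpServlet {

    // service() rather than doPost() so that both the HTTP-POST and the
    // HTTP-Artifact (GET) bindings reach the Fedlet code, as a JSP would.
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Map map;
        try {
            // Same call as in fedletSampleApp.jsp: XML signature, Audience and
            // Recipient validation etc. happen inside this method.
            map = SPACSUtils.processResponseForFedlet(request, response);
        } catch (SAML2Exception sme) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, sme.getMessage());
            return;
        } catch (IOException ioe) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, ioe.getMessage());
            return;
        } catch (SessionException se) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, se.getMessage());
            return;
        } catch (ServletException se) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, se.getMessage());
            return;
        }
        Assertion assertion = (Assertion) map.get(SAML2Constants.ASSERTION);
        String idpEntityId = (String) map.get(SAML2Constants.IDPENTITYID);
        NameID nameId = assertion.getSubject().getNameID();
        Map attrs = (Map) map.get(SAML2Constants.ATTRIBUTE_MAP);

        // Application logic goes here. This example records the federated
        // principal in the container session (an assumption, not Fedlet API).
        request.getSession(true).setAttribute("fedlet.principal", nameId.getValue());

        // RelayState is client-supplied input. Only a path inside this web
        // application is honoured as a post-login destination.
        String relay = (String) map.get(SAML2Constants.RELAY_STATE);
        if (isLocalPath(relay)) {
            response.sendRedirect(request.getContextPath() + relay);
            return;
        }
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<p><b>Single Sign-On successful with IDP "
            + escape(idpEntityId) + ".</b></p>");
        out.println("<p>Name ID: " + escape(nameId.getValue())
            + " (format " + escape(nameId.getFormat()) + ")</p>");
        if (attrs != null) {
            out.println("<ul>");
            for (Iterator it = attrs.keySet().iterator(); it.hasNext();) {
                String name = (String) it.next();
                List vals = (List) attrs.get(name);   // all values, not only vals.get(0)
                out.println("<li>" + escape(name) + " = " + escape(String.valueOf(vals)) + "</li>");
            }
            out.println("</ul>");
        }
    }

    // Accepts "/path" but not "//host", "/\host" or an absolute URL, so the
    // endpoint cannot be used to send a browser to another site.
    static boolean isLocalPath(String s) {
        return s != null && s.startsWith("/") && !s.startsWith("//") && !s.startsWith("/\\");
    }

    // Entity ID, NameID and attribute values come from the identity provider;
    // escape them before writing them into HTML.
    static String escape(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```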

Considering how we built these applications, now rock out to the much-maligned but still pleasurable We Built This City, Starship's number 1 hit from the 1980s.

Sunday Jun 22, 2008

Want to Set Up and Test a SAMLv2 Authentication Query? Ask.

A SAMLv2 Authentication Query requests existing authentication assertions about a given subject from an Authentication Authority. This procedure explains how to set up and test an authentication query; I found it internally and recreated it externally for you.

This procedure assumes the entityID of the service provider is ear.red.sun.com, and the entityID of the identity provider is eye.red.sun.com. It also assumes that you have downloaded and deployed the famadm command line interface. You can also accomplish the steps referring to the export and import of metadata using the Federation and Common Tasks portions of the OpenSSO console.

  1. On the service provider machine, generate standard and extended metadata templates and load them as an entity provider using the OpenSSO console. For example,

    /famconfig/famadm/fam/bin/famadm create-metadata-templ -u amadmin -f /tmp/pw -m /tmp/spmd -x /tmp/spxmd -s /sp -a test -r test -y ear.red.sun.com
  2. Log in to the OpenSSO console on the identity provider machine to import the service provider metadata files.
  3. On the identity provider machine, generate standard and extended metadata templates, specifying the -C, -D, and -E options. For example,

    /famconfig/famadm/fam/bin/famadm create-metadata-templ -u amadmin -f /tmp/pw -m /tmp/idpmd -x /tmp/idpxmd -i /idp -b test -g test -C /authna -D test2 -E test2 -y eye.red.sun.com
  4. Modify the identity provider extended metadata as follows.

    • Set the value of the idpAuthncontextClassrefMapping attribute to:
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level1|1|module=DataStore1
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level3|3|module=DataStore3
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level5|5|module=DataStore5
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level7|7|module=DataStore7
      urn:oasis:names:tc:SAML:2.0:ac:classes:Level9|9|module=DataStore9
    • Set the value of the assertionCacheEnabled attribute to true.
  5. Log in to the OpenSSO console on the service provider machine to import the identity provider metadata files.
  6. Log in to the OpenSSO console on the identity provider machine to add the following named authentication modules.

    DataStore1
    DataStore3
    DataStore5
    DataStore7
    DataStore9

    The type of each module should be set to Data Store and the authentication level set to 1, 3, 5, 7, and 9, respectively.
  7. Single sign-on using the following URL:
    http://ear.red.sun.com/fam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=eye.red.sun.com&reqBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Level1
    This will create an assertion with the value of AuthnContextClassRef set as urn:oasis:names:tc:SAML:2.0:ac:classes:Level1.

    ALTERNATIVES: You can single sign-on with different authentication levels by changing Level1 to Level3, Level5, Level7, and Level9. You can also use a different browser which would change the value of sessionIndex. Following this, the user will have had multiple assertions created.
  8. To test your configuration, copy authnQuery.jsp to the service provider deploy root and customize it by changing the following attributes (located between // customization starts here and // customization ends here in the file).
    • sessionIndex
    • RequestedAuthnContext
    • Comparison
  9. Run the JSP by typing the following URL in a browser.
    http://ear.red.sun.com/fam/authnQuery.jsp?spMetaAlias=/sp&authnAuthorityEntityID=eye.red.sun.com
    The results will change based on the different customizations.
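To make the relationship between step 4 and steps 7 through 9 concrete, here is an added example (written for this post, not OpenSSO code) that parses the idpAuthncontextClassrefMapping value and evaluates a query's RequestedAuthnContext against an existing assertion under each SAMLv2 Comparison value. It assumes the configured authentication level is the strength ordering and simplifies "maximum" to "no stronger than the requested level".

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper: parses "classRef|level|key=value|default" lines and
// applies the SAMLv2 Comparison values exact, minimum, maximum and better.
public final class AuthnContextMapping {

    // One line of the mapping from step 4.
    public static final class Entry {
        public final String classRef;
        public final int level;
        public final String moduleSpec;   // e.g. "module=DataStore1"; empty for the default
        public final boolean isDefault;
        Entry(String classRef, int level, String moduleSpec, boolean isDefault) {
            this.classRef = classRef;
            this.level = level;
            this.moduleSpec = moduleSpec;
            this.isDefault = isDefault;
        }
    }

    private final List<Entry> entries = new ArrayList<Entry>();

    public static AuthnContextMapping parse(String attributeValue) {
        AuthnContextMapping m = new AuthnContextMapping();
        for (String raw : attributeValue.split("\n")) {
            String line = raw.trim();
            if (line.length() == 0) continue;
            // limit -1 keeps the empty third field of "...|0||default"
            String[] f = line.split("\\|", -1);
            if (f.length < 2) throw new IllegalArgumentException("bad mapping entry: " + line);
            String spec = f.length > 2 ? f[2] : "";
            boolean def = f.length > 3 && "default".equals(f[3]);
            m.entries.add(new Entry(f[0], Integer.parseInt(f[1]), spec, def));
        }
        return m;
    }

    public Entry lookup(String classRef) {
        for (Entry e : entries) {
            if (e.classRef.equals(classRef)) return e;
        }
        return null;
    }

    // True when an assertion issued with assertedClassRef (step 7) answers a
    // query for requestedClassRef under the given Comparison (step 8).
    public boolean satisfies(String assertedClassRef, String requestedClassRef, String comparison) {
        Entry a = lookup(assertedClassRef);
        Entry r = lookup(requestedClassRef);
        if (a == null || r == null) return false;   // unmapped class reference
        if ("exact".equals(comparison)) {
            return a.classRef.equals(r.classRef);
        } else if ("minimum".equals(comparison)) {
            return a.level >= r.level;
        } else if ("maximum".equals(comparison)) {
            return a.level <= r.level;
        } else if ("better".equals(comparison)) {
            return a.level > r.level;
        }
        throw new IllegalArgumentException("unknown Comparison: " + comparison);
    }

    public static void main(String[] args) {
        String prefix = "urn:oasis:names:tc:SAML:2.0:ac:classes:";
        // The mapping value from step 4
        AuthnContextMapping m = parse(
            prefix + "PasswordProtectedTransport|0||default\n"
            + prefix + "Level1|1|module=DataStore1\n"
            + prefix + "Level3|3|module=DataStore3\n"
            + prefix + "Level5|5|module=DataStore5\n"
            + prefix + "Level7|7|module=DataStore7\n"
            + prefix + "Level9|9|module=DataStore9\n");
        // A Level1 sign-on queried for at least Level3, then a Level5 sign-on
        System.out.println(m.satisfies(prefix + "Level1", prefix + "Level3", "minimum"));
        System.out.println(m.satisfies(prefix + "Level5", prefix + "Level3", "minimum"));
        System.out.println(m.satisfies(prefix + "Level5", prefix + "Level3", "exact"));
        System.out.println(m.satisfies(prefix + "Level9", prefix + "Level7", "better"));
    }
}
```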
See, when you have a query, just ask - like the Smiths said.

Tuesday Jun 17, 2008

Discovering the SAMLv2 IDP Discovery Service and the Discovery LP

All web services are defined by a Web Services Description Language (WSDL) file that describes the type of data the service contains, the available ways said data can be exchanged, the operations that can be performed using the data, a protocol that can be used to perform the operations, and a URL (or endpoint) for access to the service. Additionally, the WSDL file itself is assigned a unique resource identifier (URI) that is used to locate it. The file is then published and the URI is placed in a Universal Description, Discovery and Integration (UDDI) repository so it can be found by potential users. Thus, the web service can now be discovered. Discovery of a web service is the act of locating the WSDL file for it. Typically, there are one or more web services on a network, so a discovery service is required to keep track of the WSDL locations.

The SAML v2 IDP Discovery Service is an implementation of the Identity Provider Discovery Profile as described in the Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 specification. In deployments having more than one identity provider, service providers need to determine which identity provider(s) a principal uses with the Web Browser SSO profile. To allow for this, the SAML v2 IDP Discovery Service relies on a cookie written in a domain that is common to all identity providers and service providers in a circle of trust. This predetermined domain is known as the common domain, and the cookie containing the list of identity providers to choose from is known as the common domain cookie.

The Reader and Writer URLs, used by the SAML v2 IDP Discovery Service, are defined when configuring the circle of trust. When a user requests access from a service provider, and an entity identifier for an identity provider is not received in the request, the service provider redirects the request to the common domain's SAML v2 IDP Discovery Service Reader URL to retrieve the identity provider's entity identifier. If more than one identity provider entity identifier is returned, the last entity identifier in the list is the one to which the request is redirected. Once received, the identity provider redirects to the Discovery Service Writer URL to set the common domain cookie using the value defined in the installation configuration properties file. Here is a procedure for setting up and testing the Identity Provider Discovery Service.
  1. Download opensso.zip file to a location on your server machine.
  2. Unzip opensso.zip into /opensso.
  3. Change to the deployable-war sub-directory.
  4. Follow the instructions in the README to build a specialized WAR for the identity provider discovery service.
    1. Create a new directory as the staging area for the identity provider discovery service WAR (for example, idpwar), and extract the contents of opensso.war into it.
      % mkdir idpwar
      % cd idpwar
      % jar xvf /opensso/deployable-war/opensso.war
    2. Create the identity provider discovery service WAR using the fam-idpdiscovery.list file.
      % cd idpwar
      % jar cvf /opensso/deployable-war/fam-idp.war @/opensso/deployable-war/fam-idpdiscovery.list
    3. Update fam-idp.war with the additional files in the idpdiscovery directory.
      % cd /opensso/deployable-war/idpdiscovery
      % jar uvf /opensso/deployable-war/fam-idp.war *
    Now the identity provider discovery service WAR is ready to be deployed.
  5. Deploy fam-idp.war to your web container.
  6. Access http://idp-discovery-server-machine:port/idpdiscovery.
    The Federated Access Manager Identity Provider Discovery Service configuration page should be displayed.
  7. Provide values for the identity provider Discovery Service attributes on the configuration page.
    • Debug directory
    • Debug Level
    • Cookie Type - by default, PERSISTENT SESSION
    • Cookie Domain
    • Secure Cookie
    • Encode Cookie
  8. On the service provider host machine, use the console to create a Circle of Trust with the identity provider discovery service URL used as the prefix for the value of the Reader and Writer URL attributes; for example, the value of the SAML2 Writer Service URL would be http://idp-discovery-server-machine:port/idpdiscovery/saml2writer and the value of the SAML2 Reader Service URL would be http://idp-discovery-server-machine:port/idpdiscovery/saml2reader
  9. Now, on the identity provider host machine, use the console to create a Circle of Trust with the value of the prefix attribute also set to the identity provider discovery service URL, http://idp-discovery-server-machine:port/idpdiscovery.
  10. Generate metadata for both the identity provider and the service provider using the command line utility famadm and the create-metadata-templ option.
  11. Load the service provider metadata onto the identity provider machine.
  12. Change the value of the hosted attribute in the identity provider extended metadata to 0 (remote).
  13. Load the identity provider metadata onto the service provider machine.
    After this configuration, the values of the Writer URL and Reader URL in each circle of trust are the URL of the Identity Provider Discovery Service.
  14. Perform SAMLv2 test cases for service provider-initiated and identity provider-initiated single sign-on and single logout.
    Each time you perform these operations from the service provider side, the Discovery Service logs will show the redirection to the identity provider. Here is an example log:
    root@nude# cat libIDPDiscovery
    ******************************************************
    05/05/2008 01:41:18:782 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet Initializing...
    05/05/2008 01:41:18:786 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name is _saml_idp
    05/05/2008 01:41:18:787 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: URL Scheme is null, set to https.
    05/05/2008 01:41:18:789 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred IDP Cookie Not found
    05/05/2008 01:41:18:796 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie Type is PERSISTENT
    05/05/2008 01:41:18:797 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie value is YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:41:18:798 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name _saml_idp
    05/05/2008 01:41:18:806 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Redirect to http://amqa-x2100-08.red.iplanet.com:80/openfm/SSORedirect/metaAlias/idp?resInfoID=s2611f93262943905ab083390581b85f05c83d6001
    05/05/2008 01:46:26:786 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name is _saml_idp
    05/05/2008 01:46:26:789 AM PDT: Thread[service-j2ee-6,5,main]
    CookieUtils:cookieValue=YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=, result=YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:46:26:790 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie Type is PERSISTENT
    05/05/2008 01:46:26:791 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie value is YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:46:26:792 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name _saml_idp
    05/05/2008 01:46:26:793 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Redirect to http://amqa-x2100-08.red.iplanet.com:80/openfm/saml2/jsp/idpSSOInit.jsp?resInfoID=s2110f1c9017525509c5c7c4ae715c0ef6f45ea201
    05/05/2008 01:47:26:656 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name is _saml_idp
    05/05/2008 01:47:26:658 AM PDT: Thread[service-j2ee-6,5,main]
    CookieUtils:cookieValue=YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=, result=YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:47:26:659 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie Type is PERSISTENT
    05/05/2008 01:47:26:660 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Cookie value is YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=
    05/05/2008 01:47:26:661 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Preferred Cookie Name _saml_idp
    05/05/2008 01:47:26:662 AM PDT: Thread[service-j2ee-6,5,main]
    CookieWriterServlet.doGetPost: Redirect to http://amqa-x2100-08.red.iplanet.com:80/openfm/saml2/jsp/idpSSOInit.jsp?resInfoID=s21501eb5b9656be54878baeb762f5242d1999ad01
    
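The cookie value in the log above is the identity provider entity ID in base64 (it decodes to amqa-x2100-08.red.iplanet.com). The following added example (written for this post, not OpenSSO code) shows how a Reader picks the last entry of the _saml_idp cookie, as described earlier, and how a Writer appends an entity ID; it assumes the cookie holds space-separated base64 entries per the SAML Identity Provider Discovery Profile and operates on the value after any URL decoding that the Encode Cookie option would require.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Hypothetical helper modelling the common domain cookie: a space-separated
// list of base64-encoded identity provider entity IDs, most recently used last.
public final class CommonDomainCookie {

    // Decodes a cookie value into entity IDs, in stored order.
    public static List<String> parse(String cookieValue) {
        List<String> ids = new ArrayList<String>();
        if (cookieValue == null) return ids;
        for (String token : cookieValue.trim().split("\\s+")) {
            if (token.isEmpty()) continue;
            try {
                ids.add(new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8));
            } catch (IllegalArgumentException e) {
                // The cookie is client-controlled; a malformed entry is skipped
                // rather than allowed to break discovery for the whole list.
            }
        }
        return ids;
    }

    // Reader side: the last entry is the identity provider to redirect to.
    public static String preferredIdp(String cookieValue) {
        List<String> ids = parse(cookieValue);
        return ids.isEmpty() ? null : ids.get(ids.size() - 1);
    }

    // Writer side: make entityId the newest entry, dropping any older copy of it.
    public static String withIdp(String cookieValue, String entityId) {
        List<String> ids = parse(cookieValue);
        ids.remove(entityId);
        ids.add(entityId);
        StringBuilder sb = new StringBuilder();
        for (String id : ids) {
            if (sb.length() > 0) sb.append(' ');
            sb.append(Base64.getEncoder().encodeToString(id.getBytes(StandardCharsets.UTF_8)));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Cookie value taken from the log lines above
        String fromLog = "YW1xYS14MjEwMC0wOC5yZWQuaXBsYW5ldC5jb20=";
        System.out.println(preferredIdp(fromLog));
        // A second identity provider being written (constructed entity ID)
        String updated = withIdp(fromLog, "eye.red.sun.com");
        System.out.println(parse(updated));
        System.out.println(preferredIdp(updated));
        // Writing the first provider again moves it to the end of the list
        System.out.println(parse(withIdp(updated, "amqa-x2100-08.red.iplanet.com")));
    }
}
```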
And now that I've shined a little light on the Identity Provider Discovery Service, discover Electric Light Orchestra's song Shine a Little Love from their excellent 1979 long-player, Discovery.

Sunday Jun 15, 2008

Generating Specialized WARs with Generation X

Here are the instructions in the README found in the /deployable-war directory of the extracted opensso.zip. They describe how to generate a specialized WAR for deployment. I've added some explanations to the procedure.
  1. Create a new directory as the staging area for the WAR you want to generate. For example:
    % mkdir /noconsolewar
  2. Extract the contents of opensso.war into it.
    % cd /noconsolewar
    % jar xvf /opensso/deployable-war/opensso.war
  3. Create the WAR using the appropriate .list file. For example:
    % cd /noconsolewar
    % jar cvf /opensso/deployable-war/fam-nocon.war @/opensso/deployable-war/fam-noconsole.list

    .list files included are:
    • fam-idpdiscovery.list lists the files needed to generate a WAR to deploy the Identity Provider Discovery Service.
    • fam-distauth.list lists the files needed to generate a WAR to deploy the Distributed Authentication User Interface.
    • fam-console.list lists the files needed to generate a WAR to deploy a Federated Access Manager console only.
    • fam-noconsole.list lists the files needed to generate a WAR to deploy a Federated Access Manager server without the console.
  4. Update the generated WAR with the additional files found in the appropriate directory. For example:
    % cd /opensso/deployable-war/noconsole
    % jar uvf /opensso/deployable-war/fam-nocon.war *

    Directories included are:
    • idpdiscovery contains additional files for the Identity Provider Discovery Service WAR.
    • distauth contains additional files for the Distributed Authentication User Interface WAR.
    • console contains additional files for the console only WAR.
    • noconsole contains additional files for the Federated Access Manager server without a console WAR.
  5. Deploy your specialized WAR.
  6. Access the WAR deployment URL from your browser to configure. For example:
    http://machine-name:port/URI
And now that we are done generatin' WARs, how about Generation X - with a very young and brunette Billy Idol singing New Order at the Marquee Club.

Thursday Jun 12, 2008

What's Up, Doc? Early Access Docs!

We've just added a page to the OpenSSO site that contains links to some of the documentation now being written internally for the productized release of OpenSSO, Sun Federated Access Manager 8.0. These early access documents might contain information and procedures that have not yet been reviewed or tested. In fact, if you find something that doesn't sit right, shoot me an email or comment below and the writing team will look into it.

Click through to the Early Access Documents Page and start federatin'. The page will open in a new window because you know you want to see the credits of Peter Bogdanovich's 1972 film What's Up, Doc? with Barbra Streisand and Ryan O'Neal doing it to Cole Porter's You're the Top.

About

docteger
