Friday Jan 09, 2009

SAMLv2 Assertion Failover in OpenSSO

SAMLv2 Assertion Failover, when enabled, redirects a request for an assertion to a second identity provider if the identity provider that initially created the assertion is out of commission. The feature piggybacks on OpenSSO Session Failover configuration by using the same databases. Here is the procedure to configure and test SAMLv2 Assertion Failover.
  1. Deploy 2 instances of OpenSSO Enterprise to act as identity providers and 1 load balancer in front of them.
  2. Set up the entities as a site with servers (using the OpenSSO console) and confirm that the configurations work.
  3. Install and setup session failover as documented in the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
  4. Deploy 1 instance of OpenSSO Enterprise to act as service provider.
  5. On all three provider instances of OpenSSO, enable SAMLv2 Assertion Failover.
    1. Log in to the OpenSSO console as administrator.
    2. Click the Configuration tab.
    3. Click the Global tab.
    4. Click the SAMLv2 Service Configuration link.
    5. Check the box next to Enable SAMLv2 Failover.
    6. Click Save.
    7. Log out of the console.
  6. Configure each server instance of OpenSSO as the appropriate entity provider and member of the same SAMLv2 circle of trust.
  7. Export the entity provider metadata from all three server instances of OpenSSO.
  8. Load the service provider and identity provider metadata on the respective instances of OpenSSO and on the load balancer.

    You need to create the metadata for the load balancer. See your load balancer's documentation for more information. Make sure you change the URL values in the load balancer metadata from the OpenSSO instances behind the load balancer to the load balancer URL itself.
  9. Modify the spAssertionConsumer.jsp on the service provider machine to add sleep that allows enough time to shutdown the identity provider on which the request will land. (See step 11.)

    Object newSession = null;
    SAML2Utils.debug.error("Before sleep Assertion Failover");
    SAML2Utils.debug.message("Before sleep Asserion Failover");
    Thread.sleep(50000);
    SAML2Utils.debug.error("After sleep Assertion Failover");
    SAML2Utils.debug.message("After sleep Asserion Failover");
  10. Initiate single sign-on using the following URL: http://host-machine.domain:port/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=
    /sp&idpEntityID=LB-host-machine.LB-domain

    Before proceeding to the next step, run tail on the SAMLv2 debug logs (located in OpenSSO-install-directory/opensso/debug) on the identity provider host machines to see where the single sign-on request lands.
  11. After providing the service provider user credentials, monitor the log and shutdown the identity provider on which the initial single sign-on request landed.

    Make sure the user is not federated before shutting down the identity provider. The sleep time added to spAssertionConsumer.jsp in the previous step should allow enough time for this. (See step 9.)
  12. Verify that federation successfully occurs after the identity provider is shutdown. This confirms that assertion failover was successful.
  13. Initiate single logout using the following URL:

    http://host-machine.domain:port/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=
    /sp&idpEntityID=LB-host-machine.LB-domain
  14. Bring the previously shutdown identity provider back up and, once again, initiate single sign-on again using the following URL:

    http://host-machine.domain:port/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=
    /sp&idpEntityID=LB-host-machine.LB-domain
  15. Monitor the log and shutdown the identity provider on which this second single sign-on request landed.
  16. Initiate single logout using the following URL:

    http://host-machine.domain:port/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=
    /sp&idpEntityID=LB-host-machine.LB-domain
  17. A successful logout confirms assertion failover is working.

And now that Assertion Failover has been correctly configured, put your footsies up and check out this live version of The Killers' latest hit - are we Human or are we dancer?

About

docteger

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today