Friday Jan 23, 2009

Testing The Sweet OpenSSO SAMLv2 Name Identifiers

The SAMLv2 Name Identifier Management Profile documents how an identity provider and a service provider might inform each other of changes to the identifier that they reference when communicating about a particular identity. The various OpenSSO ManageNameID (MNI) JSP provide a way to change SAMLv2 name identifiers or terminate mappings between identity provider accounts and service provider accounts. For example, after establishing a name identifier for use between providers when referring to an identity in SAMLv2 communications, an identity provider may want to change the value and/or format. The identity provider will notify service providers of the change by sending them a ManageNameIDRequest. A service provider might also use this message type to register or change the SPProvidedID value (included when the underlying name identifier is used to communicate with it) or to terminate the use of a name identifier between itself and the identity provider.

Following is a procedure that can be used to test the profile using OpenSSO. In the example procedure, maple.sun.com is the identity provider and honey.sun.com is the service provider.

  1. Initiate single sign-on and account linking (federation) from the service provider side using the following URL:

    http://honey.sun.com:80/opensso/saml2/jsp/spSSOInit.jsp?
    metaAlias=/sp&idpEntityID=maple.sun.com

    spSSOInit.jsp is used to initiate single sign-on and federation on the service provider side. Because metaAlias and idpEntityID are defined, the request is created and sent to the identity provider. This links the two accounts and creates a name identifier to be used by the providers to refer to the identity during communications. Both providers store the name identifier in the user's profile, which is what makes this format persistent.
  2. Log in to the identity provider host machine and the service provider host machine as root.
  3. Run
    ldapsearch -h maple -D "cn=directory manager" -w password -p 389 -b "dc=sun,dc=com" "uid=*" sun-fm-saml2-nameid-info sun-fm-saml2-nameid-infokey
    on each host machine to view the values for the sun-fm-saml2-nameid-info and sun-fm-saml2-nameid-infokey properties.

    • On the identity provider side, sun-fm-saml2-nameid-info will have a value similar to

      sun-fm-saml2-nameid-info=maple.sun.com|honey.sun.com|
      KFXSFabPdkOOhRpkkW8Aj5Etnq2o|maple.sun.com|
      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|
      null|honey.sun.com|IDPRole|false

      On the service provider side, sun-fm-saml2-nameid-info will have a value similar to

      sun-fm-saml2-nameid-info=honey.sun.com|maple.sun.com|
      KFXSFabPdkOOhRpkkW8Aj5Etnq2o|maple.sun.com|
      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|
      null|honey.sun.com|SPRole|false

      sun-fm-saml2-nameid-info is used to store all information related to the name identifier. The value is formatted as:

      hosted_entity_id|remote_entity_id|idp_nameid|
      idp_nameid_qualifier|idp_nameid_format|
      sp_nameid|sp_nameid_qualifier|
      hosted_entity_role|is_affiliation

      where

              hosted_entity_id    : entity id for this hosted entity
              remote_entity_id    : entity id for the remote entity
              idp_nameid          : name identifier for the IDP
              idp_nameid_qualifier: nameid qualifier for the IDP
              idp_nameid_format   : nameid format for the IDP
              sp_nameid           : name identifier for the SP/Affiliation
              sp_nameid_qualifier : nameid qualifier for the SP/Affiliation
              hosted_entity_role  : SPRole or IDPRole, useful when one entity could be IDP and SP at same time.
              is_affiliation      : true for affiliation, false otherwise 
      
    • On the identity provider side, sun-fm-saml2-nameid-infokey will have a value similar to

      sun-fm-saml2-nameid-infokey=maple.sun.com|honey.sun.com|
      KFXSFabPdkOOhRpkkW8Aj5Etnq2o

      On the service provider side, sun-fm-saml2-nameid-infokey will have a value similar to

      sun-fm-saml2-nameid-infokey=honey.sun.com|maple.sun.com|
      KFXSFabPdkOOhRpkkW8Aj5Etnq2o

      sun-fm-saml2-nameid-infokey is used to search an LDAP data store for better performance, when that type of data store is used. The user that binds to the LDAP data store must have read/write/search/compare permission to this attribute. You must also make sure that an equality type index is added to the data store for it. The value is formatted as:

      hosted_entity_id|remote_entity_id|idp_nameid

      where

              hosted_entity_id    : entity id for this hosted entity
              remote_entity_id    : entity id for the remote entity
              idp_nameid          : name identifier for the IDP
      
  4. Terminate the link (defederate) between the user's service provider and identity provider accounts using one of the following URLs referencing spMNIRequestInit.jsp.

    • Initiate defederation from the service provider using either HTTP-Redirect binding or SOAP binding respectively:

      http://honey.sun.com:80/opensso/saml2/jsp/spMNIRequestInit.jsp?
      metaAlias=/sp&idpEntityID=maple.sun.com&requestType=Terminate&
      binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

      http://honey.sun.com:80/opensso/saml2/jsp/spMNIRequestInit.jsp?
      metaAlias=/sp&idpEntityID=maple.sun.com&requestType=Terminate&
      binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP
    • Initiate defederation from the identity provider using either HTTP-Redirect binding or SOAP binding respectively:

      http://maple.sun.com:80/opensso/saml2/jsp/idpMNIRequestInit.jsp?
      metaAlias=/idp&spEntityID=honey.sun.com&requestType=Terminate&
      binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

      http://maple.sun.com:80/opensso/saml2/jsp/idpMNIRequestInit.jsp?
      metaAlias=/idp&spEntityID=honey.sun.com&requestType=Terminate&
      binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP
  5. After defederation, run the previous ldapsearch command again.

    Neither property has a value any longer, on either the identity provider side or the service provider side.
  6. Federate the user's service provider account and identity provider account again using the URL that references spSSOInit.jsp.

    http://honey.sun.com:80/opensso/saml2/jsp/spSSOInit.jsp?
    metaAlias=/sp&idpEntityID=maple.sun.com
  7. Run the previous ldapsearch command again.
    The two properties have values on both the identity provider and service provider sides again; the value of the name identifier is different from the previous value.
  8. Initiate the creation of a new name identifier using one of the following:

    • Initiate the creation of a new name identifier from the service provider side using spMNIRequestInit.jsp and the following URL:

      http://honey.sun.com:80/opensso/saml2/jsp/spMNIRequestInit.jsp?
      metaAlias=/sp&idpEntityID=maple.sun.com&requestType=NewID&
      binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    • Initiate the creation of a new name identifier from the identity provider side using idpMNIRequestInit.jsp and the following URL:

      http://maple.sun.com:80/opensso/saml2/jsp/idpMNIRequestInit.jsp?
      metaAlias=/idp&spEntityID=honey.sun.com&requestType=NewID&
      binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  9. Run the previous ldapsearch command for a third time.
    The two properties have values on both the identity provider and service provider sides; the value of the new name identifier is different from both of the previous values.
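
The pipe-delimited formats documented in step 3, and the expected state of the two attributes after steps 5, 7 and 9, are easy to misread by eye in ldapsearch output. Here is a small checker, an added example that is not OpenSSO code and not part of the original post: it parses both attributes (accepting the attr=value form that ldapsearch prints, even when wrapped across lines), verifies that the identity provider's and service provider's copies mirror each other, confirms that each infokey is derived from its info entry, and checks that the sequence of name identifiers observed across the procedure is present, absent and fresh where the steps above say it should be. The field layout is the one given in step 3; all class and function names are my own, and the identifier values used for the history check are constructed.

```python
"""Parse OpenSSO's sun-fm-saml2-nameid-info / -infokey attribute values and
cross-check the IdP and SP copies. Added example, not OpenSSO code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INFO_ATTR = "sun-fm-saml2-nameid-info"
INFOKEY_ATTR = "sun-fm-saml2-nameid-infokey"
INFO_FIELDS = ("hosted_entity_id", "remote_entity_id", "idp_nameid",
               "idp_nameid_qualifier", "idp_nameid_format", "sp_nameid",
               "sp_nameid_qualifier", "hosted_entity_role", "is_affiliation")

@dataclass
class NameIdInfo:
    hosted_entity_id: str
    remote_entity_id: str
    idp_nameid: str
    idp_nameid_qualifier: str
    idp_nameid_format: str
    sp_nameid: Optional[str]    # "null" on the wire: no SP-provided identifier
    sp_nameid_qualifier: str
    hosted_entity_role: str     # "IDPRole" or "SPRole"
    is_affiliation: bool

    def infokey(self) -> str:
        # The infokey value that must accompany this info entry (step 3 format).
        return "|".join((self.hosted_entity_id, self.remote_entity_id, self.idp_nameid))

def _attr_value(raw: str, attr: str) -> str:
    """Accept 'attr=value' as ldapsearch prints it, or a bare value. All
    whitespace is dropped so a value wrapped across lines still parses."""
    value = "".join(raw.split())
    prefix = attr + "="
    return value[len(prefix):] if value.startswith(prefix) else value

def parse_nameid_info(raw: str) -> NameIdInfo:
    parts = _attr_value(raw, INFO_ATTR).split("|")
    if len(parts) != len(INFO_FIELDS):
        raise ValueError(f"{INFO_ATTR}: expected {len(INFO_FIELDS)} fields, got {len(parts)}")
    f = dict(zip(INFO_FIELDS, parts))
    if f["hosted_entity_role"] not in ("IDPRole", "SPRole"):
        raise ValueError(f"{INFO_ATTR}: bad hosted_entity_role {f['hosted_entity_role']!r}")
    if f["is_affiliation"] not in ("true", "false"):
        raise ValueError(f"{INFO_ATTR}: bad is_affiliation {f['is_affiliation']!r}")
    f["sp_nameid"] = None if f["sp_nameid"] == "null" else f["sp_nameid"]
    f["is_affiliation"] = f["is_affiliation"] == "true"
    return NameIdInfo(**f)

def parse_nameid_infokey(raw: str) -> Tuple[str, str, str]:
    parts = _attr_value(raw, INFOKEY_ATTR).split("|")
    if len(parts) != 3:
        raise ValueError(f"{INFOKEY_ATTR}: expected 3 fields, got {len(parts)}")
    return parts[0], parts[1], parts[2]

def check_pair(idp_info: NameIdInfo, idp_key: str,
               sp_info: NameIdInfo, sp_key: str) -> List[str]:
    """Inconsistencies between the IdP-side and SP-side entries for one
    federated user; an empty list means the two sides agree."""
    problems = []
    if idp_info.hosted_entity_role != "IDPRole":
        problems.append("IdP entry does not carry IDPRole")
    if sp_info.hosted_entity_role != "SPRole":
        problems.append("SP entry does not carry SPRole")
    if (idp_info.hosted_entity_id, idp_info.remote_entity_id) != \
            (sp_info.remote_entity_id, sp_info.hosted_entity_id):
        problems.append("hosted/remote entity ids are not mirror images")
    if idp_info.idp_nameid != sp_info.idp_nameid:
        problems.append("name identifier differs between the two sides")
    if idp_info.idp_nameid_format != sp_info.idp_nameid_format:
        problems.append("name identifier format differs between the two sides")
    if idp_info.infokey() != idp_key:
        problems.append("IdP infokey is not derived from its info entry")
    if sp_info.infokey() != sp_key:
        problems.append("SP infokey is not derived from its info entry")
    return problems

def check_history(checkpoints: List[Tuple[str, bool, Optional[str]]]) -> List[str]:
    """checkpoints: (label, attribute expected to be present?, observed
    idp_nameid or None). Checks presence at each point and that every
    identifier issued during the procedure is new, as steps 5-9 expect."""
    problems, seen = [], set()
    for label, expected, observed in checkpoints:
        if expected and observed is None:
            problems.append(f"{label}: name identifier missing")
        elif not expected and observed is not None:
            problems.append(f"{label}: name identifier still present")
        elif observed is not None:
            if observed in seen:
                problems.append(f"{label}: identifier {observed} was reused")
            seen.add(observed)
    return problems

if __name__ == "__main__":
    # The two ldapsearch results quoted in step 3 of the post.
    idp = parse_nameid_info("sun-fm-saml2-nameid-info=maple.sun.com|honey.sun.com|"
                            "KFXSFabPdkOOhRpkkW8Aj5Etnq2o|maple.sun.com|urn:oasis:names:tc:"
                            "SAML:2.0:nameid-format:persistent|null|honey.sun.com|IDPRole|false")
    sp = parse_nameid_info("honey.sun.com|maple.sun.com|KFXSFabPdkOOhRpkkW8Aj5Etnq2o|maple.sun.com|"
                           "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|honey.sun.com|SPRole|false")
    print("problems:", check_pair(idp, idp.infokey(), sp, sp.infokey()))
```

To use it against a real deployment, paste the attribute lines from each host's ldapsearch output into parse_nameid_info and parse_nameid_infokey and pass the results to check_pair; record the idp_nameid (or None when the attribute is absent) after steps 3, 5, 7 and 9 and hand the list to check_history. Any non-empty result points at a mismatch between the providers or at a step where the MNI exchange did not take effect.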

More information on the JSP can be found in the OpenSSO Enterprise 8.0 Administration Guide.

And, in keeping with the sweet theme of the host machine names, here's The Sweet with Fox on the Run. I still smell hamburgers when I hear this song - high school lunches at the coffee shop with a jukebox.
