Web Services Consumer sample for Liberty Phase II

This readme file explains how to deploy and run the WSC sample to query and modify Liberty Discovery Service and ID-SIS Personal Profile Service.

Introduction

There are five parties involved in this sample:
  1. SP (Service Provider)
  2. WSC (Web Services Consumer)
  3. IDP (Identity Provider)
  4. DS (Discovery Service)
  5. ID-SIS-PP (Liberty Personal Profile Service)

Here is the general flow of the sample:
  1. Complete the Liberty Single Sign-On process and obtain the Discovery Service bootstrapping Resource Offering.
  2. Register the user's Resource Offering for the ID-SIS-PP instance at the Discovery Service using a Discovery Service Modification.
  3. Send a Discovery Service Lookup request; the Discovery Service returns a lookup response to the WSC that contains the Resource Offering for the user's ID-SIS-PP instance.
  4. Send a Data Service Query to the ID-SIS-PP instance to retrieve user attributes.
  5. Send a Data Service Modification to the ID-SIS-PP instance to modify user attributes.
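The Discovery Service messages of steps 2 and 3, as an added Python example that is not part of this sample's JSPs or of Identity Server: it parses a bootstrapping DS ResourceOffering, derives the ID-SIS-PP ResourceOffering to register (the assumption being that discovery-modify.jsp computes one in a similar way), wraps it in a disco:Modify InsertEntry, and builds the disco:Query used for the lookup. The element layout follows the Liberty ID-WSF 1.0 Discovery Service schema; the endpoint URLs, ResourceIDs and the bootstrap offering itself are constructed values, and the SecurityMechID is checked against the three mechanisms this readme names.

```python
# Added example, not code from the Sun sample. Builds the disco:Modify and
# disco:Query messages of the general flow. All URLs and ResourceIDs below are
# made-up values; only the namespace URIs and mechanism URNs come from the spec.
import xml.etree.ElementTree as ET

DISCO = "urn:liberty:disco:2003-08"
DS_SERVICE_TYPE = "urn:liberty:disco:2003-08"
PP_SERVICE_TYPE = "urn:liberty:id-sis-pp:2003-08"
ET.register_namespace("disco", DISCO)

# The three authentication mechanisms this readme lets you choose between.
SECURITY_MECHS = {
    "urn:liberty:security:2003-08:null:null",  # no message authentication
    "urn:liberty:security:2003-08:null:X509",  # X.509-signed SOAP messages
    "urn:liberty:security:2003-08:TLS:X509",   # X.509 signing over SSL/TLS
}

# Constructed bootstrapping DS ResourceOffering, standing in for the one the
# WSC extracts from the SSO assertion. Every value here is invented.
BOOTSTRAP_RO = f"""
<disco:ResourceOffering xmlns:disco="{DISCO}">
  <disco:ResourceID>http://www.idp1.com/ds/resource/idpUser</disco:ResourceID>
  <disco:ServiceInstance>
    <disco:ServiceType>{DS_SERVICE_TYPE}</disco:ServiceType>
    <disco:ProviderID>http://www.idp1.com</disco:ProviderID>
    <disco:Description>
      <disco:SecurityMechID>urn:liberty:security:2003-08:null:null</disco:SecurityMechID>
      <disco:Endpoint>http://www.idp1.com/amserver/Liberty/disco</disco:Endpoint>
    </disco:Description>
  </disco:ServiceInstance>
</disco:ResourceOffering>
"""


def q(tag):
    """Clark-notation name in the disco namespace."""
    return f"{{{DISCO}}}{tag}"


def parse_offering(xml_text):
    """Return (resource_id, provider_id, endpoint, security_mech) of a ResourceOffering."""
    ro = ET.fromstring(xml_text)
    desc = ro.find(f"./{q('ServiceInstance')}/{q('Description')}")
    return (
        ro.findtext(q("ResourceID")),
        ro.findtext(f"./{q('ServiceInstance')}/{q('ProviderID')}"),
        desc.findtext(q("Endpoint")),
        desc.findtext(q("SecurityMechID")),
    )


def build_pp_offering(bootstrap_xml, pp_endpoint, pp_resource_id, mech):
    """Derive the ID-SIS-PP ResourceOffering to register: same ProviderID as the
    bootstrap offering, PP ServiceType, caller-chosen endpoint, ResourceID and
    SecurityMechID. Rejects mechanisms the readme does not offer."""
    if mech not in SECURITY_MECHS:
        raise ValueError(f"unsupported SecurityMechID: {mech}")
    _, provider_id, _, _ = parse_offering(bootstrap_xml)
    ro = ET.Element(q("ResourceOffering"))
    ET.SubElement(ro, q("ResourceID")).text = pp_resource_id
    si = ET.SubElement(ro, q("ServiceInstance"))
    ET.SubElement(si, q("ServiceType")).text = PP_SERVICE_TYPE
    ET.SubElement(si, q("ProviderID")).text = provider_id
    desc = ET.SubElement(si, q("Description"))
    ET.SubElement(desc, q("SecurityMechID")).text = mech
    ET.SubElement(desc, q("Endpoint")).text = pp_endpoint
    return ro


def build_discovery_modify(bootstrap_xml, pp_offering):
    """disco:Modify with one InsertEntry, addressed to the user's DS ResourceID (step 2)."""
    resource_id, _, _, _ = parse_offering(bootstrap_xml)
    modify = ET.Element(q("Modify"))
    ET.SubElement(modify, q("ResourceID")).text = resource_id
    ET.SubElement(modify, q("InsertEntry")).append(pp_offering)
    return modify


def build_discovery_query(bootstrap_xml, service_type=PP_SERVICE_TYPE):
    """disco:Query asking the DS for the user's offerings of one ServiceType (step 3)."""
    resource_id, _, _, _ = parse_offering(bootstrap_xml)
    query = ET.Element(q("Query"))
    ET.SubElement(query, q("ResourceID")).text = resource_id
    rst = ET.SubElement(query, q("RequestedServiceType"))
    ET.SubElement(rst, q("ServiceType")).text = service_type
    return query


def to_xml(elem):
    return ET.tostring(elem, encoding="unicode")


if __name__ == "__main__":
    pp = build_pp_offering(BOOTSTRAP_RO, "http://www.idp1.com/amserver/Liberty/idpp",
                           "http://www.idp1.com/pp/idpUser",
                           "urn:liberty:security:2003-08:null:X509")
    print(to_xml(build_discovery_modify(BOOTSTRAP_RO, pp)))
    print(to_xml(build_discovery_query(BOOTSTRAP_RO)))
```

The messages are the SOAP body payloads only; in the real exchange they are carried in a SOAP envelope whose header holds the Liberty correlation and security elements, and the lookup response returns the same ResourceOffering structure that the modify inserted.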
There are five JSPs provided in this sample.

Deploy the Sample

Two machines are required for this sample:
1. SP and WSC are deployed on machine 1, whose host name is "www.sp1.com".
2. IDP, DS and ID-SIS-PP are deployed on machine 2, whose host name is "www.idp1.com".

Note : <is_install_root> refers to the Identity Server installation directory, for example, "/opt".

A. Deploy on Machine 1

Step 1 : Deploy the Liberty sample1 SP, following the instructions in <is_install_root>/SUNWam/samples/liberty/sample1/sp1.
Step 2 : Change the protocol support of the remote IDP to ID-FF 1.2.
Log in to the Identity Server Administration Console as top level administrator, go to Federation Management, select the "Entity Descriptors" view, click the remote IDP entity ID in the list, select "Provider" in the View menu of the right panel, click the "[Edit...]" link under Provider, select "urn:liberty:iff:2003-08" in the "Protocol Support Enum" field (enter an integer value, e.g. 60, in the "Cache Duration" field if it is empty), then click "Save".
Step 3 : Replace the tags and host names in discovery-modify.jsp and index.jsp.
Step 4 : Deploy the JSPs. Copy all five JSPs to a subdirectory of the document root of the web container. In the case of Sun Java System Web Server 6.1, run the following commands:
mkdir <webserver_install_root>/docs/wsc
cp <is_install_root>/SUNWam/samples/phase2/wsc/*.jsp <webserver_install_root>/docs/wsc/
Step 5 : Log in to the Identity Server admin console and create a user called "spUser". This user will be used as the federated user on the SP side.


B. Deploy on Machine 2

Step 1 : Deploy the Liberty sample1 IDP, following the instructions in <is_install_root>/SUNWam/samples/liberty/sample1/idp1.
Step 2 : Register the Liberty Personal Profile Service. Log in to the Identity Server admin console as top level administrator, go to Identity Management, choose "Services" in the View menu, and click "Add". Select "Liberty Personal Profile Service" in the right panel and click "OK".
Step 3 : Create a user called "idpUser". This user will be used as the federated user on the IDP side, and also as the store for the Discovery Service resource offering and the Personal Profile Service attributes. You must select "Liberty Personal Profile Service" in the Available Services when creating idpUser (otherwise PP modify will fail).

Run the Sample

Basic Flow

Here are the steps to run the sample:

    1. Federate the users "spUser" and "idpUser" following Liberty sample1, then log out.
    2. Single sign on again from the SP to the IDP as "idpUser".
    3. Using your browser, connect to "http://<machine1>:<server_port>/wsc/index.jsp". You will see the bootstrapping resource offering for the Discovery Service and two buttons, "Send Discovery Lookup" and "Add PP Resource Offering".
    4. Click "Add PP Resource Offering". This leads to the discovery-modify.jsp page, where the PP resource offering has been computed from the bootstrapping Discovery Service resource offering.
    5. Click "Send Discovery Update Request". The user's Personal Profile resource offering is registered in "idpUser" on machine 2.
    6. Click the "Return to index.jsp" link. This brings you back to the index.jsp page with the bootstrapping resource offering.
    7. Click the "Send Discovery Lookup" button. This leads to the discovery-query.jsp page. Fill in the "ServiceType to look for" field if needed, then click "Send Discovery Lookup Request". The PP resource offering registered in step 5 is displayed.
    8. Two options on this page: "Send PP Query" and "Send PP Modify", which send a Data Service Query or a Data Service Modification to the user's ID-SIS-PP instance.
You can repeat the above process for the discovery and ID-SIS-PP query and modify cases.


User Interaction with Personal Profile Service

  1. Log in to the administration console of machine 2 (IDP) as top level administrator.
  2. Follow the same steps as in the Basic Flow section to run the sample. In step 8, after clicking "Send PP Query" or "Send PP Modify", you will be asked for consent or for an attribute value for the operation being performed. Make the choice or enter the value to complete the flow. You may change the policy defined in step 1 to see different user interaction behavior.


X.509 Message Authentication

  1. Follow the instructions in the SAML xmlsig sample to set up the JKS signing key store (the instructions are in <is_install_root>/SUNWam/samples/saml/xmlsig) on both machines. Edit /etc/opt/SUNWam/config/AMConfig.properties to reflect the key store, its password and the certificate alias.
  2. On both machine 1 (SP) and machine 2 (IDP), edit /etc/opt/SUNWam/config/AMConfig.properties and set the "com.sun.identity.liberty.ws.wsc.certalias" property to the alias of the signing certificate.
  3. To test X.509 message authentication in the Discovery Service, log in to the Identity Server administration console as top level administrator, go to "Service Configuration", then "Discovery Service". Edit the Resource Offerings for Bootstrapping Resources and change the Authentication Mechanism from "urn:liberty:security:2003-08:null:null" to "urn:liberty:security:2003-08:null:X509". Click "Save" to save the change. Follow the steps in the Basic Flow section to run the sample.
  4. To test X.509 message authentication in the Personal Profile Service, follow the steps in the Basic Flow section and choose "urn:liberty:security:2003-08:null:X509" as the Authentication Mechanism when performing a PP query or modify.
  5. To test SSL (urn:liberty:security:2003-08:TLS:X509), you must import the CA certificate that issued the web server certificate of machine 2 (IDP) into the web server certificate database of machine 1 (SP); otherwise the WSC's TLS connection to the IDP-side endpoints fails certificate validation.