Sun Java System Access Manager version 7 2005Q4
Sample
 

Main Page

Services Consumer sample for Liberty Phase II


1. Introduction

This explains how to deploy and run the WSC sample to query and modify Liberty Discovery Service and ID-SIS Personal Profile Service.

There are five parties involved in this sample:

  • Liberty Service Provider (SP)
  • Liberty Identity Provider (IDP)
  • Web Service Consumer (WSC)
  • Liberty Discovery Service (DS)
  • Liberty ID-SIS Personal Profile Service (ID-SIS-PP)

Here is the general flow of the sample :

  1. Complete the Liberty Single-Sign-On Process, obtain Discovery Service Boot Strapping Resource Offering.
  2. Register user's Resource Offering at the ID-SIS-PP instance using Discovery Service Modification.
  3. Send Discovery Service Lookup request, discovery service returns discovery lookup response to the WSC which contains the resource offering for the user's ID-SIS-PP instance.
  4. Send Data Service Query to the ID-SIS-PP Instance to retrieve user attributes.
  5. Send Data Service Modification to the ID-SIS-PP Instance to modify user attributes.

There are five JSP provided in this sample:

  • index.jsp : Retrieve boot strapping resource offering for discovery service.
  • discovery-modify.jsp : Add Resource Offering for a user.
  • discovery-query.jsp : Send query to discovery service for service resource offering.
  • id-sis-pp-modify.jsp : Send Data Service Modify request to modify user attributes.
  • id-sis-pp-query.jsp : Send Data Service Query Request to retrieve user attributes


2. Deploy the Sample

Two machines are required for this sample:

  1. SP & WSC are deployed on machine1, whose host name is "www.sp1.com".
  2. IDP, DS & ID-SIS-PP are deployed on machine2, whose host name is "www.idp1.com".

    Note :

    <BEGIN_DIR> refers to the Access Manager installation directory:
      Solaris Sparc/x86: BEGIN_DIR = <install_dir>/SUNWam
      Linux : BEGIN_DIR = <install_dir>/sun/identity

    <CONFIG_DIR refers to the Access Manager Configuration Directory.
      Solaris Sparc/x86: CONFIG_DIR = /etc/opt/SUNWam/config
      Linux : CONFIG DIR = /etc/opt/sun/identity/config

A. Deploy on Machine 1

  1. Deploy liberty sample1 SP, follow the instruction on <BEGIN_DIR>/samples/liberty/sample1/sp1
  2. Change protocol support of the remote IDP to ID-FF 1.2. Login to Access Manager Administration Console as top level administrator.
      - Select "Federation" Tab.
      - Select "Entities" Sub Tab.
      - Click on the Remote Identity Provider Entity ID eg www.idp1.com.
      - Select "Identity Provider" from the drop down View Menu.
      - Edit the "Protocol Support Enum" attribute to set its value to "urn:liberty:iff:2003-08".
      - Set "Cache Duration" Attribute Value eg. to set value to 60 seconds enter PT60S.
      - Select Save to save changes made in the Provider page.
  3. Replace tags and hosts in discovery-modify.jsp and index.jsp.
           replace IDP_SERVER_PORT with server port of IDP machine.
           replace SERVICE_DEPLOY_URI with service deployment URI of the IDP machine
           replace www.sp1.com with host name of the SP machine if needed.
           replace www.idp1.com with host name of IDP machine if needed.
           replace userDN value for the IDP user whose personal profile resource 
           offering is to be created.
           
  4. Deploy JSPs. Copy all the five jsps to a sub directory of the document root of the web container. In case of Sun Java System Web Server 6.1, run following command:
           mkdir <WEB_SERVER_INSTALL_DIR>/docs/wsc
           cp <BEGIN_DIR>/samples/phase2/wsc/*.jsp
              <WEB_SERVER_INSTALL_DIR>/docs/wsc/
           
  5. Login to access manager admin console, create a user called "spUser" This user will be used as federated user on the SP side.

B. Deploy on Machine 2

  1. Deploy liberty sample1 IDP, follow the instruction on <BEGIN_DIR>/samples/liberty/sample1/idp1.
  2. Create a user called "idpUser". This user will be used as the federated user on the IDP side, also as storage of Discovery Service resource offering and Personal Profile Service attributes. You must select "Liberty Personal Profile Service" in the Available Services when creating the idpUser (otherwise PP modify will fail).


3. Run the Sample

Basic Flow

Here is the steps to run the sample:

  1. Federate user "spUser" and "idpUser" follow Liberty sample1, and logout.
  2. Single-sign-on again from SP to IDP using "idpUser".
  3. Use your browser, connect to "http://<machine1>:<server_port>/wsc/index.jsp". You will see the boot strapping resource offering for Discovery Service, also two buttons, one for "Send Discovery Lookup", one for "Add PP Resource Offering"
  4. Click "Add PP Resource Offering", this will lead to discovery-modify.jsp page, the PP resource offering has been computed based on the boot strapping Discovery Service Resource Offering.
  5. Click "Send Discovery Update Request", the user's Personal Profile resource offering will be registered in "idpUser" on machine2.
  6. Click "Return to index.jsp" link, this will bring you back to index.jsp page with boot strapping resource offering.
  7. Click "Send Discovery Lookup" button, this will lead to discovery-query.jsp page. Fill in "ServiceType to look for" field if needed. Click "Send Discovery Lookup Request", the PP resource offering added in step 4 will be displayed.
  8. Two options in this page :

    a. Click "Send PP Query" will lead to id-sis-pp-query.jsp page, which will query Personal Profile Service in machine 2 for user attributes. Pick "urn:liberty:security:2003-08:null:null" in Authentication Mechanism field. You could change the "XPath Expression" field (default to /PP/CommonName) for different XPath expression for attribute selection.

    b. Click "Send PP Modify" will lead to id-sis-pp-modify.jsp page, which will send Modify request to Personal Profile Service in machine 2 to modify user's personal profile attributes. Pick "urn:liberty:security:2003-08:null:null" in Authentication Mechanism field. You could modify "XPath Expression" field (default to /PP/CommonName/AnalyzedName/FN) for attribute selection, and "Value" field for new values for the attribute.

You could repeat above process for discovery/id-sis-pp query and modify cases.

User Interaction with Personal Profile Service

  1. Login to the administration console of Machine 2 (IDP) as top level administrator.

    * Create a policy for Personal Profile service to require user interaction for Query and/or Modify.
      - Select Access Control Tab.
      - Click on the realm to which policy is to be added.
      - Select the "Policies" sub tab.
      - Click on "New Policy" to create a Policy. This will display the "Add Policy" page.
      - Enter the Policy Name in the "Name" field.
      - Click on "New" under the Rules section on the same page to add a new Rule.
      - In the "Add Rule" page select choice value "Liberty Personal Profile Service (with resource name)".
      - Click on "Next" to go to Step 2 of Adding New Rule.
      - Enter Rule Name in the "Name" field.
      - Enter "*" for Resource Name.
      - Select Actions MODIFY and/or QUERY check boxes and their values could be either "Interact for Consent" OR "Interact for Value", which can be selected from the drop down menu for these actions.
      - Select "Finish" to save the Rule and return to "Add Policy" Page.
      - Select New in the "Subjects" section to add subjects for the policy.This will display the Add Subjects Page.
      - Select choice value "Authenticated Users".
      - Select Next to Continue.
      - Enter value for "Name" Field and select Finish.


    * Enable policy evaluation for Personal Profile Service Query and/or Modify.In Access Manager Administration Console :
      - Select "Web Services" Tab.
      - Select "Personal Profile Service" Sub Tab.
      - Click on "Enable" Check box for attribute "Require Query Policy Eval" and/or "Require Modify Policy Eval".
      - Select "Save" to save changes.

  2. Follow the same steps as in Basic Flow section to run the sample. In Step 8, after clicking "Send PP Query" or "Send PP Modify", you will be asked for consent or attribute value for the operation performed. Make the choice or enter value to complete the flow. You may change the policy defined in step 1 to see different behavior for user interaction.

X.509 Message Authentication

  1. Follow instruction in SAML xmlsig sample to set up JKS signing key store (instruction could be found at <BEGIN_DIR>/samples/saml/xmlsig) in both machines. Edit <CONFIG_DIR>/AMConfig.properties to reflect the key store, password and cert alias. The properties to edit are :
      com.sun.identity.saml.xmlsig.keystore
      com.sun.identity.saml.xmlsig.storepass
      com.sun.identity.saml.xmlsig.keypass
      com.sun.identity.saml.xmlsig.certalias
  2. At both machine 1 (SP) and machine 2 (IDP), edit <CONFIG_DIR>/AMConfig.properties, set the "com.sun.identity.liberty.ws.wsc.certalias" property to the alias of the signing certification.
  3. To test X.509 Message Authentication in discovery service, login to Access Manager administration console as top level administrator:
      - Select "Web Services" Tab.
      - Select "Discovery Service" Sub Tab.
      - Click on Service Type "urn:liberty:disco:2003-08" in the "Resource Offerings for Bootstrapping Resources Section.
      - In Service Description Section, Select Edit to change the Security Mechanism ID.
      - Select Remove to remove Security Mechanism ID, "urn:liberty:security:2003-08:null:null".
      - Select Security Mechanism ID "urn:liberty:security:2003-08:null:X509" and click on Add to add it as the Security Mechanism.

    Follow the steps as in Basic Flow section to run the sample.
  4. To test X.509 Message Authentication in Personal Profile Service, follow the steps in Basic Flow section, choose "urn:liberty:security:2003-08:null:X509" as Authentication Mechanism when perform PP query or modify.
  5. To test SSL (urn:liberty:security:2003-08:TLS:X509), you must import the CA for the web server certification of machine 2 (IDP) to the web server certificate database of machine 1 (SP).


End of Sample