1. Introduction
This sample uses 2 machines: one hosting the 2 IDPs, which run on a single
Identity Server (IS), and the other hosting the SP, which runs Portal Server.
Because there is more than one IDP, the Common Domain Service (CDS) is
used to read and write the common domain cookie for the user. The common
domain cookie is used to find the user's preferred IDP. The CDS may be
installed on either of the 2 machines or on a separate third machine. In
this sample, it runs on the machine hosting the SP.
It demonstrates the following features:
Identity Federation
Liberty Single Sign-On
Federation Termination
Single Log-Out at SP
2. Setup
Portal Server on host A
Authentication-less desktop enabled
Authentication-less desktop disabled for federated users
Federation enabled
IDP-1 on host B (www.idp1.com)
IDP-2 on host B (www.idp2.com)
Common Domain Service (CDS) on host A
3. Configuration
Configuration may be done manually by following the procedure given in
the following sections.
It is also possible to do it using the scripts configSP.sh and
configIDP.sh. These scripts must be edited appropriately before use;
the comments in the scripts will help you customize them. Execute
the configSP script on the system with Portal Server installed. Execute
the configIDP script on the system to be used as the IDP, which has Identity
Server installed.
3.1. Service Provider (SP) Portal Server configuration
3.1.1. Load the metadata for SP
a. Edit spmetadata.xml
Replace the tokens with values appropriate to the deployment. Examples
are shown below.
$ORG_DN -> dc=sun,dc=com
$PROTOCOL -> http
$SP_HOST_DOMAIN -> hostA.sun.com
$SP_PORT -> 80
$IS_DEPLOY_DESCRIPTOR -> amserver
$PS_DEPLOY_DESCRIPTOR -> portal
$IDP_HOST_DOMAIN -> hostB.sun.com
$IDP_PORT -> 80
$COOKIE_DOMAIN -> .sun.com
b. Load the metadata using this command on hostA
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin
--password password --data spmetadata.xml
3.1.2. Create Federation Channel
a. Edit fedChannel.xml
Replace the tokens with values appropriate to the deployment. Examples
are shown below.
$PROTOCOL -> http
$SP_HOST_DOMAIN -> hostA.sun.com
$SP_PORT -> 80
$IS_DEPLOY_DESCRIPTOR -> amserver
b. Load the display profile (DP) XML using this command on hostA. Remember
to use the appropriate DN for amAdmin and the organization.
<PORTAL_BASEDIR>/SUNWps/bin/dpadmin modify -u
"uid=amAdmin,ou=People,dc=sun,dc=com" -w password -d "dc=sun,dc=com" -m
fedChannel.xml
c. Create channel template directory
mkdir /etc/opt/SUNWps/desktop/sampleportal/Federation
d. Copy the channel template from the sample directory to the template
directory.
cp fedChannel.template
/etc/opt/SUNWps/desktop/sampleportal/Federation/display.template
3.1.3. Set Global Attributes for Desktop Service
In the admin console, go to the "Service Management" tab. Click
on the "Portal Desktop" service in the navigation frame and set the
following values in the global section of the data frame.
Set "Enable Federation" to true.
Set "Hosted Provider ID" to http://hostA.sun.com. Remember to
replace the protocol and host name with the correct values for your deployment.
Set "Authentication-less Portal Desktop Configuration" to enable.
Set the "Default Authentication-less User DN" and "Authorized
Authentication-less User DNs and Passwords" appropriately, if not
already set. Typically, these will already have been set by the
installer if the sample portal was installed.
Set "Disable Authentication-less Access for Federated Users"
to true.
3.1.4. Create a user on SP hostA
Create a user "psuser" with at least the Desktop service assigned. Log in as
psuser and verify the user's desktop.
3.2. Identity Provider (IDP) configuration
3.2.1. Create sub-orgs and users
Create sub-orgs "idp1" and "idp2" in the IS installed on hostB.
Create users "user1" and "user2" in these sub-orgs respectively.
To do this, load the subOrgRequests.xml file. The passwords for the users
are the same as the user names.
a. Edit subOrgRequests.xml
Replace the tokens $ORG_DN, $PROTOCOL, $IS_DEPLOY_DESCRIPTOR and
$AMLDAPUSER_PWD appropriately.
b. Load the XML using this command on hostB.
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin --password
password --data subOrgRequests.xml
3.2.2. Edit AMConfig.properties
Edit the /etc/opt/SUNWam/config/AMConfig.properties file on hostB.
a. The cookie names must be different for the SP and the IDP if both are
running in the same domain.
Change "com.iplanet.am.cookie.name" to "sunDirectoryPro". This name may
be anything other than the one on the SP, which is
"iPlanetDirectoryPro" by default.
b. Edit fqdnMap to add these entries
com.sun.identity.server.fqdnMap[www.idp1.com]=www.idp1.com
com.sun.identity.server.fqdnMap[www.idp2.com]=www.idp2.com
c. Restart the web container.
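The property edits in steps a and b above, as an added shell example that is not part of the sample or its configIDP.sh script. It assumes AMConfig.properties holds one KEY=VALUE per line (as the entries above show) and takes the file path as its only argument; the hypothetical script name amconfig_edit.sh and the properties lines used to exercise it are constructed, not the real file.

```shell
#!/bin/sh
# Added example, not part of the sample: apply the AMConfig.properties edits
# from step 3.2.2 with a key-based replace that never duplicates an entry,
# and check that the SP and IDP cookie names really differ.
set -e

# set_property FILE KEY VALUE: rewrite the line starting with "KEY=" or append it.
# awk is used because the fqdnMap keys contain '[' and '.', which would need
# escaping in a sed regular expression; index() does a plain string match.
set_property() {
  awk -v k="$2" -v v="$3" '
    index($0, k "=") == 1 { print k "=" v; found = 1; next }
    { print }
    END { if (!found) print k "=" v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_property FILE KEY: print the value of KEY, or nothing if it is absent.
get_property() {
  awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# configure_idp_amconfig FILE: steps 3.2.2 a and b for the IDP host (hostB).
# Running it twice leaves the file unchanged, so it is safe to re-run.
configure_idp_amconfig() {
  set_property "$1" com.iplanet.am.cookie.name sunDirectoryPro
  set_property "$1" 'com.sun.identity.server.fqdnMap[www.idp1.com]' www.idp1.com
  set_property "$1" 'com.sun.identity.server.fqdnMap[www.idp2.com]' www.idp2.com
}

# cookie_names_differ SP_FILE IDP_FILE: succeed only when the two files name
# different session cookies, as step 3.2.2 a requires for a shared domain.
cookie_names_differ() {
  [ "$(get_property "$1" com.iplanet.am.cookie.name)" != \
    "$(get_property "$2" com.iplanet.am.cookie.name)" ]
}

# Usage on hostB (keep a backup of the original file):
#   cp AMConfig.properties AMConfig.properties.orig
#   sh amconfig_edit.sh /etc/opt/SUNWam/config/AMConfig.properties
if [ "$#" -eq 1 ]; then
  configure_idp_amconfig "$1"
  get_property "$1" com.iplanet.am.cookie.name
fi
```

Remember that the web container still has to be restarted afterwards (step c); the script only edits the file.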
3.2.3. Load the metadata for IDP
a. Edit idpmetadata.xml
Replace the tokens with values appropriate to the deployment. Examples
are shown below.
$ORG_DN -> dc=sun,dc=com
$PROTOCOL -> http
$SP_HOST_DOMAIN -> hostA.sun.com
$SP_PORT -> 80
$IS_DEPLOY_DESCRIPTOR -> amserver
$PS_DEPLOY_DESCRIPTOR -> portal
$IDP_PORT -> 80
b. Load the metadata using this command on hostB
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin
--password password --data idpmetadata.xml
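The token replacement called for in steps 3.1.1a, 3.1.2a, 3.2.1a and 3.2.3a, as one added shell example that is not the sample's own configSP.sh or configIDP.sh. It assumes the tokens appear in the files literally as $NAME, refuses to hand over a file that still contains one (so a half-edited metadata file is never loaded with amadmin or dpadmin), and the template lines used to exercise it are constructed, not the real metadata.

```shell
#!/bin/sh
# Added example, not the sample's own configSP.sh or configIDP.sh: expand the
# $TOKEN placeholders in spmetadata.xml, fedChannel.xml, subOrgRequests.xml
# or idpmetadata.xml and refuse to produce a file that still contains one.
set -e

# expand_tokens TEMPLATE OUTPUT NAME=VALUE...
# Every occurrence of $NAME in TEMPLATE becomes VALUE in OUTPUT.
# Assumes no token name is a prefix of another (true of the sample's tokens).
expand_tokens() {
  template=$1
  output=$2
  shift 2
  script=''
  for pair in "$@"; do
    name=${pair%%=*}
    value=${pair#*=}
    # '|' is the sed delimiter and '&' and '\' are special in the replacement
    value=$(printf '%s' "$value" | sed 's/[|&\\]/\\&/g')
    script="$script"'s|\$'"$name"'|'"$value"'|g;'
  done
  sed "${script%;}" "$template" > "$output"
}

# check_no_tokens FILE
# Lists any $NAME placeholder still present and returns 1 if there is one.
check_no_tokens() {
  if grep -q '\$[A-Z_][A-Z0-9_]*' "$1"; then
    echo "unreplaced tokens in $1:" >&2
    grep -o '\$[A-Z_][A-Z0-9_]*' "$1" | sort -u >&2
    return 1
  fi
}

# Usage (hypothetical script name):
#   sh expand_tokens.sh spmetadata.xml spmetadata.out \
#      ORG_DN=dc=sun,dc=com PROTOCOL=http SP_HOST_DOMAIN=hostA.sun.com \
#      SP_PORT=80 IS_DEPLOY_DESCRIPTOR=amserver PS_DEPLOY_DESCRIPTOR=portal \
#      IDP_HOST_DOMAIN=hostB.sun.com IDP_PORT=80 COOKIE_DOMAIN=.sun.com
if [ "$#" -ge 3 ]; then
  expand_tokens "$@"
  check_no_tokens "$2"
fi
```

The output file is the one to pass to amadmin --data or dpadmin -m; a non-zero exit means a token from the list in the step was left out of the command line.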
4. Testing
Important:
1. Before beginning testing, delete cookies and start a new browser
instance.
2. Synchronize the clocks on the IDP and SP. As root, execute the command "rdate
hostA" on hostB, or vice versa.
3. Edit the hosts file on the system where you will run the browser and add
IP.OF.THE.HOST_B www.idp1.com
IP.OF.THE.HOST_B www.idp2.com
4.1. Federation
Access the portal at http://hostA.red.iplanet.com:58080/portal/dt
The Common Login page is displayed. Log in locally as the psuser created
earlier.
Click on the "Federate Identity" link in the "Identity
Federation" channel.
The 2 IDPs, www.idp1.com and www.idp2.com, will be shown in the
drop-down list on the federation page.
Select idp1 to federate with and click Submit.
The login page for www.idp1.com is displayed. Log in as "user1",
created earlier.
The Federation success page is displayed. Click on the "Continue"
link.
Repeat these steps to federate "psuser" with "user2" in
"www.idp2.com".
The desktop for psuser is displayed after clicking Continue. Click
"Logout" to log out of the portal.
Close the browser.
4.2. Single Sign-On
Start a new browser session.
Access the portal at http://hostA.red.iplanet.com:58080/portal/dt
The last identity federation was done with idp2 in the previous
steps, so idp2 is the preferred IDP.
The www.idp2.com login screen is presented. Log in as "user2" at idp2.
The desktop for psuser is displayed. Notice the user name in the
"User Information" channel.
If the last IDP federated with was idp1, then the idp1 login screen
will be presented. The common domain cookie stores the last IDP the
user interacted with, and that IDP is treated as the preferred IDP.
4.3. Single Logout
This assumes that you have already performed single sign-on
by authenticating at idp2 and psuser's desktop is displayed.
Click "Logout" to log out of the portal server.
Now access http://www.idp2.com:58080/amconsole.
The login page for idp2 is displayed, indicating that by
performing a logout at the portal server, you have also been logged out
of the IDP.
4.4. Federation Termination
This assumes that you have already performed single sign-on
and psuser's desktop is displayed.
Click on the "Terminate Federation" link in the "Identity
Federation" channel.
Select the provider and click Submit.
The Federation Termination success page is displayed. Click on the
"Continue" link.
psuser's desktop is displayed.
Repeat these steps to terminate federation at both IDPs.
Click "Logout" to log out.
Close the browser and start a new browser session.
Access the portal at http://hostA.red.iplanet.com:58080/portal/dt