This readme file explains how to deploy and run the WSC sample to query and modify Liberty Discovery Service and ID-SIS Personal Profile Service.
Introduction
There are five parties involved in this sample:
Two machines required for this sample:
1. SP & WSC are deployed on machine1, whose host name is "www.sp1.com".
2. IDP, DS & ID-SIS-PP are deployed on machine2, whose host name
is "www.idp1.com".
Note : <is_install_root> refers to the Identity Server installation directory, for example, "/opt".
A. Deploy on Machine 1
Step 1 : Deploy liberty sample1 SP, follow the instruction on <is_install_root>/SUNWam/samples/liberty/sample1/sp1.
Step 2 : Change protocol support of the remote IDP to ID-FF 1.2.Login to Identity Server Administration Console as top level administrator, goto Federation Management, select "Entity Descriptors" View, click the remote IDP entity ID from the list, select "Provider" on the View menu in the right panel, click the "[Edit...]" link under Provider, select "urn:liberty:iff:2003-08" under the "Protocol Support Enum" field (enter an integer value, e.g. 60, in the "Cache Duration" field if it is empty), then click "Save"Step 3 : Replace tags and hosts in discovery-modify.jsp and index.jspstep 4 : Deploy JSPs. Copy all the five jsps to a sub directory of the document root of the web container. In case of Sun Java System Web Server 6.1, run following command:
- replace IDP_SERVER_PORT with server port of IDP machine.
- replace SERVICE_DEPLOY_URI with service deployment URI of the IDP machine.
- replace www.sp1.com with host name of the SP machine if needed.
- replace www.idp1.com with host name of IDP machine if needed.
mkdir <webserber_install_root>/docs/wscStep 5 : Login to identity server admin console, create a user called "spUser". This user will be used as federated user on the SP side.
cp <is_install_root>/SUNWam/samples/phase2/wsc/*.jsp <webserber_install_root>/docs/wsc/
B. Deploy on Machine 2
Step 1 : Deploy liberty sample1 IDP, follow the instruction on <is_install_root>/SUNWam/samples/liberty/sample1/idp1.Run the Sample
Step 2 : Register Liberty Personal Profile Service. Login to identity server admin console as top level administrator, go to Identity Management, choose "Services" in View menu, click "Add". Select "Liberty Personal Profile Service" on the right panel, click "OK".
Step 3 : Create a user called "idpUser". This user will be used as the federated user on the IDP side, also as storage of Discovery Service resource offering and Personal Profile Service attributes. You must select "Liberty Personal Profile Service" in the Available Services when creating the idpUser (otherwise PP modify will fail).
Basic FlowHere is the steps to run the sample:
You could repeat above process for discovery/id-sis-pp query and modify cases.
User Interaction with Personal Profile Service
- Login to the administration console of Machine 2 (IDP) as top level administrator.
- Create a policy for Personal Profile service to require user interaction for Query and/or Modify. In Identity Server Administration Console, select "Identity Management", choose "Policies" in the View menu, click "New", select "Normal" policy and enter the Name for this policy, click "OK" to create the policy. Select "Rules" in the View menu for this policy, click "Add", choose "Liberty Personal Profile Service" as service, click "Next". Enter a "Rule Name", enter "*" in the "Resource Name" field, check the "Select" box for "MODIFY" and/or "QUERY", select "Interact for Consent" or "Interact for Value" under Value choices, click "OK", then "Save" to save the rule. Choose "Subjects" in the View menu for this policy, click "Add", choose "Authenticated Users" as Type, click "Next", enter a Name, click "OK", then "Save" to save the subject.
- Enable policy evaluation for Personal Profile Service Query and/or Modify. In Identity Server administration console, select "Service Configuration", then "Liberty Personal Profile Service", check the two boxes labeled "is Query Policy Eval Required" and "is Modify Policy Eval Required", click "Save" button to save the change.
- Follow the same steps as in Basic Flow section to run the sample. In Step 8, after clicking "Send PP Query" or "Send PP Modify", you will be asked for consent or attribute value for the operation performed. Make the choice or enter value to complete the flow. You may change the policy defined in step 1 to see different behavior for user interaction.
- Follow instruction in SAML xmlsig sample to set up JKS signing key store (instruction could be found at <is_install_root>/SUNWam/samples/saml/xmlsig) in both machines. Edit /etc/opt/SUNWam/config/AMConfig.properties to reflect the key store, password and cert alias.
- At both machine 1 (SP) and machine 2 (IDP), edit /etc/opt/SUNWam/config/AMConfig.properties, set the "com.sun.identity.liberty.ws.wsc.certalias" property to the alias of the signing certification.
- To test X.509 Message Authentication in discovery service, login to Identity Server administration console as top level administrator, goto "Service Configuration", then "Discovery Service". Edit Respource Offerings for Bootstrapping Resources, change Authentication Mechanism from "urn:liberty:security:2003-08:null:null" to "urn:liberty:security:2003-08:null:X509". click "Save" to save the change. Follow the steps as in Basic Flow section to run the sample.
- To test X.509 Message Authentication in Personal Profile Service, follow the steps in Basic Flow section, choose "urn:liberty:security:2003-08:null:X509" as Authentication Mechanism when perform PP query or modify.
- To test SSL (urn:liberty:security:2003-08:TLS:X509), you must import the CA for the web server certification of machine 2 (IDP) to the web server certificate database of machine 1 (SP).