Liberty Samples2 Readme File
This sample includes a Service Provider and an Identity Provider.
The Service Provider's resources are deployed on SUN Java System Web Server 6.1
and protected by a policy web agent. Apart from highlighting the different
Liberty protocols such as Account Federation, Single Sign On, Single Logout
and Federation Termination, this sample also demonstrates the configuration
of different authentication levels for different resources.
SP1 is the Service Provider and IDP1 is the Identity Provider.
Note:
- This sample assumes that:
  - SUN Java System Web Server 6.1 is installed on machine1. Sun Java System
    Identity Server Policy Agent 2.0 protects this web server instance and
    SP1 is deployed on this web server. This installation could also be on
    either of the Identity Server machines below, but it is assumed to be on
    a separate machine here for clarity.
  - The Identity Server used by the web agent is installed on machine2.
  - IDP1 is deployed on an Identity Server installed on machine3.
- For Solaris: <begin_dir> = <IS_Root>/SUNWam
- For Windows 2000: <begin_dir> = <IS_Root>/SunONEIS
- <begin_dir>/samples/liberty/sample2/sp1/ will be referred to as <sp1_sample_dir> .
- <begin_dir>/samples/liberty/sample2/idp1/ will be referred to as <idp1_sample_dir> .
A. Deploy and Configure SP1 (on machine1):
- Replace the following tags in AMClient.properties
  (available in <sp1_sample_dir>/WEB-INF/classes ):
  SERVER_PROTO - protocol (HTTPS/HTTP)
  SERVER_HOST - fully qualified hostname of your IS setup, eg: www.sp1.com
  SERVER_PORT - port number where IS is running
  SERVICE_DEPLOY_URI - IS services' deployment URI (by default amserver )
  META_ALIAS - metaAlias for SP1
  (in the given sp1Metadata.xml it is entered as www.sp1.com )
- Create the war file for SP1:
  cd <sp1_sample_dir>
  jar -cvf sp1.war .
- Make sure that the server_root/bin/https/httpadmin/bin directory is in your
  path and that the IWS_SERVER_HOME environment variable is set to your
  server_root directory.
- Enter the following command:
  wdeploy deploy -u uri_path -i instance -v vs_id [-d directory] war_file
  Where:
  uri_path is the URI prefix for the web application.
  instance is the server instance name.
  vs_id is the virtual server ID.
  directory is the directory to which the application is deployed, or from
  which the application is deleted. If not specified for deployment, the
  application is deployed to the document root directory.
  war_file is the WAR file name.
- Change the AMAgent.properties entry com.sun.am.policy.am.library.loginURL
  to point to the login URL of the Identity Server installed on machine2.
  For example:
  com.sun.am.policy.am.library.loginURL=http://www.sp1.com:58080/amserver/UI/Login
- Add http://www.agentHost.com:80/sp1/index.html to the
  com.sun.am.policy.agents.notenforcedList property of the AMAgent.properties
  file. If there is no such entry in AMAgent.properties , add the following:
  com.sun.am.policy.agents.notenforcedList=http://www.agentHost.com:80/sp1/index.html
  Assumption: the hostname of the web server protected by the web agent is
  www.agentHost.com and it is running on port 80.
  Note: the agent serves every URL on this list without checking for a
  session, so list only the public index.html here; homepage.jsp and the
  Financials page must stay enforced.
- Restart the Web Server.
B. Upload the policy xml file on machine2:
- Update sp1Policy.xml (available in <sp1_sample_dir> ).
  The following assumptions are made in sp1Policy.xml :
  - SP1 Identity Server's root suffix is "dc=sp1,dc=com"
    (attribute "DN" for element "OrganizationRequests" and attribute
    "createDN" for element "CreatePolicy" )
  - Hostname for the web server protected by the web agent is
    www.agentHost.com and it is running on port 80.
  Update the above values in sp1Policy.xml as per your deployment.
- Load sp1Policy.xml using the following command (password is the amadmin
  password; note that it is visible in the process list to other users on
  machine2 while the command runs):
  <begin_dir>/bin/amadmin -u amadmin -w password -t sp1Policy.xml
  Loading this XML creates two policies for all users belonging to the
  organization dc=sp1,dc=com , corresponding to two different
  authentication levels.
C. Upload the Metadata on machine2 for SP1 :
- Update sp1MetaData.xml (available in <sp1_sample_dir> ).
  The following assumptions are made in sp1MetaData.xml :
  - Identity Server (IS) is running in HTTP mode (a test-only setting;
    outside this sample use HTTPS so that the Liberty messages are not sent
    in the clear).
  - Hostname for SP1 is www.sp1.com
  - Hostname for IDP1 is www.idp1.com
  - IS is running on port 58080
  - IS services are deployed under URI: amserver
  - SP1 Identity Server's root suffix is "dc=sp1,dc=com"
    (attribute "DN" for element "OrganizationRequests" )
  - SP1 Certificate Alias is SP1_SECURITY_KEY
  - IDP1 Certificate Alias is IDP1_SECURITY_KEY
    (the aliases name the certificates used to sign and verify Liberty
    messages, so the IDP1 alias in SP1's metadata must refer to IDP1's
    actual certificate)
  - SP1 metaAlias is www.sp1.com
  - IDP1 metaAlias is www.idp1.com
  - SP1 's homepage is http://www.agentHost.com:80/sp1/homepage.jsp
  Update the above values in sp1MetaData.xml as per your deployment.
- Load sp1MetaData.xml using the following command:
  <begin_dir>/bin/amadmin -u amadmin -w password -t sp1MetaData.xml
D. Upload the Metadata on machine3 for IDP1:
- Update idp1Metadata.xml (available in <idp1_sample_dir> ).
  The following assumptions are made in idp1Metadata.xml :
  - Identity Server (IS) is running in HTTP mode.
  - Hostname for SP1 is www.sp1.com
  - Hostname for IDP1 is www.idp1.com
  - IS is running on port 58080
  - IS services are deployed under URI: amserver
  - IDP1 Identity Server's root suffix is "dc=idp1,dc=com"
    (attribute "DN" for element "OrganizationRequests" )
  - SP1 Certificate Alias is SP1_SECURITY_KEY
  - IDP1 Certificate Alias is IDP1_SECURITY_KEY
  - SP1 metaAlias is www.sp1.com
  - IDP1 metaAlias is www.idp1.com
  Update the above values in idp1Metadata.xml as per your deployment.
- Load idp1Metadata.xml using the following command:
  <begin_dir>/bin/amadmin -u amadmin -w password -t idp1Metadata.xml
E. Deploy and Configure IDP1 (on machine3):
- Replace the following tags in AMClient.properties
  (available in <idp1_sample_dir>/WEB-INF/classes ):
  SERVER_PROTO - protocol (HTTPS/HTTP)
  SERVER_HOST - fully qualified hostname of the IS setup hosting IDP1,
  eg: www.idp1.com
  SERVER_PORT - port number where IS is running
  SERVICE_DEPLOY_URI - IS services' deployment URI (by default amserver )
  META_ALIAS - metaAlias for IDP1
  (in the given idp1Metadata.xml it is entered as www.idp1.com )
- Create the war file for IDP1:
  cd <idp1_sample_dir>
  jar -cvf idp1.war .
- Make sure that the server_root/bin/https/httpadmin/bin directory is in your
  path and that the IWS_SERVER_HOME environment variable is set to your
  server_root directory.
- Enter the following command:
  wdeploy deploy -u uri_path -i instance -v vs_id [-d directory] war_file
  Where:
  uri_path is the URI prefix for the web application.
  instance is the server instance name.
  vs_id is the virtual server ID.
  directory is the directory to which the application is deployed, or from
  which the application is deleted. If not specified for deployment, the
  application is deployed to the document root directory.
  war_file is the WAR file name.
- Restart the web server.
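The tag replacement of sections A and E and the notenforcedList edit of section A, as an added shell example; this script is not part of the Liberty sample and does not ship with Identity Server. File and property names follow the readme. It assumes the tags appear as property values and that the notenforcedList is space separated; the property keys in the constructed demo files, the temporary directory and the function names are the example's own.

```sh
#!/bin/sh
# Added example; not part of the Liberty sample or of Identity Server.
# Helpers for the "replace the tags in AMClient.properties" step of
# sections A and E and the "add the page to notenforcedList" step of
# section A. File and property names follow the readme; the function
# names and the constructed demo files are this example's own.

# fill_client_props FILE PROTO HOST PORT DEPLOY_URI META_ALIAS
# Replaces the five tags in FILE in place, then refuses to continue if
# any tag survived: a leftover SERVER_HOST would make the Liberty client
# contact a host literally named SERVER_HOST. Replacement values must
# not contain "|" or "&", which sed treats specially.
fill_client_props() {
    f=$1
    sed -e "s|SERVER_PROTO|$2|g" -e "s|SERVER_HOST|$3|g" \
        -e "s|SERVER_PORT|$4|g" -e "s|SERVICE_DEPLOY_URI|$5|g" \
        -e "s|META_ALIAS|$6|g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    if grep -q -E 'SERVER_PROTO|SERVER_HOST|SERVER_PORT|SERVICE_DEPLOY_URI|META_ALIAS' "$f"; then
        echo "$f: unreplaced tag" >&2
        return 1
    fi
}

# prop_value FILE KEY: print the value of KEY from a Java properties file.
prop_value() {
    sed -n "s|^$2=||p" "$1"
}

# add_not_enforced FILE URL
# Adds URL to com.sun.am.policy.agents.notenforcedList in FILE (the list
# is space separated), creating the property if it is missing and leaving
# the file alone if URL is already listed. Everything on this list is
# served without authentication, so call it only for genuinely public
# pages such as index.html.
add_not_enforced() {
    f=$1
    url=$2
    key=com.sun.am.policy.agents.notenforcedList
    if ! grep -q "^$key=" "$f"; then
        echo "$key=$url" >> "$f"
        return 0
    fi
    cur=$(prop_value "$f" "$key")
    case " $cur " in
        *" $url "*) return 0 ;;      # already present as a whole entry
    esac
    if [ -z "$cur" ]; then new=$url; else new="$cur $url"; fi
    sed -e "s|^$key=.*|$key=$new|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed stand-ins for the sample's files (the real key names in
# AMClient.properties may differ; only the tag values matter here).
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' \
        'com.iplanet.am.server.protocol=SERVER_PROTO' \
        'com.iplanet.am.server.host=SERVER_HOST' \
        'com.iplanet.am.server.port=SERVER_PORT' \
        'com.iplanet.am.services.deploymentDescriptor=SERVICE_DEPLOY_URI' \
        'com.sun.liberty.metaAlias=META_ALIAS' > "$d/AMClient.properties"
    printf '%s\n' \
        'com.sun.am.policy.am.library.loginURL=http://www.sp1.com:58080/amserver/UI/Login' \
        > "$d/AMAgent.properties"
    echo "$d"
}

# Walk through section A's SP1 values; section E is the same call with
# the IDP1 values (www.idp1.com and IDP1's metaAlias) on machine3.
demo() {
    d=$(make_demo_dir)
    fill_client_props "$d/AMClient.properties" http www.sp1.com 58080 amserver www.sp1.com
    add_not_enforced "$d/AMAgent.properties" http://www.agentHost.com:80/sp1/index.html
    add_not_enforced "$d/AMAgent.properties" http://www.agentHost.com:80/sp1/index.html  # no duplicate
    cat "$d/AMClient.properties" "$d/AMAgent.properties"
    rm -rf "$d"
}

demo
```

Run it on the real files by calling fill_client_props and add_not_enforced with the paths from the readme instead of the demo directory; the leftover-tag check is the part worth keeping, because a half-edited AMClient.properties fails only at runtime, when the first Liberty request goes to the wrong host.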
F. Federate user account at SP1 with an account at
IDP1
- Access the following URL in a web browser (the host and port are those of
  the web server protected by the agent, not of the Identity Server):
  http://<agent host>:<port>/sp1/index.html
  For example http://www.agentHost.com:80/sp1/index.html
  Note: index.html is not a protected page, hence it will not prompt for
  authentication. Now click on the Organization Home Page link in index.html
  and you will be prompted for authentication.
- The agent checks for a valid user session and, if the session is invalid,
  redirects to the preLogin service running at the Identity Server used by
  this agent. The preLogin service redirects to the common login page.
- Click on "Local Login"; it will redirect to SP1 's Login page.
- After successful authentication at SP1 , it will redirect to homepage.jsp .
  This Organization Home Page (homepage.jsp ) has the following three links:
  - Federate : initiates the federation process.
  - Logout : initiates the single logout process.
  - Terminate Federation : initiates the federation termination process.
- When you choose Federate, you will be taken to the Federate page where you
  can select your preferred Identity Provider to federate with. Select IDP1
  as your preferred Identity Provider.
- Now you will be taken to the IDP1 login page. Provide the authentication
  credentials for your IDP1 account. If the authentication is successful, you
  will get "Federation Done".
- At this point you have successfully federated your account between SP1 and
  IDP1 .
Note: When the account is already federated, you will be redirected to the
IDP Login page first.
G. Single Sign On:
- After successful federation, start a new browser session and try to access
  the SP1 protected page (homepage.jsp ). To do so, access the following URL
  in a web browser:
  http://<agent host>:<port>/sp1/homepage.jsp
  For example http://www.agentHost.com:80/sp1/homepage.jsp
- You will be taken to the IDP1 login page. Provide the authentication
  credentials for your IDP1 account. If authentication is successful, you
  will be taken directly to the initially accessed SP1 protected page without
  being asked for SP1 authentication credentials.
H. Single Logout:
- On SP1 's protected page (homepage.jsp ) click on the "Logout" link.
- You will be logged out from both SP1 and IDP1 and then shown the
  "LogoutDone" page.
- Alternatively, you can start the logout process from the IDP protected page
  (index.jsp ) too, with the same result.
I. Federation Termination:
- On the SP1 protected page (homepage.jsp ) click on the "Terminate
  Federation" link.
- You will be taken to the termination page. Here you can select a provider
  to defederate from. Select IDP1 for federation termination.
- On successful defederation you will be taken to the TerminationDone page.
- Alternatively, you can initiate federation termination from the IDP side
  too.
J. Configuring Third Level Domain:
This sample application does not require the use of a third level domain. If
you want to configure a third level domain:
- Access the Identity Server Administration Console.
- Click on the Federation tab.
- Select Authentication Domain in the drop down menu and click on the SHOW
  button.
- Select sample1Alliance in the left panel.
- In the right panel enter the Reader Service URL and Writer Service URL as
  per your common domain services installation. For example, if the common
  domain services are installed on machine3 with hostname www.machine3.com
  (default installation):
  Writer Service URL: http://www.machine3.com:80/amcommon/writer
  Reader Service URL: http://www.machine3.com:80/amcommon/transfer/
- This completes the third level domain setup.
K. Demonstrating different authentication levels:
- For Unix authentication to succeed, create a Unix account with user id
  unixID and password abcde12 on the IDP side (sample values; substitute
  your own).
- Assuming that your account on SP - SP1Acct - is federated with the account
  idp1Acct on IDP , add unixID to the user alias list attribute in the user
  profile of idp1Acct using the IS2004Q2 Console (IdentityManagement ->
  Users -> idp1Acct -> user alias list ). The alias list is what lets a login
  as unixID be treated as idp1Acct , so only identities you trust to act as
  that account belong in it.
- Now access homepage.jsp . You will be prompted for authentication. Given
  that the account is already federated with idp1Acct , log in with the
  idp1Acct credentials and you will be taken to homepage.jsp .
- Try the Financials Page link in homepage.jsp . You will be prompted for Unix
  authentication, which is configured as a higher authentication level.
- Log in with the Unix user id (unixID ) and password (abcde12 ) and you will
  be taken to the Financials page.
NOTE:
- If the Web Server is the same as the one used by IS2004Q2, deploy SP1 under
  <begin_dir>/web-apps and include the URI mapping in web-apps.xml (available
  in <begin_dir>/servers/https-<HOST_NAME>/config/ ).
- If the Web Server is on the same machine as IS2004Q2, the following should
  be appended to the com.sun.am.policy.agents.notenforcedList property of the
  AMAgent.properties file (one space-separated list, shown here one entry per
  line). These are the Liberty protocol endpoints that browsers and the other
  provider must reach before a session exists, so the agent must not
  intercept them; keep the entries this narrow rather than exempting all of
  amserver :
  http://www.sp1.com:58080/amserver/config/federation*
  http://www.sp1.com:58080/amserver/IntersiteTransferService*
  http://www.sp1.com:58080/amserver/AssertionConsumerService*
  http://www.sp1.com:58080/amserver/preLogin*
  http://www.sp1.com:58080/amserver/postLogin*
  http://www.sp1.com:58080/amserver/SOAPReceiver*
  http://www.sp1.com:58080/amserver/ReturnTermination*
  http://www.sp1.com:58080/amserver/ProcessLogout*
  http://www.sp1.com:58080/amserver/ReturnLogout*
  http://www.sp1.com:58080/amserver/liberty-logout*
  http://www.sp1.com:58080/amserver/consentHandler*
  http://www.sp1.com:58080/amserver/SingleSignOnService*
  http://www.sp1.com:58080/amserver/federation-terminate*
  http://www.sp1.com:58080/amserver/ProcessTermination*
- If SP and IDP are installed in the same domain, change the session cookie
  name on the IDP side: set the com.iplanet.am.cookie.name entry in
  /etc/opt/SUNWam/config/AMConfig.properties to anything other than the
  default iPlanetDirectoryPro , for example
  com.iplanet.am.cookie.name=iPlanetPro
  Otherwise both servers set a cookie of the same name for the same domain
  and each would read the other's session cookie as its own.
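As an added example (not the policy agent's code), the following shell script checks which request URLs the not-enforced entries in the NOTE above would let through unauthenticated, and flags entries that are wider than they should be. It assumes that "*" in an entry matches any run of characters including "/", as it does in Policy Agent 2.0 and in a POSIX shell case pattern; the probe URLs (including the metaAlias query parameter on preLogin) and the too_broad rule are the example's own.

```sh
#!/bin/sh
# Added example; not the policy agent's code. Checks which request URLs
# the notenforcedList entries above would let through without
# authentication. It assumes that "*" in an entry matches any run of
# characters, "/" included, as it does in Policy Agent 2.0 and in a POSIX
# shell "case" pattern, so the shell does the matching. The probe URLs
# and the too_broad rule are this example's own.

# Constructed list: the same-machine entries from the NOTE (host
# www.sp1.com, port 58080, URI amserver) plus section A's index page.
NOT_ENFORCED='http://www.agentHost.com:80/sp1/index.html
http://www.sp1.com:58080/amserver/config/federation*
http://www.sp1.com:58080/amserver/IntersiteTransferService*
http://www.sp1.com:58080/amserver/AssertionConsumerService*
http://www.sp1.com:58080/amserver/preLogin*
http://www.sp1.com:58080/amserver/postLogin*
http://www.sp1.com:58080/amserver/SOAPReceiver*
http://www.sp1.com:58080/amserver/ReturnTermination*
http://www.sp1.com:58080/amserver/ProcessLogout*
http://www.sp1.com:58080/amserver/ReturnLogout*
http://www.sp1.com:58080/amserver/liberty-logout*
http://www.sp1.com:58080/amserver/consentHandler*
http://www.sp1.com:58080/amserver/SingleSignOnService*
http://www.sp1.com:58080/amserver/federation-terminate*
http://www.sp1.com:58080/amserver/ProcessTermination*'

# not_enforced URL [LIST]: succeed if URL matches an entry in LIST
# (one entry per line; defaults to NOT_ENFORCED). Scheme, host and port
# are compared literally, so an entry for :58080 never covers :80.
not_enforced() {
    r=$(printf '%s\n' "${2:-$NOT_ENFORCED}" | while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            case $1 in
                $pat) echo match; break ;;   # unquoted: "*" is a wildcard
            esac
        done)
    [ "$r" = match ]
}

# too_broad [LIST]: print entries whose wildcard sits directly after the
# amserver deployment URI. Such an entry exempts every servlet under
# amserver, not just the Liberty endpoints, so it should never be used.
too_broad() {
    printf '%s\n' "${1:-$NOT_ENFORCED}" | grep -E '/amserver/?\*$' || true
}

# Probe requests (constructed): a preLogin call with a query string, a
# SOAPReceiver call with a path suffix, the protected home page, and the
# preLogin URL on the wrong port.
for u in 'http://www.sp1.com:58080/amserver/preLogin?metaAlias=www.sp1.com' \
         'http://www.sp1.com:58080/amserver/SOAPReceiver/metaAlias/www.sp1.com' \
         'http://www.agentHost.com:80/sp1/homepage.jsp' \
         'http://www.sp1.com:80/amserver/preLogin'; do
    if not_enforced "$u"; then echo "not enforced: $u"; else echo "enforced:     $u"; fi
done
# A tempting shortcut that too_broad rejects: it would also exempt the
# rest of amserver from the agent.
too_broad 'http://www.sp1.com:58080/amserver/*'
```

Feed the script the real value of com.sun.am.policy.agents.notenforcedList (split on spaces into one entry per line) to confirm, before restarting the web server, that the entries reach exactly the Liberty endpoints and nothing else on the IS host.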