Services Consumer sample for Liberty Phase II
1. Introduction
This document explains how to deploy and run the Web Service Consumer
(WSC) sample, which queries and modifies the Liberty Discovery Service
and the ID-SIS Personal Profile Service.
There are five parties involved in this sample:
- Liberty Service Provider (SP)
- Liberty Identity Provider (IDP)
- Web Service Consumer (WSC)
- Liberty Discovery Service (DS)
- Liberty ID-SIS Personal Profile Service (ID-SIS-PP)
Here is the general flow of the sample:
- Complete the Liberty single sign-on process and obtain the Discovery
Service bootstrapping resource offering.
- Register the user's Personal Profile resource offering at the ID-SIS-PP
instance by sending a Discovery Service Modify request.
- Send a Discovery Service Lookup request; the Discovery Service returns a
lookup response to the WSC containing the resource offering for the
user's ID-SIS-PP instance.
- Send a Data Service Query to the ID-SIS-PP instance to retrieve user
attributes.
- Send a Data Service Modify to the ID-SIS-PP instance to modify user
attributes.
Five JSPs are provided in this sample:
- index.jsp : Retrieve the bootstrapping resource offering for the
Discovery Service.
- discovery-modify.jsp : Add a resource offering for a user.
- discovery-query.jsp : Send a query to the Discovery Service for a
service resource offering.
- id-sis-pp-modify.jsp : Send a Data Service Modify request to modify
user attributes.
- id-sis-pp-query.jsp : Send a Data Service Query request to retrieve
user attributes.
2. Deploy the Sample
Two machines are required for this sample:
- The SP and WSC are deployed on machine1, whose host name is "www.sp1.com".
- The IDP, DS and ID-SIS-PP are deployed on machine2, whose host name is
"www.idp1.com".
Note : <INSTALL_DIR> refers to the Access Manager installation
directory, for example, "/opt".
A. Deploy on Machine 1
- Deploy the Liberty sample1 SP, following the instructions in
<INSTALL_DIR>/SUNWam/samples/liberty/sample1/sp1.
- Change the protocol support of the remote IDP to ID-FF 1.2. Log in to
the Access Manager administration console as the top-level administrator,
go to Federation Management, select the "Entity Descriptors" view, click
the remote IDP entity ID in the list, select "Provider" in the View menu
of the right panel, click the "[Edit...]" link under Provider, select
"urn:liberty:iff:2003-08" in the "Protocol Support Enum" field (enter an
integer value, e.g. 60, in the "Cache Duration" field if it is empty),
then click "Save".
- Replace the placeholder tags and host names in discovery-modify.jsp and
index.jsp:
 * replace IDP_SERVER_PORT with the server port of the IDP machine;
 * replace SERVICE_DEPLOY_URI with the service deployment URI of the IDP
machine;
 * replace www.sp1.com with the host name of the SP machine, if different;
 * replace www.idp1.com with the host name of the IDP machine, if different;
 * replace the userDN value with the DN of the IDP user whose Personal
Profile resource offering is to be created.
- Deploy the JSPs. Copy all five JSPs to a subdirectory of the web
container's document root. For Sun Java System Web Server 6.1, run the
following commands:
mkdir <WEB_SERVER_INSTALL_DIR>/docs/wsc
cp <INSTALL_DIR>/SUNWam/samples/phase2/wsc/*.jsp <WEB_SERVER_INSTALL_DIR>/docs/wsc/
- Log in to the Access Manager administration console and create a user
called "spUser". This user is used as the federated user on the SP side.
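The placeholder replacement and copy steps above, as an added example that is not part of the Access Manager sample: a small deployer that applies the replacements this page lists, refuses to copy any JSP that still carries a placeholder, and writes the result into the docroot subdirectory. The JSP content, the port, the deployment URI, the user DN and the `String userDN = "..."` declaration form are constructed assumptions for a test run; adjust the rules to your machines.

```python
import os
import re
import tempfile

# Placeholder tags this page says to replace; anything left over is an error.
PLACEHOLDERS = ("IDP_SERVER_PORT", "SERVICE_DEPLOY_URI")

# Constructed stand-in for the sample JSPs (the real files are longer); the
# `String userDN = "..."` form is an assumption about how the JSP declares it.
SAMPLE_JSP = """<%-- constructed stand-in, not the sample's real JSP --%>
<% String userDN = "uid=CHANGE_ME,ou=People,dc=example,dc=com";
   String spHost = "www.sp1.com";
   String discoUrl = "http://www.idp1.com:IDP_SERVER_PORT/SERVICE_DEPLOY_URI/Liberty/disco"; %>
"""

# (regex, replacement) pairs for one test deployment; the values are assumptions.
RULES = [
    (r"IDP_SERVER_PORT", "58080"),
    (r"SERVICE_DEPLOY_URI", "amserver"),
    (r"www\.sp1\.com", "www.sp1.com"),     # SP host unchanged in this run
    (r"www\.idp1\.com", "www.idp1.com"),   # IDP host unchanged in this run
    (r'userDN\s*=\s*"[^"]*"', 'userDN = "uid=idpUser,ou=People,dc=idp1,dc=com"'),
]


def patch_text(text, rules):
    """Apply `rules` in order; returns (patched_text, number_of_substitutions)."""
    total = 0
    for pattern, repl in rules:
        text, n = re.subn(pattern, repl, text)
        total += n
    return text, total


def leftover_placeholders(text):
    """Placeholder tags still present after patching (should be empty)."""
    return [p for p in PLACEHOLDERS if p in text]


def patch_jsps(src_dir, dst_dir, rules):
    """Patch every *.jsp in src_dir into dst_dir (created if needed) and
    refuse to deploy a file that still carries a placeholder.
    Returns {filename: substitutions}."""
    os.makedirs(dst_dir, exist_ok=True)
    done = {}
    for name in sorted(os.listdir(src_dir)):
        if not name.endswith(".jsp"):
            continue
        with open(os.path.join(src_dir, name), encoding="utf-8") as f:
            text, count = patch_text(f.read(), rules)
        left = leftover_placeholders(text)
        if left:
            raise ValueError(f"{name}: unreplaced placeholders {left}")
        with open(os.path.join(dst_dir, name), "w", encoding="utf-8") as f:
            f.write(text)
        done[name] = count
    return done


def demo():
    """Stand-in for the sample directory and the web server docroot, in temp dirs."""
    src = tempfile.mkdtemp()
    dst = os.path.join(tempfile.mkdtemp(), "docs", "wsc")
    for name in ("index.jsp", "discovery-modify.jsp"):
        with open(os.path.join(src, name), "w", encoding="utf-8") as f:
            f.write(SAMPLE_JSP)
    return patch_jsps(src, dst, RULES)


if __name__ == "__main__":
    print(demo())
```

On a real deployment, point `src_dir` at <INSTALL_DIR>/SUNWam/samples/phase2/wsc and `dst_dir` at <WEB_SERVER_INSTALL_DIR>/docs/wsc; the leftover check is what catches a JSP that was edited by hand but missed a tag, which otherwise only shows up as a failed bootstrap at index.jsp.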
B. Deploy on Machine 2
- Deploy the Liberty sample1 IDP, following the instructions in
<INSTALL_DIR>/SUNWam/samples/liberty/sample1/idp1.
- Register the Liberty Personal Profile Service. Log in to the Access
Manager administration console as the top-level administrator, go to
Identity Management, choose "Services" in the View menu, click "Add",
select "Liberty Personal Profile Service" in the right panel, and click
"OK".
- Create a user called "idpUser". This user is used as the federated
user on the IDP side, and its entry also stores the Discovery Service
resource offering and the Personal Profile Service attributes. You must
select "Liberty Personal Profile Service" under Available Services when
creating idpUser; otherwise the PP Modify request will fail.
3. Run the Sample
Basic Flow
Here are the steps to run the sample:
- Federate the users "spUser" and "idpUser" as described in Liberty
sample1, then log out.
- Single sign-on again from the SP to the IDP using "idpUser".
- In your browser, connect to
"http://<machine1>:<server_port>/wsc/index.jsp". You will see the
bootstrapping resource offering for the Discovery Service and two
buttons, "Send Discovery Lookup" and "Add PP Resource Offering".
- Click "Add PP Resource Offering". This leads to the
discovery-modify.jsp page, where the PP resource offering has been
computed from the bootstrapping Discovery Service resource offering.
- Click "Send Discovery Update Request". The user's Personal Profile
resource offering is registered in the "idpUser" entry on machine2.
- Click the "Return to index.jsp" link. This brings you back to the
index.jsp page with the bootstrapping resource offering.
- Click the "Send Discovery Lookup" button. This leads to the
discovery-query.jsp page. Fill in the "ServiceType to look for" field if
needed, then click "Send Discovery Lookup Request". The PP resource
offering registered in the previous steps is displayed.
- There are two options on this page:
a. Click "Send PP Query" to go to the id-sis-pp-query.jsp page, which
queries the Personal Profile Service on machine2 for user attributes.
Pick "urn:liberty:security:2003-08:null:null" in the Authentication
Mechanism field (this mechanism provides neither transport nor message
authentication; the X.509 variants are covered later in this document).
You can change the "XPath Expression" field (default /PP/CommonName) to
select different attributes.
b. Click "Send PP Modify" to go to the id-sis-pp-modify.jsp page, which
sends a Modify request to the Personal Profile Service on machine2 to
modify the user's personal profile attributes. Pick
"urn:liberty:security:2003-08:null:null" in the Authentication Mechanism
field. You can change the "XPath Expression" field (default
/PP/CommonName/AnalyzedName/FN) to select the attribute, and the "Value"
field to set its new value.
You can repeat the above process for further Discovery Service and
ID-SIS-PP query and modify cases.
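The lookup-then-query/modify exchange the Basic Flow describes, as an added example that is not code from the Access Manager sample: it parses a Discovery Service lookup response, picks the ID-SIS-PP endpoint whose advertised Authentication Mechanism meets a minimum the WSC is willing to use (failing closed rather than downgrading to null:null), and builds the Data Service Query and Modify bodies with the XPath defaults this page lists. The element and namespace layout follows the Liberty ID-WSF 1.x Discovery Service and ID-SIS-PP specifications as assumed here, and the response document is constructed, not captured; check both against what your DS actually returns.

```python
import xml.etree.ElementTree as ET

DISCO = "urn:liberty:disco:2003-08"        # Discovery Service namespace (assumed)
PP = "urn:liberty:id-sis-pp:2003-08"        # ID-SIS-PP namespace and ServiceType (assumed)

# Authentication mechanisms named on this page, ranked weakest to strongest.
SECMECH_NULL = "urn:liberty:security:2003-08:null:null"      # no transport, no message auth
SECMECH_X509 = "urn:liberty:security:2003-08:null:X509"      # X.509-signed messages
SECMECH_TLS_X509 = "urn:liberty:security:2003-08:TLS:X509"   # TLS transport + X.509 signature
STRENGTH = {SECMECH_NULL: 0, SECMECH_X509: 1, SECMECH_TLS_X509: 2}

# Constructed stand-in for the DS lookup response discovery-query.jsp receives;
# not captured from a real deployment.
SAMPLE_LOOKUP_RESPONSE = f"""<disco:QueryResponse xmlns:disco="{DISCO}">
  <disco:Status code="OK"/>
  <disco:ResourceOffering entryID="1">
    <disco:ResourceID>http://www.idp1.com/amserver/Liberty/idpp/resource/idpUser</disco:ResourceID>
    <disco:ServiceInstance>
      <disco:ServiceType>{PP}</disco:ServiceType>
      <disco:ProviderID>http://www.idp1.com/amserver/idp1</disco:ProviderID>
      <disco:Description>
        <disco:SecurityMechID>{SECMECH_NULL}</disco:SecurityMechID>
        <disco:Endpoint>http://www.idp1.com/amserver/Liberty/idpp</disco:Endpoint>
      </disco:Description>
      <disco:Description>
        <disco:SecurityMechID>{SECMECH_X509}</disco:SecurityMechID>
        <disco:Endpoint>http://www.idp1.com/amserver/Liberty/idpp</disco:Endpoint>
      </disco:Description>
    </disco:ServiceInstance>
  </disco:ResourceOffering>
</disco:QueryResponse>"""


def select_pp_endpoint(response_xml, minimum_secmech):
    """Pick the ID-SIS-PP endpoint from a DS lookup response, taking the
    strongest advertised mechanism that is at least `minimum_secmech`.
    Returns (resource_id, secmech, endpoint); raises ValueError (fail closed)
    when nothing acceptable is offered, e.g. when only null:null is listed."""
    ns = {"disco": DISCO}
    root = ET.fromstring(response_xml)
    best = None
    for offering in root.findall("disco:ResourceOffering", ns):
        instance = offering.find("disco:ServiceInstance", ns)
        if instance is None or instance.findtext("disco:ServiceType", namespaces=ns) != PP:
            continue
        resource_id = offering.findtext("disco:ResourceID", namespaces=ns)
        for desc in instance.findall("disco:Description", ns):
            mech = desc.findtext("disco:SecurityMechID", namespaces=ns)
            endpoint = desc.findtext("disco:Endpoint", namespaces=ns)
            if mech not in STRENGTH or STRENGTH[mech] < STRENGTH[minimum_secmech]:
                continue  # unknown or too weak: never silently downgrade
            if best is None or STRENGTH[mech] > STRENGTH[best[1]]:
                best = (resource_id, mech, endpoint)
    if best is None:
        raise ValueError("no ID-SIS-PP endpoint offers %s or stronger" % minimum_secmech)
    return best


def _pp(tag):
    return "{%s}%s" % (PP, tag)


def build_pp_query(resource_id, select="/PP/CommonName"):
    """DST Query body as id-sis-pp-query.jsp sends it (element layout assumed
    from the ID-SIS-PP spec; `select` defaults to the page's XPath)."""
    ET.register_namespace("pp", PP)
    query = ET.Element(_pp("Query"))
    ET.SubElement(query, _pp("ResourceID")).text = resource_id
    item = ET.SubElement(query, _pp("QueryItem"))
    ET.SubElement(item, _pp("Select")).text = select
    return ET.tostring(query, encoding="unicode")


def build_pp_modify(resource_id, new_value, select="/PP/CommonName/AnalyzedName/FN"):
    """DST Modify body as id-sis-pp-modify.jsp sends it; the NewData child
    element is named after the last step of `select` (FN by default)."""
    ET.register_namespace("pp", PP)
    modify = ET.Element(_pp("Modify"))
    ET.SubElement(modify, _pp("ResourceID")).text = resource_id
    mod = ET.SubElement(modify, _pp("Modification"))
    ET.SubElement(mod, _pp("Select")).text = select
    new_data = ET.SubElement(mod, _pp("NewData"))
    ET.SubElement(new_data, _pp(select.rstrip("/").rsplit("/", 1)[-1])).text = new_value
    return ET.tostring(modify, encoding="unicode")


if __name__ == "__main__":
    rid, mech, endpoint = select_pp_endpoint(SAMPLE_LOOKUP_RESPONSE, SECMECH_X509)
    print(mech, endpoint)
    print(build_pp_query(rid))
    print(build_pp_modify(rid, "Bob"))
```

The selection step is where a WSC decides whether to accept the DS's weakest offer: with `minimum_secmech=SECMECH_NULL` it still prefers the X.509 description when one is listed, and with `SECMECH_TLS_X509` it refuses the constructed response outright because no TLS description is present.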
User Interaction with Personal Profile Service
- Log in to the administration console of machine2 (IDP) as the top-level
administrator.
 * Create a policy for the Personal Profile Service that requires user
interaction for Query and/or Modify. In the Access Manager administration
console, select "Identity Management", choose "Policies" in the View
menu, click "New", select "Normal" policy, enter a name for the policy
and click "OK" to create it. Select "Rules" in the View menu for this
policy, click "Add", choose "Liberty Personal Profile Service" as the
service and click "Next". Enter a "Rule Name", enter "*" in the
"Resource Name" field, check the "Select" box for "MODIFY" and/or
"QUERY", select "Interact for Consent" or "Interact for Value" under
the value choices, click "OK", then "Save" to save the rule. Choose
"Subjects" in the View menu for this policy, click "Add", choose
"Authenticated Users" as the type, click "Next", enter a name, click
"OK", then "Save" to save the subject.
 * Enable policy evaluation for Personal Profile Service Query and/or
Modify. In the Access Manager administration console, select "Service
Configuration", then "Liberty Personal Profile Service", check the two
boxes labeled "is Query Policy Eval Required" and "is Modify Policy Eval
Required", and click "Save".
- Follow the same steps as in the Basic Flow section to run the sample.
At the last step, after clicking "Send PP Query" or "Send PP Modify",
you will be asked for consent or for an attribute value for the
operation being performed. Make the choice or enter the value to
complete the flow. You can change the policy defined above to see
different user interaction behavior.
X.509 Message Authentication
- Follow the instructions in the SAML xmlsig sample to set up a JKS
signing key store (the instructions are in
<INSTALL_DIR>/SUNWam/samples/saml/xmlsig) on both machines. Edit
/etc/opt/SUNWam/config/AMConfig.properties to reflect the key store,
its password and the certificate alias.
- On both machine1 (SP) and machine2 (IDP), edit
/etc/opt/SUNWam/config/AMConfig.properties and set the
"com.sun.identity.liberty.ws.wsc.certalias" property to the alias of
the signing certificate.
- To test X.509 message authentication with the Discovery Service, log in
to the Access Manager administration console as the top-level
administrator, go to "Service Configuration", then "Discovery Service".
Edit the Resource Offerings for Bootstrapping Resources and change the
Authentication Mechanism from "urn:liberty:security:2003-08:null:null"
to "urn:liberty:security:2003-08:null:X509", then click "Save". Follow
the steps in the Basic Flow section to run the sample.
- To test X.509 message authentication with the Personal Profile Service,
follow the steps in the Basic Flow section, choosing
"urn:liberty:security:2003-08:null:X509" as the Authentication Mechanism
when performing the PP query or modify.
- To test SSL (urn:liberty:security:2003-08:TLS:X509), you must import
the CA certificate that issued the web server certificate of machine2
(IDP) into the web server certificate database of machine1 (SP), so that
the WSC can verify the server certificate when it connects over HTTPS.
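The AMConfig.properties edits from the first two bullets of this section, as an added example that is not part of the Access Manager sample: a property setter that replaces an existing `key=value` line in place (dropping duplicate definitions) or appends it, plus a check that every property X.509 message authentication depends on is present and non-empty before you flip the bootstrap offering to null:X509. The property com.sun.identity.liberty.ws.wsc.certalias is the one this page names; the com.sun.identity.saml.xmlsig.* names are assumed from the SAML xmlsig sample referenced above, and the paths, alias and the file fragment are constructed for a test run.

```python
import os
import tempfile

WSC_CERTALIAS = "com.sun.identity.liberty.ws.wsc.certalias"   # named on this page
XMLSIG_KEYS = (                                               # assumed from the xmlsig sample
    "com.sun.identity.saml.xmlsig.keystore",
    "com.sun.identity.saml.xmlsig.storepass",
    "com.sun.identity.saml.xmlsig.keypass",
    "com.sun.identity.saml.xmlsig.certalias",
)


def load_properties(path):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    with open(path, encoding="latin-1") as f:   # .properties files are Latin-1
        for line in f:
            line = line.strip()
            if not line or line[0] in "#!":
                continue
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def set_property(path, key, value):
    """Rewrite `key=value` in place (first definition wins, later duplicates
    are dropped) or append it; all other lines and comments are preserved."""
    lines, done = [], False
    if os.path.exists(path):
        with open(path, encoding="latin-1") as f:
            for line in f:
                stripped = line.strip()
                is_def = stripped and stripped[0] not in "#!" \
                    and stripped.partition("=")[0].strip() == key
                if is_def:
                    if not done:
                        lines.append(f"{key}={value}\n")
                        done = True
                    continue
                lines.append(line)
    if not done:
        lines.append(f"{key}={value}\n")
    with open(path, "w", encoding="latin-1") as f:
        f.writelines(lines)


def missing_x509_settings(path):
    """Properties required for null:X509 / TLS:X509 that are absent or empty.
    An empty list means the file is ready to test with."""
    props = load_properties(path)
    return [k for k in XMLSIG_KEYS + (WSC_CERTALIAS,) if not props.get(k)]


def demo():
    """Run against a constructed AMConfig.properties fragment in a temp dir;
    returns (missing before, missing after, resulting properties)."""
    path = os.path.join(tempfile.mkdtemp(), "AMConfig.properties")
    with open(path, "w", encoding="latin-1") as f:
        f.write("# constructed AMConfig.properties fragment, not a real one\n"
                "com.iplanet.am.server.host=www.sp1.com\n"
                f"{WSC_CERTALIAS}=\n")          # present but empty, as shipped
    before = missing_x509_settings(path)
    # Assumed values: paths from the xmlsig sample layout and a test alias.
    set_property(path, "com.sun.identity.saml.xmlsig.keystore", "/etc/opt/SUNWam/config/keystore.jks")
    set_property(path, "com.sun.identity.saml.xmlsig.storepass", "/etc/opt/SUNWam/config/.storepass")
    set_property(path, "com.sun.identity.saml.xmlsig.keypass", "/etc/opt/SUNWam/config/.keypass")
    set_property(path, "com.sun.identity.saml.xmlsig.certalias", "wsc-signing")
    set_property(path, WSC_CERTALIAS, "wsc-signing")
    return before, missing_x509_settings(path), load_properties(path)


if __name__ == "__main__":
    print(demo())
```

Run the setter once per machine with that machine's alias; the check only proves the properties are set, so still confirm with keytool that the alias exists in the keystore the file points to, since a wrong alias surfaces only as a signing failure at request time.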