Main Page
Services Consumer sample for Liberty Phase II
1. Introduction
This explains how to deploy and run the WSC sample to query and modify
Liberty Discovery Service and ID-SIS Personal Profile Service.
There are five parties involved in this sample:
- Liberty Service Provider (SP)
- Liberty Identity Provider (IDP)
- Web Service Consumer (WSC)
- Liberty Discovery Service (DS)
- Liberty ID-SIS Personal Profile Service (ID-SIS-PP)
Here is the general flow of the sample :
- Complete the Liberty Single-Sign-On Process, obtain Discovery
Service Boot Strapping Resource Offering.
- Register user's Resource Offering at the ID-SIS-PP instance using
Discovery Service Modification.
- Send Discovery Service Lookup request, discovery service returns
discovery lookup response to the WSC which contains the resource
offering for the user's ID-SIS-PP instance.
- Send Data Service Query to the ID-SIS-PP Instance to retrieve user
attributes.
- Send Data Service Modification to the ID-SIS-PP Instance to modify
user attributes.
There are five JSP provided in this sample:
- index.jsp : Retrieve boot strapping resource offering for discovery
service.
- discovery-modify.jsp : Add Resource Offering for a user.
- discovery-query.jsp : Send query to discovery service for service
resource offering.
- id-sis-pp-modify.jsp : Send Data Service Modify request to modify
user attributes.
- id-sis-pp-query.jsp : Send Data Service Query Request to retrieve
user attributes
2. Deploy the Sample
Two machines are required for this sample:
- SP & WSC are deployed on machine1, whose host name is "www.sp1.com".
- IDP, DS & ID-SIS-PP are deployed on machine2, whose host name is
"www.idp1.com".
Note :
<BEGIN_DIR> refers to the Access Manager installation
directory:
Solaris Sparc/x86: BEGIN_DIR = <install_dir>/SUNWam
Linux : BEGIN_DIR = <install_dir>/sun/identity
<CONFIG_DIR refers to the Access Manager Configuration Directory.
Solaris Sparc/x86: CONFIG_DIR = /etc/opt/SUNWam/config
Linux : CONFIG DIR = /etc/opt/sun/identity/config
A. Deploy on Machine 1
- Deploy liberty sample1 SP, follow the instruction on
<BEGIN_DIR>/samples/liberty/sample1/sp1
- Change protocol support of the remote IDP to ID-FF 1.2. Login to Access Manager
Administration Console as top level administrator.
- Select "Federation" Tab.
- Select "Entities" Sub Tab.
- Click on the Remote Identity Provider Entity ID eg www.idp1.com.
- Select "Identity Provider" from the drop down View Menu.
- Edit the "Protocol Support Enum" attribute to set its value to
"urn:liberty:iff:2003-08".
- Set "Cache Duration" Attribute Value eg. to set value to 60 seconds enter
PT60S.
- Select Save to save changes made in the Provider page.
- Replace tags and hosts in discovery-modify.jsp and index.jsp.
replace IDP_SERVER_PORT with server port of IDP machine.
replace SERVICE_DEPLOY_URI with service deployment URI of the IDP machine
replace www.sp1.com with host name of the SP machine if needed.
replace www.idp1.com with host name of IDP machine if needed.
replace userDN value for the IDP user whose personal profile resource
offering is to be created.
- Deploy JSPs. Copy all the five jsps to a sub directory of the
document root of the web container. In case of Sun Java System Web
Server 6.1, run following command:
mkdir <WEB_SERVER_INSTALL_DIR>/docs/wsc
cp <BEGIN_DIR>/samples/phase2/wsc/*.jsp
<WEB_SERVER_INSTALL_DIR>/docs/wsc/
- Login to access manager admin console, create a user called "spUser"
This user will be used as federated user on the SP side.
B. Deploy on Machine 2
- Deploy liberty sample1 IDP, follow the instruction on
<BEGIN_DIR>/samples/liberty/sample1/idp1.
- Create a user called "idpUser". This user will be used as the
federated user on the IDP side, also as storage of Discovery Service
resource offering and Personal Profile Service attributes. You must
select "Liberty Personal Profile Service" in the Available Services
when creating the idpUser (otherwise PP modify will fail).
3. Run the Sample
Basic Flow
Here is the steps to run the sample:
- Federate user "spUser" and "idpUser" follow Liberty sample1, and
logout.
- Single-sign-on again from SP to IDP using "idpUser".
- Use your browser, connect to
"http://<machine1>:<server_port>/wsc/index.jsp". You will see the
boot strapping resource offering for Discovery Service, also two
buttons, one for "Send Discovery Lookup", one for "Add PP Resource
Offering"
- Click "Add PP Resource Offering", this will lead to
discovery-modify.jsp page, the PP resource offering has been computed
based on the boot strapping Discovery Service Resource Offering.
- Click "Send Discovery Update Request", the user's Personal Profile
resource offering will be registered in "idpUser" on machine2.
- Click "Return to index.jsp" link, this will bring you back to
index.jsp page with boot strapping resource offering.
- Click "Send Discovery Lookup" button, this will lead to
discovery-query.jsp page. Fill in "ServiceType to look for" field if
needed. Click "Send Discovery Lookup Request", the PP resource offering
added in step 4 will be displayed.
- Two options in this page :
a. Click "Send PP Query" will lead to id-sis-pp-query.jsp page, which
will query Personal Profile Service in machine 2 for user attributes.
Pick "urn:liberty:security:2003-08:null:null" in Authentication
Mechanism field. You could change the "XPath Expression" field
(default to /PP/CommonName) for different XPath expression for
attribute selection.
b. Click "Send PP Modify" will lead to id-sis-pp-modify.jsp page,
which will send Modify request to Personal Profile Service in
machine 2 to modify user's personal profile attributes. Pick
"urn:liberty:security:2003-08:null:null" in Authentication Mechanism
field. You could modify "XPath Expression" field (default to
/PP/CommonName/AnalyzedName/FN) for attribute selection, and
"Value" field for new values for the attribute.
You could repeat above process for discovery/id-sis-pp query and modify
cases.
User Interaction with Personal Profile Service
- Login to the administration console of Machine 2 (IDP) as top level
administrator.
* Create a policy for Personal Profile service to require user
interaction for Query and/or Modify.
- Select Access Control Tab.
- Click on the realm to which policy is to be added.
- Select the "Policies" sub tab.
- Click on "New Policy" to create a Policy. This will
display the "Add Policy" page.
- Enter the Policy Name in the "Name" field.
- Click on "New" under the Rules section on the same page to
add a new Rule.
- In the "Add Rule" page select choice value
"Liberty Personal Profile Service (with resource name)".
- Click on "Next" to go to Step 2 of Adding New Rule.
- Enter Rule Name in the "Name" field.
- Enter "*" for Resource Name.
- Select Actions MODIFY and/or QUERY check boxes and their values
could be either "Interact for Consent" OR "Interact for Value",
which can be selected from the drop down menu for these actions.
- Select "Finish" to save the Rule and return to "Add Policy" Page.
- Select New in the "Subjects" section to add subjects for the policy.This
will display the Add Subjects Page.
- Select choice value "Authenticated Users".
- Select Next to Continue.
- Enter value for "Name" Field and select Finish.
* Enable policy evaluation for Personal Profile Service Query and/or
Modify.In Access Manager Administration Console :
- Select "Web Services" Tab.
- Select "Personal Profile Service" Sub Tab.
- Click on "Enable" Check box for attribute "Require Query Policy Eval"
and/or "Require Modify Policy Eval".
- Select "Save" to save changes.
- Follow the same steps as in Basic Flow
section to run the sample. In Step 8, after clicking "Send PP Query"
or "Send PP Modify", you will be asked for consent or attribute value
for the operation performed. Make the choice or enter value to complete
the flow. You may change the policy defined in step 1 to see different
behavior for user interaction.
X.509 Message Authentication
- Follow instruction in SAML xmlsig sample to set up JKS signing key
store (instruction could be found at
<BEGIN_DIR>/samples/saml/xmlsig) in both machines. Edit
<CONFIG_DIR>/AMConfig.properties to reflect the key store,
password and cert alias. The properties to edit are :
com.sun.identity.saml.xmlsig.keystore
com.sun.identity.saml.xmlsig.storepass
com.sun.identity.saml.xmlsig.keypass
com.sun.identity.saml.xmlsig.certalias
- At both machine 1 (SP) and machine 2 (IDP), edit
<CONFIG_DIR>/AMConfig.properties, set the
"com.sun.identity.liberty.ws.wsc.certalias" property to the alias of
the signing certification.
- To test X.509 Message Authentication in discovery service, login to
Access Manager administration console as top level administrator:
- Select "Web Services" Tab.
- Select "Discovery Service" Sub Tab.
- Click on Service Type "urn:liberty:disco:2003-08" in the
"Resource Offerings for Bootstrapping Resources Section.
- In Service Description Section, Select Edit to change
the Security Mechanism ID.
- Select Remove to remove Security Mechanism ID,
"urn:liberty:security:2003-08:null:null".
- Select Security Mechanism ID "urn:liberty:security:2003-08:null:X509" and
click on Add to add it as the Security Mechanism.
Follow the steps as in Basic Flow section to run the
sample.
- To test X.509 Message Authentication in Personal Profile Service,
follow the steps in Basic Flow section,
choose "urn:liberty:security:2003-08:null:X509" as Authentication
Mechanism when perform PP query or modify.
- To test SSL (urn:liberty:security:2003-08:TLS:X509), you must import
the CA for the web server certification of machine 2 (IDP) to the web
server certificate database of machine 1 (SP).
|