1. Introduction
This sample uses two machines: one as the IDP, running only Identity
Server (IS), and the other as the SP, running Portal Server.
This sample differs from sample 1 in one respect only: the
authentication-less desktop is enabled. Users who have no identity
federation and are not locally signed on see the authentication-less
desktop, while federated users who are not Liberty signed on are
redirected to the IDP authentication page when they access the portal
desktop. Federated users who are Liberty signed on see the personalized
desktop without any further authentication.
It demonstrates the following features:
Identity Federation
Liberty Single Sign-On
Federation Termination
Single Log-Out at SP
2. Setup
Portal Server on host A
Authentication-less desktop enabled
Authentication-less desktop disabled for federated users
Federation enabled
One IDP on host B
3. Configuration
Configuration may be done manually by following the procedure given in
the following sections.
It is also possible to do it using the scripts configSP.sh and
configIDP.sh. These scripts must be edited appropriately before use;
the comments in the scripts explain how to customize them. Execute
configSP.sh on the system with Portal Server installed. Execute
configIDP.sh on the system to be used as the IDP, which has Identity
Server installed.
Examples of tokens that need to be replaced in the configIDP.sh are:
$ROOT_SUFFIX -> dc=sun,dc=com
$ORG_DN -> o=DeveloperSample,$ROOT_SUFFIX
$IDP_HOST_DOMAIN -> hostB.sun.com
$IDP_PORT -> 58080
$SP_HOST_DOMAIN -> hostA.sun.com
$SP_PORT -> 58080
$PROTOCOL -> http
$PASSWORD -> 11111111
$IDSAME_BASEDIR -> /opt
$IS_DEPLOY_DESCRIPTOR -> amserver
$COOKIE_DOMAIN -> .sun.com
Examples of tokens that need to be replaced in the configSP.sh are:
3.1. Service Provider (SP) Portal Server configuration
3.1.1. Load the metadata for SP
a. Edit spmetadata.xml
Replace the tokens with values appropriate to the deployment. Examples
are shown below.
$ORG_DN -> o=DeveloperSample,dc=sun,dc=com
$PROTOCOL -> http
$SP_HOST_DOMAIN -> hostA.sun.com
$SP_PORT -> 80
$IS_DEPLOY_DESCRIPTOR -> amserver
$PS_DEPLOY_DESCRIPTOR -> portal
$IDP_HOST_DOMAIN -> hostB.sun.com
$IDP_PORT -> 80
$COOKIE_DOMAIN -> .sun.com
b. Load the metadata using this command on hostA:
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin --password password --data spmetadata.xml
3.1.2. Create Federation Channel
a. Edit fedChannel.xml
Replace the tokens with values appropriate to the deployment. Examples
are shown below.
$PROTOCOL -> http
$SP_HOST_DOMAIN -> hostA.sun.com
$SP_PORT -> 80
$IS_DEPLOY_DESCRIPTOR -> amserver
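The token substitution in steps 3.1.1 and 3.1.2 can be scripted and checked before anything is loaded; the script below is an added example, not the sample's own configSP.sh, and the metadata fragment it writes is a constructed stand-in rather than the real spmetadata.xml. Any token not in its list (for instance $ROOT_SUFFIX from configIDP.sh) is reported as left over instead of silently passing through.

```shell
#!/bin/sh
# Added example, not the sample's own configSP.sh: substitute the $TOKEN
# placeholders in a metadata or DP file and reject the result while any token
# is left, since a leftover token becomes a wrong provider URL or DN.
# Example values for the assumed deployment (those shown in this section).
ORG_DN='o=DeveloperSample,dc=sun,dc=com'
PROTOCOL='http'
SP_HOST_DOMAIN='hostA.sun.com'
SP_PORT='80'
IS_DEPLOY_DESCRIPTOR='amserver'
PS_DEPLOY_DESCRIPTOR='portal'
IDP_HOST_DOMAIN='hostB.sun.com'
IDP_PORT='80'
COOKIE_DOMAIN='.sun.com'

# replace_tokens IN OUT: write OUT from IN with every known token replaced.
replace_tokens() {
    sed -e "s|[\$]ORG_DN|$ORG_DN|g" \
        -e "s|[\$]PROTOCOL|$PROTOCOL|g" \
        -e "s|[\$]SP_HOST_DOMAIN|$SP_HOST_DOMAIN|g" \
        -e "s|[\$]SP_PORT|$SP_PORT|g" \
        -e "s|[\$]IS_DEPLOY_DESCRIPTOR|$IS_DEPLOY_DESCRIPTOR|g" \
        -e "s|[\$]PS_DEPLOY_DESCRIPTOR|$PS_DEPLOY_DESCRIPTOR|g" \
        -e "s|[\$]IDP_HOST_DOMAIN|$IDP_HOST_DOMAIN|g" \
        -e "s|[\$]IDP_PORT|$IDP_PORT|g" \
        -e "s|[\$]COOKIE_DOMAIN|$COOKIE_DOMAIN|g" \
        "$1" > "$2"
}

# count_unreplaced FILE: number of lines still holding a $UPPER_CASE token.
count_unreplaced() {
    grep -c '[$][A-Z][A-Z_]*' "$1" || true
}

# write_sample FILE: constructed stand-in for spmetadata.xml, not the real file.
write_sample() {
    cat > "$1" <<'EOF'
<Provider providerID="$PROTOCOL://$SP_HOST_DOMAIN:$SP_PORT/$IS_DEPLOY_DESCRIPTOR">
  <Desktop>$PROTOCOL://$SP_HOST_DOMAIN:$SP_PORT/$PS_DEPLOY_DESCRIPTOR/dt</Desktop>
  <Org>$ORG_DN</Org>
</Provider>
EOF
}
work=$(mktemp -d)
write_sample "$work/spmetadata.xml"
replace_tokens "$work/spmetadata.xml" "$work/spmetadata.out.xml"
if [ "$(count_unreplaced "$work/spmetadata.out.xml")" = "0" ]; then
    echo "ready to load: $work/spmetadata.out.xml"
else
    echo "unreplaced tokens remain in $work/spmetadata.out.xml" >&2
fi
```

Run it with the real spmetadata.xml or fedChannel.xml as the input and load only the output file whose leftover count is zero.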
b. Load the DP XML using this command on hostA. Remember to use the
appropriate DNs for amAdmin and the organization.
<PORTAL_BASEDIR>/SUNWportal/bin/psadmin modify-dp --adminuser "uid=amAdmin,ou=People,dc=sun,dc=com" --passwordfile <PASSWORD_FILE> -m --portal portal1 --dn "o=DeveloperSample,dc=sun,dc=com" fedChannel.xml
c. Create the channel template directory:
# mkdir /var/opt/SUNWportal/portals/portal1/desktop/developer_sample/Federation
d. Copy the channel template from the sample directory to the template
directory:
# cp fedChannel.template /var/opt/SUNWportal/portals/portal1/desktop/developer_sample/Federation/display.template
3.1.3. Set Global Attributes for Desktop Service
In the Portal admin console:
Click the "Portals" tab.
Click the portal in the list, i.e. portal1.
Select "TopLevel" in the "Select DN" drop-down list
and set the following fields:
Set "Federation" to enable.
Set "Anonymous Desktop" to enable.
Set "Anonymous Access for Federated Users" to disable.
Set "Hosted Provider ID" to http://hostA.sun.com, replacing the protocol and
host name with the correct values for your deployment.
Set the "Valid UIDs for Anonymous Desktop" with the User DN and Password and
assign the "Default" User DN. Typically, this will have been already set by the
installer if the developer sample was installed.
3.1.4. Create a user on SP hostA
Create a user "psuser" with at least the desktop service assigned. Log in as
psuser and verify the user's desktop.
3.2. Identity Provider (IDP) configuration
3.2.1. Change the cookie name
a. The cookie names must be different for the SP and the IDP if both are
running in the same domain.
Edit the /etc/opt/SUNWam/config/AMConfig.properties file on hostB
and change "com.iplanet.am.cookie.name" to "sunDirectoryPro". This name
may be anything other than the one used on the SP, which is
"iPlanetDirectoryPro" by default.
b. Restart the web container.
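A quick check for the cookie-name requirement above, added here and not part of the sample: it reads com.iplanet.am.cookie.name from the SP's and the IDP's AMConfig.properties and fails if the two names match. The two property files it writes are constructed stand-ins, and falling back to iPlanetDirectoryPro when the property is absent is an assumption.

```shell
#!/bin/sh
# Added check, not part of the sample: two Identity Server instances in one
# cookie domain with the same session cookie name overwrite each other's
# cookies, so the SP and IDP names must differ (see step 3.2.1).

# cookie_name FILE: print the value of com.iplanet.am.cookie.name in FILE.
# Assumption: an absent property means the default iPlanetDirectoryPro.
cookie_name() {
    v=$(sed -n 's/^com\.iplanet\.am\.cookie\.name=[[:space:]]*//p' "$1" | tail -n 1)
    echo "${v:-iPlanetDirectoryPro}"
}

# cookies_distinct SP_FILE IDP_FILE: status 0 only if the two names differ.
cookies_distinct() {
    [ "$(cookie_name "$1")" != "$(cookie_name "$2")" ]
}

# Constructed property fragments standing in for the two AMConfig.properties
# files (hostA as SP, hostB as IDP after the edit in step 3.2.1).
work=$(mktemp -d)
printf 'com.iplanet.am.cookie.name=iPlanetDirectoryPro\n' > "$work/sp.properties"
printf 'com.iplanet.am.cookie.name=sunDirectoryPro\n' > "$work/idp.properties"
if cookies_distinct "$work/sp.properties" "$work/idp.properties"; then
    echo "cookie names differ: OK"
else
    echo "cookie names collide: change com.iplanet.am.cookie.name on hostB" >&2
fi
```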
3.2.2. Load the metadata for IDP
a. Edit idpmetadata.xml
Replace the tokens with values appropriate to the deployment. Examples
are shown below.
b. Load the metadata using this command on hostB:
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin --password password --data idpmetadata.xml
3.2.3. Create a user on IDP
Create a user, say "user1", and log in to amconsole as user1 to verify.
4. Testing
Important:
1. Before beginning testing, delete cookies and start a new browser
instance.
2. Synchronize the clocks on the IDP and the SP. As root, execute the command
"rdate hostA" on hostB, or vice versa.
4.1. Federation
Access portal as http://hostA.red.iplanet.com:58080/portal/dt
The Common Login page is displayed. Log in locally as psuser, created
earlier.
Click on the "Federate Identity" link in the "Identity
Federation" channel.
The IDP hostB will be shown in the drop-down list on the
federation page.
Select the IDP to federate (only hostB in this case) and click
submit.
The login page for IDP hostB is displayed. Log in as "user1", created
earlier.
Federation success page is displayed. Click on the "Continue"
link.
The desktop for psuser is displayed again. Click "Logout" to log out
of the portal.
Close the browser.
4.2. Single Sign-On
Start a new browser session.
Access portal as http://hostA.red.iplanet.com:58080/portal/dt
The IDP hostB login screen is presented. Log in as "user1" at hostB.
Desktop for psuser is displayed. Notice the user name in the
"User Information" channel.