Sun ONE Portal Server version 6.2

Liberty Enabled Portal Sample 1

Contents
  1. Introduction
  2. Setup
  3. Configuration
  4. Testing

1. Introduction
This sample uses two machines: one for the IDP, running only Identity Server (IS), and the other for the SP, running Portal Server. The authentication-less desktop is disabled. Federated users who already have a Liberty single sign-on session are presented a personalized desktop when they access the portal desktop, while federated users who are not Liberty signed-on are redirected to the IDP's authentication page. Users without any identity federation are presented the local login page if they are not locally signed-on.
It demonstrates the following features:
  1. Identity Federation
  2. Liberty Single Sign-On
  3. Federation Termination
  4. Single Log-Out at SP

2. Setup

3. Configuration

Configuration may be done manually by following the procedure given in the following sections.
It is also possible to do it using the scripts configSP.sh and configIDP.sh. These scripts must be edited appropriately before use; the comments in the scripts explain how to customize them. Execute configSP.sh on the system where Portal Server is installed. Execute configIDP.sh on the system to be used as the IDP, where Identity Server is installed.

Examples of tokens that need to be replaced in configIDP.sh are:
  1. $ROOT_SUFFIX -> dc=sun,dc=com
  2. $ORG_DN -> o=DeveloperSample,$ROOT_SUFFIX
  3. $IDP_HOST_DOMAIN -> hostB.sun.com
  4. $IDP_PORT -> 58080
  5. $SP_HOST_DOMAIN -> hostA.sun.com
  6. $SP_PORT -> 58080
  7. $PROTOCOL -> http
  8. $PASSWORD -> 11111111
  9. $IDSAME_BASEDIR -> /opt
  10. $IS_DEPLOY_DESCRIPTOR -> amserver
  11. $COOKIE_DOMAIN -> .sun.com
Examples of tokens that need to be replaced in configSP.sh are:
  1. $ROOT_SUFFIX -> dc=sun,dc=com
  2. $ORG_DN -> o=DeveloperSample,$ROOT_SUFFIX
  3. $PORTAL_ID -> portal1
  4. $IDP_HOST_DOMAIN -> hostB.sun.com
  5. $IDP_PORT -> 58080
  6. $SP_HOST_DOMAIN -> hostA.sun.com
  7. $SP_PORT -> 58080
  8. $PROTOCOL -> http
  9. $PASSWORD -> 11111111
  10. $IDSAME_BASEDIR -> /opt
  11. $PORTAL_BASEDIR -> /opt
  12. $IS_DEPLOY_DESCRIPTOR -> amserver
  13. $PS_DEPLOY_DESCRIPTOR -> portal
  14. $COOKIE_DOMAIN -> .sun.com
  15. $CHANNEL_FILE_DIR -> /var/opt/SUNWportal/portals/$PORTAL_ID/desktop/developer_sample/Federation
  16. $CHANNEL_FILE -> $CHANNEL_FILE_DIR/display.template
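The token replacement above (and the same step for spmetadata.xml, fedChannel.xml and idpmetadata.xml in the sections that follow) has two traps worth handling: one token can be a prefix of another ($CHANNEL_FILE vs. $CHANNEL_FILE_DIR), and a value can itself contain a token ($ORG_DN -> o=DeveloperSample,$ROOT_SUFFIX). The following is an added example, not part of the sample kit: a POSIX sh filter that substitutes whole tokens only, repeats until no value introduces a new token, and a check that reports any placeholder left behind. The template text and token values in the comments are constructed.

```sh
#!/bin/sh
# Added example (not from the Liberty sample kit).
# Usage: substitute_tokens NAME=VALUE [NAME=VALUE ...] < template > output
#   e.g. substitute_tokens 'ROOT_SUFFIX=dc=sun,dc=com' 'PORTAL_ID=portal1' < spmetadata.xml

substitute_tokens() {
    script=""
    for pair in "$@"; do
        name=${pair%%=*}
        value=${pair#*=}
        # Escape characters that are special on the right-hand side of s|||.
        esc=$(printf '%s' "$value" | sed 's/[|\\&]/\\&/g')
        # Replace only a whole token: $NAME followed by a non-identifier character,
        # or $NAME at end of line. This keeps $CHANNEL_FILE from eating the head of
        # $CHANNEL_FILE_DIR.
        script="${script}s|\\\$$name\\([^A-Za-z0-9_]\\)|$esc\\1|g
s|\\\$$name\$|$esc|
"
    done
    # Values may contain further tokens ($ORG_DN -> o=DeveloperSample,$ROOT_SUFFIX),
    # so run the script until the text stops changing (bounded, in case two values
    # refer to each other). Trailing blank lines of the template are not preserved.
    text=$(cat)
    i=0
    while [ "$i" -lt 10 ]; do
        next=$(printf '%s\n' "$text" | sed "$script")
        [ "$next" = "$text" ] && break
        text=$next
        i=$((i + 1))
    done
    printf '%s\n' "$text"
}

# Print every $UPPER_CASE placeholder still present on stdin, one per line.
# Empty output means the file is fully resolved and safe to load with amadmin/psadmin.
unresolved_tokens() {
    grep -o '\$[A-Z_][A-Z0-9_]*' | sort -u
}
```

Run the output of substitute_tokens through unresolved_tokens before loading a metadata file; a token that survives is almost always a value that was never supplied for a nested reference such as $ROOT_SUFFIX or $PORTAL_ID.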

3.1. Service Provider (SP) Portal Server configuration

3.1.1. Load the metadata for SP

a. Edit spmetadata.xml
Replace the tokens with values appropriate to the deployment. Examples are shown below.
  1. $ORG_DN -> o=DeveloperSample,dc=sun,dc=com
  2. $PROTOCOL -> http
  3. $SP_HOST_DOMAIN -> hostA.sun.com
  4. $SP_PORT -> 80
  5. $IS_DEPLOY_DESCRIPTOR -> amserver
  6. $PS_DEPLOY_DESCRIPTOR -> portal
  7. $IDP_HOST_DOMAIN -> hostB.sun.com
  8. $IDP_PORT -> 80
  9. $COOKIE_DOMAIN -> .sun.com
b. Load the metadata using this command on hostA
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin --password password --data spmetadata.xml

3.1.2. Create Federation Channel

a. Edit fedChannel.xml
Replace the tokens with values appropriate to the deployment. Examples are shown below.
  1. $PROTOCOL -> http
  2. $SP_HOST_DOMAIN -> hostA.sun.com
  3. $SP_PORT -> 80
  4. $IS_DEPLOY_DESCRIPTOR -> amserver
b. Load the display profile XML using this command on hostA. Remember to use the appropriate DN for amAdmin and the organization.
<PORTAL_BASEDIR>/SUNWportal/bin/psadmin modify-dp --adminuser "uid=amAdmin,ou=People,dc=sun,dc=com" --passwordfile <PASSWORD_FILE> -m --portal portal1 --dn "o=DeveloperSample,dc=sun,dc=com" fedChannel.xml

c. Create channel template directory
#mkdir /var/opt/SUNWportal/portals/portal1/desktop/developer_sample/Federation

d. Copy the channel template from the sample directory to the template directory.
#cp fedChannel.template /var/opt/SUNWportal/portals/portal1/desktop/developer_sample/Federation/display.template

3.1.3. Set Global Attributes for Desktop Service

In the Portal admin console
  1. Click the "Portals" tab
  2. Click the portal in the list, i.e. portal1
  3. select "TopLevel" in the "Select DN" dropdown list
And set the following fields:

3.1.4. Create a user on SP hostA
Create a user "psuser" with at least the Desktop service assigned. Log in as psuser and verify the user's desktop.


3.2. Identity Provider (IDP) configuration

3.2.1. Change the cookie name
a. The cookie names must be different for the SP and the IDP if both run in the same domain.
Edit the /etc/opt/SUNWam/config/AMConfig.properties file on hostB and change "com.iplanet.am.cookie.name" to "sunDirectoryPro". Any name other than the one used on the SP, which is "iPlanetDirectoryPro" by default, will do.

b. Restart the web container.

3.2.2. Load the metadata for IDP

a. Edit idpmetadata.xml
Replace the tokens with values appropriate to the deployment. Examples are shown below.
  1. $ORG_DN -> o=DeveloperSample,dc=sun,dc=com
  2. $PROTOCOL -> http
  3. $SP_HOST_DOMAIN -> hostA.sun.com
  4. $SP_PORT -> 80
  5. $IS_DEPLOY_DESCRIPTOR -> amserver
  6. $IDP_HOST_DOMAIN -> hostB.sun.com
  7. $IDP_PORT -> 80
  8. $COOKIE_DOMAIN -> .sun.com
b. Load the metadata using this command on hostB
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin --password password --data idpmetadata.xml

3.2.3. Create a user on IDP hostB
Create a user, say "user1", log in to amconsole as user1 and verify.

4. Testing

Important:
1. Before beginning testing, delete cookies and start a new browser instance.
2. Synchronize the clocks on the IDP and the SP. As root, execute the command "rdate hostA" on hostB, or vice versa.


4.1. Federation
  1. Access portal as http://hostA.red.iplanet.com:58080/portal/dt
  2. The common login page is displayed with a list of IDPs and a local login link. As only one IDP is configured, the link to hostB is shown.
  3. Click on the local login and login as "psuser" created earlier.
  4. Click on the "Federate Identity" link in the "Identity Federation" channel.
  5. The IDP hostB will be shown in the drop-down list on the federation page.
  6. Select the IDP to federate (only hostB in this case) and click submit.
  7. Login page for IDP hostB is displayed. Login as "user1" created earlier.
  8. Federation success page is displayed. Click on the "Continue" link.
  9. Desktop for psuser is displayed again. Click "Logout" to logout of portal.
  10. Close the browser.
4.2. Single Sign-On
  1. Start a new browser session.
  2. Access portal as http://hostA.red.iplanet.com:58080/portal/dt
  3. IDP hostB login screen is presented. Login as "user1" at hostB.
  4. Desktop for psuser is displayed. Notice the user name in the "User Information" channel.
  5. Logout and start a new browser session.
  6. Access http://hostB.red.iplanet.com:58080/amconsole
  7. Login as "user1" at the IDP and see the user profile page at the IDP.
  8. Change url and access http://hostA.red.iplanet.com:58080/portal/dt
  9. Desktop for "psuser" is displayed.
4.3. Single Logout
  1. This assumes that you have already performed single sign-on and psuser's desktop is displayed.
  2. Click "Logout" to logout of the portal server
  3. Now access http://hostB.red.iplanet.com:58080/amconsole
  4. Login page for the IDP hostB is displayed indicating that by performing a logout at the portal server, you have also been logged out of the IDP.
4.4. Federation Termination
  1. This assumes that you have already performed single sign-on and psuser's desktop is displayed.
  2. Click on the "Terminate Federation" link in the "Identity Federation" channel
  3. Select the provider and click submit.
  4. Federation Termination success page is displayed. Click on the "Continue" link.
  5. psuser's desktop is displayed.
  6. Click "Logout" to logout.
  7. Close the browser and start a new browser session.
  8. Access portal as http://hostA.red.iplanet.com:58080/portal/dt
  9. The login page for the hostA portal server is displayed. As the federation has been terminated, you are not presented with the IDP login page.
  10. Login as psuser to perform a local login.