Sun ONE Portal Server version 6.2

Liberty Enabled Portal Sample 4
Contents
  1. Introduction
  2. Setup
  3. Configuration
  4. Testing

1. Introduction
This sample uses two machines: one hosts two IDPs running on a single Identity Server (IS) instance, and the other hosts the SP running Portal Server.
Because there is more than one IDP, the Common Domain Service (CDS) is used to read and write the common domain cookie for the user. The common domain cookie records the user's preferred IDP. The CDS may be installed on either of the two machines or on a separate third machine; in this sample it runs on the machine hosting the SP.
It demonstrates the following features:
  1. Identity Federation
  2. Liberty Single Sign-On
  3. Federation Termination
  4. Single Log-Out at SP
2. Setup
3. Configuration

Configuration may be done manually by following the procedure given in the following sections.
It is also possible to do it using the scripts configSP.sh and configIDP.sh. These scripts must be edited appropriately before use; the comments in the scripts explain how to customize them. Execute the configSP script on the system with Portal Server installed. Execute the configIDP script on the system to be used as the IDP, which has Identity Server installed.

Examples of tokens that need to be replaced in the configIDP.sh are:
  1. $ROOT_SUFFIX -> dc=sun,dc=com
  2. $ORG_DN -> o=DeveloperSample,$ROOT_SUFFIX
  3. $IDP_HOST_DOMAIN -> hostB.sun.com
  4. $IDP_PORT -> 58080
  5. $SP_HOST_DOMAIN -> hostA.sun.com
  6. $SP_PORT -> 58080
  7. $PROTOCOL -> http
  8. $PASSWORD -> 11111111
  9. $IDSAME_BASEDIR -> /opt
  10. $IS_DEPLOY_DESCRIPTOR -> amserver
  11. $COOKIE_DOMAIN -> .sun.com
Examples of tokens that need to be replaced in the configSP.sh are:
  1. $ROOT_SUFFIX -> dc=sun,dc=com
  2. $ORG_DN -> o=DeveloperSample,$ROOT_SUFFIX
  3. $PORTAL_ID -> portal1
  4. $IDP_HOST_DOMAIN -> hostB.sun.com
  5. $IDP_PORT -> 58080
  6. $SP_HOST_DOMAIN -> hostA.sun.com
  7. $SP_PORT -> 58080
  8. $PROTOCOL -> http
  9. $PASSWORD -> 11111111
  10. $IDSAME_BASEDIR -> /opt
  11. $PORTAL_BASEDIR -> /opt
  12. $IS_DEPLOY_DESCRIPTOR -> amserver
  13. $PS_DEPLOY_DESCRIPTOR -> portal
  14. $COOKIE_DOMAIN -> .sun.com
  15. $CHANNEL_FILE_DIR -> /var/opt/SUNWportal/portals/$PORTAL_ID/desktop/developer_sample/Federation
  16. $CHANNEL_FILE -> $CHANNEL_FILE_DIR/display.template

3.1. Service Provider (SP) Portal Server configuration

3.1.1. Load the metadata for SP

a. Edit spmetadata.xml
Replace the tokens with values appropriate to the deployment. Examples are shown below.
  1. $ORG_DN -> o=DeveloperSample,dc=sun,dc=com
  2. $PROTOCOL -> http
  3. $SP_HOST_DOMAIN -> hostA.sun.com
  4. $SP_PORT -> 80
  5. $IS_DEPLOY_DESCRIPTOR -> amserver
  6. $PS_DEPLOY_DESCRIPTOR -> portal
  7. $IDP_HOST_DOMAIN -> hostB.sun.com
  8. $IDP_PORT -> 80
  9. $COOKIE_DOMAIN -> .sun.com
b. Load the metadata using this command on hostA
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin --password password --data spmetadata.xml
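The token replacement in step a (and the same step for fedChannel.xml in 3.1.2 and idpmetadata.xml in 3.2.3) is easy to get half-done by hand. The helper below is an added example, not part of the Sun sample: it expands the tokens in a template, matches a token only at an identifier boundary so that $CHANNEL_FILE does not clobber $CHANNEL_FILE_DIR, repeats passes so nested values such as o=DeveloperSample,$ROOT_SUFFIX resolve, and refuses to produce a file in which any upper-case $TOKEN survives. The function and file names are assumptions, and the three-line template is constructed for the demonstration.

```shell
#!/bin/sh
# Added helper, not part of the Sun sample: expand the $TOKEN placeholders in one
# of the sample's XML templates (spmetadata.xml, fedChannel.xml, idpmetadata.xml)
# and refuse to write a file that still contains a placeholder, so a half-edited
# template is never loaded with amadmin or psadmin.

# Escape a value for the right-hand side of a sed s|old|new|g expression.
sed_escape() {
  printf '%s' "$1" | sed 's/[\\|&]/\\&/g'
}

# substitute_tokens TEMPLATE OUTPUT NAME=VALUE ...
# A token only matches when followed by a non-identifier character or end of
# line, so $CHANNEL_FILE never clobbers $CHANNEL_FILE_DIR. Values may contain
# tokens themselves ($ORG_DN -> o=DeveloperSample,$ROOT_SUFFIX), so passes are
# repeated until the file stops changing (bounded, in case a value refers to itself).
substitute_tokens() {
  tmpl=$1; out=$2; shift 2
  cp "$tmpl" "$out" || return 1
  pass=0
  while [ "$pass" -lt 10 ]; do
    before=$(cat "$out")
    for kv in "$@"; do
      name=${kv%%=*}
      value=$(sed_escape "${kv#*=}")
      sed -e "s|[\$]${name}\\([^A-Za-z0-9_]\\)|${value}\\1|g" \
          -e "s|[\$]${name}\$|${value}|g" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    done
    [ "$(cat "$out")" = "$before" ] && break
    pass=$((pass + 1))
  done
  # Any surviving upper-case $TOKEN means a value was forgotten: report and fail.
  if grep -q '[$][A-Z][A-Z0-9_]*' "$out"; then
    echo "unreplaced tokens in $out:" >&2
    grep -n '[$][A-Z][A-Z0-9_]*' "$out" >&2
    return 1
  fi
}

# Demonstration on a constructed three-line template (not the real spmetadata.xml).
demo=/tmp/liberty-demo.$$.xml
printf '%s\n' '<idp>$PROTOCOL://$IDP_HOST_DOMAIN:$IDP_PORT/$IS_DEPLOY_DESCRIPTOR</idp>' \
  '<org>$ORG_DN</org>' '<tmpl>$CHANNEL_FILE</tmpl>' > "$demo"
substitute_tokens "$demo" "$demo.out" PROTOCOL=http IDP_HOST_DOMAIN=hostB.sun.com \
  IDP_PORT=80 IS_DEPLOY_DESCRIPTOR=amserver ROOT_SUFFIX=dc=sun,dc=com \
  'ORG_DN=o=DeveloperSample,$ROOT_SUFFIX' PORTAL_ID=portal1 \
  'CHANNEL_FILE_DIR=/var/opt/SUNWportal/portals/$PORTAL_ID/desktop/developer_sample/Federation' \
  'CHANNEL_FILE=$CHANNEL_FILE_DIR/display.template' && cat "$demo.out"
rm -f "$demo" "$demo.out"
```

Run it against the real template with `substitute_tokens spmetadata.xml spmetadata.out ...` and only pass spmetadata.out to amadmin when the function exits 0.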

3.1.2. Create Federation Channel

a. Edit fedChannel.xml
Replace the tokens with values appropriate to the deployment. Examples are shown below.
  1. $PROTOCOL -> http
  2. $SP_HOST_DOMAIN -> hostA.sun.com
  3. $SP_PORT -> 80
  4. $IS_DEPLOY_DESCRIPTOR -> amserver
b. Load the display profile (DP) XML using this command on hostA. Remember to use the appropriate DNs for amAdmin and the organization.
<PORTAL_BASEDIR>/SUNWportal/bin/psadmin modify-dp --adminuser "uid=amAdmin,ou=People,dc=sun,dc=com" --passwordfile <PASSWORD_FILE> -m --portal portal1 --dn "o=DeveloperSample,dc=sun,dc=com" fedChannel.xml

c. Create channel template directory
# mkdir /var/opt/SUNWportal/portals/portal1/desktop/developer_sample/Federation

d. Copy the channel template from the sample directory to the template directory.
# cp fedChannel.template /var/opt/SUNWportal/portals/portal1/desktop/developer_sample/Federation/display.template

3.1.3. Set Global Attributes for Desktop Service

In the Portal admin console:
  1. Click the "Portals" tab.
  2. Click the portal in the list, i.e. portal1.
  3. Select "TopLevel" in the "Select DN" dropdown list.
  4. Set the following fields:

3.1.4. Create a user on SP hostA
Create a user "psuser" with at least the Desktop service assigned. Log in as psuser and verify the user's desktop.

3.2. Identity Provider (IDP) configuration

3.2.1. Create sub-orgs and users
Create sub-orgs "idp1" and "idp2" in the IS installed on hostB.
Create users "user1" and "user2" in these sub-orgs respectively.
To do this, load the subOrgRequests.xml file. Each user's password is the same as the user name.

a. Edit the subOrgRequests.xml
Replace the tokens $ORG_DN, $PROTOCOL, $IS_DEPLOY_DESCRIPTOR, $AMLDAPUSER_PWD appropriately.

b. Load the XML using this command on hostB.
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin --password password --data subOrgRequests.xml

3.2.2. Edit AMConfig.properties
Edit /etc/opt/SUNWam/config/AMConfig.properties file on hostB

a. The cookie names must be different for the SP and the IDP if both are running in the same domain; otherwise one session cookie overwrites the other in the browser.
Change "com.iplanet.am.cookie.name" to "sunDirectoryPro". This name may be anything other than the one on the SP, which is "iPlanetDirectoryPro" by default.

b. Edit fqdnMap to add these entries
com.sun.identity.server.fqdnMap[www.idp1.com]=www.idp1.com
com.sun.identity.server.fqdnMap[www.idp2.com]=www.idp2.com

c. Restart the web container.

3.2.3. Load the metadata for IDP
a. Edit idpmetadata.xml
Replace the tokens with values appropriate to the deployment. Examples are shown below.
  1. $ORG_DN -> o=DeveloperSample,dc=sun,dc=com
  2. $PROTOCOL -> http
  3. $SP_HOST_DOMAIN -> hostA.sun.com
  4. $SP_PORT -> 80
  5. $IS_DEPLOY_DESCRIPTOR -> amserver
  6. $PS_DEPLOY_DESCRIPTOR -> portal
  7. $IDP_PORT -> 80
b. Load the metadata using this command on hostB
<IS_BASE_DIR>/SUNWam/bin/amadmin --runasdn amAdmin --password password --data idpmetadata.xml

4. Testing

Important:
1. Before beginning testing, delete cookies and start a new browser instance.
2. Synchronize the clocks on the IDP and the SP. As root, execute the command "rdate hostA" on hostB, or vice versa.
3. Edit the hosts file on the system where you will run the browser and add:
IP.OF.THE.HOST_B    www.idp1.com
IP.OF.THE.HOST_B    www.idp2.com

4.1. Federation
  1. Access portal as http://hostA.red.iplanet.com:58080/portal/dt
  2. Common Login page is displayed. Locally login as psuser created earlier.
  3. Click on the "Federate Identity" link in the "Identity Federation" channel.
  4. The 2 IDPs, www.idp1.com and www.idp2.com will be shown in the drop-down list on the federation page.
  5. Select idp1 to federate with and click Submit.
  6. Login page for www.idp1.com is displayed. Login as "user1" created earlier.
  7. Federation success page is displayed. Click on the "Continue" link.
  8. Repeat these steps to federate "psuser" with "user2" in "www.idp2.com".
  9. The desktop for psuser is displayed after clicking Continue. Click "Logout" to log out of the portal.
  10. Close the browser.
4.2. Single Sign-On
  1. Start a new browser session.
  2. Access portal as http://hostA.red.iplanet.com:58080/portal/dt
  3. The last identity federation was done with idp2 in the previous steps, so the idp2 is the preferred IDP.
  4. www.idp2.com login screen is presented. Login as "user2" at idp2.
  5. Desktop for psuser is displayed. Notice the user name in the "User Information" channel.
  6. If the last IDP federated with was idp1, the idp1 login screen is presented instead. The common domain cookie stores the last IDP the user interacted with, and that IDP is treated as the preferred IDP.
4.3. Single Logout
  1. This assumes that you have already performed single sign-on by authenticating at idp2 and psuser's desktop is displayed.
  2. Click "Logout" to log out of the portal server.
  3. Now access http://www.idp2.com:58080/amconsole.
  4. The login page for idp2 is displayed, indicating that by logging out at the portal server you have also been logged out of the IDP.
4.4. Federation Termination
  1. This assumes that you have already performed single sign-on and psuser's desktop is displayed.
  2. Click on the "Terminate Federation" link in the "Identity Federation" channel
  3. Select the provider and click submit.
  4. Federation Termination success page is displayed. Click on the "Continue" link.
  5. psuser's desktop is displayed.
  6. Repeat these steps to terminate federation at both the IDPs.
  7. Click "Logout" to logout.
  8. Close the browser and start a new browser session.
  9. Access portal as http://hostA.red.iplanet.com:58080/portal/dt
  10. Authless desktop is displayed.
  11. Login as psuser to perform a local login.