Vimal's Blog

How to use fedlet with Access Manager 7.1+

Posted in fedlet by vimalp on November 10, 2009

This post describes how to set up Single Sign-On between the Access Manager 7.1+ SAMLv2 plugin acting as IDP and an OpenSSO fedlet acting as SP. I would suggest performing the steps in the IDP and FEDLET sections in parallel, since each side needs the other side's metadata.

At the end you should have four xml files on each side, IDP and Fedlet: the two IDP metadata files (eg:- idpMeta.xml and idpExtended.xml; the names can be anything) and the two Fedlet metadata files (eg:- sp.xml and sp-extended.xml).

  • IDP

1. You can either modify the metadata files (idpMeta.xml and idpExtended.xml) that are already present in the saml2/meta directory on the Access Manager 7.1 side, or create new ones with the CLI commands below. After installing the saml2 patch the metadata is usually under '/opt/SUNWam/saml2/meta'.

2. CLI commands

  • You can create new metadata using the saml2meta template command

# pwd
/opt/SUNWam/saml2/bin
# ./saml2meta template -u amadmin -w secret12 -m /tmp/mm.xml -x /tmp/xx.xml -e fedletidp -d /fedletidp
Hosted entity descriptor for realm "/" was written to file "/tmp/mm.xml" successfully.
Hosted entity config for realm "/" was written to file "/tmp/xx.xml" successfully.

  • You can import the metadata using the saml2meta import command

# ./saml2meta import -u amadmin -w secret12 -t samplecot -m ..//meta/idpMeta.xml -x ..//meta/idpExtended.xml
File "..//meta/idpMeta.xml" was imported successfully.
File "..//meta/idpExtended.xml" was imported successfully.

# ./saml2meta import -u amadmin -w secret12 -t samplecot -m ..//meta/sp.xml -x ..//meta/sp-extended.xml
File "..//meta/sp.xml" was imported successfully.
File "..//meta/sp-extended.xml" was imported successfully.

  • You can list the entities present in the circle of trust using the saml2meta cotmember command

# ./saml2meta cotmember -u amadmin -w secret12 -t samplecot
Listing the trusted entities in the circle of trust: "samplecot".
Entity ID: IDP_ENTITY_ID
Entity ID: FEDLET_ENTITY_ID
Circle of trust "samplecot" is listed successfully.

  • You can list all the entities using the saml2meta list command

# ./saml2meta list -u amadmin -w secret12
Listing all the entity id(s) in the system:
Entity ID: IDP_ENTITY_ID
Entity ID: FEDLET_ENTITY_ID
Operation: list is executed successfully.

  • You can delete an entity using the saml2meta delete command

# ./saml2meta delete -u amadmin -w secret12 -e IDP_ENTITY_ID
Descriptor and config for entity "IDP_ENTITY_ID" was deleted successfully.

  • After deleting, run saml2meta list and saml2meta cotmember again to verify that the entity is gone

# ./saml2meta list -u amadmin -w secret12
Listing all the entity id(s) in the system:
Entity ID: FEDLET_ENTITY_ID
Operation: list is executed successfully.

# ./saml2meta cotmember -u amadmin -w secret12 -t samplecot
Listing the trusted entities in the circle of trust: "samplecot".
Entity ID: FEDLET_ENTITY_ID
Circle of trust "samplecot" is listed successfully.

3. Keystore Info

  • Assume a CA-approved certificate with alias 'test' is present in the keystore 'keystore.jks'. Export it in PEM form with keytool; the base64 body of this output is what goes into the X509Certificate element of the metadata.

# /usr/jdk/jdk1.5.0_12/bin/./keytool -export -keystore /etc/opt/SUNWam/config/keystore.jks -rfc -alias test
Enter keystore password:  changeit
-----BEGIN CERTIFICATE-----
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
-----END CERTIFICATE-----

4. idpMeta.xml

  • Put the KeyDescriptor block before the ArtifactResolutionService block.
  • Here X509Certificate is the certificate exported from keystore.jks (the base64 body only, without the BEGIN/END CERTIFICATE lines).
  • See the Keystore Info step above for how to export it.

<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
    <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
  </EncryptionMethod>
</KeyDescriptor>

5. idpExtended.xml

  • Add the certificate alias to these xml blocks

<Attribute name="signingCertAlias">
  <Value>test</Value>
</Attribute>
<Attribute name="encryptionCertAlias">
  <Value>test</Value>
</Attribute>

  • Now add the attributeMap as shown below

<Attribute name="attributeMap">
  <Value>Mail=mail</Value>
  <Value>GivenName=givenname</Value>
  <Value>UserStatus=inetuserstatus</Value>
  <Value>CommonName=cn</Value>
</Attribute>

  • Note: You can fetch any attribute, but make sure it is present in the attributeMap of both the idp-extended and sp-extended xml files.

6. Now import the fedlet's metadata (sp.xml and sp-extended.xml) once all the changes described in the FEDLET section have been made. Make sure that

  • sp-extended.xml is imported on the IDP side with hosted="0", i.e. the fedlet is a remote entity from the IDP's point of view:

<EntityConfig entityID="FEDLET_ENTITY_ID" hosted="0" xmlns="urn:sun:fm:SAML:2.0:entityconfig">

7. Server restart

# /var/opt/SUNWwbsvr7/https-vp227006.red.iplanet.com/bin/./stopserv
server has been shutdown
# /var/opt/SUNWwbsvr7/https-vp227006.red.iplanet.com/bin/./startserv
Sun Java System Web Server 7.0U1 B07/18/2007 14:21
info: CORE3016: daemon is running as super-user
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12] from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [vp227006.red.iplanet.com] at [/ampassword]
warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
info: WEB0100: Loading web module in virtual server [vp227006.red.iplanet.com] at [/amcommon]
warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
info: WEB0100: Loading web module in virtual server [vp227006.red.iplanet.com] at [/amserver]
warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
info: url: jar:file:/opt/SUNWmfwk/lib/mfwk_instrum_tk.jar!/com/sun/mfwk/config/MfConfig.class
info: "mfwk.multicast.disableloopback" set to false
info: url: jar:file:/opt/SUNWmfwk/lib/mfwk_instrum_tk.jar!/com/sun/mfwk/config/MfConfig.class
info: LogFile is: //var/opt/SUNWmfwk/logs/instrum.%g
info: HTTP3072: http-listener-1: http://vp227006.red.iplanet.com:80 ready to accept requests
info: CORE3274: successful server startup

  • FEDLET

1. Get the fedlet.war from the Fedlet-unconfigured.zip and deploy it on the container

2. Remember that Access Manager 7.1 does not support SAMLv2 Single Logout, SAMLv2 Attribute Query or SAMLv2 XACML Query, so those blocks should be removed from the fedlet's xml files.

3. Create a directory 'fedlet' under user.home

Ex:- In Windows it is usually C:\Users\Administrator\fedlet (Vista) or C:\Documents and Settings\Administrator\fedlet (Windows Server 2003)

In Solaris/Linux it is usually /fedlet or /root/fedlet

4. Copy all the configuration files (fedlet.cot, sp.xml, sp-extended.xml, idp.xml, idp-extended.xml, FederationConfig.properties) to the fedlet directory

5. Make these changes in sp.xml and sp-extended.xml according to your fedlet configuration

FEDLET_ENTITY_ID  : replace with the real entity id (name) of your Fedlet (SP), e.g. "fedletsp".
FEDLET_PROTOCOL   : replace with the protocol of the web container the fedlet.war is deployed on, e.g. "http".
FEDLET_HOST       : replace with the host name of the web container the fedlet.war is deployed on, e.g. "www.samples.com".
FEDLET_PORT       : replace with the port number of the web container the fedlet.war is deployed on, e.g. "80".
FEDLET_DEPLOY_URI : replace with the deployment URI of the fedlet.war on the web container, e.g. "fedlet".
IDP_ENTITY_ID     : replace with the real entity id (name) of your remote IDP, e.g. "myidp".

6. sp.xml

  • Remove the Single Logout service entry for the HTTP-POST binding

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://FEDLET_URL/fedletSloPOST" ResponseLocation="http://FEDLET_URL/fedletSloPOST"/>

  • Remove the RoleDescriptor and XACMLAuthzDecisionQueryDescriptor blocks. If you have configured a certificate, the RoleDescriptor will contain the KeyDescriptor blocks shown here; otherwise it will not.

<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="query:AttributeQueryDescriptorType"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query">
  <KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </KeyDescriptor>
  <KeyDescriptor use="encryption">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
      <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
    </EncryptionMethod>
  </KeyDescriptor>
</RoleDescriptor>
<XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>

7. sp-extended.xml

  • Remove the AttributeQueryConfig block, which configures the Attribute Query

<AttributeQueryConfig metaAlias="/attrQuery">
  <Attribute name="signingCertAlias">
    <Value>test</Value>
  </Attribute>
  <Attribute name="encryptionCertAlias">
    <Value>test</Value>
  </Attribute>
  <Attribute name="wantNameIDEncrypted">
    <Value/>
  </Attribute>
  <Attribute name="cotlist">
    <Value>FEDLET_COT</Value>
  </Attribute>
</AttributeQueryConfig>

  • Similarly, remove the XACMLAuthzDecisionQueryConfig block, which configures the XACML Query

<XACMLAuthzDecisionQueryConfig metaAlias="/pep">
  <Attribute name="signingCertAlias">
    <Value/>
  </Attribute>
  <Attribute name="encryptionCertAlias">
    <Value/>
  </Attribute>
  <Attribute name="basicAuthOn">
    <Value>false</Value>
  </Attribute>
  <Attribute name="basicAuthUser">
    <Value/>
  </Attribute>
  <Attribute name="basicAuthPassword">
    <Value/>
  </Attribute>
  <Attribute name="wantXACMLAuthzDecisionResponseSigned">
    <Value>false</Value>
  </Attribute>
  <Attribute name="wantAssertionEncrypted">
    <Value>false</Value>
  </Attribute>
  <Attribute name="cotlist">
    <Value>FEDLET_COT</Value>
  </Attribute>
</XACMLAuthzDecisionQueryConfig>

  • Now add the attributeMap as shown below.

<Attribute name="attributeMap">
  <Value>Mail=mail</Value>
  <Value>GivenName=givenname</Value>
  <Value>UserStatus=inetuserstatus</Value>
  <Value>CommonName=cn</Value>
</Attribute>

  • Note: You can fetch any attribute, but make sure it is present in the attributeMap of both the idp-extended and sp-extended xml files.

8. Now import the IDP's metadata (idpMeta.xml and idpExtended.xml) once all the changes described in the IDP section have been made. Make sure that

  • idp-extended.xml is imported on the fedlet side with hosted="0", i.e. the IDP is a remote entity from the fedlet's point of view:

<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="0" entityID="IDP_ENTITY_ID">

9. Restart fedlet container

10. Troubleshooting

  • Check for errors in the debug directory. The fedlet's debug directory is under FEDLET_HOME.
  • Ex:- In Solaris it is /fedlet/debug or /root/fedlet/debug
  • In Windows it is under C:\Documents and Settings\Administrator\fedlet\debug or C:\Users\Administrator\fedlet
  • You can also check the index.jsp bundled inside the fedlet.war for the specific errors.
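As an added example (not part of the original post or of the fedlet/Access Manager code), here is a small Python pre-import check for the three things this walkthrough tells you to verify by hand before restarting: that no Single Logout, Attribute Query (RoleDescriptor) or XACML Query descriptors are left in the fedlet's sp.xml, that a partner's extended metadata carries hosted="0", and that the attributeMap entries agree on both sides. The sample metadata is constructed inline with placeholder entity IDs and URLs and trimmed to the elements the checks read.

```python
import xml.etree.ElementTree as ET

CFG = "urn:sun:fm:SAML:2.0:entityconfig"
# To strip from the fedlet's sp.xml: AM 7.1 supports neither SAMLv2 SLO, Attribute Query nor XACML Query.
UNSUPPORTED = {"SingleLogoutService", "RoleDescriptor", "XACMLAuthzDecisionQueryDescriptor"}

def local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]

def unsupported_in_sp(sp_xml):
    """Sorted local names of unsupported descriptors still present in sp.xml (empty when clean)."""
    return sorted({local(e.tag) for e in ET.fromstring(sp_xml).iter() if local(e.tag) in UNSUPPORTED})

def is_remote(extended_xml):
    """A partner's *-extended.xml must carry hosted="0" when imported on the other side."""
    return ET.fromstring(extended_xml).get("hosted") == "0"

def attribute_map(extended_xml):
    """attributeMap entries of an extended file as {SAML attribute name: local attribute}."""
    out = {}
    for attr in ET.fromstring(extended_xml).iter(f"{{{CFG}}}Attribute"):
        if attr.get("name") == "attributeMap":
            for v in attr.findall(f"{{{CFG}}}Value"):
                saml_name, _, local_name = (v.text or "").partition("=")
                out[saml_name.strip()] = local_name.strip()
    return out

def map_mismatch(idp_ext_xml, sp_ext_xml):
    """SAML attribute names mapped on only one side; the post requires both sides to agree."""
    return sorted(set(attribute_map(idp_ext_xml)) ^ set(attribute_map(sp_ext_xml)))

# Constructed sample metadata (placeholder entity IDs and URLs, trimmed to what the checks read).
SP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="fedletsp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://www.samples.com:80/fedlet/fedletSloPOST"/>
    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://www.samples.com:80/fedlet/fedletapplication"/>
  </SPSSODescriptor>
  <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""
IDP_EXT = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="0" entityID="myidp">
  <IDPSSOConfig><Attribute name="attributeMap"><Value>Mail=mail</Value><Value>CommonName=cn</Value>
  </Attribute></IDPSSOConfig></EntityConfig>"""
SP_EXT = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="1" entityID="fedletsp">
  <SPSSOConfig><Attribute name="attributeMap"><Value>Mail=mail</Value><Value>GivenName=givenname</Value>
  </Attribute></SPSSOConfig></EntityConfig>"""
```

Run the three functions over your real files before the saml2meta import (or the fedlet restart): the sample SP_XML still carries two unsupported descriptors, IDP_EXT is correctly marked remote, and CommonName and GivenName are each mapped on one side only.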