DocTeger

OpenSSO Technical Information

And a Spoonful of Music

To Make the Medicine Go Down

Want to Set Up and Test a SAMLv2 Authentication Query? Ask.

A SAMLv2 Authentication Query requests existing authentication assertions about a given subject from an Authentication Authority. This procedure explains how to set up and test an authentication query; I found it internally and recreated it externally for you.

This procedure assumes the entityID of the service provider is ear.red.sun.com, and the entityID of the identity provider is eye.red.sun.com. It also assumes that you have downloaded and deployed the famadm command line interface. You can also accomplish the steps referring to the export and import of metadata using the Federation and Common Tasks portions of the OpenSSO console.

1. On the service provider machine, generate standard and extended metadata templates and load them as an entity provider using the OpenSSO console. For example,
   /famconfig/famadm/fam/bin/famadm create-metadata-templ -u amadmin -f /tmp/pw -m /tmp/spmd -x /tmp/spxmd -s /sp -a test -r test -y ear.red.sun.com
2. Login to the OpenSSO console on the identity provider machine to import the service provider metadata files.
3. On the identity provider machine, generate standard and extended metadata templates, specifying the -C, -D, and -E options. For example,
   /famconfig/famadm/fam/bin/famadm create-metadata-templ -u amadmin -f /tmp/pw -m /tmp/idpmd -x /tmp/idpxmd -i /idp -b test -g test -C /authna -D test2 -E test2 -y eye.red.sun.com
4. Modify the identity provider extended metadata as follows.
   • Set the value of the idpAuthncontextClassrefMapping attribute to:

     urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default
     urn:oasis:names:tc:SAML:2.0:ac:classes:Level1|1|module=DataStore1
     urn:oasis:names:tc:SAML:2.0:ac:classes:Level3|3|module=DataStore3
     urn:oasis:names:tc:SAML:2.0:ac:classes:Level5|5|module=DataStore5
     urn:oasis:names:tc:SAML:2.0:ac:classes:Level7|7|module=DataStore7
     urn:oasis:names:tc:SAML:2.0:ac:classes:Level9|9|module=DataStore9

   • Set the value of the assertionCacheEnabled attribute to true.
5. Login to the OpenSSO console on the service provider machine to import the identity provider metadata files.
6. Login to the OpenSSO console on the identity provider machine to add the following named authentication modules.
   DataStore1
   DataStore3
   DataStore5
   DataStore7
   DataStore9
   The type of each module should be set to Data Store and the authentication level set to 1, 3, 5, 7, and 9, respectively.
7. Single sign-on using the following URL:
   http://ear.red.sun.com/fam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=eye.red.sun.com&reqBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&AuthnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:Level1
   This will create an assertion with the value of AuthnContextClassRef set as urn:oasis:names:tc:SAML:2.0:ac:classes:Level1.
   ALTERNATIVES: You can single sign-on with different authentication levels by changing Level1 to Level3, Level5, Level7, and Level9. You can also use a different browser which would change the value of sessionIndex. Following this, the user will have had multiple assertions created.
8. To test your configuration, copy authnQuery.jsp to the service provider deploy root and customize it by changing the following attributes (located between // customization starts here and // customization ends here in the file).
   • sessionIndex
   • RequestedAuthnContext
   • Comparison
9. Run the JSP by typing the following URL in a browser.
   http://ear.red.sun.com/fam/authnQuery.jsp?spMetaAlias=/sp&authnAuthorityEntityID=eye.red.sun.com
   The results will change based on the different customizations.

See, when you have a query, just ask - like the Smiths said.

Posted at 06:54AM Jun 23, 2008 by Michael Teger in Sun  |  Comments[2]