Friday May 08, 2009
An ASP.NET OpenSSO Fedlet? Sign of the Times
In light of the OpenSSO Fedlet's recent award for innovation, here are instructions to configure and test the new ASP.NET Fedlet.
The Fedlet is a small archive that can be embedded into a service provider's web application to allow for SAMLv2 single sign-on between an identity provider instance of OpenSSO and the service provider application - WITHOUT installing OpenSSO on the service provider side. With the upcoming release of OpenSSO Enterprise 8.0 Update 1, the Fedlet technology has been extended to the ASP.NET platform. The code is currently available in the nightly builds. OpenSSO Enterprise 8.0 Update 1 includes the Fedlet.dll, template metadata files, and a sample ASP.NET application for testing the communications. The Fedlet.dll initiates single sign-on with an identity provider and enables the service provider to receive the authentication response using an HTTP-POST binding.
To configure the Sample Application for communications with the ASP.NET Fedlet, follow these first three procedures. The final procedure has the ASP.NET code to use in an existing application.
- To Configure the Identity Provider
- To Configure the Service Provider and the ASP.NET Fedlet
- To Configure the Sample Application and Test the ASP.NET Fedlet
- To Integrate the ASP.NET Fedlet with an Existing Application
To Configure the Identity Provider

- Create the hosted identity provider using the Common Tasks work flow in the OpenSSO Enterprise console. You will need the name of the circle of trust in To Configure the Service Provider and the ASP.NET Fedlet.
- Export the identity provider's standard metadata file. idp.xml can be exported by accessing the export metadata page at http://idp-machine.domain:8080/opensso/saml2/jsp/exportmetadata.jsp
- Register the remote service provider using the modified standard metadata file sp.xml and the Register Remote Service Provider work flow in the OpenSSO Enterprise console. This standard metadata is modified in To Configure the Service Provider and the ASP.NET Fedlet; thus, registering the service provider on the identity provider machine is the last step of that procedure.
To Configure the Service Provider and the ASP.NET Fedlet

- Download the OpenSSO Enterprise ZIP archive to the service provider machine and unzip it.
- Unzip Fedlet-unconfigured.zip in the /opensso/fedlet/ folder.
- Move the /opensso/fedlet/asp.net/ folder to a temporary directory.
- Change to the /tmp/asp.net/conf directory.
- Make copies of the template files.
  - Copy sp.xml-template to sp.xml.
  - Copy sp-extended.xml-template to sp-extended.xml.
  - Copy idp-extended.xml-template to idp-extended.xml.
  - Copy fedlet.cot-template to fedlet.cot.
- Swap out the following tags in the copied metadata files.
  - Replace FEDLET_COT with the name of the circle of trust of which the remote identity provider and the local service provider are members.
  - Replace FEDLET_ENTITY_ID with a unique identifier used to locate the Fedlet. This value is the service provider's EntityID: the EntityID attribute of the EntityDescriptor element in the metadata (sp.xml) exchanged between the providers. In the OpenSSO console, the Name shown for a configured entity provider is its EntityID.
  - Replace FEDLET_URL with the URL of the Fedlet, that is, the page that receives the authentication response; for example, http://sp-machine.domain/SampleApp/fedletapplication.aspx.
  - Replace IDP_ENTITY_ID with the entity ID of the remote identity provider: the EntityID attribute of the EntityDescriptor element in the identity provider's metadata (idp.xml). In the OpenSSO console, the Name shown for a configured entity provider is its EntityID.
- Return to the identity provider machine and register the service provider using the modified sp.xml file, making sure to associate the service provider and the identity provider with the same circle of trust.
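The copy-and-substitute steps above are easy to get subtly wrong (a placeholder left behind in one of the four files, an IDP_ENTITY_ID that does not match the exported idp.xml, a circle of trust that lists only one of the two providers), and nothing in the procedure itself catches the mistake. The following Python script is an added example, not code from this post or from the OpenSSO distribution: it fills the placeholders the way the steps describe and then checks the result for the properties the Fedlet relies on (every placeholder replaced, sp.xml's entityID equal to FEDLET_ENTITY_ID, an HTTP-POST AssertionConsumerService at FEDLET_URL, idp.xml's entityID equal to IDP_ENTITY_ID, both providers in the circle of trust). The template bodies, the values and the idp.xml are constructed stand-ins with the shape of SAMLv2 metadata; the real templates in /tmp/asp.net/conf are larger and their exact content is not reproduced here.

```python
"""Fill the Fedlet metadata placeholders and sanity-check the result.

Added example, not part of the Fedlet distribution. TEMPLATES, VALUES and
IDP_XML are constructed stand-ins; only the placeholder names come from the
procedure above.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PLACEHOLDERS = ("FEDLET_COT", "FEDLET_ENTITY_ID", "FEDLET_URL", "IDP_ENTITY_ID")

# Constructed stand-ins for sp.xml-template and fedlet.cot-template.
TEMPLATES = {
    "sp.xml": (
        '<EntityDescriptor xmlns="%s" entityID="FEDLET_ENTITY_ID">'
        '<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<AssertionConsumerService index="0" isDefault="true" '
        'Binding="%s" Location="FEDLET_URL"/>'
        '</SPSSODescriptor></EntityDescriptor>' % (MD_NS, HTTP_POST)
    ),
    "fedlet.cot": "cot-name=FEDLET_COT\nsun-fm-trusted-providers=FEDLET_ENTITY_ID,IDP_ENTITY_ID\n",
}

# Constructed values, matching the example host names used in the procedure.
VALUES = {
    "FEDLET_COT": "fedletcot",
    "FEDLET_ENTITY_ID": "http://sp-machine.domain/SampleApp",
    "FEDLET_URL": "http://sp-machine.domain/SampleApp/fedletapplication.aspx",
    "IDP_ENTITY_ID": "http://idp-machine.domain:8080/opensso",
}

# Constructed stand-in for the idp.xml exported from exportmetadata.jsp.
IDP_XML = (
    '<EntityDescriptor xmlns="%s" entityID="http://idp-machine.domain:8080/opensso">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</EntityDescriptor>' % MD_NS
)


def fill_templates(values, templates=TEMPLATES):
    """Return {filename: text} with every placeholder replaced ('swap out the tags')."""
    missing = [p for p in PLACEHOLDERS if p not in values]
    if missing:
        raise ValueError("no value for placeholder(s): " + ", ".join(missing))
    out = {}
    for name, body in templates.items():
        for key in PLACEHOLDERS:
            body = body.replace(key, values[key])
        out[name] = body
    return out


def check_fedlet_config(filled, values, idp_xml):
    """Return a list of problems; an empty list means the files are consistent."""
    problems = []
    # 1. A leftover placeholder is the most common slip in the manual procedure.
    for name, body in filled.items():
        for key in PLACEHOLDERS:
            if key in body:
                problems.append("%s: placeholder %s not replaced" % (name, key))
    # 2. sp.xml: entityID is FEDLET_ENTITY_ID and the response is received by
    #    HTTP-POST at FEDLET_URL (the binding the Fedlet.dll supports).
    sp = ET.fromstring(filled["sp.xml"])
    if sp.get("entityID") != values["FEDLET_ENTITY_ID"]:
        problems.append("sp.xml: entityID %r != FEDLET_ENTITY_ID" % sp.get("entityID"))
    acs = sp.findall(".//{%s}AssertionConsumerService" % MD_NS)
    post_acs = [a for a in acs if a.get("Binding") == HTTP_POST]
    if not post_acs:
        problems.append("sp.xml: no AssertionConsumerService with HTTP-POST binding")
    elif not any(a.get("Location") == values["FEDLET_URL"] for a in post_acs):
        problems.append("sp.xml: HTTP-POST AssertionConsumerService Location != FEDLET_URL")
    # 3. idp.xml: the entityID in the exported file must be the IDP_ENTITY_ID used.
    idp = ET.fromstring(idp_xml)
    if idp.get("entityID") != values["IDP_ENTITY_ID"]:
        problems.append("idp.xml: entityID %r != IDP_ENTITY_ID" % idp.get("entityID"))
    # 4. fedlet.cot: both providers are members of the named circle of trust.
    cot = dict(line.split("=", 1) for line in filled["fedlet.cot"].splitlines() if "=" in line)
    if cot.get("cot-name") != values["FEDLET_COT"]:
        problems.append("fedlet.cot: cot-name != FEDLET_COT")
    members = set(cot.get("sun-fm-trusted-providers", "").split(","))
    for key in ("FEDLET_ENTITY_ID", "IDP_ENTITY_ID"):
        if values[key] not in members:
            problems.append("fedlet.cot: %s not listed in sun-fm-trusted-providers" % key)
    return problems


if __name__ == "__main__":
    result = check_fedlet_config(fill_templates(VALUES), VALUES, IDP_XML)
    print("configuration consistent" if not result else "\n".join(result))
```

Run it against the four files you actually produced (read them in place of TEMPLATES and IDP_XML) before registering sp.xml on the identity provider; a non-empty list is cheaper to fix at this step than after the first rejected authentication response.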
To Configure the Sample Application and Test the ASP.NET Fedlet

- Navigate to the /tmp/asp.net/conf folder on the service provider machine.
- Copy the modified metadata files (idp-extended.xml, sp.xml, sp-extended.xml, and fedlet.cot) to /tmp/asp.net/SampleApp/App_Data/.
- Copy the remote identity provider's standard metadata file to the service provider machine. Be sure the file is named idp.xml.
- Place idp.xml in /tmp/asp.net/SampleApp/App_Data/.
- Confirm that Fedlet.dll is in the Sample Application's /tmp/asp.net/SampleApp/bin/ folder.
- Within Internet Information Services (IIS), create a virtual directory using the /tmp/asp.net/SampleApp/ directory.
  - IIS 6 (Windows 2003) has Add Virtual Directory. Be sure to have Read and Script permissions set for the application.
  - IIS 7 (Windows 2008 and Vista) has Add Application with no additional options required to be set.
- Open the Sample Application in your browser using the URL http://sp-machine.domain/SampleApp
- Click the IDP Initiated SSO link to perform identity provider-initiated single sign-on.
- Enter the appropriate user credentials. The OpenSSO user demo with a password of changeit will work. After a successful authentication, the fedletapplication.aspx page is displayed with access to the AuthnResponse information.
To Integrate the ASP.NET Fedlet with an Existing Application

The fedletapplication.aspx page reads that information from the AuthnResponse object. The following code can be integrated into custom applications to do the same. It is expected to be placed in an .aspx page (or another ASP.NET URI) that receives the authentication response over the HTTP-POST binding.

// Namespaces from Fedlet.dll; in an .aspx page use <%@ Import Namespace="..." %> directives instead.
using Sun.Identity.Saml2;
using Sun.Identity.Saml2.Exceptions;

AuthnResponse authnResponse = null;
try
{
    // Reads the metadata in App_Data and parses the SAMLResponse POSTed by the identity provider.
    ServiceProviderUtility spu = new ServiceProviderUtility(Context);
    authnResponse = spu.GetAuthnResponse(Request);
}
catch (Saml2Exception se)
{
    // invalid AuthnResponse received: do not treat the user as authenticated
}
catch (ServiceProviderUtilityException spue)
{
    // issues with deployment (reading metadata)
}
// Only proceed with the application's session logic when authnResponse is not null.
More information on the Fedlet is in The Fedlet Cyrkle of Information.
And now for another Sign of the Times with the Belle Stars.
Posted at 09:59AM May 08, 2009 by Michael Teger in Sun | Comments[0]