Friday Jan 09, 2009
SAMLv2 Assertion Failover in OpenSSO
SAMLv2 Assertion Failover, when enabled, redirects a request for an assertion to a second identity provider if the identity provider that initially created the assertion is out of commission. The feature piggybacks on OpenSSO Session Failover configuration by using the same databases. Here is the procedure to configure and test SAMLv2 Assertion Failover.
1. Deploy 2 instances of OpenSSO Enterprise to act as identity providers and 1 load balancer in front of them.
2. Set up the entities as a site with servers (using the OpenSSO console) and confirm that the configurations work.
3. Install and set up session failover as documented in the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
4. Deploy 1 instance of OpenSSO Enterprise to act as service provider.
5. On all three provider instances of OpenSSO, enable SAMLv2 Assertion Failover:
   a. Log in to the OpenSSO console as administrator.
   b. Click the Configuration tab.
   c. Click the Global tab.
   d. Click the SAMLv2 Service Configuration link.
   e. Check the box next to Enable SAMLv2 Failover.
   f. Click Save.
   g. Log out of the console.
6. Configure each server instance of OpenSSO as the appropriate entity provider and as a member of the same SAMLv2 circle of trust.
7. Export the entity provider metadata from all three server instances of OpenSSO.
8. Load the service provider and identity provider metadata on the respective instances of OpenSSO and on the load balancer. You need to create the metadata for the load balancer; see your load balancer's documentation for more information. Make sure you change the URL values in the load balancer metadata from the OpenSSO instances behind the load balancer to the load balancer URL itself.
9. Modify spAssertionConsumer.jsp on the service provider machine to add a sleep that allows enough time to shut down the identity provider on which the request will land (see step 11):

       Object newSession = null;
       SAML2Utils.debug.error("Before sleep Assertion Failover");
       SAML2Utils.debug.message("Before sleep Assertion Failover");
       try {
           Thread.sleep(50000); // 50 seconds: long enough to shut down the identity provider that received the request
       } catch (InterruptedException e) {
           Thread.currentThread().interrupt(); // Thread.sleep throws a checked exception, so it must be handled in a scriptlet
       }
       SAML2Utils.debug.error("After sleep Assertion Failover");
       SAML2Utils.debug.message("After sleep Assertion Failover");

10. Initiate single sign-on using the following URL:
    http://host-machine.domain:port/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=LB-host-machine.LB-domain
    Before proceeding to the next step, run tail on the SAMLv2 debug logs (located in OpenSSO-install-directory/opensso/debug) on the identity provider host machines to see where the single sign-on request lands.
11. After providing the service provider user credentials, monitor the log and shut down the identity provider on which the initial single sign-on request landed. Make sure the user is not federated before shutting down the identity provider. The sleep time added to spAssertionConsumer.jsp in step 9 should allow enough time for this.
12. Verify that federation successfully occurs after the identity provider is shut down. This confirms that assertion failover was successful.
13. Initiate single logout using the following URL:
    http://host-machine.domain:port/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=LB-host-machine.LB-domain
14. Bring the previously shut down identity provider back up and initiate single sign-on again using the following URL:
    http://host-machine.domain:port/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=LB-host-machine.LB-domain
15. Monitor the log and shut down the identity provider on which this second single sign-on request landed.
16. Initiate single logout using the following URL:
    http://host-machine.domain:port/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=LB-host-machine.LB-domain
A successful logout confirms assertion failover is working.
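Step 8 above requires the load balancer's metadata to carry the load balancer URL rather than the URLs of the OpenSSO instances behind it. The following Python script is an added example (not code from the original post or from OpenSSO) that rewrites the entityID and every Location/ResponseLocation endpoint of an exported identity provider metadata document to the load balancer, and exposes a check that lists the origins still referenced so you can confirm no backend host remains before loading it. The sample metadata, hostnames, ports and endpoint paths in it are constructed.

```python
# Added example (not from the original post or OpenSSO): rewrite exported IdP metadata so every
# endpoint points at the load balancer. Hostnames, ports and paths below are constructed samples.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when serialising

# Constructed sample of what one backend identity provider instance exports.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="idp1.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp1.example.com:8080/opensso/IDPSloRedirect/metaAlias/idp"
        ResponseLocation="http://idp1.example.com:8080/opensso/IDPSloRedirect/metaAlias/idp"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp1.example.com:8080/opensso/SSORedirect/metaAlias/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

ENDPOINT_ATTRS = ("Location", "ResponseLocation")

def endpoint_origins(metadata_xml: str) -> set:
    """scheme://host[:port] of every endpoint attribute: run this check before loading the metadata."""
    root = ET.fromstring(metadata_xml)
    origins = set()
    for elem in root.iter():
        for attr in ENDPOINT_ATTRS:
            url = elem.get(attr)
            if url:
                p = urlsplit(url)
                origins.add(f"{p.scheme}://{p.netloc}")
    return origins

def rewrite_for_load_balancer(metadata_xml: str, lb_base_url: str, lb_entity_id: str) -> str:
    """Point entityID and every endpoint at the load balancer. The /opensso/... path is kept,
    because the load balancer forwards it unchanged to whichever backend instance it picks."""
    lb = urlsplit(lb_base_url)
    root = ET.fromstring(metadata_xml)
    root.set("entityID", lb_entity_id)
    for elem in root.iter():
        for attr in ENDPOINT_ATTRS:
            url = elem.get(attr)
            if url:
                p = urlsplit(url)
                elem.set(attr, urlunsplit((lb.scheme, lb.netloc, p.path, p.query, p.fragment)))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(rewrite_for_load_balancer(SAMPLE_IDP_METADATA, "https://lb.example.com:443", "lb.example.com"))
```

Run endpoint_origins on the rewritten document and expect a single origin, the load balancer's; any other origin means a backend URL slipped through and the SAML exchange would bypass the load balancer.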
Posted at 12:25PM Jan 09, 2009 by Michael Teger in Sun | Comments[4]

The Killer's should be The Killers' :-)
Cool song, though - my boys love it - they sing alternate lines like a duet - very cute!
Posted by Pat Patterson on January 09, 2009 at 01:02 PM PST #
You are so right, Pat. Thanks. I've always liked The Killers but this song sounds so much like the 80s band Alphaville (with a little ELO thrown in) that it took my fandom to a new level. Nice to read your kids are learning the good stuff too. ;>
Posted by Michael Teger on January 09, 2009 at 01:24 PM PST #
Is session failover for SAML assertion always necessary? Considering the scenario where both IDP servers are up, but a SP hits the second server (the one that does not hold the assertion) for artifact resolution. Would this scenario work WITHOUT session failover activated?
Posted by Jane on August 12, 2009 at 12:39 PM PDT #
As long as all servers are up it is not needed.
Posted by Michael Teger on August 13, 2009 at 11:34 AM PDT #