Testing The Sweet OpenSSO SAMLv2 Name Identifiers
The SAMLv2 Name Identifier Management Profile documents how an identity provider and a service provider might inform each other of changes to the identifier that they reference when communicating about a particular identity. The various OpenSSO ManageNameID (MNI) JSPs provide a way to change SAMLv2 name identifiers or terminate mappings between identity provider accounts and service provider accounts. For example, after establishing a name identifier for use between providers when referring to an identity in SAMLv2 communications, an identity provider may want to change the value and/or format. The identity provider will notify service providers of the change by sending them a ManageNameIDRequest. A service provider might also use this message type to register or change the SPProvidedID value (included when the underlying name identifier is used to communicate with it) or to terminate the use of a name identifier between itself and the identity provider.
- Initiate single sign-on and account linking (federation) from the service provider side using

    http://honey.sun.com:80/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=maple.sun.com

  spSSOInit.jsp is used to initiate single sign-on and federation on the service provider side. Because metaAlias and idpEntityID are defined, the request is created and sent to the identity provider. This links the two accounts and creates a name identifier to be used by the providers to refer to the identity during communications. Both providers keep the name identifier in the user's profile, which makes the format persistent.
- Log in to the identity provider host machine and the service provider host machine as root.
- Run

    ldapsearch -h maple -D "cn=directory manager" -w password -p 389 -b "dc=sun,dc=com" "uid=*" sun-fm-saml2-nameid-info sun-fm-saml2-nameid-infokey

  on each host machine to view the values for the sun-fm-saml2-nameid-info and sun-fm-saml2-nameid-infokey properties.
  - On the identity provider side, sun-fm-saml2-nameid-info will have a value similar to

      sun-fm-saml2-nameid-info=maple.sun.com|honey.sun.com|KFXSFabPdkOOhRpkkW8Aj5Etnq2o|maple.sun.com|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|honey.sun.com|IDPRole|false

  - On the service provider side, sun-fm-saml2-nameid-info will have a value similar to

      sun-fm-saml2-nameid-info=honey.sun.com|maple.sun.com|KFXSFabPdkOOhRpkkW8Aj5Etnq2o|maple.sun.com|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|honey.sun.com|SPRole|false

  sun-fm-saml2-nameid-info is used to store all information related to the name identifier. The value is formatted as

      hosted_entity_id|remote_entity_id|idp_nameid|idp_nameid_qualifier|idp_nameid_format|sp_nameid|sp_nameid_qualifier|hosted_entity_role|is_affiliation

  where
  - hosted_entity_id: entity id for this hosted entity
  - remote_entity_id: entity id for the remote entity
  - idp_nameid: name identifier for the IDP
  - idp_nameid_qualifier: nameid qualifier for the IDP
  - idp_nameid_format: nameid format for the IDP
  - sp_nameid: name identifier for the SP/Affiliation
  - sp_nameid_qualifier: nameid qualifier for the SP/Affiliation
  - hosted_entity_role: SPRole or IDPRole, useful when one entity could be IDP and SP at the same time
  - is_affiliation: true for affiliation, false otherwise
  - On the identity provider side, sun-fm-saml2-nameid-infokey will have a value similar to

      sun-fm-saml2-nameid-infokey=maple.sun.com|honey.sun.com|KFXSFabPdkOOhRpkkW8Aj5Etnq2o

  - On the service provider side, sun-fm-saml2-nameid-infokey will have a value similar to

      sun-fm-saml2-nameid-infokey=honey.sun.com|maple.sun.com|KFXSFabPdkOOhRpkkW8Aj5Etnq2o

  sun-fm-saml2-nameid-infokey is used to search an LDAP data store for better performance, when that type of data store is used. The user that binds to the LDAP data store must have read/write/search/compare permission to this attribute. You must also make sure that the equality type index is added to the data store. The value is formatted as

      hosted_entity_id|remote_entity_id|idp_nameid

  where
  - hosted_entity_id: entity id for this hosted entity
  - remote_entity_id: entity id for the remote entity
  - idp_nameid: name identifier for the IDP
- Terminate the link (defederate) between the user's service provider and identity provider accounts using one of the following URLs, which reference spMNIRequestInit.jsp on the service provider or idpMNIRequestInit.jsp on the identity provider.
  - Initiate defederation from the service provider using either HTTP-Redirect binding or SOAP binding respectively:

      http://honey.sun.com:80/opensso/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=maple.sun.com&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

      http://honey.sun.com:80/opensso/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=maple.sun.com&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP

  - Initiate defederation from the identity provider using either HTTP-Redirect binding or SOAP binding respectively:

      http://maple.sun.com:80/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=honey.sun.com&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

      http://maple.sun.com:80/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=honey.sun.com&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP
- After defederation, run the previous ldapsearch command again. The two properties have no values on both the identity provider and service provider sides.
- Federate the user's service provider account and identity provider account again using the URL that references spSSOInit.jsp:

    http://honey.sun.com:80/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=maple.sun.com

- Run the previous ldapsearch command again. The two properties have values on both the identity provider and service provider sides again; the value of the name identifier is different from the previous value.
- Initiate the creation of a new name identifier using one of the following:
  - Initiate the creation of a new name identifier from the service provider side using spMNIRequestInit.jsp and the following URL:

      http://honey.sun.com:80/opensso/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=maple.sun.com&requestType=NewID&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

  - Initiate the creation of a new name identifier from the identity provider side using idpMNIRequestInit.jsp and the following URL:

      http://maple.sun.com:80/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=honey.sun.com&requestType=NewID&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

- Run the previous ldapsearch command for a third time. The two properties have values on both the identity provider and service provider sides; the value of the new name identifier is different from both of the previous values.
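The ldapsearch checks in the procedure above are done by eye. As an added example (not code from the original post or from OpenSSO), the following Python parses the sun-fm-saml2-nameid-info and sun-fm-saml2-nameid-infokey values described in the third step, rebuilds the infokey that should accompany each info value, and cross-checks the identity provider's and service provider's records of one federation (mirrored entity ids, IDPRole/SPRole, identical idp_nameid). It also recognises the "no values" state that the defederation step is expected to produce. The LDIF input is a constructed sample in the shape ldapsearch prints; the user DNs are hypothetical, and the name identifier reused from the post is only a sample value.

```python
# Added example, not part of the original post or of OpenSSO. Parses the
# sun-fm-saml2-nameid-info / -infokey attributes from ldapsearch output and
# checks that the IdP-side and SP-side records describe the same federation.

INFO_FIELDS = (
    "hosted_entity_id", "remote_entity_id", "idp_nameid",
    "idp_nameid_qualifier", "idp_nameid_format", "sp_nameid",
    "sp_nameid_qualifier", "hosted_entity_role", "is_affiliation",
)
KEY_FIELDS = INFO_FIELDS[:3]  # infokey = hosted_entity_id|remote_entity_id|idp_nameid


def parse_nameid_info(value):
    """Split one sun-fm-saml2-nameid-info value into its nine named fields.
    OpenSSO writes the literal string 'null' when there is no SP name identifier."""
    parts = value.split("|")
    if len(parts) != len(INFO_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(INFO_FIELDS), len(parts)))
    info = dict(zip(INFO_FIELDS, parts))
    if info["sp_nameid"] == "null":
        info["sp_nameid"] = None
    info["is_affiliation"] = info["is_affiliation"] == "true"
    return info


def expected_infokey(info):
    """The infokey value is the first three info fields, pipe-joined."""
    return "|".join(info[f] for f in KEY_FIELDS)


def parse_ldif(text):
    """Return {dn: {attr: [values]}} from plain ldapsearch LDIF output.
    Splitting on the first ':' only keeps the nameid-format URN intact;
    base64 ('::') lines are not handled in this example."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line terminates an entry
            current = None
            continue
        if line.startswith("#"):      # ldapsearch comment lines
            continue
        attr, _, val = line.partition(":")
        val = val.strip()
        if attr == "dn":
            current = entries.setdefault(val, {})
        elif current is not None:
            current.setdefault(attr, []).append(val)
    return entries


def check_entry(attrs):
    """Problems with one entry's federation attributes ([] means consistent)."""
    infos = attrs.get("sun-fm-saml2-nameid-info", [])
    keys = set(attrs.get("sun-fm-saml2-nameid-infokey", []))
    if not infos and not keys:        # the state expected after defederation
        return ["no federation record (defederated)"]
    problems = []
    for raw in infos:
        try:
            info = parse_nameid_info(raw)
        except ValueError as exc:
            problems.append("malformed nameid-info: %s" % exc)
            continue
        if info["hosted_entity_role"] not in ("IDPRole", "SPRole"):
            problems.append("unknown role %r" % info["hosted_entity_role"])
        if expected_infokey(info) not in keys:  # the search key must exist too
            problems.append("no matching infokey for %s -> %s"
                            % (info["hosted_entity_id"], info["remote_entity_id"]))
    return problems


def check_link(idp_info, sp_info):
    """Cross-check the IdP-side and SP-side records of the same federation."""
    problems = []
    if (idp_info["hosted_entity_id"], idp_info["remote_entity_id"]) != \
            (sp_info["remote_entity_id"], sp_info["hosted_entity_id"]):
        problems.append("hosted/remote entity ids are not mirrored")
    if (idp_info["hosted_entity_role"], sp_info["hosted_entity_role"]) != ("IDPRole", "SPRole"):
        problems.append("roles are not IDPRole/SPRole")
    if idp_info["idp_nameid"] != sp_info["idp_nameid"]:
        problems.append("idp_nameid differs between providers")
    return problems


# Constructed sample output: maple (IdP) and honey (SP) entries for one
# federated user, plus a second user (IdP side only) whose link was terminated.
IDP_LDIF = """\
dn: uid=jdoe,ou=People,dc=sun,dc=com
sun-fm-saml2-nameid-info: maple.sun.com|honey.sun.com|KFXSFabPdkOOhRpkkW8Aj5Etnq2o|maple.sun.com|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|honey.sun.com|IDPRole|false
sun-fm-saml2-nameid-infokey: maple.sun.com|honey.sun.com|KFXSFabPdkOOhRpkkW8Aj5Etnq2o

dn: uid=asmith,ou=People,dc=sun,dc=com
"""
SP_LDIF = """\
dn: uid=jdoe,ou=People,dc=sun,dc=com
sun-fm-saml2-nameid-info: honey.sun.com|maple.sun.com|KFXSFabPdkOOhRpkkW8Aj5Etnq2o|maple.sun.com|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|null|honey.sun.com|SPRole|false
sun-fm-saml2-nameid-infokey: honey.sun.com|maple.sun.com|KFXSFabPdkOOhRpkkW8Aj5Etnq2o
"""


def audit(idp_ldif, sp_ldif, dn):
    """Per-entry checks on both hosts, then the cross-provider check for one user."""
    idp_attrs = parse_ldif(idp_ldif).get(dn, {})
    sp_attrs = parse_ldif(sp_ldif).get(dn, {})
    problems = check_entry(idp_attrs) + check_entry(sp_attrs)
    if not problems:
        problems = check_link(parse_nameid_info(idp_attrs["sun-fm-saml2-nameid-info"][0]),
                              parse_nameid_info(sp_attrs["sun-fm-saml2-nameid-info"][0]))
    return problems


if __name__ == "__main__":
    for dn in ("uid=jdoe,ou=People,dc=sun,dc=com", "uid=asmith,ou=People,dc=sun,dc=com"):
        print(dn, "->", audit(IDP_LDIF, SP_LDIF, dn) or ["consistent"])
```

To use it against a real test setup, save the ldapsearch output from each host to a file and pass the two file contents to audit() for each user DN; after the defederation step both sides should report "no federation record", and after re-federation or a NewID request the idp_nameid seen on both hosts should change together.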
Posted at 02:28PM Jan 23, 2009 by Michael Teger in Sun | Comments[5]

Well, it's all Greek to me...
However, I think now that my hair is good and long, I'm going to go out and get a hair style JUST LIKE the lead singer in The Sweet. And then I'm going to hit the DAV and see if I can get some slick polyester pants like him, too!
Posted by Sam on January 25, 2009 at 09:03 AM PST #
Please set the SEO keywords for anchor text yourself, as appropriate. Please keep in mind that we need to be in top 10 in google in next 1 month on major keywords. I am trying here my best and you also help us. Keywords I am focusing on SEO Company in India, SEO Services in India
Posted by SEO Services in India on February 09, 2009 at 07:53 AM PST #
Hi Mike,
One thing I couldn't find in any of the OpenSSO documentation was why the 'sun-fm-saml2-nameid-info' and 'sun-fm-saml2-nameid-infokey' attributes are needed (or some other attributes you configure to hold those values). The user identifier attribute mappings seems more metadata information as it relates to an IDP and SP (e.g. for this SP, use the 'mail' attribute as the identifier to map accounts). Why does this mapping info wind up being persisted the first time the user successfully authenticates to the service provider with the particular user's account? Thanks in advance!
Posted by Paul Spinelli on October 26, 2009 at 03:58 PM PDT #
Good question, Paul. My 'guess' is that since the value of those attributes can be changed in the configuration at any time, it needs to be defined for consistency. You could also send this question on to the users@opensso.dev.java.net alias as there may be more to it than that.
Posted by Michael Teger on October 30, 2009 at 07:27 AM PDT #
Thanks, Mike. Hope you have a Happy Halloween!
Posted by Paul Spinelli on October 30, 2009 at 08:46 AM PDT #