Thursday December 04, 2008
How to get the effective configuration of an agent in OpenSSO 8.0
In OpenSSO 8.0, Agent 3.0 configuration is centralized. The agent configuration data is stored and managed in the OpenSSO server. Often a user needs to get a copy of the effective configuration of an agent. The following steps retrieve the agent configuration using a browser.
1. Log in to the OpenSSO console as the amadmin user.
2. Access /opensso/ssoadm.jsp.
3. Click on the show-agent link.

4. Enter the name of the realm in which the agent was created; if it is the root realm, enter / as the realm name.

5. Enter the agent name and click on the submit button.
The agent configuration should be displayed as attribute-value pairs.

Posted at 11:48AM Dec 04, 2008 by Hua Cui in Sun | Comments[0]
Monday November 10, 2008
Some details about J2EE Agent property com.sun.identity.agents.config.login.form
The J2EE Agent property com.sun.identity.agents.config.login.form is used when the
application is protected by certain form-based J2EE policies defined in
web.xml.
The following is a snippet of the web.xml for an application "agentsample" using form-based
login:
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/authentication/login.html</form-login-page>
        <form-error-page>/authentication/accessdenied.html</form-error-page>
    </form-login-config>
</login-config>
When a user request comes in for this application, the container first
checks whether the user has been authenticated.
If not, the container sends the user the application login page
/agentsample/authentication/login.html. The user enters credentials and, upon
successful authentication (and/or authorization), is granted
access.
Now a J2EE agent is installed to protect the application, and we want to
achieve Single Sign-On, meaning a user needs to authenticate only once,
and only to the OpenSSO server. However, since the above form-based login
is defined in web.xml, the user would have to log in at the application
login page as well.
To avoid a user having to log in twice, the agent needs to prevent the
user from being sent the application login page, i.e.
/agentsample/authentication/login.html in the above example. For this, the agent needs to know the URIs
for the form-based login of the applications.
The J2EE Agent property com.sun.identity.agents.config.login.form is used for this purpose. This is a list property, so you can specify more than one URI by using the numeric index:
com.sun.identity.agents.config.login.form[0]=/agentsample/authentication/login.html
com.sun.identity.agents.config.login.form[1]=/agentsample2/authentication/login.html
If the J2EE agent receives a request whose URI matches one of the URIs
listed in the property com.sun.identity.agents.config.login.form, it
knows that the request is for a form-based login page. It suppresses the page so
the end user does not see the login page.
Posted at 12:00PM Nov 10, 2008 by Hua Cui in Sun | Comments[1]
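A consistency check for the configuration described above, as an added example that is not part of the original post or of OpenSSO: it reads an application's web.xml and the agent's attribute-value pairs and reports a form login page that is missing from com.sun.identity.agents.config.login.form. The function names, the one name=value pair per line input format, exact string matching of URIs, and the sample data are assumptions.

```python
import re
import xml.etree.ElementTree as ET

PROP = "com.sun.identity.agents.config.login.form"

# Constructed sample inputs: the page's <login-config> wrapped in a root element,
# and agent configuration assumed to be one attribute=value pair per line.
WEB_XML = """<web-app><login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/authentication/login.html</form-login-page>
    <form-error-page>/authentication/accessdenied.html</form-error-page>
  </form-login-config>
</login-config></web-app>"""
AGENT_CONFIG = """com.sun.identity.agents.config.login.form[0]=/agentsample/authentication/login.html
com.sun.identity.agents.config.login.form[1]=
"""

def login_form_uris(agent_config):
    """Values of the indexed list property, in index order; empty entries skipped."""
    pattern = re.compile(r"^\s*" + re.escape(PROP) + r"\[(\d+)\]\s*=\s*(.*?)\s*$")
    found = {}
    for line in agent_config.splitlines():
        m = pattern.match(line)
        if m and m.group(2):
            found[int(m.group(1))] = m.group(2)
    return [found[i] for i in sorted(found)]

def form_login_page(web_xml):
    """<form-login-page> when auth-method is FORM, else None (XML namespace ignored)."""
    method = page = None
    for el in ET.fromstring(web_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]
        if name == "auth-method":
            method = (el.text or "").strip()
        elif name == "form-login-page":
            page = (el.text or "").strip()
    return page if method == "FORM" else None

def missing_login_form(context_path, web_xml, agent_config):
    """Full login URI if the agent does not list it (exact match assumed), else None."""
    page = form_login_page(web_xml)
    if page is None:
        return None
    ctx = context_path.strip("/")
    uri = ("/" + ctx if ctx else "") + "/" + page.lstrip("/")
    return None if uri in login_form_uris(agent_config) else uri
```

A non-None result names the login page that users of that application would still be sent after authenticating to OpenSSO.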