Tuesday Jun 24, 2008

A screencast on Fedlets demonstrating:

- An IDP generating Fedlets, SP configuring and using this Fedlet for IDP initiated SSO, SP initiated SSO and transfer of identity attributes as part of the assertions from the IDP.


Here are also the details, a write-up of the steps I used for the setup in the screencast.
1. Create 2 Glassfish domains, "idp" and "sp".
2. On the Glassfish instance idp, install opensso. For installing and deploying opensso, follow the steps at http://blogs.sun.com/sid/entry/installing_opensso_b4_on_glassfish1
    (The installation/configuration UI has changed a little since build-4. If you're using a recent periodic build, you can use the embedded OpenDS as the user directory for this demo/PoC.)
3. You can edit the /etc/hosts file (or the corresponding file on other OSes) to point www.idp.com and www.sp.com at your localhost, and use either FQDN as appropriate.

Configure IDP

1. Login to OpenSSO console.
2. In the "Common Tasks" tab, click on the "Create Hosted Identity Provider" link.
3. In the next screen, select the "Signing Key", as "test".
4. Create a new circle of trust - "fedlet_cot". (Alternatively, you could select an existing one, if available.)
5. Click on the "Configure" button.
6. You will see a dialog box with the message that the IDP was configured. Click on the "Fedlet" button. You will be taken to the "Create Fedlet" screen.
7. Enter "http://<fqdn-of-SP-Server>:<port>/fedlet", in the following fields:
    • Name
    • Destination URL
Note: This write-up assumes the fedlet.war is deployed with context-root "/fedlet" on the SP.
8. In the "Attribute Mapping" section, add these mappings:
mail | mail
telephonenumber | telephonenumber

9. Click on the "Create" button. At the end of the process, you will see the message "Fedlet zip file is created", together with the location of the file.

10. Click on the "OK" button. You will be taken back to the "Common Tasks" tab.

Verification - IDP

1. Now if you click on the "Federation" tab, you will see a new entry for SP in the "Entity Providers" and "Circle Of Trust" sections.
2. Also, you should see this file:
<OpenSSO-config-dir>/myfedlets/<fedlet-destination-url>/Fedlet.zip

The "Fedlet.zip" file contains:
    • README - a text file that contains instructions on how to deploy the demo fedlet.war and how to integrate the Fedlet into an existing application.
    • fedlet.war - the Fedlet demo
3. Logout from the OpenSSO console.

Configure SP
1. Request the Fedlet.zip file from the IDP. Extract the contents of the zip file into some temporary location and deploy the fedlet.war on the SP web-container.
    Note: This write-up assumes the fedlet.war is deployed with context-root "/fedlet" on the SP.
2. Go to http://<fqdn-of-SP-Server>:<port>/fedlet/index.jsp . You will see a message about the absence of the Fedlet configuration directory.
3. Click on the hyperlink to create the configuration directory.
4. Click on the hyperlink on the webpage, to continue. You will be taken to the "Validate Fedlet Setup" page.

Verification - SP
1. Go to the directory "<user-home-dir>/fedlet", that was automatically created, as part of the setup above. You will find these configuration files in it:
    • Name and Members of Circle Of Trust in which the SP is participating
    • Metadata of the IDP and SP
Note: The reference to “user-home-dir” above, indicates the home directory of the system-user that the SP web-container process is running as.

Demonstration
1. Login as user demo/changeit, at IDP. Provide values for attributes mail and telephonenumber - the two attributes which are passed as part of the assertion from the IDP to the SP.
2. Go to http://<fqdn-of-SP-Server>:<port>/fedlet/index.jsp
3. Click on the hyperlink "Run Fedlet (SP) initiated Single Sign-On".
4. You will be redirected to the IDP login screen. Login as demo / changeit.
5. You will be single-signed-on to the SP, and on the webpage you will see the mapped attributes of the user that you logged in as. You will also be able to see the following SAML communication:
        • SAML2 Response
        • Assertion
        • Authentication Statement
        • Attribute Statement
6. Open a new browser window and go to http://<fqdn-of-SP-Server>:<port>/fedlet/index.jsp. This is the "Validate Fedlet Setup" page.
7. Click on the hyperlink "Run Identity Provider initiated Single Sign-On".
8. You will be redirected to the IDP login screen. Login as demo / changeit.
9. You will be single-signed-on to the SP, and on the webpage you will see the mapped attributes of the user that you logged in as. You will also be able to see the following SAML communication:
    • SAML2 Response
    • Assertion
    • Authentication Statement
    • Attribute Statement

Enjoy! and let me know if you could get things working :).

Sunday Jun 22, 2008

A screencast of OpenSSO / Federated Access Manager integration with Software As a Service application providers (Google, Salesforce).


Friday May 23, 2008

Paul wasn't quite convinced of the power of Fedlet, as I mentioned in my previous post, I thought. Pat weighed in and, as Paul clarified later, it was all to do with a missing punctuation mark in his post.

Here are some more details on the options an SP has in procuring and deploying the Fedlet (I mentioned this briefly in a screencast a few days back). There are two ways a Fedlet can be procured and deployed by a Service Provider in order to be quickly SAML enabled.

I - IDP Workflow generated Fedlet

1. IDP installs and configures FAM / OpenSSO.
2. IDP follows a simple set of FAM workflows to create Fedlet.zip for the Service Provider. The Fedlet.zip contains
  • fedlet.war - A ready to deploy war file, for use by SP.
  • A README file - A text file with instructions on how the SP can integrate a Fedlet with an existing application.
3. IDP sends the generated zip file (fedlet.zip) to the SP.
4. SP deploys the war file.
5. SP tests the Fedlet deployment by accessing the index.jsp for the two common scenarios:
  • IDP initiated SSO.
  • Fedlet/SP initiated SSO.
(And yes, the SP can edit the metadata in this case to federate with another IDP. However, SP also has the following option - i.e. of using the Pre-packaged Fedlet, available as part of the FAM/OpenSSO distribution in order to do so.)

II - The Pre-built Fedlet


1. SP downloads/procures the unconfigured, pre-built Fedlet zip file (Fedlet-unconfigured.zip) via OpenSSO/FAM, which contains the following:
  • fedlet.war - Fedlet war file.
  • conf -  A directory with metadata templates, Circle Of Trust (COT) templates and configuration files.
  • README - A file that shows use of conf files with configuration info for setting up the Fedlet.
2. SP edits the conf files as appropriate (values for metadata).
3. SP sends its metadata details to the IDP and requests the IDP metadata.
4. SP tests the deployment for the 2 scenarios:
  • IDP initiated SSO
  • Fedlet initiated SSO


Sunday May 18, 2008

Fedlet is a lightweight Service Provider implementation of the SAML2 SSO protocols, embeddable in a Java EE web application. Fedlet is a new feature which will be part of the upcoming Sun Federated Access Manager (OpenSSO) release.

Fedlets are extremely lightweight and can be easily embedded into a Service Provider application, enabling it to accept a SAML POST from an Identity Provider and use it to pull user attributes into the Service Provider application. The user attributes are part of the SAML Response that the IDP sends to the Fedlet once a user successfully authenticates at the Identity Provider. Fedlets have many interesting uses in federation scenarios, such as:

  • Quick federation enablement of Service Providers, which allows Identity Providers to make them part of their business circle of trust in no time and to use their feature offerings.
  • Federation enablement at minimal cost and minimal investment in hardware and services.
  • Support minimal SSO related needs in business scenarios, without the need for a full fledged Federation product/solution deployment.

Here's a screencast on Fedlets which covers the business usage scenario, the process flow and some Frequently Asked Questions on Fedlets. In a future post I will write more on how to generate Fedlets and configure them in IDP/SP initiated SSO scenarios.

Fedlets

Tuesday May 13, 2008

Federated Access Manager (FAM) introduces a workflow-centric approach which makes installation, deployment and administrative tasks simpler, quicker and easier.

The goal has been to make the product really simple to use and configure for real-world production deployments in different areas such as federation management, agent management, web services security etc., and we're making progress. Federated Access Manager / OpenSSO is a self-contained J2EE application which can be deployed on J2EE containers.

Here's a screencast of the installation on Glassfish (the steps are also here).


OpenSSO Installation ScreenCast


Saturday May 03, 2008

"OpenSSO Workshop: Creating Federated Relationships with Software as a Service, Social Networking, and Web 2.0 Applications" is on Monday May 5 at 4pm in Hall E 135, at Moscone Center.

CommunityOne 

There will be some nice new OpenSSO/FAM demos, which you wouldn't want to miss. The team will also be there to help those new to OpenSSO get started with a deployment on their laptops. Register, if you haven't already. C ya there...

Wednesday Apr 23, 2008

OpenSSO is a self-contained J2EE application and the installation is a breeze. Here are the detailed steps.

1.  Create a base directory. "/opensso_bits"

2.  Install GlassFish. If you already have GlassFish running, go to step-4.

3.  Create a GlassFish domain - "fam".

To create a new GlassFish domain, create "/tmp/passfile" with the following content:
AS_ADMIN_ADMINPASSWORD=adminadmin
AS_ADMIN_MASTERPASSWORD=changeit

Create the GlassFish domain with the following command line:
./asadmin create-domain --adminuser admin --passwordfile /tmp/passfile --portbase 7000 fam

4.  Start the Glassfish instance and make the following changes to the instance on which opensso is being deployed (fam):

cd <GLASSFISH_HOME>/bin
./asadmin start-domain fam

./asadmin delete-jvm-options  --port 7048 --user admin "\\-client"
./asadmin create-jvm-options  --port 7048 --user admin "\\-server"

./asadmin delete-jvm-options  --port 7048 --user admin "\\-Xmx512m"
./asadmin create-jvm-options  --port 7048 --user admin "\\-Xmx1G"

5.  Important (optional for a first-time opensso install on a system).

If you already have opensso deployed and configured on the GlassFish instance,

- Undeploy opensso (via GlassFish admin console)
- Delete the configuration directory, as used during the previous configuration. (e.g. rm -rf /opensso)
- Delete the Access Manager directory (Usually in the users home directory). (e.g. rm -rf /AccessManager)

6.  Restart the glassfish instance.

cd <GLASSFISH_HOME>/bin
./asadmin stop-domain fam
./asadmin start-domain fam

7.  Deploy OpenSSO on the Glassfish domain "fam".

- Go to Glassfish admin console. (http://<host>.<domain>:7048)
- Login as admin/adminadmin
- On left nav bar, click on "Web Applications"
- Click on "Deploy".
- Browse and locate opensso.war ( "/opensso_bits/opensso/deployable_war/opensso.war" )
- Under "General"
- Application Name - opensso
- Context Root - opensso

- Click "Ok"

8.  Go to the deployed opensso instance.

- Under "Custom Configuration", select "Create New Configuration".
- General
- Password - <password for amadmin>
- Confirm Password - <same as above>

Server Settings (Most of the following are populated by the installer and can be left as it is.)

- Server URL - <e.g. http://sid.opensso.com:8080>
- Cookie Domain - <e.g. .opensso.com>
- Platform Locale - <e.g. en_US>
- Configuration Directory </openssoconfig>

Configuration Store - (e.g. Use all Defaults, as populated by installer).

- Data Store Type - <e.g. Embedded (Open DS)>
- Port - <e.g. 50389>
- Encryption Key - <e.g. as populated by installer>
- Root Suffix - <e.g. dc=opensso,dc=java,dc=net>

User Store Settings (e.g. Use Defaults, as populated by installer)

- Embedded.

Site Configuration (e.g. Use Defaults, as populated by installer)

- Will this instance be deployed behind a load balancer as part of a site configuration? <No>

Agent Information

- Default Agent [amldapuser]
- Password - <select password, should be different from the password for amadmin>
- Confirm - <same as above>

Click "Next".

Summary

Click "Create Configuration".

9.  You'll see a message "Configuration Complete", "Proceed to Login".

Click on "Proceed to Login"

10.  Login as amadmin with the corresponding password.

This blog copyright 2008 by sid