A screencast on Fedlets demonstrating:

- An IDP generating a Fedlet, and an SP configuring and using this Fedlet for IDP-initiated SSO, SP-initiated SSO and the transfer of identity attributes as part of the assertion from the IDP.


Here are also the details, a write-up of the steps I used for the setup in the screencast.
1. Create 2 Glassfish domains, "idp" and "sp".
2. On the Glassfish instance idp, install opensso. For installing and deploying opensso, follow the steps at - http://blogs.sun.com/sid/entry/installing_opensso_b4_on_glassfish1
    (The Installation/Configuration UI has changed a little bit since build-4. If you're using the latest periodic build, you can use the embedded OpenDS as the user directory for this demo/PoC.)
3. You can edit the /etc/hosts file (or the corresponding file on other OSes) so that your localhost resolves as www.idp.com and www.sp.com, and use either of the FQDNs as appropriate.

Configure IDP

1. Login to OpenSSO console.
2. In the "Common Tasks" tab, click on the "Create Hosted Identity Provider" link.
3. In the next screen, select the "Signing Key" as "test".
4. Create a new circle of trust - "fedlet_cot". (Alternatively, you could select an existing one, if available.)
5. Click on the "Configure" button.
6. You will see a dialog box with the message that the IDP was configured. Click on the "Fedlet" button. You will be taken to the "Create Fedlet" screen.
7. Enter "http://<fqdn-of-SP-Server>:<port>/fedlet", in the following fields:
    • Name
    • Destination URL
Note: This write-up assumes the fedlet.war is deployed with context-root "/fedlet" on the SP.
8. In the "Attribute Mapping" section, add these mappings (SAML attribute name | local attribute name):
    • mail | mail
    • telephonenumber | telephonenumber

9. Click on the "Create" button. At the end of the process, you will see a message that the Fedlet zip file was created, along with its location.

10. Click on the "OK" button. You will be taken back to the "Common Tasks" tab.

Verification - IDP

1. Now if you click on the "Federation" tab, you will see a new entry for SP in the "Entity Providers" and "Circle Of Trust" sections.
2. Also, you should see this file:
<OpenSSO-config-dir>/myfedlets/<fedlet-destination-url>/Fedlet.zip

The "Fedlet.zip" file contains:
    • README - a text file that contains instructions about how to deploy the demo fedlet.war and how to integrate the fedlet into an existing application.
    • fedlet.war - the fedlet demo
3. Logout from the OpenSSO console.

Configure SP
1. Request the Fedlet.zip file from the IDP. Extract the contents of the zip file into some temporary location and deploy the fedlet.war on the SP web-container.
    Note: This write-up assumes the fedlet.war is deployed with context-root "/fedlet" on the SP.
2. Go to http://<fqdn-of-SP-Server>:<port>/fedlet/index.jsp. You will see a message about the absence of the Fedlet configuration directory.
3. Click on the hyperlink to create the configuration directory.
4. Click on the hyperlink on the webpage, to continue. You will be taken to the "Validate Fedlet Setup" page.

Verification - SP
1. Go to the directory "<user-home-dir>/fedlet", that was automatically created, as part of the setup above. You will find these configuration files in it:
    • Name and Members of Circle Of Trust in which the SP is participating
    • Metadata of the IDP and SP
Note: "user-home-dir" above refers to the home directory of the system user that the SP web-container process is running as.

Demonstration
1. Login as user demo/changeit at the IDP. Provide values for the attributes mail and telephonenumber - the two attributes which are passed as part of the assertion from the IDP to the SP.
2. Go to http://<fqdn-of-SP-Server>:<port>/fedlet/index.jsp
3. Click on the hyperlink "Run Fedlet (SP) initiated Single Sign-On".
4. You will be redirected to the IDP login screen. Login as demo / changeit.
5. You will be single-signed-on to the SP, and on the webpage you will see the mapped attributes of the user that you logged in as. You will also be able to see the following SAML communication:
    • SAML2 Response
    • Assertion
    • Authentication Statement
    • Attribute Statement
6. Open a new browser window and go to http://<fqdn-of-SP-Server>:<port>/fedlet/index.jsp. This is the "Validate Fedlet Setup" page.
7. Click on the hyperlink "Run Identity Provider initiated Single Sign-On".
8. You will be redirected to the IDP login screen. Login as demo / changeit.
9. You will be single-signed-on to the SP, and on the webpage you will see the mapped attributes of the user that you logged in as. You will also be able to see the following SAML communication:
    • SAML2 Response
    • Assertion
    • Authentication Statement
    • Attribute Statement
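To make the pieces listed in steps 5 and 9 concrete, here is an added example (not from the post or from the Fedlet itself) that parses a constructed, unsigned SAML2 Response of that shape and pulls out the attributes mapped in step 8. The issuer, destination and attribute values are made up, and the Fedlet's own signature and replay checks are not reproduced here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the unsigned skeleton of what the demo page displays
# (Response > Assertion > AuthnStatement + AttributeStatement). All values are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2008-07-01T10:00:00Z"
    Destination="http://www.sp.com:8080/fedlet/fedletapplication">
  <saml:Issuer>http://www.idp.com:8080/opensso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-07-01T10:00:00Z">
    <saml:Issuer>http://www.idp.com:8080/opensso</saml:Issuer>
    <saml:Subject><saml:NameID>demo</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2008-07-01T10:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>demo@idp.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="telephonenumber"><saml:AttributeValue>+1-555-0100</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The IDP-side mapping from step 8: SAML attribute name -> local attribute name.
ATTRIBUTE_MAP = {"mail": "mail", "telephonenumber": "telephonenumber"}


def parse_fedlet_response(xml_text, expected_destination):
    """Return (subject, mapped attributes) when the response carries the four pieces
    the demo page lists and was addressed to this SP; raise ValueError otherwise."""
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML2 Response")
    if resp.get("Destination") != expected_destination:  # reject responses meant for another SP
        raise ValueError("Destination does not match this SP")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        raise ValueError("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.find("saml:AuthnStatement", NS) is None:
        raise ValueError("missing Assertion or Authentication Statement")
    attr_stmt = assertion.find("saml:AttributeStatement", NS)
    if attr_stmt is None:
        raise ValueError("missing Attribute Statement")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in attr_stmt.findall("saml:Attribute", NS):
        local = ATTRIBUTE_MAP.get(attr.get("Name"))
        if local:  # keep only the attributes the step 8 mapping asked for
            attributes[local] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return subject, attributes
```

Attributes the IDP sends that are not in the mapping are dropped, which is why step 1 of the demonstration asks you to populate exactly mail and telephonenumber.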

Enjoy, and let me know if you could get things working :).

Comments:

Hey Sidharth,
I just tried it on the latest build. It works great!

thanks,
shivram

Posted by Shivaram Bhat on July 04, 2008 at 01:03 AM PDT


This blog copyright 2009 by sid