Multi-Federation Protocol demo sample
Introduction
This sample illustrates the following use cases in a
circle
of trust having one hub Identity Provider and multiple
Service Providers speaking different federation protocols, namely
SAMLv2, ID-FF and WS-Federation.
The sample demonstrates following scenarios among different federation protocols (namely ID-FF, SAMLv2 and WS-Federation):
- SP initiated Single Sign On/Federation cross different federation protocols
- SP initiated Single Log out cross different federation protocols
- IDP initiated Single Log out cross different federation protocols
Trying demo use cases
This document assumes that you have four OpenAM instances configured:
- SAMLv2/ID-FF/WS-Federation Identity Providers configured at http://idp-host/idp/
- SAMLv2 Service Provider configured at http://samlv2-sp-host/sp/.
- ID-FF Service Provider configured at http://idff-sp-host/sp/.
- WS-Federation Service Provider configured at http://wsfed-sp-host/sp/.
Please correct the URLs used in the following text to reflect your actual
installation URLs.
You also need to create one user on each instance to be used as demo user for each protocol. For example, "idpuser" on the IDP instance, "saml2spuser" on the SAMLv2 SP instance, "idffspuser" on the ID-FF SP instance, "idpuser" on the WS-Federation SP instance (Note : demo user id on the IDP and the WS-Federation SP must be the same unless a non-default SP account mapper is provided on the WS-Federation side).
SAMLv2 Service Provider initiated Single Sign-on and Single Logout
- Point your browser at
http://saml2-sp-host/sp/samples/multiprotocol/demo/home.jsp.
- Click on link "Login, provided by SAMLv2 Identity Provider (Multi-Federation Protocol Identity Provider)". This link would initiate Single Sign-on Request to the IDP.
- IDP would prompt you to authenticate. Enter your user name (e.g. "idpuser") and password.
- SP would prompt you to login locally if you have not yet federated accounts at IDP and SP. Enter your user name (e.g. "saml2spuser") and password.
- SP would then automatically log you in based on the Assertion from
IDP and you would be shown the sample demo page by SP.
- This completes SP initiated Single Sign On and Federation.
- You would see links allowing you to Logout.
- Click on "Logout" link.
- SP would initiate a Single Log
Out and log you out SAMLv2 SP, IDP and any other service provider sessions which share the same IDP session.
You could verify
that you are logged out by visiting demo home page at the IDP and each every SP.
The pages would show you "Login" link.
ID-FF Service Provider initiated Single Sign-on and Single Logout
- Point your browser at
http://idff-sp-host/sp/samples/multiprotocol/demo/home.jsp.
Two links will be shown, one for Local Login, one for Single Sign-on throw remote ID-FF IDP.
- If federation is not done yet between the ID-FF SP and IDP:
- Click on the "local Login" link.
- You will be presented the local login page. Enter your user name (e.g. "idffspuser") and password. Click "Log In", you will be brought to the home page.
- This time, click the "Federate with ID-FF Identity Provider (Multi-Federation Protocol Identity Provider)" link.
- You will be presented with IDP side login page. Enter your user name (e.g. "idpuser") and password. Click "Login In" again, this will complete the federation process.
- If federation is done already, click on link "Login, provided by ID-FF Identity Provider (Multi-Federation Protocol Identity Provider)". This link would initiate Single Sign-on Request to the IDP.
- IDP would prompt you to authenticate. Enter your user name (e.g. "idpuser") and password.
- SP would then automatically log you in based on the Assertion from
IDP and you would be shown the sample demo page by SP.
- This completes SP initiated Single Sign On and Federation.
- You would see links allowing you to Logout.
- Click on "Logout" link.
- SP would initiate a Single Log
Out and log you out ID-FF SP, IDP and any other service provider sessions which share the same IDP session.
You could verify
that you are logged out by visiting demo home page at the IDP and each every SP.The pages would show you "Login" link.
WS-Federation Service Provider Initiated Single Sign-on and Single Logout
- Point your browser at
http://wsfed-sp-host/sp/samples/multiprotocol/demo/home.jsp.
- Click on link " Login provided by WS-Federation Identity Provider (Multi-Federation Protocol Identity Provider)". This link would initiate Single Sign-on Request to the IDP.
- IDP would prompt you to authenticate. Enter your user name (e.g. "idpuser") and password.
- SP would complete the single sign-on process, and automatically log you in based on the Assertion from IDP and you would be shown the sample demo page by SP. This completes the SP initiated Single Sign-on process.
- You would see links allowing you to Logout.
- Click on "Logout" link.
- SP would initiate a Single Log
Out and log you out WS-Federation SP, IDP and any other service provider sessions which share the same IDP session.
You could verify
that you are logged out by visiting demo home page at the IDP and each every SP.
The pages would show you "Login" link.
Note: you will see a framed JSP page showing that you have signed out WS-Federation, SAMLv2 and ID-FF service providers, you must click the link which is displayed as "Click here to continue". This is needed until issue 800 is fixed.
Multi-Federation Protocol Identity Provider Initiated Single Logout
- Complete Service Provider initiated Single Sign-on using SAMLv2, ID-FF and WS-Federation respectively by following this readme without performing Single Logout task.
- Point your browser at
http://idp-host/idp/samples/multiprotocol/demo/home.jsp.
- Three links will be shown:
- Logout initiated using SAMLv2 protocol.
- Logout initiated using ID-FF protocol.
- Logout initiated using WS-Federation protocol.
- Click any of the logout links will initiated single logout using the selected protocol, and continue to logout rest of sessions in all other service provider instances using corresponding federation protocols.
