<!--
 DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

 Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved

 The contents of this file are subject to the terms
 of the Common Development and Distribution License
 (the License). You may not use this file except in
 compliance with the License.


 You can obtain a copy of the License at
 https://opensso.dev.java.net/public/CDDLv1.0.html or
 opensso/legal/CDDLv1.0.txt
 See the License for the specific language governing
 permission and limitations under the License.


 When distributing Covered Code, include this CDDL
 Header Notice in each file and include the License file
 at opensso/legal/CDDLv1.0.txt.
 If applicable, add the following below the CDDL Header,
 with the fields enclosed by brackets [] replaced by
 your own identifying information:
 "Portions Copyrighted [year] [name of copyright owner]"

 $Id: Readme.html,v 1.7 2008/08/19 19:12:15 veiming Exp $

-->

<html>
<head>
<title>Setting up Multi-Federation Protocols demo sample</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link rel="stylesheet" type="text/css" href="/com_sun_web_ui/css/css_ns6up.css" />
</head>
<body class="DefBdy">

<div class="MstDiv"><table width="100%" border="0" cellpadding="0" cellspacing="0" class="MstTblTop" title="">
<tbody><tr>
<td nowrap="nowrap">&nbsp;</td>
<td nowrap="nowrap">&nbsp;</td>
</tr></tbody></table>

<table width="100%" border="0" cellpadding="0" cellspacing="0" class="MstTblBot" title="">
<tbody><tr>
<td class="MstTdTtl" width="99%">
<div class="MstDivTtl"><img name="ProdName" src="/console/images/PrimaryProductName.png" alt="" /></div></td><td class="MstTdLogo" width="1%"><img name="RMRealm.mhCommon.BrandLogo" src="/com_sun_web_ui/images/other/javalogo.gif" alt="Java(TM) Logo" border="0" height="55" width="31" /></td></tr></tbody></table>
<table class="MstTblEnd" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><img name="RMRealm.mhCommon.EndorserLogo" src="/com_sun_web_ui/images/masthead/masthead-sunname.gif" alt="Sun(TM) Microsystems, Inc." align="right" border="0" height="10" width="108" /></td></tr></tbody></table></div><div class="SkpMedGry1"><a name="SkipAnchor2089" id="SkipAnchor2089"></a></div>
<div class="SkpMedGry1"><a href="#SkipAnchor4928"><img src="/com_sun_web_ui/images/other/dot.gif" alt="Jump Over Tab Navigation Area. Current Selection is: Access Control" border="0" height="1" width="1" /></a></div>

<h1 style="text-align: center;">Multi-Federation Protocol demo sample</h1>
<h2>Introduction</h2>
<br>
<p>
This sample illustrates the following use cases in a circle of trust
that has one hub Identity Provider (IDP) and multiple Service Providers (SPs),
each speaking a different federation protocol: SAMLv2, ID-FF or WS-Federation.
All SP sessions established through the hub share the same IDP session, which is
what makes Single Logout work across protocols.
<br>
<br>
The sample demonstrates the following scenarios across the different federation protocols (ID-FF, SAMLv2 and WS-Federation):
</p>
<ul>
 <li>SP-initiated Single Sign-On/Federation across different federation protocols</li>
 <li>SP-initiated Single Logout across different federation protocols</li>
 <li>IDP-initiated Single Logout across different federation protocols</li>
</ul>
<br>

<h2>Trying demo use cases</h2>
<br>
This document assumes that you have four OpenAM instances configured: <br>
<ul>
 <li>SAMLv2/ID-FF/WS-Federation Identity Provider configured at http://idp-host/idp/</li>
 <li>SAMLv2 Service Provider configured at http://saml2-sp-host/sp/</li>
 <li>ID-FF Service Provider configured at http://idff-sp-host/sp/</li>
 <li>WS-Federation Service Provider configured at http://wsfed-sp-host/sp/</li>
</ul>
<br>
The URLs used in the following text are placeholders; replace them with the URLs of your actual installation.
<br>
<br>
You also need to create one user on each instance to be used as the demo user for that protocol. For example, "idpuser" on the IDP instance, "saml2spuser" on the SAMLv2 SP instance, "idffspuser" on the ID-FF SP instance and "idpuser" on the WS-Federation SP instance. <b>Note</b>: the demo user id on the IDP and on the WS-Federation SP must be the same unless a non-default SP account mapper is provided on the WS-Federation side. The SAMLv2 and ID-FF SPs link the IDP account to a local account during the federation step described below, so their local user ids may differ from the IDP's; the WS-Federation SP has no such step and, with the default account mapper, looks up the user id asserted by the IDP directly as a local account.
<br>
<br>
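<p>To make the note above concrete, here is an added Python model (an illustration written for this page, not OpenAM's account mapper implementation) of the two SP-side behaviours the demo relies on: SAMLv2/ID-FF account linking, where the SP maps the pair (IDP, federated name identifier) to a local account only after the user has authenticated locally, and WS-Federation's default mapping, where the asserted identifier must already exist as a local user unless a custom mapper is supplied. The stores, user names and identifiers are constructed for the example.</p>

```python
"""SP-side account mapping: SAMLv2/ID-FF federation linking vs. the WS-Federation default mapper.

Added illustration for the readme; a simplified model, not OpenAM's SPAccountMapper code.
"""
from typing import Callable, Dict, Optional, Set, Tuple


class FederationStore:
    """Maps (idp_entity_id, federated name identifier) -> local user id.

    A real SP persists this; the dict stands in for that store. Keying on the IDP as
    well as the identifier stops an identifier issued by one IDP from resolving to a
    link created for another.
    """

    def __init__(self) -> None:
        self._links: Dict[Tuple[str, str], str] = {}

    def resolve(self, idp: str, name_id: str) -> Optional[str]:
        return self._links.get((idp, name_id))

    def link(self, idp: str, name_id: str, local_user: str) -> None:
        self._links[(idp, name_id)] = local_user


class LocalUserStore:
    """The SP's own user repository (constructed: a set of user ids)."""

    def __init__(self, users: Set[str]) -> None:
        self.users = set(users)

    def exists(self, uid: str) -> bool:
        return uid in self.users


def saml2_idff_sso(store: FederationStore, users: LocalUserStore, idp: str, name_id: str,
                   local_session_user: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Decide what the SAMLv2 / ID-FF SP does after a valid assertion names `name_id`.

    local_session_user is the identity the SP has *already authenticated locally*
    (the "log in locally" step of the demo). The link is created only from that
    authenticated identity, never from anything carried in the assertion itself.
    Returns ("logged_in", user) or ("prompt_local_login", None).
    """
    user = store.resolve(idp, name_id)
    if user is not None:
        return ("logged_in", user)                     # already federated: no local login
    if local_session_user is None or not users.exists(local_session_user):
        return ("prompt_local_login", None)            # first visit: federate after local login
    store.link(idp, name_id, local_session_user)       # federation completed
    return ("logged_in", local_session_user)


def wsfed_default_mapper(asserted_uid: str) -> str:
    """Default WS-Federation mapping: the asserted user id *is* the local user id."""
    return asserted_uid


def wsfed_sso(users: LocalUserStore, asserted_uid: str,
              mapper: Callable[[str], str] = wsfed_default_mapper) -> Tuple[str, str]:
    """WS-Federation SP: no federation step, so the mapped id must already be a local account."""
    uid = mapper(asserted_uid)
    if users.exists(uid):
        return ("logged_in", uid)
    return ("no_local_account", uid)


if __name__ == "__main__":
    store, users = FederationStore(), LocalUserStore({"saml2spuser"})
    print(saml2_idff_sso(store, users, "http://idp-host/idp", "fed-id-1"))
    print(saml2_idff_sso(store, users, "http://idp-host/idp", "fed-id-1", "saml2spuser"))
    print(saml2_idff_sso(store, users, "http://idp-host/idp", "fed-id-1"))
    print(wsfed_sso(LocalUserStore({"idpuser"}), "idpuser"))
    print(wsfed_sso(LocalUserStore({"wsfedspuser"}), "idpuser"))
```

<p>The third SAMLv2/ID-FF call succeeds without a local login because the link now exists, which is the behaviour the "If federation is done already" steps below depend on. The last WS-Federation call fails because "idpuser" is not a local user on an SP whose only account is "wsfedspuser"; supplying a custom <code>mapper</code> that translates "idpuser" to "wsfedspuser" is what the note means by a non-default SP account mapper.</p>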
<h3>SAMLv2 Service Provider initiated Single Sign-On and Single Logout</h3>
<ul>
 <li>Point your browser at
<a class="named" href="home.jsp">http://saml2-sp-host/sp/samples/multiprotocol/demo/home.jsp</a>.</li>
 <li>Click on the link "Login, provided by SAMLv2 Identity Provider (Multi-Federation Protocol Identity Provider)". This link initiates a Single Sign-On request to the IDP.</li>
 <li>The IDP prompts you to authenticate. Enter your user name (e.g. "idpuser") and password.</li>
 <li>If your accounts at the IDP and the SP are not yet federated, the SP prompts you to log in locally. Enter your user name (e.g. "saml2spuser") and password.</li>
 <li>The SP then automatically logs you in based on the Assertion from the IDP and shows you the sample demo page.</li>
 <li>This completes SP-initiated Single Sign-On and Federation.</li>
 <li>You will see links allowing you to log out.</li>
 <li>Click on the "Logout" link.</li>
 <li>The SP initiates a Single Logout and logs you out of the SAMLv2 SP, the IDP and any other service provider sessions that share the same IDP session.<br>You can verify that you are logged out by visiting the demo home page at the IDP and at each SP: the pages will show you the "Login" link.</li>
</ul>
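<p>The following Python script is an added example, not code from the sample or from OpenAM, showing what the "Login" link in the steps above actually sends: an SP-initiated SAMLv2 AuthnRequest encoded for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding), decoded the way the IDP does on receipt, together with two checks a practitioner wants on either side: the IDP confirming the request's Destination is its own endpoint, and the SP accepting a Response only when its InResponseTo matches a request ID it issued and has not yet consumed. The entity ID and endpoint URLs are assumed placeholders, and the request is left unsigned for brevity, which is acceptable for illustration but not for a deployment.</p>

```python
"""SP-initiated SAMLv2 AuthnRequest over the HTTP-Redirect binding, round-tripped.

Added illustration for the readme; not OpenAM's SAMLv2 implementation. Entity IDs and
endpoint URLs below are assumed placeholders.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from typing import Dict, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ENTITY_ID = "http://saml2-sp-host/sp"                        # assumed
IDP_SSO_URL = "http://idp-host/idp/SSORedirect/metaAlias/idp"   # assumed
SP_ACS_URL = "http://saml2-sp-host/sp/Consumer/metaAlias/sp"    # assumed


def build_authn_request(request_id: str, issue_instant: str) -> bytes:
    """Minimal samlp:AuthnRequest: ID, IssueInstant, Destination, ACS URL and Issuer."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="utf-8")


def redirect_encode(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header) then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def redirect_decode(value: str) -> bytes:
    """Inverse of redirect_encode; what the IDP does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(value), -15)


def make_sso_redirect(relay_state: str) -> Tuple[str, str]:
    """SP side: return (request_id, redirect_url). The SP must remember request_id."""
    request_id = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urlencode({"SAMLRequest": redirect_encode(build_authn_request(request_id, now)),
                       "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"


def parse_incoming_request(redirect_url: str) -> Dict[str, str]:
    """IDP side: extract, inflate and parse the request; return the fields that get checked."""
    qs = parse_qs(urlparse(redirect_url).query)
    root = ET.fromstring(redirect_decode(qs["SAMLRequest"][0]))
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "ID": root.get("ID"),
        "Destination": root.get("Destination"),
        "Issuer": issuer.text if issuer is not None else None,
        "RelayState": qs.get("RelayState", [None])[0],
    }


def idp_accepts(parsed: Dict[str, str], own_endpoint: str = IDP_SSO_URL) -> bool:
    """IDP side: refuse a request addressed to another endpoint or lacking an Issuer."""
    return parsed["Destination"] == own_endpoint and bool(parsed["Issuer"])


def response_matches(outstanding_ids: Set[str], in_response_to: str) -> bool:
    """SP side: accept a Response only for a request we issued, and only once."""
    if in_response_to in outstanding_ids:
        outstanding_ids.discard(in_response_to)
        return True
    return False


if __name__ == "__main__":
    rid, url = make_sso_redirect("/sp/samples/multiprotocol/demo/home.jsp")
    print(url)
    print(parse_incoming_request(url))
```

<p>The one-shot <code>response_matches</code> check is what stops a captured Response from being replayed to the SP, and it also rejects an unsolicited Response carrying an InResponseTo the SP never issued; an IDP-initiated flow would need a separate, explicit policy rather than relaxing this check.</p>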
<br>
<h3>ID-FF Service Provider initiated Single Sign-On and Single Logout</h3>
<ul>
 <li>Point your browser at
<a class="named" href="home.jsp">http://idff-sp-host/sp/samples/multiprotocol/demo/home.jsp</a>. Two links will be shown: one for Local Login, one for Single Sign-On through the remote ID-FF IDP.</li>
 <li>If federation has not yet been done between the ID-FF SP and the IDP:
 <ul>
 <li>Click on the "Local Login" link.</li>
 <li>You will be presented with the local login page. Enter your user name (e.g. "idffspuser") and password. Click "Log In"; you will be brought back to the home page.</li>
 <li>This time, click the "Federate with ID-FF Identity Provider (Multi-Federation Protocol Identity Provider)" link.</li>
 <li>You will be presented with the IDP side login page. Enter your user name (e.g. "idpuser") and password. Click "Log In" again; this completes the federation process.</li>
 </ul>
 </li>
 <li>If federation is already done, click on the link "Login, provided by ID-FF Identity Provider (Multi-Federation Protocol Identity Provider)". This link initiates a Single Sign-On request to the IDP.</li>
 <li>The IDP prompts you to authenticate. Enter your user name (e.g. "idpuser") and password.</li>
 <li>The SP then automatically logs you in based on the Assertion from the IDP and shows you the sample demo page.</li>
 <li>This completes SP-initiated Single Sign-On and Federation.</li>
 <li>You will see links allowing you to log out.</li>
 <li>Click on the "Logout" link.</li>
 <li>The SP initiates a Single Logout and logs you out of the ID-FF SP, the IDP and any other service provider sessions that share the same IDP session.<br>You can verify that you are logged out by visiting the demo home page at the IDP and at each SP: the pages will show you the "Login" link.</li>
</ul>
<br>
<h3>WS-Federation Service Provider initiated Single Sign-On and Single Logout</h3>
<ul>
 <li>Point your browser at
<a class="named" href="home.jsp">http://wsfed-sp-host/sp/samples/multiprotocol/demo/home.jsp</a>.</li>
 <li>Click on the link "Login provided by WS-Federation Identity Provider (Multi-Federation Protocol Identity Provider)". This link initiates a Single Sign-On request to the IDP.</li>
 <li>The IDP prompts you to authenticate. Enter your user name (e.g. "idpuser") and password.</li>
 <li>The SP completes the single sign-on process, automatically logs you in based on the Assertion from the IDP and shows you the sample demo page. There is no local login or federation step here: with the default account mapper the asserted user id is looked up directly as a local account (see the note on demo users above). This completes the SP-initiated Single Sign-On process.</li>
 <li>You will see links allowing you to log out.</li>
 <li>Click on the "Logout" link.</li>
 <li>The SP initiates a Single Logout and logs you out of the WS-Federation SP, the IDP and any other service provider sessions that share the same IDP session.<br>You can verify that you are logged out by visiting the demo home page at the IDP and at each SP: the pages will show you the "Login" link.<br>
<b>Note:</b> you will see a framed JSP page showing that you have signed out of the WS-Federation, SAMLv2 and ID-FF service providers; you must click the link displayed as "Click here to continue". This is needed until issue 800 is fixed.
 </li>
</ul>
<br>
<br>
<h3>Multi-Federation Protocol Identity Provider initiated Single Logout</h3>
<ul>
 <li>Complete Service Provider initiated Single Sign-On using SAMLv2, ID-FF and WS-Federation respectively, following the sections above, without performing the Single Logout step. All three SP sessions now share a single IDP session.</li>
 <li>Point your browser at
<a class="named" href="home.jsp">http://idp-host/idp/samples/multiprotocol/demo/home.jsp</a>.</li>
 <li>Three links will be shown:
 <ul>
 <li>Logout initiated using SAMLv2 protocol.</li>
 <li>Logout initiated using ID-FF protocol.</li>
 <li>Logout initiated using WS-Federation protocol.</li>
 </ul>
 </li>
 <li>Clicking any of the logout links initiates single logout using the selected protocol, then continues to log out the remaining sessions at all other service provider instances using their corresponding federation protocols. Afterwards the demo home page at the IDP and at each SP should show only the "Login" link; an SP that still shows "Logout" did not receive, or did not honour, the logout message for its protocol.</li>
</ul>
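<p>The fan-out described above, as an added Python model that is not part of the sample or of OpenAM's session code: a hub IDP holds one IDP session with the SP sessions bound to it, each tagged with the protocol it was established over. It covers both IDP-initiated logout, where the selected protocol's SPs are contacted first and the rest follow with their own protocols' messages, and SP-initiated logout (the "Logout" links in the three sections above), where the initiating SP is not sent a fresh logout request because it already ended its own session and is owed the response. A second logout for an already-terminated session does nothing, and an attempt to issue SSO on a terminated session is refused. Entity identifiers and session indexes are constructed.</p>

```python
"""Hub IDP single-logout fan-out across SAMLv2, ID-FF and WS-Federation service providers.

Added illustration for the readme; a simplified model, not OpenAM's session or SLO code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMLV2, IDFF, WSFED = "SAMLv2", "ID-FF", "WS-Federation"

# The message each protocol uses to tell an SP to end its session.
LOGOUT_MESSAGE = {
    SAMLV2: "samlp:LogoutRequest",
    IDFF: "lib:LogoutRequest",
    WSFED: "wa=wsignout1.0",
}


@dataclass
class SPSession:
    sp: str              # SP entity identifier (constructed values in the examples)
    protocol: str
    session_index: str   # SP-side handle the IDP quotes when asking that SP to log out


@dataclass
class IDPSession:
    user: str
    sp_sessions: List[SPSession] = field(default_factory=list)
    active: bool = True


class HubIDP:
    def __init__(self) -> None:
        self.sessions: Dict[str, IDPSession] = {}
        self.sent: List[Tuple[str, str, str]] = []   # (protocol, sp, message) audit trail

    def login(self, user: str, session_id: str) -> str:
        """The user authenticates once; every later SSO hangs off this one IDP session."""
        self.sessions[session_id] = IDPSession(user=user)
        return session_id

    def record_sso(self, session_id: str, sp: str, protocol: str, session_index: str) -> None:
        """Called after the IDP has issued an assertion or token to an SP for this session."""
        sess = self.sessions[session_id]
        if not sess.active:
            raise ValueError("cannot issue SSO on a terminated IDP session")
        sess.sp_sessions.append(SPSession(sp, protocol, session_index))

    def single_logout(self, session_id: str, *, first_protocol: Optional[str] = None,
                      initiator_sp: Optional[str] = None) -> List[Tuple[str, str]]:
        """Terminate the IDP session and every SP session that shares it.

        IDP-initiated: first_protocol selects which SPs are contacted first (the three
        demo links); the others follow, each with its own protocol's message.
        SP-initiated: initiator_sp has already ended its own session and is owed a
        LogoutResponse, so it is skipped rather than sent a new LogoutRequest.
        Returns the (protocol, sp) pairs that were sent a logout, in order.
        """
        sess = self.sessions.get(session_id)
        if sess is None or not sess.active:
            return []   # idempotent: a late or replayed logout has nothing left to terminate
        # Stable sort: sessions of the selected protocol first, the rest keep SSO order.
        ordered = sorted(sess.sp_sessions, key=lambda s: s.protocol != first_protocol)
        done: List[Tuple[str, str]] = []
        for s in ordered:
            if s.sp == initiator_sp:
                continue
            msg = f"{LOGOUT_MESSAGE[s.protocol]} SessionIndex={s.session_index}"
            self.sent.append((s.protocol, s.sp, msg))
            done.append((s.protocol, s.sp))
        sess.active = False          # invalidate the IDP session itself ...
        sess.sp_sessions.clear()     # ... and forget the SP sessions bound to it
        return done


if __name__ == "__main__":
    idp = HubIDP()
    sid = idp.login("idpuser", "idp-session-1")
    idp.record_sso(sid, "http://saml2-sp-host/sp", SAMLV2, "saml2-idx-1")
    idp.record_sso(sid, "http://idff-sp-host/sp", IDFF, "idff-idx-1")
    idp.record_sso(sid, "http://wsfed-sp-host/sp", WSFED, "wsfed-idx-1")
    for step in idp.single_logout(sid, first_protocol=WSFED):
        print(step)
```

<p>The <code>sent</code> list is the thing to compare against the SP-side verification step in the readme: every SP that still shows "Logout" after the fan-out should correspond to a message that was either never sent or was sent with a session index the SP no longer recognises.</p>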
<br>
</body>
</html>