------------------------------------------------------------------------------
README file for Open Federation Library
------------------------------------------------------------------------------
DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

Copyright (c) 2008 Sun Microsystems Inc. All Rights Reserved

The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.

You can obtain a copy of the License at
https://opensso.dev.java.net/public/CDDLv1.0.html or
opensso/legal/CDDLv1.0.txt
See the License for the specific language governing
permission and limitations under the License.

When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file
at opensso/legal/CDDLv1.0.txt.
If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"

Portions Copyright 2012-2015 ForgeRock AS.


%% Contents:
 %% 1. Contents of this directory
 %% 2. How to use fedlet.war for demo
 %% 3. How to embed Fedlet into your existing application WAR
 %% 4. How to integrate with existing application after Single Sign-on
 %% 5. How to enable Fedlet to support multiple Identity Providers
 %% 6. How to enable Identity Provider Discovery service in Fedlet
 %% 7. How to perform Fedlet Attribute Query
 %% 8. How to perform Fedlet XACML Query


%% 1. Contents of this directory
 This README file describes the Fedlet ZIP file, which ships with
 pre-configured IDP and Fedlet (SP) metadata.

 Fedlet.zip
 |
 |- fedlet.war   Fedlet WAR file. This is a ready-to-deploy WAR
 |               that demonstrates the Fedlet features.
 |
 |- README       This README file. It describes how to use the Fedlet.


%% 2. How to use fedlet.war for demo
 The fedlet.war contains all the bits necessary for the Fedlet to act as a
 lightweight SAMLv2 Service Provider. It also provides convenient ways
 to set up and validate a Fedlet deployment.

 After deploying fedlet.war into your web container, access the
 Fedlet (SP) index.jsp page to start the Fedlet setup, e.g.
 <SP_PROTOCOL>://<SP_HOST>:<SP_PORT>/<SP_DEPLOY_URI>/index.jsp

 If this is the first time the page is accessed, it will report that the
 Fedlet home directory is not configured yet, and a link will be provided
 that creates the configuration automatically. Once that is done, you will
 be shown links to start Fedlet (SP) initiated and IDP initiated Single
 Sign-on. Click a link and you will be redirected to the IDP for login,
 followed by Single Sign-on to the Fedlet (SP). Upon successful completion,
 a Fedlet (SP) side JSP will be presented showing the SSO Response, the
 Assertion and the AttributeStatement, if any.


%% 3. How to embed Fedlet into your existing application WAR
 a) Extract the fedlet.war into a temporary directory.
 b) Copy the files inside the "conf" directory to a subdirectory named
 "fedlet" under the home directory of the user running your web container
 (the directory pointed to by the JVM property "user.home"). For example,
 assuming the running user's home directory is "/home/webservd":
 % mkdir /home/webservd/fedlet
 % cd conf
 % cp * /home/webservd/fedlet
 The "fedlet" subdirectory under the web container user's home is the
 default location from which the Fedlet reads its metadata, COT and
 configuration properties. Since this directory holds the Fedlet's
 configuration and (see section 7) its key store, keep it readable only
 by the web container user. To change this default directory, set the
 JVM run-time property "com.sun.identity.fedlet.home" to the desired
 location. For example:
 -Dcom.sun.identity.fedlet.home=/export/fedlet/conf
 tells the Fedlet to read the metadata/COT/configuration files from the
 "/export/fedlet/conf" directory instead.
 c) Copy all other files to your application WAR staging directory,
 overlaying them onto your existing application WAR structure.
 Optionally, you can remove index.jsp, fedletEncode.jsp and the "conf"
 directory from the temporary directory created in step a) before copying.
 d) Create the application WAR and redeploy it in your web container.


%% 4. How to integrate with existing application after Single Sign-on
 A sample Fedlet application, fedletSampleApp.jsp, is bundled with
 fedlet.war. The fedletSampleApp.jsp first invokes a utility method
 to complete the SAMLv2 protocol processing. A map containing various
 data, including the Response/Assertion/Attributes, is returned to the
 caller for further processing. The fedletSampleApp.jsp also provides
 some sample code showing how to retrieve data from the returned map.
 You can either modify fedletSampleApp.jsp to add your application
 specific logic or replace fedletSampleApp.jsp with your own servlet/JSP.
 To replace fedletSampleApp.jsp with a new servlet/JSP:
 1. Modify web.xml to set the servlet and servlet-mapping for your new
 servlet or JSP. You must map your new servlet/JSP to the url-pattern
 "/fedletapplication", since that is the URI set in the Fedlet metadata
 (the assertion consumer URL). For example:
     <servlet>
         <servlet-name>yourapplication</servlet-name>
         <jsp-file>/Your-Application.jsp</jsp-file>
     </servlet>
     <servlet-mapping>
         <servlet-name>yourapplication</servlet-name>
         <url-pattern>/fedletapplication</url-pattern>
     </servlet-mapping>
 2. Copy the following code from fedletSampleApp.jsp into your
 application processing code, together with the proper import statements:
// Import statements (in a JSP, put them in a <%@ page import="..." %> directive):
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.profile.SPACSUtils;

Map map;
try {
    // Invoke the Fedlet processing logic. This does all the processing
    // required by the SAMLv2 specifications, such as XML signature
    // validation and Audience and Recipient validation.
    // "out" is the JSP's implicit JspWriter; in a servlet use
    // response.getWriter() instead.
    map = SPACSUtils.processResponseForFedlet(request, response,
            new PrintWriter(out, true));
} catch (SAML2Exception sme) {
    // Note: passing the exception message to sendError echoes it to the
    // client; in production log it and return a generic message instead.
    response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, sme.getMessage());
    return;
} catch (IOException ioe) {
    response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, ioe.getMessage());
    return;
} catch (SessionException se) {
    response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, se.getMessage());
    return;
} catch (ServletException se) {
    response.sendError(HttpServletResponse.SC_BAD_REQUEST, se.getMessage());
    return;
}
 After obtaining the returned "map" object, follow the sample code to
 retrieve the data needed for your business logic. Only data taken from
 this map has passed the signature and condition checks performed above.


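 A complete servlet for the "/fedletapplication" mapping, added here as an
 example; it is not fedletSampleApp.jsp or any other code shipped in
 fedlet.war. It assumes the returned map uses the SAML2Constants keys that
 fedletSampleApp.jsp reads (NAMEID, ATTRIBUTE_MAP, RELAY_STATE); the session
 attribute names and the default landing page are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.profile.SPACSUtils;

/**
 * Assertion consumer servlet mapped to the "/fedletapplication" url-pattern.
 * Added example; not the fedletSampleApp.jsp shipped in fedlet.war.
 */
public class FedletApplicationServlet extends HttpServlet {

    /** Session attribute names are hypothetical; use your application's own. */
    static final String PRINCIPAL_ATTR = "fedlet.principal";
    static final String ATTRIBUTES_ATTR = "fedlet.attributes";

    /** Hypothetical landing page used when RelayState is absent or unsafe. */
    static final String DEFAULT_TARGET = "/home";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        Map map;
        try {
            // Signature, Audience, Recipient and condition checks all happen
            // inside this call: nothing read from the request before it
            // returns may be trusted.
            map = SPACSUtils.processResponseForFedlet(request, response,
                    new PrintWriter(response.getWriter(), true));
        } catch (SAML2Exception | SessionException | ServletException e) {
            // Keep the failure reason in the server log; the client only
            // learns that the response was rejected.
            log("SAML response rejected: " + e.getMessage());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Map keys as used by fedletSampleApp.jsp (assumption: confirm against
        // the JSP bundled in your fedlet.war).
        NameID nameId = (NameID) map.get(SAML2Constants.NAMEID);
        Map attrs = (Map) map.get(SAML2Constants.ATTRIBUTE_MAP);
        String relayState = (String) map.get(SAML2Constants.RELAY_STATE);
        if (nameId == null || nameId.getValue() == null || nameId.getValue().isEmpty()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Issue a fresh container session for the authenticated user so a
        // session id handed out before login cannot be reused (fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(PRINCIPAL_ATTR, nameId.getValue());
        session.setAttribute(ATTRIBUTES_ATTR, attrs);

        response.sendRedirect(request.getContextPath() + safeTarget(relayState));
    }

    /**
     * Only follow a RelayState that is a path inside this application;
     * anything absolute, protocol-relative, empty or containing line breaks
     * falls back to DEFAULT_TARGET so the ACS cannot act as an open redirector.
     */
    static String safeTarget(String relayState) {
        if (relayState == null || relayState.isEmpty()
                || !relayState.startsWith("/") || relayState.startsWith("//")
                || relayState.contains("\\") || relayState.contains("\r")
                || relayState.contains("\n")) {
            return DEFAULT_TARGET;
        }
        return relayState;
    }
}
```

 If your deployment sends absolute URLs in RelayState, extend safeTarget to
 compare the scheme and host against the Fedlet's own entity URL rather than
 accepting only relative paths.
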
%% 5. How to enable Fedlet to support multiple Identity Providers
 To configure a second Identity Provider with this Fedlet:
 a) Get the standard metadata XML file for the new Identity Provider, name
 the XML file "idp2.xml" and copy it to the Fedlet home directory.
 b) Decide which circle-of-trust (COT) the new Identity Provider should
 belong to. The IDP can be added to an existing COT (e.g. "saml2cot") or
 to a brand new COT.
 ** To add the Identity Provider to an existing COT, edit the
 corresponding COT file (e.g. "fedlet.cot") under your Fedlet home
 directory, and append the new IDP entity ID (the value of the
 "entityID" attribute in the "idp2.xml" metadata file) to the value of
 the "sun-fm-trusted-providers" attribute, using "," as the separator.
 ** To add it to a new circle-of-trust:
 -- create a new file named "fedlet2.cot" and put it under the Fedlet
 home directory. Use the existing fedlet.cot as a template, but
 change the value of the "cot-name" attribute to the actual name of
 the new COT (e.g. "cot2"), and include both the new IDP entity ID
 and the Fedlet entity ID as the value of the "sun-fm-trusted-providers"
 attribute (the two entity IDs separated by ",").
 -- edit the sp-extended.xml file and add the new COT name to the value
 of the "cotlist" attribute, e.g.
     <Attribute name="cotlist">
         <Value>saml2cot</Value>
         <Value>cot2</Value>
     </Attribute>
 c) Create a new "idp2-extended.xml" file as the extended metadata for the
 new Identity Provider. Use the existing idp-extended.xml as a template,
 but change the "entityID" to the new IDP entity ID and, if a new COT was
 created for the IDP, change the value of the "cotlist" attribute to that
 COT name.
 Note: make sure the second IDP is a remote IDP by setting the "hosted"
 attribute of the EntityConfig element to "false".
 d) Send the Fedlet metadata XML file (i.e. "sp.xml" under your Fedlet home)
 to the second IDP, import the metadata in the remote IDP and add it to
 the same circle-of-trust as the IDP.
 Repeat the same steps for the third, fourth, ... and [x]th IDP, using
 idpx.xml/idpx-extended.xml/fedletx.cot as the standard metadata/extended
 metadata/COT file names for the new IDP. Restart your Fedlet web container
 to make the change effective.
 When you now access index.jsp again, it will prompt you with a list of
 the IDPs the Fedlet trusts. You can choose any of the IDPs and perform
 Single Sign-on.

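 A pre-flight check over the three files edited in steps b) and c) when a
 new COT is created, added here as an example (not part of the Fedlet or
 OpenAM). The constructed strings stand in for fedlet2.cot, sp-extended.xml
 and idp2-extended.xml; the entity IDs are made up. It flags a COT that does
 not list both entity IDs, a "cotlist" that does not name the COT, and an
 IDP that is not marked remote (hosted="false").

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Consistency check for a second IDP in its own COT. Added example; not part of the Fedlet. */
public class FedletCotCheck {

    // Constructed sample contents (made-up entity IDs) standing in for
    // fedlet2.cot, sp-extended.xml and idp2-extended.xml after steps b) and c).
    static final String SP_ENTITY_ID = "http://sp.example.com:8080/fedlet";
    static final String IDP2_ENTITY_ID = "http://idp2.example.com:8080/openam";
    static final String SAMPLE_COT = "cot-name=cot2\n"
            + "sun-fm-trusted-providers=" + IDP2_ENTITY_ID + "," + SP_ENTITY_ID + "\n";
    static final String SAMPLE_SP_EXTENDED =
            "<EntityConfig xmlns=\"urn:sun:fm:SAML:2.0:entityconfig\" entityID=\""
            + SP_ENTITY_ID + "\" hosted=\"true\"><SPSSOConfig>"
            + "<Attribute name=\"cotlist\"><Value>saml2cot</Value><Value>cot2</Value>"
            + "</Attribute></SPSSOConfig></EntityConfig>";
    static final String SAMPLE_IDP2_EXTENDED =
            "<EntityConfig xmlns=\"urn:sun:fm:SAML:2.0:entityconfig\" entityID=\""
            + IDP2_ENTITY_ID + "\" hosted=\"false\"><IDPSSOConfig>"
            + "<Attribute name=\"cotlist\"><Value>cot2</Value></Attribute>"
            + "</IDPSSOConfig></EntityConfig>";

    /** Returns the problems found; an empty list means the three files agree. */
    static List<String> check(String cotText, String spExtendedXml, String idpExtendedXml)
            throws Exception {
        List<String> problems = new ArrayList<>();
        // A .cot file is a Java properties file; "," separates trusted entity IDs.
        Properties cot = new Properties();
        cot.load(new StringReader(cotText));
        String cotName = cot.getProperty("cot-name", "").trim();
        List<String> trusted = new ArrayList<>();
        for (String id : cot.getProperty("sun-fm-trusted-providers", "").split(",")) {
            if (!id.trim().isEmpty()) {
                trusted.add(id.trim());
            }
        }
        if (cotName.isEmpty()) {
            problems.add("cot-name is missing from the COT file");
        }
        Document sp = parse(spExtendedXml);
        Document idp = parse(idpExtendedXml);
        String spEntityId = sp.getDocumentElement().getAttribute("entityID");
        String idpEntityId = idp.getDocumentElement().getAttribute("entityID");
        if (!trusted.contains(idpEntityId)) {
            problems.add("sun-fm-trusted-providers does not list the IDP " + idpEntityId);
        }
        if (!trusted.contains(spEntityId)) {
            problems.add("sun-fm-trusted-providers does not list the Fedlet " + spEntityId);
        }
        if (!"false".equals(idp.getDocumentElement().getAttribute("hosted"))) {
            problems.add("hosted must be \"false\" on the remote IDP's EntityConfig");
        }
        if (!cotlist(sp).contains(cotName)) {
            problems.add("sp-extended.xml cotlist does not include " + cotName);
        }
        if (!cotlist(idp).contains(cotName)) {
            problems.add("idp2-extended.xml cotlist does not include " + cotName);
        }
        return problems;
    }

    /** Metadata may come from another party: parse with DTD processing refused. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Every <Value> under an <Attribute name="cotlist"> element, trimmed. */
    static List<String> cotlist(Document doc) {
        List<String> values = new ArrayList<>();
        NodeList attrs = doc.getElementsByTagName("Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element attr = (Element) attrs.item(i);
            if ("cotlist".equals(attr.getAttribute("name"))) {
                NodeList vals = attr.getElementsByTagName("Value");
                for (int j = 0; j < vals.getLength(); j++) {
                    values.add(vals.item(j).getTextContent().trim());
                }
            }
        }
        return values;
    }

    public static void main(String[] args) throws Exception {
        List<String> problems = check(SAMPLE_COT, SAMPLE_SP_EXTENDED, SAMPLE_IDP2_EXTENDED);
        System.out.println(problems.isEmpty() ? "OK" : String.join("\n", problems));
    }
}
```

 To run it against a real Fedlet home, read the three files from that
 directory and pass their contents to check(); the same cotlist() helper
 works for the existing-COT case in step b), where only the COT file and
 idp2-extended.xml change.
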
%% 6. How to enable Identity Provider Discovery service in Fedlet
 When the Fedlet is set up with multiple Identity Providers in a COT, it
 can be configured to use the IDP Discovery service to find the preferred
 IDP.

 You need to have the Identity Provider Discovery service set up before
 performing the following steps. If you installed the OpenAM WAR, the
 IDP discovery service is already bundled in the product. Alternatively,
 you can follow the documentation to create a separate WAR for the IDP
 discovery service from the OpenAM WAR. Please refer to the OpenAM
 document set on how to set up and use the Identity Provider Discovery
 service. After setting up the IDP discovery service, have the reader
 service URL (the URL used to find the preferred IDP) and the writer
 service URL (the URL used to record the preferred IDP) ready; they are
 needed in steps a) and c) below. If you are using an OpenAM server
 instance or the IDP-discovery-only WAR instance, the reader service URL is:
 <protocol>://<host>:<port>/<deploy_uri>/saml2reader
 (e.g. http://discovery.common.com/openam/saml2reader)
 and the writer service URL is:
 <protocol>://<host>:<port>/<deploy_uri>/saml2writer
 (e.g. http://discovery.common.com/openam/saml2writer)

 To set up IDP discovery in the Fedlet:
 a) Edit the COT file (e.g. "fedlet.cot"), set the value of the attribute
 "sun-fm-saml2-readerservice-url" to the SAML2 reader service URL
 (e.g. http://discovery.common.com/openam/saml2reader), and set the value
 of the attribute "sun-fm-saml2-writerservice-url" to the SAML2 writer
 service URL (e.g. http://discovery.common.com/openam/saml2writer).
 b) Restart your Fedlet web container to make the change effective.
 c) Set up IDP discovery on each of your IDPs. If your IDP is an OpenAM
 server instance, go to the console, find the COT shared by the IDP and
 the Fedlet, and specify the SAML2 reader service URL and the SAML2
 writer service URL there.
 d) Access the Fedlet index.jsp page; you will be presented with the IDP
 selection page. Do not click the "use IDP discovery service ..." link
 yet, as your preferred IDP has not been set. Choose one of the IDPs
 and complete the Single Sign-on process. The preferred IDP is now
 recorded by the IDP discovery service.
 e) Access the Fedlet index.jsp page again, and choose the
 "use IDP discovery service to find out preferred IDP" link.
 You will be redirected to the IDP discovery service, which determines
 the preferred IDP and sends you back to the Fedlet side with the chosen
 IDP to start Fedlet initiated single sign-on.

%% 7. How to perform Fedlet Attribute Query

 I. Signing
 II. Signing and Encryption
 III. Testing

I. Signing
==========

 Step 1)
 The following steps need to be performed on the hosted IDP:

 a) When creating the IDP entity metadata, make sure that you give that
 entity the Attribute Authority role. The response from the Attribute
 Authority also needs to be signed, so enable signing for the Attribute
 Authority role.
 b) Specify the list of attributes to be fetched in the Attribute Map:
 IDP Entity -> Assertion Processing -> Attribute Map
 e.g. CommonName=cn
      GivenName=sn
      UserStatus=inetUserStatus
 c) Create the Fedlet.

 Step 2)
 The following steps need to be performed on the Fedlet side:

 a) Deploy fedlet.war and configure the Fedlet.

 b) The Attribute Query needs to be signed. Please follow the links
 below on creating a key store and using the certificate.
 http://openam.forgerock.org/doc/admin-guide/index.html#change-signing-key
 http://openam.forgerock.org/doc/dev-guide/index.html#fedlet-signing-encryption

 Add the certificate to the "RoleDescriptor" element inside "sp.xml" as
 shown below.

 <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
     xsi:type="query:AttributeQueryDescriptorType"
     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <KeyDescriptor use="signing">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
         <ds:X509Certificate>
 --certificate--
         </ds:X509Certificate>
       </ds:X509Data>
     </ds:KeyInfo>
   </KeyDescriptor>
 </RoleDescriptor>

 c) In "sp-extended.xml", specify the correct value for
 "signingCertAlias" inside the AttributeQueryConfig element as follows:
 <Attribute name="signingCertAlias">
     <Value>test</Value>
 </Attribute>

 d) Go to Step (1), i.e. the hosted IDP side.

 e) Delete the existing Fedlet metadata, obtain the standard metadata
 from the Fedlet (i.e. sp.xml) and import it.

II. Signing and Encryption
==========================

 Step 1)
 The following steps need to be performed on the hosted IDP:

 a) When creating the IDP entity metadata, make sure that you give that
 entity the Attribute Authority role. The response from the Attribute
 Authority also needs to be signed, so enable signing for the Attribute
 Authority role. Enable encryption for the IDP Attribute Authority
 entity.
 b) Specify the list of attributes to be fetched in the Attribute Map:
 IDP Entity -> Assertion Processing -> Attribute Map
 e.g. CommonName=cn
      GivenName=sn
      UserStatus=inetUserStatus
 c) Specify the Attribute Authority Mapper:
 IDP Entity -> Attribute Authority -> Subject Data Store
 Specify the attribute name which contains the X.509 Subject DN.
 d) Create the Fedlet.


 Step 2)
 The following steps need to be performed on the hosted SP:

 a) Deploy fedlet.war and configure the Fedlet.

 b) For signing and encryption, please follow the links
 below on creating a key store and using the certificate.
 http://openam.forgerock.org/doc/admin-guide/index.html#change-signing-key
 http://openam.forgerock.org/doc/dev-guide/index.html#fedlet-signing-encryption

 Add the certificate to the "RoleDescriptor" element inside "sp.xml" as
 shown below.

 <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
     xsi:type="query:AttributeQueryDescriptorType"
     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <KeyDescriptor use="signing">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
         <ds:X509Certificate>
 --certificate--
         </ds:X509Certificate>
       </ds:X509Data>
     </ds:KeyInfo>
   </KeyDescriptor>
   <KeyDescriptor use="encryption">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
         <ds:X509Certificate>
 --certificate--
         </ds:X509Certificate>
       </ds:X509Data>
     </ds:KeyInfo>
     <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
       <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
     </EncryptionMethod>
   </KeyDescriptor>
 </RoleDescriptor>

 c) In "sp-extended.xml", specify the correct value for
 "encryptionCertAlias". If you want the Assertion to be encrypted by the
 IDP, the NameID from the Fedlet needs to be encrypted: set the attribute
 "wantNameIDEncrypted" to "true" in the AttributeQueryConfig element as
 follows:
 <Attribute name="encryptionCertAlias">
     <Value>test</Value>
 </Attribute>
 <Attribute name="wantNameIDEncrypted">
     <Value>true</Value>
 </Attribute>

 d) Go to Step (1), i.e. the hosted IDP side.

 e) Delete the existing Fedlet metadata, obtain the standard metadata
 from the Fedlet (i.e. sp.xml) and import it.

III. Testing:
===========
Two JSP files are bundled inside fedlet.war: fedletAttrQuery.jsp and
fedletAttrResp.jsp.

a) fedletAttrQuery.jsp:
   Gets the list of attributes from the form whose values need to be
   fetched from the IDP. Make sure you define the correct attribute mapping on the IDP.

b) fedletAttrResp.jsp:
   Retrieves the attribute names from the previous JSP and invokes the
   method below to get the attribute values and display them.

   Map attrMap = AttributeQueryUtil.getAttributeMapForFedlet(
                     spEntityID,
                     idpEntityID,
                     newNameIDValue,
                     attrsList,
                     attrQueryProfile,
                     subjectDN);

c) Select either the "Default" or the "X.509" profile. If the "X.509" profile is
   selected, specify the right value for the "X.509 Subject DN".

%% 8. How to perform Fedlet XACML Query

    I.   General Information
    II.  Signing
    III. Encryption
    IV.  Testing

I. General Information
======================
The following steps are common to all scenarios (including Signing and
Encryption). Unlike the Fedlet Attribute Query, which requires the query to be
signed on the Fedlet side, there is no such requirement for the Fedlet
XACML Query: Signing and Encryption are optional.

    Step 1)
    The following steps need to be performed on the hosted IDP:

    a) When creating the IDP entity metadata, make sure that you give that
       particular entity the XACML PDP role.
    b) Specify the Request Handler for the SAMLv2 SOAP Binding. Log into
       the OpenAM console:
       Configuration tab -> Global -> SAMLv2 SOAP Binding -> New
         Key = /pdp (this must be the same metaAlias that was specified while
                     creating the IDP)
         class = com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler
       Click the "Save" button.
    c) Create the Fedlet.
    d) Specify the right URL policies for the resources for which the Fedlet
       is issuing an XACML query. URL policies with the right actions
       (GET or POST) must be defined for the XACML query to return
       policy decisions for the resource.
       Access Control -> Realm Name -> Policies -> New Policy

    Step 2)
    The following steps need to be performed on the Fedlet side:

    a) Deploy fedlet.war and configure the Fedlet.
    b) If Signing or Encryption is enabled, make sure that when you
       create the PDP on the IDP, the signing certificate or encryption
       certificate has a valid value, and that the updated Fedlet metadata is
       loaded on the IDP side.
    c) If Signing and Encryption are not enabled, skip to section IV (Testing).

II. Signing
==========
    Follow the links below on creating a key store and using the
    certificate:
    http://openam.forgerock.org/doc/admin-guide/index.html#change-signing-key
    http://openam.forgerock.org/doc/dev-guide/index.html#fedlet-signing-encryption

    Add the certificate to the "XACMLAuthzDecisionQueryDescriptor"
    element inside "sp.xml" as shown below:

    <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>
            --certificate--
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </KeyDescriptor>
    </XACMLAuthzDecisionQueryDescriptor>

    a) In "sp-extended.xml", specify the correct value for
       "signingCertAlias" inside the XACMLAuthzDecisionQueryConfig element as
       follows:
       <Attribute name="signingCertAlias">
         <Value>test</Value>
       </Attribute>

    b) If the Fedlet wants to have the Authorization Decision Response signed, it
       specifies the following.

       1) On the Fedlet side, specify the value for
          "wantXACMLAuthzDecisionResponseSigned" inside the
          XACMLAuthzDecisionQueryConfig element as shown below:

          <Attribute name="wantXACMLAuthzDecisionResponseSigned">
            <Value>true</Value>
          </Attribute>

    c) Go to the hosted IDP side.

    d) If the IDP wants the XACML Query signed, enable the property below
       on the XACML PDP tab for the IDP entity:
       Authorization Decision Query Signed

    e) For this change to take effect, set the attribute
       "wantXACMLAuthzDecisionQuerySigned" in "idp-extended.xml" on the Fedlet
       side as follows:
       <Attribute name="wantXACMLAuthzDecisionQuerySigned">
         <Value>true</Value>
       </Attribute>

    f) Delete the existing Fedlet metadata, obtain the standard metadata
       from the Fedlet (i.e. sp.xml) and import it.

    g) If a signed Authorization Decision Response is required (step b), click
       on the XACML PEP entity that was added and enable the attribute
       "Authorization Decision Response Signed".

III. Encryption
===============

    In addition to the section above, the Fedlet might want the Assertion
    from the IDP to be encrypted. To do so:

    a) Enable the following in "sp-extended.xml" inside the
       XACMLAuthzDecisionQueryConfig element:
       <Attribute name="wantAssertionEncrypted">
         <Value>true</Value>
       </Attribute>

    b) For signing and encryption, follow the links
       below on creating a key store and using the certificate:
       http://openam.forgerock.org/doc/admin-guide/index.html#change-signing-key
       http://openam.forgerock.org/doc/dev-guide/index.html#fedlet-signing-encryption

       Add the certificates to the "XACMLAuthzDecisionQueryDescriptor"
       element inside "sp.xml" as shown below:

    <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>
            --certificate--
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </KeyDescriptor>
      <KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>
            --certificate--
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
          <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
        </EncryptionMethod>
      </KeyDescriptor>
    </XACMLAuthzDecisionQueryDescriptor>

    c) In "sp-extended.xml", specify the correct value for
       "encryptionCertAlias":
       <Attribute name="encryptionCertAlias">
         <Value>test</Value>
       </Attribute>

    d) Go to the hosted IDP side.

    e) Delete the existing Fedlet metadata, obtain the standard metadata
       from the Fedlet (i.e. sp.xml) and import it.

    f) Click on the XACML PEP entity that was added and enable the attribute
       "Assertion Encrypted".

IV. Testing:
===========
Two JSP files are bundled inside fedlet.war: fedletXACMLQuery.jsp and
fedletXACMLResp.jsp.

a) fedletXACMLQuery.jsp:
   Prompts the user to enter the Resource URL and the Action (GET or POST). The
   Fedlet then passes this information along with the other parameters
   (pepEntityID, pdpEntityID, NameID) to fedletXACMLResp.jsp.

b) fedletXACMLResp.jsp:
   Retrieves the Resource URL from the previous JSP and invokes the
   method below to get the policy decision for the Resource URL and display
   it. The decision can be "Permit" (if the right policy is provided),
   "Deny" (if no policy is found) or "Indeterminate"
   (if the user session has expired).

   String policy_decision = XACMLQueryUtil.getPolicyDecisionForFedlet(
                                request,
                                pepEntityID,
                                pdpEntityID,
                                nameIDValue,
                                serviceName,
                                resource,
                                action);

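As an added example that is not part of the Fedlet samples or OpenAM, the following policy enforcement point wraps the call above so that only an explicit "Permit" grants access and every other outcome ("Deny", "Indeterminate", an unexpected string, or a failed SOAP/signature/decryption step) denies it. Assumed: XACMLQueryUtil lives in the com.sun.identity.saml2.profile package, and any checked exception it declares is covered by the catch of Exception.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import javax.servlet.http.HttpServletRequest;

// Package name assumed; the Fedlet sample JSPs import XACMLQueryUtil from here.
import com.sun.identity.saml2.profile.XACMLQueryUtil;

/**
 * Added example, not part of the Fedlet samples: a fail-closed policy
 * enforcement point around XACMLQueryUtil.getPolicyDecisionForFedlet().
 */
public final class FedletPep {

    /** The README's URL policies are written for these two actions only. */
    private static final List<String> ALLOWED_ACTIONS = Arrays.asList("GET", "POST");

    private FedletPep() {
    }

    /**
     * Maps the PDP's decision string to an access decision. Only an explicit
     * "Permit" grants access; "Deny" (no matching policy), "Indeterminate"
     * (e.g. an expired session), null and any unexpected value all deny, so a
     * misconfigured PDP or a mangled response can never grant access by accident.
     */
    public static boolean permitsAccess(String decision) {
        return "Permit".equals(decision);
    }

    /**
     * Validates the inputs, queries the PDP and returns true only for "Permit".
     * Transport, signature or decryption failures surface as an exception from
     * the query call and are treated as a denial rather than propagated.
     */
    public static boolean isPermitted(HttpServletRequest request, String pepEntityID,
            String pdpEntityID, String nameIDValue, String serviceName,
            String resource, String action) {
        if (nameIDValue == null || nameIDValue.trim().isEmpty()) {
            return false; // no authenticated subject to ask about
        }
        if (resource == null
                || !(resource.startsWith("http://") || resource.startsWith("https://"))) {
            return false; // the IDP policies are URL policies; reject anything else up front
        }
        String normalizedAction = action == null ? "" : action.trim().toUpperCase(Locale.ROOT);
        if (!ALLOWED_ACTIONS.contains(normalizedAction)) {
            return false;
        }
        String decision;
        try {
            decision = XACMLQueryUtil.getPolicyDecisionForFedlet(
                    request, pepEntityID, pdpEntityID, nameIDValue,
                    serviceName, resource, normalizedAction);
        } catch (Exception e) {
            return false; // fail closed; log the exception in a real deployment
        }
        return permitsAccess(decision);
    }
}
```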