------------------------------------------------------------------------------
README file for Open Federation Library
------------------------------------------------------------------------------
DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved
The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.
You can obtain a copy of the License at
See the License for the specific language governing
permission and limitations under the License.
When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file
If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"
Portions Copyright 2012-2015 ForgeRock AS.
%% 1. Contents of this directory
%% 2. How to configure and test Fedlet
%% 3. How to embed Fedlet into existing application
%% 4. How to integrate with existing application after Single Sign-on
%% 5. How to enable Fedlet to support multiple Identity Providers
%% 6. How to enable Identity Provider Discovery service in Fedlet
%% 7. How to perform Fedlet Attribute Query
%% 8. How to perform Fedlet XACML Query
%% 1. Contents of this directory
This README file provides information on Fedlet ZIP file without
pre-configured IDP and Fedlet (SP) metadata.
Manual steps (refer to section 2.1) need to setup Fedlet (SP) to work
|-
fedlet.war Fedlet WAR file. This is a ready-to-deploy WAR
| to show the Fedlet features.
|- conf Directory containing Fedlet metadata template,
| COT template and configuration files.
|- README This README file. The file shows how to use the
conf files to setup Fedlet configuration.
%% 2. How to configure and test Fedlet
The
fedlet.war contains all necessary bits for Fedlet to acting as a
light-weighted SAMLv2 Service provider. Since this
fedlet.war does
not contain pre-configured metadata and COT information, you need
to follow section 3 to setup Fedlet metadata and COT configuration
2.1 Steps to configure Fedlet
FEDLET_ENTITY_ID : replace with the real entity id (name) for
your Fedlet (SP).
e.g. "fedletsp".
FEDLET_PROTOCOL : replace with the protocol of the web container
FEDLET_HOST : replace with the host name of the web container
FEDLET_PORT : replace with port number of the web container
FEDLET_DEPLOY_URI : replace with deployment URI of the web container
IDP_ENTITY_ID : replace with the real entity id (name) for
your remote IDP.
e.g. "myidp".
note : If Fedlet
and/or IDP entity ID contain "%" or ",", you need to
Change "%" to "%25" and "," to "%2C".
c) Create your fedlet home directory. The "fedlet" subdirectory under
the web container running user's home (pointed by JVM property
"
user.home") is the default location for Fedlet to read its metadata,
COT and configuration properties. For example, assume running user's
To change this default directory, set the value of a JVM run-time
d) Copy tag swapped configuration files (done in step b) to the fedlet
e) Get your IDP standard metadata XML file and copy to the fedlet home
directory. For example, if the remote IDP is a OpenAM
instance, you could use "ssoadm" CLI to export the IDP metadata to a
XML file. The XML file for IDP standard metadata must be named as
"
idp.xml" when copied to the fedlet home directory.
f) Give the Fedlet metadata XML file "
sp.xml" to your IDP, the metadata
file must be imported to IDP machine and add it to the same COT as
The configuration is done, you could continue to section 2.2 to deploy
NOTE REGARDING MODIFICATIONS TO SAMLv2 METADATA:
Be sure to convey information regarding any changes made in the service
provider metadata to the identity provider so it can make the corresponding
changes to its own configuration. A modified
sp.xml file may be sent to
be conveyed to the identity provider using a different method. Once the
identity provider receives the appropriate standard and extended metadata
values, it can make the changes using the OpenAM console. Information on
customizing SAMLv2 providers using the OpenAM console is available in the
* SAMLv2 Service Provider Customization link-
* SAMLv2 Identity Provider Customization link-
If the identity provider is using a product other than OpenAM,
they would make the changes according to their product's documentation.
2.2 Test your Fedlet setup
After deploying
fedlet.war into your web container, try access the
<SP_PROTOCOL>://<SP_HOST>:<SP_PORT>/<SP_DEPLOY_URI>/
index.jsp If you have not performed steps described in section 2.1, it will show
that the Fedlet home directory is not configured, you need to follow
README to create the configuration manually.
If Fedlet configuration is done, you will be shown links to start
Fedlet (SP) and IDP initiated Single Sing-on. Click the link, you will
be redirected to IDP for login, then Single Sign-on to Fedlet(SP).
Upon successful completion, a Fedlet(SP) side JSP will be presented
to show the SSO Response, Assertion and AttributeStatement if any.
%% 3. How to embed Fedlet into your existing application WAR
a) Extract the
fedlet.war into a temporal directory.
b) Follow section 2.1 to setup your Fedlet configuration.
c) Copy all other files to your application WAR staging directory, overlay
them with your existing application WAR structure.
directory from the temporal directory created in step a) before copying.
d) Create the application WAR and redeploy in your web container.
%% 4. How to integrate with existing application after Single Sign-on
to complete SAMLv2 protocol processing. A map containing various data,
how to retrieve data from the returned map.
1. Modify
web.xml to set servlet and servlet-mapping for your new servlet
or JSP. You must map your new
servlet/JSP to the url-pattern
"/fedletapplication" since it is the URI set in the Fedlet metadata
(the assertion consumer URL). For example:
<servlet-name>yourapplication</servlet-name>
<servlet-name>yourapplication</servlet-name>
<url-pattern>/fedletapplication</url-pattern>
application processing code with proper import statement:
// invoke the Fedlet processing logic. this will do all the
// necessary processing conforming to SAMLv2 specifications,
// such as XML signature validation, Audience and Recipient
} catch (SAML2Exception sme) {
} catch (IOException ioe) {
} catch (SessionException se) {
} catch (ServletException se) {
After obtaining the returned "map" object, you could follow the sample
code to retrieve data needed for your business logics.
%% 5. How to enable Fedlet to support multiple Identity Providers
To configure second Identity Provider with this Fedlet:
a) Get the standard metadata XML file for the new Identity Provider, name
the XML file as "
idp2.xml" and copy it to the Fedlet home directory.
b) Decide on the circle-of-trust (COT) the new Identity Provider would
belong. This IDP could be added to an existing COT (
e.g. "saml2cot") or
** To add the Identity Provider to an existing COT, edit the
directory, and append the new IDP entity ID (pointed by the
"entityID" attribute in the "
idp2.xml" metadata file) to the
value of "sun-fm-trusted-providers" attribute using "," as separator.
** To add to a new circle-of-trust:
-- create a new file named "
fedlet2.cot" and put it under the Fedlet
home directory. Use the existing
fedlet.cot as a template, but
change the value of attribute "cot-name" to the actual name of
the new COT (
e.g. "cot2"), and include both the new IDP entity ID
and the Fedlet entity ID as value for "sun-fm-trusted-providers"
attribute (two entity IDs separated by ",").
of "cotlist" attribute,
e.g. <Attribute name="cotlist">
but change the "entityID" to the new IDP entity ID, change the value for
"cotlist" attribute to the COT name if a new COT is created for the IDP.
Note : make sure the second IDP is a remote IDP by setting the "hosted"
attribute in the EntityConfig element to "false".
d) Send the Fedlet metadata XML file (
i.e. "
sp.xml" under your Fedlet home)
to the second IDP, import the metadata in the remote IDP and add it to
the same circle-of-trust as the IDP.
Repeat the same steps for the third, fourth, ... and [x]th IDP, use
name for the new IDP. Restart your Fedlet web container to make the change
Now accessing the
index.jsp again, it will prompt you with a list of IDPs
the Fedlet trusted. You could choose any of the IDP and perform Single
%% 6. How to enable Identity Provider Discovery service in Fedlet
When Fedlet is set up with multiple Identity Providers in a COT, it could be
configured to use IDP Discovery service to find out the preferred IDP.
You need to have the Identity Provider Discovery service set up before
performing following steps. If you installed the OpenAM WAR, the
IDP discovery service is bundled in the products already. Or you could
follow the document to create a separate WAR for the IDP discovery
service using the OpenAM WAR. Please refer to the OpenAM
document set on how to setup and use the Identity Provider
Discovery service. After set up the IDP discovery service, have the
reader service URL (URL to find out preferred IDP) and writer service
URL (URL to write the preferred IDP) ready, they are needed in step
a) and c) below. If you are using OpenAM server instance
or the IDP discovery only WAR instance, the reader service URL is:
<protocol>://<host>:<port>/<deploy_uri>/saml2reader
the writer service URL is :
<protocol>://<host>:<port>/<deploy_uri>/saml2writer
To setup IDP discovery in Fedlet:
a) edit the COT file (
e.g. "
fedlet.cot"), and set the value for attribute
"sun-fm-saml2-readerservice-url" to the SAML2 reader service URL
for attribute "sun-fm-saml2-writerservice-url" to the SAML2 writer
b) Restart your Fedlet web container to make the change to be effective.
c) Setup IDP discovery on each of your remote IDPs. If the IDP is an OpenAM
server instance, you need go to the administration console,
find the COT for the IDP and Fedlet, and specify the SAML2 reader
service URL and SAML2 writer service URL, and Save.
d) Access the Fedlet
index.jsp page, you will be presented with IDP
selection page. Don't click the "use IDP discovery service ..."
link yet, as your preferred IDP has not been set yet. Choose one
of the IDPs, and complete the Single Sign-on process. The preferred IDP
is set right now by the IDP discovery service.
c) Access the Fedlet
index.jsp page again, and choose the
"use IDP discovery service to find out preferred IDP" link.
You will be redirected to the IDP discovery service to find out
the preferred IDP and send back to Fedlet side with the chosen
IDP to start the Fedlet initiated single sign-on.
%% 7. How to perform Fedlet Attribute Query:
II. Signing and Encryption
Following steps need to be performed on Fedlet:
a) The Attribute Query needs to be signed. Please follow the links
below on creating a key store and using the certificate.
Add the certificate to the "RoleDescriptor" element as shown below
xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
xsi:type="query:AttributeQueryDescriptorType"
protocolSupportEnumeration= "urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
"signingCertAlias" inside the AttributeQueryConfig element as follows:
<Attribute name="signingCertAlias">
Following steps need to be performed on hosted IDP:
a) When creating the IDP entity metadata, make sure that you specify that
particular entity has Attribute Authority role. Also the response from
Attribute Authority needs to be signed. Enable signing for Attribute
b) Specify the list of attributes to be fetched in the Attribute Map
IDP Entity -> Assertion Processing -> Attribute Map
UserStatus=inetUserStatus
c) Obtain the standard metadata from Fedlet(
i.e sp.xml) and
d) Goto Step (1) (Fedlet side)
e) Get your IDP standard metadata XML file and copy to the fedlet home
directory. For example, if the remote IDP is a OpenAM instance,
you could use "ssoadm" CLI to export the IDP metadata to a XML file.
The XML file for IDP standard metadata must be named as "
idp.xml"
when copied to the fedlet home directory.
II. Signing and Encryption
==========================
Following steps need to be performed on Fedlet:
a) The Attribute Query needs to be signed. Please follow the links
below on creating a key store and using the certificate.
Add the certificate to the "RoleDescriptor" element as shown below
xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
xsi:type="query:AttributeQueryDescriptorType"
protocolSupportEnumeration= "urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyDescriptor use="encryption">
"encryptionCertAlias". If you want Assertion to be encrypted by IDP,
the NameID from Fedlet needs to be encrypted. Please specify the
value of "true" to the attribute "wantNameIDEncrypted" in
AttributeQueryConfig element as follows:
<Attribute name="encryptionCertAlias">
<Attribute name="wantNameIDEncrypted">
Following steps need to be performed on hosted IDP:
a) When creating the IDP entity metadata, make sure that you specify that
particular entity with Attribute Authority role. Also the response from
Attribute Authority needs to be signed. Enable signing for Attribute
Authority role. Enable encryption for the IDP Attribute Authority
b) Specify the list of attributes to be fetched in the Attribute Map
IDP Entity -> Assertion Processing -> Attribute Map
UserStatus=inetUserStatus
c) Specify the Attribute Authority Mapper.
IDP Entity -> Attribute Authority -> Subject Data Store
Specify the Attribute name which contains X.509 Subject DN.
d) Obtain the standard metadata from Fedlet(
i.e sp.xml) and
e) Goto Step (1) (Fedlet side)
f) Get your IDP standard metadata XML file and copy to the fedlet home
directory. For example, if the remote IDP is a OpenAM instance,
you could use "ssoadm" CLI to export the IDP metadata to a XML file.
The XML file for IDP standard metadata must be named as "
idp.xml"
when copied to the fedlet home directory.
Gets the list of attributes from the form whose values needs to be
fetched from IDP. Please make sure you define the correct mapping in the IDP.
Retrieves the attribute names from the previous jsp and invokes the
below method to get the attribute values and display the same.
c) Select either the "Default" or "X.509" profile. If "X.509" profile is
selected, specify the right value for the "X.509 Subject DN".
%% 8. How to perform Fedlet XACML Query
Following steps are common for all the scenarios (including Signing and
Encryption). Unlike Fedlet Attribute Query which required query signing
to be done on the Fedlet side, no such requirement is there for Fedlet
XACML Query. Signing and Encryption are optional.
Following steps need to be performed on hosted IDP:
a) When creating the IDP entity metadata, make sure that you specify that
particular entity with XACML PDP role.
b) Need to specify the Request Handler for SAMLv2 SOAP Binding. Log into
Configuration tab -> Global -> SAMLv2 SOAP Binding -> New
Key = /pdp (This should be the same metaAlias specified while
c) Specify the right URL policies for the resources for which the Fedlet
is issuing a XACML query. Right URL policies with right actions
(GET or POST) should be specified for the XACML query to get the
policy decisions for the resoruce.
Access Control -> Realm Name -> Policies -> New Policy
d) Get your IDP standard metadata XML file and copy to the fedlet home
directory. For example, if the remote IDP is a OpenAM instance,
you could use "ssoadm" CLI to export the IDP metadata to a XML file.
The XML file for IDP standard metadata must be named as "
idp.xml"
when copied to the fedlet home directory. issuing a XACML query.
Following steps need to be performed on Fedlet side:
a) If Signing or Encryption is enabled, please make sure when you
create PDP on IDP, signing cert or encryption cert should have a
valid value. Also the updated Fedlet metadata is loaded on IDP
b) If Signing and Encryption are not enabled, skip to Step IV.
a) On the Fedlet Side, please follow the links
below on creating a key store and using the certificate.
Add the certificate to the "XACMLAuthzDecisionQueryDescriptor"
element as shown below inside "
sp.xml".
<XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
</XACMLAuthzDecisionQueryDescriptor>
"signingCertAlias" inside the XACMLAuthzDecisionQueryConfig element as
<Attribute name="signingCertAlias">
c) Also the Fedlet might want to have the Authorization Decision Response
1) On the Fedlet side, specify the value for
"wantXACMLAuthzDecisionResponseSigned" inside the
XACMLAuthzDecisionQueryConfig as shown below:
<Attribute name="wantXACMLAuthzDecisionResponseSigned">
d) Goto to Hosted IDP side
e) IDP might want to get the XACML Query signed. It will enable the below
property on the XACML PDP tab for the IDP Entity
Authorization Decision Query Signed
f) Also specify the below value for the attribute
"wantXACMLAuthzDecisionQuerySigned".
<Attribute name="wantXACMLAuthzDecisionQuerySigned">
g) Delete existing fedlet metadata and obtain the standard metadata
h) If Authorization Decision Response Signed is required (Step d),
click on the XACML PEP entity that was added. Enable the attribute
"Authorization Decision Response Signed".
In addition to above section, the Fedlet might want to get the Assertion
from IDP to be encrypted.
XACMLAuthzDecisionQueryConfig element.
<Attribute name="wantAssertionEncrypted">
b) For signing and encryption follow the below link:
Add the certificate to the "XACMLAuthzDecisionQueryDescriptor"
element as shown below inside "
sp.xml".
<XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyDescriptor use="signing">
<KeyDescriptor use="encryption">
</XACMLAuthzDecisionQueryDescriptor>
<Attribute name="encryptionCertAlias">
d) Goto to Hosted IDP side
e) Delete existing fedlet metadata and obtain the standard metadata
f) Click on the XACML PEP entity that was added. Enable the attribute
Prompts the user to enter the Resource URL, Action (GET or POST). Fedlet
then passes this information along with other parameters (pepEntityID,
Retrieves the Resource URL from the previous jsp and invokes the
below method to get the policy decision for the Resource URL and display the
same. The decision can be either "Permit" (if the right policy decision is
provided", else "Deny" (if no policy is found) or "Indeterminate"
(if the user session has expired).