------------------------------------------------------------------------------
README file for Open Federation Library
------------------------------------------------------------------------------
DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved

The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.

You can obtain a copy of the License at
See the License for the specific language governing
permission and limitations under the License.

When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file
If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"

Portions Copyright 2012 ForgeRock AS
%% 1. Contents of this directory
%% 2. How to configure and test Fedlet
%% 3. How to embed Fedlet into existing application
%% 4. How to integrate with existing application after Single Sign-on
%% 5. How to enable Fedlet to support multiple Identity Providers
%% 6. How to enable Identity Provider Discovery service in Fedlet
%% 7. How to perform Fedlet Attribute Query
%% 8. How to perform Fedlet XACML Query
%% 1. Contents of this directory

   This README file provides information on the Fedlet ZIP file without
   pre-configured IDP and Fedlet (SP) metadata.
   Manual steps (refer to section 2.1) are needed to set up the Fedlet (SP) to work
   |           to show the Fedlet features.
   |- conf     Directory containing the Fedlet metadata template,
   |           COT template and configuration files.
   |- README   This README file. The file shows how to use the
               conf files to set up the Fedlet configuration.
%% 2. How to configure and test Fedlet

   not contain pre-configured metadata and COT information, you need
   to follow section 3 to set up the Fedlet metadata and COT configuration

   2.1 Steps to configure Fedlet

      FEDLET_ENTITY_ID  : replace with the real entity id (name) for
      FEDLET_PROTOCOL   : replace with the protocol of the web container
      FEDLET_HOST       : replace with the host name of the web container
      FEDLET_PORT       : replace with the port number of the web container
      FEDLET_DEPLOY_URI : replace with the deployment URI of the web container
      IDP_ENTITY_ID     : replace with the real entity id (name) for
      note : If the Fedlet and/or IDP entity ID contains "%" or ",", you need to
             change "%" to "%25" and "," to "%2C".
   c) Create your fedlet home directory. The "fedlet" subdirectory under
      the web container running user's home (pointed to by the JVM property
      "user.home") is the default location for Fedlet to read its metadata,
      COT and configuration properties. For example, assume running user's
      To change this default directory, set the value of a JVM run-time
   d) Copy the tag-swapped configuration files (done in step b) to the fedlet
   e) Get your IDP standard metadata XML file and copy it to the fedlet home
      directory. For example, if the remote IDP is an OpenSSO
      instance, you could use the "ssoadm" CLI to export the IDP metadata to an
      XML file. The XML file for IDP standard metadata must be named as
   f) Give the Fedlet metadata XML file "sp.xml" to your IDP; the metadata
      file must be imported to the IDP machine and added to the same COT as
   The configuration is done; you could continue to section 2.2 to deploy
   NOTE REGARDING MODIFICATIONS TO SAMLv2 METADATA:
   Be sure to convey information regarding any changes made in the service
   provider metadata to the identity provider so it can make the corresponding
   changes to its own configuration. A modified sp.xml file may be sent to
   be conveyed to the identity provider using a different method. Once the
   identity provider receives the appropriate standard and extended metadata
   values, it can make the changes using the OpenSSO console. Information on
   customizing SAMLv2 providers using the OpenSSO console is available in the
   OpenSSO Enterprise 8.0 documentation.
      * SAMLv2 Service Provider Customization link-
      * SAMLv2 Identity Provider Customization link-
   If the identity provider is using a product other than OpenSSO Enterprise,
   they would make the changes according to their product's documentation.
   2.2 Test your Fedlet setup

      If you have not performed the steps described in section 2.1, it will show
      that the Fedlet home directory is not configured; you need to follow this
      README to create the configuration manually.
      If the Fedlet configuration is done, you will be shown links to start
      Fedlet (SP) and IDP initiated Single Sign-on. Click the link; you will
      be redirected to the IDP for login, then Single Sign-on to the Fedlet (SP).
      Upon successful completion, a Fedlet (SP) side JSP will be presented
      to show the SSO Response, Assertion and AttributeStatement if any.
%% 3. How to embed Fedlet into your existing application WAR

   b) Follow section 2.1 to set up your Fedlet configuration.
   c) Copy all other files to your application WAR staging directory, overlaying
      them with your existing application WAR structure.
      directory from the temporary directory created in step a) before copying.
   d) Create the application WAR and redeploy it in your web container.
%% 4. How to integrate with existing application after Single Sign-on

   to complete SAMLv2 protocol processing. A map containing various data,
   how to retrieve data from the returned map.

   1. Modify web.xml to set the servlet and servlet-mapping for your new servlet
      "/fedletapplication", since it is the URI set in the Fedlet metadata
      (the assertion consumer URL). For example:

         <servlet>
             <servlet-name>yourapplication</servlet-name>
             ...
         </servlet>
         <servlet-mapping>
             <servlet-name>yourapplication</servlet-name>
             <url-pattern>/fedletapplication</url-pattern>
         </servlet-mapping>

      application processing code with the proper import statements:

         try {
             // invoke the Fedlet processing logic. this will do all the
             // necessary processing conforming to SAMLv2 specifications,
             // such as XML signature validation, Audience and Recipient
             ...
         } catch (SAML2Exception sme) {
             ...
         } catch (IOException ioe) {
             ...
         } catch (SessionException se) {
             ...
         } catch (ServletException se) {
             ...
         }

      After obtaining the returned "map" object, you could follow the sample
      code to retrieve the data needed for your business logic.
%% 5. How to enable Fedlet to support multiple Identity Providers

   To configure a second Identity Provider with this Fedlet:
   a) Get the standard metadata XML file for the new Identity Provider, name
      the XML file "idp2.xml" and copy it to the Fedlet home directory.
   b) Decide on the circle-of-trust (COT) the new Identity Provider would
      belong to. This IDP could be added to an existing COT (e.g. "saml2cot") or
      ** To add the Identity Provider to an existing COT, edit the
         directory, and append the new IDP entity ID (pointed to by the
         "entityID" attribute in the "idp2.xml" metadata file) to the
         value of the "sun-fm-trusted-providers" attribute using "," as separator.
      ** To add to a new circle-of-trust:
         -- create a new file named "fedlet2.cot" and put it under the Fedlet
            home directory. Use the existing fedlet.cot as a template, but
            change the value of the attribute "cot-name" to the actual name of
            the new COT (e.g. "cot2"), and include both the new IDP entity ID
            and the Fedlet entity ID as the value for the "sun-fm-trusted-providers"
            attribute (two entity IDs separated by ",").
            of the "cotlist" attribute, e.g. <Attribute name="cotlist">
      but change the "entityID" to the new IDP entity ID, and change the value for
      the "cotlist" attribute to the COT name if a new COT is created for the IDP.
      Note : make sure the second IDP is a remote IDP by setting the "hosted"
      attribute in the EntityConfig element to "false".
   d) Send the Fedlet metadata XML file (i.e. "sp.xml" under your Fedlet home)
      to the second IDP, import the metadata in the remote IDP and add it to
      the same circle-of-trust as the IDP.
   Repeat the same steps for the third, fourth, ... and [x]th IDP, use
   name for the new IDP. Restart your Fedlet web container to make the change
   Now accessing the index.jsp again, it will prompt you with a list of IDPs
   the Fedlet trusted. You could choose any of the IDPs and perform Single
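The "%"/"," escaping rule from section 2.1 and the "sun-fm-trusted-providers" edit from section 5, worked through as an added example (this is not code from this README or from the Fedlet project). It assumes the COT file is a key=value properties file; the file content and entity IDs are constructed. An unescaped "," inside an entity ID would be read as a list separator, so the IDP would never match the trusted list.

```python
import re

TRUSTED = "sun-fm-trusted-providers"

# Constructed fedlet.cot content. The key=value layout is an assumption;
# the attribute names are the ones this README refers to.
SAMPLE_COT = """cot-name=saml2cot
sun-fm-cot-status=Active
sun-fm-trusted-providers=https://idp.example.com/openam,https://fedlet.example.com/fedlet
sun-fm-saml2-readerservice-url=
sun-fm-saml2-writerservice-url=
"""


def encode_entity_id(entity_id):
    """README rule: '%' becomes '%25' and ',' becomes '%2C', nothing else.
    '%' is handled first so a literal '%2C' in an ID is not mistaken for a comma."""
    return entity_id.replace("%", "%25").replace(",", "%2C")


def decode_entity_id(encoded):
    """Reverse the rule in a single pass so '%252C' decodes back to '%2C'."""
    return re.sub(r"%(25|2C)", lambda m: "%" if m.group(1) == "25" else ",", encoded)


def parse_cot(text):
    """Read key=value lines into a dict; the first '=' separates key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def render_cot(props):
    """Write the dict back in the same key=value layout."""
    return "".join(f"{k}={v}\n" for k, v in props.items())


def trusted_providers(props):
    """The list the Fedlet trusts: split on ',' first, then decode each ID.
    This is why a raw ',' in an ID must be escaped before it is appended."""
    return [decode_entity_id(p) for p in props.get(TRUSTED, "").split(",") if p]


def add_trusted_provider(props, entity_id):
    """Section 5 step b): append the new IDP entity ID with ',' as separator."""
    current = trusted_providers(props)
    if entity_id not in current:  # keep the list free of duplicates
        current.append(entity_id)
    props[TRUSTED] = ",".join(encode_entity_id(e) for e in current)
    return props
```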
%% 6. How to enable Identity Provider Discovery service in Fedlet

   When the Fedlet is set up with multiple Identity Providers in a COT, it could be
   configured to use the IDP Discovery service to find out the preferred IDP.
   You need to have the Identity Provider Discovery service set up before
   performing the following steps. If you installed the OpenSSO WAR, the
   IDP discovery service is bundled in the product already. Or you could
   follow the document to create a separate WAR for the IDP discovery
   service using the OpenSSO WAR. Please refer to the OpenSSO
   document set on how to set up and use the Identity Provider
   Discovery service. After setting up the IDP discovery service, have the
   reader service URL (URL to find out the preferred IDP) and writer service
   URL (URL to write the preferred IDP) ready; they are needed in steps
   a) and c) below. If you are using an OpenSSO server instance
   or the IDP discovery only WAR instance, the reader service URL is:
       <protocol>://<host>:<port>/<deploy_uri>/saml2reader
   and the writer service URL is:
       <protocol>://<host>:<port>/<deploy_uri>/saml2writer

   To set up IDP discovery in Fedlet:
   a) Edit the COT file (e.g. "fedlet.cot"), and set the value for the attribute
      "sun-fm-saml2-readerservice-url" to the SAML2 reader service URL
      for the attribute "sun-fm-saml2-writerservice-url" to the SAML2 writer
   b) Restart your Fedlet web container to make the change effective.
   c) Set up IDP discovery on each of your remote IDPs. If the IDP is an OpenSSO
      server instance, you need to go to the administration console,
      find the COT for the IDP and Fedlet, specify the SAML2 reader
      service URL and SAML2 writer service URL, and Save.
   d) Access the Fedlet index.jsp page; you will be presented with the IDP
      selection page. Don't click the "use IDP discovery service ..."
      link yet, as your preferred IDP has not been set yet. Choose one
      of the IDPs, and complete the Single Sign-on process. The preferred IDP
      is now set by the IDP discovery service.
   e) Access the Fedlet index.jsp page again, and choose the
      "use IDP discovery service to find out preferred IDP" link.
      You will be redirected to the IDP discovery service to find out
      the preferred IDP and sent back to the Fedlet side with the chosen
      IDP to start the Fedlet initiated single sign-on.
%% 7. How to perform Fedlet Attribute Query:

   II. Signing and Encryption
   The following steps need to be performed on the Fedlet:
   a) The Attribute Query needs to be signed. Please follow the links
      below on creating a key store and using the certificate.
      Add the certificate to the "RoleDescriptor" element as shown below
          <RoleDescriptor
              xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
              xsi:type="query:AttributeQueryDescriptorType"
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <KeyDescriptor use="signing">
                  ...
              </KeyDescriptor>
              ...
          </RoleDescriptor>
      "signingCertAlias" inside the AttributeQueryConfig element as follows:
          <Attribute name="signingCertAlias">
              ...
          </Attribute>
   The following steps need to be performed on the hosted IDP:
   a) When creating the IDP entity metadata, make sure that you specify that
      the particular entity has the Attribute Authority role. Also the response from
      the Attribute Authority needs to be signed. Enable signing for the Attribute
   b) Specify the list of attributes to be fetched in the Attribute Map
      IDP Entity -> Assertion Processing -> Attribute Map
          UserStatus=inetUserStatus
   c) Obtain the standard metadata from the Fedlet (i.e. sp.xml) and
   d) Go to Step (1) (Fedlet side)
   e) Get your IDP standard metadata XML file and copy it to the fedlet home
      directory. For example, if the remote IDP is an OpenSSO instance,
      you could use the "ssoadm" CLI to export the IDP metadata to an XML file.
      The XML file for IDP standard metadata must be named "idp.xml"
      when copied to the fedlet home directory.

   II. Signing and Encryption
   ==========================
   The following steps need to be performed on the Fedlet:
   a) The Attribute Query needs to be signed. Please follow the links
      below on creating a key store and using the certificate.
      Add the certificate to the "RoleDescriptor" element as shown below
          <RoleDescriptor
              xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
              xsi:type="query:AttributeQueryDescriptorType"
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <KeyDescriptor use="signing">
                  ...
              </KeyDescriptor>
              <KeyDescriptor use="encryption">
                  ...
              </KeyDescriptor>
              ...
          </RoleDescriptor>
      "encryptionCertAlias". If you want the Assertion to be encrypted by the IDP,
      the NameID from the Fedlet needs to be encrypted. Please specify the
      value "true" for the attribute "wantNameIDEncrypted" in the
      AttributeQueryConfig element as follows:
          <Attribute name="encryptionCertAlias">
              ...
          </Attribute>
          <Attribute name="wantNameIDEncrypted">
              ...
          </Attribute>
   The following steps need to be performed on the hosted IDP:
   a) When creating the IDP entity metadata, make sure that you specify that
      the particular entity has the Attribute Authority role. Also the response from
      the Attribute Authority needs to be signed. Enable signing for the Attribute
      Authority role. Enable encryption for the IDP Attribute Authority
   b) Specify the list of attributes to be fetched in the Attribute Map
      IDP Entity -> Assertion Processing -> Attribute Map
          UserStatus=inetUserStatus
   c) Specify the Attribute Authority Mapper.
      IDP Entity -> Attribute Authority -> Subject Data Store
      Specify the Attribute name which contains the X.509 Subject DN.
   d) Obtain the standard metadata from the Fedlet (i.e. sp.xml) and
   e) Go to Step (1) (Fedlet side)
   f) Get your IDP standard metadata XML file and copy it to the fedlet home
      directory. For example, if the remote IDP is an OpenSSO instance,
      you could use the "ssoadm" CLI to export the IDP metadata to an XML file.
      The XML file for IDP standard metadata must be named "idp.xml"
      when copied to the fedlet home directory.

   Gets the list of attributes from the form whose values need to be
   fetched from the IDP. Please make sure you define the correct mapping in the IDP.
   Retrieves the attribute names from the previous jsp and invokes the
   below method to get the attribute values and display the same.
   c) Select either the "Default" or "X.509" profile. If the "X.509" profile is
      selected, specify the right value for the "X.509 Subject DN".
%% 8. How to perform Fedlet XACML Query

   The following steps are common for all the scenarios (including Signing and
   Encryption). Unlike the Fedlet Attribute Query, which required query signing
   to be done on the Fedlet side, there is no such requirement for the Fedlet
   XACML Query. Signing and Encryption are optional.

   The following steps need to be performed on the hosted IDP:
   a) When creating the IDP entity metadata, make sure that you specify that
      the particular entity has the XACML PDP role.
   b) Specify the Request Handler for the SAMLv2 SOAP Binding. Log into
      Configuration tab -> Global -> SAMLv2 SOAP Binding -> New
          Key = /pdp (This should be the same metaAlias specified while
   c) Specify the right URL policies for the resources for which the Fedlet
      is issuing a XACML query. The right URL policies with the right actions
      (GET or POST) should be specified for the XACML query to get the
      policy decisions for the resource.
      Access Control -> Realm Name -> Policies -> New Policy
   d) Get your IDP standard metadata XML file and copy it to the fedlet home
      directory. For example, if the remote IDP is an OpenSSO instance,
      you could use the "ssoadm" CLI to export the IDP metadata to an XML file.
      The XML file for IDP standard metadata must be named "idp.xml"
      when copied to the fedlet home directory.

   The following steps need to be performed on the Fedlet side:
   a) If Signing or Encryption is enabled, please make sure that when you
      create the PDP on the IDP, the signing cert or encryption cert has a
      valid value. Also the updated Fedlet metadata is loaded on the IDP
   b) If Signing and Encryption are not enabled, skip to Step IV.

   a) On the Fedlet side, please follow the links
      below on creating a key store and using the certificate.
      Add the certificate to the "XACMLAuthzDecisionQueryDescriptor"
      element as shown below inside "sp.xml".
          <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false"
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <KeyDescriptor use="signing">
                  ...
              </KeyDescriptor>
              ...
          </XACMLAuthzDecisionQueryDescriptor>
      "signingCertAlias" inside the XACMLAuthzDecisionQueryConfig element as
          <Attribute name="signingCertAlias">
              ...
          </Attribute>
   c) Also the Fedlet might want to have the Authorization Decision Response
      1) On the Fedlet side, specify the value for
         "wantXACMLAuthzDecisionResponseSigned" inside the
         XACMLAuthzDecisionQueryConfig as shown below:
             <Attribute name="wantXACMLAuthzDecisionResponseSigned">
                 ...
             </Attribute>
   d) Go to the Hosted IDP side
   e) The IDP might want to get the XACML Query signed. It will enable the below
      property on the XACML PDP tab for the IDP Entity
          Authorization Decision Query Signed
   f) Also specify the below value for the attribute
      "wantXACMLAuthzDecisionQuerySigned".
          <Attribute name="wantXACMLAuthzDecisionQuerySigned">
              ...
          </Attribute>
   g) Delete the existing fedlet metadata and obtain the standard metadata
   h) If Authorization Decision Response Signed is required (Step d),
      click on the XACML PEP entity that was added. Enable the attribute
      "Authorization Decision Response Signed".

   In addition to the above section, the Fedlet might want the Assertion
   from the IDP to be encrypted.
      XACMLAuthzDecisionQueryConfig element.
          <Attribute name="wantAssertionEncrypted">
              ...
          </Attribute>
   b) For signing and encryption follow the below link:
      Add the certificate to the "XACMLAuthzDecisionQueryDescriptor"
      element as shown below inside "sp.xml".
          <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false"
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <KeyDescriptor use="signing">
                  ...
              </KeyDescriptor>
              <KeyDescriptor use="encryption">
                  ...
              </KeyDescriptor>
          </XACMLAuthzDecisionQueryDescriptor>
          <Attribute name="encryptionCertAlias">
              ...
          </Attribute>
   d) Go to the Hosted IDP side
   e) Delete the existing fedlet metadata and obtain the standard metadata
   f) Click on the XACML PEP entity that was added. Enable the attribute

   Prompts the user to enter the Resource URL and Action (GET or POST). The Fedlet
   then passes this information along with other parameters (pepEntityID,
   Retrieves the Resource URL from the previous jsp and invokes the
   below method to get the policy decision for the Resource URL and display the
   same. The decision can be either "Permit" (if the right policy decision is
   provided), else "Deny" (if no policy is found) or "Indeterminate"
   (if the user session has expired).
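A consistency check for the metadata pairs described in sections 7 and 8, added here as an example and not part of this README or the Fedlet code: when sp-extended.xml sets "signingCertAlias" or "encryptionCertAlias" for the attribute query RoleDescriptor or the XACMLAuthzDecisionQueryDescriptor, sp.xml must publish a KeyDescriptor with the matching "use" and a certificate, otherwise the IDP has no key to verify the query signature against or to encrypt to. The "urn:sun:fm:SAML:2.0:entityconfig" namespace and the <Value> child under <Attribute> are assumptions; both XML documents are constructed samples.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
CFG = "urn:sun:fm:SAML:2.0:entityconfig"  # extended-config namespace: an assumption

# Constructed sp.xml: the XACML query role publishes a signing certificate
# (placeholder text), the attribute query RoleDescriptor publishes none.
SAMPLE_SP_XML = f"""<EntityDescriptor xmlns="{MD}" entityID="https://fedlet.example.com/fedlet">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
      xsi:type="query:AttributeQueryDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data><ds:X509Certificate>
      MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </XACMLAuthzDecisionQueryDescriptor>
</EntityDescriptor>"""
# Constructed sp-extended.xml: both roles claim a signing alias (<Value> child is an assumption).
SAMPLE_SP_EXTENDED = f"""<EntityConfig xmlns="{CFG}" entityID="https://fedlet.example.com/fedlet" hosted="true">
  <AttributeQueryConfig>
    <Attribute name="signingCertAlias"><Value>fedletsign</Value></Attribute>
  </AttributeQueryConfig>
  <XACMLAuthzDecisionQueryConfig>
    <Attribute name="signingCertAlias"><Value>fedletsign</Value></Attribute>
    <Attribute name="wantXACMLAuthzDecisionQuerySigned"><Value>true</Value></Attribute>
  </XACMLAuthzDecisionQueryConfig>
</EntityConfig>"""
# Which sp.xml role each config element governs (README sections 7 and 8).
ROLE_FOR_CONFIG = {"AttributeQueryConfig": "RoleDescriptor",
                   "XACMLAuthzDecisionQueryConfig": "XACMLAuthzDecisionQueryDescriptor"}
ALIAS_TO_USE = {"signingCertAlias": "signing", "encryptionCertAlias": "encryption"}


def published_key_uses(role):
    """'use' values of the role's KeyDescriptors that actually carry a certificate."""
    return {kd.get("use") for kd in role.findall(f"{{{MD}}}KeyDescriptor")
            if (kd.findtext(f".//{{{DS}}}X509Certificate") or "").strip()}


def missing_key_descriptors(sp_xml, sp_extended_xml):
    """(config element, use) pairs with an alias configured but no matching cert published."""
    md, cfg = ET.fromstring(sp_xml), ET.fromstring(sp_extended_xml)
    problems = []
    for cfg_name, role_name in ROLE_FOR_CONFIG.items():
        cfg_el, role_el = cfg.find(f"{{{CFG}}}{cfg_name}"), md.find(f"{{{MD}}}{role_name}")
        if cfg_el is None or role_el is None:
            continue  # role not configured or not published: nothing to compare
        published = published_key_uses(role_el)
        for attr in cfg_el.findall(f"{{{CFG}}}Attribute"):
            use = ALIAS_TO_USE.get(attr.get("name"))
            alias = (attr.findtext(f"{{{CFG}}}Value") or "").strip()
            if use and alias and use not in published:  # empty alias: nothing to sign with
                problems.append((cfg_name, use))
    return problems
```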