README.unconfigured revision cee9725efd021d635ce2d0e1712ce1b015ac6887
------------------------------------------------------------------------------
README file for Open Federation Library
------------------------------------------------------------------------------

DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved

The contents of this file are subject to the terms
of the Common Development and Distribution License
(the License). You may not use this file except in
compliance with the License.

You can obtain a copy of the License at
https://opensso.dev.java.net/public/CDDLv1.0.html or
See the License for the specific language governing
permission and limitations under the License.

When distributing Covered Code, include this CDDL
Header Notice in each file and include the License file

If applicable, add the following below the CDDL Header,
with the fields enclosed by brackets [] replaced by
your own identifying information:
"Portions Copyrighted [year] [name of copyright owner]"

Portions Copyright 2012 ForgeRock AS

 %% 1. Contents of this directory
 %% 2. How to configure and test Fedlet
 %% 3. How to embed Fedlet into existing application
 %% 4. How to integrate with existing application after Single Sign-on
 %% 5. How to enable Fedlet to support multiple Identity Providers
 %% 6. How to enable Identity Provider Discovery service in Fedlet
 %% 7. How to perform Fedlet Attribute Query
 %% 8. How to perform Fedlet XACML Query

%% 1. Contents of this directory

 This README file provides information on the Fedlet ZIP file without
 pre-configured IDP and Fedlet (SP) metadata.
 Manual steps (refer to section 2.1) are needed to set up the Fedlet (SP)
 to work with a remote IDP.

 |- fedlet.war    Fedlet WAR file. This is a ready-to-deploy WAR
 |                to show the Fedlet features.
 |- conf          Directory containing the Fedlet metadata template,
 |                COT template and configuration files.
 |- README        This README file. The file shows how to use the
                  conf files to set up the Fedlet configuration.

%% 2. How to configure and test Fedlet

 The fedlet.war contains all necessary bits for Fedlet to act as a
 lightweight SAMLv2 Service Provider. Since this fedlet.war does
 not contain pre-configured metadata and COT information, you need
 to follow section 3 to set up the Fedlet metadata and COT configuration
 before using the fedlet.war for the demo.

 2.1 Steps to configure Fedlet

 a) Extract the Fedlet-unconfigured.zip to a temporary directory.
 b) Go to the "conf" directory, and swap the following tags in sp.xml-template,
    sp-extended.xml-template, idp-extended.xml-template and
    FEDLET_ENTITY_ID : replace with the real entity id (name) for
                       your Fedlet (SP). e.g. "fedletsp".
    FEDLET_PROTOCOL  : replace with the protocol of the web container
    FEDLET_HOST      : replace with the host name of the web container
    FEDLET_PORT      : replace with the port number of the web container
your remote IDP. e.g. "myidp".
note : If Fedlet and/or IDP entity ID contain "%" or ",", you need to
escape them before replacing those in fedlet.cot-template.
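The placeholder substitution of step b), and the escaping caveat in the note above, as an added shell example (this script is not part of the Fedlet distribution). It renders the four FEDLET_* tags the README lists into a copy of a template and refuses a result in which any FEDLET_ tag survived, so a half-edited sp.xml is never handed to the IDP. The template text below is a constructed stand-in for conf/sp.xml-template, and the deployment path in it is made up. The README says "%" and "," must be escaped in fedlet.cot-template but does not show the form; the escape_cot_value function assumes percent-encoding ("%" to "%25", "," to "%2C"), which you should confirm against your own fedlet.cot-template before using it.

```shell
#!/bin/sh
# Added example, not part of the Fedlet distribution: fill in the FEDLET_*
# placeholders of a conf template (README section 2.1, step b) and check
# that none were missed before the file is copied to the Fedlet home.
set -eu

# Escape one COT entry as the README's note requires. ASSUMPTION: the README
# does not show the escape form; percent-encoding is used here ("%" first,
# so that the "%" introduced for "," is not escaped a second time).
escape_cot_value() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/,/%2C/g'
}

# Replace the four FEDLET_* tags listed in the README in template $1 and
# write the result to $2. Values come from the FEDLET_* environment variables.
# "|" is used as the sed delimiter so that "https://host:port" values work.
render_template() {
    sed -e "s|FEDLET_ENTITY_ID|$FEDLET_ENTITY_ID|g" \
        -e "s|FEDLET_PROTOCOL|$FEDLET_PROTOCOL|g" \
        -e "s|FEDLET_HOST|$FEDLET_HOST|g" \
        -e "s|FEDLET_PORT|$FEDLET_PORT|g" "$1" > "$2"
}

# Succeed (exit 0) only if no FEDLET_ placeholder survived in file $1.
no_placeholders_left() {
    ! grep -q 'FEDLET_' "$1"
}

# --- demo with a constructed stand-in for conf/sp.xml-template ---
WORK="$(mktemp -d)"
cat > "$WORK/sp.xml-template" <<'EOF'
<EntityDescriptor entityID="FEDLET_ENTITY_ID">
  <AssertionConsumerService Location="FEDLET_PROTOCOL://FEDLET_HOST:FEDLET_PORT/fedlet/"/>
</EntityDescriptor>
EOF

# Constructed values for the demo; use your own entity id, host and port.
FEDLET_ENTITY_ID="fedletsp"
FEDLET_PROTOCOL="https"
FEDLET_HOST="sp.example.com"
FEDLET_PORT="8443"
export FEDLET_ENTITY_ID FEDLET_PROTOCOL FEDLET_HOST FEDLET_PORT

render_template "$WORK/sp.xml-template" "$WORK/sp.xml"
if no_placeholders_left "$WORK/sp.xml"; then
    echo "sp.xml rendered:"
    cat "$WORK/sp.xml"
else
    echo "unreplaced FEDLET_ tags remain in sp.xml" >&2
fi
echo "COT entry for an id with reserved characters: $(escape_cot_value 'https://idp.example.com,1%')"
rm -rf "$WORK"
```

Run the same render_template call once per template file named in step b); the check in no_placeholders_left is the part worth keeping, since a leftover tag in sp.xml shows up later as an IDP-side metadata error rather than at configuration time.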
"user.home") is the default location for Fedlet to read its metadata,
home directory is "/home/webservd":
% mkdir /home/webservd/fedlet
property "com.sun.identity.fedlet.home" to the desired location.
this will tell Fedlet to read metadata/COT/configuration files from
"/export/fedlet/conf" directory instead.
Also copy FederationConfig.properties under "conf" to the fedlet
"idp.xml" when copied to the fedlet home directory.
f) Give the Fedlet metadata XML file "sp.xml" to your IDP, the metadata
fedlet.war and test your Fedlet setup.
changes to its own configuration. A modified sp.xml file may be sent to
the identity provider but any modifications made to sp-extended.xml should
http://openam.forgerock.org/doc/admin-guide/index.html#configure-idp
After deploying fedlet.war into your web container, try accessing the
<SP_PROTOCOL>://<SP_HOST>:<SP_PORT>/<SP_DEPLOY_URI>/index.jsp
a) Extract the fedlet.war into a temporary directory.
There is a sample Fedlet application, fedletSampleApp.jsp, bundled
including Response/Assertion/Attributes, is returned to caller for further
processing. The fedletSampleApp.jsp also provides some sample code on
You could either modify fedletSampleApp.jsp to add your application
1. Modify web.xml to set servlet and servlet-mapping for your new servlet
or JSP. You must map your new servlet/JSP to the url-pattern
<jsp-file>/Your-Application.jsp</jsp-file>
2. Copy following code from fedletSampleApp.jsp to your
map = SPACSUtils.processResponseForFedlet(request, response);
the XML file as "idp2.xml" and copy it to the Fedlet home directory.
belong. This IDP could be added to an existing COT (e.g. "saml2cot") or
"entityID" attribute in the "idp2.xml" metadata file) to the
-- create a new file named "fedlet2.cot" and put it under the Fedlet
home directory. Use the existing fedlet.cot as a template, but
the new COT (e.g. "cot2"), and include both the new IDP entity ID
-- edit the sp-extended.xml file, add the new COT name to the value
of "cotlist" attribute, e.g.
c) Create a new "idp2-extended.xml" file as the extended metadata for the
new Identity Provider. Use the existing idp-extended.xml as a template
Now accessing the index.jsp again, it will prompt you with a list of IDPs
d) Access the Fedlet index.jsp page, you will be presented with IDP
c) Access the Fedlet index.jsp page again, and choose the
http://openam.forgerock.org/doc/admin-guide/index.html#changing-signing-key
http://openam.forgerock.org/doc/dev-guide/index.html#fedlet-signing-encryption
inside "sp.xml"
<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
b) In the "sp-extended.xml", specify the correct value for
The XML file for IDP standard metadata must be named as "idp.xml"
http://openam.forgerock.org/doc/admin-guide/index.html#changing-signing-key
http://openam.forgerock.org/doc/dev-guide/index.html#fedlet-signing-encryption
inside "sp.xml"
<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
<xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
b) In the "sp-extended.xml", specify the correct value for
The XML file for IDP standard metadata must be named as "idp.xml"
When Fedlet-unconfigured.zip is unzipped, under "java" sub-directory,
Map attrMap = AttributeQueryUtil.getAttributeMapForFedlet(
The XML file for IDP standard metadata must be named as "idp.xml"
http://openam.forgerock.org/doc/admin-guide/index.html#changing-signing-key
http://openam.forgerock.org/doc/dev-guide/index.html#fedlet-signing-encryption
element as shown below inside "sp.xml".
<XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
b) In the "sp-extended.xml", specify the correct value for
a) Enable the following in "sp-extended.xml" inside
http://openam.forgerock.org/doc/dev-guide/index.html#fedlet-signing-encryption
element as shown below inside "sp.xml".
<XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
<xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
c) In the "sp-extended.xml", specify the correct value for
pdpEntityID, NameID) to fedletXACMLResp.jsp
String policy_decision = XACMLQueryUtil.getPolicyDecisionForFedlet(