 Services Consumer sample for Liberty Phase II
 
 1. Introduction
    This explains how to deploy and run the WSC sample to query and modify
    Liberty Discovery Service and ID-SIS Personal Profile Service.
     
    There are five parties involved in this sample:

      1. Liberty Service Provider (SP)
      2. Liberty Identity Provider (IDP)
      3. Web Service Consumer (WSC)
      4. Liberty Discovery Service (DS)
      5. Liberty ID-SIS Personal Profile Service (ID-SIS-PP)
     
    Here is the general flow of the sample:

      1. Complete the Liberty Single-Sign-On process and obtain the Discovery
         Service bootstrapping Resource Offering.
      2. Register the user's Resource Offering at the ID-SIS-PP instance using
         Discovery Service Modification.
      3. Send a Discovery Service Lookup request; the discovery service returns
         a discovery lookup response to the WSC which contains the resource
         offering for the user's ID-SIS-PP instance.
      4. Send a Data Service Query to the ID-SIS-PP instance to retrieve user
         attributes.
      5. Send a Data Service Modification to the ID-SIS-PP instance to modify
         user attributes.
     
    There are five JSPs provided in this sample:

      index.jsp            : Retrieve the bootstrapping resource offering for
                             the discovery service.
      discovery-modify.jsp : Add a Resource Offering for a user.
      discovery-query.jsp  : Send a query to the discovery service for a
                             service resource offering.
      id-sis-pp-modify.jsp : Send a Data Service Modify request to modify
                             user attributes.
      id-sis-pp-query.jsp  : Send a Data Service Query request to retrieve
                             user attributes.
     
 
 2. Deploy the Sample
    Two machines are required for this sample:

      1. SP & WSC are deployed on machine1, whose host name is "www.sp1.com".
      2. IDP, DS & ID-SIS-PP are deployed on machine2, whose host name is
         "www.idp1.com".
     
    
 
    Note:

      <BEGIN_DIR> refers to the Access Manager installation directory:

        Solaris Sparc/x86: BEGIN_DIR = <install_dir>/SUNWam
        Linux            : BEGIN_DIR = <install_dir>/sun/identity

      <CONFIG_DIR> refers to the Access Manager configuration directory:

        Solaris Sparc/x86: CONFIG_DIR = /etc/opt/SUNWam/config
        Linux            : CONFIG_DIR = /etc/opt/sun/identity/config
    
 A. Deploy on Machine 1

      1. Deploy the Liberty sample1 SP, following the instructions in
         <BEGIN_DIR>/samples/liberty/sample1/sp1.
      2. Change the protocol support of the remote IDP to ID-FF 1.2. Log in to
         the Access Manager Administration Console as top level administrator:

           - Select the "Federation" tab.
           - Select the "Entities" sub tab.
           - Click on the Remote Identity Provider Entity ID, e.g. www.idp1.com.
           - Select "Identity Provider" from the drop down View menu.
           - Edit the "Protocol Support Enum" attribute to set its value to
             "urn:liberty:iff:2003-08".
           - Set the "Cache Duration" attribute value; e.g. to set the value
             to 60 seconds enter PT60S.
           - Select Save to save the changes made in the Provider page.

      3. Replace tags and hosts in discovery-modify.jsp and index.jsp:

           - replace IDP_SERVER_PORT with the server port of the IDP machine.
           - replace SERVICE_DEPLOY_URI with the service deployment URI of the
             IDP machine.
           - replace www.sp1.com with the host name of the SP machine if needed.
           - replace www.idp1.com with the host name of the IDP machine if
             needed.
           - replace the userDN value with the DN of the IDP user whose
             personal profile resource offering is to be created.

      4. Deploy the JSPs. Copy all five JSPs to a sub directory of the document
         root of the web container. In the case of Sun Java System Web Server
         6.1, run the following commands:

           mkdir <WEB_SERVER_INSTALL_DIR>/docs/wsc
           cp <BEGIN_DIR>/samples/phase2/wsc/*.jsp <WEB_SERVER_INSTALL_DIR>/docs/wsc/

      5. Log in to the Access Manager admin console and create a user called
         "spUser". This user will be used as the federated user on the SP side.
     
    
 B. Deploy on Machine 2

      1. Deploy the Liberty sample1 IDP, following the instructions in
         <BEGIN_DIR>/samples/liberty/sample1/idp1.
      2. Create a user called "idpUser". This user will be used as the
         federated user on the IDP side, and also as the storage of the
         Discovery Service resource offering and Personal Profile Service
         attributes. You must select "Liberty Personal Profile Service" in the
         Available Services when creating idpUser (otherwise the PP modify
         will fail).
     
 
 3. Run the Sample

 Basic Flow
    Here are the steps to run the sample:

      1. Federate the users "spUser" and "idpUser" following Liberty sample1,
         and log out.
      2. Single-sign-on again from SP to IDP using "idpUser".
      3. Using your browser, connect to
         "http://<machine1>:<server_port>/wsc/index.jsp". You will see the
         bootstrapping resource offering for the Discovery Service, and also
         two buttons, one for "Send Discovery Lookup" and one for "Add PP
         Resource Offering".
      4. Click "Add PP Resource Offering"; this leads to the
         discovery-modify.jsp page, where the PP resource offering has been
         computed based on the bootstrapping Discovery Service Resource
         Offering.
      5. Click "Send Discovery Update Request"; the user's Personal Profile
         resource offering will be registered in "idpUser" on machine2.
      6. Click the "Return to index.jsp" link; this brings you back to the
         index.jsp page with the bootstrapping resource offering.
      7. Click the "Send Discovery Lookup" button; this leads to the
         discovery-query.jsp page. Fill in the "ServiceType to look for" field
         if needed. Click "Send Discovery Lookup Request"; the PP resource
         offering added in step 4 will be displayed.
      8. There are two options in this page:

           a. Click "Send PP Query" to go to the id-sis-pp-query.jsp page,
              which queries the Personal Profile Service on machine 2 for user
              attributes. Pick "urn:liberty:security:2003-08:null:null" in the
              Authentication Mechanism field. You can change the "XPath
              Expression" field (default /PP/CommonName) to a different XPath
              expression for attribute selection.

           b. Click "Send PP Modify" to go to the id-sis-pp-modify.jsp page,
              which sends a Modify request to the Personal Profile Service on
              machine 2 to modify the user's personal profile attributes. Pick
              "urn:liberty:security:2003-08:null:null" in the Authentication
              Mechanism field. You can modify the "XPath Expression" field
              (default /PP/CommonName/AnalyzedName/FN) for attribute selection,
              and the "Value" field for the new value of the attribute.

    You can repeat the above process for the discovery/id-sis-pp query and
    modify cases.
     
    
 User Interaction with Personal Profile Service

      1. Log in to the administration console of Machine 2 (IDP) as top level
         administrator.

         * Create a policy for the Personal Profile service to require user
           interaction for Query and/or Modify:

             - Select the Access Control tab.
             - Click on the realm to which the policy is to be added.
             - Select the "Policies" sub tab.
             - Click on "New Policy" to create a policy. This will display the
               "Add Policy" page.
             - Enter the policy name in the "Name" field.
             - Click on "New" under the Rules section on the same page to add
               a new rule.
             - In the "Add Rule" page select the choice value
               "Liberty Personal Profile Service (with resource name)".
             - Click on "Next" to go to Step 2 of Adding New Rule.
             - Enter the rule name in the "Name" field.
             - Enter "*" for Resource Name.
             - Select the MODIFY and/or QUERY action check boxes; their values
               can be either "Interact for Consent" or "Interact for Value",
               selected from the drop down menu for these actions.
             - Select "Finish" to save the rule and return to the "Add Policy"
               page.
             - Select New in the "Subjects" section to add subjects for the
               policy. This will display the Add Subjects page.
             - Select the choice value "Authenticated Users".
             - Select Next to continue.
             - Enter a value for the "Name" field and select Finish.

         * Enable policy evaluation for Personal Profile Service Query and/or
           Modify. In the Access Manager Administration Console:

             - Select the "Web Services" tab.
             - Select the "Personal Profile Service" sub tab.
             - Click on the "Enable" check box for the attribute "Require Query
               Policy Eval" and/or "Require Modify Policy Eval".
             - Select "Save" to save the changes.

      2. Follow the same steps as in the Basic Flow section to run the sample.
         In Step 8, after clicking "Send PP Query" or "Send PP Modify", you
         will be asked for consent or an attribute value for the operation
         being performed. Make the choice or enter the value to complete the
         flow. You may change the policy defined in step 1 to see different
         behavior for user interaction.
     
    
 X.509 Message Authentication

      1. Follow the instructions in the SAML xmlsig sample to set up the JKS
         signing key store (the instructions can be found at
         <BEGIN_DIR>/samples/saml/xmlsig) on both machines. Edit
         <CONFIG_DIR>/AMConfig.properties to reflect the key store, password
         and cert alias. The properties to edit are:

           com.sun.identity.saml.xmlsig.keystore
           com.sun.identity.saml.xmlsig.storepass
           com.sun.identity.saml.xmlsig.keypass
           com.sun.identity.saml.xmlsig.certalias

      2. On both machine 1 (SP) and machine 2 (IDP), edit
         <CONFIG_DIR>/AMConfig.properties and set the
         "com.sun.identity.liberty.ws.wsc.certalias" property to the alias of
         the signing certificate.
      3. To test X.509 Message Authentication in the discovery service, log in
         to the Access Manager administration console as top level
         administrator:

           - Select the "Web Services" tab.
           - Select the "Discovery Service" sub tab.
           - Click on Service Type "urn:liberty:disco:2003-08" in the
             "Resource Offerings for Bootstrapping Resources" section.
           - In the Service Description section, select Edit to change the
             Security Mechanism ID.
           - Select Remove to remove the Security Mechanism ID
             "urn:liberty:security:2003-08:null:null".
           - Select Security Mechanism ID
             "urn:liberty:security:2003-08:null:X509" and click on Add to add
             it as the Security Mechanism.

         Follow the steps in the Basic Flow section to run the sample.
      4. To test X.509 Message Authentication in the Personal Profile Service,
         follow the steps in the Basic Flow section, choosing
         "urn:liberty:security:2003-08:null:X509" as the Authentication
         Mechanism when performing the PP query or modify.
      5. To test SSL (urn:liberty:security:2003-08:TLS:X509), you must import
         the CA for the web server certificate of machine 2 (IDP) into the web
         server certificate database of machine 1 (SP).
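    The Security Mechanism IDs configured above are advertised to the WSC in the
    Service Description of the resource offering, and the WSC must pick one before
    it can send a query or modify. The following Python is an added example, not
    code from the Access Manager sample: it parses a constructed resource offering
    (the element layout is assumed to follow the Liberty ID-WSF discovery schema,
    urn:liberty:disco:2003-08; host, port and endpoint path are made up) and chooses
    the strongest mechanism both sides support, refusing the unauthenticated
    null:null mechanism when signing is required.

```python
import xml.etree.ElementTree as ET

DISCO_NS = {"disco": "urn:liberty:disco:2003-08"}

# Security mechanism IDs used in the sample, strongest first.
SEC_MECH_PREFERENCE = [
    "urn:liberty:security:2003-08:TLS:X509",   # SSL plus X.509 message authentication
    "urn:liberty:security:2003-08:null:X509",  # X.509 message authentication, plain HTTP
    "urn:liberty:security:2003-08:null:null",  # no message authentication at all
]

# Constructed resource offering for a PP instance (hypothetical host, port, path).
SAMPLE_OFFERING = """<ResourceOffering xmlns="urn:liberty:disco:2003-08">
  <ResourceID>https://www.idp1.com/resources/idpUser-pp</ResourceID>
  <ServiceInstance>
    <ServiceType>urn:liberty:id-sis-pp:2003-08</ServiceType>
    <ProviderID>http://www.idp1.com:8080/wsp</ProviderID>
    <Description>
      <SecurityMechID>urn:liberty:security:2003-08:null:null</SecurityMechID>
      <Endpoint>http://www.idp1.com:8080/wsp/pp</Endpoint>
    </Description>
    <Description>
      <SecurityMechID>urn:liberty:security:2003-08:null:X509</SecurityMechID>
      <Endpoint>http://www.idp1.com:8080/wsp/pp</Endpoint>
    </Description>
  </ServiceInstance>
</ResourceOffering>"""

def offered_mechanisms(offering_xml):
    """Map each SecurityMechID advertised in the offering to its Endpoint."""
    root = ET.fromstring(offering_xml)
    offered = {}
    for desc in root.findall(".//disco:Description", DISCO_NS):
        mech = desc.findtext("disco:SecurityMechID", namespaces=DISCO_NS)
        endpoint = desc.findtext("disco:Endpoint", namespaces=DISCO_NS)
        if mech and endpoint:
            offered[mech] = endpoint
    return offered

def choose_mechanism(offering_xml, wsc_supported, require_signing=True):
    """Return (mechanism, endpoint) for the strongest mechanism both sides support,
    or None. With require_signing, null:null is never chosen, even if it is the only one offered."""
    offered = offered_mechanisms(offering_xml)
    for mech in SEC_MECH_PREFERENCE:
        if require_signing and mech.endswith(":null:null"):
            continue  # unsigned requests give the WSP no proof of who is asking
        if mech in offered and mech in wsc_supported:
            return mech, offered[mech]
    return None
```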