    Liberty Sample Page
 Liberty Samples
 
 1. Introduction
    This sample includes a Service Provider and an Identity Provider. The
    Service Provider's resources are deployed on a web container and protected
    by a policy web agent. Apart from highlighting the different Liberty
    protocols such as Account Federation, Single Sign On, Single Logout and
    Federation Termination, this sample also demonstrates the configuration of
    different authentication levels for different resources.

    SP1 is the Service Provider and IDP1 is the Identity Provider.

    This sample assumes that:
    a. Sun Java System Web Server 6.1 is installed on machine1.
       Sun Java System Access Manager Policy Agent 2.0 protects this server.
       SP1 is deployed on this server. This installation can be on any of the
       following Access Manager machines as well, but here it is assumed to be
       on a different machine for better understanding.
    b. The Access Manager used by the web agent is installed on machine2.
    c. IDP1 is deployed on an Access Manager installed on machine3.

    For Solaris SPARC/x86:
        <BEGIN_DIR> = <INSTALL_DIR>/SUNWam
        <CONFIG_DIR> = /etc/opt/SUNWam/config
    For Linux:
        <BEGIN_DIR> = <INSTALL_DIR>/identity
        <CONFIG_DIR> = /etc/opt/sun/identity/config

    <BEGIN_DIR>/samples/liberty/sample2/sp1/ will be referred to as <sp1_sample_dir>.
    <BEGIN_DIR>/samples/liberty/sample2/idp1/ will be referred to as <idp1_sample_dir>.
 
 2. Instructions
    
 A. Deploy and Configure SP1 (on machine1):

    Replace the following tags in AMClient.properties (available in
    <sp1_sample_dir>/WEB-INF/classes):
        SERVER_PROTO - protocol (https/http)
        SERVER_HOST - fully qualified hostname for your Access Manager setup,
        eg: www.sp1.com
        SERVER_PORT - port number where Access Manager is running
        SERVICE_DEPLOY_URI - Access Manager services' deployment URI
        (by default amserver)
        META_ALIAS - metaAlias for SP1 (in the given sp1Metadata.xml it is
        entered as www.sp1.com)

    Create the war file for SP1 (from inside the sample directory):
        cd <sp1_sample_dir>
        jar -cvf sp1.war *

    Make sure that the server_root/bin/HTTPS/HTTPsadmin/bin directory is in
    your PATH and that the IWS_SERVER_HOME environment variable is set to
    your server_root directory. Enter the following command:

        wdeploy deploy -u uri_path -i instance -v vs_id [-d directory] war_file

    where:
        uri_path is the URI prefix for the web application.
        instance is the server instance name.
        vs_id is the virtual server ID.
        directory is the directory to which the application is deployed, or
        from which the application is deleted. If not specified for deployment,
        the application is deployed to the document root directory.
        war_file is the WAR file name.

    Change the AMAgent.properties entry com.sun.am.policy.am.library.loginURL
    to point to the login URL of the Access Manager installed on machine2.
    For example:

        com.sun.am.policy.am.library.loginURL=http://www.sp1.com:58080/amserver/UI/Login

    Add http://www.agentHost.com:80/sp1/index.html to the
    com.sun.am.policy.agents.notenforcedList property of the AMAgent.properties
    file. If there is no such entry in AMAgent.properties, add the following:

        com.sun.am.policy.agents.notenforcedList=http://www.agentHost.com:80/sp1/index.html

    Assumption: the hostname of the web server protected by the web agent is
    www.agentHost.com and it is running on port 80.

    Restart the Web Server.
     
    
 B. Upload the policy xml file on machine2:

    Update sp1Policy.xml (available in <sp1_sample_dir>).
    The following assumptions are made in sp1Policy.xml:
    a. SP1 Access Manager's root suffix is "dc=sp1,dc=com" (attribute "DN"
       for element "OrganizationRequests" and attribute "createDN" for
       element "CreatePolicy").
    b. Host name for the web server protected by the web agent is
       www.agentHost.com and it is running on port 80.
    Update the above values in sp1Policy.xml as per your deployment.

    Load sp1Policy.xml using the following command:
        <BEGIN_DIR>/bin/amadmin -u amadmin -w password -t sp1Policy.xml

    Loading this XML creates two policies, for all the users belonging to
    the organization dc=sp1,dc=com, corresponding to two different
    authentication levels.
    
 C. Upload the Metadata on machine2 for SP1:

    Update sp1MetaData.xml (available in <sp1_sample_dir>).
    The following assumptions are made in sp1MetaData.xml:
    a. Access Manager is running in HTTP mode.
    b. Hostname for SP1 is www.sp1.com
    c. Hostname for IDP1 is www.idp1.com
    d. Access Manager is running on port 58080
    e. Access Manager services are deployed under URI: amserver
    f. SP1 Access Manager's root suffix is "dc=sp1,dc=com" (attribute "DN"
       for element "OrganizationRequests")
    g. SP1 Certificate Alias is SP1_SECURITY_KEY
    h. IDP1 Certificate Alias is IDP1_SECURITY_KEY
    i. SP1 metaAlias is www.sp1.com
    j. IDP1 metaAlias is www.idp1.com
    k. SP1's homepage is http://www.agentHost.com:80/sp1/homepage.jsp
    Update the above values in sp1MetaData.xml as per your deployment.

    Load sp1MetaData.xml using the following command:
        <BEGIN_DIR>/bin/amadmin -u amadmin -w password -t sp1MetaData.xml
    
 D. Upload the Metadata on machine3 for IDP1:

    Update idp1Metadata.xml (available in <idp1_sample_dir>).
    The following assumptions are made in idp1Metadata.xml:
    a. Access Manager is running in HTTP mode.
    b. Hostname for SP1 is www.sp1.com
    c. Hostname for IDP1 is www.idp1.com
    d. Access Manager is running on port 58080
    e. Access Manager services are deployed under URI: amserver
    f. IDP1 Access Manager's root suffix is "dc=idp1,dc=com" (attribute "DN"
       for element "OrganizationRequests")
    g. SP1 Certificate Alias is SP1_SECURITY_KEY
    h. IDP1 Certificate Alias is IDP1_SECURITY_KEY
    i. SP1 metaAlias is www.sp1.com
    j. IDP1 metaAlias is www.idp1.com
    Update the above values in idp1Metadata.xml as per your deployment.

    Load idp1Metadata.xml using the following command:
        <BEGIN_DIR>/bin/amadmin -u amadmin -w password -t idp1Metadata.xml
    
 E. Deploy and Configure IDP1 (on machine3):

    Replace the following tags in AMClient.properties (available in
    <idp1_sample_dir>/WEB-INF/classes):
        SERVER_PROTO - protocol (https/http)
        SERVER_HOST - fully qualified hostname for your Access Manager setup,
        eg: www.idp1.com
        SERVER_PORT - port number where Access Manager is running
        SERVICE_DEPLOY_URI - Access Manager services' deployment URI
        (by default amserver)
        META_ALIAS - metaAlias for IDP1 (in the given idp1Metadata.xml it is
        entered as www.idp1.com)

    Create the war file for IDP1 (from inside the sample directory):
        cd <idp1_sample_dir>
        jar -cvf idp1.war *

    Make sure that the server_root/bin/HTTPS/HTTPsadmin/bin directory is in
    your PATH and that the IWS_SERVER_HOME environment variable is set to
    your server_root directory. Enter the following command:

        wdeploy deploy -u uri_path -i instance -v vs_id [-d directory] war_file

    where:
        uri_path is the URI prefix for the web application.
        instance is the server instance name.
        vs_id is the virtual server ID.
        directory is the directory to which the application is deployed, or
        from which the application is deleted. If not specified for deployment,
        the application is deployed to the document root directory.
        war_file is the WAR file name.

    Restart the web server.
     
    
 F. Federate user account at SP1 with an account at IDP1

    Access the following URL in a web browser:

        SERVER_PROTO://SERVER_HOST:SERVER_PORT/sp1/index.html

    For example http://www.agentHost.com:80/sp1/index.html

    Note: Here index.html is not a protected page. Hence it will not prompt
    for authentication.

    Now, click on the Organization Home Page link in index.html and you will
    be prompted for authentication. The agent checks for a valid user session
    and, if the session is invalid, redirects to the preLogin service running
    at the Access Manager used by this agent. The preLogin service will
    redirect to the common login page. Click on "Local Login"; it will
    redirect to SP1's Login page. After successful authentication at SP1, it
    will redirect to homepage.jsp.

    This Organization Home Page (homepage.jsp) has the following three links:
    a. Federate : will initiate the federation process.
    b. Logout : will initiate the single logout process.
    c. Terminate Federation : will initiate the federation termination
       process.

    When you choose Federate, you will be taken to the Federate page where
    you can select your preferred Identity Provider to federate with. Select
    IDP1 as your preferred Identity Provider. Now you will be taken to the
    IDP1 login page. Provide authentication credentials for your IDP1
    account. If the authentication is successful, you will get "Federation
    Done". At this point you have successfully federated your account
    between SP1 and IDP1.

    Note: When the account is already federated, you will be redirected to
    the IDP Login page first.
    
 G. Single Sign On:

    After successful federation, start a new browser session and try to
    access the SP1 protected page (homepage.jsp). For this, access the
    following URL in a web browser:

        SERVER_PROTO://SERVER_HOST:SERVER_PORT/sp1/homepage.jsp

    For example http://www.agentHost.com:80/sp1/homepage.jsp

    Now you will be taken to the IDP1 login page. Provide authentication
    credentials for your IDP1 account. If authentication is successful you
    will be taken directly to the initially accessed SP1 protected page
    without being asked for SP1 authentication credentials.
    
 H. Single Logout:

    On SP1's protected page (homepage.jsp) click on the "Logout" link. You
    will be logged out from both SP1 and IDP1 and then shown the
    "LogoutDone" page.

    Alternatively, you can start the logout process from the IDP protected
    page (index.jsp) too, accomplishing the same result.
    
 I. Federation Termination:

    On the SP1 protected page (homepage.jsp) click on the "Terminate
    Federation" link. You will be taken to the termination page. Here you
    can select a provider to defederate with. Select IDP1 for federation
    termination. On successful defederation you will be taken to the
    TerminationDone page.

    Alternatively, you can initiate federation termination from the IDP
    side too.
    
 J. Configuring Third Level Domain:

    This sample application does not require the use of a third level
    domain. If you want to configure a third level domain:

    a. Access the Access Manager Administration Console.
    b. Select the Federation tab.
    c. Select the Authentication Domain sub tab.
    d. Click on the sample1Alliance link to edit the Authentication Domain
       Profile.
    e. Enter the Reader Service URL and Writer Service URL as per your common
       domain services installation. For example, if common domain services
       are installed on machine3 with hostname www.machine3.com, for the
       default installation:
           Writer Service URL: http://www.machine3.com:80/amcommon/writer
           Reader Service URL: http://www.machine3.com:80/amcommon/transfer

    This completes the third level domain setup.
     
    
 K. Demonstrating different authentication levels:

    For Unix authentication to succeed, create a Unix account with user id
    (unixID) and password (abcde12) on the IDP side.

    Assuming that your account sp1Acct on SP is federated with the account
    idp1Acct on IDP, add unixID to the user alias list attribute in the user
    profile of idp1Acct using the Access Manager Console:
        Identity Management -> Users -> idp1Acct -> user alias list

    Now access homepage.jsp. You will be prompted for authentication. Given
    that the account is already federated with idp1Acct, log in with the
    idp1Acct credentials and you will be taken to homepage.jsp.

    Try accessing the Financials Page link in homepage.jsp. You will be
    prompted for Unix authentication, which is configured to be a higher
    level of authentication. Log in with the Unix user id (unixID) and
    password (abcde12) and you will be taken to the Financials page.
    
 NOTE:

    In case the Web Server is the same as the one used by Access Manager,
    deploy SP1 under <BEGIN_DIR>/web-apps and include the URI mapping in
    web-apps.xml (available in <BEGIN_DIR>/servers/https-<HOST_NAME>/config/).

    In case the Web Server is on the same machine as the Access Manager, the
    following should be appended to the
    com.sun.am.policy.agents.notenforcedList property of the
    AMAgent.properties file:
        http://www.sp1.com:58080/amserver/config/federation*
        http://www.sp1.com:58080/amserver/IntersiteTransferService*
        http://www.sp1.com:58080/amserver/AssertionConsumerService*
        http://www.sp1.com:58080/amserver/preLogin*
        http://www.sp1.com:58080/amserver/postLogin*
        http://www.sp1.com:58080/amserver/SOAPReceiver*
        http://www.sp1.com:58080/amserver/ReturnTermination*
        http://www.sp1.com:58080/amserver/ProcessLogout*
        http://www.sp1.com:58080/amserver/ReturnLogout*
        http://www.sp1.com:58080/amserver/liberty-logout*
        http://www.sp1.com:58080/amserver/consentHandler*
        http://www.sp1.com:58080/amserver/SingleSignOnService*
        http://www.sp1.com:58080/amserver/federation-terminate*
        http://www.sp1.com:58080/amserver/ProcessTermination*

    In case SP and IDP are installed in the same domain, change the cookie
    name on the IDP side by doing the following: change the
    com.iplanet.am.cookie.domain entry in <CONFIG_DIR>/AMConfig.properties
    to anything other than iPlanetDirectoryPro. For example:
        com.iplanet.am.cookie.domain=iPlanetPro
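    As an added example (not part of the Access Manager sample) covering the
    AMClient.properties and AMAgent.properties edits of step A together with
    the extra not-enforced entries in this NOTE: a small Python helper that
    substitutes the step A tags, reports any tag it could not find, sets the
    login URL and appends to notenforcedList without creating duplicates. It
    assumes notenforcedList entries are space separated, and the file contents
    below are constructed stand-ins with invented key names.

```python
import re
LOGIN_URL_KEY = "com.sun.am.policy.am.library.loginURL"
NOT_ENFORCED_KEY = "com.sun.am.policy.agents.notenforcedList"
# Step A tags with the example values the sample gives for them.
TAG_VALUES = {"SERVER_PROTO": "http", "SERVER_HOST": "www.sp1.com",
              "SERVER_PORT": "58080", "SERVICE_DEPLOY_URI": "amserver",
              "META_ALIAS": "www.sp1.com"}
# Constructed stand-ins (AMCLIENT_SAMPLE key names are invented; tags mirror step A).
AMCLIENT_SAMPLE = "naming.url=SERVER_PROTO://SERVER_HOST:SERVER_PORT/SERVICE_DEPLOY_URI\nsp.metaAlias=META_ALIAS\n"
AMAGENT_SAMPLE = LOGIN_URL_KEY + "=http://www.agentHost.com:80/amserver/UI/Login\n"
SP1_INDEX = "http://www.agentHost.com:80/sp1/index.html"
# Entries the closing NOTE adds when the web server shares the AM machine.
SAME_MACHINE = ["http://www.sp1.com:58080/amserver/%s*" % s for s in (
    "config/federation", "IntersiteTransferService", "AssertionConsumerService",
    "preLogin", "postLogin", "SOAPReceiver", "ReturnTermination",
    "ProcessLogout", "ReturnLogout", "liberty-logout", "consentHandler",
    "SingleSignOnService", "federation-terminate", "ProcessTermination")]

def replace_tags(text, values=TAG_VALUES):
    """Replace whole-word tags and report tags never found (a missed placeholder)."""
    missing = []
    for tag, value in values.items():
        text, n = re.subn(r"\b%s\b" % re.escape(tag), value, text)
        if n == 0:
            missing.append(tag)
    return text, missing

def get_property(text, key):
    m = re.search(r"^[ \t]*%s[ \t]*[=:][ \t]*(.*)$" % re.escape(key), text, re.M)
    return m.group(1).strip() if m else None

def set_property(text, key, value):
    """Replace an existing key line or append one (Java properties syntax)."""
    line = "%s=%s" % (key, value)
    pat = re.compile(r"^[ \t]*%s[ \t]*[=:].*$" % re.escape(key), re.M)
    if pat.search(text):
        return pat.sub(lambda _m: line, text, count=1)
    return text + ("\n" if text and not text.endswith("\n") else "") + line + "\n"

def add_not_enforced(text, urls):
    """Idempotent append to notenforcedList; assumes space-separated entries."""
    current = (get_property(text, NOT_ENFORCED_KEY) or "").split()
    for url in urls:
        if url not in current:
            current.append(url)
    return set_property(text, NOT_ENFORCED_KEY, " ".join(current))

def configure_agent(text, same_machine=False):
    text = set_property(text, LOGIN_URL_KEY, "http://www.sp1.com:58080/amserver/UI/Login")
    return add_not_enforced(text, [SP1_INDEX] + (SAME_MACHINE if same_machine else []))
```

    Running configure_agent twice on the same text leaves the not-enforced
    list unchanged, so the helper is safe to re-run after editing AMAgent.properties by hand.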