Installing Open Federation (openfm) and configuring SAML 2.0 entities

This text was originally written January 22nd 2007, but was heavily revised and republished April 25th 2007.

This guide takes you through my first test installation of openfm, the open source Federation Manager from Sun, released under the OpenSSO project. I will start by installing the prerequisites. Then

Prerequisites

My test computer was a Powerbook G4 running Mac OS 10.4.8.

Download and install Tomcat 6.

Installing openfm

Then download the latest nightly build from the OpenSSO / Open Federation download page: you need the openfm.war file and fmadm.zip.

Put the war file in the Tomcat webapps folder.

Configuring openfm

Go to http://localhost:8080/openfm and you will see a configuration web page.

Here is sample data for this installation. Use sensible input, and store all the values for later use.

sample input config

After you fill in the data and hit the configure button you are redirected to the login screen. Here you can log in to openfm's configuration console as the amadmin user with the password you supplied in the configuration above.

Installing the fmadm tool

fmadm is a command line tool that loads metadata into an installed Open Federation instance.

Unzip the fmadm.zip that you downloaded earlier from the OpenSSO download page:

$ cd

$ wget http://download.java.net/general/opensso/nightly/openfm/20070421/fmadm.zip

$ mkdir /usr/local/fmadm

$ cd /usr/local/fmadm

$ mv ~/fmadm.zip .

$ unzip fmadm.zip

The two property files, AMConfig.properties and FederationConfig.properties, need to be copied or linked from the config directory into the classes directory of the fmadm installation, so that fmadm talks to the same openfm instance you just configured:

$ cd /usr/local/fmadm/classes

$ ln -s /etc/openfm/AMConfig.properties

$ mv FederationConfig.properties FederationConfig.properties.template

$ ln -s /etc/openfm/FederationConfig.properties

Make the fmadm script executable if it is not already:

$ cd /usr/local/fmadm

$ chmod a+x fmadm

Run ./fmadm list-entities -u amadmin -w *PASSWORD* to verify that the script is working. On a fresh installation the command should output the text: "There are no entities."

Configuring SAML 2.0 Meta Data

Generate metadata templates for the hosted service provider (the entity ID edugain.feide.no and the meta alias sp_meta_alias are the values used throughout this example):

./fmadm create-metadata-template --entityid edugain.feide.no -u amadmin -w *PASSWORD* -m edugain.feide.no-spMeta.xml -x edugain.feide.no-spExtended.xml -s sp_meta_alias

Output will be something like:

Hosted entity configuration for realm, / was written to file, edugain.feide.no-spExtended.xml.

Hosted entity descriptor for realm, / was written to file, edugain.feide.no-spMeta.xml.

Now create a circle of trust named feidecot:

./fmadm create-circle-of-trust -t feidecot -u amadmin -w *PASSWORD*

We want to edit the SP extended file (in my example edugain.feide.no-spExtended.xml) to apply two small changes: configure the transientUser attribute and the spAttributeMapper. Below is my example after these two changes are applied.

[SP extended configuration edugain.feide.no-spExtended.xml: the XML element markup was lost in extraction; only the attribute values survived, in document order:]

false
false
anonymous
com.sun.identity.saml2.plugins.DefaultSPAccountMapper
no.feide.saml2.FeideSPAttributeMapper
com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper
PasswordProtectedTransport|0|default
exact
300

Load the SP metadata (both the standard and the extended file) into the circle of trust:

./fmadm import-entity -u amadmin -w *PASSWORD* -m edugain.feide.no-spMeta.xml -x edugain.feide.no-spExtended.xml -t feidecot

If you want to modify it later, you can redo the command above after removing the entity:

./fmadm delete-entity --entity edugain.feide.no -u amadmin -w *PASSWORD*

You also need the metadata document for the Feide IdP, sam.feide.no-IdP.xml, which you can download here.

When you have this document, load it into OpenSSO with the fmadm command:

./fmadm import-entity -u amadmin -w *PASSWORD* -m sam.feide.no-IdP.xml -t feidecot

If you want to modify it later, you can redo the command above after removing the entity:

./fmadm delete-entity --entity sam.feide.no -u amadmin -w *PASSWORD*

Verify that both entities are members of the circle of trust:

./fmadm list-circle-of-trust-members -t feidecot -u amadmin -w *PASSWORD*

In my example the following was output:

List of trusted entities (entity IDs) in the circle of trust, feidecot:

edugain.feide.no

sam.feide.no

Send the SP metadata files to Feide. Before your service provider will be functional, Feide needs to load this SP metadata into the Feide IdP.
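Before importing the generated SP metadata or sending it to Feide, it is worth checking that it advertises what the login URLs later rely on (the expected entityID, the transient NameID format, and both the HTTP-POST and HTTP-Artifact consumer bindings). The checker below is an added example, not code from the original post or from OpenSSO/Feide; it uses only standard SAML 2.0 metadata elements, and the SP document embedded in it is a constructed sample (the ACS Location path is an assumption, not an OpenFM-generated value).

```python
"""Sanity-check generated SAML 2.0 SP metadata before importing or sending it.

Added example, not code from the original post or from OpenSSO/Feide. It assumes
standard SAML 2.0 metadata elements; the SP document below is a constructed sample
(the ACS Location path is an assumption, not an OpenFM-generated value).
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample standing in for edugain.feide.no-spMeta.xml.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="edugain.feide.no">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>{TRANSIENT}</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true" Binding="{BINDINGS}HTTP-Artifact"
        Location="http://edugain.feide.no:8080/openfm/Consumer/metaAlias/sp_meta_alias"/>
    <AssertionConsumerService index="1" Binding="{BINDINGS}HTTP-POST"
        Location="http://edugain.feide.no:8080/openfm/Consumer/metaAlias/sp_meta_alias"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_entity_id, bindings=("HTTP-POST", "HTTP-Artifact")):
    """Return a list of problems found; an empty list means the metadata passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, not a SAML EntityDescriptor"]
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        problems.append(f"entityID is {entity_id!r}, expected {expected_entity_id!r}")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return problems + ["no SPSSODescriptor: this is not SP metadata"]
    formats = [e.text.strip() for e in sp.findall(f"{{{MD}}}NameIDFormat") if e.text]
    if TRANSIENT not in formats:
        problems.append("transient NameIDFormat not advertised, but the login URLs request it")
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    offered = {a.get("Binding", "").replace(BINDINGS, "") for a in acs}
    for b in bindings:
        if b not in offered:
            problems.append(f"no AssertionConsumerService for binding {b}")
    for a in acs:  # plain http is fine on a test box, but flag it before it reaches production
        loc = a.get("Location", "")
        if not loc.startswith("https://"):
            problems.append(f"ACS Location {loc} is not https (acceptable only for a test box)")
    return problems
```

Run check_sp_metadata on the file written by create-metadata-template with the entity ID you passed as --entityid; on the test box above it reports only the two plain-http consumer URLs.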

Enabling message-level debug logging

Edit /etc/openfm/AMConfig.properties and modify the following line:

com.iplanet.services.debug.level=message

Set it to message; by default it is set to error. In a production environment, set it back to warning or error, since message-level logging writes the full SAML exchange to the debug files.

Adding Feide plugins

Feide provides one plugin for OpenSSO that handles Feide attributes [FeideSPAttributeMapper], and one Java library that makes it easy for the service provider to access the attributes of the current session from OpenSSO [FeideSPutils].

To get both the attribute mapper and the attribute library, download Feide-OpenSSO.zip. Unzipping it gives you the compiled Java class files you need. These files must be placed on the OpenSSO classpath in the right way, so that the SAML2 library is loaded before these class files. One way that is tested and works is to put the no folder (the top of the package hierarchy) into tomcat-dir/webapps/openfm/WEB-INF/classes/ on your server.

Now restart Apache Tomcat.

Testing your installation

Login URLs:

  • http://edugain.feide.no:8080/openfm/saml2/jsp/spSSOInit.jsp?metaAlias=/sp_meta_alias&idpEntityID=sam.feide.no&NameIDFormat=transient&binding=HTTP-POST (HTTP-POST)
  • http://edugain.feide.no:8080/openfm/saml2/jsp/spSSOInit.jsp?metaAlias=/sp_meta_alias&idpEntityID=sam.feide.no&NameIDFormat=transient&binding=HTTP-Artifact (Artifact)

When accessing these URLs, you should be redirected to the Feide login page. Ask Feide for test accounts. After entering credentials, you should be redirected back to the SP and get a "Single Sign-on succeeded." message.

Logout URLs (IdP-initiated single logout, by the HTTP-Redirect and SOAP bindings respectively):

  • https://sam.feide.no/amserver/IDPSloInit?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  • https://sam.feide.no/amserver/IDPSloInit?binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP

Feide also has a demo attribute viewer that can be deployed within the webapps/openfm folder to test attribute release, SSO, login and logout from the service provider. Contact Feide to get this example code (which currently is under development, but working).

Common errors

  • You get an error message at Feide when you are redirected there: ask Feide; probably the metadata is not loaded properly at either the IdP or the SP.
  • You get a "service access policy: access denied" message after entering credentials: ask Feide; the access lists need to be updated.
  • After entering credentials you are redirected back to the SP, but instead of a success message you are asked to enter local credentials: something is wrong with the account mapping. Verify that your SP extended configuration is correct, and ask Feide for guidance. Look into the /etc/openfm/openfm/debug/libSAML2 debug file. If you see the line SPACSUtils.processResponse: process: userName =[null], your account mapping is not working. Did you forget to add a transient user to the SP extended config?
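The account-mapping failure in the last bullet can be picked out of the libSAML2 debug file automatically. The scanner below is an added example, not code from the original post or from OpenSSO/Feide; it matches the SPACSUtils.processResponse fragment quoted above, while the timestamp prefix and the sample lines are constructed assumptions about the file's layout.

```python
"""Scan an OpenFM libSAML2 debug file for the account-mapping outcome of each SSO attempt.

Added example, not code from the original post or from OpenSSO/Feide. The regex matches
the processResponse fragment the post quotes; the line prefix and the sample lines below
are constructed and only stand in for a real debug file (debug level set to 'message').
"""
import re

# Captures the user the SP account mapper produced; "null" means mapping failed.
USERNAME_RE = re.compile(r"SPACSUtils\.processResponse: process: userName =\[(.*?)\]")

# Constructed sample: first attempt before transientUser was set, second after.
SAMPLE_DEBUG = """\
libSAML2:04/25/2007 09:20:01 AM PDT: SPACSUtils.processResponse: process: userName =[null]
libSAML2:04/25/2007 09:20:01 AM PDT: SPACSUtils.processResponse: cannot map user, redirecting to local login
libSAML2:04/25/2007 09:25:13 AM PDT: SPACSUtils.processResponse: process: userName =[anonymous]
"""


def account_mapping_results(debug_text):
    """Return the mapped user for each processResponse line, None where it was [null]."""
    results = []
    for line in debug_text.splitlines():
        m = USERNAME_RE.search(line)
        if m:
            user = m.group(1)
            results.append(None if user == "null" else user)
    return results


def diagnose(debug_text):
    """Explain the most recent SSO attempt recorded in the debug file."""
    results = account_mapping_results(debug_text)
    if not results:
        return ("no processResponse lines: the IdP response never reached the SP, "
                "or com.iplanet.services.debug.level is not set to message")
    if results[-1] is None:
        return ("account mapping failed (userName =[null]): check transientUser and "
                "spAttributeMapper in the SP extended config, then re-import it")
    return f"account mapping succeeded: user {results[-1]!r}"
```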
