OpenAM
Written and tested with OpenAM Snapshot 9, the Single Sign-On (SSO) tool for securing your web applications in a fast and easy way
Indira Thangasamy
Packt Publishing (open source | community experience distilled)
Birmingham - Mumbai
Table of Contents

Preface 1

Chapter 1: Getting Started 7
  History of OpenSSO 9
  OpenSSO vs. OpenAM 10
  OpenSSO: an overview 11
    OpenSSO services 11
    Federation services 12
    Web Services Security and Secure Token Service 13
    OpenSSO Entitlements Service 15
  What kind of problems does OpenSSO solve? 16
    Access management 16
    Federation 16
    Securing web services 17
    Entitlements 18
  Summary 19

Chapter 2: OpenSSO Deployment and Configuration 21
  Deployment requirements for OpenSSO web application 22
    Containers and operating systems support 22
    Java SDK support 23
    Disk and memory requirements 23
    Browser requirements 24
  Configuration store versus Identity Store 24
    Configuration store 24
      Embedded configuration store 25
      External Sun Directory Server Enterprise Edition configuration store 26
    Identity store 27
  How to obtain OpenSSO 28
    Building OpenSSO from source 28
    Downloading OpenSSO binary 29
  Configuring OpenSSO 31
    Installing and configuring Apache Tomcat 6.0.20 31
    OpenSSO one click configuration 34
    Verifying OpenSSO configuration 37
    What just happened? 38
  OpenSSO configuration choices 39
    Single server configuration using embedded configuration store 40
      Layout of the configuration directory 46
    Single server configuration using external configuration store 47
    Multi-server configuration with embedded configuration store 50
      Prerequisites for multi-server configuration 51
      Adding OpenSSO to an existing deployment 52
      Verification of multi-server deployment 55
    Configuring using command line configurator 56
    Configuring OpenSSO with SSL/TLS 58
  Configuring command line tools 58
  Uninstalling OpenSSO 61
  OpenSSO release and support model 61
  Summary 62

Chapter 3: Administrating OpenSSO 63
  Administration interfaces 64
    Accessing the administrative console 65
    Console views and privileges 66
    Console landing page: common tasks 69
    Access control tab 70
      General 71
      Authentication 71
      Service 72
      Data stores 73
      Privileges 74
      Policies 77
      Subjects 79
      Agents 81
    Configuration 83
      Retrieving all the server properties 84
      Updating server configuration properties 84
      Removing properties from server configuration 85
    Sessions tab 85
      Managing sessions using ssoadm 86
  Customizing the console 86
    Extending LDAP schema 87
    Customizing OpenSSO User Service 88
      Adding attributes to amUser.xml 88
      Removing User Service schema 89
      Adding the updated User Service schema 90
      Adding the labels 90
    Adding the custom attributes to data store configurations 91
    Updating privileges 92
    Testing the changes 93
  Summary 94

Chapter 4: Authentication and Session Service 95
  Authentication process 96
    Cookies in OpenSSO 97
  Authentication types and URL parameters 98
    Module 99
    Level 100
    Service 100
    User 101
    Role 101
    Realm 101
    Resource 102
  Other authentication URL parameters 103
    IDToken parameter 103
    goto and gotoonfail parameters 103
    locale parameter 104
    arg parameter 105
    ipspcookie parameter 106
    ForceAuth parameter 106
    PersistAMCookie parameter 107
  Authentication modules, instances, and chains 107
    LDAP authentication 108
      Creating an authentication instance 108
      Updating an authentication instance 109
      Reading an authentication instance 109
      Using an authentication instance 110
      Deleting an authentication instance 110
    Authentication chains 111
      Creating an authentication chain 112
      Updating an authentication chain 112
      Reading an authentication chain 113
      Using an authentication chain 113
      Performing a user-based authentication 113
      Deleting an authentication chain 114
  Authentication modules 114
    LDAP 115
    Active Directory 115
    Data store 115
    Anonymous 116
    Certificate (X.509) 116
      Configuring Tomcat in SSL using CA signed certificate 117
    HTTP basic authentication 120
    Membership 120
    JDBC 120
    HOTP 121
    SecurID 122
    SafeWord 122
    RADIUS 122
    Unix 123
    Windows NT 123
    Windows Desktop SSO 124
    Core 124
      User profile requirement 124
      Setting user profile attributes in an SSO token 126
    Adding custom authentication modules 128
  Session Service 129
    Session Service schema 130
    Updating Session Service 130
    Session life cycle 131
      Session structuring 131
      Session state transition 132
    Session properties 133
    Session change notification and polling 134
    Session persistence and constraints 135
  Summary 136

Chapter 5: Password Reset and Account Management 137
  Account lockout 138
    Configuring account lockout 138
    Physical lockout 140
    In-memory lockout 141
  Applying a password reset 142
    Prerequisites 142
    Configuring the password reset service in OpenSSO 143
    Assigning service and update service attributes 143
    Creating and assigning OpenDS password policy 149
  Summary 153

Chapter 6: Protecting a Simple Web Application to Provide SSO 155
  OpenSSO Policy Framework 156
  Protecting a sample application on Tomcat 158
    Creating the agent profile 159
    Installing and configuring the agents 160
    Deploying and configuring the Java application 160
    Creating policies and associated identities 161
    Testing the SSO 164
    Fetching user profile attributes 167
  Summary 168

Chapter 7: Integrating Salesforce and Google Apps 169
  Integrating OpenSSO with Salesforce applications 170
    Configuring hosted identity provider and circle of trust 171
    Configuring OpenSSO metadata for Salesforce.com 172
    Configuring users for Salesforce.com 174
    Verifying the SSO 176
  Integrating with Google Apps 177
    Configuring the hosted identity provider 178
    Configuring SSO parameters at Google Apps 179
    Configuring users for Google Apps 180
    Verifying SSO 181
  Summary 183

Chapter 8: Identity Stores 185
  Identity store types 186
  Caching and notification 188
    Persistent search-based notification 189
    Time-to-live based notification 191
      TTL-specific properties for Identity Repository cache 191
  Supported identity stores 192
    User schema 192
    Access Manager Repository plugin 193
      Creating an Access Manager Repository plugin data store 194
      Displaying the data store properties 195
      Updating data store properties 196
      Deleting data stores 196
      Removing the Access Manager Repository plugin 196
    Oracle Directory Server Enterprise Edition 197
      Creating a data store for Oracle DSEE 197
      Updating the data store 198
      Deleting the data store 198
    Data store for OpenDS 198
    Data store for Tivoli DS 199
    Data store for Active Directory 199
    Data store for Active Directory Application Mode 199
    Data store for OpenLDAP 200
      Configuring an OpenLDAP suffix 200
      Extending the schema 201
      Preparing the suffix with necessary entries 202
      Creating an OpenLDAP data store 203
      Testing the data store 203
  Multiple data stores 204
  Summary 205

Chapter 9: RESTful Identity Services 207
  Prerequisites 208
  Invoking REST interfaces 210
    Authentication 210
      Authenticating with URL parameters 211
      Validating an SSO token 212
      Invalidating session (logout) 213
      Creating log events 213
    Authorization 214
    Identity CRUD operations 215
      Searching identities 215
        Searching for user identities 216
        Searching groups 216
        Searching for agents 216
      Retrieving identity attributes 217
      Creating agent identities 218
      Creating user identities 219
      Creating group identities 219
      Updating identities 220
      Deleting identities 221
        Deleting user identities 221
        Deleting group identities 221
        Deleting the agent identities 221
    Other REST interfaces 222
  Summary 222

Chapter 10: Backup, Recovery, and Logging 223
  Backing up configuration data 224
    Backing up the OpenSSO configuration files 225
    Backing up the OpenSSO configuration data 226
    Crash recovery and restore 227
  Test to production 228
    Performing the configuration change 229
    Configuring the export test server 229
    Configuring OpenSSO on the production server 230
    Adapting the test configuration data 231
    Importing into the production system 232
  OpenSSO audit and logging 232
    Enabling debug (trace) level logging 233
    Audit logging 234
      File-based logging 236
      Database logging 237
      Remote logging 240
      Secure logging 240
  Summary 243

Chapter 11: Troubleshooting and Diagnostics 245
  OpenSSO diagnostic tools 245
    Installing and configuring the tool 246
    Invoking the tool 246
  Troubleshooting 248
    Installation and configuration 249
      Scenario 1 249
      Scenario 2 250
      Scenario 3 250
      Scenario 4 251
    Authentication and session areas 252
      Scenario 1 252
      Scenario 2 252
      Scenario 3 252
      Scenario 4 253
    Identity repository and password reset 253
      Scenario 1 253
      Scenario 2 254
      Scenario 3 254
      Scenario 4 255
      Scenario 5 255
    Policy and agents 255
      Scenario 1 255
      Scenario 2 256
      Scenario 3 257
    Command line tools 257
      Scenario 1 257
      Scenario 2 258
  Summary 259

Index 261