tags:

views:

1685

answers:

1

I'm implementing a SAML 2.0 Service Provider and need to install a SAML 2.0 Identity Provider for testing. Given this need, the Identity Provider should ideally be free (or have a trial period) and be easy to set up and configure.

I'm looking for basic single sign on and single log out functionality.

I've tried Sun Opensso Enterprise. The price is right, but so far it's been a nightmare to configure. Also, its error messaging and logging leaves a lot to be desired and I'm often troubleshooting an issue that basically boils down to a misconfiguration or a counterintuitive default setting.

+4  A: 

What problems are you having configuring OpenSSO? I found OpenSSO to be the easiest setup!

My notes on getting the basic IDP up and running are below - hopefully they help you get up and running.

Michael


I've found that the best (i.e. most painless) way is...

  1. Use Glassfish - this is a well supported container for OpenSSO - use the developer profile to make your life even easier - use the quick setup steps as documented on the download page
  2. Deploy OpenSSO as per the basic instructions (unpack the zip - deploy the war file to the default domain)

I've used the following as my setup steps (I use OpenSSO build 7):

  • Under "Custom Configuration", click "Create New Configuration".
  • Type the password "adminadmin" in the Password and Confirm fields. Click Next.
  • In Server Settings, leave the defaults alone (or edit if if needed) and choose Next.
  • In Configuration Data Store, leave the defaults alone (or edit if needed) and choose Next.
  • In User Data Store, choose "OpenSSO User Data Store". Click Next.
  • In Site Configuration, choose No (this installation will not use a load balancer). Click Next.
  • In Default Agent User, enter admin123 as the password and confirmed password. Click Next.
  • Click "Create Configuration".
  • Click "Proceed to Login".
  • Log in as "amadmin" with the password "adminadmin".

The instructions above are based on http://developers.sun.com/identity/reference/techart/opensso-glassfish.html

You've now got your basics up and running. Create a subrealm under / called users, and create an account or two in there.

Now prep your SP metadata. Don't put too much in your metadata to start with - keep it simple.

In the default page of the GUI, choose to create a hosted IDP. This is a pretty basic workflow. You should specify your /users realm and choose to use the test key alias for signing. The circle of trust you create can be called petty much anything.

When you complete the workflow you'll be asked if you want to import metadata for an SP - say yes and choose to import from your prepared metadata file.

At this stage you should be pretty much set up.

You'll want to grab your IDP metadata next. There are a few ways to do this. You could use "http://servername:8080/opensso/ssoadm.jsp?cmd=export-entity" or "http://servername:8080/opensso/saml2/jsp/exportmetadata.jsp?realm=/users".

... and that's pretty much it for setup.

If you run into issues interoperating with OpenSSO you can look in the OpenSSO data directory (~/opensso by default). There's debugging and logging information in the subdirectories under there. You can cross reference that information with the OpenSSO Wiki, which has some pretty good troubleshooting information.

Michael van der Westhuizen
I guess my biggest problems with OpenSSO so far have either been with accepting my SP metadata or in my inability to track down the root of authentication failures when they happen.On the first, OpenSSO has complained about elements in my metadata that should be ok but it doesn't expect. SingleLogoutService and some other Organization metadata for example.I'll check out the logs in ~/opensso and the wiki as well. Thanks for that.
Steve Reed
Hi Steve,You should be able to go to http://servername:8080/amserver/Debug.jsp to bump up debug levels if you're not finding enough information under ~/opensso.I had quite a few metadata problems too - that's why I suggested starting (very) simply. Once I got my head around what the metadata and the configs in OpenSSO were supposed to look like things started making a lot more sense.
Michael van der Westhuizen
Have you sought help on the OpenSSO mailing list, Steve?To subscribe:1. Go to https://www.dev.java.net/servlets/Join and register for a java.net account.2. Go to https://opensso.dev.java.net/servlets/ProjectMembershipRequest and request 'Observer' role on OpenSSO.3. Go to https://opensso.dev.java.net/servlets/ProjectMailingListList and subscribe to '[email protected]'.
metadaddy
Good suggestions, both. Thanks.
Steve Reed