Fedlet Enhancements

The purpose of this page is to show how to extend an OpenSSO Fedlet to provide even more advanced SAML 2.0 features. This will be a work in progress as more features are added, so keep checking back.

What is it?

Fedlet is a lightweight Service Provider implementation of SAML2 SSO protocols, embeddable in a Java EE web application.

These Fedlet extensions build on the power of generating a preconfigured lightweight Service Provider that can be embedded into the target applications. The extensions include concepts such as Authorization (XACML), Attribute Queries (SAML) and the use of X.509 tokens in addition to SAML tokens.

Replacement JSPs

Download the JSPs below and place them in the deployed Fedlet location.

After doing this you should NOT redeploy the Fedlet, as redeploying will overwrite the JSPs you just copied. You can repackage the Fedlet WAR with the new JSPs so that future Fedlet redeploys keep them.

Click here to download the pages.


The rest of this page has a summary of each of the new Fedlet features listed. Implementation details for each feature are embedded in the respective summary topic.

XACML - eXtensible Access Control Markup Language

A Fedlet can query OpenSSO for an access control policy decision over standard XACML 2.0 calls. This can be used to model Role Based Access Control (RBAC) and/or Attribute Based Access Control (ABAC) for applications.

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

Example Fedlet XACML Request

<xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance/" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name" >
      <AttributeValue>id=demo,ou=user,dc=opensso,dc=java,dc=net</AttributeValue>
    </Attribute>
  </Subject>
  <xacml-context:Resource>
    <Attribute AttributeId="ResourceId" DataType="http://www.w3.org/2001/XMLSchema#string" >
      <AttributeValue>http://identity.office-on-the.net:5080/fedlet/page2.jsp</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:sun:names:xacml:2.0:resource:target-service" DataType="http://www.w3.org/2001/XMLSchema#string" >
      <AttributeValue>iPlanetAMWebAgentService</AttributeValue>
    </Attribute>
  </xacml-context:Resource>
  <xacml-context:Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" >
      <AttributeValue>GET</AttributeValue>
    </Attribute>
  </xacml-context:Action>
  <xacml-context:Environment></xacml-context:Environment>
</xacml-context:Request>

Example OpenSSO XACML Response

<xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" >
  <xacml-context:Result ResourceId="http://identity.office-on-the.net:5080/fedlet/page2.jsp">
    <xacml-context:Decision>Deny</xacml-context:Decision>
    <xacml-context:Status>
      <xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"></xacml-context:StatusCode>
      <xacml-context:StatusMessage>ok</xacml-context:StatusMessage>
      <xacml-context:StatusDetail xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:cd:04"><xacml-context:StatusDetail/></xacml-context:StatusDetail>
    </xacml-context:Status>
  </xacml-context:Result>
</xacml-context:Response>
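The Fedlet acts as the Policy Enforcement Point here, so what it does with the Response matters as much as the request it sends. The following Python is an added example (not Fedlet or OpenSSO code, which is Java) that builds a Request with the same four attributes shown above and evaluates a Response fail-closed: access is granted only for a Result about the resource that was actually asked for, with Decision exactly "Permit" and a StatusCode of ok. Deny, Indeterminate, NotApplicable, a non-ok status, a result for a different resource, or unparsable XML all deny. The Deny response is the one captured on this page; the Permit and error responses are constructed test data.

```python
import xml.etree.ElementTree as ET

# Namespace and status URIs exactly as they appear in the page's messages.
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS = {"xc": XACML_CTX}
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
X500_NAME = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
ET.register_namespace("xacml-context", XACML_CTX)


def _attribute(parent, attr_id, data_type, value):
    """Append one <Attribute><AttributeValue/></Attribute> pair to parent."""
    attr = ET.SubElement(parent, f"{{{XACML_CTX}}}Attribute",
                         AttributeId=attr_id, DataType=data_type)
    ET.SubElement(attr, f"{{{XACML_CTX}}}AttributeValue").text = value
    return attr


def build_request(subject_dn, resource, action="GET",
                  target_service="iPlanetAMWebAgentService"):
    """Build a XACML 2.0 context Request carrying the same attributes the
    Fedlet sends (subject DN, resource URL, OpenSSO target service, HTTP
    method). Every element is placed in the context namespace."""
    req = ET.Element(f"{{{XACML_CTX}}}Request")
    subject = ET.SubElement(
        req, f"{{{XACML_CTX}}}Subject",
        SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject")
    _attribute(subject, "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
               X500_NAME, subject_dn)
    res = ET.SubElement(req, f"{{{XACML_CTX}}}Resource")
    _attribute(res, "ResourceId", XS_STRING, resource)
    _attribute(res, "urn:sun:names:xacml:2.0:resource:target-service",
               XS_STRING, target_service)
    act = ET.SubElement(req, f"{{{XACML_CTX}}}Action")
    _attribute(act, "urn:oasis:names:tc:xacml:1.0:action:action-id",
               XS_STRING, action)
    ET.SubElement(req, f"{{{XACML_CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")


def authorize(response_xml, requested_resource):
    """Fail-closed PEP decision. True only when a Result exists for the
    resource we asked about, its Decision is exactly 'Permit' and its
    StatusCode is ok; anything else (or malformed XML) is a deny."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    if root.tag != f"{{{XACML_CTX}}}Response":
        return False
    for result in root.findall("xc:Result", NS):
        if result.get("ResourceId") != requested_resource:
            continue  # a decision about some other resource proves nothing
        decision = result.findtext("xc:Decision", default="", namespaces=NS).strip()
        code = result.find("xc:Status/xc:StatusCode", NS)
        status_ok = code is not None and code.get("Value") == STATUS_OK
        return decision == "Permit" and status_ok
    return False


def make_response(decision, resource, status=STATUS_OK):
    """Constructed response in the shape OpenSSO returns (test data only)."""
    return (
        f'<xacml-context:Response xmlns:xacml-context="{XACML_CTX}">'
        f'<xacml-context:Result ResourceId="{resource}">'
        f'<xacml-context:Decision>{decision}</xacml-context:Decision>'
        f'<xacml-context:Status><xacml-context:StatusCode Value="{status}"/>'
        '</xacml-context:Status></xacml-context:Result></xacml-context:Response>'
    )


RESOURCE = "http://identity.office-on-the.net:5080/fedlet/page2.jsp"

# The Deny response captured on this page, verbatim.
PAGE_DENY_RESPONSE = """<xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" >
<xacml-context:Result ResourceId="http://identity.office-on-the.net:5080/fedlet/page2.jsp">
<xacml-context:Decision>Deny</xacml-context:Decision>
<xacml-context:Status>
<xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"></xacml-context:StatusCode>
<xacml-context:StatusMessage>ok</xacml-context:StatusMessage>
<xacml-context:StatusDetail xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:cd:04"><xacml-context:StatusDetail/></xacml-context:StatusDetail>
</xacml-context:Status>
</xacml-context:Result>
</xacml-context:Response>"""

if __name__ == "__main__":
    print(build_request("id=demo,ou=user,dc=opensso,dc=java,dc=net", RESOURCE))
    print("page sample grants access:", authorize(PAGE_DENY_RESPONSE, RESOURCE))
    print("Permit grants access:", authorize(make_response("Permit", RESOURCE), RESOURCE))
```

Matching the Result's ResourceId against the resource that was requested is the check most PEP implementations skip; without it a cached or misrouted Permit for page1.jsp would unlock page2.jsp.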

How to Guide

XASP - X.509 Attribute Sharing Profile

A set of flexible approaches to providing SAML services to X.509 enabled identity populations. These include software X.509 digital certificates and smart cards such as CAC or HSPD-12 PIV.

http://www.oasis-open.org/committees/download.php/11323/sstc-saml-x509-authn-based-attribute-protocol-profile-2.0-draft-02.pdf

http://wiki.oasis-open.org/security/SstcSamlX509AuthnAttribProfile

The advantage of this approach is that a Service Provider (SP) initiated request does not need to log in to the Identity Provider (IDP), since authentication has just occurred at the SP via the X.509 certificate. Now that authentication has occurred, the Fedlet can simply ask an Attribute Authority (AA) for attributes, referencing the subject DN.

This has other technical advantages, such as being less chatty on the network (no redirects) and placing less demand on the Federation server, as a session does not need to be instantiated for the transaction to occur.

Once configured, a Fedlet can request an attribute using the built-in AttributeQuery object:

       AttributeQuery attrQuery = protocolFactory.createAttributeQuery();
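Because the subject of the AttributeQuery is a DN taken from a certificate the SP has just validated, the one check that makes XASP safe is binding the AA's answer back to that same DN before the attributes are merged into the user's session. The Python below is an added example, not Fedlet code (the Fedlet builds the query through its Java ProtocolFactory as shown above): it builds an AttributeQuery with an X509SubjectName NameID and parses a constructed AA response, returning the attributes only if the status is Success, the NameID format and value match the authenticated DN, and the Conditions window contains the current time. XML signature verification of the response is assumed to have been done by the SAML library before this code runs; the issuer URL, attribute names and timestamps are made up for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def build_attribute_query(subject_dn, issuer, attribute_names, query_id, issue_instant):
    """Build the <samlp:AttributeQuery> the SP sends to the AA. The Subject is
    the DN from the client certificate, carried as an X509SubjectName NameID."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", ID=query_id, Version="2.0",
                   IssueInstant=issue_instant)
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", Format=X509_SUBJECT_NAME).text = subject_dn
    for name in attribute_names:
        ET.SubElement(q, f"{{{SAML}}}Attribute", Name=name)
    return ET.tostring(q, encoding="unicode")


def normalize_dn(dn):
    """Cheap DN normalization: trim whitespace around RDNs and case-fold.
    Full RFC 4514 canonicalization is more involved; this covers the common
    formatting differences between a certificate DN and an AA's NameID."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _parse_instant(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(response_xml, authenticated_dn, now):
    """Return {attribute name: [values]} from the AA response, or None when
    the response must not be trusted: non-Success status, missing assertion,
    a NameID that is not the X509SubjectName we authenticated, or a
    Conditions window that does not contain `now`."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}Response":
        return None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != X509_SUBJECT_NAME:
        return None
    if normalize_dn(name_id.text or "") != normalize_dn(authenticated_dn):
        return None  # attributes about somebody else: never merge into this session
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_instant(nb):
            return None
        if noa and now >= _parse_instant(noa):
            return None
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def make_response(subject_dn, attributes, status=STATUS_SUCCESS,
                  not_before="2009-06-01T12:00:00Z", not_on_or_after="2009-06-01T12:05:00Z"):
    """Constructed AA response for the examples below (test data, not a capture)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vs)
        + "</saml:Attribute>"
        for n, vs in attributes.items())
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        'IssueInstant="2009-06-01T12:00:01Z">'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-06-01T12:00:01Z">'
        '<saml:Issuer>https://aa.example.com/opensso</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{X509_SUBJECT_NAME}">{subject_dn}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )


# Fixed clock and a made-up certificate DN so the example is deterministic.
NOW = datetime(2009, 6, 1, 12, 1, 0, tzinfo=timezone.utc)
CERT_DN = "CN=demo,OU=user,DC=opensso,DC=java,DC=net"

if __name__ == "__main__":
    print(build_attribute_query(CERT_DN, "https://sp.example.com/fedlet", ["mail", "role"],
                                "_q1", "2009-06-01T12:00:00Z"))
    print(extract_attributes(make_response(CERT_DN, {"mail": ["demo@example.com"]}), CERT_DN, NOW))
```

The DN comparison is deliberately the last gate before attributes are returned: a Success response with a valid window that names a different subject is the failure mode XASP deployments most need to reject, since the SP never saw a password or redirect for this user and the certificate DN is the only thing tying the session to the identity.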

Example Fedlet XASP Request

HERE

Example OpenSSO XASP Response

HERE


XSPA - Cross-Enterprise Security and Privacy Authorization

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xspa

More detail to come...




Copyright 1994-2009 Sun Microsystems, Inc.