Release Notes

ID-FF 1.2 Java Toolkit 2.0

This project is the release of Ping Identity's ID-FF 1.2 implementation, codenamed "Castle Peak". This implementation of ID-FF 1.2 supports the core profiles necessary for conformance, including:

  • SSO (Artifact & POST)
  • Single Logout
  • Register Name Identifier
  • Federation Termination Notification
  • Identity Provider Introduction

Profiles not included in the list above are not implemented or supported at this time.

This release of the ID-FF 1.2 Java Toolkit 2.0 has been certified for conformance for the IDP and SP Basic profiles by the Liberty conformance process. This certification was achieved during the Liberty conformance event that occurred during the week of June 14, 2004.

Change Log

Release 2.0 Final (April, 2005)

  • Updated sourceid.keystore to have longer lived demo keys
  • Upgraded to newer xml-security library that fixes a resource leak
  • Added alternative driver for OBE that fixes a resource leak

2.0 Beta (June, 2004)

  • Added the ability to select profiles at runtime via the UI.
  • Fixed the handling of NameQualifier attributes in SubjectType elements.
  • Added an InResponseTo parameter to LogoutResponse query strings.
  • Added servlet API jar to simplify the build process.
  • Fixed signature on the RequestDocument when requesting an assertion via the artifact profile.
  • Added a metadata import tool.
  • Added support for protocol endpoints to accept messages via POST.
  • Added a servlet filter to the Demo to set no-cache headers on all responses.
  • Various other minor bug fixes.

Setup / Installation

To build the ID-FF 1.2 Java Toolkit 2.0, you'll need:

  • Windows XP or Linux (kernel 2.4.2+)
  • Java JDK 1.4.2
  • JBoss 3.2.4
  • Ant 1.5 (or higher)

  1. Unzip the source archive into a work directory
  2. Go to the CastlePeak directory:
    1. Edit the "build.local.properties" file; set the "jboss.dir" property to point to the directory where JBoss is installed
    2. After editing "build.local.properties" file, copy it to the Infrastructure directory
    3. Copy the servlet-api.jar file from ${jboss.server.dir}/deploy/jbossweb-tomcat50.sar to ${jboss.server.dir}/lib
  3. Go to the Demo directory:
    1. Edit the "build.local.properties" file; set the "jboss.dir" property to point to the directory where JBoss is installed
    2. Run "ant deploy"
  4. Enable SSL in JBoss. In ${jboss.server.dir}/deploy/jbossweb-tomcat50.sar/server.xml uncomment the SSL connector and add/change the keystore and truststore parameters as follows:

    <Connector port="8443" address="${jboss.bind.address}"
      maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
      scheme="https" secure="true" clientAuth="false"
      keystoreFile="${jboss.server.home.dir}/conf/sourceid.keystore"
      keystorePass="changeit"
      truststoreFile="${jboss.server.home.dir}/conf/sourceid.keystore"
      truststorePass="changeit"
      sslProtocol="TLS"/>

  5. Optionally disable the verbose logging of the SourceID workflow engine by adding the following to the ${jboss.server.dir}/conf/log4j.xml file right above the configuration for the root logger:

    <category name="org.obe">
      <priority value="WARN"/>
    </category>

  6. Start JBoss.
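The SSL connector in step 4 and the log4j category in step 5 are the two hand edits in the procedure above. The Python script below is an added example, not code from the Castle Peak toolkit or from these release notes: it checks a server.xml Connector for the settings step 4 asks for (and reports a keystore or truststore password still at the demo value "changeit"), and inserts the org.obe category directly above the root logger as step 5 describes, without duplicating it on a second run. The XML samples inside it are constructed stand-ins for the real JBoss 3.2.4 files, and the function names are the example's own.

```python
# Added example (not part of the Castle Peak toolkit or its release notes):
# scripted versions of setup steps 4 and 5. The XML samples are constructed to
# mirror the snippets in the release notes; the real server.xml and log4j.xml
# in a JBoss install are larger.
import xml.etree.ElementTree as ET

# Constructed stand-in for server.xml after step 4 (the ${...} placeholders are
# left in place; JBoss expands them at startup).
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}" maxThreads="100"/>
    <Connector port="8443" address="${jboss.bind.address}"
      maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
      scheme="https" secure="true" clientAuth="false"
      keystoreFile="${jboss.server.home.dir}/conf/sourceid.keystore"
      keystorePass="changeit"
      truststoreFile="${jboss.server.home.dir}/conf/sourceid.keystore"
      truststorePass="changeit"
      sslProtocol="TLS"/>
  </Service>
</Server>"""

# Constructed stand-in for log4j.xml before step 5 (the real file also carries a
# DOCTYPE and more appenders/categories; only the <root> logger matters here).
SAMPLE_LOG4J_XML = """<configuration>
  <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender"/>
  <category name="org.apache">
    <priority value="INFO"/>
  </category>
  <root>
    <appender-ref ref="CONSOLE"/>
  </root>
</configuration>"""

DEMO_KEYSTORE_PASSWORD = "changeit"  # the demo value shown in the notes


def check_ssl_connector(server_xml: str, port: str = "8443") -> list:
    """Return findings for the HTTPS Connector on `port`.

    An empty list means the connector exists and matches step 4. A keystore or
    truststore password still at the demo value is always reported, since the
    notes only intend that value for the Demo deployment.
    """
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return ["no Connector on port %s (SSL connector still commented out?)" % port]
    c = connectors[0]
    findings = []
    expected = {"scheme": "https", "secure": "true", "sslProtocol": "TLS"}
    for attr, want in expected.items():
        if c.get(attr) != want:
            findings.append("%s is %r, expected %r" % (attr, c.get(attr), want))
    for attr in ("keystoreFile", "truststoreFile"):
        if not c.get(attr):
            findings.append("%s is not set" % attr)
    for attr in ("keystorePass", "truststorePass"):
        if c.get(attr) == DEMO_KEYSTORE_PASSWORD:
            findings.append("%s still uses the demo keystore password" % attr)
    return findings


def quiet_obe_logging(log4j_xml: str, priority: str = "WARN") -> str:
    """Insert the org.obe category from step 5 directly above the <root> logger.

    Idempotent: an existing org.obe category is updated, not duplicated.
    """
    config = ET.fromstring(log4j_xml)
    for cat in config.findall("category"):
        if cat.get("name") == "org.obe":
            prio = cat.find("priority")
            if prio is None:
                prio = ET.SubElement(cat, "priority")
            prio.set("value", priority)
            return ET.tostring(config, encoding="unicode")
    root_logger = config.find("root")
    if root_logger is None:
        raise ValueError("log4j.xml has no <root> logger")
    category = ET.Element("category", {"name": "org.obe"})
    ET.SubElement(category, "priority", {"value": priority})
    config.insert(list(config).index(root_logger), category)
    return ET.tostring(config, encoding="unicode")


def obe_priority(log4j_xml: str):
    """Return the configured org.obe priority, or None if the category is absent."""
    config = ET.fromstring(log4j_xml)
    for cat in config.findall("category"):
        if cat.get("name") == "org.obe":
            prio = cat.find("priority")
            return None if prio is None else prio.get("value")
    return None


if __name__ == "__main__":
    for finding in check_ssl_connector(SAMPLE_SERVER_XML):
        print("server.xml:", finding)
    print(quiet_obe_logging(SAMPLE_LOG4J_XML))
```

Run against the real files by reading ${jboss.server.dir}/deploy/jbossweb-tomcat50.sar/server.xml and ${jboss.server.dir}/conf/log4j.xml instead of the embedded samples; the connector check is read-only, while the log4j function returns the rewritten document for you to write back.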

At this point, the Demo application using the CastlePeak toolkit should be deployed and ready to use (assuming JBoss is running). You can access the Demo application by going to:

https://localhost:8443/demo/sp/ (SP side)
https://localhost:8443/demo/idp/ (IDP side)

On the SP login you can use the following username/password: joe / test

On the IDP login you can use the following username/password: joe123 / test

Please note that default deployment of the CastlePeak server acts as both SP and IDP.

Known Defects

  • There is no option to selectively enable the IDP or the SP functionality.
  • On the SP side you cannot initiate some Liberty functions after a local login (only after an SSO).
  • There are some ways an end user can interact with the system that could result in orphaned session state data or workflow process instance data. In general this occurs when a Liberty transaction is started but not completed. Examples include, but are not limited to, a user doing an SSO but not ending the session with an SLO, or a user attempting to federate but abandoning the process when prompted to authenticate at the IDP. It is the responsibility of the calling application to clean up these stranded references and avoid a potential memory leak.

Additional Notes:

  • Deploying Multiple Servers: In order to deploy this demonstration application across multiple machines (such as having one machine configured as the IDP, and one as the SP), you will need to update some configuration files and ensure that they are in the ${jboss.server.home.dir}/conf directory before starting each server. Some sample configuration files have been provided to help in getting started with deploying to multiple machines. In //Demo/example-2server-config there are two subdirectories: one contains a sample configuration for an IDP and the other contains a sample configuration for an SP. Each directory contains all the files that need to be copied to each server's JBoss conf directory; however, only sourceid-core-config.xml, sourceid-soap-auth.xml and sourceid-provider-directory.xml differ between the two deployments. In both of the sourceid-provider-directory.xml files you will need to change 'https://IDP_DOMAIN:8443' and 'https://SP_DOMAIN:8443' to point to the name or IP address of the machines that you have the IDP and SP deployed on.
  • Integrating with the toolkit: A simplistic demo application has been provided which demonstrates how to integrate the CastlePeak toolkit into your custom application. In general you should refer to the demo application for examples of the necessary steps involved. The main step in integration involves implementing a few interfaces that adapt your application to the toolkit. These interfaces and their supporting classes can be found in the org.sourceid.idff12.adapter package and its sub-packages. The example implementations in the demo can be found in the idff12demo.idp.adapters and idff12demo.sp.adapters packages, and are configured in the sourceid-core-config.xml file.
  • Runtime Configuration: Some of the application's functionality can be configured at runtime via the JBoss JMX Management Console (at https://localhost:8443/jmx-console/ if you are running the server on your local machine). Go to the bottom of the page and under the 'sourceid.demo.idp' heading click on the 'service=Config' link. This will take you to a page where you can dynamically reload the sourceid-provider-directory.xml and sourceid-core-config.xml files from disk. You can also toggle two flags that tell the IDP how to behave in certain situations: whether the IDP should initiate Register Name Identifier during SSO, and whether the IDP should attempt to set the common domain cookie (for Identity Provider Introduction) after authenticating a user.
  • Identity Provider Introduction (IPI): IPI works by redirecting the user to some common domain to set and read the common domain cookie. This functionality is implemented in the demo application and various options are configurable in the sourceid-core-config.xml file. By default the common domain is configured to 'common-domain.com'; to get this functionality working on your local machine you will need to create a mapping of that domain to your local machine in your local hosts file. You will also need to configure the IDP to set the cookie (this can be done via the JBoss JMX Management Console as described above).

Manifest

  • Source code for CastlePeak, a Demo application, and supporting libraries
  • Demo application which demonstrates how to integrate the CastlePeak toolkit into a custom application

Copyright

Ping Identity Corporation
1099 18th St., Ste. 2950
Denver, CO 80202
U.S.A.
Phone: 303.468.2900
FAX: 303.468.2909
E-Mail: info@pingidentity.com

Copyright (C) Ping Identity Corporation, 2004-2005
All Rights Reserved

This document is provided for information purposes only, and the information herein is subject to change without notice. Ping Identity Corporation does not provide any warranties covering and specifically disclaims any liability in connection with this document.

All other company and product names mentioned are used for identification purposes only and may be trademarks of their respective owners.