3.1. Overview

IDentia Trusted IdP is a major component of the IDentia product offering. There are three IDentia Trusted IdP installation packages:

  1. IDentiaTIdP-PKI-RC-1.0-install.jar – Installation package for Trusted IdP using PKI user authentication. The package contains the PKI authentication IdP and demo user certificates. Select this package if your organization requires X.509 certificates for authentication.
  2. IDentiaTIdP-LdapPass-RC-1.0-install.jar – Installation package for Trusted IdP using username/password authentication with LDAP support. It contains the username/password IdP, with the usernames and passwords stored in LDAP. Select this package if your organization uses username/password authentication and uses LDAP for managing login credentials (e.g. storing username and password).
  3. IDentiaTIdP-UserPass-RC-1.0-install.jar – Installation package for Trusted IdP using username/password authentication without LDAP support. The package contains the username/password IdP, with the usernames and passwords stored in identia-users.xml. Select this package if your organization uses username/password authentication and the username/password information is not stored in an LDAP directory.

The Trusted IdP installation package contains three application servers: an Apache Directory Server (apacheds-example), an Apache Tomcat server for the IdP (idp-tomcat7), and an Apache Tomcat server for the demo RP (sp2-tomcat7). The Apache Directory Server is a Java-based LDAP server preloaded with sample LDAP user entries for demo purposes. The IdP interacts with the LDAP server directly to retrieve user attribute information and passes it to RPs. The user attributes are required for user authorization by an RP. An RP interacts with the IdP to perform user authentication and authorization using a user-selected authentication or login mechanism.


3.2. Installation

The installation process of IDentia IdP is self-directed using a GUI wizard. To launch the installation, enter the following command in a shell window (assuming that the JDK or JRE is already available in the install environment):

java -jar IDentiaTIdP-PKI-RC-1.0-install.jar


This initiates the installation process. You will be prompted for the installation path, the desired bundles, and the domain name and port number variables, either in the command window or in the wizard windows, following the steps below.

  1. Specify the Installation Path:


Figure 1

The installation path is the directory where the IdP server will be installed. Enter the directory path (e.g. /opt) in the input field and click Next.

  2. Determine which components, in addition to the IdP server component, to install. You may select additional components to install, as shown in Figure 2. The optional components are:
    • DemoCerts: contains the PKI certificates of the demo users. When this option is selected, all user certificates will be installed in the installation directory. Please follow the instructions in the IDentia User’s Guide on how to install user certificates into different browsers.
    • IDentiaSAML-RP: This component contains the demo RP.


Figure 2
Once components are selected/deselected, click Next to continue.

  3. Next, define the host server name, the domain names and the port numbers. The IdP domain name specifies the domain of the IdP, e.g. identia.net. The SP2 domain name specifies the domain of the demo RP, e.g. samlsp2.identia.net. There are four input fields for specifying the various port numbers:
    • Primary Port Number: This is the non-SSL port number for the IdP, primarily used for testing purposes (should not be used in production).
    • IdP SSL Port Number: This is the SSL port number used by the IdP.
    • SP Port Number: This is the non-SSL port number used by the RP.
    • SP2 Port Number: This is the SSL port number used by the demo RP.
  4. Once you complete the input fields, click Next to continue.


Figure 3


3.3. Define DNS entries for the IdP and demo RPs

The IdP and demo RP must each be assigned a distinct domain name entry, either in your local DNS server or in your local hosts file. For instance, if your operational domain is identia.net, the default domain names for your IdP and RP are samlidp.identia.net and samlsp2.identia.net, respectively.

If you choose to use a DNS server to map the URL endpoints of your IDentia Trusted IdP, please contact your network administrator. If you choose to use your local hosts file to define the DNS entries for the IdP service, please use a text editor to edit your hosts file.

For Linux, Unix or Mac, the hosts file is located at /etc/hosts.

For Windows, the hosts file is located at %SystemRoot%\system32\drivers\etc\hosts

The hosts file consists of a list of IP addresses and the DNS name associated with them. If you choose to run the IdP and demo RP on your local machine, please add the following lines to your hosts file:

127.0.0.1 samlidp.identia.net samlsp2.identia.net

If you choose to run IDentia on a remote server and access the servers from your local machine, you must declare the IP address of the remote machine (e.g. 192.168.1.32) for the IdP and RP instead of your local host. For instance:

192.168.1.32 samlidp.identia.net samlsp2.identia.net


3.4. Changing Domain Names and Port Numbers

For the Amazon Machine Image (AMI), the IdP Server and RP Server are pre-configured with the identia.mobi domain name. You will need to change the default domain name value to your own domain name value.

3.4.1. Changing IdP Domain Names and Port Numbers

The default domain name and port number for the AMI IdP is idp.identia.mobi:4443.

  1. To change the domain name and port numbers, go to the bin directory of the IdP server (i.e. /opt/idp-tomcat7/bin) and edit the idp-param.properties file. This file specifies the path to the WEB-INF directory of the IdP, the password for the keystore containing the server certificate of the IdP, the IdP domain name, the IdP port number, and the server hostname.
  2. idp-param.properties

  3. After editing the idp-param.properties file, run the idp-config.sh script.
  4. To run the script, open a command line window, such as a Linux terminal, and change the directory to the bin directory of the IdP Server, for instance: /opt/idp-tomcat7/bin
  5. Run the shell command to start the script: ./idp-config.sh

This script will create a new key, certificate and keystore for the new IdP domain name in the IdP server (i.e. /opt/idp-tomcat7/idp-resources/credentials/idp.jks). Make sure to also import the RP’s certificate into idp.jks. The script will also replace the default domain name, port number and hostname values with the new ones in the configuration files.

3.4.2. Changing RP Domain Names and Port Numbers

The default domain name and port number for the AMI RP is rp2.identia.mobi:6423.

  1. To change the domain name and port numbers, go to the bin directory of the RP server (i.e. /opt/sp2-tomcat7/bin) and edit the rp-param.properties file. This file specifies the RP and IdP domain names, port numbers and keystore passwords.
  2. rp-param.properties

  3. After editing the rp-param.properties file, run the rp-config.sh script.
  4. To run the script, open a command line window, such as a Linux terminal, and change the directory to the bin directory of the RP Server, for instance: /opt/sp2-tomcat7/bin
  5. Run the shell command to start the script: ./rp-config.sh

This script will create a new key, certificate and keystore for the new RP domain name in the RP server (i.e. /opt/sp2-tomcat7/conf/sp.jks). The script will also replace the default domain name, port number and hostname values with the new ones in the configuration files.
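After changing the domain names and port numbers on both servers (sections 3.4.1 and 3.4.2), the IdP settings in rp-param.properties must agree with idp-param.properties, or the demo RP will send its SAML requests to the wrong endpoint. The following Python script is an added example, not part of the IDentia distribution: it parses both files and reports mismatches, leftover AMI default domains and invalid ports. The property key names (idp.domain, idp.port, rp.domain, rp.port) are assumptions, since the guide does not list them.

```python
import re

# Constructed sample contents of the two property files. The key names
# (idp.domain, idp.port, rp.domain, rp.port) are assumptions; the values
# follow the defaults and examples in the installation guide.
IDP_PROPS = """\
# idp-param.properties (constructed sample)
idp.domain=samlidp.identia.net
idp.port=4443
"""
RP_PROPS = """\
# rp-param.properties (constructed sample)
rp.domain=samlsp2.identia.net
rp.port=6423
idp.domain=samlidp.identia.net
idp.port=443
"""

def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value' lines;
    lines starting with '#' or '!' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_config(idp_text, rp_text):
    """Return a list of findings; an empty list means the files are consistent."""
    idp, rp = parse_properties(idp_text), parse_properties(rp_text)
    findings = []
    # The RP's copy of the IdP domain/port must match the IdP's own settings,
    # otherwise the RP's SAML endpoints point at a non-existent IdP.
    for key in ("idp.domain", "idp.port"):
        if idp.get(key) != rp.get(key):
            findings.append(f"{key}: IdP file has {idp.get(key)!r}, RP file has {rp.get(key)!r}")
    for name, props in (("idp", idp), ("rp", rp)):
        for key, value in props.items():
            # The AMI ships with identia.mobi; the guide requires changing it.
            if key.endswith(".domain") and value.endswith("identia.mobi"):
                findings.append(f"{name}: {key}={value} still uses the AMI default domain")
            if key.endswith(".port") and not (value.isdigit() and 0 < int(value) < 65536):
                findings.append(f"{name}: {key}={value!r} is not a valid TCP port")
    return findings

if __name__ == "__main__":
    for finding in check_config(IDP_PROPS, RP_PROPS):
        print(finding)
```

Run it against the real files by reading them from /opt/idp-tomcat7/bin and /opt/sp2-tomcat7/bin before starting the servers; the constructed sample deliberately contains a port mismatch (4443 vs 443) so the output shows what a finding looks like.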

3.5. Starting and Running the IdP and Demo RP

Before starting the IdP and demo RP, you need to make sure that an LDAP server is running. A default Apache Directory Server is bundled with the installation package. It is an LDAP service that provides the IdP with user attribute information, and can be used to run the IDentia demo applications with the sample RP. The demo LDAP server contains users arranged in several different organizations. You can certainly use your own LDAP server or Active Directory server instead of the default one in the package.


3.5.1. Start and Shutdown the Apache Directory Server

To start the Apache Directory Server (e.g. apacheds), follow these steps:

  1. Open a command line window, such as a Linux terminal, and change the directory to the bin directory of apacheds, for instance:

/opt/apacheds-example/bin

  2. Run the shell command to start the server:
    • For Windows: apacheds.bat
    • For Linux or Mac: ./apacheds.sh

To shut down the Apache Directory Server, please use Ctrl-C (i.e. press the Ctrl key and the key “C” simultaneously) to terminate the server.


3.5.2. Start and Shutdown the IdP Server

To start the IdP Server from the installation package after installation, follow these steps:

  1. Open a command line window, such as a Linux terminal, and change the directory to the bin directory of the IdP Server, for instance:

/opt/idp-tomcat7/bin

  2. Run the shell command to start the server:
    • For Windows: startup.bat
    • For Linux or Mac: ./startup.sh
  3. Once the IdP is started, you may access the IdP admin page at https://samlidp.identia.net:4443/idp/ to run the configuration. To shut down the IdP Server, run the shutdown command from the same directory (i.e. /opt/idp-tomcat7/bin):
    • For Windows: shutdown.bat
    • For Linux or Mac: ./shutdown.sh


3.5.3. Start and Shutdown the RP Server

To start the RP Server from the installation package after installation, follow these steps:

  1. Open a command line window, such as a Linux terminal, and change the directory to the bin directory of the RP Server, for instance:

/opt/sp2-tomcat7/bin

  2. Run the shell command to start the server:
    • For Windows: startup.bat
    • For Linux or Mac: ./startup.sh
  3. Once the RP is started, you may access the RP at https://samlsp2.identia.net:6423/identia-rp-demo/. To shut down the RP Server, run the shutdown command from the same directory (i.e. /opt/sp2-tomcat7/bin):
    • For Windows: shutdown.bat
    • For Linux or Mac: ./shutdown.sh


3.6. User Certificates

The user certificate bundle contains all of the demo PKI certificates needed to run the demo RPs. To use the certificates, you must add them to Keychain Access on Mac, to your certificate store on Windows, or directly to your browser if you are using Firefox. For detailed information about PKI authentication or certificate installation, please refer to the browser-specific instructions provided by the browser vendors.
