Chapter 3. Administrating OpenSSO

So, now you are ready to administrate the OpenSSO server that you have just configured. The server provides a polished console to facilitate configuration and identity administration in OpenSSO. At the time of writing, OpenSSO shipped with two different console interfaces. There are quite a number of new features planned and implemented in the Express Build 9 (even though the landscape for the OpenSSO open source project has changed significantly after Oracle acquired Sun Microsystems Inc.). I keep using the express builds for consistency. Entitlements provide fine-grained authorization as opposed to coarse-grained authorization. This is one of the key components in the Express Build 9. Express Build 9 is somewhat equivalent to ForgeRock's OpenAM build 9; both were built from the same source tree. A new user interface (also referred to as the new console) was built to manage the entitlements feature in OpenSSO. This console is quite different from the default console that manages the rest of the features of OpenSSO. In this book, we will not be using the entitlements console. When I refer to the console, I mean the default console of OpenSSO. Both consoles are part of the OpenSSO web application's web archive file and are available out of the box after the product configuration.

This chapter covers:

  • Administration of OpenSSO using a web console
  • Using command line tools to administer OpenSSO configuration
  • Privileges mapping and assignment
  • OpenSSO console customization

Administration interfaces

OpenSSO provides a Graphical User Interface (GUI) as a separate web application to address specific customer deployment use cases. Well, GUI-based administration looks cool, but what about a command line interface to perform the administration activities? Yes, OpenSSO does provide a feature-rich command line tool too. In fact, there are certain administrative activities that can only be achieved by using the Command Line Interface (CLI) tool. I have briefly introduced this CLI tool, called ssoadm, in the previous chapter. Both the browser-based user interface and the CLI are widely documented and supported by Sun Microsystems Inc. with a valid support contract. There is also one little, yet powerful, utility for making some quick configuration changes in the server without even configuring the CLI tool. This tool is a stripped version of the CLI tool, ssoadm. It can be accessed by using the URL: <protocol>://servername:port/<deploy_uri>/ssoadm.jsp. For instance, it would look something like http://opensso.packt-services.net:8080/opensso/ssoadm.jsp.

The ssoadm.jsp is not a supported tool. This tool facilitates the automation of multi-domain features such as the SAMLv2 protocol tests developed and executed by the OpenSSO quality engineering teams. This tool does not support all the subcommands provided by the CLI counterpart ssoadm or ssoadm.bat. So please use this version of the tool at your own discretion.

Feature | ssoadm CLI | ssoadm.jsp
--- | --- | ---
Setup and Configuration | Needs to be set up from the ssoAdminTools.zip | Available out-of-the-box upon product configuration.
Support | Thoroughly tested and supported by Sun Microsystems Inc., can raise escalations on this tool | Not a supported interface, so customers cannot raise escalations on this tool.
Limitations | All the sub commands are supported | Only selected sub commands are supported, features such as terminating a user session or exporting server configuration are not supported.

In this chapter, you can find the procedures to administrate the server configuration as well as identity management. The OpenSSO console is not intended to replace a commercial grade Identity Management product such as Sun Identity Manager. Please refer to the appropriate documentation on how to integrate OpenSSO with Sun Identity Manager. The administrative interfaces are designed to manage the Authentication, Authorization, Entitlements, Web services security, and Federation and Audit configurations. Along the way, the chapter also covers the basic identity CRUD (create, read, update, and delete) operations. You will be presented with browser-based configuration administration procedures along with their corresponding CLI procedures wherever applicable.

After the product configuration, you can log in to the administration console by using a valid OpenSSO user identity and password. Based on the authenticated identity's delegation privileges, the server will present the applicable user interface page. Broadly speaking, two user interface pages will be rendered: one for administrators, the other for normal non-administrator users.
