| | 84 | |
| | 85 | ===== Keystore ===== |
| | 86 | The AAA Service requires a JKS keystore that contains a private key. This is the key that will be used to sign all SAML objects such as requests. A keystore can be generated using the Java Keytool. Instructions here: http://wiki.eclipse.org/Generating_a_Private_Key_and_a_Keystore |
| | 87 | The keystoreManager bean needs to be configured to use this keystore. This can be done by changing the following properties in metadata.properties: |
| | 88 | ||=Property=||=Description=|| |
| | 89 | ||keystore.file||Location of the keystore. Default is classpath:keystore.jks|| |
| | 90 | ||keystore.pass||Keystore password|| |
| | 91 | ||key.alias||Certificate alias to be used for signing objects|| |
| | 92 | ||key.pass||Password for the certificate alias|| |
| | 93 | |
| | 94 | ===== Metadata ===== |
| | 95 | The exchange of SAML metadata is the first stage in enabling SAML single sign-on. Entities that wish to establish trust with the hosted AAA Service will need to exchange metadata. Therefore the STS used by the AAA Service to generate tokens must have the metadata for the AAA Service. Similarly, the AAA Service must have the metadata for the STS. The metadata follows the SAML 2.0 Metadata specification [1]. Metadata for the AAA Service should be created by hand or in the same way as for the STS above. |
| | 96 | |
| | 97 | In addition, the following properties must be set in metadata.properties |
| | 98 | ||=Property=||=Description=|| |
| | 99 | ||sts.uri||Location of the STS to use to generate tokens|| |
| | 100 | ||sts.request.uri||URI on the STS to which requests for tokens should be sent|| |
| | 101 | ||aaaservice.uri||Location of the hosted AAA Service|| |
| | 102 | |
| | 103 | ===== Trusted Entity Register ===== |
| | 104 | The Trusted Entity Register contains the metadata for all trusted Service Providers and trusted STSs. It is configured in the metadataProvider bean in applicationContext-saml.xml. |
| | 105 | To register a trusted entity, you will need the metadata for that entity either in a file or as a URL. The default metadata files are stored in /WEB-INF/classes/trustedEntities. Configure a bean for each trusted entity using the org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider class for metadata contained in a file or the org.opensaml.saml2.metadata.provider.HTTPMetadataProvider class for metadata as a URL. |
| | 106 | |
| | 107 | ===== Accounting ===== |
| | 108 | The database used for storing the accounting data may be configured by changing the following properties in application.properties. |
| | 109 | ||=Property=||=Description=|| |
| | 110 | ||jdbc.driverClassName||The fully qualified Java class name of the JDBC driver to be used|| |
| | 111 | ||jdbc.url||The connection URL to be passed to the JDBC driver to establish a connection|| |
| | 112 | ||jdbc.username||The connection username to be passed to the JDBC driver to establish a connection|| |
| | 113 | ||jdbc.password||The connection password to be passed to the JDBC driver to establish a connection|| |
| | 114 | ||hibernate.dialect||The classname of a org.hibernate.dialect.Dialect which allows Hibernate to generate SQL optimised for a particulat relational database|| |
| | 115 | |
| | 116 | The AAA Service requires the following permissions for the database: |
| | 117 | * Create |
| | 118 | * Update |
| | 119 | * Delete |
| | 120 | * Select |
| | 121 | * Insert |
