[[TOC(noheading, ../../..,../*)]]
= Accepting Access Manager SAML Assertions =

== Access Manager Configuration and settings ==
Please see [http://www.novell.com/documentation/novellaccessmanager/#inst installation] and [http://www.novell.com/documentation/novellaccessmanager/#admin administration] guides for assistance in configuring Access Manager.   This sample makes the following assumptions:
 * Roles are sent in the saml using the attribute name http://www.bandit-project.org/ontologies/2008/otis/sampleroles
 * all role values are in their own attribute value, not sent as part of a concatenated string.

== General Configuration ==
Please see the general [../../../Configuration/General XML File Configuration Format] for details on base configuration

== Authentication Methods ==

Following the general [../../../Configuration/General/SpecificAuthenticationMethods Configuration for Authentication Methods] we set up the following authentication methods.
{{{
   <Setting Name="authMethods" Type="htf:list">
      <Setting Name="urn:bandit-project:otis:authmethod:1.0:usernamePassword" Type="htf:map">
         <Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:usernamePassword</Setting>
         <Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.UsernamePasswordAuthMethod</Setting>
      </Setting>
      <Setting Name="urn:bandit-project:otis:authmethod:1.0:anonymous" Type="htf:map">
         <Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:anonymous</Setting>
         <Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.AnonymousAuthMethod</Setting>
      </Setting>
      <Setting Name="urn:bandit-project:otis:authmethod:1.0:infocard" Type="htf:map">
         <Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:infocard</Setting>
         <Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.InfocardAuthMethod</Setting>
      </Setting>
      <Setting Name="urn:bandit-project:otis:authmethod:1.0:samlpolicy" Type="htf:map">
         <Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:samlpolicy</Setting>
         <Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.SAMLPolicyAuthMethod</Setting>
         <Setting Name="authMethodCtxID" Type="xsd:string">urn:InMemoryCache</Setting>
         <Setting Name="UseForOpen" Type="xsd:boolean">false</Setting>
         <Setting Name="ValidateSAML" Type="xsd:boolean">true</Setting>
         <Setting Name="JSSharedScope" Type="htf:ref">/JSSharedScope</Setting>
         <Setting Name="AuthEntityId" Type="htf:jscriptexec">
            RESULT =  getAuthEntityId(saml);
         </Setting>
         <Setting Name="InjectEntity" Type="xsd:boolean">true</Setting>
         <Setting Name="InjectEntityAttrMap" Type="htf:jscriptexec">
            RESULT =  getMappedAttrURI(saml, samlURI);
         </Setting>
         <Setting Name="InjectEntityAttrValueMap" Type="htf:jscriptexec">
            RESULT =  getMappedAttrValue(saml, samlURI, idasURI, samlvalue);
         </Setting>
      </Setting>
   </Setting>
}}}

== Role Configuration ==
The roles configuration for this is based on the general [../../../Configuration/Roles Configuration For Roles].  In this case there are no roles assumed automatically at authentication time and only values from the default role name in the saml are use.  Please not in this sample the role values are not transformed or modified.   That could happen at two different places.  
 * During the authentication using !InjectEntityAttrValueMap configuration to map the values/
 * During the role configuration, checking the issuer, the attribute and then mapping the values to something meaningful.   I prefer mapping here because it allows me to have rules that span attributes, and preserves the data in it's original form.
The role configuration looks like this:
{{{
   <Setting Name="Roles" Type="htf:map">
      <!-- Root most role configuration element, should be located under the OtisConfiguration element -->
      <Setting Name="Assumable Roles" Type="htf:map">
			
         <Setting Name="Role Rule 1" Type="htf:map">
            <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
            <Setting Name="EntityAttrs" Type="htf:list">
               <Setting Type="xsd:anyURI">http://www.bandit-project.org/ontologies/2008/otis/sampleroles</Setting>
            </Setting>
            <Setting Name="RoleInstantiation" Type="htf:jscriptexec">
               RESULT = new Packages.org.bandit.otis.impl.CommonRole( String(data));
               RESULT.addPropertyValue(Packages.org.bandit.otis.api.IRole.roleTypes, 
                         attribute.getAttrID().toString());
            </Setting>
         </Setting>
      </Setting> <!-- End Assumable Roles -->
   </Setting> <!-- End Roles -->
}}}

== Sample ==
Below is a full sample of the minimal system described above which allows specific saml assertions to be accepted and to be used for entities and roles.
{{{
<Configuration
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns="http://higgins.eclipse.org/sts/Configuration"
	xmlns:htf="http://higgins.eclipse.org/sts/Configuration"
	xsd:schemaLocation="http://higgins.eclipse.org/sts/Configuration Configuration.xsd ">

	<!--  The setting handlers are classes that consume Setting elements where the Type matches and generate an object of the Class -->
	<SettingHandlers>
		<SettingHandler Type="htf:map" Class="java.util.Map" Handler="org.eclipse.higgins.configuration.xml.MapHandler"/>
		<SettingHandler Type="htf:list" Class="java.util.List" Handler="org.eclipse.higgins.configuration.xml.ListHandler"/>
		<SettingHandler Type="xsd:string" Class="java.lang.String" Handler="org.eclipse.higgins.configuration.xml.StringHandler"/>
		<SettingHandler Type="xsd:boolean" Class="java.lang.Boolean" Handler="org.eclipse.higgins.configuration.xml.BooleanHandler"/>
		<SettingHandler Type="xsd:anyURI" Class="java.net.URI" Handler="org.eclipse.higgins.configuration.xml.URIHandler"/>
		<SettingHandler Type="htf:file" Class="java.io.FileInputStream" Handler="org.eclipse.higgins.configuration.xml.FileHandler"/>
		<SettingHandler Type="htf:keystore" Class="java.security.KeyStore" Handler="org.eclipse.higgins.configuration.xml.KeyStoreHandler"/>
		<SettingHandler Type="htf:certificate" Class="java.lang.String" Handler="org.eclipse.higgins.configuration.xml.CertificateHandler"/>
		<SettingHandler Type="htf:privatekey" Class="java.security.PrivateKey" Handler="org.eclipse.higgins.configuration.xml.PrivateKeyHandler"/>
		<SettingHandler Type="htf:singleton" Class="java.lang.Object" Handler="org.eclipse.higgins.configuration.xml.SingletonHandler"/>
		<SettingHandler Type="htf:instance" Class="java.lang.Object" Handler="org.eclipse.higgins.configuration.xml.InstanceHandler"/>
		<SettingHandler Type="htf:classinstance" Class="java.lang.Object" Handler="org.eclipse.higgins.configuration.xml.ClassInstanceHandler"/>
		<SettingHandler Type="htf:classsingleton" Class="java.lang.Object" Handler="org.eclipse.higgins.configuration.xml.ClassSingletonHandler"/>
		<SettingHandler Type="htf:jscriptexec" Class="org.eclipse.higgins.util.jscript.JScriptExec" Handler="org.eclipse.higgins.util.idas.cp.jscript.JScriptExecSettingHandler"/>
		<SettingHandler Type="htf:jscriptscope" Class="org.eclipse.higgins.util.jscript.JScriptScope" Handler="org.eclipse.higgins.util.idas.cp.jscript.JScriptScopeSettingHandler"/>
		<SettingHandler Type="htf:include" Class="java.util.Map" Handler="org.eclipse.higgins.configuration.xml.IncludeHandler"/>
		<SettingHandler Type="htf:ref" Class="Object" Handler="org.eclipse.higgins.configuration.xml.ReferenceHandler"/>
		<SettingHandler Type="htf:remoteEndPointHandler" Class="org.bandit.otis.impl.RemoteEndPointClient" Handler="org.bandit.otis.impl.RemoteEndPointClientHandler"/>
	</SettingHandlers>

	<Setting Name="OTISConfiguration" Type="htf:map">

		<Setting Name="defaultContextId" Type="xsd:string">urn:Corporate-LDAP-Server</Setting>

		<!-- The various assertion types that are handled -->
		<Setting Name="JSSharedScope" Type="htf:jscriptscope">
			// TODO fix so it looks at the issuer
			function getAuthEntityId(saml)
			{
				if ( saml != null)
				{
					Temp = saml.getSubject();
					id = Temp.getNameID();
					if ( !id || id == null)
				  		id = saml.getID();
				}
				return id; 
			}
			
			//based on the issuer map the attribute uris
			function getMappedAttrURI(saml, uri)
			{
				// should look at the saml issuer and make adjustments
				return uri;
			}
			
			//based on the issuer map the attribute uris
			function getMappedAttrValue(saml, oldURI, newURI, value)
			{
				// should look at the saml issuer and make adjustments
				return value;
			}
		</Setting>  <!-- end of JSSharedScope-->
		
		<Setting Name="authMethods" Type="htf:list">
			<Setting Type="htf:map">
				<Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:usernamePassword</Setting>
				<Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.UsernamePasswordAuthMethod</Setting>
			</Setting>
			<Setting Type="htf:map">
				<Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:anonymous</Setting>
				<Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.AnonymousAuthMethod</Setting>
			</Setting>
			<Setting Type="htf:map">
				<Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:infocard</Setting>
				<Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.InfocardAuthMethod</Setting>
			</Setting>
			<Setting Type="htf:map">
				<Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:samlpolicy</Setting>
				<Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.SAMLPolicyAuthMethod</Setting>
				<Setting Name="authMethodCtxID" Type="xsd:string">urn:InMemoryCache</Setting>
				<Setting Name="UseForOpen" Type="xsd:boolean">false</Setting>
				<Setting Name="ValidateSAML" Type="xsd:boolean">true</Setting>
				<Setting Name="JSSharedScope" Type="htf:ref">/JSSharedScope</Setting>
				<Setting Name="AuthEntityId" Type="htf:jscriptexec">
					 RESULT =  getAuthEntityId(saml);
				</Setting>
				<Setting Name="InjectEntity" Type="xsd:boolean">true</Setting>
				<Setting Name="ClearEntity" Type="xsd:boolean">true</Setting>
				<Setting Name="InjectEntityAttrMap" Type="htf:jscriptexec">
					 RESULT =  getMappedAttrURI(saml, samlURI);
				</Setting>
				<Setting Name="InjectEntityAttrValueMap" Type="htf:jscriptexec">
					 RESULT =  getMappedAttrValue(saml, samlURI, idasURI, samlvalue);
				</Setting>
			</Setting>
		</Setting>

		<!-- Other components - mainly IdASRegistry -->

		<Setting Name="ComponentSettings" Type="htf:map">
			<Setting Name="IdASRegistry" Type="htf:map">
				<Setting Name="ComponentSettings" Type="htf:map">
					<Setting Name="InMemoryContextFactory" Type="htf:map" />
				</Setting>
				<Setting Name="InMemoryContextFactory" Type="htf:classinstance">org.eclipse.higgins.idas.cp.inmem.InMemoryContextFactory</Setting>
				<Setting Name="ContextFactoryInstancesList" Type="htf:list">
					<Setting Name="InMemoryContextFactory" Type="htf:map">
						<Setting Name="Instance" Type="xsd:string">InMemoryContextFactory</Setting>
						<Setting Name="ContextTypes" Type="htf:list">
							<Setting Name="InMemContextType" Type="xsd:string">$context+inmem</Setting>
						</Setting>
					</Setting>
				</Setting>
				<Setting Name="ContextIdsList" Type="htf:list">
					<Setting Name="urn:InMemoryCache" Type="htf:map" >
							<Setting Name="ContextId" Type="xsd:string">urn:InMemoryCache</Setting>
							<Setting Name="ContextTypes" Type="htf:list">
								<Setting Name="LDAPContextType" Type="xsd:string">$context+inmem</Setting>
							</Setting>
							<Setting Name="ContextUris" Type="htf:list">
								<Setting Name="DefaultContextUri" Type="xsd:anyURI">urn:InMemoryCache</Setting>
							</Setting>
					</Setting>
				</Setting>
			</Setting>
		</Setting>

		<!-- The name of the class that provides the factory for the class that implements the IdASRegistry -->
		<Setting Name="IdASRegistry" Type="htf:classinstance">org.eclipse.higgins.idas.registry.IdASRegistry</Setting>

		<Setting Name="Roles" Type="htf:map">
		<!-- Root most role configuration element, should be located under the OtisConfiguration element -->
			<Setting Name="Assumable Roles" Type="htf:map">
			
				<Setting Name="Role Rule 1" Type="htf:map">
					<Setting Name="Enabled" Type="xsd:boolean">true</Setting>
					<Setting Name="EntityAttrs" Type="htf:list">
						<Setting Type="xsd:anyURI">http://www.bandit-project.org/ontologies/2008/otis/sampleroles</Setting>
					</Setting>
					<Setting Name="RoleInstantiation" Type="htf:jscriptexec">
									RESULT = new Packages.org.bandit.otis.impl.CommonRole(
										String(data));
									RESULT.addPropertyValue(Packages.org.bandit.otis.api.IRole.roleTypes, 
										attribute.getAttrID().toString());
					</Setting>
				</Setting>
			</Setting> <!-- End Assumable Roles -->
		</Setting> <!-- End Roles -->
	</Setting>
</Configuration>
}}}