SSO and SLO in Integrated Mode
Authentication nodes and trees support SSO in integrated mode only. The "SAML2 Authentication Node" handles the SAML v2.0 authentication flow, but relies on other nodes.
An unauthenticated user initiates authentication to an AM SAML v2.0 service provider. The login URL references an authentication tree that includes a SAML2 authentication node. For example,
https://openam.example.com:8443/openam/XUI/?service=mySAM2LTree.
If there are any authentication nodes that precede the SAML2 Authentication node, AM executes them.
The SAML2 authentication node processing begins.
The authentication node requests an assertion from the IdP. The configuration of the SAML2 Authentication node determines the details of the request.
If the user is not authenticated in the IdP, the IdP will request them to authenticate.
The IdP responds to the SP with a SAML assertion.
If the SAML assertion contains a non-transient name ID, AM searches the identity store, attempting to locate a user with the same name ID.
If the name ID for the account exists, the tree ends in the success node.
If the name ID does not exist...
... and a Create Object node(or a Provision Dynamic Account node for standalone AM environments) is configured in the tree, it creates a new account in the SP using auto-federation, including the name ID in the user profile.
... and method of authenticating the user is available in the tree, a Write Federation Information node writes the persistent name ID in the user profile.
For more information, see "Linking Identities by Using Authentication Trees or Chains".
Authentication chains support SSO and SLO in integrated mode, whereby the SAML2 authentication node handles all of the SAML v2.0 authentication flow
An unauthenticated user initiates authentication to an AM SAML v2.0 service provider. The login URL references an authentication chain that includes a SAML2 authentication module. For example,
https://openam.example.com:8443/openam/XUI/?service=mySAMLChain#login/
.If there are any authentication modules that precede the SAML2 module in the authentication chain, AM executes them.
SAML2 authentication module processing begins.
The authentication module requests an assertion from the identity provider. The SAML2 module's configuration determines the details of the request.
If the user is currently unauthenticated on the identity provider, the following three steps occur:
The identity provider requests credentials from the user.
The user provides their credentials.
Authentication succeeds (assuming the user provided valid credentials).
Processing continues as follows:
The identity provider responds to the service provider with a SAML assertion.
If the SAML assertion contains a non-transient name ID, AM searches the user datastore, attempting to locate a user with the same name ID.
The flow varies here.
The following event occurs if the following are true:
The name ID for the user is not found in the datastore
Dynamic profile creation is configured in the Core Authentication Service
Auto-federation is enabled on the service provider
AM adds an entry for the user to the user datastore. Even if a linking authentication chain has been configured, it is not invoked. The user is not prompted to authenticate to the service provider.
The following two events occur if the following are true:
The name ID for the user is not found in the datastore
A linking authentication chain has been configured in the SAML2 authentication module
Dynamic profile creation is not configured in the Core Authentication Service
Auto-federation is not enabled on the service provider
The SAML2 authentication module invokes the linking authentication chain, requiring the user to authenticate to the service provider.
After successfully completing the linking authentication chain, AM writes the persistent name ID obtained in the SAML assertion sent by the identity provider into the user's profile.
At this point, SAML2 authentication module processing ends. The remaining events comprise completion of the primary authentication chain:
If there are any authentication modules remaining in the chain, AM executes them.
Authentication is complete.
Implementing SAML v2.0 Single Sign-On in Integrated Mode (Trees)
The following list is an overview of the activities you perform when implementing SAML v2.0 single sign-on in integrated mode:
Preparing entity providers and a circle of trust, and changing several endpoints in the service provider configuration.
Configuring a tree that contains, at least, the SAML2 authentication node.
See "To Create Accounts Dynamically (Standalone AM)" and "To Create Accounts Dynamically (ForgeRock Identity Platform)".
If you have not already done so, configure SAML v2.0 by performing the tasks listed in Deployment Considerations.
In the AM console, create a hosted service provider by following the steps in "To Create a Hosted Entity Provider".
Ensure that you have configured the attribute map (Assertion Processing > Attribute Mapper). It determines how AM will map assertion attributes coming from the IdP to the user's profile on the SP.
During the authentication process, the mapping is used to find existing users on the SP, and to create or update user accounts on the SP.
Configure a remote identity provider by following the steps in "To Import and Configure a Remote Entity Provider". When you specify the circle of trust for the IDP, use the Add to Existing option and specify the circle of trust that you created when you created the hosted service provider.
Change the Assertion Consumer Service locations in the hosted service provider configuration. The default locations support standalone mode. Therefore, you must change the locations when implementing integrated mode.
Change the locations as follows:
In the AM console, go to Realms > Realm Name > Applications > Federation > Entity Providers > Service Provider Name > Services > Assertion Consumer Service.
Change the location of the HTTP-Artifact consumer service to use
AuthConsumer
, rather thanConsumer
. For example, if the location ishttps://www.sp.com:8443/openam/Consumer/metaAlias/sp
, change it tohttps://www.sp.com:8443/openam/AuthConsumer/metaAlias/sp
.Similarly, change the location for the HTTP-POST consumer service to use
AuthConsumer
rather thanConsumer
.Note that you do not need to change the location for the PAOS service because integrated mode does not support the PAOS binding.
The results will resemble the following:
Save your changes.
Now you are ready to configure authentication trees.
When using integrated mode, the SP can leverage the authentication tree's features to tailor the authentication experience to the users. Therefore, you can create very complicated trees, or even multiple trees to satisfy the requirements of your organization.
The example shown in this procedure uses the SAML v2.0 node to request an assertion from the IdP, and then creates an account for the user in the SP if one does not exist.
If you are not using auto-federation, you can also use authentication trees to create persistent links between the user accounts.
Perform the steps in this procedure to configure a tree similar to the following:
Add a "SAML2 Authentication Node". Remember that integrated mode is SP SSO-initiated only, and that SLO is not supported.
The node processes the assertion, makes its contents available to the authentication tree's state in the
userInfo
object, and tries to map the assertion's nameID using theuid
mapping in the SP's assertion map.If the node finds a match, the tree continues through the
Account Exists
output. Otherwise, the tree continues through theNo Account Exists
output.Add a "Provision Dynamic Account Node" to the No account exists outcome.
(Optional) If you have not configured auto-federation, you can add the "Write Federation Information Node" to create a persistent link between the accounts. See "Linking Identities by Using Authentication Trees or Chains".
When using integrated mode, the SP can leverage the authentication tree's features to tailor the authentication experience to the users. Therefore, you can create very complicated trees, or even multiple trees to satisfy the requirements of your organization.
The example shown in this procedure uses the SAML v2.0 node to request an assertion from the IdP, and then creates an account for the user in the SP if one does not exist.
If you are not using auto-federation, you can also use authentication trees to create persistent links between the user accounts.
Perform the steps in this procedure to configure a tree similar to the following:
Add a "SAML2 Authentication Node". Remember that integrated mode is SP SSO-initiated only, and that SLO is not supported.
The node processes the assertion, makes its contents available to the authentication tree's state in the
userInfo
object, and tries to map the assertion's nameID using theuid
mapping in the SP's assertion map.If the node finds a match, the tree continues through the
Account Exists
output. Otherwise, the tree continues through theNo Account Exists
output.Note that the attribute the node uses to map the nameID is not configurable, and this example adds nodes to process the
userInfo
object and match its contents to the managed user's schema.Add a "Scripted Decision Node" to copy the information from the assertion to the authentication tree's shared state.
outcome = "true"; if (sharedState.get("userInfo")) { if (sharedState.get("objectAttributes")) { sharedState.remove("objectAttributes"); } var userName=null,sn=null,mail=null; try { userName=sharedState.get("userInfo").get("attributes").get("uid").get(0).toString(); } catch (e) {} try { sn=sharedState.get("userInfo").get("attributes").get("sn").get(0).toString(); } catch (e) {} try { mail=sharedState.get("userInfo").get("attributes").get("mail").get(0).toString(); } catch (e) {} sharedState.put("objectAttributes", {"userName":userName,"sn":sn,"mail":mail}); }
For more information, see "Scripted Decision Node API Functionality".
Add a "Identify Existing User Node" to search the user with the appropriate attribute. For example,
userName
.Complete the tree adding the required nodes to create the new account if it does not exist on the SP.
The scripted decision node that you created before gathered the attributes that are now available to create the account. However, these may not be enough to satisfy your managed user rules. To ensure that the required attributes are available, use the "Required Attributes Present Node" to check them, and the "Attribute Collector Node" to collect the ones missing.
Finally, to create the account, use the "Create Object Node".
Ensure that you configure the appropriate identity resource in this node. For example,
managed/alpha_user
.(Optional) If you have not configured auto-federation, you can add the "Write Federation Information Node" to create a persistent link between the accounts. See "Linking Identities by Using Authentication Trees or Chains".
Implementing SSO in Integrated Mode (Chains)
The following list is an overview of the activities you perform when implementing SAML v2.0 single sign-on in integrated mode:
Preparing entity providers and a circle of trust.
Changing several endpoints in the service provider configuration.
Configuring a SAML2 authentication module and including it in an authentication chain.
Deciding if and how you want to federate identities during authentication. In integrated mode, you can either create user entries dynamically, or you can configure a linking authentication chain that authenticates users at the service provider after successful authentication at the identity provider, and then federates the identity.
The following procedure provides step-by-step instructions for performing these activities.
If you have not already done so, configure SAML v2.0 by performing the tasks listed in Deployment Considerations.
In the AM console of the SP, create a hosted service provider by following the steps in "To Create a Hosted Entity Provider".
Configure a remote identity provider by following the steps in "To Import and Configure a Remote Entity Provider". When you specify the circle of trust for the IDP, use the Add to Existing option and specify the circle of trust that you created when you created the hosted service provider.
Change the Assertion Consumer Service locations in the hosted service provider configuration. The default locations support standalone mode. Therefore, you must change the locations when implementing integrated mode.
Change the locations as follows:
In the AM console, go to Realms > Realm Name > Applications > Federation > Entity Providers > Service Provider Name > Services > Assertion Consumer Service.
Change the location of the HTTP-Artifact consumer service to use
AuthConsumer
, rather thanConsumer
. For example, if the location ishttps://www.sp.com:8443/openam/Consumer/metaAlias/sp
, change it tohttps://www.sp.com:8443/openam/AuthConsumer/metaAlias/sp
.Similarly, change the location for the HTTP-POST consumer service to use
AuthConsumer
rather thanConsumer
.Note that you do not need to change the location for the PAOS service because integrated mode does not support the PAOS binding.
The results will resemble the following:
Save your changes.
Create a SAML2 authentication module:
In the AM console, go to Realms > Realm Name > Authentication > Modules, and then select Add Module.
Specify a name for the module, specify the module type as SAML2, and then select Create.
Configure the SAML2 authentication module options. See "SAML2 Authentication Module" for detailed information about the configuration options.
Ensure that you set a value for the Linking Authentication Chain property, specifying the authentication chain that will be invoked.
Save your changes.
Create an authentication chain that includes the SAML2 authentication module that you created in the previous step.
Test your configuration. First, clear your browser's cache and cookies. Then, attempt to log in to AM using a login URL that references the authentication chain that includes the SAML2 module. For example,
https://www.sp.com:8443/openam/XUI/#login/&service=mySAMLChain
.AM will redirect you to the identity provider for authentication.
If required, you can now configure AM to link identities in the IDP with those in the SP, generate new accounts on the SP, or link to a shared account; for example
anonymous
. For more information and instructions, see Federating Identities.
Configuring SLO in Integrated Mode (Chains)
Use the following two options to control single logout in integrated mode:
The post-authentication processing class for the authentication chain that includes the SAML2 authentication module. You configure post-authentication processing classes by navigating to Realms > Realm Name > Authentication > Chains > Chain Name > Settings.
The Single Logout Enabled option in the SAML2 authentication module configuration.
Configure these options as follows:
Requirement | Configuration |
---|---|
Single logout occurs when a user initiates logout at the identity provider or at the service provider. | Set the post-authentication processing class for the authentication chain that contains the SAML2 authentication module to Set the Single Logout Enabled option to |
Single logout occurs only when the user initiates logout at the identity provider. | Set the post-authentication processing class for the authentication chain that contains the SAML2 authentication module to Set the Single Logout Enabled option to |
Single logout occurs only when the user initiates logout at the service provider. | Not available. |
Single logout never occurs. | Do not set the post-authentication processing class for the authentication chain that contains the SAML2 authentication module to |