Web or Java Agents SSO and SLO

You can use Web Agents and Java Agents in a SAML v2.0 Federation deployment.

Configuring agents to work alongside AM when performing SAML v2.0 single sign-on and single logout involves altering the URLs the agents use for logging in unauthenticated users, and logging users out.

To Use Web or Java Agents with a SAML v2.0 Service Provider

This procedure applies when AM is configured as an IDP in one domain, and a Web or Java agent protects resources on behalf of a second AM server, configured as an SP, on a second domain.

  1. Install the web or Java agent, as described in the relevant user documentation.

    The following steps will guide you to configure the agent through the AM console. If your agent is not using the centralized configuration mode, make the changes to the noted properties in the OpenSSOAgentConfiguration.properties configuration file of the agent instead.

  2. When using Web agents:

    1. In the AM console of the SP, go to Realms > Realm Name > Applications > Agents > Web > Agent Name > AM Services.

    2. When using integrated mode SSO:

      1. Set the AM Login URL property (com.sun.identity.agents.config.login.url) to the authentication chain that contains the "SAML2 Authentication Module", or the authentication tree that contains the "SAML2 Authentication Node". For example:

        https://www.sp.com:8443/openam/XUI/#login/&service=mySAMLTree
    3. When using standalone mode SSO:

      1. Set the AM Login URL property (com.sun.identity.agents.config.login.url) to the URL of the SP-initiated SSO JSP file, including the parameters necessary for initiating SSO. For example:

        https://www.sp.com:8443/openam/saml2/jsp/spSSOInit.jsp
        ?metaAlias=/sp
        &idpEntityID=https%3A%2F%2Fwww.idp.com%3A8443%2Fopenam
      2. Add the URL of the SP-initiated SLO JSP file to the AM Logout URL property (com.sun.identity.agents.config.logout.url). For example:

        https://www.sp.com:8443/openam/saml2/jsp/spSingleLogoutInit.jsp
        ?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
        &RelayState=http%3A%2F%2Fwww.sp.com
    4. Save your changes.

  3. Set the Custom Login Mode (org.forgerock.openam.agents.config.allow.custom.login) property to 1.

  4. Disable the Invalidate Logout Session property (org.forgerock.agents.config.logout.session.invalidate set to false).

  5. When using Java agents:

    1. In the AM console of the SP, go to Realms > Realm Name > Applications > Agents > Java > Agent Name > AM Services.

    2. When using integrated mode SSO:

      1. Set the AM Login URL property (com.sun.identity.agents.config.login.url) to the authentication chain that contains the "SAML2 Authentication Module", or the authentication tree that contains the "SAML2 Authentication Node". For example:

        https://www.sp.com:8443/openam/XUI/#login/&service=mySAMLTree
    3. When using standalone mode SSO:

      1. Set the AM Login URL property (com.sun.identity.agents.config.login.url) to the URL of the SP-initiated SSO JSP file, including the parameters necessary for initiating SSO. For example:

        https://www.sp.com:8443/openam/saml2/jsp/spSSOInit.jsp
          ?metaAlias=/sp
          &idpEntityID=https%3A%2F%2Fwww.idp.com%3A8443%2Fopenam
      2. Add the URL of the SP-initiated SLO JSP file to the AM Logout URL property (com.sun.identity.agents.config.logout.url). For example:

        https://www.sp.com:8443/openam/saml2/jsp/spSingleLogoutInit.jsp
        ?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
        &RelayState=http%3A%2F%2Fwww.sp.com
    4. Enable the Allow Custom Login Mode property (set the org.forgerock.openam.agents.config.allow.custom.login to true).

    5. Enable the Convert SSO Tokens into OpenID Connect JWTs property (set the org.forgerock.openam.agents.config.allow.custom.login to true).

    6. Save your changes.

Read a different version of :