Configuring IDPs, SPs, and CoTs

This section covers configuration tasks to implement SAML v2.0 in AM.

During setup, you share metadata for providers that you host with the other providers in the circle of trust. You must also configure remote providers by importing their metadata.

In AM terms, a hosted provider is one served by the current AM instance; a remote provider is one hosted elsewhere.

To Create a Circle of Trust

A circle of trust is an AM concept that groups at least one identity provider and at least one service provider who agree to share authentication information.

  1. Go to Realms > Realm Name > Applications > Federation > Circles of Trust, and then click Add Circle of Trust.

  2. Provide a name, and then click Create.

  3. On the Circle of Trust page, in the Entity Providers property, select at least one IDP and one SP.

    If you have not yet created the entity providers, you can add them to the circle of trust at any time.

  4. Customize any other properties as required, and then click Save Changes.

    For information about circle of trust properties, see "Circle of Trust Configuration Properties".

To Create a Hosted Entity Provider

This procedure provides steps for creating a hosted identity or service provider by using the administration console.

Note

In AM 7, you can create identity and service provider roles in the administration console.

To create other roles, AM 7 provides the /realm-config/federation/entityproviders/saml2 REST endpoint.

For information on how to view the details of this endpoint, see REST API Explorer.

  1. Go to Realms > Realm Name > Dashboard, and then click SAML Applications.

  2. Click the Add Entity Provider drop-down button, and then click Hosted.

  3. Enter an Entity ID, and verify the Entity Provider Base URL value is correct.

    Note

    AM collapses each sequence of whitespace characters in values such as entity IDs into a single whitespace character. For example, if an entity ID containing a single space already exists, creating a new entity with the same name but multiple spaces results in an error, because the two string values are treated as identical.

    AM uses the Entity Provider Base URL value for all SAML v2.0 related endpoints, so ensure other entities in your SAML deployment are able to access the specified URL.

  4. In the Meta Aliases section, provide a URL-friendly value in either the Identity Provider Meta Alias, the Service Provider Meta Alias property, or both.

    Ensure the aliases for providers are unique in a circle of trust, as well as in the realm.

  5. Click Create.

    Tip

    If you have added both a service provider meta alias and an identity provider meta alias, you can switch between the two roles by clicking the IDP or SP toggle:

    Figure: Switch Between Multiple Roles in an Entity Provider

  6. On the Assertion Processing tab, in the Attribute Mapper section, map SAML attribute names (Name in Assertion) to local attribute names.

    Figure: Mapping SAML Attributes to Local Attributes

    The default mapping implementation has additional features beyond simply retrieving string attributes from the user profile.

    • Add an attribute that takes a static value by entering the value enclosed in double quotes (") as the Local Attribute Name, instead of a profile attribute name.

      For example, you can add a static SAML attribute called partnerID with a value of staticPartnerIDValue by adding partnerID as the SAML Attribute with "staticPartnerIDValue" as the Local Attribute Name.

    • Select the binary option when dealing with binary attribute values; for example, values that are Base64 encoded.

    • Use the optional Name Format Uri property as required by the remote provider. For example, you may need to specify urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

  7. Customize any other properties as required, and then click Save Changes.

    For information about hosted entity provider properties, see:

  8. Export the XML-based metadata from your hosted provider to share with other providers in your circle of trust.

    $ curl \
    --output metadata.xml \
    "https://openam.example.com:8443/openam/saml2/jsp/exportmetadata.jsp\
    ?entityid=myHostedProvider\
    &realm=/mySubRealm"

    When you have configured your provider in the Top Level Realm, omit the realm query parameter.

    You may also be able to provide the URL in the above example to remote providers, if they can load the metadata by using a URL rather than a file.
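The attribute mapper rules from step 6 (a quoted Local Attribute Name is a static value, the binary option Base64-encodes raw bytes, and Name Format Uri sets the attribute's NameFormat) can be easier to reason about when applied to a concrete profile. The following Python is an added illustration of those documented rules, not AM's own mapper code: the user profile, the mapping entries and the rule that attributes without a value are omitted are all constructed assumptions for this example.

```python
"""Illustration of the attribute-mapper rules described in step 6.

Added example, not AM's implementation: it applies the documented rules
(quoted local name = static value, binary = Base64-encode, optional
NameFormat) to a constructed profile and builds the resulting
saml:AttributeStatement.
"""
import base64
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ET.register_namespace("saml", SAML_NS)

# Constructed user profile. Values are lists because directory attributes are
# multi-valued; binary attributes hold raw bytes.
USER_PROFILE = {
    "mail": ["alice@example.com"],
    "cn": ["Alice Example"],
    "jpegPhoto": [b"\x89PNG\r\n\x1a\n"],  # first bytes of a PNG, stands in for a photo
}


def resolve_attribute(local_name, profile, binary=False):
    """Return the SAML attribute values for one mapping entry.

    A local name wrapped in double quotes is a static value rather than a
    profile lookup, as the page describes for "staticPartnerIDValue".
    """
    if len(local_name) >= 2 and local_name.startswith('"') and local_name.endswith('"'):
        return [local_name[1:-1]]
    raw_values = profile.get(local_name, [])
    if binary:
        # Binary attributes are carried Base64-encoded in the assertion.
        return [base64.b64encode(value).decode("ascii") for value in raw_values]
    return list(raw_values)


def build_attribute_statement(mappings, profile):
    """mappings: list of dicts with saml_name, local_name, optional binary and name_format."""
    statement = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for mapping in mappings:
        values = resolve_attribute(mapping["local_name"], profile, mapping.get("binary", False))
        if not values:
            continue  # assumption for this example: attributes with no value are omitted
        attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name=mapping["saml_name"])
        if mapping.get("name_format"):
            # The remote provider may require a specific NameFormat (Name Format Uri property).
            attribute.set("NameFormat", mapping["name_format"])
        for value in values:
            ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(statement, encoding="unicode")


# Constructed mapping table mirroring the examples in the text.
MAPPINGS = [
    {"saml_name": "email", "local_name": "mail", "name_format": URI_NAME_FORMAT},
    {"saml_name": "partnerID", "local_name": '"staticPartnerIDValue"'},
    {"saml_name": "photo", "local_name": "jpegPhoto", "binary": True},
    {"saml_name": "department", "local_name": "ou"},  # absent from the profile
]

if __name__ == "__main__":
    print(build_attribute_statement(MAPPINGS, USER_PROFILE))
```

Running the block prints an AttributeStatement in which partnerID carries the static value, photo carries the Base64-encoded bytes, email carries the URI NameFormat, and department is absent because the profile has no ou attribute. Keeping the static partner identifier in the mapping rather than in every user profile means a change for one partner touches one configuration entry instead of the user store.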

To Import and Configure a Remote Entity Provider

The following procedure provides steps for importing and configuring one or more remote entity providers:

  1. Obtain the entity provider metadata as an XML-formatted file.

  2. Go to Realms > Realm Name > Dashboard, and then click SAML Applications.

  3. Click the Add Entity Provider drop-down button, and then click Remote.

  4. On the New Remote Entity Provider page, perform one of the following steps to import the XML file:

    • Drag and drop the XML file into the dotted box.

    • Click within the dotted box to open a file browser to select the XML file.

    Note

    You can import multiple remote entities in a single operation, as long as each entity has a unique entity ID.

    AM collapses each sequence of whitespace characters in values such as entity IDs into a single whitespace character. For example, if an entity ID containing a single space already exists, creating a new entity with the same name but multiple spaces results in an error, because the two string values are treated as identical.

  5. (Optional) If you have already created a Circle of Trust, you can add the remote providers into one or more of them by using the Circles of Trust property.

  6. Click Create.

  7. After importing metadata, to edit the configuration of an entity provider, go to Realms > Realm Name > Applications > Federation > Entity Providers, and select the entity provider to edit.

    Tip

    If you have imported providers that serve as both a service provider and an identity provider, you can switch between the two roles by clicking the IDP or SP toggle:

    Figure: Switch Between Multiple Roles in an Entity Provider

    For information about remote entity provider properties, see:
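Before sharing the metadata exported in step 8 of the hosted-provider procedure, or importing a batch of remote metadata files in the procedure above, it helps to check the documents for the things these procedures depend on: the entity ID, which roles (IDP, SP) are declared, whether a signing certificate is present so that signed messages can be verified, whether every endpoint is HTTPS and sits under the Entity Provider Base URL you configured, and whether two files in a batch have entity IDs that AM would treat as identical after collapsing whitespace. The following Python is an added example written for this page, not AM code or an AM API; the metadata documents, the placeholder certificate text and the endpoint paths in them are constructed.

```python
"""Sanity checks on SAML v2.0 metadata before sharing or importing it.

Added illustration, not AM code: it parses md:EntityDescriptor documents with
the standard library and flags issues the procedures on this page depend on.
"""
import re
from xml.etree import ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}


def normalize_entity_id(entity_id):
    # Collapse each run of whitespace to one space; the page states AM treats
    # entity IDs that differ only in this way as the same value.
    return re.sub(r"\s+", " ", entity_id)


def summarize_metadata(xml_text, expected_base_url=None):
    """Return entity ID, roles, endpoints and a list of problems for one EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor root element")
    entity_id = root.get("entityID", "")
    roles, endpoints, problems = [], [], []
    for idp in root.findall("md:IDPSSODescriptor", NS):
        roles.append("IDP")
        for sso in idp.findall("md:SingleSignOnService", NS):
            endpoints.append(("IDP", sso.get("Binding"), sso.get("Location", "")))
    for sp in root.findall("md:SPSSODescriptor", NS):
        roles.append("SP")
        for acs in sp.findall("md:AssertionConsumerService", NS):
            endpoints.append(("SP", acs.get("Binding"), acs.get("Location", "")))
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = [
        kd for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")
        and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
    ]
    if not entity_id.strip():
        problems.append("missing entityID")
    if not roles:
        problems.append("no IDPSSODescriptor or SPSSODescriptor")
    if not signing_certs:
        problems.append("no signing certificate: signed messages from this entity cannot be verified")
    for role, _binding, location in endpoints:
        if not location.startswith("https://"):
            problems.append(f"{role} endpoint is not HTTPS: {location}")
        if expected_base_url and not location.startswith(expected_base_url):
            problems.append(f"{role} endpoint outside the expected base URL: {location}")
    return {"entity_id": entity_id, "roles": roles, "endpoints": endpoints, "problems": problems}


def find_entity_id_collisions(xml_docs):
    """Group documents whose entity IDs collapse to the same value (multi-import check)."""
    seen = {}
    for doc in xml_docs:
        entity_id = ET.fromstring(doc).get("entityID", "")
        seen.setdefault(normalize_entity_id(entity_id), []).append(entity_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


# Constructed sample documents: placeholder certificate text and made-up endpoint paths.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://openam.example.com:8443/openam">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://openam.example.com:8443/openam/placeholder-sso-path"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.net">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.net/placeholder-acs-path" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Two constructed documents whose entity IDs differ only in the number of spaces.
DUP_A = f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="partner idp"/>'
DUP_B = f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="partner   idp"/>'

if __name__ == "__main__":
    print(summarize_metadata(IDP_METADATA, expected_base_url="https://openam.example.com:8443/openam"))
    print(summarize_metadata(SP_METADATA))
    print(find_entity_id_collisions([IDP_METADATA, SP_METADATA, DUP_A, DUP_B]))
```

For the constructed IDP document the check reports no problems; the constructed SP document is flagged for lacking a signing certificate and for a plain-HTTP assertion consumer service, and the last two documents are reported as a collision, which is the situation the whitespace note above describes. Run the same checks on the file written by the curl export to confirm the endpoints reflect the Entity Provider Base URL before handing the file to a partner.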
