SSO in integrated mode

Journeys support SSO in integrated mode only via the SAML2 Authentication node. It handles the SAML 2.0 authentication flow but relies on other nodes.

Integrated mode flow (journeys)

${saml2_abbr} Integrated Mode Flow$

Figure 1. SAML 2.0 Integrated Mode Flow

An unauthenticated user initiates authentication to an Identity Cloud SAML 2.0 SP. The login URL references a journey that includes a SAML2 Authentication node. For example, https://<tenant-env-fqdn>/am/XUI/?service=mySAM2LTree.
If there are any authentication nodes that precede the SAML2 Authentication node, Identity Cloud executes them.
The SAML2 authentication node processing begins.
The authentication node requests an assertion from the IDP. The configuration of the SAML2 Authentication node determines the details of the request.

If the user is not authenticated in the IDP, the IDP requests them to authenticate.
The IDP responds to the SP with a SAML assertion.
If the SAML assertion contains a non-transient name ID, Identity Cloud searches the identity store, and attempts to locate a user with the same name ID.

If the name ID for the account exists, the journey ends in the success node.

If the name ID does not exist...
... and a Create Object node is configured in the journey, it creates a new account in the SP using auto-federation that includes the name ID in the user profile.
... and a method of authenticating the user is available in the journey, a Write Federation Information node writes the persistent name ID in the user profile.

For more information about linking when autofederation is not configured, refer to Link identities for authentication.

Implement SAML 2.0 single sign-on in integrated mode

The following list is an overview of the activities you perform when implementing SAML 2.0 single sign-on in integrated mode:

Preparing entity providers and a circle of trust and changing several endpoints in the SP configuration.

For more information, refer to Configure Identity Cloud for integrated mode.
Configuring a journey that contains, at least, the SAML2 Authentication node.

For more information, refer to Create accounts dynamically during federation.

Configure Identity Cloud for integrated mode

If you haven’t already done so, configure SAML 2.0 by performing the tasks listed in Deployment considerations.
Under Native Consoles > Access Management, create a hosted SP by following the steps in Create a hosted entity provider.

You must configure the attribute map (Assertion Processing > Attribute Mapper) first. This determines how Identity Cloud maps assertion attributes from the IDP to the user’s profile on the SP.

During the authentication process, the mapping is used to find existing users on the SP and to create or update user accounts on the SP.
Configure a remote IDP by following the steps in Import and configure a remote entity provider.

When you specify the circle of trust for the IDP, use the Add to Existing option and specify the circle of trust you created when you created the hosted SP.
Change the Assertion Consumer Service locations in the hosted SP configuration.

The default locations support standalone mode; therefore, you must change the locations when implementing integrated mode.

Change the locations as follows:
- Under Native Consoles > Access Management, go to Realms > Realm Name > Applications > Federation > Entity Providers > SP Name > Services > Assertion Consumer Service.
- Change the location of the HTTP-Artifact consumer service to use AuthConsumer, rather than Consumer. For example, if the location is https://<tenant-env-sp-fqdn>/am/Consumer/metaAlias/sp, change it to https://<tenant-env-sp-fqdn>/am/AuthConsumer/metaAlias/sp.
- Similarly, change the location for the HTTP-POST consumer service to use AuthConsumer rather than Consumer.
  
  You do not need to change the location for the PAOS service because integrated mode does not support the PAOS binding.
- The results will resemble the following:
  
  Save your changes. Now you are ready to configure your journey(s).

Create accounts dynamically during federation

In integrated mode, the SP can use journeys to tailor the authentication experience to the users. You can create multiple complex journeys to satisfy the requirements of your organization.

The example shown in this procedure uses the SAML 2.0 node to request an assertion from the IDP, and then creates an account for the user in the SP if one does not exist.

If you are not using auto-federation, you can also use journeys to create persistent links between user accounts.

Perform the steps in this procedure to configure a journey similar to the following:

Figure 2. Example journey to create accounts dynamically

Add a SAML2 Authentication node.

Integrated mode is SP SSO-initiated only, and SLO is not supported.

The node processes the assertion, makes its contents available to the journey’s state in the userInfo object, and tries to map the assertion’s nameID using the uid mapping in the SP’s assertion map.

If the node finds a match, the journey continues through the Account Exists output. Otherwise, the journey continues through the No Account Exists output.

The attribute the node uses to map the nameID is not configurable. This example adds nodes to process the userInfo object and matches its contents to the managed user’s schema.

Add a Scripted Decision node to copy the information from the assertion to the authentication journey’s shared state.

Example script

Next-generation
Legacy

if (nodeState.get("userInfo")) {
  if (nodeState.get("objectAttributes")) {
    nodeState.remove("objectAttributes");
  }
  var userName=null,sn=null,mail=null;

  try {
    var attribs = nodeState.get("userInfo")["attributes"];

    userName=attribs["uid"][0];
    sn=attribs["sn"][0];
    mail=attribs["mail"][0];

  } catch (e) {
    logger.error("Error getting userInfo: " + e);
  }
  nodeState.putShared("objectAttributes", {"userName":userName,"sn":sn,"mail":mail});
}
action.goTo("true");

var fr = JavaImporter(org.forgerock.openam.auth.node.api.Action);

if (nodeState.get("userInfo")) {
  if (nodeState.get("objectAttributes")) {
    nodeState.remove("objectAttributes");
  }
  var userName=null,sn=null,mail=null;

  try {
    var attribs = nodeState.get("userInfo").get("attributes");

    userName=attribs.get("uid").get(0).asString();
    sn=attribs.get("sn").get(0).asString();
    mail=attribs.get("mail").get(0).asString();

  } catch (e) {
    logger.error("Error getting userInfo: " + e);
  }
  nodeState.putShared("objectAttributes", {"userName":userName,"sn":sn,"mail":mail});
}
action = fr.Action.goTo("true").build();

For more information, refer to Scripted decision node API functionality.

Add an Identify Existing User node to search the user with the appropriate attribute.

For example, userName.
Complete the journey by adding the required nodes to create the new account if it does not exist on the SP.

The scripted decision node you created before gathering the attributes are now available in the journey’s shared state to create the account; however, these may not be enough to satisfy your managed user rules.

To ensure the required attributes are available, use the Required Attributes Present node to check them and the Attribute Collector node to collect the ones missing.

Finally, to create the account, use the Create Object node.

You must configure the appropriate identity resource in this node. For example, managed/alpha_user.
(Optional) If you have not configured auto-federation, you can add the Write Federation Information node to create a persistent link between the accounts.

For examples, refer to Link identities by using journeys.