Test SAML 2.0 SSO using JSP flows
The topics in this section are for tenants created before January 12, 2023. Learn more in Application management migration FAQ.
SAML 2.0 helps organizations to share (or federate) identities and services without having to manage the identities or credentials themselves.
These instructions describe how to launch an SP-initiated JSP flow to test SAML 2.0 SSO. PingOne Advanced Identity Cloud acts as the authentication service provider (SP) in a circle of trust (CoT). For this test, a self-managed AM instance acts as the identity provider (IDP).
Before identities can be federated in a CoT, an AM module named Federation must be present in the SP configuration. In self-managed AM instances, the Federation module is ready to use by default. In Advanced Identity Cloud AM instances, you must manually create a module named Federation when you create an SP circle of trust.
Step 1: Set up an SP and an IDP
- Set up the Advanced Identity Cloud AM instance as a service provider:
  - In the AM admin UI (native console), go to Realm Name > Applications > Federation > Entity Providers.
  - Click + Add Entity Provider > Hosted, and add a hosted entity provider:
    - Entity ID: Enter a unique identifier. Example: Cloud-SP.
    - Service Provider Meta Alias: Provide an SP alias. Example: cloud-sp.
  - Export the SP metadata to an XML file. Example export metadata URL: https://<tenant-FQDN>/am/saml2/jsp/exportmetadata.jsp?entityid=<SP-Entity-ID>&realm=/alpha
- Set up the self-managed AM instance as an identity provider:
  - In the AM admin UI (self managed), go to Top Level Realm > Applications > Federation > Entity Providers.
  - Click + Add Entity Provider > Hosted, and add a hosted entity provider:
    - Entity ID: Enter a unique identifier. Example: AM-IDP.
    - Meta Alias: Provide an IDP alias. Example: am-idp.
  - Export the IDP metadata to an XML file. Example export metadata URL: https://<IDP-host-FQDN>/openam/saml2/jsp/exportmetadata.jsp?entityid=<IDP-Entity-ID>
- In the Advanced Identity Cloud AM instance, add a remote entity provider by importing the IDP metadata:
  - In the AM admin UI (native console), go to Realm Name > Authentication > Federation > Entity Providers.
  - Click + Add Entity Provider > Remote.
  - Import the IDP metadata.
- In the self-managed AM instance, add a remote entity provider by importing the SP metadata:
  - In the AM admin UI (self managed), go to Top Level Realm > Authentication > Federation > Entity Providers.
  - Click + Add Entity Provider > Remote.
  - Import the SP metadata.
- Create a user profile on the SP and IDP:
  - SP: In the AM admin UI (native console), go to Identities and add a user identity.
  - IDP: In the AM admin UI (self managed), go to Identities and add a user identity.
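Before importing exported metadata as a remote entity provider, it is worth inspecting what the other side actually published: the entityID you expect, whether the SP demands signed assertions, and that every AssertionConsumerService endpoint is HTTPS. The following Python script is an added example and not part of the Ping Identity documentation or AM itself; it parses a constructed SP metadata document (the hostname tenant.example.com and the endpoint paths are sample values, not a real tenant's export) and reports findings a reviewer would want to see before trusting the file.

```python
"""Inspect exported SAML 2.0 SP metadata before importing it as a remote entity provider.

Added example; the sample document below is constructed for illustration and does not
come from a real AM export. For untrusted metadata in production, parse with defusedxml
instead of the standard library parser.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: an SP descriptor with one HTTPS and one (deliberately) plain-HTTP
# AssertionConsumerService so the checker has something to flag.
SAMPLE_SP_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="Cloud-SP">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.com/am/AssertionConsumerService/metaAlias/alpha/cloud-sp"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://tenant.example.com/am/AssertionConsumerService/metaAlias/alpha/cloud-sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def inspect_sp_metadata(xml_text: str) -> dict:
    """Extract the security-relevant fields of an SP metadata document."""
    root = ET.fromstring(xml_text)
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [
        {
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "default": e.get("isDefault") == "true",
        }
        for e in spsso.findall("md:AssertionConsumerService", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": spsso.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": spsso.get("WantAssertionsSigned") == "true",
        "name_id_formats": [e.text for e in spsso.findall("md:NameIDFormat", NS)],
        "acs": acs,
    }


def metadata_findings(info: dict, expected_entity_id: str) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    if info["entity_id"] != expected_entity_id:
        findings.append(f"entityID mismatch: expected {expected_entity_id!r}, got {info['entity_id']!r}")
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is false: the SP will not require signed assertions")
    if not any(a["default"] for a in info["acs"]):
        findings.append("no default AssertionConsumerService is marked")
    for a in info["acs"]:
        if urlsplit(a["location"]).scheme != "https":
            findings.append(f"non-HTTPS AssertionConsumerService: {a['location']}")
    return findings


if __name__ == "__main__":
    details = inspect_sp_metadata(SAMPLE_SP_METADATA)
    print(details["entity_id"], details["name_id_formats"])
    for line in metadata_findings(details, "Cloud-SP"):
        print("FINDING:", line)
```

Run it against a real export by reading the XML file into `inspect_sp_metadata` in place of the constructed sample; the same two functions apply to the IDP side once the element names are swapped for IDPSSODescriptor and SingleSignOnService.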
Step 2: Create an SP circle of trust
- In the Advanced Identity Cloud AM instance, create a circle of trust:
  - In the AM admin UI (native console), go to Realm Name > Applications > Federation > Circles of Trust.
  - Click + Add Circle of Trust.
  - On the New Circle of Trust page, provide a name, then click Create.
  - On the CoT page, provide the CoT details:
    - Description: Enter a unique identifier.
    - Entity Providers: Choose the entity IDs for the SP and IDP. Examples: Cloud-SP and AM-IDP.
  - Click Save Changes.
- In the Advanced Identity Cloud AM instance, create a federation module:
  - In the AM admin UI (native console), go to Realm Name > Authentication > Modules.
  - On the Modules page, click Add Module. Enter the module details:
    - Name: Must be named Federation.
    - Type: Must be type Federation.
  - Click Save Changes.
- In the Advanced Identity Cloud AM instance, configure the page the browser displays upon successful SSO:
  - In the AM admin UI (native console), go to Realm Name > Applications > Federation > Entity Providers.
  - In the Cloud-SP entity provider page, select the Advanced tab.
  - In the Relay State URL List field, add the target URL for the SP end-user sign-in page. Example: https://<tenant-FQDN>/enduser/?realm=alpha#/dashboard
  - Click Save Changes.
Step 3: Create an IDP circle of trust
- In the AM admin UI (self managed), go to Top Level Realm > Applications > Circles of Trust.
- Click + Add Circle of Trust.
- On the New Circle of Trust page, provide a name, then click Create.
- On the CoT page, provide the CoT details:
  - Description: Enter a unique identifier.
  - Entity Providers: Choose the entity IDs for the SP and IDP. Examples: Cloud-SP and AM-IDP.
- Click Save Changes.
Step 4: Test SAML 2.0 SSO
- In a browser, go to the JSP URL to launch an SP-initiated JSP flow. Example: https://<tenant-FQDN>/am/saml2/jsp/spSSOInit.jsp?realm=/alpha/&metaAlias=/alpha/cloud-sp&idpEntityID=AM-IDP&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&NameIDformat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&RelayState=https://<tenant-FQDN>/enduser/?realm=alpha#/dashboard
- On the IDP sign-in page, enter the user's credentials. Keep this session open. The IDP authenticates the user, then the browser redirects the user back to the SP sign-in page.
- On the SP sign-in page, enter the user's credentials. After this second successful authentication, the user's SP identity is linked to, or federated with, the user's IDP identity. The browser redirects to the SP end-user page.
- Sign the user out of both the SP and IDP.
- Go to the IDP end-user sign-in page, and enter the user's credentials. When the user is successfully authenticated, the browser redirects to the SP end-user page specified in Relay State URL List.
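Two details of this procedure are easy to get wrong by hand: the RelayState value contains `?`, `=` and `#`, so it must be percent-encoded when placed in the spSSOInit.jsp query string (an unencoded `#` would make the browser treat everything after it as a fragment and never send it to AM), and the Relay State URL List configured in Step 2 is the control that keeps RelayState from being used as an open redirect after authentication. The Python below is an added example, not code from the Ping Identity documentation or from AM: it builds the Step 4 URL with proper encoding and refuses any RelayState that is not on the allow-list. The exact-match rule in `relay_state_allowed` illustrates the intent of the control and is an assumption about its semantics, not AM's own matching code; `tenant.example.com` is a sample hostname.

```python
"""Build an SP-initiated SSO URL for AM's spSSOInit.jsp with an allow-listed RelayState.

Added example. The allow-list matching below is an illustration of what the
Relay State URL List is for, not a reimplementation of AM's internal check.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample values standing in for <tenant-FQDN> and the Step 2 configuration.
TENANT_FQDN = "tenant.example.com"
RELAY_STATE_URL_LIST = [f"https://{TENANT_FQDN}/enduser/?realm=alpha#/dashboard"]


def relay_state_allowed(relay_state: str, allow_list: list) -> bool:
    """Accept only absolute HTTPS URLs that exactly match a configured entry (assumed rule)."""
    parts = urlsplit(relay_state)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return relay_state in allow_list


def build_sp_sso_init_url(tenant_fqdn: str, realm: str, meta_alias: str,
                          idp_entity_id: str, relay_state: str, allow_list: list) -> str:
    """Return the spSSOInit.jsp URL from Step 4, with every parameter percent-encoded."""
    if not relay_state_allowed(relay_state, allow_list):
        raise ValueError(f"RelayState not in Relay State URL List: {relay_state}")
    params = {
        "realm": realm,
        "metaAlias": meta_alias,
        "idpEntityID": idp_entity_id,
        "binding": SAML_HTTP_POST,
        "NameIDformat": NAMEID_PERSISTENT,
        "RelayState": relay_state,
    }
    # urlencode percent-encodes '#', '?', '=' and ':' so the browser sends the whole value.
    return f"https://{tenant_fqdn}/am/saml2/jsp/spSSOInit.jsp?{urlencode(params)}"


def decode_query(url: str) -> dict:
    """Round-trip helper: the query parameters as AM would receive them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    url = build_sp_sso_init_url(TENANT_FQDN, "/alpha/", "/alpha/cloud-sp", "AM-IDP",
                                RELAY_STATE_URL_LIST[0], RELAY_STATE_URL_LIST)
    print(url)
    print(decode_query(url)["RelayState"])
    try:
        build_sp_sso_init_url(TENANT_FQDN, "/alpha/", "/alpha/cloud-sp", "AM-IDP",
                              "https://attacker.example.net/", RELAY_STATE_URL_LIST)
    except ValueError as exc:
        print("rejected:", exc)
```

The generated URL carries the same parameters as the example in Step 4; the difference is that `RelayState` arrives intact at AM, and a value such as `https://attacker.example.net/` never makes it into a test link at all. Keeping the allow-list exact rather than prefix-based avoids the classic bypass where `https://tenant.example.com.attacker.example.net/` passes a naive "starts with" check.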