Test SAML2 SSO using JSP flows

Overview

SAML v2.0 helps organizations share, or federate, identities and services without having to manage the identities or credentials themselves.

These instructions describe how to launch an SP-initiated JSP flow to test SAML 2 SSO. Identity Cloud acts as the authentication service provider (SP) in a circle of trust (CoT). For this test, a standalone AM instance acts as the identity provider (IDP).

Before identities can be federated in a CoT, an AM module named Federation must be present in the SP configuration. By default, the Federation module is ready-to-use in standalone AM instances. But, in Identity Cloud AM instances, you must manually create a module named Federation when you create an SP circle of trust.

Step 1: Set up an SP and an IDP

  1. Set up the Identity Cloud AM instance as a service provider:

    1. In the Identity Cloud Admin UI, go to
      Native Consoles > Access Management > Realm Name > Applications > Federation > Entity Providers.

    2. Click + Add Entity Provider.

      Enter entity provider details:
      • Entity provider type: Hosted.

      • Entity ID: Enter a unique identifier. Example: Cloud-SP.

      • Meta Alias: Provide an SP alias. Example: cloud-sp.

    3. After you’ve created an SP, export its SP metadata to an XML file.
      Example export metadata URL: https://<tenant-FQDN>/am/saml2/jsp/exportmetadata.jsp?entityid=<SP-Entity-ID>&realm=/alpha.

  2. Set up the standalone AM instance as an identity provider:

    1. In the standalone AM Admin UI, go to
      Top Level Realm > Applications > Federation > Entity Providers. Click + Add Entity Provider.

      Enter entity provider details:
      • Entity provider type: Choose Hosted.

      • Entity ID: Enter a unique identifier. Example: AM-IDP.

      • Meta Alias: Provide an IDP alias. Example: am-idp.

    2. After you’ve created an IDP, export its IDP metadata to an XML file.
      Example export metadata URL: https://<IDP-host-FQDN>/openam/saml2/jsp/exportmetadata.jsp?entityid=<IDP-Entity-ID>.

  3. In Identity Cloud, add a remote entity provider by importing the IDP metadata.

    1. In the Identity Cloud Admin UI, go to
      Native Consoles > Access Management > Realm Name > Authentication > Federation > Entity Providers.

    2. Click + New Entity Provider.

    3. Import the IDP metadata.

  4. In the standalone AM Admin UI, add a remote entity provider by importing the SP metadata.

    1. In the standalone AM Admin UI, go to:
      Top Level Realm > Authentication > Federation > Entity Providers.

    2. Click + New Entity Provider.

    3. Import the SP metadata.

  5. Create a user profile on both the SP and the IDP:

    1. SP: In the Identity Cloud AM Admin UI, go to Identities > Manage.

      • Click + New Alpha-realm-User, and enter user details.

      • Click Save.

    2. IDP: In the standalone AM Admin UI, go to Identities > Manage.

      • Click + Add New Identity, and enter user details.

      • Click Create.
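Before importing the exported metadata on the other side (steps 3 and 4 above), it is worth checking that the file carries the entity ID you will later select in the circle of trust, that it asks for signed assertions, and that every endpoint is served over TLS. The following is an added example, not part of the page or of the AM product: it parses a constructed, minimal SP metadata document of the shape that exportmetadata.jsp returns (the hostname and Consumer path are placeholders) and reports the issues a reviewer would want to see before the import.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (placeholder host and paths); the second
# AssertionConsumerService is deliberately plain http so the check has
# something to flag.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="Cloud-SP">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.com/am/Consumer/metaAlias/alpha/cloud-sp"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://tenant.example.com/am/Consumer/metaAlias/alpha/cloud-sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the fields that matter for the CoT setup from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document is not a SAML 2.0 EntityDescriptor")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [
        {
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "default": e.get("isDefault") == "true",
        }
        for e in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
    ]
    name_id_formats = [e.text.strip() for e in sp.findall(f"{{{MD_NS}}}NameIDFormat")]
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "acs": acs,
        "name_id_formats": name_id_formats,
    }


def metadata_issues(info, expected_entity_id):
    """Return a list of human-readable problems; empty means the file looks sane."""
    issues = []
    if info["entity_id"] != expected_entity_id:
        issues.append(f"entityID is {info['entity_id']!r}, expected {expected_entity_id!r}")
    if not info["wants_signed_assertions"]:
        issues.append("SP does not require signed assertions (WantAssertionsSigned)")
    for ep in info["acs"]:
        if not (ep["location"] or "").startswith("https://"):
            issues.append(f"non-TLS AssertionConsumerService: {ep['location']}")
    if "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" not in info["name_id_formats"]:
        issues.append("persistent NameID format not advertised; federation linking needs it")
    return issues


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", info["entity_id"])
    for problem in metadata_issues(info, "Cloud-SP"):
        print("ISSUE:", problem)
```

Run it against the XML you downloaded from the export URL instead of the constructed sample; an empty issue list is what you want before clicking Import on the IDP side.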

Step 2: Create an SP circle of trust

  1. In the Identity Cloud Admin UI, create a circle of trust.

    1. Go to
      Native Consoles > Access Management > Realm Name > Applications > Circles of Trust.

    2. Click + Add Circle of Trust.

    3. On the New Circle of Trust page, provide a name, then click Create.

    4. On the CoT page, provide CoT details.

      CoT details:
      • Description: Enter a unique identifier.

      • Entity Providers: Choose the entity IDs for the SP and IDP.
        Examples: Cloud-SP, AM-IDP.

    5. Click Save Changes.

  2. In the Identity Cloud Admin UI, create a federation module.

    1. Go to
      Native Consoles > Access Management > Realm Name > Authentication > Modules.

    2. On the Modules page, click Add Module. Enter module details:

      • Name: Must be named Federation.

      • Type: Must be type Federation.

    3. Click Save Changes.

  3. Configure a relay state URL.
    This is the target end-user page the browser will display upon successful SSO.

    1. In the Identity Cloud Admin UI, go to
      Native Consoles > Access Management > Realm Name > Applications > Federation > Entity Providers.

    2. For this example, in the Cloud-SP entity provider details page, search for Relay State URL List.
      Enter the target URLs for the SP end-user sign-in page.
      Example: https://<tenant-FQDN>/enduser/?realm=alpha#/dashboard.

    3. Click Save Changes.

Step 3: Create an IDP circle of trust

  1. In the standalone AM Admin UI, create a circle of trust. Go to
    Top Level Realm > Applications > Circles of Trust.

  2. Click + Add Circle of Trust.

  3. On the New Circle of Trust page, provide a name, then click Create.

  4. On the CoT page, provide CoT details.

    CoT details:
    • Description: Enter a unique identifier.

    • Entity Providers: Choose the entity IDs for the SP and IDP.
      Examples: Cloud-SP, AM-IDP.

  5. Click Save Changes.

Step 4: Test SAML2 SSO

  1. Launch an SP-initiated JSP flow.
    In a browser, go to the launch JSP URL. Example:
    https://<tenant-FQDN>/am/saml2/jsp/spSSOInit.jsp?realm=/alpha/&metaAlias=/alpha/cloud-sp&idpEntityID=AM-IDP&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&NameIDformat=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&RelayState=https://<tenant-FQDN>/enduser/?realm=alpha#/dashboard.

  2. On the IDP sign-in page, enter the user’s credentials:

    1. Keep this session open.

    2. The IDP authenticates the user, then the browser redirects the user back to the SP sign-in page.

  3. On the SP sign-in page, enter the user’s credentials:

    • After this second successful authentication, the user’s SP identity is linked to, or federated with, the user’s IDP identity.

    • The browser redirects to the SP end-user page.

  4. Sign the user out of both SP and IDP.

  5. Go to the IDP end-user sign-in page, and enter the user’s credentials.
    The user is successfully authenticated.

  6. The browser redirects to the SP end-user page specified in the Relay State URL field.
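The launch URL in step 1 is easy to get wrong by hand: the RelayState value itself contains a query string and a `#` fragment, so it must be percent-encoded or the browser treats everything after `#` as a fragment of the spSSOInit.jsp request. The following added example (not code from the page or from AM) builds the same URL with every parameter encoded, extracts the RelayState back out to show the round trip, and applies a RelayState allow-list check of the kind the Relay State URL List in Step 2 exists for. The tenant hostname is a placeholder, and the allow-list matching (exact match after lower-casing scheme and host, https only) is an assumption of this example, not AM's own matching rule.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder for the page's <tenant-FQDN>; not a real tenant.
TENANT_FQDN = "tenant.example.com"

# Mirrors the Relay State URL List configured on the Cloud-SP entity provider.
RELAY_STATE_URL_LIST = [
    f"https://{TENANT_FQDN}/enduser/?realm=alpha#/dashboard",
]

HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT_NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def build_sp_sso_init_url(tenant_fqdn, realm, meta_alias, idp_entity_id, relay_state,
                          binding=HTTP_POST_BINDING, name_id_format=PERSISTENT_NAMEID):
    """Assemble the SP-initiated spSSOInit.jsp URL with all parameters encoded."""
    params = {
        "realm": realm,
        "metaAlias": meta_alias,
        "idpEntityID": idp_entity_id,
        "binding": binding,
        "NameIDformat": name_id_format,
        "RelayState": relay_state,  # '?', '=' and '#' inside it get encoded
    }
    return f"https://{tenant_fqdn}/am/saml2/jsp/spSSOInit.jsp?{urlencode(params)}"


def relay_state_from_url(url):
    """Decode the RelayState parameter out of a launch URL (round-trip check)."""
    return parse_qs(urlsplit(url).query)["RelayState"][0]


def _normalize(url):
    # Scheme and host are case-insensitive; path, query and fragment are not.
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(), netloc=parts.netloc.lower()).geturl()


def relay_state_allowed(relay_state, allow_list):
    """Assumed allow-list rule: https only and an exact normalized match.

    This stands in for the SP's Relay State URL List check, which keeps the
    post-SSO redirect on pages you configured rather than on whatever the
    request carried.
    """
    if urlsplit(relay_state).scheme.lower() != "https":
        return False
    return _normalize(relay_state) in {_normalize(u) for u in allow_list}


if __name__ == "__main__":
    url = build_sp_sso_init_url(TENANT_FQDN, "/alpha/", "/alpha/cloud-sp",
                                "AM-IDP", RELAY_STATE_URL_LIST[0])
    print(url)
    rs = relay_state_from_url(url)
    print("RelayState:", rs, "allowed:", relay_state_allowed(rs, RELAY_STATE_URL_LIST))
```

If the value you paste into the browser comes back from `relay_state_from_url` unchanged and `relay_state_allowed` returns True for it, the redirect in step 6 will land on the dashboard rather than on the AM default page or an error about an unlisted RelayState.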