How do I register a remote IdP or SP in AM (All versions) using ssoadm?
The purpose of this article is to provide information on registering a remote IdP or SP in AM using ssoadm. Using ssoadm allows you to automate the entire entity provider creation process, including adding attribute mapping.
Overview
This article details creating a remote entity provider using ssoadm:
- For details on doing this via Amster or the REST API, see How do I create a SAML2 IdP or SP entity provider in AM (All versions) using REST or Amster?
- For details on creating hosted entity providers using ssoadm, see How do I create a hosted IdP or SP in AM (All versions) using ssoadm?
Registering a remote IdP or SP
You can register a remote IdP or SP using ssoadm as follows:
- Create the Circle of Trust (COT) unless it already exists:
$ ./ssoadm create-cot -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT]
replacing [adminID], [passwordfile], [realmname] and [entityCOT] with appropriate values. You will see the following response if this was successful:
Circle of trust, [entityCOT] was created.
- Create the metadata template XML files unless they already exist:
$ ./ssoadm create-metadata-templ -u [adminID] -f [passwordfile] -y [entityID] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile] [metaAlias]
replacing [adminID], [passwordfile], [entityID], [metadataXMLfile], [extendedXMLfile] and [metaAlias] with appropriate values, where [metaAlias] is one of the following options and values depending on the type of entity provider you are creating:
  - IdP - this should be option -i with a value equal to the metaAlias for the remote identity provider, in the format: [realm name]/[metaAlias].
  - SP - this should be option -s with a value equal to the metaAlias for the remote service provider, in the same format as detailed above for the IdP.
For example, if you wanted to create metadata template XML files for your IdP (with an ID of EmployeeIdP and a metaAlias of idp in realm employees), your command would look similar to this:
- AM 7 and later:
$ ./ssoadm create-metadata-templ -u uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org -f pwd.txt -y EmployeeIdP -c saml2 -m standard.xml -x extended.xml -i employees/idp
- Pre-AM 7:
$ ./ssoadm create-metadata-templ -u amadmin -f pwd.txt -y EmployeeIdP -c saml2 -m standard.xml -x extended.xml -i employees/idp
You will see the following response if this was successful:
Remote entity configuration was written to extended.xml.
Remote entity descriptor was written to standard.xml.
Note
This simple example create-metadata-templ command creates basic template files, which you can use as a starting point for your metadata files. However, you can create more comprehensive template files, if required, by specifying other properties as detailed in ssoadm create-metadata-templ.
- Update the extended metadata file to indicate that the entity provider you want to create is remote. Change the hosted="true" value:
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="true"
to hosted="false":
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="false"
- Update your metadata files as necessary and include any additional details needed. If you want to map attributes, you can add attribute mapping to the extended metadata file using the following format:
<Attribute name="attributeMap">
<Value>EmailAddress=mail</Value>
<Value>username=uid</Value>
</Attribute>
where the first attribute listed in each pair (EmailAddress and username in this example) is the attribute used by the entity provider you are creating.
- Import the metadata files to create the entity provider in AM:
$ ./ssoadm import-entity -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]
replacing [adminID], [passwordfile], [realmname], [entityCOT], [metadataXMLfile] and [extendedXMLfile] with appropriate values. You will see the following response if this was successful:
Import file, [metadataXMLfile].
Import file, [extendedXMLfile].
Note
You can script these changes to fully automate creating entity providers. See How do I make batch changes using ssoadm in AM (All versions)? for further information on scripting ssoadm commands.
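The following POSIX shell script is an added example of scripting the steps above end to end; it is not part of this article and not ForgeRock's own tooling. It assumes ssoadm is at the path in SSOADM (default ./ssoadm), that the admin ID and password file are supplied through the environment (the defaults use the AM 7 DN form shown above), and that the extended template written by create-metadata-templ contains an empty <Attribute name="attributeMap"><Value/></Attribute> block for the script to fill in. Setting DRY_RUN=1 prints each ssoadm command instead of running it, and the script then edits a constructed sample of the extended file so the sed and awk steps can be checked without an AM installation.

```shell
#!/bin/sh
# Added example (not from the article): automates the remote entity provider
# procedure above. Assumptions: ssoadm is at $SSOADM (default ./ssoadm), the
# admin ID and password file come from the environment, and the extended
# template written by create-metadata-templ contains an empty
# <Attribute name="attributeMap"><Value/></Attribute> block that is filled in.
# Set DRY_RUN=1 to print the ssoadm commands instead of running them.

SSOADM="${SSOADM:-./ssoadm}"
ADMIN_ID="${ADMIN_ID:-uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org}"  # AM 7+ form; pre-AM 7 uses amadmin
PASSWORD_FILE="${PASSWORD_FILE:-pwd.txt}"
DRY_RUN="${DRY_RUN:-0}"

# Run one ssoadm subcommand with the admin credentials (or print it in dry-run mode).
run_ssoadm() {
    sub="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        echo "$SSOADM $sub -u $ADMIN_ID -f $PASSWORD_FILE $*"
    else
        "$SSOADM" "$sub" -u "$ADMIN_ID" -f "$PASSWORD_FILE" "$@"
    fi
}

# Step 1: create the circle of trust in the realm ($1 = realm, $2 = COT name).
create_cot() { run_ssoadm create-cot -e "$1" -t "$2"; }

# Step 2: write the standard and extended templates for a remote IdP (-i) or SP (-s).
# $1 = entity ID, $2 = realm/metaAlias, $3 = idp|sp, $4 = standard XML, $5 = extended XML
create_templates() {
    case "$3" in
        idp) opt=-i ;;
        sp)  opt=-s ;;
        *)   echo "entity type must be idp or sp, got '$3'" >&2; return 1 ;;
    esac
    run_ssoadm create-metadata-templ -y "$1" -c saml2 -m "$4" -x "$5" "$opt" "$2"
}

# Step 3: mark the entity as remote by flipping hosted="true" to hosted="false"
# on the EntityConfig element only (a temp file keeps sed portable).
mark_remote() {
    sed '/<EntityConfig /s/hosted="true"/hosted="false"/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 4: replace the empty <Value/> inside the attributeMap block with one
# <Value>providerAttr=localAttr</Value> line per mapping given as an argument.
add_attribute_map() {
    file="$1"; shift
    vals=""
    for pair in "$@"; do
        vals="$vals            <Value>$pair</Value>\n"
    done
    awk -v vals="$vals" '
        /<Attribute name="attributeMap">/ { inmap = 1 }
        inmap && /<Value\/>/ { printf "%s", vals; next }
        /<\/Attribute>/ { inmap = 0 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 5: import both files to create the entity provider in the realm and COT.
import_entity() { run_ssoadm import-entity -e "$1" -t "$2" -c saml2 -m "$3" -x "$4"; }

# Constructed stand-in for the part of an extended template this script edits;
# used only when no real template exists (dry-run mode).
write_sample_extended() {
    cat > "$1" <<'EOF'
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="true" entityID="EmployeeIdP">
    <IDPSSOConfig metaAlias="/employees/idp">
        <Attribute name="attributeMap">
            <Value/>
        </Attribute>
    </IDPSSOConfig>
</EntityConfig>
EOF
}

# Whole procedure: $1 realm, $2 COT, $3 entity ID, $4 metaAlias, $5 idp|sp,
# remaining arguments = attribute mappings such as EmailAddress=mail.
register_remote_entity() {
    realm="$1"; cot="$2"; entity_id="$3"; meta_alias="$4"; kind="$5"; shift 5
    std="${entity_id}-standard.xml"; ext="${entity_id}-extended.xml"
    create_cot "$realm" "$cot"
    create_templates "$entity_id" "$realm/$meta_alias" "$kind" "$std" "$ext"
    if [ "$DRY_RUN" = "1" ] && [ ! -f "$ext" ]; then write_sample_extended "$ext"; fi
    mark_remote "$ext"
    add_attribute_map "$ext" "$@"
    import_entity "$realm" "$cot" "$std" "$ext"
}

# Example run: DRY_RUN=1 RUN_EXAMPLE=1 sh register-remote.sh
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    register_remote_entity employees EmployeeCOT EmployeeIdP idp idp EmailAddress=mail username=uid
fi
```

Each step is its own function so a failing ssoadm call stops the run before the import, and the hosted="true" replacement is anchored to the EntityConfig line so no other attribute in the file is touched.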
See Also
How do I export and import SAML2 metadata in AM (All versions)?
How do I update metadata for an IdP or SP in AM (All versions) using ssoadm?
How do I change the metaAlias for an existing IdP or SP in AM (All versions)?
How do I create a hosted IdP or SP in AM (All versions) using ssoadm?
Related Training
N/A
Related Issue Tracker IDs
N/A