Does not apply to Identity Cloud

How do I register a remote IdP or SP in AM (All versions) using ssoadm?

Last updated Apr 13, 2021

The purpose of this article is to provide information on registering a remote IdP or SP in AM using ssoadm. Using ssoadm allows you to automate the entire entity provider creation process, including adding attribute mapping.



Overview

This article details creating a remote entity provider using ssoadm, from creating the Circle of Trust through to importing the edited metadata.

Registering a remote IdP or SP

You can register a remote IdP or SP using ssoadm as follows: 

  1. Create the Circle of Trust (COT) unless it already exists:

     $ ./ssoadm create-cot -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT]

     replacing [adminID], [passwordfile], [realmname] and [entityCOT] with appropriate values. You will see the following response if this was successful:

     Circle of trust, [entityCOT] was created.
  2. Create the metadata template XML files unless they already exist:

     $ ./ssoadm create-metadata-templ -u [adminID] -f [passwordfile] -y [entityID] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile] [metaAlias]

     replacing [adminID], [passwordfile], [entityID], [metadataXMLfile], [extendedXMLfile] and [metaAlias] with appropriate values, where [metaAlias] is one of the following options and values depending on the type of entity provider you are creating:
    • IdP - use option -i with a value equal to the metaAlias for the remote identity provider, in the format [realm name]/[metaAlias].
    • SP - use option -s with a value equal to the metaAlias for the remote service provider, in the same format as detailed above for the IdP.

For example, if you wanted to create metadata template XML files for your IdP (with an ID of EmployeeIdP and a metaAlias of idp in realm employees), your command would look similar to this:

  • AM 7 and later: $ ./ssoadm create-metadata-templ -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -y EmployeeIdP -c saml2 -m standard.xml -x extended.xml -i employees/idp
  • Pre-AM 7: $ ./ssoadm create-metadata-templ -u amadmin -f pwd.txt -y EmployeeIdP -c saml2 -m standard.xml -x extended.xml -i employees/idp

You will see the following response if this was successful:

Remote entity configuration was written to extended.xml.
Remote entity descriptor was written to standard.xml.

Note

This simple example create-metadata-templ command creates basic template files, which you can use as a starting point for your metadata files. However, you can create more comprehensive template files, if required, by specifying other properties as detailed in Reference › ssoadm create-metadata-templ.

  3. Update the extended metadata file to indicate that it is a remote entity provider you want to create. Change the following hosted="true" value:

     <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
         xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
         hosted="true"

     to hosted="false":

     <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
         xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
         hosted="false"
  4. Update your metadata files as necessary and include any additional details needed. For a remote provider this usually means replacing the generated standard metadata with the metadata the partner actually publishes, so that the endpoints and signing certificate AM trusts are the partner's real ones. If you want to map attributes, you can add attribute mapping to the extended metadata file using the following format:

     <Attribute name="attributeMap">
       <Value>EmailAddress=mail</Value>
       <Value>username=uid</Value>
     </Attribute>

     where the first name in each value (EmailAddress and username in this example) is the attribute name used by the entity provider you are creating, and the second (mail and uid) is the local AM profile attribute it maps to.
  5. Import the metadata files to create the entity provider in AM:

     $ ./ssoadm import-entity -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityCOT], [metadataXMLfile] and [extendedXMLfile] with appropriate values. You will see the following response if this was successful:

     Import file, [metadataXMLfile].
     Import file, [extendedXMLfile].
Note

You can script these changes to fully automate creating entity providers. See How do I make batch changes using ssoadm in AM (All versions)? for further information on scripting ssoadm commands.
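The following Python script is an added example and is not part of the original article or ForgeRock's own code. It automates steps 1 to 5 above for one remote entity: it shells out to ssoadm for create-cot, create-metadata-templ and import-entity, and patches the generated extended metadata itself (hosted="false" plus the attributeMap shown above) instead of editing it by hand, so the same run works for both a remote IdP (-i) and a remote SP (-s). The ssoadm path, the COT name employeesCOT, the output file names, the assumption that list-cots prints one COT name per line, and the trimmed sample extended metadata used to check the patching offline are all assumptions; the admin ID in the usage block is the AM 7 form from the article.

```python
"""Register a remote SAML2 IdP or SP in AM by driving ssoadm (added example,
not ForgeRock's own code). Assumes ./ssoadm exists and that list-cots prints
one COT name per line."""
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "urn:sun:fm:SAML:2.0:entityconfig"
ET.register_namespace("", NS)  # serialise with the default namespace, as the template does

# Constructed, trimmed stand-in for what create-metadata-templ -i writes; used
# to check make_remote() offline before touching a real deployment.
SAMPLE_EXTENDED_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="true" entityID="EmployeeIdP">
  <IDPSSOConfig metaAlias="/employees/idp">
    <Attribute name="attributeMap">
      <Value/>
    </Attribute>
  </IDPSSOConfig>
</EntityConfig>
"""


def make_remote(extended_xml, attribute_map=None):
    """Return the extended metadata with hosted="false" and the attributeMap set.

    attribute_map is {remote attribute name: local attribute name}; each entry
    is written as "EmailAddress=mail", the format the article shows.
    """
    root = ET.fromstring(extended_xml)
    if root.tag != f"{{{NS}}}EntityConfig":
        raise ValueError("not an AM extended metadata document")
    root.set("hosted", "false")  # step 3: a remote, not a hosted, provider
    if attribute_map:
        for role in ("IDPSSOConfig", "SPSSOConfig"):
            cfg = root.find(f"{{{NS}}}{role}")
            if cfg is None:
                continue
            attr = next((a for a in cfg.findall(f"{{{NS}}}Attribute")
                         if a.get("name") == "attributeMap"), None)
            if attr is None:
                attr = ET.SubElement(cfg, f"{{{NS}}}Attribute", name="attributeMap")
            for old in list(attr):  # drop the template's empty placeholder values
                attr.remove(old)
            for remote_name, local_name in attribute_map.items():
                ET.SubElement(attr, f"{{{NS}}}Value").text = f"{remote_name}={local_name}"
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            + ET.tostring(root, encoding="unicode"))


def describe(extended_xml):
    """Summarise hosted flag and attributeMap values, to check a file before import-entity."""
    root = ET.fromstring(extended_xml)
    values = [v.text or "" for a in root.iter(f"{{{NS}}}Attribute")
              if a.get("name") == "attributeMap" for v in a]
    return {"hosted": root.get("hosted"), "attributeMap": values}


def ssoadm(ssoadm_path, admin, password_file, subcommand, *args):
    """Run one ssoadm subcommand with the admin credential; raise on non-zero exit."""
    cmd = [ssoadm_path, subcommand, "-u", admin, "-f", password_file, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def register_remote_entity(entity_id, realm, cot, role, meta_alias, attribute_map, *,
                           admin, password_file, ssoadm_path="./ssoadm",
                           partner_metadata=None, workdir=Path(".")):
    """Steps 1 to 5 of the article for one remote entity; role is "idp" or "sp"."""
    def run(*args):
        return ssoadm(ssoadm_path, admin, password_file, *args)
    standard = workdir / f"{entity_id}-standard.xml"
    extended = workdir / f"{entity_id}-extended.xml"
    # 1. Create the COT only if it is missing (assumes list-cots prints one name per line).
    existing = [line.strip() for line in run("list-cots", "-e", realm).splitlines()]
    if cot not in existing:
        run("create-cot", "-e", realm, "-t", cot)
    # 2. Generate the templates; -i marks a remote IdP, -s a remote SP.
    run("create-metadata-templ", "-y", entity_id, "-c", "saml2",
        "-m", str(standard), "-x", str(extended),
        {"idp": "-i", "sp": "-s"}[role], meta_alias)
    # 3 and 4. Mark it remote and add the attribute map. If the partner's published
    # metadata is supplied it replaces the generated standard template, so the
    # remote endpoints and signing certificate AM trusts are the real ones.
    extended.write_text(make_remote(extended.read_text(), attribute_map))
    if partner_metadata is not None:
        standard.write_text(Path(partner_metadata).read_text())
    # 5. Import both files into the realm and COT.
    run("import-entity", "-e", realm, "-t", cot, "-c", "saml2",
        "-m", str(standard), "-x", str(extended))


if __name__ == "__main__":
    # The article's example values; employeesCOT is an assumed COT name.
    register_remote_entity("EmployeeIdP", "employees", "employeesCOT", "idp", "employees/idp",
                           {"EmailAddress": "mail", "username": "uid"},
                           admin="uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org",
                           password_file="pwd.txt")
```

make_remote() edits the XML through a parser rather than with sed, so it still works when the template puts the attributeMap element in a different place or omits it, and it refuses to touch a file whose root is not an EntityConfig. Run describe() on the patched file before import-entity to confirm hosted="false" and the mapping are what you expect; for pre-AM 7 pass the short admin ID (amadmin) instead of the DN.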

See Also

How do I export and import SAML2 metadata in AM (All versions)?

How do I update metadata for an IdP or SP in AM (All versions) using ssoadm?

How do I change the metaAlias for an existing IdP or SP in AM (All versions)?

How do I create a hosted IdP or SP in AM (All versions) using ssoadm?

SAML Federation in AM

SAML v2.0 Guide



Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.