How do I register a remote IdP or SP in AM (All versions) using ssoadm?

Overview

This article details creating a remote entity provider using ssoadm:

• For details on doing this via Amster or the REST API, see How do I create a SAML2 IdP or SP entity provider in AM (All versions) using REST or Amster?
• For details on creating hosted entity providers using ssoadm, see How do I create a hosted IdP or SP in AM (All versions) using ssoadm?

Registering a remote IdP or SP

You can register a remote IdP or SP using ssoadm as follows:

1. Create the Circle of Trust (COT) unless it already exists: $ ./ssoadm create-cot -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT]replacing [adminID], [passwordfile], [realmname], [entityCOT] with appropriate values. You will see the following response if this was successful: Circle of trust, [entityCOT] was created.
2. Create the metadata template XML files unless they already exist: $ ./ssoadm create-metadata-templ -u [adminID] -f [passwordfile] -y [entityID] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile] [metaAlias]replacing [adminID], [passwordfile], [entityID], [metadataXMLfile], [extendedXMLfile] and [metaAlias] with appropriate values, where [metaAlias] is one of the following options and values depending on the type of entity provider you are creating:
   • IdP - this should be option -i with a value equal to the metaAlias for the remote identity provider and should be in the format: [realm name]/[metaAlias].
   • SP - this should be option -s with a value equal to the metaAlias for the remote service provider and should be in the same format as detailed above for the IdP.

For example, if you wanted to create metadata template XML files for your IdP (with an ID of EmployeeIdP and a metaAlias of idp in realm employees), your command would look similar to this:

• AM 7 and later: $ ./ssoadm create-metadata-templ -u uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org -f pwd.txt -y EmployeeIdP -c saml2 -m standard.xml -x extended.xml -i employees/idp
• Pre-AM 7: $ ./ssoadm create-metadata-templ -u amadmin -f pwd.txt -y EmployeeIdP -c saml2 -m standard.xml -x extended.xml -i employees/idp

You will see the following response if this was successful:Remote entity configuration was written to extended.xml. Remote entity descriptor was written to standard.xml.

3. Update the extended metadata file to indicate it is a remote entity provider you want to create. Change the following hosted="true" value: <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="true"to hosted="false": <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="false"
4. Update your metadata files as necessary and include any additional details needed. If you want to map attributes, you can add attribute mapping to the extended metadata file using the following format: <Attribute name="attributeMap"> <Value>EmailAddress=mail</Value> <Value>username=uid</Value> </Attribute>Where the first attribute listed (EmailAddress and username in this example) are the attributes used by the entity provider you are creating.
5. Import the metadata files to create the entity provider in AM: $ ./ssoadm import-entity -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]replacing [adminID], [passwordfile], [realmname], [entityCOT], [metadataXMLfile] and [extendedXMLfile] with appropriate values. You will see the following response if this was successful: Import file, [metadataXMLfile]. Import file, [extendedXMLfile].

See Also

How do I export and import SAML2 metadata in AM (All versions)?

How do I update metadata for an IdP or SP in AM (All versions) using ssoadm?

How do I change the metaAlias for an existing IdP or SP in AM (All versions)?

How do I create a hosted IdP or SP in AM (All versions) using ssoadm?

SAML 2.0 federation in AM

SAML v2.0

Related Training

N/A

Related Issue Tracker IDs

N/A