How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I change the hostname for a remote IdP or SP entity in AM (All versions)?

Last updated May 10, 2022

The purpose of this article is to provide information on changing the hostname for a remote IdP or SP entity in AM. This article assumes you have already successfully changed the hostname for AM; when you change the hostname for AM by exporting the service configuration and making changes, the hosted IdP or SP is also updated. However, if you have any corresponding remote entity providers on a different AM instance, you need to update them for SAML federation to continue working.


Changing the hostname for a remote IdP or SP entity

When you create a remote IdP or SP entity in AM, the server name is automatically used as the hostname for the entity. If you subsequently change the hostname for AM as described in Changing Host Names, the hosted IdP or SP will also be updated, but you will need to update the hostname for any remote entities.

This example refers to the IdP entity, but you can update the SP entity in the same way. The following URLs are used in this example:

  • Original hostname - http://host1.example.com:18080/openam
  • New hostname - http://openam.new.example.com:28080/openam

You can change a remote IdP's hostname as follows:

  1. Back up AM configuration as described in Backing Up Configurations (AM 7 and later) or How do I make a backup of configuration data in AM 5.x or 6.x?
  2. Export the IdP's standard and extended metadata files using the following ssoadm command:

       $ ./ssoadm export-entity -u [adminID] -f [passwordfile] -e [realmname] -y [entityID] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityID], [metadataXMLfile] and [extendedXMLfile] with appropriate values.
  3. Update all the service location URLs in the standard metadata file by replacing the server name part of each URL with the new server name. For example, the ArtifactResolutionService looked like this before the change:

       <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://host1.example.com:18080/openam/ArtifactResolver/metaAlias/idp"/>

     and like this after the change:

       <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://openam.new.example.com:28080/openam/ArtifactResolver/metaAlias/idp"/>

  4. Update all the service location URLs in the extended metadata file in the same way, including the entityID attribute on the EntityConfig element. For example, the EntityConfig element looks like this after the change:

       <EntityConfig entityID="http://openam.new.example.com:28080/openam" hosted="false" xmlns="urn:sun:fm:SAML:2.0:entityconfig">

  5. Remove the existing remote IdP configuration before importing the modified metadata files, using the following ssoadm command:

       $ ./ssoadm delete-entity -u [adminID] -f [passwordfile] -e [realmname] -y [entityID] -c saml2

     replacing [adminID], [passwordfile], [realmname] and [entityID] with appropriate values.
  6. Import the modified IdP standard and extended metadata files into AM using the following ssoadm command:

       $ ./ssoadm import-entity -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityCOT], [metadataXMLfile] and [extendedXMLfile] with appropriate values.
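The following script is an added example and is not part of this article or of the ForgeRock ssoadm tooling. It carries steps 3 to 6 through on a constructed pair of metadata files: it rewrites every occurrence of the old base URL (the Location, ResponseLocation and entityID attributes all embed it) in both the standard and the extended metadata, refuses to continue if any trace of the old hostname survives, and then prints the delete-entity and import-entity commands from the article instead of running them. The two base URLs and the ArtifactResolver path are the ones used in this article; the other endpoint paths in the sample metadata, the admin ID amAdmin, the password file /tmp/pwd.txt, the realm /, the circle of trust cot1 and the working directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the ForgeRock article. Rewrites the base URL in exported
# SAML2 metadata (standard and extended) and builds the ssoadm commands that
# replace the stale remote entity. Hostnames are the article's; everything else
# (file names, admin ID, password file, realm, circle of trust) is assumed.

OLD_BASE="http://host1.example.com:18080/openam"
NEW_BASE="http://openam.new.example.com:28080/openam"

# Copy a metadata file, replacing every occurrence of OLD_BASE with NEW_BASE.
# The original is left untouched so it can be compared or restored. The function
# fails if the old base URL is still present anywhere in the output, since a single
# missed endpoint would leave federation pointing at the old host.
rewrite_metadata() {
    in_file="$1"
    out_file="$2"
    sed "s|$OLD_BASE|$NEW_BASE|g" "$in_file" > "$out_file" || return 1
    ! grep -q "$OLD_BASE" "$out_file"
}

# Count how many times a base URL appears in a file (before/after verification).
count_refs() {
    grep -o "$2" "$1" | wc -l | tr -d ' '
}

# Build the ssoadm commands from steps 5 and 6: delete the remote entity under its
# OLD entity ID, then import the rewritten files. Values other than the arguments
# are placeholders; the commands are printed, not executed.
ssoadm_commands() {
    old_entity_id="$1"; cot="$2"; meta="$3"; ext="$4"
    printf '%s\n' \
      "./ssoadm delete-entity -u amAdmin -f /tmp/pwd.txt -e / -y $old_entity_id -c saml2" \
      "./ssoadm import-entity -u amAdmin -f /tmp/pwd.txt -e / -t $cot -c saml2 -m $meta -x $ext"
}

# Constructed sample metadata, trimmed to the attributes that carry the hostname.
WORK="$(mktemp -d)"
cat > "$WORK/idp-meta.xml" <<EOF
<EntityDescriptor entityID="$OLD_BASE" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor>
    <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="$OLD_BASE/ArtifactResolver/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$OLD_BASE/IDPSloRedirect/metaAlias/idp" ResponseLocation="$OLD_BASE/IDPSloRedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$OLD_BASE/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
EOF
cat > "$WORK/idp-ext.xml" <<EOF
<EntityConfig entityID="$OLD_BASE" hosted="false" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
  <IDPSSOConfig metaAlias="/idp"/>
</EntityConfig>
EOF

# Steps 3 and 4: rewrite both files into new copies.
rewrite_metadata "$WORK/idp-meta.xml" "$WORK/idp-meta.new.xml"
rewrite_metadata "$WORK/idp-ext.xml"  "$WORK/idp-ext.new.xml"

# Steps 5 and 6: show what would be run against AM.
ssoadm_commands "$OLD_BASE" cot1 "$WORK/idp-meta.new.xml" "$WORK/idp-ext.new.xml"
```

The leftover check in rewrite_metadata is the part worth keeping in a real migration: run it against the rewritten files before the delete-entity step, because once the old remote entity is removed, an import with a half-updated file leaves the circle of trust with no working IdP until the file is corrected and imported again.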

See Also

How do I change the metaAlias for an existing IdP or SP in AM (All versions)?

How do I update metadata for an IdP or SP in AM (All versions) using ssoadm?

How do I export and import SAML2 metadata in AM (All versions)?

SAML Federation in AM

SAML v2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.