How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure AM (All versions) as an IdP when going through a proxy?

Last updated Apr 13, 2021

The purpose of this article is to provide information on configuring AM as a hosted IdP when going through a proxy, such as a load balancer. It assumes you have already created the hosted IdP.



Configuring AM

When you create a hosted IdP in AM, the server name is automatically used as the hostname for the IdP. If you go through a proxy or load balancer, you need to update all pre-populated instances of the hostname with the name of your proxy or load balancer.

The following URLs are used in this example:

  • Server name - http://host1.example.com:18080/openam
  • Load balancer name - http://lb.openam.com:8080/openam

You can configure AM as follows:  

  1. Back up the AM configuration as described in Maintenance Guide › Backing Up Configurations (AM 7 and later) or How do I make a backup of configuration data in AM 5.x or 6.x?
  2. Export the IdP's standard and extended metadata files using the following ssoadm command:

       $ ./ssoadm export-entity -u [adminID] -f [passwordfile] -e [realmname] -y [entityID] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityID], [metadataXMLfile] and [extendedXMLfile] with appropriate values.
  3. Update all the Service location URLs in the standard metadata file by replacing the server name part of each URL with the proxy name. For example, the ArtifactResolutionService looked like this before the change:

       <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://host1.example.com:18080/openam/ArtifactResolver/metaAlias/idp"/>

     and like this after the change:

       <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://lb.openam.com:8080/openam/ArtifactResolver/metaAlias/idp"/>

  4. Update any URLs (other than the entityID) in the extended metadata file by replacing the server name part of each URL with the proxy name. For example, the saeIDPUrl attribute looks like this after the change:

       <Attribute name="saeIDPUrl">
         <Value>http://lb.openam.com:8080/openam/idpsaehandler/metaAlias/idp</Value>
       </Attribute>

  5. Remove the hosted IdP configuration from AM before importing the modified metadata files, using the following ssoadm command:

       $ ./ssoadm delete-entity -u [adminID] -f [passwordfile] -e [realmname] -y [entityID] -c saml2

     replacing [adminID], [passwordfile], [realmname] and [entityID] with appropriate values.
  6. Import the modified IdP's standard and extended metadata files into AM using the following ssoadm command:

       $ ./ssoadm import-entity -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityCOT], [metadataXMLfile] and [extendedXMLfile] with appropriate values.
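Steps 3 and 4 are easy to get wrong by hand on a large metadata file (a stray edit of the entityID breaks the IdP's identity towards every SP). The following script is an added example, not part of this article or of AM, that performs the rewrite mechanically: it swaps the server base URL for the proxy base URL in Location/ResponseLocation attributes and <Value> elements only, and leaves every entityID attribute untouched. The two XML documents are constructed samples modelled on the URLs above, not real exported files.

```python
import xml.etree.ElementTree as ET

OLD_BASE = "http://host1.example.com:18080/openam"  # server name from the article
NEW_BASE = "http://lb.openam.com:8080/openam"       # load balancer name from the article
URL_ATTRS = ("Location", "ResponseLocation")         # attributes that carry service URLs

# Constructed sample of a standard metadata file (trimmed to the relevant elements).
STANDARD_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://host1.example.com:18080/openam">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://host1.example.com:18080/openam/ArtifactResolver/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://host1.example.com:18080/openam/IDPSloRedirect/metaAlias/idp"
        ResponseLocation="http://host1.example.com:18080/openam/IDPSloRedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of an extended metadata file (trimmed to the saeIDPUrl attribute).
EXTENDED_XML = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    entityID="http://host1.example.com:18080/openam" hosted="true">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="saeIDPUrl">
      <Value>http://host1.example.com:18080/openam/idpsaehandler/metaAlias/idp</Value>
    </Attribute>
  </IDPSSOConfig>
</EntityConfig>"""


def rewrite_proxy_urls(xml_text, old_base=OLD_BASE, new_base=NEW_BASE):
    """Return (rewritten XML, number of values changed).

    Only Location/ResponseLocation attributes and <Value> text are rewritten;
    entityID attributes are deliberately left alone, as steps 3 and 4 require.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for elem in root.iter():
        for attr in URL_ATTRS:                       # standard metadata service URLs
            value = elem.get(attr, "")
            if value.startswith(old_base):
                elem.set(attr, new_base + value[len(old_base):])
                changed += 1
        if elem.tag.endswith("}Value") and elem.text and elem.text.strip().startswith(old_base):
            elem.text = new_base + elem.text.strip()[len(old_base):]  # extended metadata URLs
            changed += 1
    if root.tag.startswith("{"):                     # keep the default namespace unprefixed
        ET.register_namespace("", root.tag[1:].split("}")[0])
    return ET.tostring(root, encoding="unicode"), changed
```

Run it over each exported file and compare the change count with the number of service URLs you expect, then check that the entityID in the output still matches the original before deleting and re-importing the entity.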

See Also

SAML Federation in AM

SAML v2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.