This article has been archived and is no longer maintained by ForgeRock.
The process to set up federation in integrated mode is fully documented in AM 5 and later. You should refer to the documentation for these versions: SAML v2.0 Guide › Implementing SAML v2.0 Single Sign-On in Integrated Mode.
However, if you are confident about setting up federation in integrated mode without referring to the documentation, here are the high-level steps (including the key changes you must make that are not so obvious without referring to the documentation):
- Set up federation as usual with OpenAM as the hosted SP.
- Create the SAML2 authentication module and include it in an authentication chain.
- Select the SP entity provider by navigating to: Federation > Circle of Trust Configuration > Entity Providers and click the name of the entity provider that is of type Hosted SP.
- Navigate to Services > Assertion Consumer Service and change the following consumer service locations in the SP configuration:
  - Change the location of the HTTP-Artifact consumer service to use AuthConsumer rather than Consumer. For example, if the location is http://sp.example.com:8080/openam/Consumer/metaAlias/sp, change it to http://sp.example.com:8080/openam/AuthConsumer/metaAlias/sp.
  - Change the location of the HTTP-POST consumer service to use AuthConsumer rather than Consumer, in the same way as for the HTTP-Artifact consumer service.
  - Notify the IdP of these new endpoints if relevant.
  You do not need to change the location of the PAOS service because integrated mode does not support the PAOS binding.
- Test your configuration. First, clear your browser's cache and cookies. Then, attempt to log in to OpenAM using a login URL that references the authentication chain that includes the SAML2 module. For example: http://sp.example.com:8080/openam/XUI/#login/&service=mySAMLChain
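The endpoint change in the steps above is easy to get half-right (one binding updated, the other forgotten, or the PAOS location changed when it should not be), and a mismatch between what the IdP was told and what the SP actually serves shows up only as a failed login. The following Python script is an added example, not ForgeRock code or part of the original article: given the hosted SP's metadata XML (the sample below is constructed to mirror the hostnames used in this article and is not output captured from OpenAM), it reports which AssertionConsumerService locations still point at the standalone Consumer endpoint, rewrites the HTTP-Artifact and HTTP-POST locations to AuthConsumer, and leaves the PAOS location untouched. The function names and the rewritten metadata are this example's own; apply the actual change in the console as described above and use the check to confirm the result before sending the metadata to the IdP.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace and binding URIs (standard values from the SAML 2.0 specifications).
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Bindings that integrated mode serves from the AuthConsumer endpoint.
INTEGRATED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
# Integrated mode does not support PAOS, so its location must stay as it is.
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed sample SP metadata (hypothetical, modelled on the article's sp.example.com URLs).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.com:8080/openam">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.com:8080/openam/Consumer/metaAlias/sp"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com:8080/openam/Consumer/metaAlias/sp"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="http://sp.example.com:8080/openam/Consumer/ECP/metaAlias/sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _acs_elements(root):
    """Yield every AssertionConsumerService element in the metadata."""
    return root.iter("{%s}AssertionConsumerService" % MD_NS)


def check_integrated_mode(metadata_xml):
    """Return a list of problems; an empty list means the SP metadata matches integrated mode.

    HTTP-Artifact and HTTP-POST must use /AuthConsumer/; PAOS must not have been touched.
    """
    problems = []
    root = ET.fromstring(metadata_xml)
    for acs in _acs_elements(root):
        binding = acs.get("Binding", "")
        location = acs.get("Location", "")
        short = binding.rsplit(":", 1)[-1]  # e.g. "HTTP-POST"
        if binding in INTEGRATED_BINDINGS and "/AuthConsumer/" not in location:
            problems.append("%s still uses the standalone endpoint: %s" % (short, location))
        elif binding == PAOS_BINDING and "/AuthConsumer/" in location:
            problems.append("%s must keep the Consumer endpoint: %s" % (short, location))
    return problems


def rewrite_to_integrated_mode(metadata_xml):
    """Return the metadata with HTTP-Artifact and HTTP-POST locations moved to AuthConsumer.

    Only the first "/Consumer/" path segment is replaced, and only for the two
    integrated-mode bindings, so PAOS (".../Consumer/ECP/...") and already-updated
    locations are left unchanged; running this twice is a no-op.
    """
    root = ET.fromstring(metadata_xml)
    for acs in _acs_elements(root):
        if acs.get("Binding") not in INTEGRATED_BINDINGS:
            continue
        location = acs.get("Location", "")
        if "/Consumer/" in location:
            acs.set("Location", location.replace("/Consumer/", "/AuthConsumer/", 1))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("Before:", check_integrated_mode(SAMPLE_SP_METADATA) or "OK")
    updated = rewrite_to_integrated_mode(SAMPLE_SP_METADATA)
    print("After: ", check_integrated_mode(updated) or "OK")
    print(updated)
```

Run the check against the metadata you hand to the IdP, not only against what the console shows: the IdP will post assertions to whatever Location it has on record, and if that still says Consumer the SAML2 authentication module never sees the response.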