How To

How do I set up the SAML2 Authentication module using Integrated Mode in OpenAM 13.x?

Last updated Jan 5, 2021

The purpose of this article is to provide information on setting up federation with the SAML2 Authentication module in OpenAM, where OpenAM is the hosted SP. This information applies when you want to configure SAML2 SSO in integrated mode.

2 readers recommend this article


This article has been archived and is no longer maintained by ForgeRock.

Setting up federation in integrated mode


The process to set up federation in integrated mode is fully documented in AM 5 and later. You should refer to the documentation for these versions: SAML v2.0 Guide › Implementing SAML v2.0 Single Sign-On in Integrated Mode.

However, if you are confident about setting up federation in integrated mode without referring to the documentation, here are the high-level steps (including the key changes you must make that are not so obvious without referring to the documentation):

  1. Set up federation as usual with OpenAM as the hosted SP.
  2. Create the SAML2 authentication module and include it in an authentication chain.
  3. Select the SP entity provider by navigating to: Federation > Circle of Trust Configuration > Entity Providers and click the name of the entity provider that is of type Hosted SP.
  4. Navigate to Services > Assertion Consumer Service and change the following consumer service locations in the SP configuration:
    • Change the location of the HTTP-Artifact consumer service to use AuthConsumer rather than Consumer. For example, if the location is, change it to
    • Change the location of the HTTP-POST consumer service to use AuthConsumer rather than Consumer as per the HTTP-Artifact consumer service.
    These changes are necessary and imply that you cannot have both the SAML2 authentication module and non-integrated federation on the same SP.
  5. Notify the IdP of these new endpoints if relevant. 

You do not need to change the location of the PAOS service because integrated mode does not support the PAOS binding.

  1. Test your configuration. First, clear your browser's cache and cookies. Then, attempt to log in to OpenAM using a login URL that references the authentication chain that includes the SAML2 module. For example:

See Also

How do I configure the SAML2 Authentication module for Local Account Linking in AM (All versions)?

FAQ: SAML federation in AM

SAML Federation in AM

Authentication and Single Sign-On Guide › SAML2 Authentication Module

Related Training


Related Issue Tracker IDs

OPENAM-8071 (Documentation on SAML2 Authn module: add a reference for the need to modify the SP Assertion Consumer Service endpoints)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.