ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I create a hosted IdP or SP in AM (All versions) using ssoadm?

Last updated May 10, 2022

The purpose of this article is to provide information on creating a hosted IdP or SP in AM using ssoadm. Using ssoadm allows you to automate the entire entity provider creation process, including adding attribute mapping.


Overview

This article details creating a hosted entity provider using ssoadm:

Creating a hosted IdP or SP

You can create a hosted IdP or SP using ssoadm as follows:

  1. Create the Circle of Trust (COT) unless it already exists:

     $ ./ssoadm create-cot -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT]

     replacing [adminID], [passwordfile], [realmname] and [entityCOT] with appropriate values. You will see the following response if this was successful:

     Circle of trust, [entityCOT] was created.

  2. Create the metadata template XML files unless they already exist:

     $ ./ssoadm create-metadata-templ -u [adminID] -f [passwordfile] -y [entityID] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile] [metaAlias]

     replacing [adminID], [passwordfile], [entityID], [metadataXMLfile], [extendedXMLfile] and [metaAlias] with appropriate values, where [metaAlias] is one of the following options and values depending on the type of entity provider you are creating:
    • IdP - use option -i with a value equal to the metaAlias for the hosted identity provider, in the format [realm name]/[metaAlias]; for example, -i /idp for a metaAlias of idp in the top level realm.
    • SP - use option -s with a value equal to the metaAlias for the hosted service provider, in the same format as detailed above for the IdP.

For example, if you wanted to create metadata template XML files for your IdP (with an ID of EmployeeIdP and a metaAlias of idp in realm employees), your command would look similar to this:

  • AM 7 and later: $ ./ssoadm create-metadata-templ -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -y EmployeeIdP -c saml2 -m standard.xml -x extended.xml -i employees/idp
  • Pre-AM 7: $ ./ssoadm create-metadata-templ -u amadmin -f pwd.txt -y EmployeeIdP -c saml2 -m standard.xml -x extended.xml -i employees/idp

You will see the following response if this was successful:

  Hosted entity configuration was written to extended.xml.
  Hosted entity descriptor was written to standard.xml.

Note

This simple example create-metadata-templ command creates basic template files, which you can use as a starting point for your metadata files. However, you can create more comprehensive template files, if required, by specifying other properties as detailed in ssoadm create-metadata-templ.

  3. Update your metadata files as necessary and include any additional details needed. If you want to map attributes, you can add attribute mapping to the extended metadata file using the following format:

     <Attribute name="attributeMap">
         <Value>EmailAddress=mail</Value>
         <Value>username=uid</Value>
     </Attribute>

     where the first attribute in each mapping (EmailAddress and username in this example) is the attribute name used by the entity provider you are creating.

  4. Import the metadata files to create the entity provider in AM:

     $ ./ssoadm import-entity -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityCOT], [metadataXMLfile] and [extendedXMLfile] with appropriate values. You will see the following response if this was successful:

     Import file, [metadataXMLfile].
     Import file, [extendedXMLfile].

Note

You could script these changes to fully automate updating your entity providers. See How do I make batch changes using ssoadm in AM (All versions)? for further information on scripting ssoadm commands.
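The four steps above chained into one POSIX sh script, as an added example that is not from the article or from ForgeRock. The admin ID, password file, realm, COT name, entity ID and metaAlias are constructed sample values; with DRY_RUN=1 (the default) the ssoadm commands are printed rather than executed, and attribute_map_xml builds the attributeMap element you paste into extended.xml before the import.

```shell
#!/bin/sh
# Added example (not ForgeRock code): automate hosted IdP creation with ssoadm.
# Assumptions: SSOADM points at the ssoadm script; all other values are
# constructed samples and can be overridden through the environment.
set -eu

SSOADM="${SSOADM:-./ssoadm}"
# AM 7+ admin ID form; pre-AM 7 deployments use the plain "amadmin" form.
ADMIN_ID="${ADMIN_ID:-uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org}"
PWD_FILE="${PWD_FILE:-pwd.txt}"
REALM="${REALM:-employees}"
COT="${COT:-EmployeeCOT}"            # constructed sample COT name
ENTITY_ID="${ENTITY_ID:-EmployeeIdP}"
META_ALIAS="${META_ALIAS:-employees/idp}"   # [realm]/[metaAlias], -i for an IdP
DRY_RUN="${DRY_RUN:-1}"

# Emit an <Attribute name="attributeMap"> element from "remote=local" pairs.
# The name before '=' is what the entity provider uses; the name after it is
# the AM profile attribute. A malformed pair fails the function.
attribute_map_xml() {
  printf '<Attribute name="attributeMap">\n'
  for pair in "$@"; do
    case "$pair" in
      ?*=?*) printf '    <Value>%s</Value>\n' "$pair" ;;
      *) echo "bad mapping '$pair' (want remote=local)" >&2; return 1 ;;
    esac
  done
  printf '</Attribute>\n'
}

# Print the command in dry-run mode, otherwise execute it (set -e stops on error).
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Steps 1, 2 and 4 of the article; step 3 is the manual edit of extended.xml.
create_hosted_idp() {
  run "$SSOADM" create-cot -u "$ADMIN_ID" -f "$PWD_FILE" -e "$REALM" -t "$COT"
  run "$SSOADM" create-metadata-templ -u "$ADMIN_ID" -f "$PWD_FILE" -y "$ENTITY_ID" \
      -c saml2 -m standard.xml -x extended.xml -i "$META_ALIAS"
  # Edit extended.xml here (e.g. insert the output of attribute_map_xml), then:
  run "$SSOADM" import-entity -u "$ADMIN_ID" -f "$PWD_FILE" -e "$REALM" -t "$COT" \
      -c saml2 -m standard.xml -x extended.xml
}
```

Run with DRY_RUN=0 once the printed commands look right for your deployment.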

See Also

How do I export and import SAML2 metadata in AM (All versions)?

How do I update metadata for an IdP or SP in AM (All versions) using ssoadm?

How do I change the metaAlias for an existing IdP or SP in AM (All versions)?

SAML Federation in AM

SAML v2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.