ForgeRock OpenAM

SAML 2.0 IDP/RP FICAM SAML 2.0 Web SSO Profile


 
 
 

Install/Configuration Guide

July 2013


 

 


 

Table of Contents

 About
 Link
 ForgeRock Binaries
 Additional Software Used in Install
 Pre-Install
 Install
 Configuration


 
 
 

About

This document describes the steps necessary to install and configure ForgeRock’s OpenAM to conform to the Federal Identity, Credential, and Access Management (FICAM) SAML 2.0 Web SSO Profile.  The service provider (SP) and identity provider (IDP) roles are each hosted on a separate OpenAM instance (am1.ssobridge.com and am2.ssobridge.com below).  Most of the setup is ordinary OpenAM SAML 2.0 federation; the profile-specific work is the assurance-level (LOA) mapping, which is added to the entity metadata by hand in the final sections.


 

http://www.idmanagement.gov/sites/default/files/documents/SAML20_Web_SSO_Profile.pdf


 

ForgeRock Binaries

OpenAM: 

https://download.forgerock.com/#/openam 

  • The user will be asked to fill out a registration form to access the ForgeRock Binaries.  

  • Once the registration is filled out, select the 10.1 Deployable war and save the file.


 

OpenDJ: (Optional)

Note:  OpenAM ships with an embedded OpenDJ instance for its configuration store.  Download OpenDJ only if an external directory will be used instead; this guide uses the embedded instance.

http://download.forgerock.org/downloads/opendj/2.5.0-Xpress1/OpenDJ-2.5.0-Xpress1.zip 


 

Additional Software Used in Install

  • Ubuntu 12.10 (OpenAM supports a wide variety of operating systems in addition to Ubuntu)

  • JDK (OpenJDK 7)

  • J2EE Container (Tomcat 7)


 

VM Settings:

OS credentials:  forgerock/forgerock (lab VMs only; these credentials are not suitable for anything reachable outside the test network)

Hostname:  am1.ssobridge.com

Note: Two VMs are used for testing, one hosting the SP and one hosting the IDP.  Both use the same OS credentials; the second VM is am2.ssobridge.com.  Both hostnames must resolve from each VM and from the test browser, since every SAML endpoint in the metadata below is an https://amN.ssobridge.com:8443/openam/... URL.

Pre-Install

  • Download OpenAM from the ForgeRock site using the links above.

  • Install OpenJDK 7

    • sudo apt-get install openjdk-7-jdk

  • Install Tomcat 7

    • sudo apt-get install tomcat7

  • Change the Tomcat 7 configuration for SSL: enable the HTTPS connector on port 8443 in /var/lib/tomcat7/conf/server.xml and point its keystoreFile and keystorePass attributes at the keystore created in the next step.  Every URL in this guide uses https://amN.ssobridge.com:8443/openam.

  • Create SSL certificates for Tomcat 7 (next section).


 
 

Create Certificates for Tomcat 7

For OpenAM to be reached over HTTPS, Tomcat on each VM needs a keystore holding that server’s certificate, and the Java truststore on each VM needs the other server’s certificate.  The cross-trust matters later in this guide: registering a remote provider fetches its metadata over HTTPS, and the HTTP-Artifact binding used here has the SP call the IDP’s SOAP ArtifactResolutionService over HTTPS.  Both fail if Java on the calling side does not trust the other server’s certificate.

Note:  The certificates are self-signed and use SHA256withRSA with 2048-bit keys.  keytool’s default validity is 90 days; add -validity <days> to the -genkey commands if the lab will outlive that, otherwise the HTTPS connections and the metadata exchange start failing when the certificates expire.

  • From a terminal, cd /var/lib/tomcat7/conf

  • On the SP VM (am1), generate the keystore and key pair:  sudo keytool -genkey -alias am1.ssobridge.com -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore keystore.jks

  • On the IDP VM (am2), do the same with its own alias:  sudo keytool -genkey -alias am2.ssobridge.com -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore keystore.jks

  • keytool prompts for a keystore password (this guide uses “changeit”), the certificate’s distinguished name and a key password.  Give the key the same password as the keystore, because Tomcat’s JSSE connector opens the key with keystorePass unless keyPass is set separately.  Use the hostname (am1.ssobridge.com or am2.ssobridge.com) as the CN so that hostname verification on the HTTPS connections succeeds, and make sure the tomcat7 user can read the resulting keystore.jks.

Once the certificates exist, each must be exported (the certificate only, never the private key) and imported into the other VM’s truststore.  For the SP:

  • cd /var/lib/tomcat7/conf

  • sudo keytool -export -alias am1.ssobridge.com -file am1.ssobridge.com.crt -keystore keystore.jks

  • Enter the keystore password (“changeit”).  The certificate is now in am1.ssobridge.com.crt in the current directory.

  • Copy am1.ssobridge.com.crt to the IDP VM (with scp, for example).

  • On the IDP VM, change to the directory holding the JRE truststore:  cd /usr/lib/jvm/java-7-openjdk-i386/jre/lib/security   (on a 64-bit install the path contains java-7-openjdk-amd64; readlink -f $(which java) shows which JRE is installed)

  • Copy the certificate file into this directory, for example sudo cp /path/to/am1.ssobridge.com.crt .   Do not copy it over cacerts itself: cacerts is the truststore and must be modified with keytool, not replaced by a certificate file.

  • Import the certificate into the truststore:  sudo keytool -keystore cacerts -importcert -alias am1.ssobridge.com -file am1.ssobridge.com.crt   The default cacerts password is “changeit”; answer yes when asked whether to trust the certificate.

Now that the IDP trusts the SP’s certificate, the SP must trust the IDP’s:

  • cd /var/lib/tomcat7/conf

  • sudo keytool -export -alias am2.ssobridge.com -file am2.ssobridge.com.crt -keystore keystore.jks

  • Enter the keystore password (“changeit”).  The certificate is now in am2.ssobridge.com.crt in the current directory.

  • Copy am2.ssobridge.com.crt to the SP VM.

  • On the SP VM:  cd /usr/lib/jvm/java-7-openjdk-i386/jre/lib/security   (adjusting the architecture in the path as above)

  • sudo cp /path/to/am2.ssobridge.com.crt .

  • sudo keytool -keystore cacerts -importcert -alias am2.ssobridge.com -file am2.ssobridge.com.crt

Confirm each import with keytool -list -keystore cacerts -alias am2.ssobridge.com (and am1.ssobridge.com on the other VM), then restart Tomcat so the JVM reads the updated truststore.  Two caveats for anything beyond a lab: importing into the JRE’s cacerts makes every Java process on the machine trust these certificates, and a JDK or ca-certificates package update can regenerate the file and silently drop the import.  A dedicated truststore passed to Tomcat with -Djavax.net.ssl.trustStore avoids both problems.


 

Install

  • mv openam_10.0.1.war openam.war

  • sudo cp openam.war /var/lib/tomcat7/webapps/.

  • Restart Tomcat (required unless the Tomcat Host has autoDeploy enabled, in which case the new war is picked up automatically)

    • sudo /etc/init.d/tomcat7 restart

  • In a web browser, go to https://am1.ssobridge.com:8443/openam (the browser will warn about the self-signed certificate; this is expected in the lab).  Repeat the installation on am2.

    • Note:  if you get an error about insufficient privileges to /usr/share/tomcat7, grant the tomcat7 user read/write access to that directory.  The configurator writes the OpenAM configuration into the tomcat7 user’s home directory, /usr/share/tomcat7/openam, which is also where the OpenAM keystore used later in this guide lives.


  
 

Click on “Create New Configuration” and work through the configurator wizard.  The wizard screenshots from the original page are not reproduced; the passwords they showed, in order, were:

Password:  forgerock  (the amadmin password; the rest of this guide logs in with it)

Password:  ag3ntp@ss  (the policy agent user password, which the wizard requires to differ from the amadmin password)

Password:  forgerock

Create Certificates for OpenAM

Note: This task is performed on both VMs, https://am1.ssobridge.com:8443/openam and https://am2.ssobridge.com:8443/openam.  The Tomcat keystore created above secures the HTTPS connection; the keystore in this section is the one OpenAM itself uses to sign SAML messages.

  • Change to the OpenAM configuration directory:

cd /usr/share/tomcat7/openam/openam

  • Confirm that keystore.jks is present, then create a SHA256withRSA signing key pair in it:

sudo keytool -genkey -alias testSHA -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore keystore.jks

  • keytool asks for the keystore and key passwords.  They must be the passwords OpenAM has configured for this keystore (held in the .storepass and .keypass files in the same directory; “changeit” on a default install), otherwise OpenAM cannot open the key.  Consider adding -validity here as well: the certificates that appear in the exported metadata below were issued with keytool’s 90-day default and expire in November 2013.  Note also that keytool stores aliases case-insensitively, which is why the alias shows up as testsha in the exported extended metadata later in this guide.

  • Once created, the key is available in the OpenAM keystore and appears in the Signing Key drop-down menus used in the Configuration section.


 

Configuration


 

Configuration for Hosted Service Provider:

Note: This task is performed on the https://am1.ssobridge.com:8443/openam VM.

  • On the Common Tasks tab, click Create Hosted Service Provider.  The Create a SAMLv2 Service Provider on this Server page opens.

  • “Do you have metadata for this provider?” can be left at the default, No.

  • Select the signing key from the Signing Key drop-down: use the testSHA key created in the OpenAM keystore above (listed as testsha).  The bundled test key is identical on every OpenAM install and is only suitable for demonstrations.

  • Create a new circle of trust.  This guide uses the name cot1 (the screenshot is not reproduced); the same name is entered on the IDP later.

  • Leave the Attribute Mapping box checked for the default mapping.

  • Click Configure in the top right-hand corner to configure the service provider.

  • When asked whether to create a remote identity provider now, select No; it is registered from its metadata in a later step.

  • On the Your Service Provider has been configured page, click Finish to return to the Common Tasks tab.


 

Configuration for the Hosted Identity Provider:

Note: This task is performed on the https://am2.ssobridge.com:8443/openam VM.

  • On the Common Tasks tab, click Create Hosted Identity Provider.  The Create a SAMLv2 Identity Provider on this Server page opens.

  • “Do you have metadata for this provider?” can be left at the default, No.

  • Select the signing key from the Signing Key drop-down.  The list shows the keys present in the OpenAM keystore; choose the testSHA key created above rather than the bundled test key, which is identical on every OpenAM install and is not suitable for production.

  • Enter the same circle of trust name as on the service provider (cot1).

  • Click Configure in the top right-hand corner to configure the identity provider.

  • On the Your Identity Provider has been configured page, click Finish to return to the Common Tasks tab.


 

Configuration for the Remote Service Provider:

Note: This task is performed on the https://am2.ssobridge.com:8443/openam VM.

  • On the Common Tasks tab, click Register Remote Service Provider.  The Create a SAMLv2 Remote Service Provider page opens.

  • “Where does the metadata file reside?” can be left at the default, URL.

  • Enter the URL of the hosted service provider’s metadata (the screenshot is not reproduced).  OpenAM publishes a hosted entity’s metadata at saml2/jsp/exportmetadata.jsp, so for the SP on am1 this is https://am1.ssobridge.com:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://am1.ssobridge.com:8443/openam&realm=/   The IDP fetches this over HTTPS, which is why am1’s certificate was imported into am2’s truststore earlier.

  • Click Configure in the top right-hand corner.  A pop-up confirms that the service provider has been configured; click OK to return to the Common Tasks tab.


 

Configuration for the Remote Identity Provider:

Note: This task is performed on the https://am1.ssobridge.com:8443/openam VM.

  • On the Common Tasks tab, click Register Remote Identity Provider.  The Create a SAMLv2 Remote Identity Provider page opens.

  • “Where does the metadata file reside?” can be left at the default, URL.

  • Enter the URL of the hosted identity provider’s metadata (the screenshot is not reproduced): https://am2.ssobridge.com:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=https://am2.ssobridge.com:8443/openam&realm=/   This fetch only succeeds because am2’s certificate was imported into am1’s truststore earlier.

  • Click Configure in the top right-hand corner.  A pop-up confirms that the identity provider has been configured; click OK to return to the Common Tasks tab.


 

Testing the connection

  • First, make sure the two OpenAM instances do not share a cookie domain.  Both set a session cookie named iPlanetDirectoryPro; if both scope it to the parent domain ssobridge.com, the SP and IDP sessions overwrite each other in the test browser and the test fails in confusing ways.

  • Click on the Configuration tab.

  • Click on the System tab.

  • Select Platform from the System Properties.

  • If the Cookie Domains list shows ssobridge.com, change the value to am1.ssobridge.com on the service provider and to am2.ssobridge.com on the identity provider.

  • Click Save in the upper right-hand corner.

  • Click Back to Service Configuration.

  • Click the Common Tasks tab.

  • Select Test Federation Connectivity.

  • Select the radio button for the circle of trust (cot1) in the Circle of Trust table.

  • The identity provider and service provider URLs are displayed and the Start Test button becomes active.  Click Start Test.

  • Select OK to run the federation connectivity test.

  • The Federation Connectivity Test page appears.

  • Sign in to the identity provider with user name ‘demo’ and password ‘changeit’.

  • Sign in to the service provider with user name ‘demo’ and password ‘changeit’.

  • When the Single Sign On step appears, enter the same user name and password.  The test federates the two accounts and then exercises single sign-on between the providers.

The demo/changeit account is a default test user present on every OpenAM install; remove or disable it before anything other than lab use.


 

Options to set inside of SP

  • From the main menu, select the Federation tab.

  • Select the SP from Entity Providers.

  • On the Assertion Content tab, check Authentication Requests Signed and Assertions Signed.  These become AuthnRequestsSigned="true" and WantAssertionsSigned="true" on the SPSSODescriptor in the exported metadata below, so the SP signs every AuthnRequest and rejects unsigned assertions.

  • Click Save.

  • Click Back.


 

Options to set inside of IDP

  • From the main menu, select the Federation tab.

  • Select the IDP from Entity Providers.

  • On the Assertion Content tab, check Artifact Resolve Signed.  This sets wantArtifactResolveSigned=true in the IDP’s extended metadata, so the IDP only answers ArtifactResolve requests signed by the SP.  It matters here because the SP’s default AssertionConsumerService binding in the metadata below is HTTP-Artifact, so this SOAP back-channel is the one actually used.  Note that the exported IDP metadata below still has WantAuthnRequestsSigned="false": the SP signs its requests, but the IDP does not require it.  If the IDP should enforce that, also check Authentication Requests Signed on this tab.

  • Click Save.

  • Click Back.


 
 
 

Activation for ssoadm.jsp

The Levels of Assurance (LOA) mapping is set by editing the entity metadata, which is done through ssoadm.jsp.  That page is disabled by default and must be enabled first:

  • Log in to OpenAM as amadmin with the password forgerock.

  • Click on the Configuration tab.

  • Select the Servers and Sites tab.

  • Select the server that is being used.

  • Click on the Advanced tab.

  • Click Add to create a new property.

  • Enter ‘ssoadm.disabled’ as the property name and ‘false’ as the property value.

  • Select Save.

  • Restart Tomcat with sudo /etc/init.d/tomcat7 restart.

ssoadm.jsp exposes the full ssoadm command set to anyone who reaches the URL with an amadmin session.  Set ssoadm.disabled back to true (or remove the property) once the metadata edits are done.


 

Editing the metadata for the Service Provider

  • Log in to OpenAM as amadmin on the service provider machine.

  • Browse to https://am1.ssobridge.com:8443/openam/ssoadm.jsp

  • Scroll down and select export-entity.

  • For Entity ID enter https://am1.ssobridge.com:8443/openam

  • For Realm where data resides enter /

  • Leave Set this flag to sign the metadata unchecked.

  • Check the Metadata box.

  • Check the Extended data box.

  • Enter saml2 in the Specify metadata specification box.

  • Select Submit.

  • The metadata is displayed; copy it and paste it into a text editor.

  • The export contains two documents, reproduced below.  The original page highlighted the lines to add in red; that highlighting is lost here.  What must be inserted by hand on the SP is the FICAM assurance-level mapping in the extended metadata: the four http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevelN|N| values in spAuthncontextClassrefMapping, alongside the existing PasswordProtectedTransport|0|default entry.  The level numbers must match the ones the IDP uses for the same URIs.


 

Standard Metadata

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<EntityDescriptor entityID="https://am1.ssobridge.com:8443/openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

   <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

       <KeyDescriptor use="signing">

           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

               <ds:X509Data>

                   <ds:X509Certificate>

MIIDazCCAlOgAwIBAgIENwhy2TANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJVUzELMAkGA1UE

CBMCV0ExEjAQBgNVBAcTCVZhbmNvdXZlcjEWMBQGA1UEChMNRm9yZ2VSb2NrLmNvbTEMMAoGA1UE

CxMDRW5nMRAwDgYDVQQDEwd0ZXN0U0hBMB4XDTEzMDgxNTE3NTY0M1oXDTEzMTExMzE3NTY0M1ow

ZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRIwEAYDVQQHEwlWYW5jb3V2ZXIxFjAUBgNVBAoT

DUZvcmdlUm9jay5jb20xDDAKBgNVBAsTA0VuZzEQMA4GA1UEAxMHdGVzdFNIQTCCASIwDQYJKoZI

hvcNAQEBBQADggEPADCCAQoCggEBAIXCwp7knXmvjDJn9B+Rv7YmskL/4oXgUhLLmE+f34rnbZ7F

YynPAIf4SldFq4pmTjW3BQlc2wHGhWjb9DlfWmsUBWGZNEUtH/zgngoiHKFTn3XjuvZxlD4k0fd0

31h5dvkEgbOI3VlHvRvQP7qxpKZtQ/KoXZ5p9e3xex4pYNkK0qdG4GXLLKcI9hgzwKQvfBgKq/74

yMrsGgFJIa+HXouxaMrvh0pe+tiSgznhw6hz0uezPzpl2/X12pwSIVN1HCGfcSzXyiIf2zMMPkNv

JlFcbvXxt0Q6ifJzwzzlWCkQ8HrthgHdBQhXa3bkvzL3CntX/eReriV0R5+5oV0r4VECAwEAAaMh

MB8wHQYDVR0OBBYEFFAMgFj0RPhx2vB+lhmXIpaOj5mBMA0GCSqGSIb3DQEBCwUAA4IBAQA74MJU

UXpxLwK62XJx3XDVSzSHALNZaDNjh31WBr1y5w4xhch1mBSE87+6iDvlFym+pcLM9YHDMvTmcqVC

zS+z+5KV+rkAmYZgyOJZSlqJd2MnoK+obl6y4yZWQtmhUuRULs0CBsMcQUxbRW6Y7GjChdVfjq+Z

UoqG8X5CELrGExvN73/pgUHkXJltyM8kylBJS3g4TtnHfBlwY6wr1oXhofPhOZKSLTwy9FWDuYbY

lNoYOmy9aBiY3n6RIwQWQfF8vkzN0D3n8UVq5aJQmV6jYoLg1y+/A78X6LM+lxd6PbIkCjpYNyy2

AawrNuUfntblnOda/bFE7aBlcz68UP7N

                   </ds:X509Certificate>

               </ds:X509Data>

           </ds:KeyInfo>

       </KeyDescriptor>

       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://am1.ssobridge.com:8443/openam/SPSloRedirect/metaAlias/sp" ResponseLocation="https://am1.ssobridge.com:8443/openam/SPSloRedirect/metaAlias/sp"/>

       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://am1.ssobridge.com:8443/openam/SPSloPOST/metaAlias/sp" ResponseLocation="https://am1.ssobridge.com:8443/openam/SPSloPOST/metaAlias/sp"/>

       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://am1.ssobridge.com:8443/openam/SPSloSoap/metaAlias/sp"/>

       <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://am1.ssobridge.com:8443/openam/SPMniRedirect/metaAlias/sp" ResponseLocation="https://am1.ssobridge.com:8443/openam/SPMniRedirect/metaAlias/sp"/>

       <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://am1.ssobridge.com:8443/openam/SPMniPOST/metaAlias/sp" ResponseLocation="https://am1.ssobridge.com:8443/openam/SPMniPOST/metaAlias/sp"/>

       <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://am1.ssobridge.com:8443/openam/SPMniSoap/metaAlias/sp" ResponseLocation="https://am1.ssobridge.com:8443/openam/SPMniSoap/metaAlias/sp"/>

       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>

       <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://am1.ssobridge.com:8443/openam/Consumer/metaAlias/sp"/>

       <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://am1.ssobridge.com:8443/openam/Consumer/metaAlias/sp"/>

       <AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://am1.ssobridge.com:8443/openam/Consumer/ECP/metaAlias/sp"/>

   </SPSSODescriptor>

</EntityDescriptor>
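Several of the steps above can only be confirmed by reading the exported metadata: that the SP really signs requests and demands signed assertions, that its default consumer binding is HTTP-Artifact (which is what makes the IDP’s Artifact Resolve setting matter), and that the signing certificate is a SHA256withRSA key rather than something weaker.  The following Python script is an added example, not part of the original page or of OpenAM.  It parses a trimmed copy of the SP standard metadata above (the certificate is verbatim; the other endpoints were dropped to keep it short) using only the standard library, and walks the certificate’s DER encoding directly to read the signature algorithm and validity dates.  It also makes keytool’s 90-day default validity visible: the certificate in this export expires exactly 90 days after it was created.

```python
"""Check an exported OpenAM SP metadata document for the settings this guide sets.

Added example (not from the page or from OpenAM): stdlib only, runs offline.
SP_METADATA is a trimmed copy of the SP "Standard Metadata" export in this guide;
the certificate is verbatim, other endpoints were dropped for brevity.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# DER value bytes of OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")

SP_METADATA = """<EntityDescriptor entityID="https://am1.ssobridge.com:8443/openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
   <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <KeyDescriptor use="signing">
           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:X509Data>
                   <ds:X509Certificate>
MIIDazCCAlOgAwIBAgIENwhy2TANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJVUzELMAkGA1UE
CBMCV0ExEjAQBgNVBAcTCVZhbmNvdXZlcjEWMBQGA1UEChMNRm9yZ2VSb2NrLmNvbTEMMAoGA1UE
CxMDRW5nMRAwDgYDVQQDEwd0ZXN0U0hBMB4XDTEzMDgxNTE3NTY0M1oXDTEzMTExMzE3NTY0M1ow
ZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRIwEAYDVQQHEwlWYW5jb3V2ZXIxFjAUBgNVBAoT
DUZvcmdlUm9jay5jb20xDDAKBgNVBAsTA0VuZzEQMA4GA1UEAxMHdGVzdFNIQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAIXCwp7knXmvjDJn9B+Rv7YmskL/4oXgUhLLmE+f34rnbZ7F
YynPAIf4SldFq4pmTjW3BQlc2wHGhWjb9DlfWmsUBWGZNEUtH/zgngoiHKFTn3XjuvZxlD4k0fd0
31h5dvkEgbOI3VlHvRvQP7qxpKZtQ/KoXZ5p9e3xex4pYNkK0qdG4GXLLKcI9hgzwKQvfBgKq/74
yMrsGgFJIa+HXouxaMrvh0pe+tiSgznhw6hz0uezPzpl2/X12pwSIVN1HCGfcSzXyiIf2zMMPkNv
JlFcbvXxt0Q6ifJzwzzlWCkQ8HrthgHdBQhXa3bkvzL3CntX/eReriV0R5+5oV0r4VECAwEAAaMh
MB8wHQYDVR0OBBYEFFAMgFj0RPhx2vB+lhmXIpaOj5mBMA0GCSqGSIb3DQEBCwUAA4IBAQA74MJU
UXpxLwK62XJx3XDVSzSHALNZaDNjh31WBr1y5w4xhch1mBSE87+6iDvlFym+pcLM9YHDMvTmcqVC
zS+z+5KV+rkAmYZgyOJZSlqJd2MnoK+obl6y4yZWQtmhUuRULs0CBsMcQUxbRW6Y7GjChdVfjq+Z
UoqG8X5CELrGExvN73/pgUHkXJltyM8kylBJS3g4TtnHfBlwY6wr1oXhofPhOZKSLTwy9FWDuYbY
lNoYOmy9aBiY3n6RIwQWQfF8vkzN0D3n8UVq5aJQmV6jYoLg1y+/A78X6LM+lxd6PbIkCjpYNyy2
AawrNuUfntblnOda/bFE7aBlcz68UP7N
                   </ds:X509Certificate>
               </ds:X509Data>
           </ds:KeyInfo>
       </KeyDescriptor>
       <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://am1.ssobridge.com:8443/openam/Consumer/metaAlias/sp"/>
   </SPSSODescriptor>
</EntityDescriptor>
"""


def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield the TLVs directly contained in buf[start:end]."""
    while start < end:
        tlv = der_tlv(buf, start)
        yield tlv
        start = tlv[2]


def der_time(buf, tlv):
    """Decode UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    tag, s, e = tlv
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(buf[s:e].decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def inspect_certificate(der):
    """Read signature algorithm and validity from a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, s, e = der_tlv(der, 0)
    tbs, sig_alg, _ = list(der_children(der, s, e))
    fields = list(der_children(der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:               # explicit [0] version tag present (v3 certs)
        fields = fields[1:]
    validity = fields[3]
    not_before, not_after = [der_time(der, t) for t in der_children(der, validity[1], validity[2])]
    oid = next(der_children(der, sig_alg[1], sig_alg[2]))   # AlgorithmIdentifier.algorithm
    return {
        "sha256_with_rsa": der[oid[1]:oid[2]] == SHA256_WITH_RSA,
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "validity_days": (not_after - not_before).days,
    }


def check_sp_metadata(xml_text):
    """Report the SP flags this guide sets plus facts about its signing certificate."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    sp = root.find(MD + "SPSSODescriptor")
    cert_b64 = "".join(sp.find(".//" + DS + "X509Certificate").text.split())
    default_acs = [a for a in sp.findall(MD + "AssertionConsumerService") if a.get("isDefault") == "true"]
    report = {
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "default_acs_binding": default_acs[0].get("Binding").rsplit(":", 1)[1] if default_acs else None,
    }
    report.update(inspect_certificate(base64.b64decode(cert_b64)))
    return report


if __name__ == "__main__":
    for key, value in check_sp_metadata(SP_METADATA).items():
        print(f"{key:24} {value}")
```

Run as-is it prints the report for the metadata in this guide; to check a live instance, feed check_sp_metadata the document served by exportmetadata.jsp.  The DER walker reads only the fields it needs and assumes a well-formed certificate produced by keytool; it is not a substitute for a real X.509 parser on untrusted input.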


 

Extended Metadata

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<EntityConfig entityID="https://am1.ssobridge.com:8443/openam" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">

   <SPSSOConfig metaAlias="/sp">

       <Attribute name="appLogoutUrl">

           <Value/>

       </Attribute>

       <Attribute name="spAdapterEnv"/>

       <Attribute name="useIntroductionForIDPProxy">

           <Value>false</Value>

       </Attribute>

       <Attribute name="spAdapter">

           <Value/>

       </Attribute>

       <Attribute name="intermediateUrl">

           <Value/>

       </Attribute>

       <Attribute name="spAccountMapper">

           <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>

       </Attribute>

       <Attribute name="signingCertAlias">

           <Value>testsha</Value>

       </Attribute>

       <Attribute name="useIDPFinder"/>

       <Attribute name="enableIDPProxy">

           <Value>false</Value>

       </Attribute>

       <Attribute name="encryptionCertAlias"/>

       <Attribute name="spAuthncontextMapper">

           <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>

       </Attribute>

       <Attribute name="idpProxyCount">

           <Value>0</Value>

       </Attribute>

       <Attribute name="wantAttributeEncrypted">

           <Value>false</Value>

       </Attribute>

       <Attribute name="cotlist">

           <Value>cot1</Value>

       </Attribute>

       <Attribute name="ECPRequestIDPListFinderImpl">

           <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>

       </Attribute>

       <Attribute name="relayStateUrlList"/>

       <Attribute name="idpProxyList">

           <Value/>

       </Attribute>

       <Attribute name="wantLogoutResponseSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="saeSPLogoutUrl"/>

       <Attribute name="basicAuthUser">

           <Value/>

       </Attribute>

       <Attribute name="wantPOSTResponseSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="alwaysIdpProxy"/>

       <Attribute name="spSessionSyncEnabled">

           <Value>false</Value>

       </Attribute>

       <Attribute name="spAuthncontextClassrefMapping">

           <Value>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4|4|</Value>

           <Value>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2|2|</Value>

           <Value>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3|3|</Value>

           <Value>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1|1|</Value>

           <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>

       </Attribute>

       <Attribute name="assertionTimeSkew">

           <Value>300</Value>

       </Attribute>

       <Attribute name="spDoNotWriteFederationInfo">

           <Value>false</Value>

       </Attribute>

       <Attribute name="wantAssertionEncrypted">

           <Value>false</Value>

       </Attribute>

       <Attribute name="basicAuthOn">

           <Value>false</Value>

       </Attribute>

       <Attribute name="useNameIDAsSPUserID">

           <Value>false</Value>

       </Attribute>

       <Attribute name="attributeMap">

           <Value>*=*</Value>

       </Attribute>

       <Attribute name="autofedAttribute">

           <Value/>

       </Attribute>

       <Attribute name="saml2AuthModuleName">

           <Value/>

       </Attribute>

       <Attribute name="defaultRelayState">

           <Value/>

       </Attribute>

       <Attribute name="wantNameIDEncrypted">

           <Value>false</Value>

       </Attribute>

       <Attribute name="responseArtifactMessageEncoding">

           <Value>URI</Value>

       </Attribute>

       <Attribute name="saeAppSecretList"/>

       <Attribute name="localAuthURL">

           <Value/>

       </Attribute>

       <Attribute name="saeSPUrl">

           <Value>https://am1.ssobridge.com:8443/openam/spsaehandler/metaAlias/sp</Value>

       </Attribute>

       <Attribute name="transientUser">

           <Value>demo</Value>

       </Attribute>

       <Attribute name="autofedEnabled">

           <Value>false</Value>

       </Attribute>

       <Attribute name="wantMNIResponseSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="wantLogoutRequestSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="ECPRequestIDPListGetComplete">

           <Value/>

       </Attribute>

       <Attribute name="spAuthncontextComparisonType">

           <Value>exact</Value>

       </Attribute>

       <Attribute name="basicAuthPassword">

           <Value/>

       </Attribute>

       <Attribute name="wantArtifactResponseSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="spAttributeMapper">

           <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>

       </Attribute>

       <Attribute name="ECPRequestIDPList">

           <Value/>

       </Attribute>

       <Attribute name="wantMNIRequestSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="metaAlias"/>

   </SPSSOConfig>

</EntityConfig>


 

Once the changes have been made, the updated metadata must be loaded back into OpenAM:

  • Log in to OpenAM again if the session has expired.

  • Select the Federation tab.

  • Delete the hosted service provider entity; import-entity does not overwrite an existing entity, and the import below recreates it.

  • Browse to https://am1.ssobridge.com:8443/openam/ssoadm.jsp

  • Scroll down and select import-entity.

  • Enter / for the realm where data resides.

  • Paste the edited standard metadata from the text editor into the standard metadata field.

  • Paste the edited extended metadata into the extended entity configuration field.

  • Specify the circle of trust as cot1.

  • Enter saml2 for Specify metadata specifications.

  • On success the page reports that the entity was imported; select Back to Main Page.

  • Browse to https://am1.ssobridge.com:8443/openam to return to the console.


 

Editing the metadata for the Identity Provider

  • Log in to OpenAM as amadmin on the identity provider machine.

  • Browse to https://am2.ssobridge.com:8443/openam/ssoadm.jsp (the same HTTPS port used throughout this guide; ssoadm.jsp must have been enabled on this server as described above).

  • Scroll down and select export-entity.

  • For Entity ID enter https://am2.ssobridge.com:8443/openam

  • For Realm where data resides enter /

  • Leave Set this flag to sign the metadata unchecked.

  • Check the Metadata box.

  • Check the Extended data box.

  • Enter saml2 in the Specify metadata specification box.

  • Select Submit.

  • The metadata is displayed; copy it and paste it into a text editor.

  • The export contains two documents, reproduced below.  The original page highlighted the lines to add in red; that highlighting is lost here.  Two insertions are needed on the IDP.  In the standard metadata, add the Extensions element carrying the assurance-certification entity attribute, which lists the four http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevelN URIs the IDP certifies; it must be the first child of EntityDescriptor, before IDPSSODescriptor, as the metadata schema requires.  In the extended metadata, add the matching four assurancelevelN|N|| values to idpAuthncontextClassrefMapping, next to the existing PasswordProtectedTransport|0||default entry.  Every URI listed in the extension must also appear in the mapping, with the same level number the SP uses for it.  Re-import the result with import-entity exactly as was done for the service provider, this time at https://am2.ssobridge.com:8443/openam/ssoadm.jsp.


 

Standard Metadata

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<EntityDescriptor entityID="https://am2.ssobridge.com:8443/openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

   <Extensions>

       <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute">

           <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">

               <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1</ns2:AttributeValue>

               <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2</ns2:AttributeValue>

               <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3</ns2:AttributeValue>

               <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4</ns2:AttributeValue>

           </ns2:Attribute>

       </ns1:EntityAttributes>

   </Extensions>

   <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

       <KeyDescriptor use="signing">

           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

               <ds:X509Data>

                   <ds:X509Certificate>

MIIDazCCAlOgAwIBAgIEIa0fxzANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJVUzELMAkGA1UE

CBMCV0ExEjAQBgNVBAcTCVZhbmNvdXZlcjEWMBQGA1UEChMNRm9yZ2VSb2NrLmNvbTEMMAoGA1UE

CxMDRW5nMRAwDgYDVQQDEwd0ZXN0U0hBMB4XDTEzMDgxNTE3NTgzMFoXDTEzMTExMzE3NTgzMFow

ZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRIwEAYDVQQHEwlWYW5jb3V2ZXIxFjAUBgNVBAoT

DUZvcmdlUm9jay5jb20xDDAKBgNVBAsTA0VuZzEQMA4GA1UEAxMHdGVzdFNIQTCCASIwDQYJKoZI

hvcNAQEBBQADggEPADCCAQoCggEBAJVcxNRp96b9u64FaOoQMaLctu8EgGrdt84TIz0pvpragqf3

QrzYjUlxcGjLI1qDbtfDDtQ5ch1v2Kyz2utXhdJBBUnHi7iiJsUxNwnyc1BKE+SHnbLToY+qoXR3

8tEaG0MHra9MRco6lOVlYIuGPfgd6qfqcHexZvONoWgwfFTX4I82YI8M4IpTyQLBfapnFYyc0KWw

4/3ENHipuATWZLyjq5PyQWLyI0t4cbrwNhLSDA21OcJfph6ikLa4yMAex51Z+L5et+PKUTFvF6Ef

bkBonQtRp4JZd6KksdB5e3sM4JZ9CRGfWfO0rtgsMbADwOTQwGeDtDw+k0Yyqv7pL9ECAwEAAaMh

MB8wHQYDVR0OBBYEFHKFcIuojxIfsj+AxKYWgkFlIW1hMA0GCSqGSIb3DQEBCwUAA4IBAQBUVyzf

f+sgovf5GTnctY34kMkVVWM2yRCJhoFOPT1fc17FUq7906Bg0/di7SDOinUmcYSjxjAjPH9wFGhS

fX/pq7IcJTv544ZyIXkMaSY7ZwU0JKizOgFg6+/TlBRbXIozA/WHWc2m0Xfk4Zjcv+CTo2YFsspt

oSHVUpC5msQcTOWHYYH+edPzAKtY+lmTbb1n9QAn5oGNKm4Dy5iPl1Y2uqtupwxyse5ZA3fPxYlT

/vJVKMEWA3m0aOa7WSNekfAp74BPPiNcg88kyfO6HjkgawY04CA0Y63g6cmMduwL8e3ArbayQNxB

VqGtaBdKQC+DIi8ooSNB9pOtyBd/F6ZZ

                   </ds:X509Certificate>

               </ds:X509Data>

           </ds:KeyInfo>

       </KeyDescriptor>

       <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://am2.ssobridge.com:8443/openam/ArtifactResolver/metaAlias/idp"/>

       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://am2.ssobridge.com:8443/openam/IDPSloRedirect/metaAlias/idp" ResponseLocation="https://am2.ssobridge.com:8443/openam/IDPSloRedirect/metaAlias/idp"/>

       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://am2.ssobridge.com:8443/openam/IDPSloPOST/metaAlias/idp" ResponseLocation="https://am2.ssobridge.com:8443/openam/IDPSloPOST/metaAlias/idp"/>

       <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://am2.ssobridge.com:8443/openam/IDPSloSoap/metaAlias/idp"/>

       <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://am2.ssobridge.com:8443/openam/IDPMniRedirect/metaAlias/idp" ResponseLocation="https://am2.ssobridge.com:8443/openam/IDPMniRedirect/metaAlias/idp"/>

       <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://am2.ssobridge.com:8443/openam/IDPMniPOST/metaAlias/idp" ResponseLocation="https://am2.ssobridge.com:8443/openam/IDPMniPOST/metaAlias/idp"/>

       <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://am2.ssobridge.com:8443/openam/IDPMniSoap/metaAlias/idp"/>

       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>

       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>

       <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://am2.ssobridge.com:8443/openam/SSORedirect/metaAlias/idp"/>

       <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://am2.ssobridge.com:8443/openam/SSOPOST/metaAlias/idp"/>

       <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://am2.ssobridge.com:8443/openam/SSOSoap/metaAlias/idp"/>

       <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://am2.ssobridge.com:8443/openam/NIMSoap/metaAlias/idp"/>

       <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://am2.ssobridge.com:8443/openam/AIDReqSoap/IDPRole/metaAlias/idp"/>

       <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="https://am2.ssobridge.com:8443/openam/AIDReqUri/IDPRole/metaAlias/idp"/>

   </IDPSSODescriptor>

</EntityDescriptor>
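The FICAM-specific configuration in this guide is the assurance-level mapping: the IDP advertises the levels it certifies in the assurance-certification entity attribute above, and both sides map each level URI to an OpenAM authentication level in their extended metadata (spAuthncontextClassrefMapping in the SP extended metadata above, idpAuthncontextClassrefMapping in the IDP extended metadata that follows).  Because these three lists are edited by hand, a URI that is advertised but not mapped, or mapped to different levels on each side, is an easy mistake.  The script below is an added example, not part of the original page or of OpenAM.  It cross-checks the three lists as they appear in this guide (the mapping values are copied verbatim; the IDP metadata is trimmed to the extension and two endpoints) and also reports two facts about the IDP metadata as exported: the SOAP ArtifactResolutionService is present, and WantAuthnRequestsSigned is false, so the SP’s signed requests are not actually enforced by the IDP.  Reading the mapping strings as classref|authLevel|...|default is my interpretation of OpenAM’s format, not something stated on the page.

```python
"""Cross-check the IDP metadata and both LOA mappings from this guide.

Added example (not from the page or from OpenAM): stdlib only, runs offline.
IDP_METADATA is a trimmed copy of the IDP "Standard Metadata" export in this guide
(certificate and most endpoints dropped); the mapping lists are copied verbatim
from the SP and IDP extended metadata.
"""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ASSURANCE_CERTIFICATION = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

IDP_METADATA = """<EntityDescriptor entityID="https://am2.ssobridge.com:8443/openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
   <Extensions>
       <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute">
           <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
               <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1
</ns2:AttributeValue>
               <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2
</ns2:AttributeValue>
               <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3
</ns2:AttributeValue>
               <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4
</ns2:AttributeValue>
           </ns2:Attribute>
       </ns1:EntityAttributes>
   </Extensions>
   <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://am2.ssobridge.com:8443/openam/ArtifactResolver/metaAlias/idp"/>
       <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://am2.ssobridge.com:8443/openam/SSORedirect/metaAlias/idp"/>
   </IDPSSODescriptor>
</EntityDescriptor>
"""

# spAuthncontextClassrefMapping from the SP extended metadata: classref|authLevel|[default]
SP_MAPPING = [
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4|4|",
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2|2|",
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3|3|",
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1|1|",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default",
]
# idpAuthncontextClassrefMapping from the IDP extended metadata:
# classref|authLevel|authScheme|[default]  (my reading of the format; scheme empty here)
IDP_MAPPING = [
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3|3||",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default",
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4|4||",
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2|2||",
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1|1||",
]


def parse_mapping(values):
    """Return ({classref: auth_level}, default_classref) from OpenAM mapping strings."""
    levels, default = {}, None
    for value in values:
        parts = value.split("|")
        levels[parts[0]] = int(parts[1])
        if parts[-1] == "default":
            default = parts[0]
    return levels, default


def advertised_assurance_levels(idp_xml):
    """Class refs the IDP certifies in its assurance-certification entity attribute."""
    root = ET.fromstring(idp_xml.encode("utf-8"))
    for attr in root.iter(SAML + "Attribute"):
        if attr.get("Name") == ASSURANCE_CERTIFICATION:
            # strip(): the values as exported in the guide carry a trailing newline
            return [v.text.strip() for v in attr.findall(SAML + "AttributeValue")]
    return []


def check_federation(idp_xml, sp_mapping, idp_mapping):
    """Consistency checks between the IDP metadata and both sides' LOA mappings."""
    sp_levels, sp_default = parse_mapping(sp_mapping)
    idp_levels, idp_default = parse_mapping(idp_mapping)
    certified = advertised_assurance_levels(idp_xml)
    idp = ET.fromstring(idp_xml.encode("utf-8")).find(MD + "IDPSSODescriptor")
    return {
        "certified_levels": certified,
        "unmapped_at_idp": [c for c in certified if c not in idp_levels],
        "unmapped_at_sp": [c for c in certified if c not in sp_levels],
        "level_mismatch": sorted(c for c in sp_levels if c in idp_levels and sp_levels[c] != idp_levels[c]),
        "same_default": sp_default == idp_default,
        "idp_requires_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "artifact_resolution": idp.find(MD + "ArtifactResolutionService") is not None,
    }


if __name__ == "__main__":
    for key, value in check_federation(IDP_METADATA, SP_MAPPING, IDP_MAPPING).items():
        print(f"{key:30} {value}")
```

For the lists in this guide every certified level is mapped on both sides with matching numbers and both default to PasswordProtectedTransport, so the three consistency fields come back empty or True; idp_requires_signed_requests comes back False, which is the gap noted under the IDP options above.  To check a live pair, replace the constants with the output of export-entity from each server.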


 

Extended Metadata

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<EntityConfig entityID="https://am2.ssobridge.com:8443/openam" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">

   <IDPSSOConfig metaAlias="/idp">

       <Attribute name="idpAuthncontextMapper">

           <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>

       </Attribute>

       <Attribute name="appLogoutUrl">

           <Value/>

       </Attribute>

       <Attribute name="attributeMap">

           <Value>mail=mail</Value>

           <Value>branch=branch</Value>

       </Attribute>

       <Attribute name="proxyIDPFinderJSP"/>

       <Attribute name="autofedAttribute">

           <Value/>

       </Attribute>

       <Attribute name="proxyIDPFinderClass"/>

       <Attribute name="wantNameIDEncrypted">

           <Value>false</Value>

       </Attribute>

       <Attribute name="signingCertAlias">

           <Value>testsha</Value>

       </Attribute>

       <Attribute name="idpSessionSyncEnabled">

           <Value>false</Value>

       </Attribute>

       <Attribute name="idpAuthncontextClassrefMapping">

           <Value>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3|3||</Value>

           <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>

           <Value>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4|4||</Value>

           <Value>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2|2||</Value>

           <Value>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1|1||</Value>

       </Attribute>

       <Attribute name="saeAppSecretList"/>

       <Attribute name="encryptionCertAlias"/>

       <Attribute name="assertionEffectiveTime">

           <Value>600</Value>

       </Attribute>

       <Attribute name="autofedEnabled">

           <Value>false</Value>

       </Attribute>

       <Attribute name="wantMNIResponseSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="discoveryBootstrappingEnabled">

           <Value>false</Value>

       </Attribute>

       <Attribute name="wantLogoutRequestSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="cotlist">

           <Value>cot1</Value>

       </Attribute>

       <Attribute name="AuthUrl">

           <Value/>

       </Attribute>

       <Attribute name="relayStateUrlList"/>

       <Attribute name="wantArtifactResolveSigned">

           <Value>true</Value>

       </Attribute>

       <Attribute name="idpAccountMapper">

           <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>

       </Attribute>

       <Attribute name="wantLogoutResponseSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="enableProxyIDPFinderForAllSPs"/>

       <Attribute name="idpAdapter"/>

       <Attribute name="basicAuthUser">

           <Value/>

       </Attribute>

       <Attribute name="assertionNotBeforeTimeSkew">

           <Value>600</Value>

       </Attribute>

       <Attribute name="basicAuthPassword">

           <Value/>

       </Attribute>

       <Attribute name="idpECPSessionMapper">

           <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>

       </Attribute>

       <Attribute name="wantMNIRequestSigned">

           <Value>false</Value>

       </Attribute>

       <Attribute name="assertionCacheEnabled">

           <Value>false</Value>

       </Attribute>

       <Attribute name="idpAttributeMapper">

           <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>

       </Attribute>

       <Attribute name="nameIDFormatMap">

           <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>

           <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>

           <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>

           <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>

           <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>

       </Attribute>

       <Attribute name="metaAlias"/>

       <Attribute name="RpUrl">

           <Value/>

       </Attribute>

       <Attribute name="basicAuthOn">

           <Value>false</Value>

       </Attribute>

       <Attribute name="saeIDPUrl">

           <Value>https://am2.ssobridge.com:8443/openam/idpsaehandler/metaAlias/idp</Value>

       </Attribute>

   </IDPSSOConfig>

</EntityConfig>


 

Once the changes have been made, the updates need to be loaded into OpenAM. This is done as follows.

  • Log into OpenAM if the user has been logged out.

  • Select the Federation tab.

  • Delete the host service provider profile.

  • Type ‘https://am2.ssobridge.com:8443/openam/ssoadm.jsp’ into the web browser.

  • Scroll down and select import entity.

  • Insert ‘/’ for where the realm resides.

  • For the standard metadata to be imported copy and paste the standard metadata from the text editor.

  • For the extended entity configuration to be imported copy and paste the extended metadata from the text editor.

  • Specify the Circle of trust as cot1.

  • Enter ‘saml2’ for the Specify metadata specifications.

  • If successful, ‘Import file, web’ will be displayed; select Back to main page.

  • Enter ‘https://am2.ssobridge.com:8443/openam’ in the browser to return to the main menu.


 

Editing the Metadata for the Remote IDP

  • Open the file with the IDP metadata if it isn’t already open.

  • In the extended metadata the hosted option must be changed from true to false. 

Once the changes have been made, the updates need to be loaded into OpenAM. This is done as follows.

  • Log into OpenAM if the user has been logged out.

  • Select the Federation tab.

  • Delete the remote identity provider profile.

  • Type ‘https://am1.ssobridge.com:8443/openam/ssoadm.jsp’ into the web browser.

  • Scroll down and select import entity.

  • Insert ‘/’ for where the realm resides.

  • For the standard metadata to be imported copy and paste the standard metadata from the text editor.

  • For the extended entity configuration to be imported copy and paste the extended metadata from the text editor.

  • Specify the Circle of trust as cot1.

  • Enter ‘saml2’ for the Specify metadata specifications.

  • If successful, ‘Import file, web’ will be displayed; select Back to main page.

  • Enter ‘am1.ssobridge.com:8080/openam’ in the browser to return to the main menu.


 

Editing the Metadata for the Remote SP

  • Open the file with the SP metadata if it isn’t already open.

  • In the extended metadata the hosted option must be changed from true to false.  

Once the changes have been made, the updates need to be loaded into OpenAM. This is done as follows.

  • Log into OpenAM if the user has been logged out.

  • Select the Federation tab.

  • Delete the remote service provider profile.

  • Type ‘https://am2.ssobridge.com:8443/openam/ssoadm.jsp’ into the web browser.

  • Scroll down and select import entity.

  • Insert ‘/’ for where the realm resides.

  • For the standard metadata to be imported copy and paste the standard metadata from the text editor.

  • For the extended entity configuration to be imported copy and paste the extended metadata from the text editor.

  • Specify the Circle of trust as cot1.

  • Enter ‘saml2’ for the Specify metadata specifications.

  • If successful, ‘Import file, web’ will be displayed; select Back to main page.

  • Enter ‘https://am2.ssobridge.com:8443/openam’ in the browser to return to the main menu.


 
 

Testing

  • To test that the setup works correctly, enter the following URL.

https://am1.ssobridge.com:8443/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://am2.ssobridge.com:8443/openam&NameIDFormat=transient&binding=HTTP-POST&AuthnContextClassRef=http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1


 

Once the URL is entered, the user will be brought to the OpenAM login page.  For the User Name, the user can enter ‘demo’.  For the Password, the user can enter ‘changeit’.  The user will see that Single Sign-on succeeded.


  
 

To turn on isPassive and ForceAuthn

To enable these two attributes, use the following URL.

https://am1.ssobridge.com:8443/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://am2.ssobridge.com:8443/openam&NameIDFormat=transient&binding=HTTP-POST&isPassive=true&ForceAuthn=true&AuthnContextClassRef=http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1

The changes can be seen in the metadata.
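As an added example (not part of this guide or of OpenAM's own code), the following Python reads the idpAuthncontextClassrefMapping values from the extended metadata above and the spSSOInit.jsp test URLs from this section, resolves the auth level that a requested FICAM assurance-level class ref demands, and models in simplified form whether an existing IdP session may be reused when isPassive and ForceAuthn are set. The field layout of the mapping entries (class ref, auth level, auth scheme, default marker) and the session_reusable rule are assumptions made for the example, not OpenAM's documented logic.

```python
from urllib.parse import urlparse, parse_qs

# Mapping values copied from the idpAuthncontextClassrefMapping attribute above.
CLASSREF_MAPPING = [
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3|3||",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default",
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4|4||",
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2|2||",
    "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1|1||",
]
# The two test URLs from the Testing section (the second adds isPassive/ForceAuthn).
SP_INIT = "https://am1.ssobridge.com:8443/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp"
BASE_URL = (SP_INIT + "&idpEntityID=https://am2.ssobridge.com:8443/openam&NameIDFormat=transient"
            "&binding=HTTP-POST&AuthnContextClassRef=http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1")
FORCED_URL = BASE_URL + "&isPassive=true&ForceAuthn=true"

def parse_classref_mapping(values):
    """Assumed layout 'classRef|authLevel|authScheme|default' -> ({classRef: level}, defaultRef)."""
    levels, default = {}, None
    for entry in values:
        fields = entry.split("|")
        levels[fields[0]] = int(fields[1])
        if fields[-1] == "default":
            default = fields[0]
    return levels, default

def parse_sso_init_url(url):
    """Pull out the spSSOInit.jsp parameters that shape the AuthnRequest."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return {"idp_entity_id": q.get("idpEntityID"),
            "class_ref": q.get("AuthnContextClassRef"),
            "is_passive": q.get("isPassive", "false").lower() == "true",
            "force_authn": q.get("ForceAuthn", "false").lower() == "true"}

def required_level(url, values=CLASSREF_MAPPING):
    """Auth level the IdP must reach for the requested class ref (the 'default'
    entry applies when the SP requests none); an unmapped class ref cannot be honoured."""
    levels, default = parse_classref_mapping(values)
    ref = parse_sso_init_url(url)["class_ref"] or default
    if ref not in levels:
        raise ValueError(f"unmapped AuthnContextClassRef: {ref}")
    return levels[ref]

def session_reusable(url, session_auth_level, values=CLASSREF_MAPPING):
    """Simplified model (an assumption, not OpenAM's own logic): reuse an existing
    session only if ForceAuthn is absent and the session's auth level meets the
    requested level; otherwise the user must authenticate again at the IdP."""
    req = parse_sso_init_url(url)
    return not req["force_authn"] and session_auth_level >= required_level(url, values)
```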
