If you need to link OIDC apps to SAML2 partner IDPs, this wiki will be helpful. I have come across many POC requests where the prospect is a SaaS provider whose service is an OIDC app, while their subscriber base includes users who log in at their respective employer IDPs (typically SAML2 IDPs).
NOTE : This wiki applies only to the OIDC app-initiated flow. It does not cover the flow when it is initiated from the partner IDP.
Setup Summary :
At a high level, these are the steps needed.
- Setup AM as OIDC Provider
- Setup OIDC Client profile for SaaS app on AM.
- Test OIDC flow from Client app to AM.
- Setup AM as SAML2 Hosted SP
- Onboard Partner IDPs as Remote IDP (SAML2) (I used my own second instance of AM setup as hosted IDP)
- Setup SAML2 Auth Module. Enter Remote IDP details. Add this module to a chain (saml2Chain).
- Test the SAML flow via request param (service=saml2Chain)
- Test Flow from OIDC app to Partner IDP.
Setup Detail :
This part covers the details of the setup.
Setup AM as OIDC Provider
- basic OOTB setup here, nothing unique to this wiki.
- https://backstage.forgerock.com/docs/am/5/oidc1-guide/chap-oidc1-implementation
Setup OIDC Client profile for SaaS app on AM.
- basic OOTB OIDC client setup. Just make sure the client is allowed at minimum these scopes : openid, profile, email. The scope is named openid, not oidc; the authorize request below must only ask for scopes the client profile allows, or AM rejects the request.
- https://backstage.forgerock.com/docs/am/5/oidc1-guide/chap-oidc1-implementation#register-openid-connect-clients
Test OIDC flow from Client app to AM.
- enter a URL based on the following template to trigger an OIDC flow (hostnames, client_id and redirect_uri are placeholders; redirect_uri must match the value registered in the client profile exactly)
- http://my.idp.com:8080/openam/oauth2/authorize?response_type=code&scope=openid%20profile%20email&nonce=1234&client_id=MYCLIENT_ID&redirect_uri=http://my.hub.com:8080/MY-OIDC-APP/some-callback-page
- Note : the client app needs a callback page that receives the authorization code and exchanges it at the token endpoint (/openam/oauth2/access_token) for an access token and ID token. The fixed nonce=1234 is only for manual testing; a real client must send a fresh, unpredictable nonce and a state parameter on every request, check state on the callback, and check that the ID token carries the nonce it sent.
Setup AM as SAML2 Hosted SP
- basic OOTB SAML2 Hosted SP setup. Nothing unique for this wiki.
- https://backstage.forgerock.com/docs/am/5/saml2-guide/chap-saml2-implementation-console#saml2-providers-and-cots
Onboard Partner IDPs as Remote IDP (SAML2) (I used my own second instance of AM setup as hosted IDP)
- Setup Remote IDP : basic OOTB SAML2 Remote IDP setup (import the partner's IDP metadata into the same circle of trust as the hosted SP). Nothing unique for this wiki.
- https://backstage.forgerock.com/docs/am/5/saml2-guide/chap-saml2-implementation-console#saml2-providers-and-cots
Setup SAML2 Auth Module + AuthnChain
- Select the SAML2 authentication module type. Enter the Remote IDP entityID. Save.
- Create a chain (saml2Chain) and add this module to it.
Test SAML2 Chain
- goto : http://my.hub.com:8080/openam/XUI/#login/&service=saml2Chain
- you should be redirected to the Remote IDP (remote IDP setup is not covered here; for testing it could just be another OpenAM instance)
Test Flow from OIDC app to Partner IDP.
- repeat step 3 (the authorize URL), adding the service parameter so AM authenticates the user through the SAML2 chain instead of the default chain, e.g. &service=saml2Chain on the /oauth2/authorize request.
- The following URL, from the test environment (AM deployed under /oildex, client oildex-platform, not the placeholders used above), does the same via the XUI login page with service=saml2Chain and a goto back to the authorize endpoint, so the OIDC flow resumes once the SAML2 chain completes. The goto value must pass AM's goto URL validation (same AM host, or whitelisted under the realm's Validation Service), otherwise AM drops it and lands on the default success page.
- http://my.idp.com:8080/oildex/XUI/?realm=%2F&service=saml2Chain&goto=http%3A%2F%2Fmy.idp.com%3A8080%2Foildex%2Foauth2%2Fauthorize%3Fservice%3DmfaChain%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520email%26nonce%3D1234%26login_hint%3D%26client_id%3Doildex-platform%26redirect_uri%3Dhttp%253A%252F%252Fmy.hub.com%253A8080%252Foildex-platform%252Foidccallback#login/
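The client-side half of step 3 and of the final test above (building the authorize request with a fresh state and nonce, optionally carrying service=saml2Chain, checking the callback, preparing the code exchange and verifying the returned ID token), as an added Python example. It is not code from this wiki or from AM. It reuses the page's placeholder hosts and client_id; the client secret, the sample ID token and its claims are constructed here so the block runs offline, and it assumes the client profile signs ID tokens with HS256 using the client secret (the AM 5 client-profile default for ID Token Signing Algorithm; a profile set to RS256 must be verified against AM's JWKS instead). The issuer value is the root-realm issuer, base URL plus /oauth2.

```python
"""OIDC client side of the flow on this page: authorize request, callback check,
token request and ID token verification. Added example, not wiki or AM code.
Assumed: the page's placeholder hosts/client_id; a constructed client secret;
HS256 ID token signing with the client secret (AM 5 client-profile default)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AM_BASE = "http://my.idp.com:8080/openam"       # assumed AM deployment URL
ISSUER = AM_BASE + "/oauth2"                    # AM issuer for the root realm
CLIENT_ID = "MYCLIENT_ID"                       # assumed client profile name
CLIENT_SECRET = "constructed-client-secret"     # constructed for this example
REDIRECT_URI = "http://my.hub.com:8080/MY-OIDC-APP/some-callback-page"


def build_authorize_url(service=None):
    """Return (url, state, nonce). Both values are fresh per request: the static
    nonce=1234 used for manual testing on this page must not ship in the app."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"response_type": "code", "scope": "openid profile email",
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "state": state, "nonce": nonce}
    if service:                      # e.g. "saml2Chain": AM authenticates via that chain
        params["service"] = service
    return f"{AM_BASE}/oauth2/authorize?{urlencode(params)}", state, nonce


def parse_callback(callback_url, expected_state):
    """Pull the authorization code out of the redirect; a state mismatch means
    the response was not started by this session (CSRF / code injection)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return q["code"][0]


def token_request(code):
    """Endpoint, headers and form body to POST for the code exchange
    (client_secret_basic authentication against AM's token endpoint)."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return f"{AM_BASE}/oauth2/access_token", headers, body


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_id_token(id_token, expected_nonce, now=None):
    """Check the HS256 signature, then iss/aud/nonce/exp; return the claims."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never accept 'none' or a surprise algorithm
    mac = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(),
                   hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")   # ties the token to the request that asked for it
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def make_test_id_token(nonce, exp):
    """Constructed sample of what AM would mint for this client, signed with the
    same client secret; stands in for the real token endpoint response offline."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": "demo",
                                  "nonce": nonce, "iat": exp - 600, "exp": exp}).encode())
    mac = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


if __name__ == "__main__":
    url, state, nonce = build_authorize_url("saml2Chain")
    code = parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state)
    print(token_request(code)[0])
    print(verify_id_token(make_test_id_token(nonce, int(time.time()) + 600), nonce)["sub"])
```

In the real app the callback handler stores state and nonce in the user's session when it builds the authorize URL, POSTs the output of token_request with any HTTP client, and feeds the id_token field of the JSON response to verify_id_token; the service parameter is the only thing that changes between the plain OIDC test and the partner-IDP test.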
NOTE
- If you want to test the IDP-initiated flow, you will have to work with the RelayState of the Remote SAML2 IDP in the AM hub.
- You will have to set the RelayState value to a local AM page that redirects to the OIDC portal app. This then triggers an OIDC flow from the portal app after the SAML2 flow is completed. At this moment, this is the best I could figure out. Hopefully, someone has a better setup for the IDP-initiated flow.