
If you need to link OIDC apps to SAML2 partner IDPs, this wiki will be helpful. I have come across many POC requests where the prospect is a SaaS provider whose service is an OIDC app, while their subscriber base includes users who log in at their respective employer IDPs (typically SAML2 IDPs).

NOTE : This wiki applies only to the OIDC app initiated flow. It does not cover the case where the flow is initiated from the Partner IDP.

Setup Summary :

At a high level, these are the steps needed.

  1. Setup AM as OIDC Provider
  2. Setup OIDC Client profile for SaaS app on AM.
  3. Test OIDC flow from Client app to AM.
  4. Setup AM as SAML2 Hosted SP
  5. Onboard Partner IDPs as Remote IDP (SAML2) (I used my own second instance of AM setup as hosted IDP)
  6. Setup SAML2 Auth Module. Enter Remote IDP details. Add this to a chain (partnerIdpChain)
  7. Test the SAML flow via request param (service=partnerIdpChain)
  8. Test Flow from OIDC app to Partner IDP.

Setup Detail :

This part covers the details of the setup.

  1. Setup AM as OIDC Provider

    1. basic OOTB setup here, nothing unique to this wiki.
    2. https://backstage.forgerock.com/docs/am/5/oidc1-guide/chap-oidc1-implementation
  2. Setup OIDC Client profile for SaaS app on AM.

    1. basic OOTB OIDC Client setup. Just make sure you add at the minimum these scopes : openid, profile, email
    2. https://backstage.forgerock.com/docs/am/5/oidc1-guide/chap-oidc1-implementation#register-openid-connect-clients
  3. Test OIDC flow from Client app to AM.

    1. enter a URL based on the following template to trigger an OIDC flow
    2. http://my.idp.com:8080/openam/oauth2/authorize?response_type=code&scope=openid%20profile%20email&nonce=1234&client_id=MYCLIENT_ID&redirect_uri=http://my.hub.com:8080/MY-OIDC-APP/some-callback-page
    3. Note : the client app needs a callback page that captures the authorization code and exchanges it for an OIDC access token / ID token.
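As an added example (not code from this wiki or from AM), the client side of step 3 in Python: building the authorize URL from the template above, the callback page's check that the returned state belongs to this browser session before it accepts the code, the form body for AM's token endpoint (/oauth2/access_token), and the claim checks on the returned id_token. The page's template carries only a nonce; the state parameter is added here because without it the callback page cannot tell its own authorization request from one a third party started. Host names, client_id and redirect_uri mirror the page; the issuer string, client secret and the unsigned test id_token are constructed assumptions.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode, parse_qs, urlparse

# Hosts, client_id and redirect_uri mirror the page; the rest is constructed.
AM_BASE = "http://my.idp.com:8080/openam"   # AM acting as OIDC provider
CLIENT_ID = "MYCLIENT_ID"
REDIRECT_URI = "http://my.hub.com:8080/MY-OIDC-APP/some-callback-page"


def build_authorize_url(am_base, client_id, redirect_uri, state, nonce,
                        scopes=("openid", "profile", "email")):
    """Step 3: the authorization request the SaaS app sends the browser to.

    state binds the callback to this browser session (CSRF protection);
    nonce is echoed inside the id_token so the app can tie the token to
    this request. Both are unguessable and stored server-side per session.
    """
    params = {
        "response_type": "code",
        "scope": " ".join(scopes),
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return f"{am_base}/oauth2/authorize?{urlencode(params)}"


def new_request_binding():
    """Fresh (state, nonce) pair for one authorization request."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def extract_code(callback_url, expected_state):
    """Callback page: accept the authorization code only if state matches.

    Raises if AM reported an error, state is missing or wrong, or no code
    came back; otherwise returns the code.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request(code, client_id, client_secret, redirect_uri):
    """Form body for POST {am_base}/oauth2/access_token.

    redirect_uri must repeat the value from the authorize request; the
    provider compares the two.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token_claims(id_token, issuer, client_id, expected_nonce, now=None):
    """Claim checks on the id_token, to run AFTER its signature is verified
    against the provider's JWKS. This function does not verify signatures.
    Returns the claims dict or raises."""
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token not issued for this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: id_token not tied to our request")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    return claims


def make_test_id_token(claims):
    """Constructed, unsigned id_token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

The state and nonce checks are the two pieces the template URL on this page leaves to the callback page: state stops a code from someone else's session being planted into this one, and nonce stops a replayed id_token from being accepted for a request it was never issued for.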
  4. Setup AM as SAML2 Hosted SP

    1. basic OOTB SAML2 Hosted SP setup. Nothing unique for this wiki.
    2. https://backstage.forgerock.com/docs/am/5/saml2-guide/chap-saml2-implementation-console#saml2-providers-and-cots
  5. Onboard Partner IDPs as Remote IDP (SAML2) (I used my own second instance of AM setup as hosted IDP)

    1. Setup Remote IDP : basic OOTB SAML2 setup. Nothing unique for this wiki.
    2. https://backstage.forgerock.com/docs/am/5/saml2-guide/chap-saml2-implementation-console#saml2-providers-and-cots
  6. Setup SAML2 Auth Module + AuthnChain 

    1. Select SAML2 Auth Module. Enter Remote IDP entityID. Save
    2. Create a Chain. Add this Module to the chain.
  7. Test SAML2 Chain

    1. go to : http://my.hub.com:8080/openam/XUI/#login/&service=saml2Chain
    2. you should be redirected to the Remote IDP (remote IDP setup is not covered here; it could just be another OpenAM for testing)
  8. Test Flow from OIDC app to Partner IDP.

    1. repeat step 3, but with the service parameter in the URL, such as
    2. http://my.idp.com:8080/oildex/XUI/?realm=%2F&service=saml2Chain&goto=http%3A%2F%2Fmy.idp.com%3A8080%2Foildex%2Foauth2%2Fauthorize%3Fservice%3DmfaChain%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520email%26nonce%3D1234%26login_hint%3D%26client_id%3Doildex-platform%26redirect_uri%3Dhttp%253A%252F%252Fmy.hub.com%253A8080%252Foildex-platform%252Foidccallback#login/
  9. NOTE

    1. If you want to test the IDP initiated flow, you will have to play with the relayState of the Remote SAML2 IDP in the AM Hub.
    2. You will have to set the relayState value to a local AM page that redirects to the OIDC portal app. This will then trigger an OIDC flow from the portal app after the SAML2 flow is completed. At this moment, this is the best I could figure out. Hopefully, someone has a better setup for the IDP initiated flow.