If you need to link OIDC (apps) to SAML2 (partner IDPs), this wiki will be helpful. I have come across many POC requests where the prospect is a SaaS provider whose service is an OIDC app, while their subscriber base includes users who log in at their respective employer IDPs (typically SAML2 IDPs).
NOTE : This wiki applies only to the OIDC app-initiated flow. It does not cover the case where the flow is initiated from the partner IDP.
Setup Summary :
High-level steps needed:
- Set up AM as OIDC Provider
- Set up an OIDC Client profile for the SaaS app on AM.
- Test the OIDC flow from the client app to AM.
- Set up AM as SAML2 Hosted SP
- Onboard Partner IDPs as Remote IDP (SAML2) (I used my own second instance of AM set up as a hosted IDP)
- Set up the SAML2 Auth Module. Enter the Remote IDP details. Add it to a chain (partnerIdpChain)
- Test the SAML flow via the request parameter (service=partnerIdpChain)
- Test the flow from the OIDC app to the Partner IDP.
Setup Detail :
This part covers the details of the setup.
Setup AM as OIDC Provider
- basic OOTB setup here, nothing unique to this wiki.
Setup OIDC Client profile for SaaS app on AM.
- basic OOTB OIDC client setup. Just make sure you add at minimum these scopes : openid, profile, email. The openid scope is mandatory; without it the request is plain OAuth2 and AM will not issue an ID token.
Test OIDC flow from Client app to AM.
- enter a URL based on the following template to trigger an OIDC flow
- Note : the client app needs a callback page that captures the authorization code and exchanges it at AM's token endpoint for an access token and ID token. The callback should check that the returned state matches the one it sent, and that the nonce in the ID token matches, before trusting the response.
Setup AM as SAML2 Hosted SP
- basic OOTB SAML2 Hosted SP setup. Nothing unique to this wiki.
Onboard Partner IDPs as Remote IDP (SAML2) (I used my own second instance of AM set up as a hosted IDP)
- Set up the Remote IDP : basic OOTB SAML2 Remote IDP setup (import the partner IDP's metadata into the hub AM). Nothing unique to this wiki.
Setup SAML2 Auth Module + AuthnChain
- Select the SAML2 Auth Module. Enter the Remote IDP entityID. Save.
- Create a chain (partnerIdpChain). Add this module to the chain.
Test SAML2 Chain
- go to : http://my.hub.com:8080/openam/XUI/#login/&service=partnerIdpChain
- you should be redirected to the Remote IDP (remote IDP setup is not covered here; for testing it can just be another OpenAM)
Test Flow from OIDC app to Partner IDP.
- repeat step 3, but add the service parameter (service=partnerIdpChain) to the authorization URL.
- If you want to test the IDP-initiated flow, you will have to play with the RelayState of the Remote SAML2 IDP in the AM hub.
- You will have to set the RelayState value to a local AM page that redirects to the OIDC portal app. This then triggers an OIDC flow from the portal app after the SAML2 flow completes. At this moment, this is the best I could figure out. Hopefully someone has a better setup for the IDP-initiated flow.
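The client side of the app-initiated flow described above (steps 3 and "Test Flow from OIDC app to Partner IDP"), as an added example that is not part of this wiki and not AM's own code: it builds the authorization request with the service parameter so AM authenticates through partnerIdpChain, checks the state on the callback, prepares the code exchange, and does the claim checks on the returned ID token. The AM endpoint paths (/oauth2/authorize, /oauth2/access_token, /oauth2/connect/jwk_uri), the issuer value, the client_id "saasApp" and the callback URL https://saas.example.com/callback are assumptions for the example, and the ID token used in demo_flow() is a constructed, unsigned fixture.

```python
"""Added example (not from the wiki): OIDC client side of the app-initiated
flow, driving AM to the partner SAML2 IDP via the `service` parameter.
Assumed, not stated on the page: AM endpoints /oauth2/authorize and
/oauth2/access_token, issuer <base>/oauth2, client_id "saasApp",
callback https://saas.example.com/callback."""
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AM_BASE = "http://my.hub.com:8080/openam"           # hub AM used on the page
CLIENT_ID = "saasApp"                                # assumed client profile
REDIRECT_URI = "https://saas.example.com/callback"   # assumed callback page
SCOPES = "openid profile email"                      # openid is mandatory


def build_authorize_url(service=None, state=None, nonce=None):
    """Authorization request that starts the code flow. service=<chain> makes
    AM authenticate the user with that chain (the SAML2 Auth Module chain),
    so the browser is sent on to the partner IDP instead of AM's own login."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state or secrets.token_urlsafe(16),   # CSRF binding
        "nonce": nonce or secrets.token_urlsafe(16),   # ID token replay binding
    }
    if service:
        params["service"] = service
    return f"{AM_BASE}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Pull the authorization code out of the callback; refuse anything whose
    state is not the one this session issued."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"AM returned error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch, callback dropped")
    return qs["code"][0]


def token_request_body(code):
    """Form body POSTed to /oauth2/access_token. Client credentials go in an
    HTTP Basic header, never in the query string."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}


def _b64url_decode_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_id_token_claims(id_token, expected_nonce, now=None):
    """Claim checks the callback page must do on the returned ID token.
    This decodes the payload only: a real RP first verifies the JWS signature
    against AM's JWKS (assumed at /oauth2/connect/jwk_uri) and rejects alg=none."""
    claims = _b64url_decode_json(id_token.split(".")[1])
    now = time.time() if now is None else now
    if claims.get("iss") != f"{AM_BASE}/oauth2":
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID token not issued for this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, possible replay")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return claims


def _fixture_id_token(claims):
    """Constructed, UNSIGNED token for the offline demo only; never accept one."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    return f"{header}.{enc(claims)}."


def demo_flow():
    """Walk the flow on constructed inputs; returns what each stage produced."""
    state, nonce, now = "st-123", "nc-456", 1_700_000_000
    url = build_authorize_url(service="partnerIdpChain", state=state, nonce=nonce)
    code = parse_callback(f"{REDIRECT_URI}?code=AUTHZCODE&state={state}", state)
    try:  # a callback carrying someone else's state must be rejected
        parse_callback(f"{REDIRECT_URI}?code=EVIL&state=other", state)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    token = _fixture_id_token({"iss": f"{AM_BASE}/oauth2", "aud": CLIENT_ID,
                               "sub": "alice@partner.example", "nonce": nonce,
                               "exp": now + 300})
    claims = check_id_token_claims(token, nonce, now=now)
    return {"authorize_url": url, "code": code, "forged_rejected": forged_rejected,
            "body": token_request_body(code), "sub": claims["sub"]}


if __name__ == "__main__":
    print(json.dumps(demo_flow(), indent=2))
```

Running the script prints the authorization URL (note the service=partnerIdpChain parameter alongside scope=openid+profile+email), the captured code, the token-exchange body and the subject from the ID token. The state check is what stops an attacker from completing the flow with a code they obtained from the partner IDP themselves, and the nonce check ties the ID token to this browser session.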