Assuming you have configured an IdP Proxy scenario like the one described in Setting up a SAML2 IdP Proxy scenario (1), the next step is to use an IdP Proxy that can interact with the user and display the Identity Provider (or providers) able to fulfil the Authentication Request that the Service Provider has issued.

For this you will need to grab the latest and freshest release of OpenAM. This will add some more options into your proxy and, in general, into the Federation configuration.

The scenario will now support Levels of Assurance (LOAs) for the IdPs, as described in the SAMLv2 Specifications sstc-saml-assurance-profile-cd-01.pdf (2). With LOAs set, the Service Providers will be able to request specific Levels of Assurance by expressing them as a Requested Authentication Context in the request.

For this example let's assume that we have 4 levels of assurance:
Level of Assurance 1 defined as: http://foo.example.com/assurance/loa1
Level of Assurance 2 defined as: http://foo.example.com/assurance/loa2
Level of Assurance 3 defined as: http://foo.example.com/assurance/loa3
Level of Assurance 4 defined as: http://foo.example.com/assurance/loa4

According to the SAMLv2 specs (2), an Identity Provider that supports a given Level of Assurance must be able to declare the supported LOA in its metadata.

Step 1: The Service Provider (machinea.sp.com)

It is assumed that the Service Provider has already been installed and configured as indicated here.

Now it is necessary to edit the metadata to indicate that this Service Provider can use the Levels of Assurance mentioned above.

By default, the Console allows us to define the authentication contexts supported by the Service Provider, but these are the standard Authentication Contexts defined by the SAMLv2 Core specification. However, we would like to add some Authentication Contexts that represent the Levels of Assurance defined above.

Here is one way to modify the metadata of the Service Provider to achieve this task:

  1. In the Service Provider machinea.sp.com go to the console and invoke ssoadm.jsp. Example:
    http://machinea.sp.com/openam/ssoadm.jsp
    

  2. Look for the export-entity option and click on it
  3. In the Export-entity page, specify the entity ID of the local Service Provider; in our example, the local SP entity ID in the service provider is called machinea.sp.com
    • Entity ID: machinea.sp.com
    • Realm where data resides: /
    • Set this flag to sign the metadata: unchecked
    • Metadata: checked
    • Extended metadata: checked
    • Specify metadata specification, either wsfed, idff or saml2, defaults to saml2: saml2

      After clicking the submit button, the next page will show the "Standard metadata" and the "extended metadata". The metadata must be copied into an editor so it can be modified and later imported again.

      Example of the standard metadata

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <EntityDescriptor entityID="machinea.sp.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
          <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machinea.sp.com:80/openam/SPSloRedirect/metaAlias/sp" ResponseLocation="http://machinea.sp.com:80/openam/SPSloRedirect/metaAlias/sp"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machinea.sp.com:80/openam/SPSloPOST/metaAlias/sp" ResponseLocation="http://machinea.sp.com:80/openam/SPSloPOST/metaAlias/sp"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinea.sp.com:80/openam/SPSloSoap/metaAlias/sp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machinea.sp.com:80/openam/SPMniRedirect/metaAlias/sp" ResponseLocation="http://machinea.sp.com:80/openam/SPMniRedirect/metaAlias/sp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machinea.sp.com:80/openam/SPMniPOST/metaAlias/sp" ResponseLocation="http://machinea.sp.com:80/openam/SPMniPOST/metaAlias/sp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinea.sp.com:80/openam/SPMniSoap/metaAlias/sp" ResponseLocation="http://machinea.sp.com:80/openam/SPMniSoap/metaAlias/sp"/>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
              <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://machinea.sp.com:80/openam/Consumer/metaAlias/sp"/>
              <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machinea.sp.com:80/openam/Consumer/metaAlias/sp"/>
              <AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://machinea.sp.com:80/openam/Consumer/ECP/metaAlias/sp"/>
          </SPSSODescriptor>
      </EntityDescriptor>
      


      Example of the extended metadata

      <EntityConfig entityID="machinea.sp.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
          <SPSSOConfig metaAlias="/sp">
              <Attribute name="useNameIDAsSPUserID">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="appLogoutUrl">
                  <Value/>
              </Attribute>
              <Attribute name="attributeMap">
                  <Value>*=*</Value>
              </Attribute>
              <Attribute name="spAdapterEnv"/>
              <Attribute name="useIntroductionForIDPProxy">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="autofedAttribute">
                  <Value>employeenumber</Value>
              </Attribute>
              <Attribute name="spAdapter">
                  <Value/>
              </Attribute>
              <Attribute name="intermediateUrl">
                  <Value/>
              </Attribute>
              <Attribute name="saml2AuthModuleName">
                  <Value/>
              </Attribute>
              <Attribute name="spAccountMapper">
                  <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
              </Attribute>
              <Attribute name="defaultRelayState">
                  <Value/>
              </Attribute>
              <Attribute name="wantNameIDEncrypted">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="signingCertAlias"/>
              <Attribute name="responseArtifactMessageEncoding">
                  <Value>URI</Value>
              </Attribute>
              <Attribute name="saeAppSecretList"/>
              <Attribute name="useIDPFinder"/>
              <Attribute name="enableIDPProxy">
                  <Value>true</Value>
              </Attribute>
              <Attribute name="localAuthURL">
                  <Value/>
              </Attribute>
              <Attribute name="encryptionCertAlias"/>
              <Attribute name="spAuthncontextMapper">
                  <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
              </Attribute>
              <Attribute name="saeSPUrl">
                  <Value>http://machinea.sp.com:80/openam/spsaehandler/metaAlias/sp</Value>
              </Attribute>
              <Attribute name="idpProxyCount">
                  <Value>3</Value>
              </Attribute>
              <Attribute name="transientUser">
                  <Value/>
              </Attribute>
              <Attribute name="autofedEnabled">
                  <Value>true</Value>
              </Attribute>
              <Attribute name="wantAttributeEncrypted">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="wantMNIResponseSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="wantLogoutRequestSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="cotlist">
                  <Value>cot1</Value>
              </Attribute>
              <Attribute name="ECPRequestIDPListFinderImpl">
                  <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
              </Attribute>
              <Attribute name="relayStateUrlList"/>
              <Attribute name="idpProxyList"/>
              <Attribute name="ECPRequestIDPListGetComplete">
                  <Value/>
              </Attribute>
              <Attribute name="spAuthncontextComparisonType">
                  <Value>exact</Value>
              </Attribute>
              <Attribute name="wantLogoutResponseSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="saeSPLogoutUrl">
                  <Value/>
              </Attribute>
              <Attribute name="basicAuthUser">
                  <Value/>
              </Attribute>
              <Attribute name="wantPOSTResponseSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="basicAuthPassword">
                  <Value/>
              </Attribute>
              <Attribute name="wantArtifactResponseSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="spAttributeMapper">
                  <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
              </Attribute>
              <Attribute name="ECPRequestIDPList"/>
              <Attribute name="spSessionSyncEnabled">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="spAuthncontextClassrefMapping">
                  <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
              </Attribute>
              <Attribute name="assertionTimeSkew">
                  <Value>300</Value>
              </Attribute>
              <Attribute name="wantMNIRequestSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="metaAlias"/>
              <Attribute name="wantAssertionEncrypted">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="basicAuthOn">
                  <Value>false</Value>
              </Attribute>
          </SPSSOConfig>
      </EntityConfig>
      


  4. The extended metadata needs to be modified so that the Authentication Contexts corresponding to the Levels of Assurance are added. Once edited, the standard and the extended metadata can be stored as text files; they will be used in one of the next steps. The extended metadata should look like:

    <EntityConfig entityID="machinea.sp.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        <SPSSOConfig metaAlias="/sp">
            <Attribute name="useNameIDAsSPUserID">
                <Value>false</Value>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap">
                <Value>*=*</Value>
            </Attribute>
            <Attribute name="spAdapterEnv"/>
            <Attribute name="useIntroductionForIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="autofedAttribute">
                <Value>employeenumber</Value>
            </Attribute>
            <Attribute name="spAdapter">
                <Value/>
            </Attribute>
            <Attribute name="intermediateUrl">
                <Value/>
            </Attribute>
            <Attribute name="saml2AuthModuleName">
                <Value/>
            </Attribute>
            <Attribute name="spAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
            </Attribute>
            <Attribute name="defaultRelayState">
                <Value/>
            </Attribute>
            <Attribute name="wantNameIDEncrypted">
                <Value>false</Value>
            </Attribute>
            <Attribute name="signingCertAlias"/>
            <Attribute name="responseArtifactMessageEncoding">
                <Value>URI</Value>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
            <Attribute name="useIDPFinder"/>
            <Attribute name="enableIDPProxy">
                <Value>true</Value>
            </Attribute>
            <Attribute name="localAuthURL">
                <Value/>
            </Attribute>
            <Attribute name="encryptionCertAlias"/>
            <Attribute name="spAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="saeSPUrl">
                <Value>http://machinea.sp.com:80/openam/spsaehandler/metaAlias/sp</Value>
            </Attribute>
            <Attribute name="idpProxyCount">
                <Value>3</Value>
            </Attribute>
            <Attribute name="transientUser">
                <Value/>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>true</Value>
            </Attribute>
            <Attribute name="wantAttributeEncrypted">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="cotlist">
                <Value>cot1</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPListFinderImpl">
                <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
            </Attribute>
            <Attribute name="relayStateUrlList"/>
            <Attribute name="idpProxyList"/>
            <Attribute name="ECPRequestIDPListGetComplete">
                <Value/>
            </Attribute>
            <Attribute name="spAuthncontextComparisonType">
                <Value>exact</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="saeSPLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="wantPOSTResponseSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="wantArtifactResponseSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="spAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPList"/>
            <Attribute name="spSessionSyncEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="spAuthncontextClassrefMapping">
                <Value>http://foo.example.com/assurance/loa1|1|</Value>
                <Value>http://foo.example.com/assurance/loa2|2|</Value>
                <Value>http://foo.example.com/assurance/loa3|3|</Value>
                <Value>http://foo.example.com/assurance/loa4|4|</Value>
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
            </Attribute>
            <Attribute name="assertionTimeSkew">
                <Value>300</Value>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="metaAlias"/>
            <Attribute name="wantAssertionEncrypted">
                <Value>false</Value>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
        </SPSSOConfig>
    </EntityConfig>
    


    Notice the part that has been changed in the extended metadata:

            <Attribute name="spAuthncontextClassrefMapping">
                <Value>http://foo.example.com/assurance/loa1|1|</Value>
                <Value>http://foo.example.com/assurance/loa2|2|</Value>
                <Value>http://foo.example.com/assurance/loa3|3|</Value>
                <Value>http://foo.example.com/assurance/loa4|4|</Value>
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
            </Attribute>
    


  5. Now it is necessary to update the metadata:

    This will be done in two steps: first delete the existing entity ID, and then add the modified metadata. Here are the two steps in detail:

    1. Delete the machinea.sp.com entity
      1. Log in as amadmin in the OpenAM console if you are not already in
      2. Go to the Federation tab and scroll down to the Entity Providers list
      3. Delete the machinea.sp.com entity
    2. Import the metadata from the previous step
      1. In the console, go to the ssoadm.jsp page
        http://machinea.sp.com/openam/ssoadm.jsp
        
      2. Look for the import entity option and click on it
      3. Specify the following:
        • Realm where entity resides: /
        • Standard metadata to be imported: Paste here the standard metadata that we exported earlier
        • Extended entity configuration to be imported: Paste here the extended metadata that we edited earlier
        • Specify name of the Circle of Trust this entity belongs:
        • Specify metadata specification, either wsfed, idff or saml2, defaults to saml2: saml2

          Once the parameters are filled in click the submit button.

          A message indicating that the metadata was imported successfully should appear.
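As an added example (not from this page and not OpenAM's own code), the following Python script performs the decision an IdP Finder has to make in this scenario: it reads the SP's spAuthncontextClassrefMapping and comparison type from the extended metadata edited above, reads the LOAs an IdP advertises through the assurance-certification entity attribute of the assurance profile (2) (the form the IdP metadata takes in Step 2), and reports which IdPs can fulfil a RequestedAuthnContext. The metadata samples are constructed, trimmed copies of the page's examples; the level-based handling of the minimum/better/maximum comparison types is my reading of the SAML rule, not OpenAM's implementation.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ec": "urn:sun:fm:SAML:2.0:entityconfig",
}
# Entity attribute name defined by the SAML assurance profile (2).
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# Constructed sample: the SP extended metadata trimmed to the two attributes used here.
SP_EXTENDED = """<EntityConfig entityID="machinea.sp.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="spAuthncontextComparisonType"><Value>exact</Value></Attribute>
    <Attribute name="spAuthncontextClassrefMapping">
      <Value>http://foo.example.com/assurance/loa1|1|</Value>
      <Value>http://foo.example.com/assurance/loa2|2|</Value>
      <Value>http://foo.example.com/assurance/loa3|3|</Value>
      <Value>http://foo.example.com/assurance/loa4|4|</Value>
      <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
    </Attribute>
  </SPSSOConfig>
</EntityConfig>"""

# Constructed sample: IdP standard metadata trimmed to the assurance-certification
# extension (this IdP advertises LOA 1 and LOA 2 only).
IDP_STANDARD = """<EntityDescriptor entityID="machinec.idp.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <Extensions>
    <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute">
      <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                     xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
        <ns2:AttributeValue>http://foo.example.com/assurance/loa1</ns2:AttributeValue>
        <ns2:AttributeValue>http://foo.example.com/assurance/loa2</ns2:AttributeValue>
      </ns2:Attribute>
    </ns1:EntityAttributes>
  </Extensions>
</EntityDescriptor>"""


def sp_classref_levels(extended_xml):
    """Parse spAuthncontextClassrefMapping values of the form 'classref|level|[default]'.
    Returns ({classref: level}, default_classref, comparison_type)."""
    root = ET.fromstring(extended_xml)
    levels, default, comparison = {}, None, "exact"
    for attr in root.iterfind(".//ec:Attribute", NS):
        name = attr.get("name")
        if name == "spAuthncontextComparisonType":
            comparison = (attr.findtext("ec:Value", "", NS) or "exact").strip()
        elif name == "spAuthncontextClassrefMapping":
            for value in attr.iterfind("ec:Value", NS):
                parts = value.text.strip().split("|")
                levels[parts[0]] = int(parts[1])
                if len(parts) > 2 and parts[2] == "default":
                    default = parts[0]
    return levels, default, comparison


def idp_assurance_certifications(standard_xml):
    """Return (entityID, set of LOA URIs) advertised through the EntityAttributes extension."""
    root = ET.fromstring(standard_xml)
    certs = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.iterfind(path, NS):
        if attr.get("Name") == ASSURANCE_ATTR:
            certs.update(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS))
    return root.get("entityID"), certs


def idp_satisfies(requested, comparison, idp_certs, levels):
    """Apply the SAML RequestedAuthnContext Comparison rule, ordering class refs by the
    numeric level the SP assigned to them. Class refs the SP never mapped are ignored."""
    req_levels = [levels[r] for r in requested if r in levels]
    idp_levels = [levels[c] for c in idp_certs if c in levels]
    if not req_levels or not idp_levels:
        return False
    if comparison == "exact":
        return any(r in idp_certs for r in requested)
    if comparison == "minimum":      # at least as strong as one requested context
        return max(idp_levels) >= min(req_levels)
    if comparison == "better":       # stronger than every requested context
        return max(idp_levels) > max(req_levels)
    if comparison == "maximum":      # no stronger than the strongest requested context
        return min(idp_levels) <= max(req_levels)
    raise ValueError("unknown comparison type: " + comparison)


def find_idps(requested, sp_extended_xml, idp_standard_xmls):
    """The IdP Finder decision: entityIDs of the IdPs able to fulfil the request. An empty
    request falls back to the class ref marked 'default' in the SP mapping."""
    levels, default, comparison = sp_classref_levels(sp_extended_xml)
    requested = list(requested) or [default]
    matches = []
    for xml in idp_standard_xmls:
        entity_id, certs = idp_assurance_certifications(xml)
        if idp_satisfies(requested, comparison, certs, levels):
            matches.append(entity_id)
    return matches
```

With the sample IdP advertising only LOA 1 and 2, a request for loa2 under the SP's "exact" comparison selects machinec.idp.com, while a request for loa3 selects nothing, which is exactly the case where a finder must show the user a different IdP or fail the request.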

Step 2: Updating the metadata in the Identity Provider

The Identity Provider also needs to reflect the LOAs that it supports, and for that we need to update its metadata.
Notice that the latest release of OpenAM supports the LOAs expressed in the IdP metadata as described by the SAMLv2 specs (2); previous releases of OpenAM do not support it and might issue an "Invalid metadata" message.

Here are the steps on how to update the metadata in the Identity Provider machine; in our example, the machine is called machinec.idp.com

  1. The metadata can be updated in a similar way as it was done for the SP in the previous Step 1.
  2. In the Identity Provider machine, i.e. machinec.idp.com log in to the console as amadmin
  3. Go to the ssoadm.jsp URL, i.e.
    http://machinec.idp.com/openam/ssoadm.jsp
    
  4. Select the export-entity option and specify your local Identity Provider entity ID, i.e. in our case machinec.idp.com
    • Entity ID: machinec.idp.com
    • Realm where data resides: /
    • Set this flag to sign the metadata: unchecked
    • Metadata: checked
    • Extended metadata: checked
    • Specify metadata specification, either wsfed, idff or saml2, defaults to saml2: saml2

      Click the submit button

  5. The resulting page will show the metadata. The metadata must be copied into an editor so it can be modified and later imported again.

    Here is an example of what the standard metadata for the IdP looks like

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="machinec.idp.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>
            <KeyDescriptor use="encryption">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
                    <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
                </EncryptionMethod>
            </KeyDescriptor>
            <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/ArtifactResolver/metaAlias/idp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machinec.idp.com:80/openam/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://machinec.idp.com:80/openam/IDPSloRedirect/metaAlias/idp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machinec.idp.com:80/openam/IDPSloPOST/metaAlias/idp" ResponseLocation="http://machinec.idp.com:80/openam/IDPSloPOST/metaAlias/idp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/IDPSloSoap/metaAlias/idp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machinec.idp.com:80/openam/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://machinec.idp.com:80/openam/IDPMniRedirect/metaAlias/idp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machinec.idp.com:80/openam/IDPMniPOST/metaAlias/idp" ResponseLocation="http://machinec.idp.com:80/openam/IDPMniPOST/metaAlias/idp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/IDPMniSoap/metaAlias/idp"/>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machinec.idp.com:80/openam/SSORedirect/metaAlias/idp"/>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machinec.idp.com:80/openam/SSOPOST/metaAlias/idp"/>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/SSOSoap/metaAlias/idp"/>
            <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/NIMSoap/metaAlias/idp"/>
            <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://login1.visionrock.no:80/openam/AIDReqSoap/IDPRole/metaAlias/idp"/>
            <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://login1.visionrock.no:80/openam/AIDReqUri/IDPRole/metaAlias/idp"/>
        </IDPSSODescriptor>
    </EntityDescriptor>
    


    And here is an example of what the extended metadata looks like

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityConfig entityID="machinec.idp.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        <IDPSSOConfig metaAlias="/idp">
            <Attribute name="idpAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap"/>
            <Attribute name="autofedAttribute">
                <Value/>
            </Attribute>
            <Attribute name="wantNameIDEncrypted">
                <Value>false</Value>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="idpSessionSyncEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="idpAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
            <Attribute name="encryptionCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="assertionEffectiveTime">
                <Value>600</Value>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="discoveryBootstrappingEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="cotlist">
                <Value>cot1</Value>
            </Attribute>
            <Attribute name="AuthUrl">
                <Value/>
            </Attribute>
            <Attribute name="relayStateUrlList"/>
            <Attribute name="wantArtifactResolveSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="idpAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="assertionNotBeforeTimeSkew">
                <Value>600</Value>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="idpECPSessionMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value>false</Value>
            </Attribute>
            <Attribute name="assertionCacheEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="idpAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
            </Attribute>
            <Attribute name="nameIDFormatMap">
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
                <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
            </Attribute>
            <Attribute name="metaAlias"/>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="saeIDPUrl">
                <Value>http://machinec.idp.com:80/openam/idpsaehandler/metaAlias/idp</Value>
            </Attribute>
        </IDPSSOConfig>
    </EntityConfig>
    


  6. Edit the standard metadata.
    Note: The edited standard metadata will be needed in the IdP Proxy. If the IdP has not been updated to the latest release of OpenAM, the modified standard metadata cannot be imported into the IdP; however, the modified metadata will still be needed in the IdP Proxy.

    1. In an editor, edit the standard metadata so it looks like:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <EntityDescriptor entityID="machinec.idp.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
          <Extensions>
              <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute">
                  <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
                      <ns2:AttributeValue>http://foo.example.com/assurance/loa1</ns2:AttributeValue>
                      <ns2:AttributeValue>http://foo.example.com/assurance/loa2</ns2:AttributeValue>
                  </ns2:Attribute>
              </ns1:EntityAttributes>
          </Extensions>
          <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <KeyDescriptor use="signing">
                  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                      <ds:X509Data>
                          <ds:X509Certificate>
      MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
      bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
      ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
      CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
      BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
      AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
      RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
      Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
      QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
      cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
      /FfwWigmrW0Y0Q==
                          </ds:X509Certificate>
                      </ds:X509Data>
                  </ds:KeyInfo>
              </KeyDescriptor>
              <KeyDescriptor use="encryption">
                  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                      <ds:X509Data>
                          <ds:X509Certificate>
      MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
      bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
      ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
      CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
      BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
      AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
      RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
      Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
      QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
      cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
      /FfwWigmrW0Y0Q==
                          </ds:X509Certificate>
                      </ds:X509Data>
                  </ds:KeyInfo>
                  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
                      <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
                  </EncryptionMethod>
              </KeyDescriptor>
              <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/ArtifactResolver/metaAlias/idp"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machinec.idp.com:80/openam/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://machinec.idp.com:80/openam/IDPSloRedirect/metaAlias/idp"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machinec.idp.com:80/openam/IDPSloPOST/metaAlias/idp" ResponseLocation="http://machinec.idp.com:80/openam/IDPSloPOST/metaAlias/idp"/>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/IDPSloSoap/metaAlias/idp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machinec.idp.com:80/openam/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://machinec.idp.com:80/openam/IDPMniRedirect/metaAlias/idp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machinec.idp.com:80/openam/IDPMniPOST/metaAlias/idp" ResponseLocation="http://machinec.idp.com:80/openam/IDPMniPOST/metaAlias/idp"/>
              <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/IDPMniSoap/metaAlias/idp"/>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
              <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
              <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machinec.idp.com:80/openam/SSORedirect/metaAlias/idp"/>
              <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machinec.idp.com:80/openam/SSOPOST/metaAlias/idp"/>
              <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/SSOSoap/metaAlias/idp"/>
              <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machinec.idp.com:80/openam/NIMSoap/metaAlias/idp"/>
              <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://login1.visionrock.no:80/openam/AIDReqSoap/IDPRole/metaAlias/idp"/>
              <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://login1.visionrock.no:80/openam/AIDReqUri/IDPRole/metaAlias/idp"/>
          </IDPSSODescriptor>
      </EntityDescriptor>
      

      Notice that this is the part that was added:
          <Extensions>
              <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute">
                  <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
                      <ns2:AttributeValue>http://foo.example.com/assurance/loa1</ns2:AttributeValue>
                      <ns2:AttributeValue>http://foo.example.com/assurance/loa2</ns2:AttributeValue>
                  </ns2:Attribute>
              </ns1:EntityAttributes>
          </Extensions>
      


    2. Edit the extended metadata.
      Note: The extended metadata must also be edited. Supporting the modified extended metadata does not require the latest release of OpenAM.

      The modified extended metadata should look like:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <EntityConfig entityID="machinec.idp.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
          <IDPSSOConfig metaAlias="/idp">
              <Attribute name="idpAuthncontextMapper">
                  <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
              </Attribute>
              <Attribute name="appLogoutUrl">
                  <Value/>
              </Attribute>
              <Attribute name="attributeMap"/>
              <Attribute name="autofedAttribute">
                  <Value/>
              </Attribute>
              <Attribute name="wantNameIDEncrypted">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="signingCertAlias">
                  <Value>test</Value>
              </Attribute>
              <Attribute name="idpSessionSyncEnabled">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="idpAuthncontextClassrefMapping">
                  <Value>http://foo.example.com/assurance/loa1|1||</Value>
                  <Value>http://foo.example.com/assurance/loa3|2||</Value>
                  <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
              </Attribute>
              <Attribute name="saeAppSecretList"/>
              <Attribute name="encryptionCertAlias">
                  <Value>test</Value>
              </Attribute>
              <Attribute name="assertionEffectiveTime">
                  <Value>600</Value>
              </Attribute>
              <Attribute name="autofedEnabled">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="wantMNIResponseSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="discoveryBootstrappingEnabled">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="wantLogoutRequestSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="cotlist">
                  <Value>cot1</Value>
              </Attribute>
              <Attribute name="AuthUrl">
                  <Value/>
              </Attribute>
              <Attribute name="relayStateUrlList"/>
              <Attribute name="wantArtifactResolveSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="idpAccountMapper">
                  <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
              </Attribute>
              <Attribute name="wantLogoutResponseSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="basicAuthUser">
                  <Value/>
              </Attribute>
              <Attribute name="assertionNotBeforeTimeSkew">
                  <Value>600</Value>
              </Attribute>
              <Attribute name="basicAuthPassword">
                  <Value/>
              </Attribute>
              <Attribute name="idpECPSessionMapper">
                  <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
              </Attribute>
              <Attribute name="wantMNIRequestSigned">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="assertionCacheEnabled">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="idpAttributeMapper">
                  <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
              </Attribute>
              <Attribute name="nameIDFormatMap">
                  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
                  <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
                  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
                  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
                  <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
              </Attribute>
              <Attribute name="metaAlias"/>
              <Attribute name="basicAuthOn">
                  <Value>false</Value>
              </Attribute>
              <Attribute name="saeIDPUrl">
                  <Value>http://machinec.idp.com:80/openam/idpsaehandler/metaAlias/idp</Value>
              </Attribute>
          </IDPSSOConfig>
      </EntityConfig>
      


      Notice the part that was added in the extended metadata:

              <Attribute name="idpAuthncontextClassrefMapping">
                  <Value>http://foo.example.com/assurance/loa1|1||</Value>
                  <Value>http://foo.example.com/assurance/loa3|2||</Value>
                  <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
              </Attribute>
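      As an added example (not code from this page or from OpenAM), the following Python script parses the two files edited in this step and cross-checks the LOAs advertised in the standard metadata (the assurance-certification entity attribute) against the classrefs mapped in the extended metadata. The sample input is constructed from the page's own values with certificates and endpoints left out; the four |-separated fields are read as classref|authLevel|authType=authValue|default, which is OpenAM's documented mapping format. Run on the page's values the check reports that loa2 is advertised but never mapped while loa3 is mapped but never advertised.

```python
"""Cross-check of SAML2 standard metadata vs. OpenAM extended metadata for LOAs.
Added example; not part of the OpenAM wiki page or the OpenAM code base."""
from typing import Dict, List, NamedTuple
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
MDATTR = "{urn:oasis:names:tc:SAML:metadata:attribute}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
FM = "{urn:sun:fm:SAML:2.0:entityconfig}"
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
STANDARD_AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed sample input: the LOA-relevant parts of the page's machinec.idp.com
# metadata, with certificates and service endpoints omitted.
STANDARD_METADATA = """<EntityDescriptor entityID="machinec.idp.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <Extensions>
    <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute">
      <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
        <ns2:AttributeValue>http://foo.example.com/assurance/loa1</ns2:AttributeValue>
        <ns2:AttributeValue>http://foo.example.com/assurance/loa2</ns2:AttributeValue>
      </ns2:Attribute>
    </ns1:EntityAttributes>
  </Extensions>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

EXTENDED_METADATA = """<EntityConfig entityID="machinec.idp.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="idpAuthncontextClassrefMapping">
      <Value>http://foo.example.com/assurance/loa1|1||</Value>
      <Value>http://foo.example.com/assurance/loa3|2||</Value>
      <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
    </Attribute>
  </IDPSSOConfig>
</EntityConfig>"""


class ClassrefMapping(NamedTuple):
    classref: str      # AuthnContextClassRef URI the IdP will assert
    auth_level: int    # OpenAM authentication level needed to assert it
    auth_scheme: str   # optional "authType=authValue" selector (empty on the page)
    is_default: bool   # used when the SP sends no RequestedAuthnContext


def advertised_loas(standard_xml: str) -> List[str]:
    """LOA URIs the IdP publishes as an assurance-certification entity attribute."""
    root = ET.fromstring(standard_xml)
    loas: List[str] = []
    for attr in root.iterfind(f"{MD}Extensions/{MDATTR}EntityAttributes/{SAML}Attribute"):
        if attr.get("Name") != ASSURANCE_ATTR:
            continue
        for value in attr.iterfind(f"{SAML}AttributeValue"):
            if value.text and value.text.strip():
                loas.append(value.text.strip())
    return loas


def parse_classref_mapping(extended_xml: str) -> Dict[str, ClassrefMapping]:
    """Parses idpAuthncontextClassrefMapping values, stored by OpenAM as
    classref|authLevel|authType=authValue|default (the last two may be empty)."""
    root = ET.fromstring(extended_xml)
    mappings: Dict[str, ClassrefMapping] = {}
    for attr in root.iterfind(f"{FM}IDPSSOConfig/{FM}Attribute"):
        if attr.get("name") != "idpAuthncontextClassrefMapping":
            continue
        for value in attr.iterfind(f"{FM}Value"):
            fields = (value.text or "").strip().split("|")
            if len(fields) < 2 or not fields[1].isdigit():
                raise ValueError(f"malformed classref mapping: {value.text!r}")
            fields += [""] * (4 - len(fields))   # tolerate omitted trailing fields
            mappings[fields[0]] = ClassrefMapping(
                fields[0], int(fields[1]), fields[2], fields[3] == "default")
    return mappings


def check_loa_consistency(standard_xml: str, extended_xml: str) -> dict:
    """An advertised LOA without a mapping can never be asserted; a custom classref
    that is mapped but not advertised will never be offered by an LOA-aware finder.
    Standard SAML AC classes are excluded from the second comparison."""
    advertised = set(advertised_loas(standard_xml))
    mapped = parse_classref_mapping(extended_xml)
    custom_mapped = {c for c in mapped if not c.startswith(STANDARD_AC_PREFIX)}
    return {
        "advertised_without_mapping": advertised - custom_mapped,
        "mapped_without_advertisement": custom_mapped - advertised,
        "defaults": sum(1 for m in mapped.values() if m.is_default),
    }


if __name__ == "__main__":
    for key, val in check_loa_consistency(STANDARD_METADATA, EXTENDED_METADATA).items():
        print(f"{key}: {sorted(val) if isinstance(val, set) else val}")
```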
      


  7. Now it is necessary to update the metadata:
    1. Delete the machinec.idp.com entity
      1. Log in as amadmin in the OpenAM console of the Identity Provider, if you are not already in
      2. Go to the Federation tab and scroll down to the Entity Providers list
      3. Delete the machinec.idp.com entity
    2. Import the metadata from the previous step
      1. In the console, go to the ssoadm.jsp page
        http://machinec.idp.com/openam/ssoadm.jsp
        

      2. Look for the import entity option and click on it
      3. Specify the following:
        • Realm where entity resides: /
        • Standard metadata to be imported: Paste here the standard metadata that we got from the step
        • Extended entity configuration to be imported: Paste here the edited extended metadata that we did in step
        • Specify name of the Circle of Trust this entity belongs:
        • Specify metadata specification, either wsfed, idff or saml2, defaults to saml2: saml2
          Once the parameters are filled in click the submit button.
          A message indicating that the metadata was imported successfully should appear.

Step 3: The IdP Proxy

In the IdP Proxy we need to update the metadata of the SP, the metadata of the IdP and the IdP Proxy's own metadata.

These tasks are performed on machineb.idpproxy.com.

  1. Updating the Remote SP metadata
    1. Log in to the machineb.idpproxy.com OpenAM console as amadmin
    2. Go to the federation tab and delete the remote SP entity id, i.e. the entity machinea.sp.com
    3. Go to the ssoadm.jsp page
      http://machineb.idpproxy.com/openam/ssoadm.jsp
      

    4. Look for the import-entity option and click import entity
    5. In the import entity page specify the following:
        • Realm where entity resides: /
        • Standard metadata to be imported: Paste here the SP standard metadata that we got from the Step 1 Point 3
        • Extended entity configuration to be imported: Paste here the edited extended metadata that resulted from Step 1 Point 4 but be sure to change the header part:
          <EntityConfig entityID="machinea.sp.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
          To
          <EntityConfig entityID="machinea.sp.com" hosted="false" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        • Specify name of the Circle of Trust this entity belongs:
        • Specify metadata specification, either wsfed, idff or saml2, defaults to saml2: saml2

          Click the submit button

          A message indicating that the metadata was imported successfully must appear
  2. Now we need to add some extra configuration to the Remote SP entity id.
    1. Return to the Federation tab
    2. Scroll down to the list of entities
    3. Click on the machinea.sp.com (Remote SAMLv2 SP)
    4. Once in the SP configuration tab, Select the Advanced tab
    5. Scroll down to the IDP Proxy section
      • Be sure that the "IDP Proxy" is enabled
      • Optionally enable "Use IDP Finder"
      • Be sure that the Proxy count is something greater than 0, for example 3
      • Leave the IDP Proxy List empty
      • Click the Save button to save the configuration
  3. Updating the Remote IDP metadata
    1. Log in to the machineb.idpproxy.com OpenAM console as amadmin
    2. Go to the federation tab and delete the remote IdP entity id, i.e. the entity machinec.idp.com
    3. Go to the ssoadm.jsp page
      http://machineb.idpproxy.com/openam/ssoadm.jsp

    4. Look for the import-entity option and click import entity
    5. In the import entity page specify the following:
        • Realm where entity resides: /
        • Standard metadata to be imported: Paste here the standard metadata of the IdP that we got from the Step 2 Point 6.a
        • Extended entity configuration to be imported: Paste here the edited extended metadata of the IdP that we did in Step 2 Point 6.b but be sure to change the header part:
          <EntityConfig entityID="machinec.idp.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
          To
          <EntityConfig entityID="machinec.idp.com" hosted="false" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        • Specify name of the Circle of Trust this entity belongs:
        • Specify metadata specification, either wsfed, idff or saml2, defaults to saml2: saml2

          Click the submit button

          A message indicating that the metadata was imported successfully must appear

  4. Updating the IDP Proxy metadata
    The IdP Proxy, acting as an identity provider towards the SP, also needs to reflect the LOAs that it supports.
    1. In the IdP Proxy machine, i.e. machineb.idpproxy.com, log in to the console as amadmin
    2. Go to the ssoadm.jsp page
      http://machineb.idpproxy.com/openam/ssoadm.jsp

    3. Select the export entity option and specify your local IdP Proxy entity id, i.e. in our case machineb.idpproxy.com
      • Entity ID: machineb.idpproxy.com
      • Realm where data resides: /
      • Set this flag to sign the metadata: unchecked
      • Metadata: checked
      • Extended metadata: checked
      • Specify metadata specification, either wsfed, idff or saml2, defaults to saml2: saml2

        Click the submit button

    4. The resulting page will show the metadata.
      The metadata must be copied into an editor so it can be modified and later imported again.

    Example of the Standard metadata for the IdP Proxy

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="machineb.idpproxy.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>
            <KeyDescriptor use="encryption">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
                    <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
                </EncryptionMethod>
            </KeyDescriptor>
            <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machineb.idpproxy.com:80/openam/ArtifactResolver/metaAlias/proxyidp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machineb.idpproxy.com:80/openam/IDPSloRedirect/metaAlias/proxyidp" ResponseLocation="http://machineb.idpproxy.com:80/openam/IDPSloRedirect/metaAlias/proxyidp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machineb.idpproxy.com:80/openam/IDPSloPOST/metaAlias/proxyidp" ResponseLocation="http://machineb.idpproxy.com:80/openam/IDPSloPOST/metaAlias/proxyidp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machineb.idpproxy.com:80/openam/IDPSloSoap/metaAlias/proxyidp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machineb.idpproxy.com:80/openam/IDPMniRedirect/metaAlias/proxyidp" ResponseLocation="http://machineb.idpproxy.com:80/openam/IDPMniRedirect/metaAlias/proxyidp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machineb.idpproxy.com:80/openam/IDPMniPOST/metaAlias/proxyidp" ResponseLocation="http://machineb.idpproxy.com:80/openam/IDPMniPOST/metaAlias/proxyidp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machineb.idpproxy.com:80/openam/IDPMniSoap/metaAlias/proxyidp"/>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machineb.idpproxy.com:80/openam/SSORedirect/metaAlias/proxyidp"/>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machineb.idpproxy.com:80/openam/SSOPOST/metaAlias/proxyidp"/>
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machineb.idpproxy.com:80/openam/SSOSoap/metaAlias/proxyidp"/>
            <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machineb.idpproxy.com:80/openam/NIMSoap/metaAlias/proxyidp"/>
            <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machineb.idpproxy.com:80/openam/AIDReqSoap/IDPRole/metaAlias/proxyidp"/>
            <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://machineb.idpproxy.com:80/openam/AIDReqUri/IDPRole/metaAlias/proxyidp"/>
        </IDPSSODescriptor>
        <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>
            <KeyDescriptor use="encryption">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
                <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
                    <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
                </EncryptionMethod>
            </KeyDescriptor>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machineb.idpproxy.com:80/openam/SPSloRedirect/metaAlias/proxysp" ResponseLocation="http://machineb.idpproxy.com:80/openam/SPSloRedirect/metaAlias/proxysp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machineb.idpproxy.com:80/openam/SPSloPOST/metaAlias/proxysp" ResponseLocation="http://machineb.idpproxy.com:80/openam/SPSloPOST/metaAlias/proxysp"/>
            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machineb.idpproxy.com:80/openam/SPSloSoap/metaAlias/proxysp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://machineb.idpproxy.com:80/openam/SPMniRedirect/metaAlias/proxysp" ResponseLocation="http://machineb.idpproxy.com:80/openam/SPMniRedirect/metaAlias/proxysp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machineb.idpproxy.com:80/openam/SPMniPOST/metaAlias/proxysp" ResponseLocation="http://machineb.idpproxy.com:80/openam/SPMniPOST/metaAlias/proxysp"/>
            <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://machineb.idpproxy.com:80/openam/SPMniSoap/metaAlias/proxysp" ResponseLocation="http://machineb.idpproxy.com:80/openam/SPMniSoap/metaAlias/proxysp"/>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
            <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://machineb.idpproxy.com:80/openam/Consumer/metaAlias/proxysp"/>
            <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://machineb.idpproxy.com:80/openam/Consumer/metaAlias/proxysp"/>
            <AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://machineb.idpproxy.com:80/openam/Consumer/ECP/metaAlias/proxysp"/>
        </SPSSODescriptor>
    </EntityDescriptor>
    


    Example of the Extended metadata for the IdP Proxy

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityConfig entityID="machineb.idpproxy.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        <IDPSSOConfig metaAlias="/proxyidp">
            <Attribute name="idpAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap" />
            <Attribute name="autofedAttribute">
                <Value/>
            </Attribute>
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="idpSessionSyncEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="idpAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
            <Attribute name="encryptionCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="assertionEffectiveTime">
                <Value>600</Value>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="discoveryBootstrappingEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>cot1</Value>
            </Attribute>
            <Attribute name="AuthUrl">
                <Value/>
            </Attribute>
            <Attribute name="relayStateUrlList"/>
            <Attribute name="wantArtifactResolveSigned">
                <Value/>
            </Attribute>
            <Attribute name="idpAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="assertionNotBeforeTimeSkew">
                <Value>600</Value>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="idpECPSessionMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="assertionCacheEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="idpAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
            </Attribute>
            <Attribute name="nameIDFormatMap">
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
                <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
            </Attribute>
            <Attribute name="metaAlias"/>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="saeIDPUrl">
                <Value>http://machineb.idpproxy.com:80/openam/idpsaehandler/metaAlias/proxyidp</Value>
            </Attribute>
        </IDPSSOConfig>
        <SPSSOConfig metaAlias="/proxysp">
            <Attribute name="useNameIDAsSPUserID">
                <Value>false</Value>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap">
                <Value>firstname=givenname</Value>
                <Value>lastname=sn</Value>
                <Value>email=mail</Value>
            </Attribute>
            <Attribute name="spAdapterEnv"/>
            <Attribute name="useIntroductionForIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="autofedAttribute">
                <Value>email</Value>
            </Attribute>
            <Attribute name="spAdapter">
                <Value/>
            </Attribute>
            <Attribute name="intermediateUrl">
                <Value/>
            </Attribute>
            <Attribute name="saml2AuthModuleName">
                <Value/>
            </Attribute>
            <Attribute name="spAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
            </Attribute>
            <Attribute name="defaultRelayState">
                <Value/>
            </Attribute>
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="responseArtifactMessageEncoding">
                <Value>URI</Value>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
            <Attribute name="useIDPFinder"/>
            <Attribute name="enableIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="localAuthURL">
                <Value/>
            </Attribute>
            <Attribute name="encryptionCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="spAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="saeSPUrl">
                <Value>http://machineb.idpproxy.com:80/openam/spsaehandler/metaAlias/proxysp</Value>
            </Attribute>
            <Attribute name="idpProxyCount">
                <Value>0</Value>
            </Attribute>
            <Attribute name="transientUser">
                <Value/>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>true</Value>
            </Attribute>
            <Attribute name="wantAttributeEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>cot1</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPListFinderImpl">
                <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
            </Attribute>
            <Attribute name="relayStateUrlList"/>
            <Attribute name="idpProxyList"/>
            <Attribute name="ECPRequestIDPListGetComplete">
                <Value/>
            </Attribute>
            <Attribute name="spAuthncontextComparisonType">
                <Value>exact</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="saeSPLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="wantPOSTResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="wantArtifactResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="spAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPList"/>
            <Attribute name="spSessionSyncEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="spAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
            </Attribute>
            <Attribute name="assertionTimeSkew">
                <Value>300</Value>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="metaAlias"/>
            <Attribute name="wantAssertionEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
        </SPSSOConfig>
    </EntityConfig>
    


  7. In an editor, edit the extended metadata so it looks like:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityConfig entityID="machineb.idpproxy.com" hosted="true" xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        <IDPSSOConfig metaAlias="/proxyidp">
            <Attribute name="idpAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap"/>
            <Attribute name="autofedAttribute">
                <Value/>
            </Attribute>
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="idpSessionSyncEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="idpAuthncontextClassrefMapping">
                <Value>http://foo.example.com/assurance/loa2|2||</Value>
                <Value>http://foo.example.com/assurance/loa3|3||</Value>
                <Value>http://foo.example.com/assurance/loa4|4||</Value>
                <Value>http://foo.example.com/assurance/loa1|1||default</Value>
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
            <Attribute name="encryptionCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="assertionEffectiveTime">
                <Value>600</Value>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="discoveryBootstrappingEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>cot1</Value>
            </Attribute>
            <Attribute name="AuthUrl">
                <Value/>
            </Attribute>
            <Attribute name="relayStateUrlList"/>
            <Attribute name="wantArtifactResolveSigned">
                <Value/>
            </Attribute>
            <Attribute name="idpAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="assertionNotBeforeTimeSkew">
                <Value>600</Value>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="idpECPSessionMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="assertionCacheEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="idpAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
            </Attribute>
            <Attribute name="nameIDFormatMap">
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
                <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
            </Attribute>
            <Attribute name="metaAlias"/>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="saeIDPUrl">
                <Value>http://machineb.idpproxy.com:80/openam/idpsaehandler/metaAlias/proxyidp</Value>
            </Attribute>
        </IDPSSOConfig>
        <SPSSOConfig metaAlias="/proxysp">
            <Attribute name="useNameIDAsSPUserID">
                <Value>false</Value>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap"/>
            <Attribute name="spAdapterEnv"/>
            <Attribute name="useIntroductionForIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="autofedAttribute">
                <Value/>
            </Attribute>
            <Attribute name="spAdapter">
                <Value/>
            </Attribute>
            <Attribute name="intermediateUrl">
                <Value/>
            </Attribute>
            <Attribute name="saml2AuthModuleName">
                <Value/>
            </Attribute>
            <Attribute name="spAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
            </Attribute>
            <Attribute name="defaultRelayState">
                <Value/>
            </Attribute>
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="responseArtifactMessageEncoding">
                <Value>URI</Value>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
            <Attribute name="enableIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="localAuthURL">
                <Value/>
            </Attribute>
            <Attribute name="encryptionCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="spAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="saeSPUrl">
                <Value>http://machineb.idpproxy.com:80/openam/spsaehandler/metaAlias/proxysp</Value>
            </Attribute>
            <Attribute name="idpProxyCount">
                <Value>0</Value>
            </Attribute>
            <Attribute name="transientUser">
                <Value>anonymous</Value>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantAttributeEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>cot1</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPListFinderImpl">
                <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
            </Attribute>
            <Attribute name="relayStateUrlList"/>
            <Attribute name="idpProxyList"/>
            <Attribute name="ECPRequestIDPListGetComplete">
                <Value/>
            </Attribute>
            <Attribute name="spAuthncontextComparisonType">
                <Value>exact</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="saeSPLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="wantPOSTResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="wantArtifactResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="spAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPList"/>
            <Attribute name="spSessionSyncEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="spAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
                <Value>http://foo.example.com/assurance/loa4|4|</Value>
                <Value>http://foo.example.com/assurance/loa2|2|</Value>
                <Value>http://foo.example.com/assurance/loa3|3|</Value>
                <Value>http://foo.example.com/assurance/loa1|1|default</Value>
            </Attribute>
            <Attribute name="assertionTimeSkew">
                <Value>300</Value>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="metaAlias"/>
            <Attribute name="wantAssertionEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
        </SPSSOConfig>
    </EntityConfig>
    


  8. Now update the IdP Proxy metadata with the modified metadata that resulted from the two steps above. Here is how to do it:
    1. Deleting the IdP Proxy entity ID
      1. Log in as amadmin in the OpenAM console of the IdP Proxy, if you are not already in
      2. Go to the Federation tab, scroll down to the Entity Providers list and click the IdP Proxy entity, i.e. the entry machineb.idpproxy.com
      3. Delete the machineb.idpproxy.com entity
    2. Adding the modified metadata
      1. In the console, go to the ssoadm.jsp page
        http://machinec.idp.com/openam/ssoadm.jsp
        

      2. Look for the import-entity option and click on it
      3. In the import-entity screen specify the following:
        • Realm where entity resides: /
        • Standard metadata to be imported: paste here the IdP Proxy standard metadata that we got from the Step 3 Point 6
        • Extended entity configuration to be imported: paste here the edited extended metadata that resulted from Step 6 Point 7
        • Specify name of the Circle of Trust this entity belongs:
        • Specify metadata specification, either wsfed, idff or saml2, defaults to saml2: saml2
      4. Click the submit button
      5. A message indicating that the metadata was imported successfully should appear
  9. Adding more configuration to the IdP Proxy
    1. Go to the Federation tab, scroll down to the Entity Providers list and click the IdP Proxy entity, i.e. the entry machineb.idpproxy.com
    2. Select the IDP tab of the IdP Proxy
    3. Select the Advanced tab of the IdP part of the IDP Proxy
    4. Scroll down to the "IDP Finder Implementation" and specify:
      • IDP Finder implementation class: com.sun.identity.saml2.plugins.SAML2IDPProxyFRImpl
      • IdP Finder JSP: proxyidpfinder.jsp
      • Enable Proxy IDP Finder for all SPs: checked
    5. Save the configuration

Step 4: Testing the scenario

To test the scenario, we will need to have the three machines up and running.

The client machine can be another machine or one of the machines where we set up the scenario.

We will test with an SP-initiated Single Sign-On and will indicate that we want to send the Authentication Request to machineb.idpproxy.com, using a transient NameID Format.

  1. Open a browser in the client machine
  2. In the location bar use the following URL:
    http://machinea.sp.com/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=machineb.idpproxy.com&NameIDFormat=transient&AuthnContextClassRef=http://foo.example.com/assurance/loa1
    
  3. If your configuration was set up correctly you should see a screen giving you the option to select one of the remote IdPs configured in the IdP Proxy that fulfil the requested LOA:
    IDP Selection


    Welcome to the Federation Broker

    You are here because you initiated a request in the Service Provider machinea.sp.com and
    You asked for the Assurance level http://foo.example.com/assurance/loa1:

    Please select your preferred IdP:
    o machinec.idp.com

    <Submit>


  4. If you select machinec.idp.com and click the Submit button, you will now see the login screen of machinec (the IdP)
    1. Provide the user name and password; for example, we can use the "demo" user account with password "changeit"
  5. If the configuration was set up correctly we will be returned to the Service Provider machinea.sp.com and see the following message in our browser:
    Single Sign-on succeeded.
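The selection screen above is the proxy deciding which remote IdPs can fulfil the AuthnContextClassRef sent in the test URL, using the idpAuthncontextClassrefMapping entries edited in Step 7. The following added example (not OpenAM code, and not the SAML2IDPProxyFRImpl finder class) reproduces that decision offline: it parses the mapping values (classRef|level|authnType|default) from a trimmed copy of the extended metadata and returns the remote IdPs able to satisfy a requested class ref. The LOAs advertised by the remote IdPs and the entity idp-high.example.com are constructed assumptions, and the "minimum" comparison type goes beyond the "exact" setting the page configures.

```python
import xml.etree.ElementTree as ET

NS = {"ec": "urn:sun:fm:SAML:2.0:entityconfig"}

# Constructed sample: only the mapping attribute from the proxy's edited
# extended metadata (step 7 above); the other attributes are omitted.
PROXY_EXTENDED_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityConfig entityID="machineb.idpproxy.com" hosted="true"
              xmlns="urn:sun:fm:SAML:2.0:entityconfig">
  <IDPSSOConfig metaAlias="/proxyidp">
    <Attribute name="idpAuthncontextClassrefMapping">
      <Value>http://foo.example.com/assurance/loa2|2||</Value>
      <Value>http://foo.example.com/assurance/loa3|3||</Value>
      <Value>http://foo.example.com/assurance/loa4|4||</Value>
      <Value>http://foo.example.com/assurance/loa1|1||default</Value>
      <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
    </Attribute>
  </IDPSSOConfig>
</EntityConfig>"""

# Constructed: the LOA class refs each remote IdP advertises. machinec.idp.com
# is the scenario's IdP; idp-high.example.com is hypothetical, added so that a
# request for a higher LOA selects a different IdP.
REMOTE_IDP_LOAS = {
    "machinec.idp.com": {"http://foo.example.com/assurance/loa1",
                         "http://foo.example.com/assurance/loa2"},
    "idp-high.example.com": {"http://foo.example.com/assurance/loa3",
                             "http://foo.example.com/assurance/loa4"},
}


def parse_idp_classref_mapping(xml_text):
    """Return {classRef: level} from the proxy's idpAuthncontextClassrefMapping.
    Each <Value> is 'classRef|level|authnType|default'; an entry with fewer
    than three fields or a non-numeric level is rejected, not skipped."""
    mapping = {}
    root = ET.fromstring(xml_text)
    for attr in root.findall(".//ec:IDPSSOConfig/ec:Attribute", NS):
        if attr.get("name") != "idpAuthncontextClassrefMapping":
            continue
        for value in attr.findall("ec:Value", NS):
            fields = (value.text or "").split("|")
            if len(fields) < 3 or not fields[1].isdigit():
                raise ValueError("malformed mapping entry: %r" % value.text)
            mapping[fields[0]] = int(fields[1])
    return mapping


def select_idps(mapping, requested, remote_idps, comparison="exact"):
    """Remote IdPs that can satisfy 'requested' under the SP's comparison type:
    'exact' (as configured above) needs the very same class ref; 'minimum' also
    accepts any advertised class ref mapped to a level >= the requested one;
    any other comparison type is treated as 'exact'. A class ref missing from
    the mapping is an error, so it can never be silently treated as level 0."""
    if requested not in mapping:
        raise ValueError("unmapped AuthnContextClassRef: " + requested)
    wanted = mapping[requested]
    chosen = []
    for entity_id, supported in sorted(remote_idps.items()):
        if any(cls == requested or (comparison == "minimum" and
                                    mapping.get(cls, -1) >= wanted)
               for cls in supported):
            chosen.append(entity_id)
    return chosen
```

With the class ref from the test URL in point 2 (loa1, comparison type exact) the selection yields only machinec.idp.com, matching the screen shown in point 3.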
    