Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

how to Configure openam as Identity provider(IdP) to test SAML based SSO

Tags:

single-sign-on

saml

openam

I am trying to configure openam as Identity provider to test my SAML based service provider application.

I have searched a lot and saw documentation of openam. There are lots of thing supported by openam which probably I do not need at this moment. I don't wish to read whole documentation which will take lot of time reading things I do not want to test right now. I even saw chatpet 9 "Managing SAML 2.0 SSO" at http://docs.forgerock.org/en/openam/10.0.0/admin-guide/index/index.html But it requires lot of things to be configured before this.

Is there any quick start guide to test it as saml based IdP?

EDIT

Not a quick, detailed is also fine. But I want OpenAm as Identity provider. SP is an application hosted on Jetty which we have developed. Also tell me what changed do I have to make on SP like what urls of application should respond with what.

like image 801
hridayesh Avatar asked Oct 04 '22 07:10

hridayesh

2 Answers

There is no one-fits-all answer to your question really. Setting up SAMLv2 Federation largely depends on the actual SP implementation, some SPs can work with SAML metadata, some don't.. The simplest way to set up federation between two OpenAM instances for reference would be something like:

  • Create Hosted IdP wizard on node1
  • Create Hosted SP wizard on node2
  • On both nodes remove the persistent NameID-Format, so both will have transient at the top of the list
  • Register Remote SP wizard on node1, with URL: node2/openam/saml2/jsp/exportmetadata.jsp
  • Register Remote IdP wizard on node2, with URL: node1/openam/saml2/jsp/exportmetadata.jsp
  • On node2 in the Hosted SP setting set the transient user to "anonymous"

After all this you can test Federation by using:

  • /openam/spssoinit?metaAlias=/sp&idpEntityID=node1_entityid on node2
  • /openam/idpssoinit?metaAlias=/idp&spEntityID=node2_entityid on node1

I've used the default metaAlias values, but those should be visible on the console pages. Similarly by downloading the metadata you can see the actual entity IDs for the given entities.

Based on this, you should see now that with an OpenAM IdP you could at least test SAML support using the idpssoinit URL (if your SP supports unsolicited responses), but from the other way around it pretty much depends on your SP implementation how you need to actually trigger a SAML authentication.

like image 177
Peter Major Avatar answered Oct 29 '22 04:10

Peter Major

This seems like a simple setup.

like image 31
Stefan Rasmusson Avatar answered Oct 29 '22 02:10

Stefan Rasmusson
Sign in to Comment

Related questions

How to retrieve user info fra a Active Directory Security Group using LDAP and PHP
SiteMinder SSO Custom Login page
RubyOnRails kind of Single Sign On strategy for devise
OIDC Session Management in a SPA (Single-Sign-Out)
Connect Kubernetes to AD
NTLM V2 SSO Java Servlet Filter [closed]
Umbraco membership integration with SAML Web SSO
PingFederate Single Log-Off - How does it work?
how to setup SSL for CAS and Client (different machines)
ASP.Net Single Sign On CrossDomain with OneLogin and DotNetOpenAuth
Way to single sign on between PHP, Python, Ruby applications
Does Azure B2C provide "true" single sign-on between multiple applications
How to configure SSO for Azure AD B2C?
What have people done to improve the OpenID user experience, particularly as a relying party?
How to implement Single Sign On using Spring and Active Directory
How can I restrict client access to only one group of users in keycloak?
Good single sign-on solution for Laravel [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!