I am trying to configure openam as Identity provider to test my SAML based service provider application.

I have searched a lot and saw the documentation of OpenAM. There are lots of things supported by OpenAM which I probably do not need at this moment. I don't wish to read the whole documentation, which would take a lot of time reading things I do not want to test right now. I even saw chapter 9 "Managing SAML 2.0 SSO" at http://docs.forgerock.org/en/openam/10.0.0/admin-guide/index/index.html but it requires a lot of things to be configured before this.

Is there any quick start guide to test it as a SAML based IdP?

EDIT

Not necessarily a quick one, a detailed one is also fine. But I want OpenAM as the Identity Provider. The SP is an application hosted on Jetty which we have developed. Also tell me what changes I have to make on the SP, i.e. which URLs of the application should respond with what.

hridayesh

2 Answers

There is no one-fits-all answer to your question really. Setting up SAMLv2 Federation largely depends on the actual SP implementation; some SPs can work with SAML metadata, some don't. The simplest way to set up federation between two OpenAM instances for reference would be something like:

  • Create Hosted IdP wizard on node1
  • Create Hosted SP wizard on node2
  • On both nodes remove the persistent NameID-Format, so both will have transient at the top of the list
  • Register Remote SP wizard on node1, with URL: node2/openam/saml2/jsp/exportmetadata.jsp
  • Register Remote IdP wizard on node2, with URL: node1/openam/saml2/jsp/exportmetadata.jsp
  • On node2 in the Hosted SP setting set the transient user to "anonymous"

After all this you can test Federation by using:

  • /openam/spssoinit?metaAlias=/sp&idpEntityID=node1_entityid on node2
  • /openam/idpssoinit?metaAlias=/idp&spEntityID=node2_entityid on node1

I've used the default metaAlias values, but those should be visible on the console pages. Similarly by downloading the metadata you can see the actual entity IDs for the given entities.

Based on this, you should see now that with an OpenAM IdP you could at least test SAML support using the idpssoinit URL (if your SP supports unsolicited responses), but from the other way around it pretty much depends on your SP implementation how you need to actually trigger a SAML authentication.

Peter Major
  • Looks like this setup works where the SP is also in one of the OpenAM servers. In my case the SP is a Jetty application. – hridayesh Apr 29 '13 at 12:30
  • Yes, note the "between two OpenAM instances" part.. However after setting up the metadata on both ends, you can easily use these spssoinit/idpssoinit URLs to actually test federation between your entities. – Peter Major Apr 29 '13 at 12:38
  • Thanks for answering. Sorry for my bad English if I miss out something. I think in my case I should not need to set up node2, only need to register the SP to node1. For this I need a metadata file. PS: I have added some more details to the question for better clarification. – hridayesh Apr 29 '13 at 15:33
  • If this is an in-house developed SP, then you should be familiar with the SAML spec, hence setting up a SAML metadata shouldn't be that difficult, also you should know how the given endpoints should respond to different queries. If you are using some external SAML tool, then you should get familiar with its documentation to be able to construct the metadata... – Peter Major Apr 30 '13 at 17:01
  • I have a question. I am trying SSO between my web application and Zendesk. Zendesk supports the OpenAM SAML implementation. So the OpenAM instance will be the hosted identity provider and Zendesk will be the remote service provider. Am I right on this? How should I configure these things. Thanks! – Jeevan Patil Jan 07 '15 at 17:33
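The answer above leaves two pieces of work to the SP side: publishing SAML metadata that OpenAM can import with the "Register Remote SP" wizard, and building the idpssoinit test URL from the metaAlias and the SP entity ID. The following is an added example, not code from the answer or from OpenAM: it builds minimal SP metadata (transient NameID format, one HTTP-POST AssertionConsumerService), parses IdP metadata of the kind exportmetadata.jsp returns to check that transient is the first NameID format (the bullet about removing persistent), and assembles the idpssoinit URL. The host names, entity IDs, the /saml/acs path and the IdP metadata sample are all constructed for the example; WantAssertionsSigned is a hardening choice of the example, not something the answer prescribes.

```python
"""Added example: SP metadata, IdP metadata check, and idpssoinit test URL.

All host names, entity IDs and paths below are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD_NS)


def build_sp_metadata(entity_id, acs_url, want_signed_assertions=True):
    """Return SP metadata (bytes) that a Jetty-hosted SP could serve and that
    OpenAM's Register Remote SP wizard can import.  Transient NameID only,
    matching the IdP setup in the answer; one HTTP-POST ACS endpoint."""
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    spsso = ET.SubElement(
        root, f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration=PROTO_NS,
        # Ask the IdP to sign assertions so the SP can verify their origin
        # before trusting the Subject (example hardening, an assumption).
        WantAssertionsSigned="true" if want_signed_assertions else "false",
    )
    ET.SubElement(spsso, f"{{{MD_NS}}}NameIDFormat").text = TRANSIENT
    ET.SubElement(
        spsso, f"{{{MD_NS}}}AssertionConsumerService",
        Binding=HTTP_POST, Location=acs_url, index="0", isDefault="true",
    )
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def summarize_metadata(xml_bytes):
    """Parse SP or IdP metadata; return (entityID, endpoint URLs, NameID formats).
    Endpoints are ACS locations for an SP and SingleSignOnService for an IdP."""
    root = ET.fromstring(xml_bytes)
    ns = {"md": MD_NS}
    formats = [e.text for e in root.iterfind(".//md:NameIDFormat", ns)]
    endpoints = [e.get("Location")
                 for e in root.iterfind(".//md:AssertionConsumerService", ns)]
    endpoints += [e.get("Location")
                  for e in root.iterfind(".//md:SingleSignOnService", ns)]
    return root.get("entityID"), endpoints, formats


def transient_is_default(formats):
    """The answer says to remove persistent so transient is at the top of the
    list: the first NameIDFormat in metadata is the one OpenAM defaults to."""
    return bool(formats) and formats[0] == TRANSIENT


def idpssoinit_url(openam_base, sp_entity_id, meta_alias="/idp"):
    """IdP-initiated (unsolicited) SSO test URL from the answer:
    /openam/idpssoinit?metaAlias=/idp&spEntityID=<sp entity id>.
    urlencode percent-encodes the entity ID so its own URL characters
    do not break the query string."""
    return f"{openam_base}/idpssoinit?" + urlencode(
        {"metaAlias": meta_alias, "spEntityID": sp_entity_id})


# Constructed sample of what a hosted IdP's exportmetadata.jsp might return
# before the persistent format is removed (NOT real OpenAM output).
CONSTRUCTED_IDP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://node1.example.test/openam">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://node1.example.test/openam/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    sp_id = "https://sp.example.test/saml/metadata"       # assumption
    md = build_sp_metadata(sp_id, "https://sp.example.test/saml/acs")
    print(md.decode())                                   # serve this at sp_id
    eid, sso, fmts = summarize_metadata(CONSTRUCTED_IDP_METADATA)
    print("IdP", eid, sso, "transient default:", transient_is_default(fmts))
    print(idpssoinit_url("https://node1.example.test/openam", sp_id))
```

Serving the generated document at the SP's entityID URL is the usual way to give OpenAM a metadata URL to register; the ACS endpoint is the one URL the SP must implement, receiving the HTTP-POST SAMLResponse and validating its signature against the IdP's metadata before creating a session.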
This seems like a simple setup.

Patrik Svensson
Stefan Rasmusson
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. – von v. Apr 24 '13 at 11:46
  • @vonv. How does providing a quick start guide for setting up OpenAM as IDP not answer the question "Is there any quick start guide to test it as saml based IdP?"? – Stefan Rasmusson Apr 24 '13 at 11:51
  • It's a message from the review system. But if I have gone to your answer directly what I would say is that, you should provide some content that answers the question. As Matt already mentioned, links can be invalid in the future. Also, please remember we try to provide good contents here. If all we put in here are links to some sites then it wouldn't be good content, isn't it? – von v. Apr 24 '13 at 12:00
  • I can agree that I should have posted a summary in the answer – Stefan Rasmusson Apr 24 '13 at 12:03
  • In my case the service provider is just a web application which is not created on Shib. How can I get the metadata file? What things/URLs should be supported by the application? – hridayesh Apr 24 '13 at 14:53