Sun OpenSSO Enterprise 8.0 Integration Guide

ProcedureTo Configure the OpenSSO Enterprise Identity Provider and Service Provider for SAML2 protocols

For these configurations, you must have the following:

In Identity Provider, import Identity Provider metadata and Identity Provider extended metadata as hosted metadata. Import Service Provider metadata and Service Provider extended metadata as remote entity metadata.

Before You Begin

Before loading metadata, read through the following steps for the changes that you must make to the metadata. See the SAML2 samples for detailed instructions on how to setup SAML2, See the OpenSSO website for commands and syntax.

  1. Edit the extended metadata XML element <EntityConfig>.

    Change the hosted attribute from true to false.

  2. Generate the metadata templates in both Identity Provider and Service Provider environments.

    You can generate the metadata templates in one of two ways:

    • Use the browser-based URL http://host:port/opensso/famadm.jsp

    • Use the famadm command.

      At the Identity Provider, where idp_meta_alias is /idp:

      famadm create-metadata-templ -y idp_entity_id -u amadmin 
      -f admin_password_file_name -m idp_standard_metadata -x idp_extended_metadata 
      -i idp_meta_alias                                

      At the Service Provider, where sp_meta_alias is /sp:

      famadm create-metadata-templ -y sp_entity_id -u amadmin 
      -f admin_password_file_name -msp_standard_metadata 
      -x sp_extended_metadata -s sp_meta_alias
  3. Customize the extended metadata at the Service Provider.

    Add the Service Provider extended metadata as an attribute. This attribute is used by the SAML protocols to do any post-SSO Authentication process. In this example, the attribute is named spAdapter. In the architecture diagram, this is the SiteMinder Plug-In. The SiteMinder Plug-In uses the OpenSSO Enterprise session to authenticate against SiteMinder and to establish the SiteMinder session. The Service Provider metadata must have the following attributes:

    <Attribute name="spAdapter">
            <Attribute name="spAdapterEnv">
  4. Set the Service Provider extended metadata attribute transientUser to your anonymous user.

     <Attribute name="transientUser">

    Also verify that the OpenSSO Enterprise Service Provider is enabled for Anonymous authentication. See the OpenSSO Enterprise product documentation for more information.

  5. Add the Circle of Trust through the OpenSSO Enterprise administration console.

    Before loading, verify that the hosted attribute in the extended metadata has been changed to false.

  6. Load the hosted metadata in both the Identity Provider and the Service Provider.

    You can use the famadm command or the OpenSSO Enterprise administration console.

  7. Exchange the Service Provider metadata with the Identity Provider.

  8. Exchange the Identity Provider metadata with the Service Provider metadata.

  9. Load the metadata.

  10. After successful metadata exchange, verify through OpenSSO Enterprise administration console that metadata is properly configured.

    OpenSSO Enterprise .
  11. Verify that Single Sign-On works properly.

    Access the enterprise application protected by SiteMinder Service Provider Agent. This should redirect to the OpenSSO Enterprise for authentication where the SAML2 SSO is initiated.