OpenSSO Enterprise includes the IDP Discovery Service Configurator (Configurator.jsp) to configure the IDP Discovery Service.

1. Log in as a user who has the following privileges:
   - Access to the web container administration console, if you plan to deploy idpdiscovery.war using this console.
   - The capability to execute the web container's deploy command-line utility, if you plan to deploy idpdiscovery.war using the CLI.
2. Deploy idpdiscovery.war to the web container using either the web container administration console or the CLI deploy command.
3. Launch the Configurator using the following URL:
   For example: http://idpdiscoveryhost.example.com:8080/idpdiscovery
   If the IDP Discovery Service is not already configured, you are redirected to the Configurator page.
4. On the Configurator page, specify the following information:
   - Debug Level: error (default), warning, message, or off.
   - Cookie Type: PERSISTENT (default) or SESSION.
   - Secure Cookie: True or False (default). Set this to True when the service is accessed over HTTPS; the browser then returns the cookie only over TLS connections.
   - Encode Cookie: True (default) or False.
5. On the SP host machine, use the console to create a Circle of Trust with the IDP Discovery Service URL used as the prefix for the values of the Reader and Writer URL attributes. For example:
   SAML2 Writer Service URL: http://idp-discovery-server-machine:port/idpdiscovery/saml2writer
   SAML2 Reader Service URL: http://idp-discovery-server-machine:port/idpdiscovery/saml2reader
6. On the IDP host machine, use the console to create a Circle of Trust with the prefix attribute also set to the IDP Discovery Service URL. For example:
7. Generate metadata for both the IDP and the SP using the ssoadm command-line utility with the create-metadata-templ option.
8. Load the SP metadata into the IDP machine.
9. Change the value of the host in the IDP metadata from 0 or remote.
10. Load the IDP metadata into the SP machine.

After this configuration, the Writer URL and Reader URL values in each Circle of Trust are the URL of the IDP Discovery Service.
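The Configurator settings and the two Circles of Trust have to agree with each other: every Reader and Writer URL must be the discovery service URL plus the fixed saml2reader/saml2writer suffix, and the Secure Cookie setting must match the scheme of that URL. The following checker, an added example that is not part of OpenSSO or of this guide, takes those values as plain strings and reports any mismatch before the single sign-on tests are run. The function names, the PREFIX value (taken from the example URL above) and the constructed SP and IDP Circle of Trust entries are assumptions for illustration.

```python
"""Consistency checks for an IDP Discovery Service deployment.

Hypothetical checker, not OpenSSO code: it takes the Configurator
settings and the Reader/Writer URLs entered in each Circle of Trust and
reports mismatches that would otherwise only show up when the discovery
redirect fails or the common-domain cookie is sent over plain HTTP.
"""
from urllib.parse import urlparse

# Values accepted by the Configurator page
DEBUG_LEVELS = {"error", "warning", "message", "off"}
COOKIE_TYPES = {"PERSISTENT", "SESSION"}

# Constructed sample: the discovery service URL from the example above
PREFIX = "http://idpdiscoveryhost.example.com:8080/idpdiscovery"


def discovery_urls(prefix):
    """Reader/Writer URLs derived from the discovery service URL prefix."""
    base = prefix.rstrip("/")
    return {"writer": f"{base}/saml2writer", "reader": f"{base}/saml2reader"}


def check_configurator(prefix, debug_level, cookie_type, secure_cookie):
    """Return a list of findings for the Configurator settings (empty = OK)."""
    findings = []
    scheme = urlparse(prefix).scheme
    if debug_level not in DEBUG_LEVELS:
        findings.append(f"unknown Debug Level {debug_level!r}")
    if cookie_type not in COOKIE_TYPES:
        findings.append(f"unknown Cookie Type {cookie_type!r}")
    # A Secure cookie is only returned by the browser over HTTPS: with
    # Secure=True on an http:// service the cookie never comes back and
    # discovery fails; with Secure=False on https:// it may be sent in clear.
    if secure_cookie and scheme != "https":
        findings.append("Secure Cookie is True but the service URL is not https")
    if not secure_cookie and scheme == "https":
        findings.append("service URL is https but Secure Cookie is False")
    return findings


def check_circle_of_trust(name, writer_url, reader_url, prefix):
    """Compare one Circle of Trust's Reader/Writer URLs with the expected ones."""
    expected = discovery_urls(prefix)
    findings = []
    for role, url in (("writer", writer_url), ("reader", reader_url)):
        if url != expected[role]:
            findings.append(f"{name}: {role} URL {url!r} != expected {expected[role]!r}")
    return findings


def check_deployment(prefix, sp_cot, idp_cot, debug_level, cookie_type, secure_cookie):
    """Both Circles of Trust must point at the same discovery service."""
    findings = check_configurator(prefix, debug_level, cookie_type, secure_cookie)
    for name, cot in (("SP", sp_cot), ("IDP", idp_cot)):
        findings += check_circle_of_trust(name, cot["writer"], cot["reader"], prefix)
    return findings


# Constructed sample Circles of Trust: the SP side is correct, the IDP side
# carries a typo in the reader URL (capital R), a mistake the console accepts.
SP_COT = discovery_urls(PREFIX)
IDP_COT_TYPO = {
    "writer": PREFIX + "/saml2writer",
    "reader": PREFIX + "/saml2Reader",
}

if __name__ == "__main__":
    for finding in check_deployment(PREFIX, SP_COT, IDP_COT_TYPO,
                                    debug_level="error",
                                    cookie_type="PERSISTENT",
                                    secure_cookie=False):
        print("FINDING:", finding)
```

Run against the constructed sample, the checker reports the single IDP reader URL mismatch and nothing else; swapping PREFIX for an https:// URL while leaving Secure Cookie at its default of False adds a second finding, which is the case the Secure Cookie setting exists for.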
Perform the SAMLv2 test cases for SP-initiated and IDP-initiated single sign-on and single logout. Each time you perform these operations from the SP side, the Discovery Service logs will show the redirection to the IDP.