Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Procedure: To Configure Single Sign-on without Service Provider User Account

In some deployments, the service provider side of an interaction might not store user accounts. In that case, the single sign-on solution is to map all identity provider user accounts to one service provider user account. Any attributes inside the AttributeStatement are set as properties of the single sign-on token. The following procedure maps every identity provider user to a service provider anonymous user and passes two attributes to the service provider.

  1. Export the identity provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

  2. Edit attributeMap in the exported extended metadata configuration file.

    attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:

    <Attribute name="attributeMap">
    <Value>mail=mail</Value>
    <Value>employeeNumber=employeeNumber</Value>
    </Attribute>

  3. Remove the identity provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

  4. Import the identity provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

  5. Restart the web container.

  6. Export the service provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e SP-entityID -x SP-extended-XML-file-name

  7. Edit the following attributes in the exported extended metadata configuration file.

    • transientUser will take a value of one of the existing transient user identifiers on the service provider side, for example, anonymous.

    • attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:

      <Attribute name="attributeMap">
      <Value>mail=mail</Value>
      <Value>employeeNumber=employeeNumber</Value>
      </Attribute>

  8. Remove the service provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e SP-entityID -c

  9. Import the service provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x SP-extended-XML-file-name

  10. Restart the web container.

  11. To test, invoke the single sign-on URL with the NameIDFormat=transient query parameter appended to it.

    All identity provider users will be mapped to anonymous on the service provider side. mail and employeeNumber will be set as properties in the identity provider user's single sign-on token. For more information on the single sign-on URL, see JavaServer Pages.
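The edits in steps 2 and 7 are easy to get wrong by hand (a stray second "=" in an attributeMap entry, or an empty transientUser) and the file is only checked when it is imported. The following Python script, added here as an example and not part of the Sun guide, rewrites the transientUser and attributeMap entries of an exported extended metadata file and validates the local=remote form of each mapping before the file is re-imported with saml2meta. The wrapper element names in the sample file (EntityConfig, SPSSOConfig) are assumptions; only the Attribute/Value layout comes from the guide.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample of an exported SP extended metadata file. The wrapper
# element names are assumptions; the Attribute/Value layout is from the guide.
SAMPLE_SP_EXTENDED = """<EntityConfig entityID="sp.example.com" hosted="1">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="transientUser"><Value/></Attribute>
    <Attribute name="attributeMap"><Value>mail=mail</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""

# One attributeMap entry: autofedAttribute-value=remote-provider-attribute
MAP_ENTRY = re.compile(r"^[^=\s]+=[^=\s]+$")

def _local(tag):
    """Strip a namespace prefix ({ns}Tag -> Tag) so matching works either way."""
    return tag.rsplit("}", 1)[-1]

def find_attribute(root, name):
    """Return the <Attribute name=...> element anywhere in the tree, or None."""
    for el in root.iter():
        if _local(el.tag) == "Attribute" and el.get("name") == name:
            return el
    return None

def set_attribute(root, name, values):
    """Replace every <Value> under <Attribute name=...> with the given values."""
    attr = find_attribute(root, name)
    if attr is None:
        raise KeyError(f"no <Attribute name={name!r}> in the exported metadata")
    ns = attr.tag[: attr.tag.rfind("}") + 1]  # keep the file's namespace, if any
    for child in list(attr):
        attr.remove(child)
    for v in values:
        ET.SubElement(attr, ns + "Value").text = v
    return attr

def read_values(xml_text, name):
    """List the <Value> texts of an attribute (used to check the result)."""
    attr = find_attribute(ET.fromstring(xml_text), name)
    return [v.text or "" for v in attr] if attr is not None else []

def configure_sp(xml_text, transient_user, attribute_map):
    """Apply step 7: set transientUser and attributeMap, return the edited XML."""
    bad = [m for m in attribute_map if not MAP_ENTRY.match(m)]
    if bad:
        raise ValueError(f"attributeMap entries must be local=remote: {bad}")
    root = ET.fromstring(xml_text)
    # transient_user must already exist on the SP side; that cannot be checked offline.
    set_attribute(root, "transientUser", [transient_user])
    set_attribute(root, "attributeMap", attribute_map)
    return ET.tostring(root, encoding="unicode")
```

Write the returned text back to the SP-extended-XML-file-name before running the saml2meta delete and import commands of steps 8 and 9; for the identity provider file (step 2) call set_attribute for attributeMap only.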