Sun OpenSSO Enterprise 8.0 Integration Guide

ProcedureTo Configure the Identity Provider OpenSSO Enterprise to Use SAMLv2 Identity Provider Protocols

Before you can enable the SAMLv2 Identity Provider protocols, you must generate, customize, and load each of the following:

Before You Begin
  1. Generate the metadata templates in both Identity Provider and Service Provider environments.

    Use thefamadm command. You can also use the browser-based interface at the following URL:


    • At Identity Provider :

      famadm create-metadata-templ -y idp_entity_id -u amadmin 
                           -f admin_password_file_name -m idp_standard_metadata 
                           -x idp_extended_metadata -i idp_meta_alias

      where idp_meta_alias is /idp

    • At Service Provider:

      famadm create-metadata-templ -y sp_entity_id -u amadmin 
                          -f admin_password_file_name -m sp_standard_metadata 
                          -x sp_extended_metadata -s sp_meta_alias   

      where sp_meta_alias is /sp

  2. Customize Identity Provider and Service Provider extended metadata.

    The Identity Provider extended metadata should be added as an attribute named AuthUrl. This URL attribute is used by the SAML protocols to redirect for authentication purposes. In the following example, AuthUrlredirects to the SiteMinder authentication module.

    <Attribute name="AuthUrl">

    Another option is to make the SiteMinder custom authentication module the default login module in OpenSSO Enterprise. The cost of using this option is that you must specify an LDAP login module for logging in as an administrator.

    The Service Provider extended metadata uses the attribute named transientUser. Set this value to your anonymous user:

     <Attribute name="transientUser">  
  3. Load the Identity Provider and Service Provider metadata.

    First create a Circle of Trust as mentioned in the URL. The Circle of Trust should also be added in the extended metadata.

    In your extended template files, you will see a sample Circle of Trust. Modify the sample to create your Circle of Trust.

    <Attribute name="cotlist">

    Load the hosted metadata in both the Identity Provider and the Service Provider using the famadm command or through OpenSSO Enterprise administration console.

  4. Exchange the metadata Service Provider with the Identity Provider metadata.

  5. Exchange the Identity Provider metadata with the Service Provider.

  6. Load all metadata.

  7. After successful metadata exchange, verify through the OpenSSO Enterprise administration console that SAMLv2 is working properly.

    The following shows a sample UI for SAMLv2 configuration.

    OpenSSO Enterprise console.