Sun OpenSSO Enterprise 8.0 Integration Guide

ProcedureTo Configure the Identity Provider OpenSSO Enterprise for SAMLv2 Identity Provider Protocols

  1. Generate the metadata templates on both Identity Provider and Service Provider environments.

    You can use one of the following methods:

    • Use the famadm command.

    • Use a browser:


    1. At the Identity Provider, run the following command:

      famadm create-metadata-templ -y idp_entity_id -u amadmin
      -f admin_password_file_name -m idp_standard_metadata 
      -x idp_extended_metadata -i idp_meta_alias 

      where idp_meta_alias is "/idp".

    2. At the Service Provider, run the following command:

      famadm create-metadata-templ -y sp_entity_id -u amadmin
      -f admin_password_file_name -m sp_standard_metadata 
      -x sp_extended_metadata -s sp_meta_alias 

      where sp_meta_alias is "/sp".

  2. Customize extended metadata.

    Use one of the following options:

    • To the Identity Provider extended metadata, add an attribute named AuthUrl.

      This URL attribute is used by the SAML protocols to redirect to an OpenSSO Enterprise authentication module. In this use case, the redirect is to the custom Oracle Authentication Module. Example:

      <Attribute name="AuthUrl">
    • Make the custom Oracle authentication module as the default login module in OpenSSO Enterprise.

      A consequence of using this option is that you have to specify an LDAP login module for logging in as adminstrator. The Service Provider extended metadata has an attribute named as transientUser. Set this value to your anonymous user. Example:

      <Attribute name="transientUser">
  3. Change the hosted attribute in the Identity Provider and Service Provider extended metadata when loading remote metadata.

    For a remote Identity Provider or Service Provider, set the value to "false" or "0".

  4. Load the metadata.

    1. Create circle of trust.

      Add the circle of trust to the extended metadata. In the extended template files, you will see a sample circle of trust. Edit the following to correspond to your circle of trust.

      <Attribute name="cotlist">
    2. Load the hosted metadata in both the Identity Provider and Service Provider.

      You can use either the famadm command or the OpenSSO Enterprise console.

    3. Exchange the metadata .

      Import the Service Provider metadata into the Identity Provider, and import the Identity Provider metadata into the Service Provider.

    4. Load the metadata.

  5. After successfully exchanging the metadata, verify through the OpenSSO Enterprise administration console that the metadata has been configured correctly.

    OpenSSO Enterprise console, Federation tab