Sun OpenSSO Enterprise 8.0 Integration Guide

Procedure: To Configure the OpenSSO Enterprise Identity and Service Providers for SAML2 Protocols

  1. Generate the metadata templates on both Identity Provider and Service Provider environments.

    Use the famadm command, or use a browser to go to the following URL:

    http://<host>:<port>/opensso/famadm.jsp

    • At the Identity Provider:


      famadm create-metadata-templ -y idp_entity_id
      -u amadmin -f admin_password_file_name -m idp_standard_metadata
      -x idp_extended_metadata -i idp_meta_alias

      where idp_meta_alias is /idp

    • At the Service Provider:


      famadm create-metadata-templ -y sp_entity_id
      -u amadmin -f admin_password_file_name -m sp_standard_metadata
      -x sp_extended_metadata -s sp_meta_alias

    where sp_meta_alias is /sp

  2. Customize the Service Provider extended metadata.

    Add an attribute named spAdapter to the Service Provider extended metadata. The SAML protocols use this attribute to run any post single sign-on authentication processing. In the architecture diagram, this is the Oracle Access Manager Plug-in. The OAMPlugin uses the OpenSSO Enterprise session to authenticate against Oracle Access Manager and establish the ObSSOCookie. The Service Provider extended metadata must have the following attributes:


    <Attribute name="spAdapter">
      <Value>com.sun.identity.saml2.plugins.SMAdapter</Value>
    </Attribute>

    <Attribute name="spAdapterEnv">
      <Value>FAMCookieName=iPlanetDirectoryPro</Value>
      <Value>OAMCookieName=ObSSOCookie</Value>
      <Value>CookieDomain=.red.example.com</Value>
      <Value>Resource=/test/index.html</Value>
      <Value>ObSDKInstallDir=/export/oam/AccessServerSDK</Value>
    </Attribute>

  3. Set the value for transientUser to the anonymous user.

    The Service Provider extended metadata has an attribute named transientUser. Set it to the anonymous user, and make sure that the OpenSSO Enterprise Service Provider is enabled for Anonymous authentication.


    <Attribute name="transientUser">
      <Value>anonymous</Value>
    </Attribute>

  4. Create a circle of trust.

    The circle of trust should also be added in your extended metadata.

  5. Load the metadata.

  6. Edit the following attribute so that it names one of your circles of trust.

    The extended template files contain a sample circle of trust:


    <Attribute name="cotlist">
      <Value>samplesaml2cot</Value>
    </Attribute>

    You can also add the circle of trust through the OpenSSO Enterprise administration console.

  7. Load the hosted metadata in both the Identity Provider and Service Provider.

    You can use the famadm command or the OpenSSO Enterprise administration console.

  8. Exchange the metadata between the Identity Provider and the Service Provider, and load the metadata.

    1. Import the Identity Provider metadata into the Service Provider metadata.

    2. Import the Service Provider metadata into the Identity Provider metadata.

    3. In the extended metadata imported from the other party, change the hosted attribute value to false.

    4. Load all metadata.

  9. Verify through the OpenSSO Enterprise administration console that the metadata is configured properly.

    In the OpenSSO Enterprise console, use the Federation tab.
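The following Python script is an added example, not part of this guide or of the OpenSSO Enterprise product. It applies steps 2, 3, 6 and 8.3 to a constructed Service Provider extended-metadata template (adding spAdapter and spAdapterEnv, setting transientUser to anonymous, naming the circle of trust, and flipping hosted to false for the copy the Identity Provider imports) and then checks the result the way step 9 is done by eye in the console. The EntityConfig and SPSSOConfig element names and the urn:sun:fm:SAML:2.0:entityconfig namespace are assumptions; compare them with the template that famadm actually generated before running this against a real file, and treat the spAdapterEnv values as placeholders.

```python
import xml.etree.ElementTree as ET

# Assumed namespace of the extended (EntityConfig) metadata; verify against a real template.
NS = "urn:sun:fm:SAML:2.0:entityconfig"
ET.register_namespace("", NS)

SP_ADAPTER_CLASS = "com.sun.identity.saml2.plugins.SMAdapter"
REQUIRED_ENV_KEYS = ("FAMCookieName", "OAMCookieName", "CookieDomain", "Resource", "ObSDKInstallDir")

# Constructed sample, shaped like the SP extended template famadm writes with -x:
# transientUser is still empty and cotlist still names the sample circle of trust.
SP_EXTENDED_TEMPLATE = f"""<EntityConfig xmlns="{NS}" entityID="sp_entity_id" hosted="true">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="transientUser"><Value></Value></Attribute>
    <Attribute name="cotlist"><Value>samplesaml2cot</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""

# Constructed spAdapterEnv settings (same keys as the guide; the values are placeholders).
SAMPLE_ADAPTER_ENV = {
    "FAMCookieName": "iPlanetDirectoryPro",
    "OAMCookieName": "ObSSOCookie",
    "CookieDomain": ".red.example.com",
    "Resource": "/test/index.html",
    "ObSDKInstallDir": "/export/oam/AccessServerSDK",
}


def q(tag):
    """Namespace-qualify a tag name for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def set_attribute(config, name, values):
    """Create or replace <Attribute name=...> under config with the given <Value> children."""
    attr = next((a for a in config.findall(q("Attribute")) if a.get("name") == name), None)
    if attr is None:
        attr = ET.SubElement(config, q("Attribute"), name=name)
    for old in list(attr):
        attr.remove(old)
    for text in values:
        ET.SubElement(attr, q("Value")).text = text
    return attr


def get_values(config, name):
    """Return the <Value> texts of the named attribute ([] if the attribute is absent)."""
    for attr in config.findall(q("Attribute")):
        if attr.get("name") == name:
            return [v.text or "" for v in attr.findall(q("Value"))]
    return []


def customize_sp_extended(xml_text, cot_name, adapter_env):
    """Steps 2, 3 and 6: add spAdapter/spAdapterEnv, set transientUser, name the circle of trust."""
    root = ET.fromstring(xml_text)
    sp = root.find(q("SPSSOConfig"))
    if sp is None:
        raise ValueError("not a Service Provider extended-metadata document")
    set_attribute(sp, "spAdapter", [SP_ADAPTER_CLASS])
    set_attribute(sp, "spAdapterEnv", [f"{k}={v}" for k, v in adapter_env.items()])
    set_attribute(sp, "transientUser", ["anonymous"])
    set_attribute(sp, "cotlist", [cot_name])
    return ET.tostring(root, encoding="unicode")


def mark_remote(xml_text):
    """Step 8.3: the copy loaded on the other side must carry hosted="false"."""
    root = ET.fromstring(xml_text)
    root.set("hosted", "false")
    return ET.tostring(root, encoding="unicode")


def check_sp_extended(xml_text, expect_hosted):
    """Step 9 as code: return a list of problems, empty when the SP metadata matches the procedure."""
    root = ET.fromstring(xml_text)
    problems = []
    want = "true" if expect_hosted else "false"
    if root.get("hosted") != want:
        problems.append(f'hosted should be "{want}", found {root.get("hosted")!r}')
    sp = root.find(q("SPSSOConfig"))
    if sp is None:
        return problems + ["no SPSSOConfig element"]
    if get_values(sp, "spAdapter") != [SP_ADAPTER_CLASS]:
        problems.append("spAdapter is not " + SP_ADAPTER_CLASS)
    env = dict(v.partition("=")[::2] for v in get_values(sp, "spAdapterEnv"))
    for key in REQUIRED_ENV_KEYS:
        if not env.get(key):
            problems.append(f"spAdapterEnv is missing {key}")
    if get_values(sp, "transientUser") != ["anonymous"]:
        problems.append("transientUser is not the anonymous user")
    cots = get_values(sp, "cotlist")
    if not cots or not all(cots):
        problems.append("cotlist is empty or names a blank circle of trust")
    return problems


if __name__ == "__main__":
    hosted_copy = customize_sp_extended(SP_EXTENDED_TEMPLATE, "samplesaml2cot", SAMPLE_ADAPTER_ENV)
    print("hosted SP copy:", check_sp_extended(hosted_copy, expect_hosted=True) or "OK")
    print("remote SP copy:", check_sp_extended(mark_remote(hosted_copy), expect_hosted=False) or "OK")
```

Run the script against the copy you keep on the Service Provider with expect_hosted=True and against the copy you hand to the Identity Provider with expect_hosted=False; the same hosted flag on both sides is the mistake the checker is built to catch before the metadata is loaded.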