The following sections contain some procedures to perform after installing Access Manager.
If installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager that uses an LDAPv3-compliant directory for a user data store, you must add the sunFMSAML2NameIdentifier object class to all existing users. This object class contains two attributes:
sun-fm-saml2–nameid-info-key is used for searching purposes. The attribute's value takes the form hosted-entity-id|remote-entity-id|idp-nameid.
sun-fm-saml2–nameid-info is used to store all information related to the name identifier. The attribute's value takes the form hosted-entity-id|remote-entity-id|idp-nameid|idp-nameid-qualifier|idp-nameid-format|sp-nameid|sp-nameid-qualifier|hosted-entity-role|is-affiliation.
The values in these attributes are defined in the SAML v2 specifications. For example, hosted-entity-role takes a value of IDPRole or SPRole (based on the configuration of the provider) and is-affiliation specifies whether the federation is affiliation-based (taking a value of true or false). For explanations on the other attributes, see the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 specification.
To add sunFMSAML2NameIdentifier to the default amadmin entry, you would run ldapmodify (available in the bin directory) using the following LDIF as input:
DN: uid=amadmin,ou=people,dc=sun,dc=com changetype: modify add: objectclass objectclass: sunFMSAML2NameIdentifier
This task is not required for installations of Access Manager 7.1. It is also not required for installations of Federation Manager that use an LDAPv3-compliant directory as a user data store because the object class is automatically added if not found.
Be sure to set your class path correctly before using ldapmodify.
If installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager, you might have to enable the SAML v2 authentication module using the Access Manager console. The following sections explain the procedure to do this in both legacy and realm mode.
This is only necessary for instances of Access Manager acting as service providers.
Log in to Access Manager as the top-level administrator, by default, amadmin.
Select the Identity Management tab.
Select Services from the View drop down box.
Click Add Service.
Select SAML2 and click OK.
Log out of the Access Manager console.
You can also enable the SAML v2 authentication module using the amadmin command line tool.
Save the following XML code to a file.
<Requests> <OrganizationRequests DN="<root_suffix>"> <RegisterServices> <Service_Name>sunAMAuthSAML2Service</Service_Name> </RegisterServices> </OrganizationRequests> </Requests> |
Load the XML file using the amadmin command line tool to register the SAMLv2 authentication module.
For information on the amadmin command line tool, see Chapter 1, The amadmin Command Line Tool, in Sun Java System Access Manager 7.1 Administration Reference.
The SAML v2 Authentication Module is enabled during installation of Access Manager in Realm mode. The following procedure is for informational purposes.
Log in to Access Manager as the top-level administrator, by default, amadmin.
Select the Access Control tab.
Select the appropriate realm.
Click the Authentication tab.
Click New under Module Instances.
Enter SAML2 as a name.
Select the SAML2 radio button.
Click Create.
Click Save.
Log out of the Access Manager console.