Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

SAML Operations

This section contains procedures illustrating how to use the Access Manager SAML Service. They are:

Setting Up SAML Single Sign-on

The following procedures explain how to configure and access instances of Access Manager for single sign-on using SAML 1.x assertions. Machine A (exampleA.com) is the source site, which authenticates the user and creates the SAML authentication assertion. Machine B (exampleB.com) is the destination site, which consumes the assertion and generates an SSOToken for the user.


Note –

If both machines are in the same domain, the cookie names must be different. You can change the cookie name by modifying the com.iplanet.am.cookie.name property in AMConfig.properties, located in /etc/opt/SUNWam/config/.


This section contains the following procedures:

Procedure: To Set Up SAML Single Sign-on

This procedure assumes the following values:

Deployment URI: amserver

Port: 58080

Protocol: http

  1. Write down or copy the value of the Site ID attribute from the destination site (machine B).

    1. Log in to the Access Manager console running at exampleB.com as the default administrator, amadmin.

    2. Click the Federation tab.

    3. Click the SAML tab.

    4. Click the sole entry listed under Site Identifiers.

      This takes you to the Edit site identifier page.

    5. Write down or copy the value of the Site ID attribute.

    6. Click Cancel.

    7. Log out of this instance of Access Manager.

  2. Configure the source site (machine A) to trust the destination site (machine B) AND write down or copy the value of the Site ID attribute from the source site.

    1. Log in to the Access Manager console running at exampleA.com as the default administrator, amadmin.

    2. Click the Federation tab.

    3. Click the SAML tab.

    4. Click New under Trusted Partners.

      This takes you to the Select trusted partner type and profile page.

    5. Check Artifact and Post under Destination and click Next.

      This takes you to the Add New Trusted Partner page.

    6. Set the values of the following attributes to configure machine B as a trusted partner of machine A:

      Source ID 

      Type the Site ID copied from the destination site, machine B, in the previous step. 

      Target 

      The value of this attribute is the host's domain, or domain with port. Do not include the protocol. For example, exampleB.com and exampleB.com:58080 are valid, but http://exampleB.com:58080 is not.

      SAML URL 

      http://exampleB.com:58080/amserver/SAMLAwareServlet

      HOST LIST 

      exampleB.com

      POST URL 

      http://exampleB.com:58080/amserver/SAMLPOSTProfileServlet

    7. Click Finish.

    8. Click Save.

    9. Click the sole entry listed under Site Identifiers.

      This takes you to the Edit site identifier page.

    10. Write down or copy the value of the Site ID attribute.

    11. Click Cancel to return to the previous page.

    12. Log out of Access Manager.

  3. Configure the destination site (machine B) to trust the source site (machine A).

    1. Log in to the Access Manager console running at exampleB.com as the default administrator, amadmin.

    2. Click the top-level realm under Access Control.

    3. Click the Authentication tab.

    4. Click New under Module Instances.

    5. Type a value in the Name field.

    6. Select the SAML radio button and click OK.

    7. Click Save.

    8. Click Access Control in the upper left corner.

    9. Click the Federation tab.

    10. Click the SAML tab.

    11. Click New under Trusted Partners.

      This takes you to the Select trusted partner type and profile page.

    12. Check Artifact and Post under Source and click Next.

      This takes you to the Add New Trusted Partner page.

    13. Set the values of the following attributes to configure machine A as a trusted partner of machine B:

      Source ID 

      Type the Site ID you copied from the source site, machine A, in the previous step. 

      SOAP URL 

      http://exampleA.com:58080/amserver/SAMLSOAPReceiver

      Issuer 

      exampleA.com:58080


      Note –

      If machine B uses https, check SSL under Authentication Type. Be sure to modify the protocol in the other attributes as necessary.


    14. Click Finish.

    15. Click Save.

    16. Log out of Access Manager.

Procedure: To Verify the SAML Single Sign-on Configurations

  1. Log in to the Access Manager console running at exampleA.com as the default administrator, amadmin.

  2. To initialize single sign-on from machine A, do one of the following:

    • Access the following URL to use the SAML Artifact profile:

      http://exampleA.com:58080/amserver/SAMLAwareServlet?TARGET=exampleB.com_Target_URL

    • Access the following URL to use the SAML POST profile:

      http://exampleA.com:58080/amserver/SAMLPOSTProfileServlet?TARGET=exampleB.com_Target_URL


      Note –

      XML signing must be enabled before running the SAML POST profile. See Signing Liberty ID-FF Requests and Responses for details.


    exampleB.com_Target_URL is any URL on the exampleB.com site to which the user will be redirected after a successful single sign-on. For testing purposes, this could be the login page, as in TARGET=http://exampleB.com:58080/amserver/UI/Login. If the administrator successfully accesses the Access Manager console on the destination site without manual authentication, an SSOToken has been created for the principal on the destination site and single sign-on has been properly established.
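The trusted-partner values typed into the console in the set-up procedure (Target, SAML URL, HOST LIST, POST URL) and the TARGET-bearing URLs used in the verification procedure are easy to get subtly wrong. The following is an added example, not code from the guide or from Access Manager, that checks a Destination-type partner entry against the rules stated above (no protocol in Target, host and protocol consistent across the URLs, SSL note honoured) and builds the verification URL with a properly encoded TARGET. The deployment URI amserver and the host names are the guide's assumed values; the partner dictionaries are constructed sample input.

```python
from urllib.parse import urlsplit, urlencode

# Constructed sample input: the Destination partner machine A configures for machine B.
GOOD_PARTNER = {
    "Target": "exampleB.com:58080",
    "SAML URL": "http://exampleB.com:58080/amserver/SAMLAwareServlet",
    "HOST LIST": "exampleB.com",
    "POST URL": "http://exampleB.com:58080/amserver/SAMLPOSTProfileServlet",
}
# Constructed sample input with the mistake the guide warns about: a protocol in Target.
BAD_PARTNER = dict(GOOD_PARTNER, Target="http://exampleB.com:58080")

def check_destination_partner(partner, use_ssl=False):
    """Return a list of problems with a Destination-type trusted partner entry.
    An empty list means the entry follows the guide's rules. use_ssl mirrors the
    SSL checkbox: when set, the partner URLs must use https."""
    problems = []
    target = partner["Target"]
    if "://" in target:
        problems.append("Target must be host or host:port without a protocol: " + target)
    host = target.split(":")[0].lower()          # urlsplit() lower-cases host names
    expected_scheme = "https" if use_ssl else "http"
    for key, servlet in (("SAML URL", "/amserver/SAMLAwareServlet"),
                         ("POST URL", "/amserver/SAMLPOSTProfileServlet")):
        parts = urlsplit(partner[key])
        if parts.scheme != expected_scheme:
            problems.append(f"{key}: expected {expected_scheme}, got {parts.scheme}")
        if parts.hostname != host:
            problems.append(f"{key}: host {parts.hostname} does not match Target host {host}")
        if parts.path != servlet:
            problems.append(f"{key}: path should be {servlet}")
    hosts = [h.strip().lower() for h in partner["HOST LIST"].split(",")]
    if host not in hosts:
        problems.append("HOST LIST does not contain " + host)
    return problems

def sso_init_url(source_base, target_url, profile="artifact"):
    """Build the URL that starts SSO from the source site in the verification step.
    profile is 'artifact' (SAMLAwareServlet) or 'post' (SAMLPOSTProfileServlet);
    the TARGET value is URL-encoded so its own scheme and path survive the redirect."""
    servlet = "SAMLAwareServlet" if profile == "artifact" else "SAMLPOSTProfileServlet"
    return f"{source_base}/amserver/{servlet}?" + urlencode({"TARGET": target_url})

if __name__ == "__main__":
    print(check_destination_partner(GOOD_PARTNER))
    print(check_destination_partner(BAD_PARTNER))
    print(sso_init_url("http://exampleA.com:58080", "http://exampleB.com:58080/amserver/UI/Login"))
```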