In AMConfig.properties, set com.sun.identity.jss.donotInstallAtHighestPriority to true.
AMConfig.properties is located in the /etc/opt/product-directory/config directory in Access Manager and in the /staging-directory/web-src/WEB-INF/classes directory in Federation Manager.
Follow the instructions in the XMLSIG sample to set up a keystore and import the signing and encryption certificates into that keystore.
In Access Manager, the sample is located in the /AccessManager-base/product-directory/samples/saml/xmlsig directory. In Federation Manager, the sample is located in the /FederationManager-base/SUNWam/fm/samples/saml/xmlsig directory.
The certificate alias assigned during this process will be used in the following steps to identify the certificate.
Regenerate the metadata files so that they include the signing and encryption key information.
For identity provider metadata, run the following command:
saml2meta template [-i war-staging] -u admin -w admin-password -d idp-metaAlias -b idp-signing-key-alias -g idp-encryption-key-alias -e idp-entityID -m standard-XML-file-name -x extended-XML-file-name
For example:
saml2meta template -u amadmin -w 11111111 -d /idp -b test -g test -e idp.sun.com -m idpMeta.xml -x idpExt.xml
For service provider metadata, run the following command:
saml2meta template [-i war-staging] -u admin -w admin-password -s sp-metaAlias -a sp-signing-key-alias -f sp-encryption-key-alias -e sp-entityID -m standard-XML-file-name -x extended-XML-file-name
For example:
saml2meta template -u amadmin -w 11111111 -s /idp -a test -f test -e sp.sun.com -m spMeta.xml -x spExt.xml
Enable the appropriate XML signing and encryption features by modifying the generated metadata files.
XML signing is required for the Web Browser POST Profile.
You can turn on XML signing and encryption features by changing the value of the following attributes to true:
Identity Provider Standard Metadata Configuration File Attribute
wantAuthnRequestsSigned
Service Provider Standard Metadata Configuration File Attributes
AuthnRequestsSigned
WantAssertionsSigned
Identity Provider Extended Metadata Configuration File Attributes
wantNameIDEncrypted
wantArtifactResolveSigned
WantLogoutRequestSigned
WantLogoutResponseSigned
WantMNIRequestSigned
WantMNIResponseSigned
Service Provider Extended Metadata Configuration File Attributes
wantAttributeEncrypted
wantAssertionEncrypted
wantNameIDEncrypted
wantArtifactResponseSigned
WantLogoutRequestSigned
WantLogoutResponseSigned
WantMNIRequestSigned
WantMNIResponseSigned
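Editing the generated files by hand is error-prone when many attributes have to be flipped in two files per provider. The script below is an added example (not part of the Access Manager or Federation Manager distribution) that forces the switches listed above to true in a standard metadata file (SAML 2.0 metadata, where they are XML attributes on the role descriptor) and in an extended metadata file (Sun entityconfig format, where each one is an Attribute element carrying a Value). Attribute names are matched case-insensitively because the list above mixes wantLogoutRequestSigned-style and WantLogoutRequestSigned-style spellings; standard-metadata attributes that are absent are added using the SAML 2.0 metadata schema spelling (WantAuthnRequestsSigned, AuthnRequestsSigned, WantAssertionsSigned), while absent extended-metadata attributes are reported rather than invented. The namespace URIs for the two formats are assumptions stated in the code, and both sample documents are constructed for the example.

```python
"""Added example: flip the SAML v2 signing/encryption switches in the metadata
files produced by 'saml2meta template' before they are re-imported.

Standard metadata = SAML 2.0 metadata (XML attributes on the role descriptors).
Extended metadata = Sun entityconfig format (<Attribute name=".."><Value>..</Value>).
Namespace URIs below are assumptions; the sample documents are constructed."""
import sys
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # assumed namespace
SUN_CFG_NS = "urn:sun:fm:SAML:2.0:entityconfig"       # assumed namespace
ET.register_namespace("md", SAML_MD_NS)               # keep serialized prefixes readable
ET.register_namespace("fm", SUN_CFG_NS)

# Standard-metadata flags per role descriptor, spelled as in the SAML 2.0 schema.
STANDARD_FLAGS = {
    "IDPSSODescriptor": ("WantAuthnRequestsSigned",),
    "SPSSODescriptor": ("AuthnRequestsSigned", "WantAssertionsSigned"),
}
# Extended-metadata flags per Sun role config element (names taken from the list above).
EXTENDED_FLAGS = {
    "IDPSSOConfig": ("wantNameIDEncrypted", "wantArtifactResolveSigned",
                     "WantLogoutRequestSigned", "WantLogoutResponseSigned",
                     "WantMNIRequestSigned", "WantMNIResponseSigned"),
    "SPSSOConfig": ("wantAttributeEncrypted", "wantAssertionEncrypted",
                    "wantNameIDEncrypted", "wantArtifactResponseSigned",
                    "WantLogoutRequestSigned", "WantLogoutResponseSigned",
                    "WantMNIRequestSigned", "WantMNIResponseSigned"),
}


def enable_standard(xml_text):
    """Return (new_xml, changed) after forcing the standard-metadata flags to true."""
    root = ET.fromstring(xml_text)
    changed = []
    for role, flags in STANDARD_FLAGS.items():
        for elem in root.iter(f"{{{SAML_MD_NS}}}{role}"):
            for flag in flags:
                # Reuse an existing attribute whatever its casing; otherwise add it.
                name = next((a for a in elem.attrib if a.lower() == flag.lower()), flag)
                if elem.get(name) != "true":
                    elem.set(name, "true")
                    changed.append(f"{role}/@{name}")
    return ET.tostring(root, encoding="unicode"), changed


def enable_extended(xml_text):
    """Return (new_xml, changed, missing) after forcing the extended-metadata flags to true."""
    root = ET.fromstring(xml_text)
    changed, missing = [], []
    for role, flags in EXTENDED_FLAGS.items():
        for cfg in root.iter(f"{{{SUN_CFG_NS}}}{role}"):
            # Index the role's Attribute elements by lower-cased name.
            attrs = {a.get("name", "").lower(): a
                     for a in cfg.findall(f"{{{SUN_CFG_NS}}}Attribute")}
            for flag in flags:
                attr = attrs.get(flag.lower())
                if attr is None:
                    missing.append(f"{role}/{flag}")   # template lacks it: add by hand
                    continue
                value = attr.find(f"{{{SUN_CFG_NS}}}Value")
                if value is None:
                    value = ET.SubElement(attr, f"{{{SUN_CFG_NS}}}Value")
                if (value.text or "").strip().lower() != "true":
                    value.text = "true"
                    changed.append(f"{role}/{attr.get('name')}")
    return ET.tostring(root, encoding="unicode"), changed, missing


# Constructed sample: SP standard metadata with one switch absent and one false.
SAMPLE_SP_STANDARD = f"""<EntityDescriptor xmlns="{SAML_MD_NS}" entityID="sp.sun.com">
  <SPSSODescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/sp/Consumer" index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: IdP extended metadata with mixed casing and two switches missing.
SAMPLE_IDP_EXTENDED = f"""<EntityConfig xmlns="{SUN_CFG_NS}" entityID="idp.sun.com" hosted="1">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="signingCertAlias"><Value>test</Value></Attribute>
    <Attribute name="wantNameIDEncrypted"><Value>false</Value></Attribute>
    <Attribute name="wantArtifactResolveSigned"><Value>false</Value></Attribute>
    <Attribute name="WantLogoutRequestSigned"><Value>false</Value></Attribute>
    <Attribute name="wantLogoutResponseSigned"><Value>true</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>"""


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: enable_xmlsig.py standard-XML-file extended-XML-file")
    std_path, ext_path = sys.argv[1:]
    with open(std_path) as f:
        new_std, changed_std = enable_standard(f.read())
    with open(ext_path) as f:
        new_ext, changed_ext, missing = enable_extended(f.read())
    with open(std_path, "w") as f:
        f.write(new_std)
    with open(ext_path, "w") as f:
        f.write(new_ext)
    print("changed:", *changed_std, *changed_ext, sep="\n  ")
    if missing:
        print("not found (add by hand):", *missing, sep="\n  ")
```

Run it as enable_xmlsig.py idpMeta.xml idpExt.xml (and again for the service provider pair) before the saml2meta delete and import steps that follow; the change report lets you confirm which switches were actually flipped, and the "not found" list tells you which ones the generated template did not contain so you can add them deliberately rather than let a silent miss leave, for example, logout requests unsigned.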
Remove the hosted identity provider metadata by running the following command:
saml2meta delete -u amadmin -w admin-password -e idp-entityID
Import the new hosted identity provider metadata by running the following command:
saml2meta import -u amadmin -w admin-password -m standard-XML-file-name -x extended-XML-file-name -t COT-name
Remove the remote service provider metadata by running the following command:
saml2meta delete -u amadmin -w admin-password -e sp-entityID
Get the new remote service provider metadata.
The instructions in this step assume a testing environment where you are in control of both the identity provider server and the service provider server.
Import the new remote service provider metadata by running the following command:
saml2meta import -u amadmin -w admin-password -m standard-XML-file-name -x extended-XML-file-name -t COT-name
Remove the remote identity provider metadata by running the following command:
saml2meta delete -u amadmin -w admin-password -e idp-entityID
Get the new remote identity provider metadata.
The instructions in this step assume a testing environment where you are in control of both the identity provider server and the service provider server.
Import the new remote identity provider metadata by running the following command:
saml2meta import -u amadmin -w admin-password -m standard-XML-file-name -x extended-XML-file-name -t COT-name
Remove the hosted service provider metadata by running the following command:
saml2meta delete -u amadmin -w admin-password -e sp-entityID
Import the new hosted service provider metadata by running the following command:
saml2meta import -u amadmin -w admin-password -m standard-XML-file-name -x extended-XML-file-name -t COT-name
Restart your web container.