Technical Note: Host Name Changes in a Sun Java System Access Manager 7.1 WAR Deployment

Procedure: To Make Changes for SAML v2

Use this procedure if the host machine name or domain changes on an instance of Access Manager that acts as an identity provider or service provider in a SAML v2 environment. Because Access Manager has no console support for SAML v2, the URLs configured in the metadata files must be changed on the command line, on both the identity provider and the service provider sides.

  1. Run the following command to export the standard and extended metadata from the identity provider machine.

    # /opt/SUNWam/saml2/bin/saml2meta export \
      --runasdn amadmin --password passwd-for-amadmin \
      --realm realm-name --entityid "IDP-OLD-FQDN" \
      --metadata /tmp/metadata.xml --extended /tmp/ext_metadata.xml

    Tip –

    If you receive the following exception:

    com.iplanet.sso.SSOException: Invalid sessionid format
    java.lang.IllegalArgumentException: Invalid server id in session id
    com.iplanet.services.naming.ServerEntryNotFoundException: Cannot find server.
       at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:177)
       at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:305)
       at com.sun.identity.authentication.AuthContext.getSSOToken(AuthContext.java:1070)

    append the following line to AMConfig.properties, restart Access Manager, and run the saml2meta export again.

    com.iplanet.am.naming.ignoreNamingService=true

  2. Run the following command to delete the standard and extended metadata just exported from the identity provider machine.

    # /opt/SUNWam/saml2/bin/saml2meta delete \
      --runasdn amadmin --password passwd-for-amadmin \
      --realm realm-name --entityid "IDP-OLD-FQDN"

    Descriptor and config for entity "IDP-OLD-FQDN" was deleted successfully.

  3. Change all occurrences of "IDP-OLD-FQDN" to "IDP-NEW-FQDN" in the exported files, /tmp/metadata.xml and /tmp/ext_metadata.xml.

  4. Run the following command to import the modified metadata files to the identity provider. The entity ID is taken from the files themselves, so no --entityid option is given.

    # /opt/SUNWam/saml2/bin/saml2meta import \
      --runasdn amadmin --password passwd-for-amadmin \
      --realm realm-name \
      --metadata /tmp/metadata.xml --extended /tmp/ext_metadata.xml

    File "/tmp/metadata.xml" was imported successfully.
    File "/tmp/ext_metadata.xml" was imported successfully.

  5. Run the following command to export the standard and extended metadata from the service provider machine.

    # /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging export \
      --runasdn amadmin --password passwd-for-amadmin \
      --entityid "IDP-OLD-FQDN" \
      --metadata /tmp/metadata.xml --extended /tmp/ext_metadata.xml

    Entity descriptor was exported to file "/tmp/metadata.xml" successfully.
    Entity config was exported to file "/tmp/ext_metadata.xml" successfully.

  6. Run the following command to delete the standard and extended metadata from the service provider machine.

    # /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging delete \
      --runasdn amadmin --password passwd-for-amadmin \
      --entityid "IDP-OLD-FQDN"

    Descriptor and config for entity "IDP-OLD-FQDN" was deleted successfully.

  7. Change all occurrences of "IDP-OLD-FQDN" to "IDP-NEW-FQDN" in the files exported from the service provider machine, /tmp/metadata.xml and /tmp/ext_metadata.xml.

  8. Run the following command to import the modified metadata files to the service provider.

    # /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging import \
      --runasdn amadmin --password passwd-for-amadmin \
      --metadata /tmp/metadata.xml --extended /tmp/ext_metadata.xml

    File "/tmp/metadata.xml" was imported successfully.
    File "/tmp/ext_metadata.xml" was imported successfully.
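The edit in steps 3 and 7 is a blind text replacement, and a single endpoint left on the old host, or an entityID that no longer matches between the standard and extended files, is only discovered when single sign-on fails after the import. The following Python check is an added example, not part of this technical note or of Access Manager: run it on /tmp/metadata.xml and /tmp/ext_metadata.xml before each import; the script name check_saml2_rename.py and the idp-old/idp-new.example.com sample metadata are constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET

def stale_references(xml_text, old_fqdn):
    """(tag, attribute, value) for every attribute or text node that still names old_fqdn."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit('}', 1)[-1]        # drop the namespace so the report reads like the file
        for attr, value in elem.attrib.items():
            if old_fqdn in value:
                found.append((tag, attr, value))
        if elem.text and old_fqdn in elem.text:
            found.append((tag, None, elem.text.strip()))
    return found

def entity_id(xml_text):
    """entityID of the root element: EntityDescriptor (standard) or EntityConfig (extended)."""
    return ET.fromstring(xml_text).get('entityID')

def check_metadata(std_xml, ext_xml, old_fqdn, new_fqdn):
    """Problems that would leave a half-renamed entity after import; an empty list means safe to import."""
    problems = [f"{t}@{a or 'text'} still references {old_fqdn}: {v}"
                for t, a, v in stale_references(std_xml, old_fqdn) + stale_references(ext_xml, old_fqdn)]
    std_id, ext_id = entity_id(std_xml), entity_id(ext_xml)
    if std_id != ext_id:                          # both files must describe the same entity
        problems.append(f"entityID mismatch: metadata={std_id!r} extended={ext_id!r}")
    if new_fqdn not in (std_id or ''):
        problems.append(f"entityID {std_id!r} does not carry the new FQDN {new_fqdn}")
    return problems

# Constructed sample of an IdP's metadata "after step 3", with one endpoint missed by the edit.
SAMPLE_STD = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="idp-new.example.com">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp-old.example.com:8080/amserver/IDPSloRedirect/metaAlias/idp"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp-new.example.com:8080/amserver/SSORedirect/metaAlias/idp"/>
 </IDPSSODescriptor></EntityDescriptor>"""
SAMPLE_EXT = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" entityID="idp-new.example.com" hosted="1">
 <IDPSSOConfig metaAlias="/idp"/></EntityConfig>"""

if __name__ == '__main__':
    # Usage: check_saml2_rename.py OLD-FQDN NEW-FQDN /tmp/metadata.xml /tmp/ext_metadata.xml
    args = sys.argv[1:] or ['idp-old.example.com', 'idp-new.example.com']   # no args: check the sample
    files = [open(p).read() for p in args[2:4]] or [SAMPLE_STD, SAMPLE_EXT]
    issues = check_metadata(files[0], files[1], args[0], args[1])
    print('\n'.join(issues) or 'OK: metadata is consistent and ready to import')
    sys.exit(1 if issues else 0)
```

With no arguments the script checks the embedded sample, whose SingleLogoutService endpoint was deliberately left on the old host, and exits non-zero; run it with the real files between steps 3 and 4 and again between steps 7 and 8.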