Sun OpenSSO Enterprise 8.0 Administration Guide

Setting Up SAML Single Sign-on

The following procedures explain how to configure and access instances of OpenSSO Enterprise for single sign-on using SAML 1.x assertions. Machine A (exampleA.com) is the source site which authenticates the user and creates the SAML authentication assertion. Machine B (exampleB.com) is the destination site which consumes the assertion and generates a SSOToken for the user.


Note –

If both machines are in the same domain, the cookie names must be different. You can change the cookie name by modifying the Cookie Name property in Configuration>Servers and Sites>Security, located in the OpenSSO Enterprise console.


This section contains the following procedures:

  • To Set Up SAML Single Sign-on

  • To Verify the SAML Single Sign-on Configurations

Procedure: To Set Up SAML Single Sign-on

This procedure assumes the following values:

Deployment URI 

opensso

Port 

58080 

Protocol 

http

  1. Write down or copy the value of the Site ID attribute from the destination site (machine B).

    1. Log in to the console running at exampleB.com as the default administrator, amadmin.

    2. Click the Federation tab.

    3. Click the SAML button.

    4. Click the sole entry listed under Site Identifiers.

      This takes you to the Edit site identifier page.

    5. Write down or copy the value of the Site ID attribute.

    6. Click Cancel.

    7. Log out of this instance of OpenSSO Enterprise.

  2. Configure the source site (machine A) to trust the destination site (machine B) AND write down or copy the value of the Site ID attribute from the source site.

    1. Log in to the console running at exampleA.com as the default administrator, amadmin.

    2. Click the Federation tab.

    3. Click New under Trusted Partners.

      This takes you to the Select trusted partner type and profile page.

    4. Check Artifact and Post under Destination and click Next.

      This takes you to the Add New Trusted Partner page.

    5. Set the values of the following attributes to configure machine B as a trusted partner of machine A:

      Name 

      Type the name of the trusted partner. The name will be displayed in the trusted partner table. 

      Source ID 

      Type the Site ID copied from the destination site, machine B, in the previous step. 

      Target 

      The value of this attribute contains the host's domain or domain with port. Do not include the accompanying protocol. For example, exampleB.com and exampleB.com:58080 are valid, but http://exampleB.com:58080 is not.

      SAML URL 

      http://exampleB.com:58080/opensso/SAMLAwareServlet

      HOST LIST 

      exampleB.com

      POST URL 

      http://exampleB.com:58080/opensso/SAMLPOSTProfileServlet

    6. Click Finish.

    7. Click Save.

    8. Click the sole entry listed under Site Identifiers.

      This takes you to the Edit site identifier page.

    9. Write down or copy the value of the Site ID attribute.

    10. Click Cancel to return to the previous page.

    11. Log out of OpenSSO Enterprise.

  3. Configure the destination site (machine B) to trust the source site (machine A).

    1. Log in to the OpenSSO Enterprise console running at exampleB.com as the default administrator, amadmin.

    2. Click the Federation tab.

    3. Click New under Trusted Partners.

      This takes you to the Select trusted partner type and profile page.

    4. Check Artifact and Post under Source and click Next.

      This takes you to the Add New Trusted Partner page.

    5. Set the values of the following attributes to configure machine A as a trusted partner of machine B:

      Name 

      Type the name of the trusted partner. This will appear in the Trusted Partners table. 

      Source ID 

      Type the Site ID you copied from the source site, machine A, in the previous step. 

      SOAP URL 

      http://exampleA.com:58080/opensso/SAMLSOAPReceiver

      Issuer 

      exampleA.com:58080


      Note –

      If machine B uses https, check SSL under Authentication Type. Be sure to modify the protocol in the other attributes as necessary.


    6. Click Finish.

    7. Click Save.

    8. Log out of OpenSSO Enterprise.

Procedure: To Verify the SAML Single Sign-on Configurations

  1. Log in to the OpenSSO Enterprise console running at exampleA.com as the default administrator, amadmin.

  2. To initialize single sign-on from machine A, do one of the following:

    • Access the following URL to use the SAML Artifact profile:

      http://exampleA.com:58080/opensso/SAMLAwareServlet?TARGET=exampleB.com_Target_URL

    • Access the following URL to use the SAML POST profile:

      http://exampleA.com:58080/opensso/SAMLPOSTProfileServlet?TARGET=exampleB.com_Target_URL


      Note –

      XML signing must be enabled before running the SAML POST profile.


    exampleB.com_Target_URL is any URL on the exampleB.com site to which the user will be redirected after a successful single sign-on. For testing purposes, this could be the login page, as in TARGET=http://exampleB.com:58080/opensso/UI/Login. If the administrator successfully accesses the OpenSSO Enterprise console on the destination site without manual authentication, an SSOToken has been created for the principal on the destination site and single sign-on has been properly established.
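The two trusted-partner entries above only work when they agree with each other: the Source ID typed on machine A must be machine B's Site ID and vice versa, the Target must carry no protocol, and every servlet URL must point at the right machine and deployment URI. The following script, added here as an example and not part of OpenSSO Enterprise or its console, checks that pairing offline and then builds the single sign-on initiation URLs used in the verification procedure. The dictionary keys are named after the console fields but are this example's own convention, the Site ID values are placeholders (the real ones appear only on each server's Edit site identifier page), and the `auth_type` value is constructed sample data standing in for the console's Authentication Type setting.

```python
"""Offline consistency check for the SAML 1.x trust pairing set up above.

Added example for this page; it is not OpenSSO Enterprise code and does not
contact either server. All values below are constructed from the procedure's
assumptions; Site IDs are placeholders.
"""
from urllib.parse import urlencode, urlsplit

# Machine A: authenticates the user and issues the assertion (source site).
SOURCE_SITE = {
    "host": "exampleA.com", "port": 58080, "protocol": "http",
    "deployment_uri": "opensso", "site_id": "SITE-ID-OF-A-PLACEHOLDER",
}
# Machine B: consumes the assertion and creates the SSOToken (destination site).
DEST_SITE = {
    "host": "exampleB.com", "port": 58080, "protocol": "http",
    "deployment_uri": "opensso", "site_id": "SITE-ID-OF-B-PLACEHOLDER",
}

# Trusted partner entry created on machine A in step 2 (partner type: Destination).
PARTNER_ON_A = {
    "source_id": "SITE-ID-OF-B-PLACEHOLDER",  # must equal machine B's Site ID
    "target": "exampleB.com:58080",            # host or host:port, no protocol
    "saml_url": "http://exampleB.com:58080/opensso/SAMLAwareServlet",
    "host_list": ["exampleB.com"],
    "post_url": "http://exampleB.com:58080/opensso/SAMLPOSTProfileServlet",
}
# Trusted partner entry created on machine B in step 3 (partner type: Source).
PARTNER_ON_B = {
    "source_id": "SITE-ID-OF-A-PLACEHOLDER",  # must equal machine A's Site ID
    "soap_url": "http://exampleA.com:58080/opensso/SAMLSOAPReceiver",
    "issuer": "exampleA.com:58080",
    "auth_type": "none",  # constructed; the page says to check SSL when B uses https
}


def base_url(site):
    """protocol://host:port/deployment-uri for one of the sites."""
    return f"{site['protocol']}://{site['host']}:{site['port']}/{site['deployment_uri']}"


def host_of(target):
    """Host part of a Target value ('host' or 'host:port'), lower-cased."""
    return target.split(":", 1)[0].lower()


def check_pairing(src, dst, partner_on_a, partner_on_b):
    """Return a list of problems; an empty list means the two entries agree."""
    problems = []
    # The Site IDs cross over: A's entry names B's ID, B's entry names A's ID.
    if partner_on_a["source_id"] != dst["site_id"]:
        problems.append("A: Source ID is not machine B's Site ID")
    if partner_on_b["source_id"] != src["site_id"]:
        problems.append("B: Source ID is not machine A's Site ID")
    # Target is the destination's host or host:port with no protocol or path.
    tgt = partner_on_a["target"]
    if "://" in tgt or "/" in tgt:
        problems.append("A: Target must not include a protocol or path")
    elif host_of(tgt) != dst["host"].lower():
        problems.append("A: Target host does not match machine B")
    if host_of(tgt) not in [h.lower() for h in partner_on_a["host_list"]]:
        problems.append("A: HOST LIST does not contain the Target host")
    # The servlet URLs must point at the right machine and deployment URI.
    for key, want in (("saml_url", base_url(dst) + "/SAMLAwareServlet"),
                      ("post_url", base_url(dst) + "/SAMLPOSTProfileServlet")):
        if partner_on_a[key] != want:
            problems.append(f"A: {key} should be {want}")
    if partner_on_b["soap_url"] != base_url(src) + "/SAMLSOAPReceiver":
        problems.append(f"B: SOAP URL should be {base_url(src)}/SAMLSOAPReceiver")
    if partner_on_b["issuer"] != f"{src['host']}:{src['port']}":
        problems.append("B: Issuer should be the source site's host:port")
    # The page's note: an https destination needs SSL as the Authentication Type.
    if dst["protocol"] == "https" and partner_on_b["auth_type"] != "SSL":
        problems.append("B: Authentication Type should be SSL for https")
    return problems


SERVLET_FOR_PROFILE = {"artifact": "SAMLAwareServlet", "post": "SAMLPOSTProfileServlet"}


def sso_init_url(src, profile, target_url):
    """URL that starts single sign-on from machine A (verification step 2)."""
    return f"{base_url(src)}/{SERVLET_FOR_PROFILE[profile]}?" + urlencode({"TARGET": target_url})


def target_on_partner(target_url, partner_on_a):
    """True when TARGET is a URL on the trusted partner's host, as the page requires."""
    host = urlsplit(target_url).hostname
    return host is not None and host == host_of(partner_on_a["target"])


if __name__ == "__main__":
    for line in check_pairing(SOURCE_SITE, DEST_SITE, PARTNER_ON_A, PARTNER_ON_B) or ["pairing OK"]:
        print(line)
    login = "http://exampleB.com:58080/opensso/UI/Login"
    print(sso_init_url(SOURCE_SITE, "artifact", login), target_on_partner(login, PARTNER_ON_A))
```

Run it after filling in the two Site IDs copied from the consoles; a swapped pair of Site IDs, the most common mistake in this setup, shows up as two Source ID problems, and a Target typed with its protocol is reported before the servlet URLs are compared.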