Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

Chapter 11 Configuring OpenSSO Enterprise for SAML v2

This deployment consists of a service provider and an identity provider that communicate, for purposes of federation, using SAML v2. To that end, we configure the instance of OpenSSO Enterprise acting as the identity provider and the instance acting as the service provider as hosted providers. Additionally, we configure each hosted instance with the information it needs to communicate with the remote provider, that is, with each other. In this chapter, we configure the instances of OpenSSO Enterprise as SAML v2 providers.

11.1 Configuring OpenSSO Enterprise as the Hosted Identity Provider

This section provides the procedures for configuring OpenSSO Enterprise on the identity provider side as a hosted identity provider using the Common Tasks wizard. Use the following list of procedures as a checklist for completing the task.

  1. To Configure the Hosted Identity Provider

  2. To View the Hosted Identity Provider Metadata in XML Format

Procedure: To Configure the Hosted Identity Provider

Configure the instance of OpenSSO Enterprise deployed in Part II, Building the Identity Provider Environment and situated behind Load Balancer 2, as a hosted identity provider. This procedure creates the idpcot circle of trust.

  1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click Create Hosted Identity Provider under Create SAML v2 Providers.

    The Create a SAML v2 Identity Provider on this Server page is displayed.

  4. Make the following changes on the Create a SAML v2 Identity Provider on this Server page.

    • Select the No radio button for Do you have metadata for this provider?

    • Under metadata properties, type https://lb2.idp-example.com:1081/opensso as the value for Name.

    • Under metadata properties, select test as the value for Signing Key.

    • Under Circle of Trust properties, type idpcot as the value for the New Circle of Trust.

    • Accept the default values for any remaining properties.

  5. Click Configure.

  6. Select Finish to end the task.

    This instance of OpenSSO Enterprise is now configured as a SAML v2 identity provider.

  7. Click the Federation tab to verify the hosted identity provider configurations.

    • Confirm that idpcot was created under the Circle of Trust table with one entity: https://lb2.idp-example.com:1081/opensso|saml2.

    • Confirm that https://lb2.idp-example.com:1081/opensso|saml2 was created under the Entity Providers table.

Procedure: To View the Hosted Identity Provider Metadata in XML Format

This optional procedure displays, in a browser window, the standard and extended metadata for the hosted identity provider in XML format. The XML can be viewed as displayed or copied into a text file and saved.

Before You Begin

This procedure assumes that you have just completed To Configure the Hosted Identity Provider and are still logged in to the OpenSSO Enterprise console.

  1. Access https://lb2.idp-example.com:1081/opensso/ssoadm.jsp from the web browser.

    ssoadm.jsp is a Java Server Page (JSP) version of the ssoadm command line interface. In this procedure it is used to display the hosted identity provider metadata.

  2. Click export-entity.

    The export-entity page is displayed.

  3. Enter the following values for each option and click Submit.

    entityid

    The EntityID is the unique uniform resource identifier (URI) used to identify a particular provider. In this deployment, type https://lb2.idp-example.com:1081/opensso.

    realm

    The OpenSSO Enterprise realm in which the data resides. In this deployment all data resides in the top-level realm, so type /.

    sign

    Leave this unchecked.

    meta-data-file

    Set this flag to export the standard metadata for the provider.

    extended-data-file

    Set this flag to export the extended metadata for the provider.

    spec

    Type saml2.

  4. View the XML-formatted metadata in the browser window.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="https://lb2.idp-example.com:1081/opensso"
     xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <IDPSSODescriptor WantAuthnRequestsSigned="false"
       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </KeyDescriptor>
        <ArtifactResolutionService index="0" isDefault="true"
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb2.idp-example.com:1081/opensso/ArtifactResolver/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb2.idp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"
         ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb2.idp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"
         ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb2.idp-example.com:1081/opensso/IDPSloSoap/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb2.idp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"
         ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb2.idp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"
         ResponseLocation="https://lb2.idp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb2.idp-example.com:1081/opensso/IDPMniSoap/metaAlias/idp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb2.idp-example.com:1081/opensso/SSORedirect/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb2.idp-example.com:1081/opensso/SSOPOST/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb2.idp-example.com:1081/opensso/SSOSoap/metaAlias/idp"/>
        <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb2.idp-example.com:1081/opensso/NIMSoap/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb2.idp-example.com:1081/opensso/AIDReqSoap/IDPRole/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
         Location="https://lb2.idp-example.com:1081/opensso/AIDReqUri/IDPRole/metaAlias/idp"/>
      </IDPSSODescriptor>
    </EntityDescriptor>
    
    Entity descriptor was exported to file, web.
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityConfig entityID="https://lb2.idp-example.com:1081/opensso" hosted="true"
     xmlns="urn:sun:fm:SAML:2.0:entityconfig">
      <IDPSSOConfig metaAlias="/idp">
        <Attribute name="wantNameIDEncrypted">
          <Value/>
        </Attribute>
        <Attribute name="AuthUrl">
          <Value/>
        </Attribute>
        <Attribute name="nameIDFormatMap">
          <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
          <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
          <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
          <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
          <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
        </Attribute>
        <Attribute name="cotlist">
          <Value>idpcot</Value>
        </Attribute>
        <Attribute name="saeIDPUrl">
          <Value>https://lb2.idp-example.com:1081/opensso/idpsaehandler/metaAlias/idp</Value>
        </Attribute>
        <Attribute name="idpAuthncontextClassrefMapping">
          <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
        </Attribute>
        <Attribute name="appLogoutUrl">
          <Value/>
        </Attribute>
        <Attribute name="idpAccountMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
        </Attribute>
        <Attribute name="autofedEnabled">
          <Value>false</Value>
        </Attribute>
        <Attribute name="signingCertAlias">
          <Value>test</Value>
        </Attribute>
        <Attribute name="assertionCacheEnabled">
          <Value>false</Value>
        </Attribute>
        <Attribute name="idpAuthncontextMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
        </Attribute>
        <Attribute name="assertionEffectiveTime">
          <Value>600</Value>
        </Attribute>
        <Attribute name="wantMNIResponseSigned">
          <Value/>
        </Attribute>
        <Attribute name="wantMNIRequestSigned">
          <Value/>
        </Attribute>
        <Attribute name="attributeMap">
          <Value>EmailAddress=mail</Value>
          <Value>Telephone=telephonenumber</Value>
        </Attribute>
        <Attribute name="discoveryBootstrappingEnabled">
          <Value>false</Value>
        </Attribute>
        <Attribute name="basicAuthUser">
          <Value/>
        </Attribute>
        <Attribute name="idpAttributeMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
        </Attribute>
        <Attribute name="idpECPSessionMapper">
          <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
        </Attribute>
        <Attribute name="basicAuthPassword">
          <Value/>
        </Attribute>
        <Attribute name="basicAuthOn">
          <Value>false</Value>
        </Attribute>
        <Attribute name="wantLogoutResponseSigned">
          <Value/>
        </Attribute>
        <Attribute name="wantLogoutRequestSigned">
          <Value/>
        </Attribute>
        <Attribute name="encryptionCertAlias">
          <Value/>
        </Attribute>
        <Attribute name="wantArtifactResolveSigned">
          <Value/>
        </Attribute>
        <Attribute name="assertionNotBeforeTimeSkew">
          <Value>600</Value>
        </Attribute>
        <Attribute name="autofedAttribute">
          <Value/>
        </Attribute>
        <Attribute name="saeAppSecretList"/>
      </IDPSSOConfig>
    </EntityConfig>
    
    Entity configuration was exported to file, web.

  5. Log out of the OpenSSO Enterprise console.

11.2 Configuring OpenSSO Enterprise as the Hosted Service Provider

This section provides the procedures for configuring OpenSSO Enterprise on the service provider side as a hosted service provider using the Common Tasks wizard. Use the following list of procedures as a checklist for completing the task.

  1. To Configure the Hosted Service Provider

  2. To View the Hosted Service Provider Metadata in XML Format

Procedure: To Configure the Hosted Service Provider

Configure the instance of OpenSSO Enterprise deployed in Part III, Building the Service Provider Environment, situated behind Load Balancer 2 on the service provider side, as a hosted service provider. This procedure creates the spcot circle of trust.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click Create Hosted Service Provider under Create SAML v2 Providers.

    The Create a SAML v2 Service Provider on this Server page is displayed.

  4. Make the following changes on the Create a SAML v2 Service Provider on this Server page.

    • Select the No radio button for Do you have metadata for this provider?

    • Under metadata properties, type https://lb4.sp-example.com:1081/opensso as the value for Name.

    • Under metadata properties, select test as the value for Signing Key.

    • Under Circle of Trust properties, select the Add to New radio button and type spcot as the value for the New Circle of Trust.

    • Accept the default values for any remaining properties.

  5. Click Configure.

    A pop-up screen is displayed that reads:

    Service provider is configured.
    You can modify the provider's profile under the Federation tab.

    Do you want to create a remote identity provider?

  6. Click No on the pop-up screen.

    The OpenSSO Enterprise console is displayed and this instance is now configured as a SAML v2 service provider.

Procedure: To View the Hosted Service Provider Metadata in XML Format

This optional procedure displays, in a browser window, the standard and extended metadata for the hosted service provider in XML format. The XML can be viewed as displayed or copied into a text file and saved.

Before You Begin

This procedure assumes that you have just completed To Configure the Hosted Service Provider and are still logged in to the OpenSSO Enterprise console.

  1. Access https://lb4.sp-example.com:1081/opensso/ssoadm.jsp from the web browser.

    ssoadm.jsp is a Java Server Page (JSP) version of the ssoadm command line interface. In this procedure it is used to display the hosted service provider metadata.

  2. Click export-entity.

    The export-entity page is displayed.

  3. Enter the following values for each option and click Submit.

    entityid

    The EntityID is the unique uniform resource identifier (URI) used to identify a particular provider. In this deployment, type https://lb4.sp-example.com:1081/opensso.

    realm

    The OpenSSO Enterprise realm in which the data resides. In this deployment all data resides in the top-level realm, so type /.

    sign

    Leave this box unchecked.

    meta-data-file

    Set this flag to export the standard metadata for the provider.

    extended-data-file

    Set this flag to export the extended metadata for the provider.

    spec

    Type saml2.

  4. View the XML-formatted metadata in the browser window.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="https://lb4.sp-example.com:1081/opensso"
     xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb4.sp-example.com:1081/opensso/SPSloRedirect/metaAlias/sp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPSloRedirect/metaAlias/sp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb4.sp-example.com:1081/opensso/SPSloPOST/metaAlias/sp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPSloPOST/metaAlias/sp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/SPSloSoap/metaAlias/sp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb4.sp-example.com:1081/opensso/SPMniRedirect/metaAlias/sp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPMniRedirect/metaAlias/sp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb4.sp-example.com:1081/opensso/SPMniPOST/metaAlias/sp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPMniPOST/metaAlias/sp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/SPMniSoap/metaAlias/sp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/SPMniSoap/metaAlias/sp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="0" isDefault="true"
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
         Location="https://lb4.sp-example.com:1081/opensso/Consumer/metaAlias/sp"/>
        <AssertionConsumerService index="1"
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb4.sp-example.com:1081/opensso/Consumer/metaAlias/sp"/>
        <AssertionConsumerService index="2"
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
         Location="https://lb4.sp-example.com:1081/opensso/Consumer/ECP/metaAlias/sp"/>
      </SPSSODescriptor>
      <IDPSSODescriptor WantAuthnRequestsSigned="false"
       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </KeyDescriptor>
        <ArtifactResolutionService index="0" isDefault="true"
         Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/ArtifactResolver/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb4.sp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPSloRedirect/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb4.sp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPSloPOST/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/IDPSloSoap/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb4.sp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPMniRedirect/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb4.sp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"
         ResponseLocation="https://lb4.sp-example.com:1081/opensso/IDPMniPOST/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/IDPMniSoap/metaAlias/idp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         Location="https://lb4.sp-example.com:1081/opensso/SSORedirect/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Location="https://lb4.sp-example.com:1081/opensso/SSOPOST/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/SSOSoap/metaAlias/idp"/>
        <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/NIMSoap/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
         Location="https://lb4.sp-example.com:1081/opensso/AIDReqSoap/IDPRole/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
         Location="https://lb4.sp-example.com:1081/opensso/AIDReqUri/IDPRole/metaAlias/idp"/>
      </IDPSSODescriptor>
    </EntityDescriptor>
    
    Entity descriptor was exported to file, web.
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityConfig entityID="https://lb4.sp-example.com:1081/opensso" hosted="true" 
     xmlns="urn:sun:fm:SAML:2.0:entityconfig">
        <SPSSOConfig metaAlias="/sp">
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="idpProxyList"/>
            <Attribute name="spAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
            </Attribute>
            <Attribute name="enableIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPListGetComplete">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>spcot</Value>
            </Attribute>
            <Attribute name="transientUser">
                <Value>anonymous</Value>
            </Attribute>
            <Attribute name="spAuthncontextComparisonType">
                <Value>exact</Value>
            </Attribute>
            <Attribute name="wantAssertionEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="spAdapter">
                <Value/>
            </Attribute>
            <Attribute name="spAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
            <Attribute name="saml2AuthModuleName">
                <Value/>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>true</Value>
            </Attribute>
            <Attribute name="localAuthURL">
                <Value/>
            </Attribute>
            <Attribute name="spAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="attributeMap">
                <Value>EmailAddress=EmailAddress</Value>
                <Value>Telephone=Telephone</Value>
            </Attribute>
            <Attribute name="saeSPUrl">
                <Value>https://lb4.sp-example.com:1081/opensso/spsaehandler/metaAlias/sp</Value>
            </Attribute>
            <Attribute name="responseArtifactMessageEncoding">
                <Value>URI</Value>
            </Attribute>
            <Attribute name="idpProxyCount">
                <Value>0</Value>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="useIntroductionForIDPProxy">
                <Value>false</Value>
            </Attribute>
            <Attribute name="wantArtifactResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="intermediateUrl">
                <Value/>
            </Attribute>
            <Attribute name="defaultRelayState">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="wantPOSTResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantAttributeEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="spAdapterEnv"/>
            <Attribute name="saeSPLogoutUrl">
                <Value>https://lb4.sp-example.com:1081/opensso/samples/saml2/sae/saeSPApp.jsp</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPListFinderImpl">
                <Value>com.sun.identity.saml2.plugins.ECPIDPFinder</Value>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="encryptionCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="spAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="assertionTimeSkew">
                <Value>300</Value>
            </Attribute>
            <Attribute name="ECPRequestIDPList"/>
            <Attribute name="autofedAttribute">
                <Value>mail</Value>
            </Attribute>
            <Attribute name="saeAppSecretList">
                <Value>url=https://lb4.sp-example.com:1081/opensso/samples/saml2/sae/saeSPApp.jsp|type=symmetric|secret=AQICIbz4afzilWzbmo6QD9lQ9U4kEBrMlvZy</Value>
            </Attribute>
        </SPSSOConfig>
        <IDPSSOConfig metaAlias="/idp">
            <Attribute name="description">
                <Value/>
            </Attribute>
            <Attribute name="signingCertAlias">
                <Value>test</Value>
            </Attribute>
            <Attribute name="encryptionCertAlias">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthOn">
                <Value>false</Value>
            </Attribute>
            <Attribute name="basicAuthUser">
                <Value/>
            </Attribute>
            <Attribute name="basicAuthPassword">
                <Value/>
            </Attribute>
            <Attribute name="autofedEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="autofedAttribute">
                <Value/>
            </Attribute>
            <Attribute name="assertionEffectiveTime">
                <Value>600</Value>
            </Attribute>
            <Attribute name="idpAuthncontextMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
            </Attribute>
            <Attribute name="idpAuthncontextClassrefMapping">
                <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default</Value>
            </Attribute>
            <Attribute name="idpAccountMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
            </Attribute>
            <Attribute name="idpAttributeMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
            </Attribute>
            <Attribute name="assertionIDRequestMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultAssertionIDRequestMapper</Value>
            </Attribute>
            <Attribute name="nameIDFormatMap">
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName=</Value>
                <Value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos=</Value>
                <Value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=</Value>
            </Attribute>
            <Attribute name="idpECPSessionMapper">
                <Value>com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper</Value>
            </Attribute>
            <Attribute name="attributeMap"/>
            <Attribute name="wantNameIDEncrypted">
                <Value/>
            </Attribute>
            <Attribute name="wantArtifactResolveSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantLogoutResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIRequestSigned">
                <Value/>
            </Attribute>
            <Attribute name="wantMNIResponseSigned">
                <Value/>
            </Attribute>
            <Attribute name="cotlist">
                <Value>spcot</Value>
            </Attribute>
            <Attribute name="discoveryBootstrappingEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="assertionCacheEnabled">
                <Value>false</Value>
            </Attribute>
            <Attribute name="assertionNotBeforeTimeSkew">
                <Value>600</Value>
            </Attribute>
            <Attribute name="saeAppSecretList"/>
            <Attribute name="saeIDPUrl">
                <Value>https://lb4.sp-example.com:1081/opensso/idpsaehandler/metaAlias/idp</Value>
            </Attribute>
            <Attribute name="AuthUrl">
                <Value/>
            </Attribute>
            <Attribute name="appLogoutUrl">
                <Value/>
            </Attribute>
        </IDPSSOConfig>
    </EntityConfig>
    
    Entity configuration was exported to file, web.

  5. Log out of the OpenSSO Enterprise console.
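The following Python script is an added example, not part of the Sun documentation and not OpenSSO Enterprise code. It reads exports of the kind shown in step 4 of both 11.1 and 11.2 and reports what a reviewer checks before exchanging metadata with a partner: the signing flags on each role (the wizard leaves WantAuthnRequestsSigned, AuthnRequestsSigned and WantAssertionsSigned at false), whether each role carries a signing certificate (the hosted service provider above has no KeyDescriptor and an empty signingCertAlias), whether every endpoint is https, the SHA-256 fingerprint of each embedded certificate for out-of-band comparison, and which want*Signed and want*Encrypted attributes in the extended configuration are left empty. The sample documents inside the script are constructed, trimmed versions of the exports; the certificate is a placeholder DER blob and one SSO endpoint is deliberately plain http so that the check fires.

```python
"""Audit OpenSSO-style SAML v2 metadata exports (standard and extended).
Added example, not from the Sun documentation or OpenSSO Enterprise; the sample
documents are constructed, trimmed versions of the 11.1 and 11.2 exports, with a
placeholder DER blob as certificate and one SSO endpoint deliberately plain http."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
CFG = "{urn:sun:fm:SAML:2.0:entityconfig}"
# Role-level flags the Common Tasks wizard leaves at "false".
ROLE_SIGNING_FLAGS = ("WantAuthnRequestsSigned", "AuthnRequestsSigned", "WantAssertionsSigned")
# Extended-config attributes that, when empty or "false", leave a message class unprotected.
CFG_PROTECTION_ATTRS = ("wantLogoutRequestSigned", "wantLogoutResponseSigned",
    "wantMNIRequestSigned", "wantMNIResponseSigned", "wantArtifactResolveSigned",
    "wantArtifactResponseSigned", "wantPOSTResponseSigned", "wantAssertionEncrypted",
    "wantNameIDEncrypted")


def audit_standard(xml_text):
    """Return (entityID, [(service, binding, location)], [findings]) for an EntityDescriptor."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML v2 EntityDescriptor")
    endpoints, findings = [], []
    for role in root:
        if not role.tag.endswith("SSODescriptor"):
            continue  # Organization, ContactPerson, Extensions carry no endpoints
        name = role.tag[len(MD):]
        for flag in ROLE_SIGNING_FLAGS:
            if role.get(flag) == "false":
                findings.append(f"{name}: {flag} is false")
        if not role.findall(f"{MD}KeyDescriptor/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate"):
            findings.append(f"{name}: no X509Certificate, so this role cannot sign or be verified")
        for svc in role:
            if svc.get("Location") is None:
                continue  # KeyDescriptor, NameIDFormat and similar are not endpoints
            svc_name = svc.tag[len(MD):]
            endpoints.append((svc_name, svc.get("Binding", ""), svc.get("Location")))
            for attr in ("Location", "ResponseLocation"):
                url = svc.get(attr)
                if url is not None and not url.startswith("https://"):
                    findings.append(f"{name}: {svc_name} {attr} is not https: {url}")
    return root.get("entityID", ""), endpoints, findings


def cert_fingerprints(xml_text):
    """SHA-256 of every embedded X509Certificate, for out-of-band comparison with the partner."""
    fingerprints = []
    for cert in ET.fromstring(xml_text.strip()).iter(DS + "X509Certificate"):
        der = base64.b64decode("".join((cert.text or "").split()))
        if der[:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("X509Certificate content is not a DER SEQUENCE")
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def audit_extended(xml_text):
    """List protections an OpenSSO EntityConfig export leaves unenforced, per role."""
    findings = []
    for cfg in ET.fromstring(xml_text.strip()):  # IDPSSOConfig / SPSSOConfig
        name = cfg.tag[len(CFG):]
        attrs = {a.get("name"): [(v.text or "").strip() for v in a.findall(CFG + "Value")]
                 for a in cfg.findall(CFG + "Attribute")}
        for key in CFG_PROTECTION_ATTRS:
            if key in attrs and all(v in ("", "false") for v in attrs[key]):
                findings.append(f"{name}: {key} is not enforced")
        if not any(attrs.get("signingCertAlias", [])):
            findings.append(f"{name}: signingCertAlias is empty, so this role cannot sign")
    return findings


# Constructed sample in the shape of the 11.1 export; "MAMCAQE=" is a placeholder DER blob.
SAMPLE_IDP_STANDARD = """
<EntityDescriptor entityID="https://lb2.idp-example.com:1081/opensso"
 xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate> MAMCAQE= </ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
     Location="https://lb2.idp-example.com:1081/opensso/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     Location="http://lb2.idp-example.com:1081/opensso/SSOPOST/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample in the shape of the 11.2 extended export; wantPOSTResponseSigned is set
# to true here (unlike the page) to show that an enforced setting produces no finding.
SAMPLE_SP_EXTENDED = """
<EntityConfig entityID="https://lb4.sp-example.com:1081/opensso" hosted="true"
 xmlns="urn:sun:fm:SAML:2.0:entityconfig">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="signingCertAlias"><Value/></Attribute>
    <Attribute name="wantLogoutRequestSigned"><Value/></Attribute>
    <Attribute name="wantAssertionEncrypted"><Value/></Attribute>
    <Attribute name="wantPOSTResponseSigned"><Value>true</Value></Attribute>
  </SPSSOConfig>
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="signingCertAlias"><Value>test</Value></Attribute>
    <Attribute name="wantLogoutRequestSigned"><Value/></Attribute>
  </IDPSSOConfig>
</EntityConfig>"""

if __name__ == "__main__":
    for line in audit_standard(SAMPLE_IDP_STANDARD)[2] + audit_extended(SAMPLE_SP_EXTENDED):
        print("FINDING", line)
```

Run the script as-is to see the findings for the constructed samples, or pass the text of a real export (the XML declaration included) to audit_standard, cert_fingerprints and audit_extended. The same checks apply to metadata fetched from exportmetadata.jsp before it is registered as a remote provider in 11.3; an empty want*Signed attribute is the wizard default, not a hardened setting, and the signing certificate's fingerprint is what to compare with the partner over a second channel.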

11.3 Configuring the Hosted Service Provider to Communicate with the Remote Identity Provider

After configuring the providers, enable the hosted service provider to communicate with the remote identity provider by loading the identity provider metadata into the instance of OpenSSO Enterprise acting as the service provider.

Procedure: To Import the Remote Identity Provider Metadata into the Hosted Service Provider

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click Register Remote Identity Provider under Create SAML v2 Providers.

    The Create a SAML v2 Remote Identity Provider page is displayed.

  4. Make the following changes on the Create a SAML v2 Remote Identity Provider page.

    • Select the URL radio button for Where does the metadata file reside?

    • Type https://lb2.idp-example.com:1081/opensso/saml2/jsp/exportmetadata.jsp as the value of URL where metadata is located.

    • Under Circle of Trust, select the Add to Existing radio button and select the spcot circle of trust from the drop-down menu.

  5. Click Configure.

  6. Select Finish to end the task.