To Configure Single Sign-on Without Data Store Writes (Sun Java System SAML v2 Plug-in for Federation Services User's Guide)

Sun Java System SAML v2 Plug-in for Federation Services User's Guide

To Configure Single Sign-on Without Data Store Writes

This interaction uses auto-federation with the transient name identifier. There is one-to-one mapping between user accounts configured with the identity provider and the service provider based on the value of one attribute. The following procedure describes how to configure single sign-on without writing to the user's data store entry.

Export the identity provider's current extended metadata configuration to a file.

saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

Edit the following attributes in the exported extended metadata configuration file.
- autofedEnabled takes a value of true.
- autofedAttribute defines the common attribute on the identity provider side. For example, mail.
- attributeMap defines the mapping between the identity provider's attribute and the remote provider's attribute. It takes a value of autofedAttribute-value=remote-provider-attribute. For example:
```
<Attribute name="attributeMap">
<Value>mail=mail</Value>
</Attribute>
```

Remove the identity provider's current extended metadata configuration.

saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

Import the identity provider's modified extended metadata configuration file.

saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

Restart the web container.

Export the service provider's current extended metadata configuration to a file.

saml2meta [-i staging-directory] export -u amadmin -w password -e SP-entityID -x SP-extended-XML-file-name

Edit the following attributes in the exported extended metadata configuration file.
- transientUser takes a null value.
- autofedEnabled takes a value of true.
- autofedAttribute defines the common attribute. For example, mail.
- attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:
```
<Attribute name="attributeMap">
<Value>mail=mail</Value>
</Attribute>
```

Remove the service provider's current extended metadata configuration.

saml2meta [-i staging-directory] delete -u amadmin -w password -e SP-entityID -c

Import the service provider's modified extended metadata configuration file.

saml2meta [-i staging-directory] import -u amadmin -w password -x SP-extended-XML-file-name

Restart the web container.

To test, invoke the single sign-on URL with the NameIDFormat=transient query parameter appended to it.

All identity provider users will be mapped to the corresponding user on the service provider side based on the mail attribute but the auto-federation attributes will not be written to the user entry.