Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Procedure: To Enable XML Signing and Encryption

  1. In AMConfig.properties, set com.sun.identity.jss.donotInstallAtHighestPriority to true.

    Note – AMConfig.properties is located in the /etc/opt/product-directory/config directory in Access Manager and in the /staging-directory/web-src/WEB-INF/classes directory in Federation Manager.

  2. Follow the instructions in the XMLSIG sample to set up a keystore and import the signing and encryption certificates into the keystore.

    In Access Manager, the sample is located in the /AccessManager-base/product-directory/samples/saml/xmlsig directory. In Federation Manager, the sample is located in the /FederationManager-base/SUNWam/fm/samples/saml/xmlsig directory.

    Note – The certificate alias assigned during this process is used in the following steps to identify the certificate.

  3. Regenerate the metadata files so that they include the signing and encryption key information.

    • For identity provider metadata, run the following command:

      saml2meta template [-i war-staging] -u admin -w admin-password -d idp-metaAlias -b idp-signing-key-alias -g idp-encryption-key-alias -e idp-entityID -m standard-XML-file-name -x extended-XML-file-name

      For example:

      saml2meta template -u amadmin -w 11111111 -d /idp -b test -g test -e idp.sun.com -m idpMeta.xml -x idpExt.xml

    • For service provider metadata, run the following command:

      saml2meta template [-i war-staging] -u admin -w admin-password -s sp-metaAlias -a sp-signing-key-alias -f sp-encryption-key-alias -e sp-entityID -m standard-XML-file-name -x extended-XML-file-name

      For example:

      saml2meta template -u amadmin -w 11111111 -s /idp -a test -f test -e sp.sun.com -m spMeta.xml -x spExt.xml

  4. Enable the appropriate XML signing and encryption features by modifying the generated metadata files.

    Note – XML signing is required for the Web Browser POST Profile.

    You can turn on XML signing and encryption features by changing the value of the following attributes to true:

    • Identity Provider Standard Metadata Configuration File Attribute

      • wantAuthnRequestsSigned

    • Service Provider Standard Metadata Configuration File Attributes

      • AuthnRequestsSigned

      • WantAssertionsSigned

    • Identity Provider Extended Metadata Configuration File Attributes

      • wantNameIDEncrypted

      • wantArtifactResolveSigned

      • WantLogoutRequestSigned

      • WantLogoutResponseSigned

      • WantMNIRequestSigned

      • WantMNIResponseSigned

    • Service Provider Extended Metadata Configuration File Attributes

      • wantAttributeEncrypted

      • wantAssertionEncrypted

      • wantNameIDEncrypted

      • wantArtifactResponseSigned

      • WantLogoutRequestSigned

      • WantLogoutResponseSigned

      • WantMNIRequestSigned

      • WantMNIResponseSigned

  5. Remove the hosted identity provider metadata by running the following command:

    saml2meta delete -u amadmin -w admin-password -e idp-entityID

  6. Import the new hosted identity provider metadata by running the following command:

    saml2meta import -u amadmin -w admin-password -m standard-XML-file-name -x extended-XML-file-name -t COT-name

  7. Remove the remote service provider metadata by running the following command:

    saml2meta delete -u amadmin -w admin-password -e sp-entityID

  8. Get the new remote service provider metadata.

    The instructions in this step assume a testing environment where you are in control of both the identity provider server and the service provider server.

    1. Copy spMeta.xml and spExtended.xml from the service provider machine.

    2. Change hosted="1" to hosted="0" in spExtended.xml.

  9. Import the new remote service provider metadata by running the following command:

    saml2meta import -u amadmin -w admin-password -m standard-XML-file-name -x extended-XML-file-name -t COT-name

  10. Remove the remote identity provider metadata by running the following command:

    saml2meta delete -u amadmin -w admin-password -e idp-entityID

  11. Get the new remote identity provider metadata.

    The instructions in this step assume a testing environment where you are in control of both the identity provider server and the service provider server.

    1. Copy idpMeta.xml and idpExtended.xml from the identity provider machine.

    2. Change hosted="1" to hosted="0" in idpExtended.xml.

  12. Import the new remote identity provider metadata by running the following command:

    saml2meta import -u amadmin -w admin-password -m standard-XML-file-name -x extended-XML-file-name -t COT-name

  13. Remove the hosted service provider metadata by running the following command:

    saml2meta delete -u amadmin -w admin-password -e sp-entityID

  14. Import the new hosted service provider metadata by running the following command:

    saml2meta import -u amadmin -w admin-password -m standard-XML-file-name -x extended-XML-file-name -t COT-name

  15. Restart your web container.
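Steps 4, 8 and 11 edit the generated metadata files by hand. The following Python script is an added example, not code from the SAML v2 Plug-in or its documentation: it audits and sets the Step 4 service provider flags in a standard/extended metadata pair and marks the extended copy as remote for the import in Step 9. The standard-metadata structure follows the SAML 2.0 metadata schema (EntityDescriptor/SPSSODescriptor with boolean attributes). The extended-metadata layout is an assumption (an EntityConfig root carrying the hosted attribute, with SPSSOConfig/Attribute/Value children in the namespace urn:sun:fm:SAML:2.0:entityconfig), and both sample files are constructed for the example. For identity provider files, pass IDPSSODescriptor and IDPSSOConfig with the identity provider lists from Step 4; in the SAML 2.0 metadata schema the descriptor attribute is spelled WantAuthnRequestsSigned, and a misspelled flag is simply absent, which the audit reports separately from a flag set to false.

```python
# Added example (not from the SAML v2 Plug-in guide): audit and set the
# signing/encryption flags from Step 4, and flip hosted="1" to hosted="0"
# for the remote copies in Steps 8 and 11. The extended-metadata layout
# (EntityConfig/SPSSOConfig/Attribute/Value, namespace EXT_NS) is assumed.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # SAML 2.0 standard metadata
EXT_NS = "urn:sun:fm:SAML:2.0:entityconfig"      # assumed extended-metadata namespace
ET.register_namespace("md", MD_NS)
ET.register_namespace("", EXT_NS)

# Flags named in Step 4 for a service provider.
SP_STANDARD_FLAGS = ["AuthnRequestsSigned", "WantAssertionsSigned"]
SP_EXTENDED_FLAGS = [
    "wantAttributeEncrypted", "wantAssertionEncrypted", "wantNameIDEncrypted",
    "wantArtifactResponseSigned", "WantLogoutRequestSigned",
    "WantLogoutResponseSigned", "WantMNIRequestSigned", "WantMNIResponseSigned",
]

# Constructed sample files standing in for the output of saml2meta template.
SAMPLE_SP_STANDARD = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="sp.sun.com">
  <SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.sun.com/saml2/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

SAMPLE_SP_EXTENDED = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="1" entityID="sp.sun.com">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="signingCertAlias"><Value>test</Value></Attribute>
    <Attribute name="wantAssertionEncrypted"><Value>false</Value></Attribute>
    <Attribute name="WantLogoutRequestSigned"><Value>false</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""


def _role(root, ns, tag):
    """Locate the role element (SPSSODescriptor, SPSSOConfig, ...) under the root."""
    el = root.find(f"{{{ns}}}{tag}")
    if el is None:
        raise ValueError(f"no <{tag}> element in metadata")
    return el


def audit_standard(xml_text, role_tag, flags):
    """Report each boolean attribute on the role descriptor. A flag that is
    not present at all is reported as 'absent': the schema default is false,
    so a missing or misspelled flag silently leaves signing off."""
    role = _role(ET.fromstring(xml_text), MD_NS, role_tag)
    return {f: role.get(f, "absent") for f in flags}


def enable_standard(xml_text, role_tag, flags):
    """Set every listed attribute on the role descriptor to "true"."""
    root = ET.fromstring(xml_text)
    role = _role(root, MD_NS, role_tag)
    for f in flags:
        role.set(f, "true")
    return ET.tostring(root, encoding="unicode")


def extended_values(xml_text, config_tag):
    """Map each Attribute name to its first Value text inside the role config."""
    cfg = _role(ET.fromstring(xml_text), EXT_NS, config_tag)
    out = {}
    for attr in cfg.findall(f"{{{EXT_NS}}}Attribute"):
        val = attr.find(f"{{{EXT_NS}}}Value")
        out[attr.get("name")] = val.text if val is not None else None
    return out


def enable_extended(xml_text, config_tag, flags):
    """Set each listed Attribute's Value to "true", creating the Attribute
    when the generated file lacks it. Returns (new_xml, names_added)."""
    root = ET.fromstring(xml_text)
    cfg = _role(root, EXT_NS, config_tag)
    present = {a.get("name"): a for a in cfg.findall(f"{{{EXT_NS}}}Attribute")}
    added = []
    for f in flags:
        attr = present.get(f)
        if attr is None:
            attr = ET.SubElement(cfg, f"{{{EXT_NS}}}Attribute", name=f)
            ET.SubElement(attr, f"{{{EXT_NS}}}Value")
            added.append(f)
        for val in attr.findall(f"{{{EXT_NS}}}Value"):
            val.text = "true"
    return ET.tostring(root, encoding="unicode"), added


def hosted_value(ext_xml_text):
    """Read the hosted attribute ("1" local, "0" remote) from the extended file."""
    return ET.fromstring(ext_xml_text).get("hosted")


def mark_remote(ext_xml_text):
    """Steps 8 and 11: the copy imported on the other side must say hosted="0"."""
    root = ET.fromstring(ext_xml_text)
    root.set("hosted", "0")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_standard(SAMPLE_SP_STANDARD, "SPSSODescriptor", SP_STANDARD_FLAGS))
    std = enable_standard(SAMPLE_SP_STANDARD, "SPSSODescriptor", SP_STANDARD_FLAGS)
    print("after: ", audit_standard(std, "SPSSODescriptor", SP_STANDARD_FLAGS))
    ext, added = enable_extended(SAMPLE_SP_EXTENDED, "SPSSOConfig", SP_EXTENDED_FLAGS)
    print("added to extended metadata:", added)
    print("remote copy hosted =", hosted_value(mark_remote(ext)))
```

Run audit_standard and extended_values on the files you are about to import in Steps 6, 9, 12 and 14, not only on the files you edited: an 'absent' entry means the flag never made it into the file (or is spelled differently from the schema), and the provider will fall back to the unsigned or unencrypted default without any error at import time.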