Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Access Manager Postinstallation

The following sections describe procedures to perform after installing Access Manager.

Adding the sunFMSAML2NameIdentifier Object Class

If you are installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager that uses an LDAPv3-compliant directory as its user data store, you must add the sunFMSAML2NameIdentifier object class to all existing users. This object class contains two attributes:


Note –

The values in these attributes are defined in the SAML v2 specifications. For example, hosted-entity-role takes a value of IDPRole or SPRole, depending on how the provider is configured, and is-affiliation takes a value of true or false to indicate whether the federation is affiliation-based. For explanations of the other attributes, see the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 specification.


To add sunFMSAML2NameIdentifier to the default amadmin entry, you would run ldapmodify (available in the bin directory) using the following LDIF as input:

dn: uid=amadmin,ou=people,dc=sun,dc=com
changetype: modify
add: objectclass
objectclass: sunFMSAML2NameIdentifier

This task is not required for installations of Access Manager 7.1. It is also not required for installations of Federation Manager that use an LDAPv3-compliant directory as a user data store because the object class is automatically added if not found.


Caution –

Be sure to set your class path correctly before using ldapmodify.
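
The guide shows the LDIF for a single entry, but the task is to add the object class to every existing user. The following script is an added example, not part of the Sun guide: it takes the LDIF that ldapsearch prints for the user container, emits a modify record only for entries that do not yet have sunFMSAML2NameIdentifier (adding an objectClass value that is already present makes ldapmodify fail with LDAP error 20, attributeOrValueExists), and shows the ldapmodify call that applies it. The host, port, bind DN, search filter and ldapmodify option names are assumptions to adapt to your directory; the sample input is constructed, not real directory data.

```shell
#!/bin/sh
# Added example (not part of the Sun guide): generate the LDIF that adds the
# sunFMSAML2NameIdentifier object class to every user entry that does not
# already carry it, then run it through ldapmodify.
#
# Input is the LDIF that ldapsearch prints for the user container, e.g.
#   ldapsearch -h ds.example.com -p 389 -D "cn=Directory Manager" -w - \
#       -b "ou=people,dc=sun,dc=com" "(objectClass=inetOrgPerson)" objectClass
# Host, port, bind DN and search filter above are placeholders (assumption).

# unfold_ldif: join LDIF continuation lines (a leading space) back onto the
# line they belong to, so that folded objectClass values are matched correctly.
unfold_ldif() {
    awk '
        /^ /     { buf = buf substr($0, 2); next }
        NR > 1   { print buf }
                 { buf = $0 }
        END      { print buf }
    '
}

# gen_nameid_ldif: read ldapsearch LDIF on stdin, write one "changetype: modify"
# record on stdout for each entry that lacks sunFMSAML2NameIdentifier.
# Entries that already have the class are skipped, because adding an existing
# objectClass value makes ldapmodify fail with LDAP error 20 (attributeOrValueExists).
# Entries whose DN is base64-encoded ("dn::") are not recognised and are skipped.
gen_nameid_ldif() {
    unfold_ldif | awk '
        function flush() {
            if (dn != "" && !has) {
                print "dn: " dn
                print "changetype: modify"
                print "add: objectClass"
                print "objectClass: sunFMSAML2NameIdentifier"
                print ""
            }
            dn = ""; has = 0
        }
        /^dn: /  { flush(); dn = substr($0, 5); next }
        tolower($0) == "objectclass: sunfmsaml2nameidentifier" { has = 1; next }
        /^$/     { flush(); next }
        END      { flush() }
    '
}

# apply_nameid_ldif: push a generated LDIF file to the directory.
# -c continues past entries that fail instead of aborting the whole batch.
# The option names follow the Sun/OpenLDAP ldapmodify conventions (assumption:
# check the usage of the ldapmodify in your bin directory). Prompting with
# "-w -" keeps the bind password out of the process list and shell history.
apply_nameid_ldif() {
    ldapmodify -h "$DS_HOST" -p "$DS_PORT" -D "$BIND_DN" -w - -c -f "$1"
}

# Constructed sample of ldapsearch output (not real directory data): amadmin and
# bob lack the class, alice already has it (value folded over two lines, as
# ldapsearch does for long lines).
SAMPLE_LDIF='dn: uid=amadmin,ou=people,dc=sun,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson

dn: uid=alice,ou=people,dc=sun,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: sunFMSAML2Name
 Identifier

dn: uid=bob,ou=people,dc=sun,dc=com
objectClass: top
objectClass: inetOrgPerson'

# Stand-alone run: show what would be sent to ldapmodify for the sample.
printf '%s\n' "$SAMPLE_LDIF" | gen_nameid_ldif
```

Run the generated LDIF with ldapmodify -c so that one rejected entry does not abort the batch, and review the output for any entry that was rejected for a reason other than error 20. Because the script only reads the objectClass attribute and writes a file, it can be run first against a read-only bind to preview exactly which entries will be changed.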


Enabling the SAML v2 Authentication Module

If you are installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager, you might have to enable the SAML v2 authentication module using the Access Manager console. The following sections explain how to do this in both legacy mode and realm mode.


Note –

This is only necessary for instances of Access Manager acting as service providers.


Procedure: To Enable the SAML v2 Authentication Module in Legacy Mode

  1. Log in to Access Manager as the top-level administrator, by default, amadmin.

  2. Select the Identity Management tab.

  3. Select Services from the View drop down box.

  4. Click Add Service.

  5. Select SAML2 and click OK.

  6. Log out of the Access Manager console.

Procedure: To Enable the SAML v2 Authentication Module in Legacy Mode Using amadmin

You can also enable the SAML v2 authentication module using the amadmin command line tool.

  1. Save the following XML code to a file.


    <!-- Replace root_suffix with the root suffix of your directory, for example dc=sun,dc=com -->
    <Requests>
    <OrganizationRequests DN="root_suffix">
       <RegisterServices>
           <Service_Name>sunAMAuthSAML2Service</Service_Name>
       </RegisterServices>
    </OrganizationRequests>
    </Requests>
  2. Load the XML file using the amadmin command line tool to register the SAML v2 authentication module.

    For information on the amadmin command line tool, see Chapter 1, The amadmin Command Line Tool, in Sun Java System Access Manager 7.1 Administration Reference.
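
As an added example that is not part of the Sun guide, the script below writes the RegisterServices request above for a given root suffix and loads it with amadmin. It XML-escapes the suffix before placing it in the DN attribute, keeps the request file private, and reads the amadmin password from a file instead of passing it on the command line, where it would be visible in ps output and shell history. The amadmin option names (--runasdn, --passwordfile, --data) follow AM 7.x usage but are an assumption; confirm them against amadmin --help. ADMIN_DN, ROOT_SUFFIX and PW_FILE are placeholders the operator sets.

```shell
#!/bin/sh
# Added example (not part of the Sun guide): build the amadmin request file that
# registers sunAMAuthSAML2Service for a given root suffix, then run it with
# amadmin reading the password from a file.

# xml_escape: escape the XML special characters so a root suffix containing
# '&', '<', '>', '"' or a single quote cannot break the DN attribute value.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# register_saml2_request: print the RegisterServices request for root suffix $1.
register_saml2_request() {
    root="$(xml_escape "$1")"
    printf '%s\n' \
        '<Requests>' \
        "    <OrganizationRequests DN=\"$root\">" \
        '        <RegisterServices>' \
        '            <Service_Name>sunAMAuthSAML2Service</Service_Name>' \
        '        </RegisterServices>' \
        '    </OrganizationRequests>' \
        '</Requests>'
}

# register_saml2_module: write the request to a private temp file and load it.
# The amadmin password is read from PW_FILE (create it with mode 0600) rather
# than passed with --password, so it does not show up in ps output or history.
# Option names follow AM 7.x amadmin usage (assumption: check amadmin --help);
# ADMIN_DN, ROOT_SUFFIX and PW_FILE are placeholders the operator sets.
register_saml2_module() {
    umask 077
    reqfile="$(mktemp /tmp/saml2req.XXXXXX)"
    register_saml2_request "$ROOT_SUFFIX" > "$reqfile"
    amadmin --runasdn "$ADMIN_DN" --passwordfile "$PW_FILE" --data "$reqfile"
    rc=$?
    rm -f "$reqfile"
    return $rc
}

# Stand-alone run: show the request that would be loaded for the guide's suffix.
register_saml2_request "${ROOT_SUFFIX:-dc=sun,dc=com}"
```

Running register_saml2_module as the Access Manager runtime user keeps the request file and password file readable only by that account; the request file is removed once amadmin returns, and its exit status is passed back so the step can be checked in a larger install script.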

Procedure: To Enable the SAML v2 Authentication Module in Realm Mode

The SAML v2 authentication module is enabled automatically when Access Manager is installed in Realm mode, so the following procedure is for informational purposes only.

  1. Log in to Access Manager as the top-level administrator, by default, amadmin.

  2. Select the Access Control tab.

  3. Select the appropriate realm.

  4. Click the Authentication tab.

  5. Click New under Module Instances.

  6. Enter SAML2 as a name.

  7. Select the SAML2 radio button.

  8. Click Create.

  9. Click Save.

  10. Log out of the Access Manager console.