Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Adding the sunFMSAML2NameIdentifier Object Class

If installing the SAML v2 Plug-in for Federation Services on an instance of Access Manager that uses an LDAPv3-compliant directory for a user data store, you must add the sunFMSAML2NameIdentifier object class to all existing users. This object class contains two attributes:

Note –

The values in these attributes are defined in the SAML v2 specifications. For example, hosted-entity-role takes a value of IDPRole or SPRole (based on the configuration of the provider) and is-affiliation specifies whether the federation is affiliation-based (taking a value of true or false). For explanations on the other attributes, see the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 specification.

To add sunFMSAML2NameIdentifier to the default amadmin entry, you would run ldapmodify (available in the bin directory) using the following LDIF as input:

DN: uid=amadmin,ou=people,dc=sun,dc=com
changetype: modify
add: objectclass
objectclass: sunFMSAML2NameIdentifier

This task is not required for installations of Access Manager 7.1. It is also not required for installations of Federation Manager that use an LDAPv3-compliant directory as a user data store because the object class is automatically added if not found.

Caution – Caution –

Be sure to set your class path correctly before using ldapmodify.