Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Procedure: To Enable an Identity Provider for SAML v2 Bootstrapping of Liberty ID-WSF

Before You Begin

See The saml2meta Command-line Reference for more information on the command line interface used in this procedure.

  1. Choose one of the following options to get metadata for the appropriate identity provider.

    Which option you choose depends on how far you have already got in configuring the identity provider.

    • If the metadata for the identity provider you are configuring has not yet been imported, or the existing identity provider metadata does not yet carry signing and encryption certificate aliases, generate standard and extended metadata templates for the identity provider with the saml2meta command line interface. In the command below, certificate_alias is the alias of the signing certificate and enc_certificate_alias the alias of the encryption certificate in the identity provider's keystore.


      saml2meta template -u amadmin -w amadmin_pw -d /idp \
        -b certificate_alias -g enc_certificate_alias -e http://host_machine \
        -m standard_meta_filename -x extended_meta_filename
      
    • If the identity provider metadata has already been imported and its signing and encryption certificate aliases are already configured, export the existing extended entity configuration metadata of the identity provider with the saml2meta command line interface. Only the extended metadata is needed, because that is the file edited in the next step.


      saml2meta export -u amadmin -w amadmin_pw -d /idp \
        -e http://host_machine -x extended_meta_filename
      
  2. Edit the identity provider's extended entity configuration file and set the value of the discoveryBootstrappingEnabled attribute to true.

    The extended entity configuration file is the extended_meta_filename file created in the previous step. The attribute belongs inside the <IDPSSOConfig> element. If it is already present, change its <Value> to true rather than adding a second copy; if it is absent, add the following lines immediately above the closing tag </IDPSSOConfig>.


    <Attribute name="discoveryBootstrappingEnabled">
    <Value>true</Value>
    </Attribute>
  3. (Optional) Delete the current metadata for the identity provider using the saml2meta command line interface.

    Which option you choose in this step depends on the option chosen in the first step of this procedure.

    • If you choose the first option in this procedure's first step, delete the current standard and extended metadata using the saml2meta command line interface.


      saml2meta delete -u amadmin -w amadmin_pw -e http://host_machine
      
    • If you chose the second option in this procedure's first step, delete only the current extended metadata using the saml2meta command line interface. The -c option restricts the deletion to the extended entity configuration and leaves the standard metadata in place.


      saml2meta delete -u amadmin -w amadmin_pw -e http://host_machine -c
  4. Import the new identity provider metadata.

    Which option you choose in this step depends on the option chosen in the first step of this procedure. circle_of_trust is the name of the circle of trust into which you are importing these files.

    • If you choose the first option in this procedure's first step, import the standard metadata and the modified extended metadata files using the saml2meta command line interface.


      saml2meta import -u amadmin -w amadmin_pw \
        -m standard_meta_filename -x extended_meta_filename -t circle_of_trust
      
    • If you choose the second option in this procedure's first step, import the modified extended metadata using the saml2meta command line interface.


      saml2meta import -u amadmin -w amadmin_pw \
        -x extended_meta_filename -t circle_of_trust
      
  5. Add the following line to the end of the AMConfig.properties file to enable Liberty ID-WSF to work with SAML v2 on the identity provider. If the property is already present with a different value, change that value rather than appending a second copy of the key.

    com.sun.identity.liberty.ws.util.providerManagerClass=com.sun.identity.saml2.plugins.SAML2ProviderManager

  6. Restart the web container.
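The two hand edits in this procedure, setting discoveryBootstrappingEnabled in the extended metadata (step 2) and setting providerManagerClass in AMConfig.properties (step 5), are the places where a typo or a duplicate entry goes unnoticed until the next import or restart fails. The POSIX shell helpers below are an added example, not part of the Sun documentation, that make both edits idempotent and verifiable: an existing attribute or property is rewritten in place, a missing one is inserted, and a check function confirms the result before you run saml2meta import or restart the container. The sample extended metadata, the file names and the AMConfig.properties content are constructed for the example; saml2meta itself is not invoked.

```shell
#!/bin/sh
# Added example (not Sun's code): idempotent helpers for steps 2 and 5 above.
# All sample data here is constructed for illustration.
set -eu

# make_sample_idp_ext FILE [EXISTING_VALUE]
# Writes a constructed, trimmed extended entity configuration for a hosted
# identity provider. With a second argument, the discoveryBootstrappingEnabled
# attribute is already present with that value (to exercise the rewrite path).
make_sample_idp_ext() {
    f="$1"; existing="${2:-}"
    {
        cat <<'EOF'
<EntityConfig entityID="http://host_machine" hosted="1"
    xmlns="urn:sun:fm:SAML:2.0:entityconfig">
    <IDPSSOConfig metaAlias="/idp">
        <Attribute name="signingCertAlias">
            <Value>idp-signing</Value>
        </Attribute>
        <Attribute name="encryptionCertAlias">
            <Value>idp-enc</Value>
        </Attribute>
EOF
        if [ -n "$existing" ]; then
            printf '        <Attribute name="discoveryBootstrappingEnabled">\n            <Value>%s</Value>\n        </Attribute>\n' "$existing"
        fi
        cat <<'EOF'
    </IDPSSOConfig>
</EntityConfig>
EOF
    } > "$f"
}

# enable_bootstrap FILE  (step 2)
# Sets discoveryBootstrappingEnabled to true inside <IDPSSOConfig>. An existing
# attribute has its <Value> rewritten; otherwise the block is inserted directly
# above </IDPSSOConfig>. Running it twice leaves exactly one attribute.
enable_bootstrap() {
    f="$1"; tmp="$f.tmp.$$"
    awk '
        /<IDPSSOConfig[ >]/ { in_idp = 1 }
        in_idp && /<Attribute name="discoveryBootstrappingEnabled">/ { in_attr = 1; done = 1 }
        in_attr && /<Value>/ { sub(/<Value>[^<]*<\/Value>/, "<Value>true</Value>") }
        in_attr && /<\/Attribute>/ { in_attr = 0 }
        in_idp && /<\/IDPSSOConfig>/ {
            if (!done) {
                print "        <Attribute name=\"discoveryBootstrappingEnabled\">"
                print "            <Value>true</Value>"
                print "        </Attribute>"
                done = 1
            }
            in_idp = 0
        }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# bootstrap_enabled FILE -> exit 0 only if the attribute is inside
# <IDPSSOConfig> with the value true; use it before saml2meta import.
bootstrap_enabled() {
    awk '
        /<IDPSSOConfig[ >]/ { in_idp = 1 }
        in_idp && /<Attribute name="discoveryBootstrappingEnabled">/ { in_attr = 1 }
        in_attr && /<Value>true<\/Value>/ { found = 1 }
        /<\/Attribute>/ { in_attr = 0 }
        /<\/IDPSSOConfig>/ { in_idp = 0 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# set_provider_manager FILE  (step 5)
# Ensures AMConfig.properties carries exactly one providerManagerClass line
# pointing at SAML2ProviderManager: an existing key is rewritten in place,
# otherwise the line is appended (awk's print always ends it with a newline).
set_provider_manager() {
    f="$1"; tmp="$f.tmp.$$"
    awk -v key="com.sun.identity.liberty.ws.util.providerManagerClass" \
        -v val="com.sun.identity.saml2.plugins.SAML2ProviderManager" '
        index($0, key "=") == 1 { print key "=" val; seen = 1; next }
        { print }
        END { if (!seen) print key "=" val }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# provider_manager_is CLASS FILE -> exit 0 if the property line is exactly CLASS.
provider_manager_is() {
    grep -qxF "com.sun.identity.liberty.ws.util.providerManagerClass=$1" "$2"
}

# Demonstration on constructed files in a scratch directory.
work=$(mktemp -d)
make_sample_idp_ext "$work/idp-extended.xml"
enable_bootstrap "$work/idp-extended.xml"
bootstrap_enabled "$work/idp-extended.xml" && echo "idp-extended.xml: discoveryBootstrappingEnabled=true"
printf 'com.iplanet.am.naming.url=http://host_machine/amserver/namingservice\n' > "$work/AMConfig.properties"
set_provider_manager "$work/AMConfig.properties"
provider_manager_is com.sun.identity.saml2.plugins.SAML2ProviderManager "$work/AMConfig.properties" && echo "AMConfig.properties: providerManagerClass set"
rm -rf "$work"
```

In practice the sequence is: export (or generate) the extended metadata, run enable_bootstrap on it, confirm with bootstrap_enabled, then run the saml2meta delete and import commands from steps 3 and 4; run set_provider_manager against the real AMConfig.properties before the restart in step 6. The helpers do not validate the rest of the XML, so a malformed file is still caught only by saml2meta import.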