Use the following as your checklist for configuring SAMLv2 metadata for the Access Manager servers:
When you create metadata for the Identity Provider, you add the Identity Provider entity to a circle of trust. A circle of trust groups Service Providers and Identity Providers that are permitted to federate with one another; other remote provider entities can be added to it later. Whenever a SAMLv2 protocol exchange is initiated, the SAMLv2 plug-in determines which circle of trust the requesting entity belongs to and which other providers it may interact with. Only entities within the same circle of trust can take part in SAMLv2 protocol exchanges with one another.
As a root user, log into the Access Manager 1 host.
Run the saml2meta cotcreate command. Note that the -w option passes the amadmin password on the command line, where it is visible in the process list and recorded in the shell history; remove it from the history afterwards.
# /opt/SUNWam/saml2/bin/saml2meta cotcreate -u amadmin -w 4m4dmin1 -r /users -t saml2_circle_of_trust
Circle of trust "saml2_circle_of_trust" is created successfully.
Federation Manager provides two metadata templates you can customize to meet your needs. For examples of customized metadata templates, see 7.2.1 Sample Metadata Template Files at the end of this chapter.
As a root user, log into the Access Manager 1 host.
Go to the following directory:
/opt/SUNWam/saml2/bin
Generate the SAMLv2 template files.
# ./saml2meta template -u amadmin -w 4m4dmin1 -e loadbalancer-3.example.com -d /users/idp -b LoadBalancer-3 -g LoadBalancer-3-enc -m /etc/opt/SUNWam/config/saml2-idp-template.xml -x /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
Hosted entity descriptor for realm "/" was written to the file "/etc/opt/SUNWam/config/saml2-idp-template.xml" successfully.
Hosted entity config for realm "/" was written to the file "/etc/opt/SUNWam/config/saml2-idp-extended-template.xml" successfully.
The saml2-idp-extended-template.xml file is similar to the standard saml2-idp-template.xml file. However, the extended file contains configuration for the SAMLv2 plug-in that is specific to Federation Manager (key aliases, signing requirements, mappers and the circle of trust) rather than the standard SAMLv2 metadata that is exchanged with remote providers.
Customize the saml2-idp-template.xml file.
When the file is first generated, it contains default values that you must change by hand to match the actual deployment environment. In this deployment example a load balancer with SSL termination sits in front of the Access Manager servers, so the metadata must advertise the load balancer's HTTPS service URL; otherwise remote providers would be told to contact the individual Access Manager host directly over plain HTTP.
# vi /etc/opt/SUNWam/config/saml2-idp-template.xml
In each Location URL and each ResponseLocation URL, change the protocol from http to https. Change only these endpoint URLs: the xmlns namespace URIs in the file (for example http://www.w3.org/2000/09/xmldsig# on the KeyInfo element) are identifiers, not addresses, and must stay exactly as generated or the key material will no longer be recognized.
Search for each occurrence of location and response location to be sure you have changed each URL.
Globally change all occurrences of AccessManager-1 to LoadBalancer-3.
Globally change all occurrences of 1080 to 9443.
Save the file.
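The edits in the steps above, performed on the parsed XML rather than with a global search-and-replace, together with the check that no endpoint URL was missed. This is an added example written for this page, not code from the Sun deployment guide or from the saml2meta tool; the template inside it is a constructed, trimmed stand-in for the generated file (with a placeholder instead of a certificate), and the function names are this example's own.

```python
"""Rewrite the endpoint URLs in a generated saml2-idp-template.xml for an
SSL-terminating load balancer, and check that nothing was missed.

Added example for this deployment guide; not part of Access Manager or the
saml2meta tool. The template below is a constructed, trimmed sample of what
'saml2meta template' generates; hostnames and ports are those of this chapter.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Keep a default prefix for SAML metadata and "ds" for XML-DSig when
# serializing, so the rewritten file stays readable.
ET.register_namespace("", MD_NS)
ET.register_namespace("ds", DS_NS)

ENDPOINT_ATTRS = ("Location", "ResponseLocation")

# Constructed sample: the generated defaults point at one server over HTTP.
GENERATED_TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="loadbalancer-3.example.com">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-NOT-A-REAL-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://AccessManager-1.example.com:1080/amserver/IDPMniRedirect/metaAlias/idp"
        ResponseLocation="http://AccessManager-1.example.com:1080/amserver/IDPMniRedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://AccessManager-1.example.com:1080/amserver/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def rewrite_endpoints(xml_text, old_host, old_port, new_host, new_port):
    """Point every Location/ResponseLocation that targets old_host:old_port at
    https://new_host:new_port instead. Namespace URIs and everything else are
    left untouched. Returns (rewritten XML, number of URLs changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for elem in root.iter():
        for attr in ENDPOINT_ATTRS:
            url = elem.get(attr)
            if url is None:
                continue
            parts = urlsplit(url)
            if parts.hostname != old_host.lower() or parts.port != old_port:
                continue
            elem.set(attr, urlunsplit(("https", f"{new_host}:{new_port}",
                                       parts.path, parts.query, parts.fragment)))
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def endpoint_problems(xml_text, expected_prefix):
    """Return findings: endpoints not behind the load balancer, and a KeyInfo
    that is no longer in the xmldsig namespace (what a careless global
    http->https substitution produces, which makes the key unusable)."""
    root = ET.fromstring(xml_text)
    problems = []
    for elem in root.iter():
        for attr in ENDPOINT_ATTRS:
            url = elem.get(attr)
            if url is not None and not url.startswith(expected_prefix):
                problems.append(f"{elem.tag.rsplit('}', 1)[-1]} {attr}={url}")
    if root.find(f".//{{{DS_NS}}}KeyInfo") is None and "xmldsig" in xml_text:
        problems.append("KeyInfo is no longer in the xmldsig namespace")
    return problems


if __name__ == "__main__":
    fixed, n = rewrite_endpoints(GENERATED_TEMPLATE, "AccessManager-1.example.com", 1080,
                                 "LoadBalancer-3.example.com", 9443)
    print(f"rewrote {n} endpoint URLs")
    print("problems:", endpoint_problems(fixed, "https://LoadBalancer-3.example.com:9443/amserver/"))
```

Run endpoint_problems against the real template before importing it; a non-empty list means an endpoint still points at the individual host, or the xmldsig namespace was changed along with the URLs.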
Customize the saml2-idp-extended-template.xml file.
# vi /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
Set the following attribute values. The want*Signed attributes make the plug-in require an XML signature on the corresponding incoming message and reject unsigned ones; the cotlist attribute places this entity in the circle of trust created earlier, so its value must match the name given to cotcreate exactly.
<Attribute name="wantArtifactResolveSigned">
  <Value>true</Value>
</Attribute>
<Attribute name="wantLogoutRequestSigned">
  <Value>true</Value>
</Attribute>
<Attribute name="wantLogoutResponseSigned">
  <Value>true</Value>
</Attribute>
<Attribute name="wantMNIRequestSigned">
  <Value>true</Value>
</Attribute>
<Attribute name="wantMNIResponseSigned">
  <Value>true</Value>
</Attribute>
<Attribute name="cotlist">
  <Value>saml2_circle_of_trust</Value>
</Attribute>
Set the hosted attribute on the EntityConfig element:
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1"
A value of 1 indicates that this entity configuration describes a provider hosted locally on this Access Manager deployment. A value of 0 indicates that the configuration describes a remote provider.
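A pre-import check for the extended file edited in the steps above, covering the hosted flag, the realm of the metaAlias, the want*Signed flags and the cotlist entry. This is an added example written for this page, not code from the Sun deployment guide or from saml2meta; the configuration text inside it is a constructed, trimmed sample in the layout the tool generates, and the function names are this example's own.

```python
"""Validate the hosted IDP extended metadata (saml2-idp-extended-template.xml)
before importing it: hosted="1", metaAlias under the intended realm, every
want*Signed flag set to true, and the entity listed in the circle of trust.

Added example for this deployment guide; not part of Access Manager or the
saml2meta tool. The configuration below is a constructed, trimmed sample in
the layout the tool generates, using the names from this chapter.
"""
import xml.etree.ElementTree as ET

EC_NS = "urn:sun:fm:SAML:2.0:entityconfig"
SIGNING_FLAGS = (
    "wantArtifactResolveSigned",
    "wantLogoutRequestSigned",
    "wantLogoutResponseSigned",
    "wantMNIRequestSigned",
    "wantMNIResponseSigned",
)

# Constructed sample of the file after the edits described in this section.
HOSTED_IDP_CONFIG = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1" entityID="loadbalancer-3.example.com">
  <IDPSSOConfig metaAlias="/users/idp">
    <Attribute name="signingCertAlias"><Value>LoadBalancer-3</Value></Attribute>
    <Attribute name="wantArtifactResolveSigned"><Value>true</Value></Attribute>
    <Attribute name="wantLogoutRequestSigned"><Value>true</Value></Attribute>
    <Attribute name="wantLogoutResponseSigned"><Value>true</Value></Attribute>
    <Attribute name="wantMNIRequestSigned"><Value>true</Value></Attribute>
    <Attribute name="wantMNIResponseSigned"><Value>true</Value></Attribute>
    <Attribute name="cotlist"><Value>saml2_circle_of_trust</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>
"""

# The same file with three easy-to-miss editing mistakes: a flag name the
# plug-in does not know (so the real flag stays unset), a trailing space inside
# a name attribute, and a cotlist entry that was never added.
BROKEN_CONFIG = (
    HOSTED_IDP_CONFIG
    .replace('name="wantArtifactResolveSigned"', 'name="wantArtifactResponseSigned"')
    .replace('name="wantLogoutResponseSigned"', 'name="wantLogoutResponseSigned "')
    .replace('<Attribute name="cotlist"><Value>saml2_circle_of_trust</Value></Attribute>', "")
)


def attribute_values(config):
    """Map each Attribute name to its list of Value strings. Names are taken
    literally, because that is how the plug-in matches them."""
    values = {}
    for attr in config.findall(f"{{{EC_NS}}}Attribute"):
        values[attr.get("name", "")] = [v.text or "" for v in attr.findall(f"{{{EC_NS}}}Value")]
    return values


def check_idp_extended_config(xml_text, realm, cot_name):
    """Return a list of problems; an empty list means the file is ready to import."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("hosted") != "1":
        problems.append('hosted must be "1" for a locally hosted provider')
    idp = root.find(f"{{{EC_NS}}}IDPSSOConfig")
    if idp is None:
        return problems + ["no IDPSSOConfig element"]
    meta_alias = idp.get("metaAlias", "")
    if not meta_alias.startswith(realm.rstrip("/") + "/"):
        problems.append(f"metaAlias {meta_alias!r} is not under realm {realm!r}")
    values = attribute_values(idp)
    for name in values:
        if name != name.strip():
            problems.append(f"attribute name {name!r} has surrounding whitespace")
    for flag in SIGNING_FLAGS:
        if values.get(flag) != ["true"]:
            problems.append(f"{flag} is {values.get(flag)}, expected ['true']")
    if cot_name not in values.get("cotlist", []):
        problems.append(f"cotlist does not contain {cot_name!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("edited", HOSTED_IDP_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_idp_extended_config(text, "/users", "saml2_circle_of_trust"))
```

The realm passed to the check is the one given to saml2meta with -r; a metaAlias outside it would import into a different realm than the circle of trust was created in.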
Load the metadata.
When you load the SAMLv2 metadata into Directory Server, the Identity Provider entity configuration is created. The entity configuration enables the SAMLv2 plug-in to recognize the SAMLv2 protocol endpoints (the Location URLs in the standard metadata). The standard metadata is also what you exchange with remote parties so that they can address and verify this Identity Provider.
As a root user, log into the Access Manager 1 host.
Go to the directory that contains the saml2meta command:
/opt/SUNWam/saml2/bin
Run the saml2meta import command:
# ./saml2meta import -u amadmin -w 4m4dmin1 -r /users -m /etc/opt/SUNWam/config/saml2-idp-template.xml -x /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
File "/etc/opt/SUNWam/config/saml2-idp-template.xml" was imported successfully.
File "/etc/opt/SUNWam/config/saml2-idp-extended-template.xml" was imported successfully.
The following listings show the two files after customization. In the original they are printed with the changed values in bold; the changes are the https scheme, the LoadBalancer-3 host and port 9443 in every endpoint URL, the want*Signed flags set to true, and the cotlist entry. Parts of both listings (the certificate data, some endpoint attributes and a few Value elements) did not survive on this page, so treat them as orientation, not as complete files to copy.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="loadbalancer-3.example.com">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
MIICZDCCAg6gAwIBAgICBr8wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNzAzMDcyMTUwMDVaFw0xMDEyMDEyMTUwMDVaMDsxFDASBgNVBAoTC2V4
YW1wbGUuY29tMSMwIQYDVQQDExpMb2FkQmFsYW5jZXItMy5leGFtcGxlLmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAlOhN9HddLMpE3kCjkPSOFpCkDxTNuhMhcgBkYmSEF/iJcQsLX/ga
pO+W1SIpwqfsjzR5ZvEdtc/8hGumRHqcX3r6XrU0dESM6MW5AbNNJsBnwIV6xZ5QozB4wL4zREhw
zwwYejDVQ/x+8NRESI3ym17tDLEuAKyQBueubgjfic0CAwEAAaNgMF4wEQYJYIZIAYb4QgEBBAQD
AgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSMEGDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNV
HREEETAPgQ1tYWxsYUBzdW4uY29tMA0GCSqGSIb3DQEBBAUAA0EAGhJhep7X2hqWJWQoXFcdU7eQ
          </X509Certificate>
          <!-- the end of the signing certificate is truncated on the page -->
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <!-- the beginning and middle of the encryption certificate are truncated on the page -->
          <X509Certificate>
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNzAzMDcyMjAxMTVaFw0xMDEyMDEyMjAxMTVaMDsxFDASBgNVBAoTC2V4
YW1wbGUuY29tMSMwIQYDVQQDExpMb2FkQmFsYW5jZXItMy5leGFtcGxlLmNvbTCBnzANBgkqhkiG
HREEETAPgQ1tYWxsYUBzdW4uY29tMA0GCSqGSIb3DQEBBAUAA0EAEgbmnOz2Rvpj9bludb9lEeVa
OA46zRiyt4BPlbgIaFyG6P7GWSddMi/14EimQjjDbr4ZfvlEdPJmimHExZY3KQ==
          </X509Certificate>
        </X509Data>
      </KeyInfo>
      <!-- an EncryptionMethod element follows here in the generated file; its content is truncated on the page -->
    </KeyDescriptor>
    <!-- the Binding and Location attributes of ArtifactResolutionService and of both
         SingleLogoutService elements, and the Location of the HTTP-Redirect
         ManageNameIDService, are truncated on the page -->
    <ArtifactResolutionService index="0" isDefault="1"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        ResponseLocation="https://LoadBalancer-3.example.com:9443/amserver/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://LoadBalancer-3.example.com:9443/amserver/IDPMniSoap/metaAlias/idp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://LoadBalancer-3.example.com:9443/amserver/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://LoadBalancer-3.example.com:9443/amserver/SSOSoap/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1"
    entityID="loadbalancer-3.example.com">
  <IDPSSOConfig metaAlias="/users/idp">
    <Attribute name="signingCertAlias">
      <Value>LoadBalancer-3</Value>
    </Attribute>
    <!-- the start tag of the Attribute that carries the encryption key alias is truncated on the page -->
    <Attribute>
      <Value>LoadBalancer-3-enc</Value>
    </Attribute>
    <Attribute name="basicAuthUser">
    </Attribute>
    <Attribute name="basicAuthPassword">
      <Value></Value>
    </Attribute>
    <!-- the start tag of the Attribute whose Value is false is truncated on the page -->
    <Attribute>
      <Value>false</Value>
    </Attribute>
    <Attribute name="autofedAttribute">
      <Value></Value>
    </Attribute>
    <Attribute name="assertionEffectiveTime">
      <Value>600</Value>
    </Attribute>
    <!-- the Value elements of the four mapper attributes are truncated on the page -->
    <Attribute name="idpAuthncontextMapper">
    </Attribute>
    <Attribute name="idpAuthncontextClassrefMapping">
    </Attribute>
    <Attribute name="idpAccountMapper">
    </Attribute>
    <Attribute name="idpAttributeMapper">
    </Attribute>
    <Attribute name="attributeMap">
      <Value>EmailAddress=mail</Value>
      <Value>Telephone=telephonenumber</Value>
    </Attribute>
    <Attribute name="wantNameIDEncrypted">
      <Value></Value>
    </Attribute>
    <Attribute name="wantArtifactResolveSigned">
      <Value>true</Value>
    </Attribute>
    <Attribute name="wantLogoutRequestSigned">
      <Value>true</Value>
    </Attribute>
    <Attribute name="wantLogoutResponseSigned">
      <Value>true</Value>
    </Attribute>
    <Attribute name="wantMNIRequestSigned">
      <Value>true</Value>
    </Attribute>
    <Attribute name="wantMNIResponseSigned">
      <Value>true</Value>
    </Attribute>
    <Attribute name="cotlist">
      <Value>saml2_circle_of_trust</Value>
    </Attribute>
  </IDPSSOConfig>
</EntityConfig>