Deployment Example 2: Federation Using SAML v2

Chapter 10 Configuring SAMLv2 Metadata for the Access Manager Servers

Use the following as your checklist for configuring SAMLv2 metadata for the Access Manager servers, which act as the Identity Provider in this deployment:

  1. Create a circle of trust.

  2. Configure the SAMLv2 Identity Provider metadata.

  3. Load the SAMLv2 metadata.

10.1 Creating a Circle of Trust

When you create metadata for the Identity Provider, the Identity Provider entity is added to a circle of trust. A circle of trust is used to group Service Providers and Identity Providers in a secure, trusted environment. Other remote provider entities can be added to the circle of trust. Whenever the SAMLv2 protocol is initiated, the SAMLv2 plug-in determines which circle of trust the requesting entity belongs to, and what other providers are available to interact with it. All entities within the same circle of trust can participate in the SAMLv2 protocols.

Procedure: To Create a Circle of Trust

  1. As a root user, log into the Access Manager 1 host.

  2. Run the cotcreate command:


    # /opt/SUNWam/saml2/bin/saml2meta cotcreate -u amadmin 
    -w 4m4dmin1 -r /users -t saml2_circle_of_trust 
    Circle of trust "saml2_circle_of_trust" is created successfully.

    The -w option passes the amadmin password on the command line, so it is visible in process listings and is recorded in the root shell history; 4m4dmin1 is the example password used in this chapter.

10.2 Configuring the SAMLv2 Identity Provider Metadata

The SAMLv2 plug-in provides two metadata templates that you customize to match your deployment: a standard template (SAMLv2 metadata) and an extended template (plug-in configuration). For the customized files used in this deployment, see 10.4 Sample Identity Provider Metadata Template Files at the end of this chapter.

Procedure: To Generate and Customize the Identity Provider Template Files

  1. As a root user, log into the Access Manager 1 host.

  2. Go to the following directory:


    /opt/SUNWam/saml2/bin
  3. Generate the SAMLv2 template files.


    # ./saml2meta template -u amadmin -w 4m4dmin1 -e loadbalancer-3.example.com 
    -d /users/idp -b LoadBalancer-3 -g LoadBalancer-3-enc 
    -m /etc/opt/SUNWam/config/saml2-idp-template.xml  
    -x /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
    Hosted entity descriptor for realm "/" was written to the file
    "/etc/opt/SUNWam/config/saml2-idp-template.xml" successfully.
    Hosted entity config for realm "/" was written to the file
    "/etc/opt/SUNWam/config/saml2-idp-extended-template.xml" successfully.

    The saml2-idp-extended-template.xml file is similar to the standard saml2-idp-template.xml file. However, the extended file is local configuration rather than standard SAMLv2 metadata: it contains data about the SAMLv2 plug-in that is specific to Federation Manager, such as certificate aliases and the signing requirements set in step 5.

  4. Customize the saml2-idp-template.xml file.

    When the file is first generated, default values are placed in it automatically. You must change these values by hand to match the actual deployment environment. In this deployment example, a load balancer with SSL termination sits in front of the Access Manager servers, so every endpoint URL that a Service Provider will redirect or post to must use the HTTPS protocol and the load balancer service URL. A URL left pointing at an individual server over plain HTTP would carry SAMLv2 messages around the load balancer and in the clear.


    # vi /etc/opt/SUNWam/config/saml2-idp-template.xml
    1. In each Location URL and each ResponseLocation URL, change the protocol http to https.

      Search for each occurrence of Location and ResponseLocation to be sure you have changed every URL. Do not change the xmlns namespace URIs (for example http://www.w3.org/2000/09/xmldsig#): they are identifiers, not endpoints, and altering them breaks the metadata.

    2. Globally change all occurrences of AccessManager-1 to LoadBalancer-3.

    3. Globally change all occurrences of 1080 to 9443.

    Save the file.

  5. Customize the saml2-idp-extended-template.xml file.


    # vi /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
    1. Modify the following attribute values to require XML signatures on the messages the Identity Provider receives from Service Providers, and set cotlist to the circle of trust created in 10.1. With these values set to true, the Identity Provider rejects unsigned ArtifactResolve, LogoutRequest, LogoutResponse, ManageNameIDRequest and ManageNameIDResponse messages, so an unauthenticated party cannot trigger a logout or a name identifier change on a user's behalf.


      <Attribute name="wantArtifactResolveSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="wantLogoutRequestSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="wantLogoutResponseSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="wantMNIRequestSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="wantMNIResponseSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="cotlist">
          <Value>saml2_circle_of_trust</Value>
      </Attribute>
    2. Set the following parameter value:


      <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
          xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
          hosted="1"
          entityID="loadbalancer-3.example.com">

      The hosted="1" value indicates that this is the locally hosted configuration. A 0 value indicates that the configuration describes a provider hosted elsewhere.

  6. Load the metadata.

    See 10.3 Loading the SAMLv2 Metadata.
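As an added example, not taken from the Sun documentation and not part of saml2meta, the following POSIX shell script performs the step-4 edits and the step-5 checks against constructed stand-ins for the two generated files, then verifies both before import. The host names, port and circle-of-trust name are those of this deployment example; the sample files the script writes are constructed for the demonstration, and their certificate placeholder and endpoint paths are illustrative. One point it enforces that the steps above leave implicit: the http-to-https change applies only to Location and ResponseLocation attributes, never to the xmlns namespace URIs.

```shell
#!/bin/sh
# Added example, not from the Sun guide or saml2meta: scripts the step-4 edits
# to a generated saml2-idp-template.xml, checks the step-5 settings in
# saml2-idp-extended-template.xml, and verifies both before import. Assumed
# from this deployment: internal URLs use http://AccessManager-1.example.com:1080/,
# the load balancer is https://LoadBalancer-3.example.com:9443/, and the circle
# of trust is saml2_circle_of_trust. The sample files written here are constructed.

OLD_HOST="AccessManager-1"; OLD_PORT="1080"; NEW_HOST="LoadBalancer-3"; NEW_PORT="9443"
DOMAIN="example.com"; COT="saml2_circle_of_trust"
EXTERNAL_BASE="https://${NEW_HOST}.${DOMAIN}:${NEW_PORT}/"
SIGNED_ATTRS="wantArtifactResolveSigned wantLogoutRequestSigned wantLogoutResponseSigned wantMNIRequestSigned wantMNIResponseSigned"

# Step 4 as one targeted substitution: only the scheme/host/port inside
# Location="..." and ResponseLocation="..." changes. A blind http -> https
# replace would also corrupt xmlns="http://www.w3.org/2000/09/xmldsig#".
customize_idp_template() {
    sed "s#Location=\"http://${OLD_HOST}\.${DOMAIN}:${OLD_PORT}/#Location=\"https://${NEW_HOST}.${DOMAIN}:${NEW_PORT}/#g" \
        "$1" > "$2"
}

# Print every Location and ResponseLocation URL, one per line.
list_endpoints() {
    grep -o 'Location="[^"]*"' "$1" | sed 's/^Location="\(.*\)"$/\1/'
}

# Succeed only if every endpoint is behind the TLS load balancer, the
# XML Signature namespace URI survived, and the internal host/port are gone.
check_idp_template() {
    f="$1"; rc=0
    for url in $(list_endpoints "$f"); do
        case "$url" in "${EXTERNAL_BASE}"*) ;;
            *) echo "FAIL: endpoint not behind the TLS load balancer: $url" >&2; rc=1 ;;
        esac
    done
    grep -q 'xmlns="http://www.w3.org/2000/09/xmldsig#"' "$f" \
        || { echo "FAIL: xmldsig namespace URI was rewritten" >&2; rc=1; }
    { grep -q "${OLD_HOST}\." "$f" || grep -q ":${OLD_PORT}/" "$f"; } \
        && { echo "FAIL: internal host or port still referenced" >&2; rc=1; }
    return $rc
}

# Text of the <Value> element on the line after <Attribute name="$2"> in file $1.
attr_value() {
    awk -v a="$2" '$0 ~ ("name=\"" a "\"") {
        getline; sub(/^[ \t]*<Value>/, ""); sub(/<\/Value>.*$/, ""); print; exit }' "$1"
}

# Step 5: the IdP must demand signatures on SP-originated artifact-resolve,
# logout and manage-NameID messages (otherwise forged ones would be acted on)
# and must be listed in the circle of trust.
check_idp_extended() {
    f="$1"; rc=0
    for a in $SIGNED_ATTRS; do
        [ "$(attr_value "$f" "$a")" = "true" ] \
            || { echo "FAIL: $a is not true; unsigned messages would be accepted" >&2; rc=1; }
    done
    [ "$(attr_value "$f" cotlist)" = "$COT" ] \
        || { echo "FAIL: cotlist does not name $COT" >&2; rc=1; }
    return $rc
}

# Constructed stand-in for what saml2meta template generates (internal http URLs).
write_sample_generated() {
    cat > "$1" <<EOF
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="loadbalancer-3.example.com">
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIB...</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="http://${OLD_HOST}.${DOMAIN}:${OLD_PORT}/amserver/IDPMniRedirect/metaAlias/idp"
            ResponseLocation="http://${OLD_HOST}.${DOMAIN}:${OLD_PORT}/amserver/IDPMniRedirect/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="http://${OLD_HOST}.${DOMAIN}:${OLD_PORT}/amserver/SSORedirect/metaAlias/idp"/>
    </IDPSSODescriptor>
</EntityDescriptor>
EOF
}

# Constructed extended file; $2 is the want*Signed value, $3 the cotlist value.
write_sample_extended() {
    {
        echo '<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="1" entityID="loadbalancer-3.example.com">'
        echo '    <IDPSSOConfig metaAlias="/users/idp">'
        for a in $SIGNED_ATTRS cotlist; do
            [ "$a" = cotlist ] && v="$3" || v="$2"
            printf '        <Attribute name="%s">\n            <Value>%s</Value>\n        </Attribute>\n' "$a" "$v"
        done
        echo '    </IDPSSOConfig>'; echo '</EntityConfig>'
    } > "$1"
}

# Stand-alone run: build the constructed files, apply step 4, verify both.
d=$(mktemp -d)
write_sample_generated "$d/generated.xml"
customize_idp_template "$d/generated.xml" "$d/saml2-idp-template.xml"
write_sample_extended "$d/saml2-idp-extended-template.xml" true "$COT"
check_idp_template "$d/saml2-idp-template.xml" && check_idp_extended "$d/saml2-idp-extended-template.xml" \
    && echo "OK: metadata ready for saml2meta import" && list_endpoints "$d/saml2-idp-template.xml"
rm -rf "$d"
```

To use it on a real host, drop the two writer functions and point customize_idp_template and the two check functions at the files under /etc/opt/SUNWam/config; the checks are the part worth keeping as a gate before running saml2meta import.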

10.3 Loading the SAMLv2 Metadata

When you load the SAMLv2 metadata into Directory Server, the Identity Provider entity configuration is created. The entity configuration enables the SAMLv2 plug-in to recognize all SAMLv2 protocol URLs. The standard SAMLv2 metadata is also the document you exchange with remote parties, so it must describe only the externally reachable (load balancer) endpoints.

Procedure: To Load the Customized Identity Provider Configuration Files

  1. As a root user, log into the Access Manager 1 host.

  2. Go to the following directory:


    /opt/SUNWam/saml2/bin
  3. Run the saml2meta import command:


    # ./saml2meta import -u amadmin -w 4m4dmin1 -r /users 
    -m /etc/opt/SUNWam/config/saml2-idp-template.xml 
    -x /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
    File "/etc/opt/SUNWam/config/saml2-idp-template.xml" 
    was imported successfully. 
    File "/etc/opt/SUNWam/config/saml2-idp-extended-template.xml" 
    was imported successfully.

10.4 Sample Identity Provider Metadata Template Files

In the following examples, the values changed from the generated defaults are the https protocol, the LoadBalancer-3 host name and port 9443 in every endpoint URL of the standard file, and the want*Signed values and cotlist in the extended file. Certificate contents and some endpoint values are elided (...) in these listings. Note that WantAuthnRequestsSigned="false" is left at its generated value, so this Identity Provider accepts unsigned authentication requests from the Service Provider.


Example 10–1 Modified saml2-idp-template.xml File


<EntityDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="loadbalancer-3.example.com">
    <IDPSSODescriptor
        WantAuthnRequestsSigned="false"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>...</X509Certificate>
                </X509Data>
            </KeyInfo>
            <EncryptionMethod Algorithm="...">
                ...
            </EncryptionMethod>
        </KeyDescriptor>
        <ArtifactResolutionService
            Binding="..."
            Location="..."
            index="0"
            isDefault="1"/>
        <SingleLogoutService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="..."/>
        <SingleLogoutService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
            Location="..."/>
        <ManageNameIDService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="..."
            ResponseLocation="https://LoadBalancer-3.example.com:9443/amserver/IDPMniRedirect/metaAlias/idp"/>
        <ManageNameIDService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
            Location="https://LoadBalancer-3.example.com:9443/amserver/IDPMniSoap/metaAlias/idp"/>
        <NameIDFormat>
            urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        </NameIDFormat>
        <NameIDFormat>
            urn:oasis:names:tc:SAML:2.0:nameid-format:transient
        </NameIDFormat>
        <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://LoadBalancer-3.example.com:9443/amserver/SSORedirect/metaAlias/idp"/>
        <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
            Location="https://LoadBalancer-3.example.com:9443/amserver/SSOSoap/metaAlias/idp"/>
    </IDPSSODescriptor>
</EntityDescriptor>


Example 10–2 Modified saml2-idp-extended-template.xml File


<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1"
    entityID="loadbalancer-3.example.com">

    <IDPSSOConfig metaAlias="/users/idp">
        <Attribute name="signingCertAlias">
            <Value>LoadBalancer-3</Value>
        </Attribute>
        <Attribute name="encryptionCertAlias">
            <Value>LoadBalancer-3-enc</Value>
        </Attribute>
        <Attribute name="basicAuthUser">
            <Value></Value>
        </Attribute>
        <Attribute name="basicAuthPassword">
            <Value></Value>
        </Attribute>
        <Attribute name="autofedAttribute">
            <Value></Value>
        </Attribute>
        <Attribute name="assertionEffectiveTime">
            <Value>600</Value>
        </Attribute>
        <Attribute name="idpAuthncontextMapper">
        </Attribute>
        <Attribute name="idpAuthncontextClassrefMapping">
        </Attribute>
        <Attribute name="idpAccountMapper">
        </Attribute>
        <Attribute name="idpAttributeMapper">
        </Attribute>
        <Attribute name="attributeMap">
            <Value>EmailAddress=mail</Value>
            <Value>Telephone=telephonenumber</Value>
        </Attribute>
        <Attribute name="wantNameIDEncrypted">
            <Value></Value>
        </Attribute>
        <Attribute name="wantArtifactResolveSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="wantLogoutRequestSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="wantLogoutResponseSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="wantMNIRequestSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="wantMNIResponseSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="cotlist">
            <Value>saml2_circle_of_trust</Value>
        </Attribute>
    </IDPSSOConfig>
</EntityConfig>