Deployment Example 2: Federation Using SAML v2

Procedure: To Generate and Customize the Identity Provider Template Files

  1. As a root user, log into the Access Manager 1 host.

  2. Go to the following directory:


    /opt/SUNWam/saml2/bin
  3. Generate the SAMLv2 template files.


    # ./saml2meta template -u amadmin -w 4m4dmin1 -e loadbalancer-3.example.com \
    -d /users/idp -b LoadBalancer-3 -g LoadBalancer-3-enc \
    -m /etc/opt/SUNWam/config/saml2-idp-template.xml \
    -x /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
    Hosted entity descriptor for realm "/" was written to the file
    "/etc/opt/SUNWam/config/saml2-idp-template.xml" successfully.
    Hosted entity config for realm "/" was written to the file
    "/etc/opt/SUNWam/config/saml2-idp-extended-template.xml" successfully.

    The saml2-idp-extended-template.xml file is similar to the standard saml2-idp-template.xml file. However, the extended file contains data about the SAMLv2 plug-in that is specific to Federation Manager.

  4. Customize the saml2-idp-template.xml file.

    When the file is first generated, it is populated with default values. You must change these values manually to match the actual deployment environment. In this deployment example, a load balancer with SSL termination is used, so you must modify the file to use the HTTPS protocol and the load balancer service URL.


    # vi /etc/opt/SUNWam/config/saml2-idp-template.xml
    1. In each location URL and each response location URL, change the protocol http to https.

      Search for each occurrence of location and response location to be sure you have changed each URL.

    2. Globally change all occurrences of AccessManager-1 to LoadBalancer-3.

    3. Globally change all occurrences of 1080 to 9443.

    Save the file.

  5. Customize the saml2-idp-extended-template.xml file.


    # vi /etc/opt/SUNWam/config/saml2-idp-extended-template.xml
    1. Modify the following attribute-pair values to enable XML signing.


      <Attribute name="wantArtifactResponseSigned">
        <Value>true</Value>
      </Attribute>
      <Attribute name="wantLogoutRequestSigned">
        <Value>true</Value>
      </Attribute>
      <Attribute name="wantLogoutResponseSigned">
        <Value>true</Value>
      </Attribute>
      <Attribute name="wantMNIRequestSigned">
        <Value>true</Value>
      </Attribute>
      <Attribute name="wantMNIResponseSigned">
        <Value>true</Value>
      </Attribute>
      <Attribute name="cotlist">
        <Value>saml2_circle_of_trust</Value>
      </Attribute>
    2. Set the following parameter value:


      <EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
          xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
          hosted="1"

      A hosted value of 1 indicates that the entity configuration is hosted locally. A value of 0 indicates that the configuration is provided by a remote host.

  6. Load the metadata.

    See 7.3 Loading the Service Provider SAMLv2 Metadata.
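The script below is an added example, not part of the Access Manager documentation or of the saml2meta tool. It applies the step 4 substitutions to a generated IDP metadata file and then verifies, by parsing the XML rather than reading through it, that no Location or ResponseLocation endpoint still uses http:// or the Access Manager host and port, and that the extended configuration carries hosted="1" and every want*Signed flag from step 5 set to true. A single endpoint left on http:// behind an SSL-terminating load balancer, or one signing flag left at its default, is exactly the kind of edit that is easy to miss in vi and that silently weakens the federation. Both sample documents are constructed; the IDPSSOConfig wrapper element and its metaAlias in the extended sample are assumptions about the file layout, and the checker searches for Attribute elements anywhere under EntityConfig so that it does not depend on them.

```python
"""Verify the hand-edits from steps 4 and 5 on the generated SAMLv2 IDP files.
Added example; not from the Access Manager documentation or the saml2meta tool."""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
CFG_NS = "urn:sun:fm:SAML:2.0:entityconfig"   # namespace shown in step 5 of the procedure

# Attributes the procedure says must be "true" in the extended (entity config) file.
REQUIRED_SIGNING_FLAGS = (
    "wantArtifactResponseSigned",
    "wantLogoutRequestSigned",
    "wantLogoutResponseSigned",
    "wantMNIRequestSigned",
    "wantMNIResponseSigned",
)

# Constructed stand-in for a freshly generated saml2-idp-template.xml: protocol,
# host and port are the defaults that step 4 tells you to replace.
SAMPLE_IDP_TEMPLATE = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="loadbalancer-3.example.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="http://AccessManager-1.example.com:1080/amserver/ArtifactResolver/metaAlias/idp" index="0"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="http://AccessManager-1.example.com:1080/amserver/IDPSloRedirect/metaAlias/idp"
      ResponseLocation="http://AccessManager-1.example.com:1080/amserver/IDPSloRedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="http://AccessManager-1.example.com:1080/amserver/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed stand-in for saml2-idp-extended-template.xml after a partial edit:
# one signing flag was left at its default. IDPSSOConfig/metaAlias are assumed.
SAMPLE_EXTENDED_CONFIG = f"""<EntityConfig xmlns="{CFG_NS}" xmlns:fm="{CFG_NS}" hosted="1">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="wantArtifactResponseSigned"><Value>true</Value></Attribute>
    <Attribute name="wantLogoutRequestSigned"><Value>true</Value></Attribute>
    <Attribute name="wantLogoutResponseSigned"><Value>true</Value></Attribute>
    <Attribute name="wantMNIRequestSigned"><Value>true</Value></Attribute>
    <Attribute name="wantMNIResponseSigned"><Value>false</Value></Attribute>
    <Attribute name="cotlist"><Value>saml2_circle_of_trust</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>
"""

# Matches the two endpoint attributes step 4 cares about (and nothing else).
URL_ATTR = re.compile(r'\b(Location|ResponseLocation)="([^"]*)"')


def customize_idp_metadata(xml_text, old_host="AccessManager-1", new_host="LoadBalancer-3",
                           old_port="1080", new_port="9443"):
    """Apply the three edits from step 4: https in every Location/ResponseLocation,
    then the hostname and port substitutions. The port edit is restricted to the
    ':port' position so that an unrelated '1080' elsewhere in the file is not touched."""
    def to_https(match):
        return f'{match.group(1)}="{match.group(2).replace("http://", "https://", 1)}"'
    text = URL_ATTR.sub(to_https, xml_text)
    text = text.replace(old_host, new_host)
    return text.replace(f":{old_port}", f":{new_port}")


def check_endpoints(xml_text, expected_host="LoadBalancer-3.example.com", expected_port="9443"):
    """Return one problem string per Location/ResponseLocation that is not an HTTPS
    URL on the load balancer host and port. An empty list means step 4 is complete."""
    problems = []
    for elem in ET.fromstring(xml_text).iter():
        for attr in ("Location", "ResponseLocation"):
            url = elem.get(attr)
            if url is not None and not url.startswith(f"https://{expected_host}:{expected_port}/"):
                problems.append(f"{elem.tag.split('}')[-1]} {attr} still points at {url}")
    return problems


def check_extended_config(xml_text):
    """Return one problem string per step 5 requirement that is not met: hosted must
    be "1", every signing flag must be "true" and cotlist must name a circle of trust."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("hosted") != "1":
        problems.append(f"hosted is {root.get('hosted')!r}, expected '1' for a locally hosted entity")
    values = {}
    for attr in root.iter(f"{{{CFG_NS}}}Attribute"):
        value = attr.find(f"{{{CFG_NS}}}Value")
        values[attr.get("name")] = (value.text or "").strip() if value is not None else ""
    for flag in REQUIRED_SIGNING_FLAGS:
        if values.get(flag) != "true":
            problems.append(f"{flag} is {values.get(flag)!r}, expected 'true'")
    if not values.get("cotlist"):
        problems.append("cotlist is empty; the entity will not belong to any circle of trust")
    return problems


if __name__ == "__main__":
    print("before step 4:", check_endpoints(SAMPLE_IDP_TEMPLATE))
    print("after step 4: ", check_endpoints(customize_idp_metadata(SAMPLE_IDP_TEMPLATE)))
    print("step 5 check: ", check_extended_config(SAMPLE_EXTENDED_CONFIG))
```

Run it against the real files by reading /etc/opt/SUNWam/config/saml2-idp-template.xml and saml2-idp-extended-template.xml into the two check functions after editing; anything it prints is an endpoint or flag that still needs attention before the metadata is loaded in step 6.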