Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

ProcedureTo Configure the IDP Discovery Service

  1. Login as a user who has the following privileges:

    • Access to the web container administration console, if you plan to deploy idpdiscovery.war using this console.


    • The capability to execute the web container's deploy command-line utility, if you plan to deploy idpdiscovery.war using the CLI.

  2. Deploy the idpdiscovery.war to the web container using either the web container administration console or CLI command.

  3. Launch the Configurator using the following URL:


    For example:

    If the IDP Discovery Service is not already configured, you will be directed to the Configurator page.

  4. On the Configurator page, specify the following information:

    • Debug Directory:

    • Debug Level: error (default), warning, message, or off.

    • Cookie Type: PERSISTENT (default) or SESSION

    • Cookie Domain:

    • Secure Cookie: True or False (default)

    • Encode Cookie: True (default) or False

  5. Click Configure.

  6. On the SP host machine, use the console to create a Circle of Trust with the IDP Discovery Service URL used as the prefix for the value of the Reader and Writer URL attributes. For example:

    SAML2 Writer Service URL: http://idp-discovery-server-machine:port/idpdiscovery/saml2writer

    SAML2 Reader Service URL: http://idp-discovery-server-machine:port/idpdiscovery/saml2reader

  7. On the IDP host machine, use the console to create a Circle of Trust with the value of the prefix attribute also set to the identity provider discovery service URL. For example:


  8. Generate metadata for both the IDP and the SP using the ssoadm command-line utility with the create-metadata-templ option.

  9. Load the SP metadata into the IDP machine.

  10. Change the value of the host in the IDP metadata from 0 or remote.

  11. Load the IDP metadata into the SP machine.

    After this configuration, the values of the Writer URL and Reader URL in each Circle of Trust are the URL of the IDP Discovery Service.

Next Steps

Perform the SAMLv2 test cases for SP-initiated and IDP-initiated single sign-on and single logout. Each time you perform these operations from the SP side, the Discovery Service logs will show the redirection to the IDP.