Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Single Sign-on

Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a user. Single sign-on interactions can support both persistent and transient identifiers. A persistent identifier is saved to a particular user entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's data store entry.

In some deployments, there might be no user account on the service provider side of an interaction. In this case, single sign-on with the transient name identifier is used. All users passed from the identity provider to the service provider will be mapped to this one user account. All attributes defined in the AttributeStatement will be set as properties of the specific user's single sign-on token. The following procedures describe some interactions using the transient name identifier.

Procedure: To Use the Transient Name Identifier

  1. Append the NameIDFormat=transient query parameter to the URL that initiates a single sign-on JavaServer Page™ (JSP™).

    spSSOInit.jsp and idpSSOInit.jsp both initiate single sign-on interactions.

  2. To test, invoke the URL.

    For more information, see JavaServer Pages.

Procedure: To Configure Single Sign-on without Service Provider User Account

In some deployments, the service provider side of an interaction might not store user accounts. In this case, the single sign-on solution is to map all identity provider user accounts to one service provider user account. Any attributes inside the AttributeStatement will be set as properties of the single sign-on token. The following procedure maps identity provider users to a service provider anonymous user and passes two attributes to the service provider.

  1. Export the identity provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

  2. Edit attributeMap in the exported extended metadata configuration file.

    attributeMap defines the attribute mapping between the provider that this metadata is configuring and the remote provider. Each Value takes the form autofedAttribute-value=remote-provider-attribute, where the left side is the local attribute name and the right side is the attribute name used by the remote provider. For example:

    <Attribute name="attributeMap">
    <Value>mail=mail</Value>
    <Value>employeeNumber=employeeNumber</Value>
    </Attribute>

  3. Remove the identity provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

  4. Import the identity provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

  5. Restart the web container.

  6. Export the service provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e SP-entityID -x SP-extended-XML-file-name

  7. Edit the following attributes in the exported extended metadata configuration file.

    • transientUser takes as its value one of the existing transient user identifiers on the service provider side, for example, anonymous.

    • attributeMap defines the attribute mapping between the provider that this metadata is configuring and the remote provider. Each Value takes the form autofedAttribute-value=remote-provider-attribute, where the left side is the local attribute name and the right side is the attribute name used by the remote provider. For example:

      <Attribute name="attributeMap">
      <Value>mail=mail</Value>
      <Value>employeeNumber=employeeNumber</Value>
      </Attribute>

  8. Remove the service provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e SP-entityID -c

  9. Import the service provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x SP-extended-XML-file-name

  10. Restart the web container.

  11. To test, invoke the single sign-on URL with the NameIDFormat=transient query parameter appended to it.

    All identity provider users will be mapped to anonymous on the service provider side, and mail and employeeNumber will be set as properties in the identity provider user's single sign-on token. For more information on the single sign-on URL, see JavaServer Pages.
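The editing steps above (step 2 for the identity provider and step 7 for the service provider) both come down to changing Attribute/Value entries in the exported extended metadata file between the saml2meta export and import commands. The following Python script is an added example, not code from the SAML v2 Plug-in or from saml2meta, that performs that edit and reads the result back so the file can be checked before it is imported. It assumes the exported file has the EntityConfig/SPSSOConfig (or IDPSSOConfig)/Attribute/Value layout shown in the guide's snippet; the namespace string, the element names other than Attribute and Value, and the sample files are assumptions constructed for the example.

```python
"""Edit transientUser and attributeMap in an exported extended metadata file.

Added example; not part of the SAML v2 Plug-in or the saml2meta tool.
The element layout (EntityConfig > SPSSOConfig/IDPSSOConfig > Attribute > Value)
and the namespace below are assumptions modelled on the guide's snippet.
"""
import xml.etree.ElementTree as ET

NS = "urn:sun:fm:SAML:2.0:entityconfig"   # assumed namespace of the extended metadata
ET.register_namespace("", NS)             # keep the default namespace on output

# Constructed sample of an exported service provider extended metadata file.
SAMPLE_SP_EXTENDED = f"""<EntityConfig xmlns="{NS}" entityID="https://sp.example.test" hosted="1">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="transientUser"><Value></Value></Attribute>
    <Attribute name="attributeMap"></Attribute>
  </SPSSOConfig>
</EntityConfig>
"""

# Constructed sample of an exported identity provider extended metadata file.
SAMPLE_IDP_EXTENDED = f"""<EntityConfig xmlns="{NS}" entityID="https://idp.example.test" hosted="1">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="attributeMap"></Attribute>
  </IDPSSOConfig>
</EntityConfig>
"""


def parse_attribute_map(values):
    """Turn ['mail=mail', ...] into {'mail': 'mail'}, rejecting malformed entries.

    Each entry must be local-attribute=remote-provider-attribute with both sides
    non-blank; a local attribute mapped twice is ambiguous and is rejected too.
    """
    mapping = {}
    for entry in values:
        local, sep, remote = entry.partition("=")
        local, remote = local.strip(), remote.strip()
        if not sep or not local or not remote:
            raise ValueError(f"malformed attributeMap entry: {entry!r}")
        if local in mapping:
            raise ValueError(f"duplicate local attribute in attributeMap: {local!r}")
        mapping[local] = remote
    return mapping


def _role_config(root, role):
    config = root.find(f"{{{NS}}}{role}")
    if config is None:
        raise ValueError(f"no {role} element in extended metadata")
    return config


def _set_attribute(config, name, values):
    """Replace (or create) the Attribute called `name` with the given Value list."""
    attr = next((a for a in config.findall(f"{{{NS}}}Attribute") if a.get("name") == name), None)
    if attr is None:
        attr = ET.SubElement(config, f"{{{NS}}}Attribute", name=name)
    for child in list(attr):
        attr.remove(child)
    for value in values:
        ET.SubElement(attr, f"{{{NS}}}Value").text = value


def set_attribute_map(xml_text, role, attribute_map):
    """Write attributeMap into the SPSSOConfig or IDPSSOConfig role element (step 2 / step 7)."""
    entries = [f"{local}={remote}" for local, remote in attribute_map.items()]
    parse_attribute_map(entries)          # validate before touching the file
    root = ET.fromstring(xml_text)
    _set_attribute(_role_config(root, role), "attributeMap", entries)
    return ET.tostring(root, encoding="unicode")


def configure_transient_sp(xml_text, transient_user, attribute_map):
    """Set transientUser and attributeMap on the service provider side (step 7)."""
    if not transient_user or transient_user != transient_user.strip():
        raise ValueError("transientUser must name an existing, non-blank user identifier")
    root = ET.fromstring(set_attribute_map(xml_text, "SPSSOConfig", attribute_map))
    _set_attribute(_role_config(root, "SPSSOConfig"), "transientUser", [transient_user])
    return ET.tostring(root, encoding="unicode")


def read_config(xml_text, role):
    """Read back (transientUser, attribute map) so the file can be checked before import."""
    root = ET.fromstring(xml_text)
    values = {}
    for attr in _role_config(root, role).findall(f"{{{NS}}}Attribute"):
        values[attr.get("name")] = [v.text or "" for v in attr.findall(f"{{{NS}}}Value")]
    transient = (values.get("transientUser") or [""])[0]
    return transient, parse_attribute_map(values.get("attributeMap", []))


if __name__ == "__main__":
    mapping = {"mail": "mail", "employeeNumber": "employeeNumber"}
    sp_xml = configure_transient_sp(SAMPLE_SP_EXTENDED, "anonymous", mapping)
    idp_xml = set_attribute_map(SAMPLE_IDP_EXTENDED, "IDPSSOConfig", mapping)
    print(read_config(sp_xml, "SPSSOConfig"))
    print(read_config(idp_xml, "IDPSSOConfig"))
```

Because every identity provider user lands in the same service provider account, the attributes carried by attributeMap are the only per-user data the service provider sees, so the read-back check is worth running on the edited file before the saml2meta import: it confirms that transientUser is populated and that each mapping entry is well formed and names a local attribute only once.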