Administration Console Online Help

Previous Next Open TOC in new window
Content starts here

Create a SAML 2.0 Web Single Sign-on Service Provider partner

Before you begin

Before you configure a SAML 2.0 Service Provider partner:

To create a SAML 2.0 web single sign-on Service Provider partner:

  1. In the left pane, select Security Realms.
  2. On the Summary of Security Realms page, select the name of the realm (for example, myrealm).
  3. On the Settings for Realm Name page select Providers > Credential Mapping.
  4. In the Credential Mapping Providers table, select the SAML 2.0 Credential Mapping provider.
  5. On the Settings for SAML 2.0 Credential Mapping Provider page, select Management.
  6. In the table under Service Provider Partners, click New > New Web Single Sign-On Service Provider Partner.
  7. On the Create a SAML 2.0 Web Single Sign-on Service Provider Partner page:
    1. Specify the name of the Service Provider partner.
    2. In the field next to Path, specify or browse to the full path of the metadata partner file.
    3. Click OK.

    Note: If you click the browser's Back button after clicking OK , the partner name is reset to the default.

  8. On the Settings for SAML 2.0 Credential Mapper page, in the Service Provider Partners table, select the name of your newly-created Service Provider partner.
  9. In the General page, select Enabled to enable interactions between this server and this Service Provider partner.
  10. Configure additional settings as appropriate. For example, you may choose to do one or more of the following:
    1. In the Assertions section, you may specify a Service Provider Name Mapper Class that you want to use for this Service Provider partner. This class is a custom implementation of the interface, which if specified here overrides the default SAML 2.0 credential name mapper class that is used for generating assertions for this particular Service partner.

      For more information about this name mapper class, see Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0 and API Reference for interface.

    2. Select Generate Attributes to include group information into the assertions so that the Service Provider partner subsequently can extract the groups to which the mapped user belongs in the local security realm.
    3. Select Only Accept Signed Artifact Requests as desired.
    4. Specify whether SAML artifacts are delivered to this Service Provider partner via the HTTP POST binding. If so, you may also specify the URI of a custom web application that generates the HTTP POST form for sending the SAML artifact.
    5. Specify the URI of any custom web application that you might want to use for generating the HTTP POST form for sending the message via the POST binding.
    6. Specify a client user name and password for connecting to the local site's binding. This attribute is optional, but it adds an additional degree of security.
    7. Click Save.

    In the Signing section, the attributes for specifying whether this partner accepts only signed assertions, or whether authentication requests must be signed, are read-only: they are derived from the partner's metadata file. For more information about these configuration options, see Configuring SAML 2.0 Services.

  11. Select Site Info to view information about the Service Provider partner's site. This information is derived from the partner's metadata file and is read-only.
  12. Select Single Sign-on Signing Certificate to view the partner's certificate. This information is read-only and is derived from the Service Provider partner's metadata file, which includes the certificate.
  13. Select Transport Layer Client Certificate to import or view the Service Provider partner's transport layer client certificate. You typically need to coordinate with your partner to obtain this certificate in a secure manner; it is not included in the partner metadata file.
  14. Select Assertion Consumer Service Endpoints to display the endpoints of the Service Provider's ACS.
  15. Select Artifact Resolution Service Endpoints to display the endpoints of the Service Provider's ARS.

    If the Artifact binding is not enabled for this partner, no ARS endpoints information will be available.


The Service Provider partner is created in the local server instance. The information associated with this partner obtained from the partner's metadata file is visible in the Administration Console as read-only data. Modifying this data is not recommended and may produce unpredictable results.

Back to Top