2. Fill in information on this page.
The metadata Name should already be filled out. The Circle of Trust name can be anything unique. Click ‘Configure’ in the upper right; OpenAM confirms the creation of the SP and the Circle of Trust.
3. Signing Certificate
Follow the instructions in Procedure 16.3 of the ForgeRock OpenAM documentation to insert a new signing certificate into the OpenAM keystore file.
Make sure the CN (the “First and Last Name” value keytool prompts for) matches the hostname of the OpenAM server. For this document, the alias ‘signingKey’ refers to this certificate.
4. Federation --> Entity Providers
Back in the OpenAM console, go to Federation -> Entity Providers and click on the SP created above.
4.1. Signing and Encryption
Check “Authentication Requests Signed” and “Assertions Signed”. Under Certificates, enter the signing certificate alias from the previous step (‘signingKey’ in this document). Requiring signed assertions is what allows OpenAM to reject any assertion not signed with the IdP certificate it has registered, so do not leave these unchecked for convenience.
4.2. Assertion Processing
Under “Assertion Processing”, scroll down to “Default Relay State URL” and enter “/openam/console”, so that a successful SSO login lands on the OpenAM console.
5. GridGuard ACC - SAML Configuration
In GridGuard ACC, click on “SAML Configuration”, fill in the hostname of the server, and click on “Generate New Certificate”.
Fill in the Label value and, if necessary, change the Issuer to match the Hostname. Click on OK.
A message indicating “Certificate generated successfully” should appear.
6. SAML - Add SP
Right-click on “SAML Configuration” and select “Add”.
Fill in a name for this SP Configuration. In this document, “OpenAM” is used.
Select the IDP Certificate from the previous step.
Click on “Add Service Provider” at the bottom and re-select the SP you just created.
Enter the following URL into “Import SP Metadata URL” and click “Go”:
Use the plain HTTP port of the OpenAM server: the import fails over HTTPS when the OpenAM SSL certificate is self-signed, because GridGuard cannot validate it. Metadata fetched over plain HTTP is not integrity-protected, so after the import compare the imported certificate and ACS URL against what OpenAM shows for the SP before saving.
The page updates with the imported values.
6.1. SAML - General Tab
GridGuard requires non-self-signed certificates for the automatic refresh of the “ACS URL” and some of the other values. If any of them are empty, click on “Save Changes” at the top, then re-select the SP.
Select the appropriate SAML Realm (e.g. “saml”) in the “Realm” drop-down.
Select which attribute is used as the Name Identifier (for AD this is usually sAMAccountName, but it depends on your OpenAM environment). Whatever you pick here is the value OpenAM has to map to a user in step 8.
When finished, the page shows the selected realm and Name Identifier attribute.
Click on "Save Changes".
6.2. Reference URLs
Click on "Reference URLs" at the top, and note the Metadata URL:
Open this URL in a browser and save the XML contents to a file named “IDPMetadata.xml”.
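Before registering anything, it is worth checking both metadata documents offline: the SP metadata OpenAM exports (section 6, which reflects the signing settings from 4.1) and the IDPMetadata.xml saved here. The script below is an added example, not part of this document or of the GridGuard or OpenAM products. It parses constructed sample metadata modelled on the demo hostnames used in this document (the GridGuard /saml/sso endpoint path and the certificate bodies are placeholders, not real values), flags unsigned-request or unsigned-assertion settings, a missing signing certificate, non-https endpoints and an endpoint host that differs from the entityID host, and builds the step 12 test URL with properly encoded parameters.

```python
"""Offline pre-flight checks on the SAML 2.0 metadata exchanged between OpenAM (SP)
and GridGuard (IdP). All metadata here is constructed for illustration, not fetched."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed SP metadata shaped like what OpenAM exports for the SP entity after
# step 4.1; the certificate body is a placeholder, not a real key.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://openam.demo.local:8449/openam">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>MIIC-placeholder-not-a-real-cert</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://openam.demo.local:8449/openam/Consumer/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed IdP metadata standing in for the saved IDPMetadata.xml; the /saml/sso
# endpoint path is an assumption, not a documented GridGuard value.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://gridguard.demo.local">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>MIIC-placeholder-not-a-real-cert</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://gridguard.demo.local/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _has_signing_cert(role):
    """True if the role has a signing KeyDescriptor (use="signing" or unset) with a cert."""
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and (cert.text or "").strip():
            return True
    return False

def _endpoint_findings(entity_id, endpoints, label):
    """Flag endpoints that are not https or whose host differs from the entityID
    host, the hostname mismatch the certificate steps above warn about."""
    host = urlsplit(entity_id).hostname
    findings = []
    for ep in endpoints:
        loc = urlsplit(ep.get("Location", ""))
        if loc.scheme != "https":
            findings.append(f"{label} {ep.get('Location')} is not https")
        if host and loc.hostname != host:
            findings.append(f"{label} host {loc.hostname} differs from entityID host {host}")
    return findings

def check_sp_metadata(xml_text):
    """Problems with exported SP metadata; an empty list means it is ready to import."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor in metadata"]
    findings = []
    if sp.get("AuthnRequestsSigned") != "true":
        findings.append("AuthnRequestsSigned is not true ('Authentication Requests Signed' unchecked)")
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not true ('Assertions Signed' unchecked)")
    if not _has_signing_cert(sp):
        findings.append("no signing certificate (Certificates section not filled in)")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append("no AssertionConsumerService (ACS URL) present")
    return findings + _endpoint_findings(root.get("entityID", ""), acs, "ACS URL")

def check_idp_metadata(xml_text):
    """Problems with IdP metadata; an empty list means it is safe to register."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor in metadata"]
    findings = []
    if not _has_signing_cert(idp):
        findings.append("IdP publishes no signing certificate; OpenAM could not verify assertions")
    sso = idp.findall("md:SingleSignOnService", NS)
    return findings + _endpoint_findings(root.get("entityID", ""), sso, "SSO endpoint")

def sp_sso_init_url(sp_base, meta_alias, idp_entity_id):
    """Build the SP-initiated SSO test URL from step 12 with encoded parameters."""
    query = urlencode({"metaAlias": meta_alias, "idpEntityID": idp_entity_id})
    return f"{sp_base.rstrip('/')}/saml2/jsp/spSSOInit.jsp?{query}"

if __name__ == "__main__":
    print("SP:", check_sp_metadata(SP_METADATA) or "OK")
    print("IdP:", check_idp_metadata(IDP_METADATA) or "OK")
    print(sp_sso_init_url("https://openam.demo.local:8449/openam", "/sp", "https://gridguard.demo.local"))
```

To use it against real files, read the exported SP metadata and IDPMetadata.xml from disk and pass the text to the two check functions; any non-empty result is a setting to fix in the console before continuing with step 7. A KeyDescriptor with no use attribute is treated as a signing key because the SAML metadata schema defines it as usable for both signing and encryption.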
7. OpenAM - Register Remote Identity Provider
In OpenAM, on the home page, select “Register Remote Identity Provider”
Select “File” as the metadata location; another window pops up. Browse to IDPMetadata.xml, upload it, and close the window.
Select the same Circle of Trust created earlier, then click “Configure”.
8. Account Mapper
Navigate to Federation -> Circle of Trust Configuration -> Entity Providers and click on the SP (https://openam.demo.local:8449/openam)
Click on “Assertion Processing” Tab
In “Account Mapper”, check “Use Name ID as User ID” (this may differ in other OpenAM environments, but this document assumes the SAML NameIdentifier carries the user ID selected in step 6.1).
9. Authentication Chaining
Navigate to "Access Control" and click on the Top Level Realm
Click on the Authentication Tab
Click on “New” under “Authentication Chaining”
Name it “SAML”
On the next page, click on “Add”, and change the Instance type to “Federation”
Click “Save”, and then “Back to Authentication”
10. Change Organization Authentication
Change the Organization Authentication to “SAML”
11. Create Access Account
Navigate to Access Control -> Top Level Realm
Do one of the following:
Create a user under "Subjects" whose ID is the sAMAccountName of a valid test AD account.
Under “Data Stores”, configure an AD data store pointing at the same directory GridGuard uses.
12. Test Configuration
Now logout, and test the integration with the following URL: https://openam.demo.local:8449/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://gridguard.demo.local
Make sure the attribute returned in the assertion is mapped to a user source attribute in OpenAM; this is described in the ForgeRock OpenAM documentation.
Connecting protected resources to the Circle of Trust is also described in the ForgeRock OpenAM documentation, and is outside the scope of this document.