SyferLock Help Center

ForgeRock OpenAM 11.0.0 Integration

1. Create Hosted Service Provider

From the main OpenAM console (the "Common Tasks" tab), click on "Create Hosted Service Provider".

2. Service Provider details

Fill in the information on this page. The metadata Name should already be filled out. The Circle of Trust name can be anything unique. Click on "Configure" in the upper right. OpenAM will confirm the creation of the SP and the Circle of Trust.

3. Federation

Follow Procedure 16.3 in the OpenAM 11.0.0 Administration Guide to insert a new signing certificate into the OpenAM keystore file:

http://docs.forgerock.org/en/openam/11.0.0/admin-guide/index

When keytool prompts for "First and Last Name", enter the hostname of the OpenAM server (openam.demo.local in this document) so that the certificate's CN matches it. Use the keystore and key passwords OpenAM already has on record (the .storepass and .keypass files next to the keystore), otherwise OpenAM cannot open the new key. For this document, the alias 'signingKey' is used to reference this certificate. Note the certificate fingerprint that "keytool -list -v" prints for this alias; it is the easiest way to confirm later that the metadata exchanged with GridGuard carries this certificate and not some other one.

Restart OpenAM.

4. Federation --> Entity Providers

Back in the OpenAM UI, go to Federation->Entity Providers and click on the SP created above.

4.1. Signing and Encryption

Make sure to check "Authentication Requests Signed" and "Assertions Signed" (in the exported SP metadata these become AuthnRequestsSigned="true" and WantAssertionsSigned="true" on the SPSSODescriptor). Under Certificates, enter the alias from the previous step ('signingKey') as the signing certificate alias, so it looks similar to the screenshot above.

4.2. Assertion Processing


Under “Assertion Processing”, scroll down to “Default Relay State URL” and enter “/openam/console”.

4.3. Services

Under "Services", scroll to the bottom and change the default "Assertion Consumer Service" to the HTTP-POST binding.

5. GridGuard ACC - SAML Configuration

In GridGuard ACC, click on "SAML Configuration", fill in the hostname of the server, and click on "Generate New Certificate".

Fill in the Label value and change the Issuer, if necessary, to match the Hostname.  Click on OK.

A message indicating “Certificate generated successfully” should appear.

6. SAML - Add SP


Right-click on “SAML Configuration” and select “Add”

Fill in a name for this SP Configuration. In this document, “OpenAM” is used.

Select the IDP Certificate from the previous step.

Click on “Add Service Provider” at the bottom and reselect the SP you just created.

Enter the following URL into "Import SP Metadata URL" and click "Go". Use the plain HTTP port of the OpenAM server: the import fails over HTTPS when the OpenAM SSL certificate is self-signed, because GridGuard cannot validate it.

http://openam.demo.local:<HTTPPORT>/openam/saml2/jsp/exportmetadata.jsp?spentityid=https://openam.demo.local:8449/openam

Because the metadata is fetched over unauthenticated HTTP, compare the signing certificate shown for the imported SP with the 'signingKey' certificate in the OpenAM keystore (for example by fingerprint) before relying on it; this certificate is the public key GridGuard will use to verify signed authentication requests from OpenAM.

The page will update and look something like the screenshot above.

6.1. SAML - General Tab

GridGuard requires a certificate that is not self-signed for the automatic refresh of the "ACS URL" and some of the other values. If any are empty, click on "Save Changes" at the top, and then re-select the SP.

Select the appropriate SAML Realm (e.g. "saml") in the "Realm" drop-down.

Select which attribute is used as the Name Identifier (for AD, this is usually sAMAccountName, but this will depend on your OpenAM environment). Whatever attribute is chosen here is the value OpenAM maps to a local user in step 8, so it must uniquely identify the account.

When finished, the page should look something like the screenshot above.  

Click on "Save Changes".

6.2. Reference URLs

Click on "Reference URLs" at the top, and note the Metadata URL:

https://gridguard.demo.local/gridguard/saml/md/OpenAM

Open this page in a browser and save the XML contents to a file “IDPMetadata.xml”.
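Both metadata documents exchanged in this section carry a signing certificate that the other side will trust, and the SP metadata was fetched over plain HTTP in step 6, so it is worth checking them before continuing. The following script is an added example, not SyferLock's or ForgeRock's code. Pointed at the SP metadata, it confirms the step 4 settings (AuthnRequestsSigned, WantAssertionsSigned, a default HTTP-POST Assertion Consumer Service) and prints the SHA-256 fingerprint of each signing certificate, to be compared with the fingerprint "keytool -list -v" shows for the 'signingKey' alias; pointed at IDPMetadata.xml, it prints the fingerprint of the GridGuard certificate generated in step 5. The embedded metadata and the certificate bytes inside it are constructed placeholders, and the file name check_metadata.py is an assumption.

```python
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for DER certificate bytes; NOT a real X.509 certificate.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"


def fingerprint(der):
    """SHA-256 over the DER bytes, in the AA:BB:... form `keytool -list -v` prints."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


# Constructed SP metadata shaped like exportmetadata.jsp output for the SP of step 2.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://openam.demo.local:8449/openam">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://openam.demo.local:8449/openam/Consumer/metaAlias/sp"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://openam.demo.local:8449/openam/Consumer/metaAlias/sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(FAKE_DER).decode("ascii")


def load_entity(source):
    """Parse metadata (str or bytes) and reject anything but a single EntityDescriptor."""
    root = ET.fromstring(source)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor: %s" % root.tag)
    return root


def check_sp(root):
    """The step 4 settings as read back from the SP metadata."""
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    defaults = [a for a in sp.findall("md:AssertionConsumerService", NS)
                if a.get("isDefault", "false").lower() == "true"]
    if len(defaults) != 1:
        raise ValueError("expected exactly one default AssertionConsumerService")
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "default_acs_is_post": defaults[0].get("Binding") == HTTP_POST,
        "default_acs_url": defaults[0].get("Location"),
    }


def signing_cert_fingerprints(root):
    """Fingerprints of every certificate offered for signing (use="signing" or no use attribute)."""
    fps = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(fingerprint(der))
    return fps


def sp_problems(root):
    """Step 4 settings that are wrong in this SP metadata (empty list = all good)."""
    f = check_sp(root)
    problems = []
    if not f["authn_requests_signed"]:
        problems.append("Authentication Requests Signed is off (AuthnRequestsSigned)")
    if not f["want_assertions_signed"]:
        problems.append("Assertions Signed is off (WantAssertionsSigned)")
    if not f["default_acs_is_post"]:
        problems.append("default AssertionConsumerService is not HTTP-POST")
    if not signing_cert_fingerprints(root):
        problems.append("no signing certificate in metadata")
    return problems


if __name__ == "__main__":  # python check_metadata.py [metadata.xml]
    root = load_entity(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SP_METADATA)
    print("entityID:", root.get("entityID"))
    if root.find("md:SPSSODescriptor", NS) is not None:
        print("problems:", sp_problems(root) or "none")
    print("signing cert SHA256:", signing_cert_fingerprints(root))
```

Run it once against the SP metadata URL's saved output and once against IDPMetadata.xml; a KeyDescriptor without a "use" attribute is reported too, because SAML allows such a key for both signing and encryption.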

7. OpenAM - Register Remote Identity Provider

In OpenAM, on the home page, select “Register Remote Identity Provider”

Select "File" as the metadata location; another window will pop up. Browse to IDPMetadata.xml, upload it, and close the window.

Select the same Circle of Trust created earlier, then click “Configure”.

8. Account Mapper


Navigate to Federation -> Circle of Trust Configuration -> Entity Providers and click on the SP (https://openam.demo.local:8449/openam)

Click on “Assertion Processing” Tab

In "Account Mapper", check "Use Name ID as User ID" (this may differ in other OpenAM environments, but this document assumes the SAML NameIdentifier is being used). With this setting, whatever NameID value GridGuard asserts is looked up directly as an OpenAM user ID, so GridGuard is fully trusted to assert the correct account name.

9. Authentication Chaining


Navigate to "Access Control" and click on the Top Level Realm

Click on the Authentication Tab

Click on “New” under “Authentication Chaining”

Name it “SAML”

On the next page, click on “Add”, and change the Instance type to “Federation”

Click “Save”, and then “Back to Authentication”

10. Change Organization Authentication


Change the Organization Authentication to “SAML”

Click “Save“

11. Create Access Account

Navigate to Access Control -> Top Level Realm

You need to do one of the following:

Create a user under "Subjects" whose ID is the sAMAccountName of a valid AD test account (the value GridGuard returns as the Name ID).

Under "Data Stores", configure an AD data store that matches the one used by GridGuard, so that OpenAM resolves the asserted Name ID against the same accounts.

12. Test Configuration

Now logout, and test the integration with the following URL: https://openam.demo.local:8449/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://gridguard.demo.local

Make sure the attribute being returned is mapped to a user source attribute in OpenAM.  This is described in the ForgeRock OpenAM documentation.

Connecting protected resources to the Circle of Trust is also described in the ForgeRock OpenAM documentation, and is outside the scope of this document.
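When the test above fails, the first thing to look at is what GridGuard actually asserted. The following script is an added example, not SyferLock's or ForgeRock's code. It decodes the SAMLResponse form value (copy it from the browser's developer tools on the POST to /openam/Consumer/metaAlias/sp) and reports the Issuer, NameID, Audience, validity window and whether the Assertion carries a Signature, which is what the settings in steps 4, 8 and 11 depend on. It checks structure only; verifying the XML signature against the certificate in IDPMetadata.xml is OpenAM's job. The embedded response, the user jsmith and the timestamps are constructed; the entity IDs are the ones used in this document, and the file name inspect_response.py is an assumption.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Entity IDs of this document's demo hosts.
SP_ENTITY_ID = "https://openam.demo.local:8449/openam"
IDP_ENTITY_ID = "https://gridguard.demo.local"

# Constructed SAMLResponse (already base64-decoded) as GridGuard might POST it to
# the OpenAM ACS. The Signature element is a placeholder; its value is not valid.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2014-03-01T10:00:00Z"
    Destination="https://openam.demo.local:8449/openam/Consumer/metaAlias/sp">
  <saml:Issuer>https://gridguard.demo.local</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-03-01T10:00:00Z">
    <saml:Issuer>https://gridguard.demo.local</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-03-01T09:59:00Z" NotOnOrAfter="2014-03-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://openam.demo.local:8449/openam</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError("unparseable SAML timestamp: %r" % (value,))


def inspect_response(saml_response_b64):
    """Decode the SAMLResponse form value and extract what OpenAM will act on.
    Use defusedxml.ElementTree instead of the stdlib parser for responses
    that did not come from your own lab IdP."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    cond = assertion.find("saml:Conditions", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": [a.text.strip() for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text],
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "assertion_has_signature": assertion.find("ds:Signature", NS) is not None,
        "attributes": attrs,
    }


def response_problems(info, now, sp_entity_id=SP_ENTITY_ID, idp_entity_id=IDP_ENTITY_ID):
    """Reasons the step 12 test would fail, judged from the decoded response.
    Structural triage only: OpenAM verifies the XML signature itself."""
    problems = []
    if info["status"] != SUCCESS:
        problems.append("IdP status is not Success: %s" % info["status"])
    if info["issuer"] != idp_entity_id:
        problems.append("Issuer %r is not the registered IdP %r" % (info["issuer"], idp_entity_id))
    if sp_entity_id not in info["audiences"]:
        problems.append("assertion is not addressed to this SP (Audience)")
    if not info["assertion_has_signature"]:
        problems.append("assertion carries no Signature, but Assertions Signed is on for the SP")
    if not info["name_id"]:
        problems.append("no NameID, so Use Name ID as User ID has nothing to map")
    if info["not_before"] and now < parse_saml_time(info["not_before"]):
        problems.append("assertion not yet valid (NotBefore %s)" % info["not_before"])
    if info["not_on_or_after"] and now >= parse_saml_time(info["not_on_or_after"]):
        problems.append("assertion expired (NotOnOrAfter %s)" % info["not_on_or_after"])
    return problems


if __name__ == "__main__":  # python inspect_response.py < saml_response.b64
    import sys
    raw = sys.stdin.read().strip() if not sys.stdin.isatty() else SAMPLE_RESPONSE_B64
    info = inspect_response(raw)
    print("NameID %r (%s) from %s" % (info["name_id"], info["name_id_format"], info["issuer"]))
    print("problems:", response_problems(info, datetime.now(timezone.utc).replace(tzinfo=None)) or "none")
```

The NameID it prints is the exact string OpenAM looks up as a user ID under step 8, so it must match the subject created in step 11 character for character; a clock skew between GridGuard and OpenAM shows up here as an "expired" or "not yet valid" assertion.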
