WSO2IS integration with OpenAM using SAML2 federated authentication
This article covers registering OpenAM (version 14.1.0, which ForgeRock ships under the name Access Management 5.1.0, hence the AM-eval-5.1.0 file names below) as a federated Identity Provider in WSO2 Identity Server (version 5.3.0).
First, set up OpenAM:
1. Download OpenAM from here.
2. Deploy the AM-eval-5.1.0.war file on a supported Tomcat version.
3. Browse to http://localhost:8080/AM-eval-5.1.0 to run the initial configuration and confirm that the console comes up afterwards.
For more detail on setting up OpenAM see https://backstage.forgerock.com/docs/am/5.1/quick-start-guide/chap-quick-firststeps
Log in to OpenAM with the administrator credentials chosen during configuration (in this setup):
username: amadmin
password: changeit
Next, set up SAMLv2 federation in the top level realm: OpenAM becomes the hosted Identity Provider and WSO2 Identity Server is registered as a remote Service Provider.
Create a hosted identity provider.
Configure the Identity Provider by giving a Name, a Signing key and a Circle of Trust. The signing key selected here is the one whose certificate is uploaded to WSO2 Identity Server later.
In the next window select "Register a Remote Service Provider".
Upload the following metadata file. It describes WSO2 Identity Server as a SAML2 service provider; both the entity ID and the Assertion Consumer Service are https://localhost:9443/commonauth.
<EntityDescriptor entityID="https://localhost:9443/commonauth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/commonauth/fedletSloRedirect"
        ResponseLocation="https://localhost:9443/commonauth/fedletSloRedirect"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/commonauth/fedletSloPOST"
        ResponseLocation="https://localhost:9443/commonauth/fedletSloPOST"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://localhost:9443/commonauth/fedletSloSoap"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/commonauth"/>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://localhost:9443/commonauth"/>
  </SPSSODescriptor>
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
      xsi:type="query:AttributeQueryDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></RoleDescriptor>
  <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  </XACMLAuthzDecisionQueryDescriptor>
</EntityDescriptor>
In the OpenAM console, select SAML under the Applications tab of the realm.
Under Entity Providers (the Federation tab in the legacy console), click the https://localhost:9443/commonauth entry.
Enable Assertion signing and POST response signing, and set the NameID format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. These settings live on the remote SP entry and take precedence over the WantAssertionsSigned="false" and transient NameID format declared in the uploaded metadata; without them OpenAM returns unsigned assertions, and there is nothing for WSO2 Identity Server to verify against the uploaded certificate.
In the Assertion Processing tab, map the attributes (claims) that the WSO2 Identity Server service provider requires.
WSO2 Identity Server configuration
Create a new Identity Provider.
Give the Identity Provider any preferred name.
Upload the Identity Provider Public Certificate. This is the certificate of the signing key selected in the OpenAM wizard; it is held in the OpenAM keystore at /home/AM-eval-5.1.0/AM-eval-5.1.0/keystore.jks, and the certificate (public part only, never the private key) has to be exported in PEM format before uploading, because WSO2 Identity Server does not read a JKS file directly.
Under Federated Authenticators select SAML2 Web SSO Configuration, enable it, and enter OpenAM's entity ID and SSO URL, keeping https://localhost:9443/commonauth as the Service Provider Entity Id so that it matches the metadata uploaded to OpenAM.
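To produce that PEM file and check it before uploading, here is an added Python helper; it is not code from the article, WSO2 or ForgeRock. It wraps the JDK keytool command that exports the certificate for the signing-key alias, confirms the result is exactly one certificate (not the keystore and not a private key), and prints its SHA-256 fingerprint so it can be compared with the fingerprint OpenAM shows for that key. Assumptions, not taken from the article: keytool is on PATH, the alias is the Signing key chosen in the hosted IdP wizard (OpenAM's bundled default alias is test), and the keystore password is read from the STOREPASS environment variable, defaulting to changeit.

```python
import base64
import hashlib
import os
import re
import subprocess
import sys

# Added example, not code from the article, WSO2 or ForgeRock. Exports the
# OpenAM signing certificate from keystore.jks in PEM form (what the WSO2 IS
# "Identity Provider Public Certificate" upload expects), checks that the
# result is exactly one certificate with no private key, and prints the
# SHA-256 fingerprint for comparison with the key OpenAM shows for the IdP.
# Assumptions: keytool (JDK) is on PATH; the alias is the Signing key chosen
# in the hosted IdP wizard (OpenAM's bundled default alias is "test"); the
# keystore password comes from $STOREPASS, defaulting to "changeit".

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def export_idp_cert(keystore: str, alias: str, storepass: str, out_path: str) -> None:
    """keytool -exportcert -rfc writes the certificate (public part only)
    for ALIAS as PEM. Raises CalledProcessError if keytool fails."""
    subprocess.run(
        ["keytool", "-exportcert", "-rfc", "-keystore", keystore,
         "-storepass", storepass, "-alias", alias, "-file", out_path],
        check=True,
    )


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the single certificate in PEM_TEXT.
    Rejects private keys, several certificates, raw JKS bytes and bad
    base64, so the wrong file is never uploaded to WSO2 IS."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("file contains a private key; upload only the certificate")
    bodies = PEM_CERT_RE.findall(pem_text)
    if len(bodies) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(bodies)}")
    try:
        return base64.b64decode("".join(bodies[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as keytool -list -v prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: export_idp_cert.py <keystore.jks> <alias> <out.pem>  (password in $STOREPASS)")
    keystore, alias, out_path = sys.argv[1:4]
    export_idp_cert(keystore, alias, os.environ.get("STOREPASS", "changeit"), out_path)
    with open(out_path, encoding="ascii", errors="replace") as fh:
        der = pem_to_der(fh.read())
    print("SHA256 fingerprint:", sha256_fingerprint(der))
```

Run it as `STOREPASS=changeit python export_idp_cert.py /home/AM-eval-5.1.0/AM-eval-5.1.0/keystore.jks test openam.pem` and upload openam.pem. The fingerprint check matters when the keystore holds more than one alias: uploading the wrong certificate produces signature-verification failures at login that are otherwise hard to diagnose.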
On the WSO2 Identity Server side, travelocity.com is configured as a Service Provider that uses this Identity Provider as its federated authenticator.
For details see https://docs.wso2.com/display/IS530/Configuring+Single+Sign-On
Now try to log in to the travelocity application. You are redirected to the OpenAM login page; after you enter OpenAM credentials, OpenAM posts a SAML response to https://localhost:9443/commonauth, WSO2 Identity Server verifies it, and the travelocity application becomes accessible.
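To see what OpenAM actually posts back at this step, capture the SAMLResponse form field in the browser (developer tools or a SAML tracer extension) and feed it to the added Python inspector below; it is not code from the article, WSO2 or ForgeRock. It decodes the field and reports whether the response and the assertion carry signatures, whether the NameID format, audience, Destination and Recipient match the values configured above, and which attributes OpenAM released. It checks structure only; signature verification is what WSO2 Identity Server does with the uploaded certificate. The IdP entity ID (http://localhost:8080/AM-eval-5.1.0, the deployment URL) is an assumption, and the sample response embedded in the block is constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Added example, not code from the article, WSO2 or ForgeRock. Decodes the
# SAMLResponse that OpenAM POSTs to the WSO2 IS ACS and checks it against the
# settings made in the OpenAM console. Structure only: the XML signatures
# themselves are verified by WSO2 IS with the uploaded certificate.
# Assumption: the hosted IdP's entity ID is its deployment URL.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SP_ENTITY_ID = ACS_URL = "https://localhost:9443/commonauth"
IDP_ENTITY_ID = "http://localhost:8080/AM-eval-5.1.0"   # assumption
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ASSERTION_CHECKS = ("assertion_present", "assertion_signed", "assertion_issuer_is_idp",
                    "audience_is_sp", "nameid_format_unspecified", "recipient_is_acs", "has_expiry")


def decode_saml_response(form_value: str) -> ET.Element:
    """Base64-decode the SAMLResponse POST parameter and parse the XML.
    For input from untrusted parties, parse with defusedxml instead."""
    return ET.fromstring(base64.b64decode(form_value))


def inspect_xml(xml_text: str) -> dict:
    return inspect_response(ET.fromstring(xml_text))


def inspect_response(resp: ET.Element, idp_entity_id: str = IDP_ENTITY_ID) -> dict:
    """Map each check name to True/False for a decoded <samlp:Response>."""
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    checks = {
        "is_samlp_response": resp.tag == "{%s}Response" % NS["samlp"],
        "destination_is_acs": resp.get("Destination") == ACS_URL,
        "status_success": status is not None and status.get("Value") == STATUS_SUCCESS,
        "response_issuer_is_idp": resp.findtext("saml:Issuer", "", NS) == idp_entity_id,
        "response_signed": resp.find("ds:Signature", NS) is not None,   # POST response signing
    }
    checks.update(dict.fromkeys(ASSERTION_CHECKS, False))
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:   # also the case for an EncryptedAssertion, which this does not decrypt
        return checks
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    checks.update({
        "assertion_present": True,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,   # Assertion signing
        "assertion_issuer_is_idp": assertion.findtext("saml:Issuer", "", NS) == idp_entity_id,
        "audience_is_sp": SP_ENTITY_ID in audiences,
        "nameid_format_unspecified": name_id is not None and name_id.get("Format") == NAMEID_UNSPECIFIED,
        "recipient_is_acs": scd is not None and scd.get("Recipient") == ACS_URL,
        "has_expiry": scd is not None and scd.get("NotOnOrAfter") is not None,
    })
    return checks


def attributes(resp: ET.Element) -> dict:
    """Claims released by OpenAM (Assertion Processing tab), name -> list of values."""
    return {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
            for attr in resp.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}


# Constructed sample of a successful response with the settings above applied.
# The ds:Signature elements are placeholders, not real XML signatures.
PLACEHOLDER_SIG = "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>x</ds:SignatureValue></ds:Signature>"
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="r1" Version="2.0" IssueInstant="2017-09-01T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  {PLACEHOLDER_SIG}
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="a1" Version="2.0" IssueInstant="2017-09-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    {PLACEHOLDER_SIG}
    <saml:Subject>
      <saml:NameID Format="{NAMEID_UNSPECIFIED}">demo</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-09-01T10:10:00Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-09-01T09:50:00Z" NotOnOrAfter="2017-09-01T10:10:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>demo@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    resp = decode_saml_response(SAMPLE_FORM_VALUE)   # replace with the captured form field
    for name, ok in inspect_response(resp).items():
        print("ok  " if ok else "FAIL", name)
    print("attributes:", attributes(resp))
```

A FAIL on response_signed or assertion_signed means the signing switches on the remote SP entry in OpenAM were not applied; a FAIL on audience_is_sp or destination_is_acs usually means the Service Provider Entity Id or ACS configured in WSO2 Identity Server differs from the metadata uploaded to OpenAM. Both show up at WSO2 Identity Server as a rejected response, so checking the raw message first saves time.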