OpenAM as Identity Provider / Fedlet as Service Provider – Federated Single Sign On

Context

In this post, I will show how to configure OpenAM as a SAML 2.0 Identity Provider (IdP) and use a second Tomcat instance to install, deploy and configure a Fedlet. A Fedlet is a lightweight way for a service provider (SP) to federate quickly with a SAML 2.0 identity provider. Let’s describe those steps in detail.

Required Steps

  1. Configure OpenAM as Identity Provider and define the Circle of Trust (CoT)
  2. Create and configure a Fedlet from your OpenAM (IdP) instance
  3. Install another Tomcat instance, deploy the Fedlet and test the federation

Step1: Configure OpenAM as IdP

  • Log in to your OpenAM instance as amAdmin, click Common Tasks and click “Create Hosted Identity Provider”
  • Provide the following information:
    • Do you have metadata for this provider: No
    • Metadata Name: this becomes the IdP entity ID, so use a URL reachable from the Internet and preferably served over HTTPS, for example https://cmok.kwaoo.me:8443/OpenAM-13.0.0
    • Metadata Signing Key: select test from the dropdown (test is the self-signed demo key shipped in OpenAM’s default keystore; it is fine for a lab, but a production IdP needs its own key and certificate, because the SP will trust any assertion signed with the key published in the IdP metadata)
    • Create a new Circle of Trust and provide a name, e.g. salesforce-cot
    • Create an attribute mapping between the attribute names used in the SAML assertion and the attributes of your local data store:
      • Name in Assertion: ssoid
      • Local Attribute Name: uid
    • Click Configure, then Finish


IDP / Assertion Content Tab


IDP - Assertion Content - 2016-03-13_15-33-58

IDP / Assertion Processing Tab


IDP Assertion Processing - 2016-03-13_15-34-56

IDP / Service  Tab


IDP Services - 2016-03-13_15-35-50

IDP / Advanced  Tab


IDP Advanced - 2016-03-13_15-36-43

Step2: Create and configure a Fedlet

  • Connect to your OpenAM IdP, click Common Tasks, then Create Fedlet. Give the Fedlet a name, the URL it will run at on the second Tomcat instance and the Circle of Trust created in step 1; OpenAM then generates a Fedlet.zip under its configuration directory.

    CreateAFedlet-2016-03-13_14-52-57


    Create your Fedlet - 2016-03-13_14-49-24

Step3: Install another tomcat instance, deploy the fedlet and test the federation

  1. Install another Tomcat instance. As I have installed it on the same VM, I need to change the standard Tomcat ports to avoid a conflict. I have added +100 to the following ports:
    1. 8005 (shutdown) becomes 8105
    2. 8080 (HTTP) becomes 8180
    3. 8009 (AJP) becomes 8109
    4. 8443 (HTTPS) becomes 8543
  • Open the ports that must be reachable from the Internet in your firewall. Only the HTTPS connector (8543 here) needs to be reachable, since the IdP redirects the user’s browser to it; leave the shutdown port and the AJP connector bound to localhost
  • Configure your Tomcat instance to use HTTPS

Open your Tomcat configuration file server.xml and add this connector (the keystore password sits in clear text in this file, so keep it readable only by the Tomcat user):

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8543" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="E:/apache-tomcat-8.0.26/certificate/tomcat8_keystore.jks" keystorePass="xxxxx"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"/>
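The port shift and the HTTPS connector above, done as a script instead of by hand. This is an added example for this post, not Tomcat or OpenAM code; the sample server.xml is constructed, and the keystore path, password and key alias are placeholders. Besides adding 100 to every port it pins the shutdown and AJP listeners to loopback and computes which ports are actually left for the firewall rule:

```python
"""Move a second Tomcat's server.xml onto shifted ports and add the HTTPS
connector, as Step 3 does by hand. Added example for this post, not Tomcat
or OpenAM code; keystore path and password are placeholders."""
import xml.etree.ElementTree as ET

# Constructed, minimal server.xml carrying Tomcat's stock ports.
STOCK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def shift_ports(server_xml, delta=100,
                keystore="E:/apache-tomcat-8.0.26/certificate/tomcat8_keystore.jks",
                keystore_pass="xxxxx"):
    """Return server.xml with every port moved by delta, the shutdown and AJP
    listeners pinned to loopback, and an HTTPS NIO connector inserted."""
    root = ET.fromstring(server_xml)

    # Shutdown listener (8005 -> 8105). Tomcat defaults to localhost here;
    # saying so explicitly keeps it out of any "open these ports" list.
    root.set("port", str(int(root.get("port")) + delta))
    root.set("address", "127.0.0.1")

    https_port = str(8443 + delta)
    for conn in root.iter("Connector"):
        for attr in ("port", "redirectPort"):
            if conn.get(attr) is not None:
                conn.set(attr, str(int(conn.get(attr)) + delta))
        if conn.get("protocol", "").startswith("AJP"):
            # AJP is a back-channel for a local reverse proxy, never for the Internet.
            conn.set("address", "127.0.0.1")
        if conn.get("redirectPort"):
            # HTTP redirects here, so the HTTPS connector must listen here.
            https_port = conn.get("redirectPort")

    https = ET.Element("Connector", {
        "protocol": "org.apache.coyote.http11.Http11NioProtocol",
        "port": https_port, "maxThreads": "200",
        "scheme": "https", "secure": "true", "SSLEnabled": "true",
        "keystoreFile": keystore, "keystorePass": keystore_pass,
        "clientAuth": "false", "sslProtocol": "TLS", "URIEncoding": "UTF-8",
    })
    service = root.find("Service")
    # Keep the connectors ahead of <Engine>, where server.xml conventionally has them.
    service.insert(list(service).index(service.find("Engine")), https)
    return ET.tostring(root, encoding="unicode")


def listening_ports(server_xml):
    """Map each listener to (port, bind address); address None = all interfaces."""
    root = ET.fromstring(server_xml)
    ports = {"shutdown": (int(root.get("port")), root.get("address"))}
    for conn in root.iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            name = "ajp"
        elif conn.get("SSLEnabled") == "true":
            name = "https"
        else:
            name = "http"
        ports[name] = (int(conn.get("port")), conn.get("address"))
    return ports


def firewall_ports(server_xml):
    """The ports that actually need opening: every listener not bound to loopback."""
    return sorted(port for port, addr in listening_ports(server_xml).values()
                  if addr not in LOOPBACK)


if __name__ == "__main__":
    new_xml = shift_ports(STOCK_SERVER_XML)
    print(new_xml)
    print("open in firewall:", firewall_ports(new_xml))
```

On the stock file this yields 8105, 8180, 8109 and 8543 and reports only 8180 and 8543 as needing a firewall rule; the shutdown and AJP listeners stay on loopback, which is what you want on a box that is reachable from the Internet.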
  • Unzip the Fedlet zip generated in $HOME/OpenAM-12.0.0/myfedlets/fedlet/Fedlet.zip
  • Copy the fedlet.war into your $TOMCAT/webapps folder (I unzipped fedlet.war so that I could change some of the JSP code to suit my needs)
  • Configure the Fedlet using this URL: https://cmok.kwaoo.me:8543/fedlet/

  • FedletConfiguration_2016-03-13_15-13-05


    Validate Fedlet Setup - 2016-03-13_15-15-15

  • Click on the link Fedlet (SP) Initiated Login

  • Successfull SSO with OpenAM as Idp - 2016-03-13_15-21-49
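What the Fedlet checks when the SAML Response comes back after the SP-initiated login, written out as a small script against a constructed response. This is an added example for this post and not Fedlet code: the Fedlet entity ID and assertion consumer URL below are assumptions (the real values are in the Fedlet’s own metadata), and the script deliberately skips XML signature verification, which the Fedlet performs with the IdP certificate from the metadata and without which none of the other checks can be trusted.

```python
"""Validate a SAML 2.0 Response the way an SP has to before it uses the
attributes: right issuer, right audience and recipient, inside the validity
window, and answering our own AuthnRequest. Added example for this post, not
Fedlet code. It does NOT verify the XML signature; a real SP must do that first."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values for this lab; the SP entity ID and ACS URL are placeholders.
IDP_ENTITY_ID = "https://cmok.kwaoo.me:8443/OpenAM-13.0.0"
SP_ENTITY_ID = "https://cmok.kwaoo.me:8543/fedlet"
SP_ACS_URL = "https://cmok.kwaoo.me:8543/fedlet/fedletapplication"

# Constructed, unsigned response shaped like what the IdP posts back to the SP.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2016-03-13T14:21:00Z"
    Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-03-13T14:21:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">x9Fq</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-03-13T14:31:00Z"
            Recipient="{SP_ACS_URL}" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-03-13T14:20:00Z" NotOnOrAfter="2016-03-13T14:31:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="ssoid"><saml:AttributeValue>demo</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def utc(*args):
    """Aware UTC datetime, e.g. utc(2016, 3, 13, 14, 25)."""
    return datetime(*args, tzinfo=timezone.utc)


def _within(now, not_before, not_on_or_after):
    """True if now lies inside [NotBefore, NotOnOrAfter); absent bounds are open."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    if not_before and now < parse(not_before):
        return False
    if not_on_or_after and now >= parse(not_on_or_after):
        return False
    return True


def check_response(xml_text, request_id, now, idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID, acs=SP_ACS_URL):
    """Return (problems, attributes); an empty problems list means the response passes."""
    problems = []
    resp = ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if resp.findtext("saml:Issuer", namespaces=NS) != idp:
        problems.append("response issuer is not our IdP")
    if resp.get("Destination") not in (None, acs):
        problems.append("Destination is not our ACS URL")
    if resp.get("InResponseTo") != request_id:
        problems.append("response does not answer our AuthnRequest")

    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one assertion, got {len(assertions)}")
        return problems, {}
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != idp:
        problems.append("assertion issuer is not our IdP")

    cond = a.find("saml:Conditions", NS)
    if cond is None or not _within(now, cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its validity window")
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp not in audiences:
        problems.append("assertion is not addressed to our SP (audience)")

    # Bearer confirmation: the assertion must be for our ACS and our request, and still be fresh.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs or scd.get("InResponseTo") != request_id
            or not _within(now, None, scd.get("NotOnOrAfter"))):
        problems.append("bearer confirmation does not match our request/ACS or has expired")

    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return problems, attrs


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "_req1", utc(2016, 3, 13, 14, 25)))
```

With now inside the window the sample passes and yields the mapped attribute ssoid=demo, which is the value the Fedlet shows on its success page; move now past NotOnOrAfter, expect a different audience, or pass the ID of some other AuthnRequest and the corresponding check fails. In real traffic the response arrives base64-encoded in the SAMLResponse POST parameter and must be signature-checked before any of this.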

Fedlet SP / Assertion Content


Fedlet SP Assertion Content - 2016-03-13_15-38-34

Fedlet SP / Assertion Processing


Fedlet SP Assertion Processing - 2016-03-13_15-39-26

Fedlet SP / Services


Fedlet SP Services - 2016-03-13_15-40-19

Fedlet SP / Advanced


Fedlet SP Advanced - 2016-03-13_15-40-56

IdP – Federation Tab


IDP Federation Tab - 2016-03-13_15-41-43

IdP – Circle of Trust


IDP Circle of Trust - 2016-03-13_15-42-18

Thanks for reading.


About Chenda Mok

19 years of hands on experience in software design and development with emphasis on Enterprise Application Integration (EAI), Services Oriented Architecture (SOA) and Identity Management (IDM) solutions. I’m a software engineer, member of the professional service delivery team working for Salesforce. Prior to this, I worked for Oracle as Solution Architect, through SeeBeyond(06/2005), then SUN’s acquisition (04/2009). After my master’s degree in computer science in 1997; I always delivered consulting on architecture, design, implementation on integration’s field. I’m interested in architecture using EAI/SOA/IDM/BPM/Cloud technologies, software development and Java’s related technologies. I may blog about my work/activities at Salesforce, but I do not speak for my employer, past, present or future.
This entry was posted in Salesforce.