OpenAM as Identity Provider / Fedlet as Service Provider – Federated Single Sign On


In this post, I will show how you can configure OpenAM as an Identity Provider (IdP) and use another Tomcat instance to install, deploy and configure a Fedlet. A Fedlet is a lightweight way for a service provider to quickly federate with a SAML 2.0 identity provider. Let's describe those steps in detail.

Required Steps

  1. Configure OpenAM as Identity Provider, define the Circle of Trust (CoT) and create a Fedlet
  2. Create and configure the Fedlet from your OpenAM (IdP) instance
  3. Install another Tomcat instance, deploy the Fedlet and test the federation

Step 1: Configure OpenAM as IdP

  • Log in to your OpenAM instance as amAdmin, click Common Tasks and click on "Create Hosted Identity Provider"
  • Provide the following information:
    • Do you have metadata for this provider: No
    • Metadata Name: a URL accessible from the Internet, preferably secured with HTTPS
    • Metadata Signing Key: select test from the dropdown
    • Create a new Circle of Trust and provide a name, e.g. salesforce-cot
    • Create an attribute mapping between the attributes used in the SAML assertion and the attributes of your local data store:
      • Name in Assertion: ssoid
      • Local Attribute Name: uid
    • Click Configure, then Finished


IDP / Assertion Content Tab

[Screenshot: IdP Assertion Content tab]

IDP / Assertion Processing Tab

[Screenshot: IdP Assertion Processing tab]

IDP / Services Tab

[Screenshot: IdP Services tab]

IDP / Advanced Tab

[Screenshot: IdP Advanced tab]

Step 2: Create and configure a Fedlet

  • Connect to your OpenAM IdP, click on Common Tasks and choose Create Fedlet

    [Screenshot: Create your Fedlet]

Step 3: Install another Tomcat instance, deploy the Fedlet and test the federation

  • Install another Tomcat instance. As I have installed it on the same VM, I need to change the standard Tomcat ports to avoid conflicts. I have added +100 to the following ports:
    • 8005
    • 8080
    • 8009
    • 8443
  • Open these ports in your firewall to allow access from the Internet
  • Configure your Tomcat instance to use HTTPS

Open your Tomcat configuration file server.xml and add this section:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8543" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="E:/apache-tomcat-8.0.26/certificate/tomcat8_keystore.jks"
               keystorePass="xxxxx"
               clientAuth="false" sslProtocol="TLS"
               URIEncoding="UTF-8"/>
  • Unzip the Fedlet zip generated in $HOME/OpenAM-12.0.0/myfledlets/fedlet/
  • Copy the WAR into your $TOMCAT/webapp folder (I have unzipped fedlet.war in order to change some JSP code to reflect my needs)
  • Configure the Fedlet using this URL:

    [Screenshot: Fedlet configuration]

    [Screenshot: Validate Fedlet Setup]

  • Click on the link Fedlet (SP) Initiated Login

    [Screenshot: Successful SSO with OpenAM as IdP]
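What the Fedlet does with the assertion it receives after the SP-initiated login, as an added example that is not the Fedlet's own code: it only accepts an assertion issued by the IdP in its Circle of Trust, addressed to its own entity ID and inside the validity window, and then applies the attribute mapping from Step 1 (ssoid in the assertion becomes the local uid). The entity IDs, NameID and timestamps are constructed sample values; the XML signature check (against the IdP signing certificate published in the metadata) is left out.

```python
"""Added example, not Fedlet code: the SP-side checks applied to an assertion
after "Fedlet (SP) Initiated Login", plus the Step 1 attribute mapping
("ssoid" in the assertion -> local "uid"). Entity IDs and values are constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDP = "https://idp.example.com/openam"          # IdP entity ID in the Circle of Trust (constructed)
SP_ENTITY_ID = "https://sp.example.com:8543/fedlet"     # this Fedlet's entity ID (constructed)
ATTRIBUTE_MAP = {"ssoid": "uid"}                        # Name in Assertion -> Local Attribute Name

# Constructed sample assertion; the signature the Fedlet verifies against the IdP metadata is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0nstructed" Version="2.0" IssueInstant="2016-03-13T15:21:40Z">
  <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
  <saml:Subject><saml:NameID>cmok</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-03-13T15:21:30Z" NotOnOrAfter="2016-03-13T15:31:40Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com:8543/fedlet</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="ssoid"><saml:AttributeValue>cmok</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>cmok@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_instant(text):
    """SAML xs:dateTime in UTC, e.g. 2016-03-13T15:21:49Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def process_assertion(xml_text, now, trusted_idp=TRUSTED_IDP, sp_entity_id=SP_ENTITY_ID,
                      attribute_map=ATTRIBUTE_MAP):
    # Returns (True, local_attributes) if the assertion is acceptable, else (False, reason).
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_idp:                      # only the IdP in the CoT may assert identities
        return False, "issuer not in circle of trust: %s" % issuer
    cond = root.find("saml:Conditions", NS)
    if not parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    if sp_entity_id not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        return False, "assertion not addressed to this SP"
    local = {}
    for attr in root.findall(".//saml:Attribute", NS):
        name = attribute_map.get(attr.get("Name"))  # unmapped attributes (e.g. mail) are dropped
        if name:
            local[name] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return True, local

if __name__ == "__main__":
    print(process_assertion(SAMPLE_ASSERTION, parse_instant("2016-03-13T15:21:49Z")))
```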

Fedlet SP / Assertion Content

[Screenshot: Fedlet SP Assertion Content tab]

Fedlet SP / Assertion Processing

[Screenshot: Fedlet SP Assertion Processing tab]

Fedlet SP / Services

[Screenshot: Fedlet SP Services tab]

Fedlet SP / Advanced

[Screenshot: Fedlet SP Advanced tab]

IdP – Federation Tab

[Screenshot: IdP Federation tab]

IdP – Circle of Trust

[Screenshot: IdP Circle of Trust]

Thanks for reading.

About Chenda Mok

19 years of hands-on experience in software design and development, with emphasis on Enterprise Application Integration (EAI), Service Oriented Architecture (SOA) and Identity Management (IDM) solutions. I'm a software engineer and a member of the professional services delivery team working for Salesforce. Prior to this, I worked for Oracle as a Solution Architect, through SeeBeyond (06/2005), then SUN's acquisition (04/2009). After my master's degree in computer science in 1997, I have always delivered consulting on architecture, design and implementation in the integration field. I'm interested in architecture using EAI/SOA/IDM/BPM/Cloud technologies, software development and Java-related technologies. I may blog about my work/activities at Salesforce, but I do not speak for my employer, past, present or future.
This entry was posted in Salesforce.