Hands On Labs : Configuring OpenAM/Salesforce as IDP and/or SP


I had the opportunity to integrate OpenAM (/OpenSSO) with Salesforce. In order to do some SAML federation with Salesforce Identity, I would like to have my own hands-on labs to work with. Working in a cloud with Salesforce, we can have a demo org in a few clicks. Things are different when you have to install/configure a new software. Fortunately, in my past life with Sun Microsystems, I have installed and configured the OpenSSO Security Token Service module for a large customer in energy.


OpenAM and Salesforce both support federated authentication and can act as IdP and/or SP. The credentials (username & password) are validated on the IdP, and the SP receives a SAML assertion in an HTTP POST request.
The SAML assertion is a digitally signed XML document that:

  • carries a valid signature from a trusted identity provider
  • has a limited validity period (token lifetime)
  • contains a unique federation identifier.

If everything goes well, the user is granted access to the application (SP).
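As an added example (not code from the original post, nor from OpenAM or Salesforce), here is a minimal SP-side check of the three assertion properties listed above, run against a constructed assertion. The IdP entity ID, the NameID value and the `signature_ok` callable are assumptions; XML-DSig verification itself is left to whatever library that callable wraps.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entity ID of the IdP this SP trusts (hypothetical value, normally taken from IdP metadata)
TRUSTED_ISSUERS = {"https://openam.example.com/openam"}
# Replay cache of assertion IDs already consumed; a real SP keeps this in shared storage
SEEN_IDS = set()

# Constructed sample assertion (not a real OpenAM response); the Signature element is omitted
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1b2c3" Version="2.0" IssueInstant="2016-03-13T09:50:04Z">
  <saml:Issuer>https://openam.example.com/openam</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-03-13T09:50:04Z" NotOnOrAfter="2016-03-13T09:55:04Z"/>
</saml:Assertion>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, signature_ok):
    """Return (True, NameID) if the assertion passes every check, else (False, reason).
    signature_ok is a caller-supplied callable (assumption) wrapping an XML-DSig library."""
    # Verify the signature first: nothing parsed from the document is trusted before that
    if not signature_ok(xml_text):
        return False, "invalid signature"
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity period"
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return False, "outside validity window"
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in SEEN_IDS:
        return False, "missing or replayed assertion ID"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing federation identifier (NameID)"
    SEEN_IDS.add(assertion_id)  # consume the ID so the same assertion cannot be posted twice
    return True, name_id

if __name__ == "__main__":
    now = parse_time("2016-03-13T09:52:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, now, lambda _: True))  # (True, 'jdoe@example.com')
    print(validate_assertion(SAMPLE_ASSERTION, now, lambda _: True))  # rejected as a replay
```

A production SP additionally checks the AudienceRestriction and the SubjectConfirmationData Recipient, which this sample leaves out.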

There are two important use cases for SAML federation:

  • Identity Provider Initiated Login: the user opens the login page of their identity provider, enters his/her credentials, and is then redirected to a landing/home page at the service provider.

    [Figure: IdP initiated SSO]
  • Service Provider Initiated Login: the user starts by clicking a link to the service provider (e.g. a bookmark, mailed link, …), is temporarily redirected to the identity provider login page for authentication, then returned to the link they initially requested (also known as the deep linking scenario).

    [Figure: SP initiated SSO]

The most widely used is the Service Provider Initiated Login, and I will concentrate on this use case.

Required Steps

I have already described how to expose your OpenAM instance on the internet. This is a prerequisite before doing any configuration in OpenAM.
Below are the posts I have configured and tested:

I will complete these scenarios based on tests I have successfully run in my labs.

Thanks for reading.