SAML2 as ForgeRock OpenAM 13 Authentication Module Instance

Well, you’ve possibly heard about the release of a newer version of the ForgeRock Identity Platform with several enhanced capabilities. If not, you can read about it all here. One of the new features in the Access Management component of the ForgeRock Identity Platform is the SAML2 Authentication Module. What it offers is this: after configuring Federation, we can supply all the required details, such as the IDP entity and the binding method, in an Authentication Module instance of the ForgeRock Access Management solution and then use it just like any other Authentication Module (LDAP, Database, HOTP etc.). Let’s see how that’s done in the video demonstration that follows this write-up. And, by the way, if you’d like a quick idea of what’s new in the newer version of the ForgeRock Access Management solution, read the release notes here.

We’ve already discussed OpenAM Federation on this space before. Here’s a list of links from the past:

ForgeRock OpenAM Federation Using SAML v2
Using SAML Assertion Attributes in ForgeRock OpenAM

While the following video walks through the OpenAM Federation configuration from scratch, if you feel there are details missing in it, please feel free to have a look at the web logs mentioned above. The main focus of the screencast below is solely to see how SAML2 is used as an Authentication Module instance in version 13 of ForgeRock OpenAM.

The following illustration might give a quick idea on what’s demonstrated in the video embedded below this post.

[Illustration: OpenAM Federation]
Now on to the screen-cast. Enjoy!

This blog post was first published @ www.fedji.com, included here with permission.

3 Comments


  1. akradhak 3 years ago

    Hi,
    This tutorial is very useful. What if the user is already configured in the SP and is missing some of the attributes defined in the IDP? Will OpenAM take care of updating the missing attributes in the existing user profile in the SP? Please clarify.

    And also, we are trying to configure a feature where we want to only update “user profile attributes” in the SP to match with the IDP and want to mask dynamic user creation. How would I do that? Please clarify. Thanks.

  2. Javed Shah 3 years ago

    Regarding the first question: that depends on your attribute mapping. If you ask for attributes to be sent over then yes, the AttributeStatements will be sent over to the SP. You do need to map them over correctly on the SP.

    Not sure I understand what ‘mask dynamic user creation’ is referring to, but you can JIT provision a user also.

  3. gpower 3 years ago

    Hi,
    I tried to set up an Auth Chain to include the SAML2 Auth Module and OTP as a second factor. The SAML2 Auth Module always redirects to the ACS showing the “Single Sign-on succeeded” message. What needs to be done to forward to the OTP module upon the completion of the SAML2 SSO?
