Help with SAMLv2 OpenAM tutorial

This topic has 9 replies, 4 voices, and was last updated 6 years, 3 months ago by Aker666.

  • #10288
     Aker666
    Participant

    Hi, I’m trying to complete a tutorial to use SAML and Federation in OpenAM. I’m following this video tutorial. To do the tutorial:

    1 – I’ve created 2 instances of OpenAM:
    * IDP: http://openam.idp.com:8090/openamIDP/
    * SP: http://openam.sp.com:8095/openamSP/

    In both I’ve created a user with these details:
    – ID: test
    – Username: test
    – Email address: [email protected]

    2 – I’ve created an IDP on openamIDP:
    * Metadata:
    – Name: http://openam.idp.com:8090/openamIDP
    – Sign key: test
    * Circle of Trust: CoT
    * Attribute mapping: mail = mail

    3 – I’ve created a SP on openamSP:
    * Metadata:
    – Name: http://openam.sp.com:8095/openamSP
    * Circle of Trust: CoT
    * Attribute mapping: Use default provided by IDP

    4 – I’ve created a remote IDP on openamSP:
    * URL to metadata: http://openam.idp.com:8090/openamIDP/saml2/jsp/exportmetadata.jsp

    5 – I’ve created a remote SP on openamIDP:
    * URL to metadata: http://openam.sp.com:8095/openamSP/saml2/jsp/exportmetadata.jsp
    * Circle of Trust: CoT
    * Attribute mapping: mail = mail

    Now I’m going to test the SSO. When I try to log in at http://openam.sp.com:8095/openamSP/ with the “test” user, I get to his User Profile page… and not what it’s supposed to be. What am I doing wrong, or where did I make a mistake?

    Regards and thanks.

    #10299
     Mike Woodburne
    Participant

    Hey Aker666

    Navigating directly to the SP’s login URL won’t kick off SP initiated federation, all it will do is initiate a regular login to the OpenAM SP with whatever authentication module you have configured as the default. You want to trigger the SP initiated SSO by going to the spSSOInit.jsp page and passing the appropriate query parameters (idpEntityId and metaAlias minimally). Doing this will redirect you to the IDP where you can login and be redirected back to the SP with the appropriate SAML assertion.

    I’d suggest taking a look at the OpenAM documentation on SAML 2.0 for more details:
    https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide#using-saml2-sso-slo (OpenAM 12)
    https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#using-saml2-sso-slo (OpenAM 13)

    If you have more specific questions around the process of initiating SSO, reply back to this thread and we’d be happy to help you out.

    #10302
     Bhargava.bada
    Participant

    Hey Aker666,

    Navigating directly to the SP’s login URL won’t kick off SP initiated federation.
    Use the URL below to verify your federation.

    http://openam.sp.com:8095/openamSP/saml2/jsp/spSSOInit.jsp?idpEntityID=http%3A%2F%2Fopenam.idp.com%3A8090%2FopenamIDP&metaAlias=/<if you have any realm or use /sp>/sp&binding=HTTP-POST.

    You can pass realyState=<Application-Url where you want to redirect after federation>

    You can follow the blogs below for more info:

    http://blogs.forgerock.org/aggregator/category/circle-of-trust/

    http://fczaja.blogspot.in/2012/06/idp-initiated-sso-and-identity_22.html

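    The spSSOInit.jsp URL from the reply above, built and checked in code. This is an added example, not from the thread or from OpenAM itself; it builds the SP-initiated SSO URL with the parameter names the thread uses (idpEntityID, metaAlias, binding, RelayState) and flags the wrong-case or misspelt RelayState that the rest of the thread turns on. Host names, ports and the metaAlias value are the ones from the thread and are assumed to be correct for your deployment.

```python
import difflib
from urllib.parse import quote, urlsplit, parse_qs

# Parameter names spSSOInit.jsp is given in the thread; OpenAM matches them case-sensitively.
EXPECTED = ("idpEntityID", "metaAlias", "binding", "RelayState")
REQUIRED = ("idpEntityID", "metaAlias")


def build_sp_sso_init_url(sp_base, idp_entity_id, meta_alias="/sp",
                          binding="HTTP-POST", relay_state=None):
    """Build the SP-initiated SSO URL for an OpenAM SP deployment.

    sp_base is the SP deployment URI (e.g. http://openam.sp.com:8095/openamSP, from the thread).
    The entity ID and RelayState are percent-encoded with no safe characters,
    which yields the http%3A%2F%2F... form shown in the thread.
    """
    parts = [f"idpEntityID={quote(idp_entity_id, safe='')}",
             f"metaAlias={meta_alias}",
             f"binding={binding}"]
    if relay_state:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    return sp_base.rstrip("/") + "/saml2/jsp/spSSOInit.jsp?" + "&".join(parts)


def check_sp_sso_init_url(url):
    """Return a list of problems found in an spSSOInit.jsp URL (empty if it looks right)."""
    problems = []
    split = urlsplit(url)
    if not split.path.endswith("/saml2/jsp/spSSOInit.jsp"):
        problems.append("path does not end in /saml2/jsp/spSSOInit.jsp")
    params = parse_qs(split.query, keep_blank_values=True)
    for name in REQUIRED:
        if name not in params:
            problems.append(f"missing required parameter {name}")
    lowered = {e.lower(): e for e in EXPECTED}
    for name in params:
        if name in EXPECTED:
            continue
        # Wrong case (relayState) or a near-miss spelling (realyState) is not matched by
        # OpenAM, so the post-SSO redirect never happens (the symptom in the thread).
        close = difflib.get_close_matches(name.lower(), list(lowered), n=1, cutoff=0.75)
        if close:
            problems.append(f"parameter {name!r} is not recognised; did you mean {lowered[close[0]]!r}?")
        else:
            problems.append(f"unexpected parameter {name!r}")
    relay = params.get("RelayState", [""])[0]
    if relay and not (urlsplit(relay).scheme and urlsplit(relay).netloc):
        problems.append("RelayState is not an absolute URL")
    return problems
```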
    #10314
     Aker666
    Participant

    Hi, thanks for your answers and help. I’ve seen the video and I have configured everything like that, but I’m getting a different result.

    When I put in the URL:

    http://openam.sp.com:8095/openamSP/saml2/jsp/spSSOInit.jsp?idpEntityID=http%3A%2F%2Fopenam.idp.com%3A8090%2FopenamIDP&metaAlias=/sp&binding=HTTP-POST&realyState=http%3A%2F%2Ftfm.web.com:8000

    realyState=http%3A%2F%2Ftfm.web.com:8000 is my web app in Django that I want to protect.

    After login I get this URL: http://openam.sp.com:8095/openamSP/Consumer/metaAlias/sp and the message “Single Logout performed satisfactorily.”, and it does not redirect to my web app.

    But in the URL I have spSSOInit.jsp and not spSingleLogoutInit.jsp. And if I put spSingleLogoutInit.jsp in the URL, I get the message “SP has successfully initiated single logout.”, so I don’t understand :/

    Where is my mistake?

    #10321
     Chris Lee
    Participant

    Hi Aker666,
    I think there is a typo, try changing “realyState” to “relayState”.
    Does that help?
    Regards,
    Chris

    #10323
     Aker666
    Participant

    Hi Chris, I have fixed the typo but still get the same message and URL :/

    Regards.

    #10352
     Aker666
    Participant

    I have tried the tutorial again.

    The URL that I enter in the web browser is:

    http://openam.sp.com:8095/openamSP/saml2/jsp/spSSOInit.jsp?idpEntityID=http%3A%2F%2Fopenam.idp.com%3A8090%2FopenamIDP&metaAlias=/sp&binding=HTTP-POST&realyState=http%3A%2F%2Ftfm.web.com%3A8000

    And I don’t understand why I’m redirected to:

    http://openam.sp.com:8095/openamSP/Consumer/metaAlias/sp and not to http://openam.sp.com:8095/openamSP/Consumer/metaAlias/sp?resID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, and I suppose that after going to this URL I will be redirected to my website.

    What am I doing wrong that makes OpenAM not redirect me correctly? I want to know how to solve this problem because I’m stuck on my work.

    Regards.

    #10354
     Aker666
    Participant

    Sorry, I wrote &realyState here again by mistake, but in the URL that I put in the web browser it’s &relayState.

    #10370
     Bhargava.bada
    Participant

    Hi Aker,

    Can you try RelayState instead of relayState?
    As per the document, the parameter name is RelayState.

    Thanks
    Bhargava

    #10403
     Aker666
    Participant

    Hi Bhargava, it was a typing error in capitalization. I changed it to &RelayState and now it works.

    Thanks to all for your answers and links.

    Regards!
