IDP initiated SSO help required


This topic has 0 replies, 1 voice, and was last updated 4 years, 8 months ago by MohiniM.

  • #20657 MohiniM (Participant)

    I’m trying to set up OpenAM for use in an IDP initiated flow.
    A 3rd party IDP will send a SAML Assertion which needs to be validated.
    After verifying the assertion, I need to retrieve additional information about the caller and target application and finally call an internal service to generate a session for the user in the target application.
    I need to redirect the user to a custom URL based on values received in the request.
    To begin with, I tried the following setup in OpenAM with no success:
    • Registering a remote IDP (metadata file below)
    • Hosted SP
    After that, I have tried to call http://localhost:9000/openam/idpssoinit?metaAlias=null&spEntityID=/sp, along with a SAML assertion in the request body. (The other thing that I have noticed is that in case of a remote IDP Provider the metaAlias field in OpenAM is blank. Is this how it’s supposed to be, or is there a screen where we can add the details?)

    I receive the following error message “HTTP Status 400 – Error processing AuthnRequest. Error retrieving metadata”.

    Looking into the source code, it seems that only hosted IDPs can be used in IDP initiated SSO.

    I’m not entirely sure I have OpenAM set up correctly to fulfill my requirements. Could someone please suggest how I should proceed?

    IDP metadata file
    ————————

    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="idp">
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
    <ds:X509Certificate>
    PUBLIC_KEY
    </ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8090/SAMLWeb/openam/SSOPOST/metaAlias/idp"/>
    </IDPSSODescriptor>
    </EntityDescriptor>

    • This topic was modified 4 years, 8 months ago by Peter Major.
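As an added example (not part of the post above, and not OpenAM code), the following Python script parses IdP metadata of the shape posted above and reports what a reviewer would check before registering the remote IdP: the entityID, whether a real signing certificate is present (needed to validate the assertion signature), and whether the SingleSignOnService endpoint uses a supported binding and HTTPS. The embedded metadata is a constructed copy of the poster's file with the PUBLIC_KEY placeholder kept.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed copy of the posted IdP metadata; PUBLIC_KEY is the poster's placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="idp">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>PUBLIC_KEY</ds:X509Certificate></ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8090/SAMLWeb/openam/SSOPOST/metaAlias/idp"/>
</IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> dict:
    """Parse SAML 2.0 IdP metadata and return entityID, signing certs,
    SSO endpoints and a list of warnings about things that would stop
    assertion validation or weaken it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata describes no IdP role")
    # A KeyDescriptor without 'use' covers both signing and encryption.
    certs = [(c.text or "").strip()
             for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor")
             if kd.get("use") in (None, "signing")
             for c in kd.iter(f"{{{DS_NS}}}X509Certificate")]
    endpoints = [(s.get("Binding"), s.get("Location"))
                 for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")]
    warnings = []
    if not certs:
        warnings.append("no signing certificate: assertion signatures cannot be verified")
    if any(c == "PUBLIC_KEY" or len(c) < 100 for c in certs):
        warnings.append("signing certificate is a placeholder, not base64 DER")
    if not any(b in (HTTP_POST, HTTP_REDIRECT) for b, _ in endpoints):
        warnings.append("no HTTP-POST/HTTP-Redirect SingleSignOnService endpoint")
    for _, loc in endpoints:
        if loc and not loc.startswith("https://"):
            warnings.append(f"SSO endpoint not https: {loc}")
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso_endpoints": endpoints, "warnings": warnings}
```

Run against the sample, it flags the placeholder certificate and the plain-http localhost endpoint, which is the kind of metadata problem that surfaces as a metadata error when the SP side tries to use it.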