WSO2IS integration with OpenAM using SAML2 federated authentication

Dewni Weeraman
Jul 25, 2017 · 3 min read

This article focuses on registering OpenAM (version: 14.1.0) as an Identity Provider in WSO2 Identity Server (version: 5.3.0).

First let’s set up OpenAM
1. Download OpenAM from here.
2. Deploy the AM-eval-5.1.0.war file on a compatible Tomcat version.
3. Open http://localhost:8080/AM-eval-5.1.0 to check that the deployment was successful.

For more information on setting up OpenAM, refer to https://backstage.forgerock.com/docs/am/5.1/quick-start-guide/chap-quick-firststeps

Login page for OpenAM

Log into OpenAM using the following credentials:
username: amadmin
password: changeit

Next, let's create a SAMLv2 service provider in the top-level realm.

Create a hosted identity provider.

Configure the Identity Provider by giving the Name, Signing key and Circle of Trust.

In the next window select "Register a Remote Service Provider".

Upload the following metadata file:

<EntityDescriptor entityID="https://localhost:9443/commonauth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/commonauth/fedletSloRedirect"
        ResponseLocation="https://localhost:9443/commonauth/fedletSloRedirect"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/commonauth/fedletSloPOST"
        ResponseLocation="https://localhost:9443/commonauth/fedletSloPOST"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://localhost:9443/commonauth/fedletSloSoap"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/commonauth"/>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://localhost:9443/commonauth"/>
  </SPSSODescriptor>
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
      xsi:type="query:AttributeQueryDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></RoleDescriptor>
  <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  </XACMLAuthzDecisionQueryDescriptor>
</EntityDescriptor>

Select SAML under the Applications tab.

Navigate to the Federation tab and click the https://localhost:9443/commonauth link under Entity Providers.

Enable Assertion signing and POST response signing, and set the Name ID format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

In the Assertion Processing tab, set the claims that are required by the SP.
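Before uploading SP metadata to an IdP it is worth checking what the SP actually advertises, because the IdP-side signing settings above only help if the SP demands signatures. The script below is an added example (not from the article, WSO2 or OpenAM) that parses the WSO2 IS SP metadata shown above, embedded inline so it runs offline, and reports the security-relevant settings: whether the SP requires signed assertions and signs its requests, whether every endpoint is HTTPS, that exactly one default AssertionConsumerService exists, and whether the NameID format chosen on the IdP side is one the SP advertises. The finding texts and the `lint_sp_metadata` / `parse_sp_metadata` names are my own.

```python
"""Lint a SAML2 SP metadata document for the settings an IdP operator should check.

Added example; not part of the original article or of WSO2/OpenAM code.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Copy of the WSO2 IS SP metadata from the article, embedded here so the script is self-contained.
SP_METADATA = """<EntityDescriptor entityID="https://localhost:9443/commonauth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/commonauth/fedletSloRedirect"
        ResponseLocation="https://localhost:9443/commonauth/fedletSloRedirect"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/commonauth/fedletSloPOST"
        ResponseLocation="https://localhost:9443/commonauth/fedletSloPOST"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://localhost:9443/commonauth/fedletSloSoap"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/commonauth"/>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://localhost:9443/commonauth"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def _flag(value):
    """SAML metadata booleans are the XML Schema literals 'true'/'false'; absent means false."""
    return value is not None and value.strip().lower() == "true"


def parse_sp_metadata(xml_text):
    """Extract entityID, signing flags, NameID formats and endpoints from an SPSSODescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document is not a SAML2 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor found")
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": _flag(sp.get("AuthnRequestsSigned")),
        "want_assertions_signed": _flag(sp.get("WantAssertionsSigned")),
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "acs": [(e.get("index"), e.get("Binding"), e.get("Location"), _flag(e.get("isDefault")))
                for e in sp.findall("md:AssertionConsumerService", NS)],
        "slo": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:SingleLogoutService", NS)],
    }


def lint_sp_metadata(info, idp_nameid_format=None):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    findings = []
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned=false: the SP does not require signed assertions, "
                        "so IdP-side assertion signing is not enforced by the SP")
    if not info["authn_requests_signed"]:
        findings.append("AuthnRequestsSigned=false: the IdP will accept unsigned AuthnRequests "
                        "for this SP")
    for index, _binding, location, _default in info["acs"]:
        if urlparse(location).scheme != "https":
            findings.append(f"AssertionConsumerService index {index} is not https: {location}")
    for _binding, location in info["slo"]:
        if urlparse(location).scheme != "https":
            findings.append(f"SingleLogoutService is not https: {location}")
    defaults = [a for a in info["acs"] if a[3]]
    if len(defaults) != 1:
        findings.append(f"expected exactly one default AssertionConsumerService, found {len(defaults)}")
    # The IdP-side NameID format should be one the SP says it supports.
    if idp_nameid_format and info["nameid_formats"] and idp_nameid_format not in info["nameid_formats"]:
        findings.append(f"IdP NameID format {idp_nameid_format} is not among the formats "
                        f"the SP advertises: {info['nameid_formats']}")
    return findings


if __name__ == "__main__":
    meta = parse_sp_metadata(SP_METADATA)
    # The article sets this format on the OpenAM side.
    for line in lint_sp_metadata(meta, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"):
        print("-", line)
```

Run against the article's metadata it flags both signing attributes being false and the NameID format mismatch (the SP advertises transient, the IdP is set to unspecified); the endpoints are all HTTPS and there is one default ACS, so those checks stay quiet. The certificate export for the next section is a separate `keytool -exportcert -rfc` step that this script does not wrap.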

WSO2 Identity Server configuration

Create a new Identity Provider.
Give any preferred name as the Identity Provider Name.
Upload the Identity Provider public certificate. The OpenAM keystore is at /home/AM-eval-5.1.0/AM-eval-5.1.0/keystore.jks; the certificate needs to be exported from it and converted to PEM format before uploading.
Under Federated Authenticators select SAML2 Web SSO Configuration.

In WSO2 Identity Server I have configured travelocity.com as a Service Provider.
For more details, refer to https://docs.wso2.com/display/IS530/Configuring+Single+Sign-On

Now try to log into the travelocity application. You will be redirected to the OpenAM login page, and after providing your OpenAM credentials you are granted access to the travelocity application.

Written by Dewni Weeraman
Software Engineer at WSO2 | Graduate of University of Westminster
