Thursday, October 31, 2013

Install and configure OpenAM for Spring SAML (on Windows)


  • Assign a FQDN to 127.0.0.1 in the hosts file (like localhost.domain.home)
  • Install Tomcat as a service (7 at the moment this post was written)
  • Change the default HTTP port from 8080 to whatever value is required to avoid conflicts (in ...\Tomcat 7.0\conf\server.xml)
  • Restart the service
  • Download OpenAM distribution (I have used OpenAM-12.0.0-SNAPSHOT_nightly_20131021 since the stable 10 version had a known issue with signing SAML assertions due to a problem in JDK 7_u25)
  • Extract distribution content, rename OpenAM-12.0.0-SNAPSHOT.war to openam.war
  • Copy openam.war to ...Tomcat 7.0\webapps
  • Browse to http://<server>:<port>/openam
  • Run the custom configuration (the default has a problem with generating the default domain for cookies)
    • Use .domain.home as cookie domain (notice the leading dot)
    • Use the embedded LDAP (OpenDJ)
  • When the configuration is finished, log in with amadmin/<password>
  • Choose "Create a hosted Identity Provider"
    • Choose the test signing key (or another if previously installed) if your SP requires signed/encrypted assertions
    • Choose a name for the circle of trust
    • Press Configure
  • Add a SP in the same circle of trust:
    • Choose "Create a remote Service Provider"
    • Use the option to upload the metadata from a file (or specify a URL)
    • Press Configure
  • Configure attributes to be retrieved from data store
    • Go to Access Control->Top Level Realm->Data Stores->Embedded
    • Use New Value/Add to add the required (missing) attributes to be retrieved from the data store (like isMemberOf)
      • the attribute list is generic and not specific to the actual data store
      • use an LDAP browser to see the actual attributes
  • Configure the mapping between the required assertion attributes (to be sent in the SAML Response) and the data store attributes:
    • Go to Federation->target IdP->Assertion Processing
    • In Attribute Mapper->Attribute map section use New Value->Add to add mappings (like isMemberOf=isMemberOf)
    • Save
  • Restart OpenAM or Tomcat; without a restart the previously configured attribute mapping will not take place
Adding users:
  • Access Control->Top Level Realm
    • Group: add new groups
    • User: add/configure users
      • Be sure to fill in the field that the SP has configured as the potential Name ID (like email); otherwise an exception will be thrown (and recorded in the OpenAM log) and an error will be sent back as a SAML Response

On unexpected behavior check the logs in the OpenAM configuration folder (default c:\openam):
  • C:\openam\openam\debug
  • C:\openam\openam\log
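As an added check (not part of the original post), the Python snippet below decodes a SAMLResponse value captured from the browser POST to the SP and reports the things the steps above depend on: whether the status is Success, which Name ID was issued, and whether the mapped attributes (such as isMemberOf) actually arrived after the restart. The embedded response, its port, user, group DN and SP URL are constructed sample values, and the code inspects structure only, without verifying the signature.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces and the success status URI.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed, unsigned sample of what OpenAM posts in the SP's SAMLResponse
# field; the port, user, group DN and SP URL are made-up values.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2013-10-31T10:00:00Z" Destination="https://sp.domain.home/saml/SSO">
  <saml:Issuer>http://localhost.domain.home:8081/openam</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-10-31T10:00:00Z">
    <saml:Issuer>http://localhost.domain.home:8081/openam</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@domain.home</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="isMemberOf">
        <saml:AttributeValue>cn=admins,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text):
    """Base64-encode XML the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


SAMPLE_SAMLRESPONSE_FIELD = encode_response(SAMPLE_RESPONSE_XML)


def inspect_saml_response(b64_field, required_attrs=("isMemberOf",)):
    """Decode a SAMLResponse form value; returns status (True if Success), name_id
    (None if the Subject carries none), attributes (Name -> values) and missing
    (required attributes not issued). Structure only: no signature check."""
    root = ET.fromstring(base64.b64decode(b64_field))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"status": code is not None and code.get("Value") == SUCCESS,
            "name_id": name_id.text if name_id is not None else None,
            "attributes": attributes,
            "missing": [a for a in required_attrs if a not in attributes]}
```

An empty `missing` list together with a non-empty `name_id` means the data store attribute and the Assertion Processing mapping are both in effect; a `status` of False points at the OpenAM debug log for the underlying exception.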