- Assign a FQDN to 127.0.0.1 in the hosts file (like localhost.domain.home)
- Install Tomcat as a service (7 at the moment this post was written)
- Change the default HTTP port from 8080 to whatever value is required to avoid conflicts (in ...\Tomcat 7.0\conf\server.xml)
- Restart the service
- Download the OpenAM distribution (I have used OpenAM-12.0.0-SNAPSHOT_nightly_20131021, since the stable version 10 had a known issue with signing SAML assertions due to a problem in JDK 7_u25)
- Extract the distribution content, rename OpenAM-12.0.0-SNAPSHOT.war to openam.war
- Copy openam.war to ...\Tomcat 7.0\webapps
- Browse to http://<server>:<port>/openam
- Run the custom configuration (the default configuration has a problem generating the default cookie domain)
- Use .domain.home as the cookie domain (notice the leading dot)
- Use the embedded LDAP (OpenDJ)
- When the configuration is finished, log in with amadmin/<password>
- Choose "Create a hosted Identity Provider"
- Choose the test signing key (or another one if previously installed) if your SP requires signed/encrypted assertions
- Choose a name for the circle of trust
- Press Configure
- Add an SP in the same circle of trust:
- Choose "Create a remote Service Provider"
- Use the option to upload the metadata from a file (or specify a URL)
- Press Configure
- Configure attributes to be retrieved from data store
- Go to Access Control->Top Level Realm->Data Stores->Embedded
- Use New Value/Add to add the required (missing) attributes to be retrieved from the data store (like isMemberOf);
- the attribute list is generic and not specific to the actual data store
- use an LDAP browser to see the actual attributes
- Configure the mapping between required assertion attributes (to be sent in SAML Response) and data store attributes:
- Go to Federation->target IdP->Assertion Processing
- In Attribute Mapper->Attribute map section use New Value->Add to add mappings (like isMemberOf=isMemberOf)
- Save
- Restart OpenAM or Tomcat; without restarting, the previously configured attribute mapping will not take effect
Adding users:
- Access Control->Top Level Realm
- Group: add new groups
- User: add/configure users
- Be sure to fill in the field that the SP has configured as a potential Name ID (like email); otherwise an exception will be thrown (and recorded in the OpenAM log) and an error will be sent back as the SAML Response
- C:\openam\openam\debug
- C:\openam\openam\log
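To check that the attribute mapping and Name ID steps above actually took effect, it helps to decode the SAML Response the SP receives and inspect it. The script below is an added example, not part of the original notes or of OpenAM: it parses a constructed Response (issuer, user, group DNs and signature are placeholders), reports the status, whether the assertion carries a Signature element, the NameID, and the attributes that arrived, and flags the error Response you get when OpenAM cannot build the assertion.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of a decoded SAML Response in the shape an OpenAM IdP emits;
# all values (issuer, user, group DNs, signature) are placeholders, not a real capture.
OK_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-10-21T10:00:00Z">
    <saml:Issuer>http://localhost.domain.home:8180/openam</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@domain.home</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="isMemberOf">
        <saml:AttributeValue>cn=admins,ou=groups,dc=domain,dc=home</saml:AttributeValue>
        <saml:AttributeValue>cn=staff,ou=groups,dc=domain,dc=home</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed error Response: what the SP receives when the IdP cannot build the assertion.
ERR_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status></samlp:Response>"""

def inspect_response(xml_text, required_attrs=("isMemberOf",)):
    """Report what the SP will see: status, signature presence, NameID and mapped attributes."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    report = {"success": code is not None and code.get("Value", "").endswith(":Success"),
              "signed": False, "name_id": None, "attributes": {}, "problems": []}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        report["problems"].append("no Assertion: IdP returned an error Response, check the OpenAM debug log")
        return report
    # Structural check only: a Signature element under the Assertion, no cryptographic verification
    report["signed"] = assertion.find("ds:Signature", NS) is not None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    report["name_id"] = (name_id.text or "").strip() if name_id is not None else None
    if not report["name_id"]:
        report["problems"].append("empty NameID: the user lacks the attribute the SP uses as Name ID")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        report["attributes"][attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for name in required_attrs:
        if name not in report["attributes"]:
            report["problems"].append(f"attribute {name} missing: check the Attribute Mapper and restart")
    return report
```

Feed it the base64-decoded SAMLResponse parameter captured at the SP; an empty problems list means the IdP side is producing what the SP expects.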