Thursday, November 25, 2010

Steps for configuring OpenAM as IdP (Identity Provider) and Shibboleth as SP (Service Provider)

Following are detailed steps for configuring OpenAM as IdP (Identity Provider) and Shibboleth as SP (Service Provider)

Versions used for configuration:
OpenAM (Identity Provider) – 9.0
Shibboleth (Service Provider) – 2.3.1
OS Version – Ubuntu 9.04
Apache version – 2.2.6

(1) Configure OpenAM with necessary Directory Service configuration on host1.
(2) Configure Shibboleth SP version with some basic configuration on host2.
(3) Generate and save Shibboleth SP metadata using URL – http://host2/Shibboleth.sso/Metadata
(4) Edit the Shibboleth SP metadata and remove all XML digital signature and the nodes.
(5) Copy the generated SP metadata on the IdP server.
(6) Go to “Common Tasks” section and configure “Create Hosted Identity Provider”. If you want to use it in production, make sure to have your credentials in the keystore, for proof-of-concept scenarios the keystore contains one test key.
(7) Add a new “Circle of Trust” name within “Hosted Identity Provider” and save necessary settings.
(8) Grab the newly created OpenSSO IdP metadata XML (you can use either ssoadm.jsp export entity command or access directly /opensso/saml2/jsp/exportmetadata.jsp?entityid=)
(9) Put the metadata in a location which is accessible through a web URL.
(10) Login to the OpenAM UI and go to the Common Tasks section.
(11) Click on “Add Remote Service Provider” link.
(12) Select the file option and upload the Shibboleth Service Provider metadata file.
(13) Select common attributes and finish the setup.
(14) Now edit shibboleth2.xml file on the Shibboleth SP server and do following configurations:
1. In the section, add the site information.
2. Under section, add a block with proper site configuration.
3. In the section, select type=“Chaining” and add entityID of the OpenAM, as that configured in OpenAM metadata.
4. In the section, add line like:

This configuration would be read when shib daemon is restarted.
(15) In the apache config file, include Shibboleth's apache configuration file available in directory /etc/shibboleth/
(16) Restart apache configuration.
(17) Restart shibboleth daemon.
(18) Check the shibboleth log-files to ensure that shibboleth daemon was able to load IdP metadata without any issues.

(a) Test accessing a secure URL from Shibboleth SP server.
(b) Verify that client is redirected to SSO login URL of the IdP.
(c) Enter valid user authentication credentials and verify that client is redirected back to the Service Provider URL.


  1. Very nice explanation on configuration with stepwise.

    Compare Documents

  2. Replies
    1. Sorry .. have not worked on this for a while, so am not in a position to comment if it would work with latest version.