From Bright Pattern Documentation
< 5.3:Saml2-single-sign-on-integration-guide
Revision as of 04:10, 29 May 2024 by BpDeeplTranslateMaintenance (talk | contribs) (Updated via BpDeleteTranslateTags script)
Create IdP at ForgeRock Instance
Procedure
Step 1: Create a hosted identity provider
- Log in to your ForgeRock instance (i.e., “http://<FQDN>:8080/openam”).
- After successful login, go to Top Level Realms > Configure SAMLv2 Provider > Create Hosted Identity Provider.
- Set name to http://<FQDN>:8080/openam
- Set signing key to test.
- In the Circle of trust section, select Add to new.
- Provide a name for the Circle of trust (e.g., “COT1”)
- Click Configure.
- On the next screen, click Finish.
Step 2: Enable SAML 2.0
- In your ForgeRock instance, go to Top Level Realms > Application > SAML.
- On the Entity Providers section on the next screen, click New.
- Choose the SAMLv2 option.
- Edit the Entity Provider properties in the General section using value http://<BPSPHostname>/agentdesktop/sso/redirect
- Edit the Meta Alias properties using value http://<BPSPHostname>/agentdesktop/sso/redirect
- In the Service Provider section, in the "Signing certificate alias" field, type test.
- Save changes.
Step 3: Add the entity provider
- Go to Circle of Trust Configuration and choose the current Circle of Trust (i.e., “COT1”).
- Add the second created entity provider.
- Save changes.
Step 4: Set the name for sign-on
- Go to the Circle of Trust Configuration option and choose IDP Entity provider.
- In Certificate Aliases > Signing, add "test" value.
- Name ID format
- NameID Format List: remove all values except urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- NameID Value Map: remove all and add next value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=uid
- NameID Format List: remove all values except urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Step 4: Change your HTTP method
- Go to the Circle of Trust Configuration option and choose SP Entity provider.
- Go to the Services tab.
- Change to "POST" Single Logout Service and Manage NameID Service options.
- Change parameters in Assertion Consumer Service:
- Set default HTTP-POST.
- Change value to http://<BPSPhostname>/agentdesktop/sso/redirect
- Set default HTTP-POST.
- Change index to 0.
After you have created the identity provider in your ForgeRock instance, you are ready to Export Metadata.