AM SSO using SAML & configuring Active directory as IDP

Hello guys am trying to configure new SSO configuration with a password-based application using AM module but am still new and a bit lost would appreciate some guideness on how to properly configure it
I suppose that this this should be done from configuring new Identity gateway.

one more thing I’ve managed to configure the AM using saml protocol and ForgeRock is my IDP now I want to make my AD as the IDP and make the users authenticate from it, managed to add a new identity store and load the current schema in it and successfully retrieved users and groups but yet cannot authenticate the users and sso won’t enable them to login to the configure application using SAML protocol

Hi @MohamedSaad96,

First, a reminder that modules/chains are deprecated in latest AM releases. As a replacement, you should consider using the LDAP Decision node in an authentication tree.

I understand that you’ve configured AM as a SAML2 IDP, is that correct? And the SP is hosted at some other organisation? So I should assume that you’ve setup the SAML2 circle of trust between AM (IDP) and the SP, as mentioned here: SAML v2.0 :: AM 7.3.0? And you said that you’re initiating the SAML2 flow against AM - so via the JSP endpoint, standalone mode? IDP initiated? Note that IDP initiated flow is not recommended, the flow should start at the SP (so SP initiated SSO), which will then request the assertion from the IDP (here AM) as per the SAML flow.

And I do not understand AD in that picture: do you mean that you would like to use AD as the authentication means within the AM journey as the IDP?


Hello Patrick,
Thank you very much for your cooperation.

regarding the AD yes I want it to be the main source of authentication,
I have configured an authentication tree and trying to let an AD user access the AM it gives me login failure.
when I change the authentication settings in my created sub realm of the authentication tree that I’ve created and try to login with AD user it gives me authentication failed. Also,
I tried to change the configuration of the top level realm particularly organization authentication configuration I get two things :
1- amadmin user cannot open the AM console anymore
2- AD users still cannot access the AM but I get login failure message