SAML 2 : ForgeRock as Service Provider, authenticating with external IDP


I am trying to integrated ForgeRock AM as Service Provider against external IDP. Do we have sample configuration of ForgeRock as Service provider, Would need Assertion consumer URL, ForgeRock (SP) entity ID.




You can follow the instructions in the SAML2 docs: Configure IDPs, SPs, and CoTs :: AM 7.3.0

In a nutshell, you need to:

  1. Create a Hosted SP

  2. Obtain and import the metadata of the external IDP to create a remote IDP

  3. Create a circle of trust and add both entities to it

  4. Provide the metadata of your hosted AM SP to your external IDP

The assertion consumer URL is part of the metadata and can be accessed at (adapting the URL to your environment).


Hi Nathalie,

Thanks for the reply. When I try to import the metadata of the external IDP to create a remote IDP. It throws error, metadata is good. Attached metadata content




What version of AM have you got?
What error message do you see?
You might need to turn debug level to Message and check the Federation log to find out what the issue with the metadata is.


AM 7.2 - version of AM
Error - Unable to import SAML entity provider.

DEBUG: SAML2MetaSecurityUtils.verifySignature: verifying signature under EntityDescriptor
o.f.o.f.r.r.RemoteEntitiesCollectionProvider: 2023-04-17T05:21:00.217-04:00: Thread[https-jsse-nio-8443-exec-17]: TransactionId[4d3a35cd-44aa-4d0e-b50e-a63a226b5454-11573156]
ERROR: An error occurred while importing a remote entity provider
com.sun.identity.saml2.meta.SAML2MetaException: Certificate found in Signature or KeyDescriptor under element "EntityDescriptor" is not trusted.
[CONTINUED]	at com.sun.identity.saml2.meta.SAML2MetaSecurityUtils.verifySignature(
[CONTINUED]	at com.sun.identity.saml2.meta.SAML2MetaUtils.preProcessSAML2Document(
[CONTINUED]	at com.sun.identity.saml2.meta.SAML2MetaUtils.importSAML2Document(
[CONTINUED]	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[CONTINUED]	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(
[CONTINUED]	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(
[CONTINUED]	at java.base/java.lang.reflect.Method.invoke(

Please check the following FAQ question:
Q. Do I have to import a certificate into the keystore for XML signing or will AM use the certificate provided in the MetaData?. As stated in the article:

When you initially configure federation between AM and the entity provider, you need to import the entity provider’s metadata. The metadata itself can be signed. If it is signed, you must have a way to trust it and typically this means you need to import the certificate into the keystore. However, if you have obtained the metadata from a trusted source, you can remove the Signature block from the metadata and import it without needing to import the certificate.


Thanks for the reply.

We are planning to import the External IDP signing certs to keystore, highlighted below…

Would like to know where do I find ForgeRock Signing and certificates of Metadata in ForgeRock, to be imported to External IDP.

The public certificates of your hosted SP that the external IDP can use to verify signature or encrypt their response are displayed by AM in the metadata and published as per the URL mentioned above:

Note that AM provides default test certificates, which is fine for test purposes, but when developing a solution for production, you should use your own certs.

1 Like

Able to import External IDP metadata

Created keystore using /security-guide/am-keystore.html

Accessing Hosted Entity ID URL

ERROR : org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores

j.s.exportmetadata: 2023-04-20T07:15:14.481-04:00: Thread[https-jsse-nio-8443-exec-5]: TransactionId[595ec13e-03bf-4f51-9d7e-a64ff2f77ffc-7643]
ERROR: An error occurred while retrieving metadata org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores

[CONTINUED]Caused by: java.lang.NullPointerException: null

From the error message, it looks like AM is not able to display the metadata because it can not load some secret store. The relevant info around this in the docs is, for SAML specifically:

And for secrets and secret stores in general:

To produce the metadata for your hosted SP, AM looks for the following secrets (see ref 2 link):
am.default.applications.federation.entity.providers.saml2.sp.encryption and am.default.applications.federation.entity.providers.saml2.sp.signing.

The default values for these are respectively (as per the table in ref 2), test and rsajwtsigningkey. If you changed the default keystore, but not the corresponding mappings, AM is still looking for these aliases, but not finding them, which would cause the error you are seeing. Check ref 3 link for info on configuring the secret stores.