Hi,
I am trying to integrate ForgeRock AM as a Service Provider against an external IDP. Do we have a sample configuration of ForgeRock as Service Provider? I would need the Assertion Consumer URL and the ForgeRock (SP) entity ID.
Regards,
Mukund.R
Hello,
You can follow the instructions in the SAML2 docs: Configure IDPs, SPs, and CoTs :: AM 7.3.0
In a nutshell, you need to:
Create a Hosted SP
Obtain and import the metadata of the external IDP to create a remote IDP
Create a circle of trust and add both entities to it
Provide the metadata of your hosted AM SP to your external IDP
The assertion consumer URL is part of the metadata and can be accessed at https://openam.example.com:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=myHostedProvider&realm=/mySubRealm (adapting the URL to your environment).
Hi Nathalie,
Thanks for the reply. When I try to import the metadata of the external IDP to create a remote IDP, it throws an error; the metadata is good. Attached metadata content.
Regards,
Mukund.R
Hello,
What version of AM have you got?
What error message do you see?
You might need to turn debug level to Message and check the Federation log to find out what the issue with the metadata is.
Version of AM: AM 7.2
Error: Unable to import SAML entity provider.
DEBUG: SAML2MetaSecurityUtils.verifySignature: verifying signature under EntityDescriptor
o.f.o.f.r.r.RemoteEntitiesCollectionProvider: 2023-04-17T05:21:00.217-04:00: Thread[https-jsse-nio-8443-exec-17]: TransactionId[4d3a35cd-44aa-4d0e-b50e-a63a226b5454-11573156]
ERROR: An error occurred while importing a remote entity provider
com.sun.identity.saml2.meta.SAML2MetaException: Certificate found in Signature or KeyDescriptor under element "EntityDescriptor" is not trusted.
    at com.sun.identity.saml2.meta.SAML2MetaSecurityUtils.verifySignature(SAML2MetaSecurityUtils.java:345)
    at com.sun.identity.saml2.meta.SAML2MetaUtils.preProcessSAML2Document(SAML2MetaUtils.java:602)
    at com.sun.identity.saml2.meta.SAML2MetaUtils.importSAML2Document(SAML2MetaUtils.java:579)
    at org.forgerock.openam.federation.rest.remote.RemoteEntitiesCollectionProvider.importEntity(RemoteEntitiesCollectionProvider.java:127)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
Please check the following FAQ question:
Q. Do I have to import a certificate into the keystore for XML signing or will AM use the certificate provided in the MetaData? As stated in the article:
When you initially configure federation between AM and the entity provider, you need to import the entity provider’s metadata. The metadata itself can be signed. If it is signed, you must have a way to trust it and typically this means you need to import the certificate into the keystore. However, if you have obtained the metadata from a trusted source, you can remove the Signature block from the metadata and import it without needing to import the certificate.
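The FAQ leaves the admin with two options for signed metadata: establish trust in the signing certificate (import it into the keystore) or, when the file came from a trusted source, drop the Signature block before importing. The script below is an added example, not part of this thread or of AM, to make that decision checkable: it reports whether the EntityDescriptor is signed, extracts the signing certificate(s) from the KeyDescriptor elements, prints a SHA-256 fingerprint that can be compared against the value the IDP operator confirmed out-of-band, and can produce a copy of the metadata with the top-level Signature removed. The metadata, entity ID and the certificate bytes are constructed placeholders (the "certificate" is not real DER); the script does not perform XML signature verification itself, which AM does on import.

```python
"""Inspect signed SAML 2.0 IDP metadata before importing it into AM (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
ET.register_namespace("md", MD_NS)  # keep the usual prefixes when re-serialising
ET.register_namespace("ds", DS_NS)

# Constructed placeholder: NOT a real DER certificate, only bytes to fingerprint.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed sample of signed IDP metadata (entity ID and URLs are hypothetical).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/metadata">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>@@CERT@@</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("@@CERT@@", FAKE_CERT_B64)


def has_signature(xml_text):
    """True when the EntityDescriptor itself carries a ds:Signature child."""
    root = ET.fromstring(xml_text)
    return root.find("ds:Signature", NS) is not None


def signing_certs(xml_text):
    """Base64 DER certificates from KeyDescriptors usable for signing (use="signing" or unset)."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # drop PEM-style line wrapping
    return certs


def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint (lowercase hex) of the DER bytes, for out-of-band comparison."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def strip_signature(xml_text):
    """Return the metadata without its top-level ds:Signature (the FAQ's trusted-source option)."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is not None:
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")


def check_metadata(xml_text, trusted_fingerprints):
    """Summarise what the importer will face and whether every signing cert is a known one."""
    fps = [cert_fingerprint(c) for c in signing_certs(xml_text)]
    return {
        "signed": has_signature(xml_text),
        "fingerprints": fps,
        "trusted": bool(fps) and all(fp in trusted_fingerprints for fp in fps),
    }


if __name__ == "__main__":
    report = check_metadata(SAMPLE_METADATA, trusted_fingerprints=set())
    print("signed:", report["signed"])
    for fp in report["fingerprints"]:
        print("signing cert sha256:", fp)
    print("trusted:", report["trusted"])
    if report["signed"] and not report["trusted"]:
        print("import will fail until the cert is trusted; stripped copy follows")
        print(strip_signature(SAMPLE_METADATA))
```

Feed it the real metadata file instead of SAMPLE_METADATA and put the fingerprint the IDP operator gave you into trusted_fingerprints; only when that matches should the certificate be imported into the AM keystore, or the Signature block removed.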
Thanks for the reply.
We are planning to import the external IDP signing certs into the keystore, highlighted below…
I would like to know where I can find ForgeRock's signing certificates and metadata certificates in ForgeRock, to be imported into the external IDP.
The public certificates of your hosted SP, which the external IDP can use to verify signatures or encrypt its response, are displayed by AM in the metadata and published at the URL mentioned above:
https://openam.example.com:8443/openam/saml2/jsp/exportmetadata.jsp?entityid=myHostedProvider&realm=/mySubRealm
Note that AM provides default test certificates, which is fine for test purposes, but when developing a solution for production, you should use your own certs.
Able to import external IDP metadata.
Created keystore using /security-guide/am-keystore.html.
Accessing Hosted Entity ID URL:
ERROR : org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
j.s.exportmetadata: 2023-04-20T07:15:14.481-04:00: Thread[https-jsse-nio-8443-exec-5]: TransactionId[595ec13e-03bf-4f51-9d7e-a64ff2f77ffc-7643]
ERROR: An error occurred while retrieving metadata
com.google.common.util.concurrent.UncheckedExecutionException: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
Caused by: java.lang.NullPointerException: null
From the error message, it looks like AM is not able to display the metadata because it cannot load some secret store. The relevant info around this in the docs is, for SAML specifically:
And for secrets and secret stores in general:
To produce the metadata for your hosted SP, AM looks for the following secrets (see ref 2 link): am.default.applications.federation.entity.providers.saml2.sp.encryption and am.default.applications.federation.entity.providers.saml2.sp.signing.
The default values for these are respectively (as per the table in ref 2) test and rsajwtsigningkey. If you changed the default keystore but not the corresponding mappings, AM is still looking for these aliases and not finding them, which would cause the error you are seeing. Check ref 3 link for info on configuring the secret stores.
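The failure described here is a mismatch between the secret labels AM resolves and the aliases actually present in the keystore. The following script is an added example, not part of the thread or of AM, that makes the mismatch visible before the metadata URL is hit: it parses the aliases from a `keytool -list -v` listing of the new keystore and compares them against the label-to-alias mappings, flagging labels whose alias is absent and labels whose alias is only a trusted certificate rather than a key pair (the SP needs private keys to sign and to decrypt). The two labels and their default aliases are the ones quoted above; the keystore listing is a constructed sample and its layout is assumed from keytool's verbose output, and the script reads the mappings from a dict rather than from AM's configuration.

```python
"""Check AM secret-label to keystore-alias mappings against a keytool listing (added example)."""
import re

# Secret labels named in the thread, with the default aliases it quotes.
DEFAULT_MAPPINGS = {
    "am.default.applications.federation.entity.providers.saml2.sp.signing": "rsajwtsigningkey",
    "am.default.applications.federation.entity.providers.saml2.sp.encryption": "test",
}

# Constructed sample of `keytool -list -v` output for a custom keystore that no longer
# holds the default aliases (layout assumed from keytool's verbose listing).
SAMPLE_KEYTOOL_LISTING = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: sp-signing
Creation date: Apr 20, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1

*******************************************

Alias name: sp-encryption
Creation date: Apr 20, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1

*******************************************

Alias name: idp-signing-cert
Creation date: Apr 20, 2023
Entry type: trustedCertEntry
"""


def parse_keytool_aliases(listing):
    """Map alias -> entry type from verbose keytool output."""
    aliases = {}
    current = None
    for line in listing.splitlines():
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            current = m.group(1).strip()
            aliases[current] = None
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m and current is not None:
            aliases[current] = m.group(1)
    return aliases


def check_mappings(mappings, aliases):
    """Return (label, alias, problem) tuples for mappings the keystore cannot satisfy."""
    problems = []
    for label, alias in mappings.items():
        if alias not in aliases:
            problems.append((label, alias, "alias not present in keystore"))
        elif aliases[alias] != "PrivateKeyEntry":
            problems.append((label, alias, "not a private key entry; SP signing/decryption needs a key pair"))
    return problems


if __name__ == "__main__":
    present = parse_keytool_aliases(SAMPLE_KEYTOOL_LISTING)
    # Defaults left in place after swapping the keystore: both labels dangle.
    for label, alias, why in check_mappings(DEFAULT_MAPPINGS, present):
        print(f"{label} -> {alias}: {why}")
    # Mappings updated to the new aliases: nothing to report.
    fixed = {
        "am.default.applications.federation.entity.providers.saml2.sp.signing": "sp-signing",
        "am.default.applications.federation.entity.providers.saml2.sp.encryption": "sp-encryption",
    }
    print("problems after fixing mappings:", check_mappings(fixed, present))
```

Run `keytool -list -v -keystore <your keystore>` on the AM host, pipe the output into parse_keytool_aliases, and put the mappings you configured in the AM keystore secret store into the dict; an empty result means the labels resolve to key pairs the keystore actually contains.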