IBM Tivoli Federated Identity Manager, Version 6.2.2

Configuring a SAML 2.0 Identity Provider federation using CLI

Use CLI commands to configure a SAML 2.0 Identity Provider federation: create a response file, edit its values, and then create the Identity Provider federation from that file.

About this task

This task requires the use of the command manageItfimFederation. The manageItfimFederation command requires specific parameters to execute operations on a federation. For more information, see the IBM® Tivoli® Federated Identity Manager Administration Guide.

Procedure

  1. Create a response file by issuing the following command in the WebSphere® wsadmin console:
    wsadmin>$AdminTask manageItfimFederation { -operation createResponseFile 
    -fimDomainName fimipdomain -role ip -protocol SAML2_0 -fileId 
    /downloads/saml20_ip_properties.xml }
  2. Edit the response file to modify the following values:
    Table 1. Response file settings for Identity Provider in SAML 2.0 federation
    Columns: Configuration item; Description; Your value; CLI property or name

    Federation name
      Description: The unique name of the federation. (Required)
      Your value: Any name. For example, saml20ip
      CLI property: FedName

    Company name
      Description: The name of the company that is associated with the federation. (Required)
      Your value: Any name. For example, IDP Company Name
      CLI property: CompanyName

    Company URL
      Description: A URL for a website of the company that is associated with the federation. (Required)
      Your value: The URL of the website of your company
      CLI property: CompanyUrl

    Point of Contact Server
      Description: The URL of the point of contact server with the federation name and the protocol name, such as /saml20, appended to it. (Required)
      Your value: A URL. For example, for a federation named saml_fed: https://idp.example.com/FIM/sps/saml_fed/saml20
      CLI property: BaseUrl

    Provider ID
      Description: A URL or URN that uniquely identifies the provider. By default, Tivoli Federated Identity Manager uses the URL of the point of contact server with the federation name and the protocol name, such as /saml20, appended to it.
      Your value: A URL. For example, for a federation named saml_fed: https://idp.example.com/FIM/sps/saml_fed/saml20
      CLI property: ProviderId

    Select Signing Key
      Description: The keystore in the Tivoli Federated Identity Manager key service where the key is stored, and the alias of the signing key for the Identity Provider. The protocol mandates that a SAML Response that contains the assertion is signed when the HTTP POST binding is used. If you also choose to sign any other messages, the specified signing key is used to sign them. (Required)
      Your value: Keystore name and key alias name, in the format "Keystore Name"_"Alias Name". For example, DefaultKeyStore_testkey
      CLI property: SigningKeyIdentifier

    Select Encryption Key
      Description: The keystore in the Tivoli Federated Identity Manager key service where the key is stored, and the alias of a public/private key pair used for encryption. Your partner uses the public key to encrypt data sent to you; you use the private key to decrypt data that your partner sends to you. You must specify the key pair to use. Note: Before you complete this task, create the key and import it into the appropriate keystore in the Tivoli Federated Identity Manager key service. (Required)
      Your value: Keystore name and key alias name, in the format "Keystore Name"_"Alias Name". For example, DefaultKeyStore_testkey
      CLI property: EncryptionKeyIdentifier

    Single Sign-on
      Description: SAML 2.0 supports single sign-on using different profiles. Use these settings to enable the bindings you want.
      Your value: true or false for each property. Default: false. You must enable at least one property. For example, set SsoPostEnabled to true.
      CLI properties: SsoPostEnabled, SsoArtifactEnabled, SsoRedirectEnabled

    Single Logout
      Description: To enable single logout, set at least one property to true. The properties select which binding, and which provider (Identity Provider or Service Provider), can be used to initiate single logout.
      Your value: true or false for each property. Default: false. You must enable at least one property to enable the single logout profile for the federation. For example, set SloIPPostEnabled to true.
      CLI properties: SloIPArtifactEnabled, SloIPPostEnabled, SloIPRedirectEnabled, SloIPSOAPEnabled, SloSPArtifactEnabled, SloSPPostEnabled, SloSPRedirectEnabled, SloSPSOAPEnabled

    Artifact Resolution Service URL
      Description: The Artifact Resolution Service is a SOAP endpoint on the Identity Provider point-of-contact server where artifacts are exchanged for SAML messages. By default, Tivoli Federated Identity Manager configures one SOAP endpoint for the Artifact Resolution Service. You can optionally define additional SOAP endpoints.
      Your value: The artifact resolution service URL, the URL index, and whether this endpoint is the default (true or false), separated by semicolons. For example, https://idp.example.com/FIM/sps/saml_fed/saml20/soap;0;true
      CLI property: ArtifactResolutionServiceList

    Artifact Cache Lifetime (seconds)
      Description: The artifact cache lifetime in seconds. Default value: 120 seconds.
      Your value: Use the default value.
      CLI property: ArtifactLifetime

    Amount of time before the issue date that an assertion is considered valid
      Description: The number of seconds that an assertion is considered valid before its issue date. Default value: 60
      Your value: Use the default value.
      CLI property: AssertionValidBefore

    Amount of time the assertion is valid after being issued
      Description: The number of seconds that an assertion is considered valid after its issue date. Default value: 60
      Your value: Use the default value.
      CLI property: AssertionValidAfter

    Identity mapping options
      Description: The type of identity mapping to use: an XSL transformation (XSLT) file containing mapping rules. Use an XSLT file for identity mapping, and have the file ready to use for the federation. (Required)
      Your value: The XSLT file that corresponds to the IP role for SAML 2.0 federations: /opt/IBM/FIM/examples/mapping_rules/ip_saml_20_email_nameid.xsl
      CLI property: MappingRuleFileName
  3. Type the following command in a command prompt to create the Identity Provider federation:
    wsadmin>$AdminTask manageItfimFederation { -operation create
    -fimDomainName fimipdomain -fileId 
    /downloads/saml20_ip_properties.xml }
    The following confirmation message is displayed:
    FBTADM001I Command completed successfully
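Before running the create operation, it is worth checking the edited values against the constraints Table 1 states (required items, the Keystore_Alias key format, at least one SSO binding enabled, the url;index;isDefault shape of artifact resolution entries, numeric lifetimes). The checker below is an added example and is not part of the product or this page; it works on a flat property-name to value mapping, because the page does not show the XML layout of the response file, and it assumes that multiple artifact resolution entries are comma separated.

```python
import re

# Constructed sample of the Table 1 values as a flat property -> value mapping.
# The real response file is XML whose layout this page does not show, so the
# mapping shape and the comma separator for multiple ARS entries are assumptions.
SAMPLE_SETTINGS = {
    "FedName": "saml20ip",
    "CompanyName": "IDP Company Name",
    "CompanyUrl": "https://www.example.com",
    "BaseUrl": "https://idp.example.com/FIM/sps/saml20ip/saml20",
    "ProviderId": "https://idp.example.com/FIM/sps/saml20ip/saml20",
    "SigningKeyIdentifier": "DefaultKeyStore_testkey",
    "EncryptionKeyIdentifier": "DefaultKeyStore_testkey",
    "SsoPostEnabled": "true", "SsoArtifactEnabled": "false", "SsoRedirectEnabled": "false",
    "SloIPPostEnabled": "true", "SloSPPostEnabled": "false",
    "ArtifactResolutionServiceList": "https://idp.example.com/FIM/sps/saml20ip/saml20/soap;0;true",
    "ArtifactLifetime": "120", "AssertionValidBefore": "60", "AssertionValidAfter": "60",
    "MappingRuleFileName": "/opt/IBM/FIM/examples/mapping_rules/ip_saml_20_email_nameid.xsl",
}

REQUIRED = ("FedName", "CompanyName", "CompanyUrl", "BaseUrl",
            "SigningKeyIdentifier", "EncryptionKeyIdentifier", "MappingRuleFileName")
KEY_ID = re.compile(r"^[^_\s]+_\S+$")                          # "Keystore Name"_"Alias Name"
ARS_ENTRY = re.compile(r"^(https://\S+);(\d+);(true|false)$")  # url;index;isDefault

def check_ip_settings(s):
    """Return the problems found in a set of Table 1 values; an empty list means OK."""
    problems = [f"{k} is required" for k in REQUIRED if not s.get(k)]
    fed = s.get("FedName", "")
    # The point-of-contact URL carries the federation name and the /saml20 suffix.
    if fed and not s.get("BaseUrl", "").endswith(f"/{fed}/saml20"):
        problems.append("BaseUrl should end with /<FedName>/saml20")
    for k in ("SigningKeyIdentifier", "EncryptionKeyIdentifier"):
        if s.get(k) and not KEY_ID.match(s[k]):
            problems.append(f"{k} must be Keystore_Alias, for example DefaultKeyStore_testkey")
    flags = [k for k in s if k.startswith(("Sso", "Slo"))]
    problems += [f"{k} must be true or false" for k in flags if s[k] not in ("true", "false")]
    if not any(s[k] == "true" for k in flags if k.startswith("Sso")):
        problems.append("enable at least one of SsoPostEnabled/SsoArtifactEnabled/SsoRedirectEnabled")
    # Each artifact resolution endpoint is url;index;isDefault; assumed exactly one default.
    entries = [e for e in s.get("ArtifactResolutionServiceList", "").split(",") if e]
    parsed = [ARS_ENTRY.match(e) for e in entries]
    if not entries or not all(parsed):
        problems.append("ArtifactResolutionServiceList entries must be https-url;index;true|false")
    elif sum(m.group(3) == "true" for m in parsed) != 1:
        problems.append("exactly one artifact resolution endpoint should be the default")
    for k in ("ArtifactLifetime", "AssertionValidBefore", "AssertionValidAfter"):
        if not s.get(k, "").isdigit():
            problems.append(f"{k} must be a whole number of seconds")
    return problems

if __name__ == "__main__":
    print(check_ip_settings(SAMPLE_SETTINGS) or "response file values look consistent")
```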

What to do next

Continue with Configuring a SAML 2.0 Service Provider federation using CLI.
