Use wsadmin CLI commands to configure a SAML 2.0 Identity Provider federation. The procedure has two steps: create a response file that lists the federation properties, edit the file with the values described in the table below, and then create the Identity Provider federation from that file.
Create the response file:

```
wsadmin>$AdminTask manageItfimFederation { -operation createResponseFile
-fimDomainName fimipdomain -role ip -protocol SAML2_0 -fileId
/downloads/saml20_ip_properties.xml }
```

Edit the response file, setting the properties listed in the last column of the following table:
Configuration item | Description | Your value | CLI property
---|---|---|---
Federation name | The unique name of the federation. (Required) | Any name, for example saml20ip | FedName
Company name | The name of the company that is associated with the federation. (Required) | Any name, for example IDP Company Name | CompanyName
Company URL | A URL for a website of the company that is associated with the federation. (Required) | The URL of your company website | CompanyUrl
Point of contact server | The URL of the point of contact server with the federation name and the protocol name, such as /saml20, appended to it. (Required) | A URL. For example, for a federation named saml_fed: https://idp.example.com/FIM/sps/saml_fed/saml20 | BaseUrl
Provider ID | A URL or URN that uniquely identifies the provider. By default, Tivoli Federated Identity Manager uses the URL of the point of contact server with the federation name and the protocol name, such as /saml20, appended to it. | A URL. For example, for a federation named saml_fed: https://idp.example.com/FIM/sps/saml_fed/saml20 | ProviderId
Signing key | The keystore in the Tivoli Federated Identity Manager key service where the key is stored, and the signing key for the Identity Provider. The protocol mandates that a SAML Response that contains the assertion is signed when the HTTP POST binding is used. If you also choose to sign any other messages, the specified signing key is used to sign them. (Required) | Keystore name and key alias name | SigningKeyIdentifier
Encryption key | The keystore in the Tivoli Federated Identity Manager key service where the key is stored, and a public/private key pair used for encryption. Your partner uses the public key to encrypt data sent to you; you use the private key to decrypt data that your partner sends to you. You must specify the key pair to use. Note: Before you complete this task, create the key and import it into the appropriate keystore in the Tivoli Federated Identity Manager key service. | Keystore name and key alias name | EncryptionKeyIdentifier
Single sign-on | SAML 2.0 supports single sign-on through different bindings (HTTP POST, HTTP Artifact, HTTP Redirect). Use these settings to enable the bindings you want. | True or false. Default: false. You must enable at least one property. For example, set SsoPostEnabled to true. | SsoPostEnabled, SsoArtifactEnabled, SsoRedirectEnabled
Single logout | To enable single logout, set at least one property to true. The properties determine which binding, and which provider (Identity Provider or Service Provider), can initiate single logout. | True or false. Default: false. You must enable at least one property to enable the single logout profile for the federation. For example, set SloIPPostEnabled to true. | SloIPArtifactEnabled, SloIPPostEnabled, SloIPRedirectEnabled, SloIPSOAPEnabled, SloSPArtifactEnabled, SloSPPostEnabled, SloSPRedirectEnabled, SloSPSOAPEnabled
Artifact Resolution Service URL | The Artifact Resolution Service is a SOAP endpoint on the Identity Provider point of contact server where artifacts are exchanged for SAML messages. By default, Tivoli Federated Identity Manager configures one SOAP endpoint for the Artifact Resolution Service. You can optionally define additional SOAP endpoints. | The artifact resolution service URL, the URL index, and whether the endpoint is the default (true) or not (false), separated by semicolons. For example, https://idp.example.com/FIM/sps/saml_fed/saml20/soap;0;true |
Artifact cache lifetime (seconds) | The artifact cache lifetime in seconds. Default value: 120 seconds. | Use the default value. | ArtifactLifetime
Amount of time before the issue date that an assertion is considered valid | The number of seconds before its issue date that an assertion is considered valid. This tolerates clock skew between the partners; widening it also widens the window in which a captured assertion can be replayed. Default value: 60 | Use the default value. | AssertionValidBefore
Amount of time the assertion is valid after being issued | The number of seconds after its issue date that an assertion is considered valid. Default value: 60 | Use the default value. | AssertionValidAfter
Identity mapping options | The type of identity mapping to use: an XSL transformation (XSLT) file that contains the mapping rules. Have the file ready before you create the federation. (Required) | An XSLT file that corresponds to the IP role for SAML 2.0 federations, for example /opt/IBM/FIM/examples/mapping_rules/ip_saml_20_email_nameid.xsl | MappingRuleFileName
Create the federation from the edited response file:

```
wsadmin>$AdminTask manageItfimFederation { -operation create
-fimDomainName fimipdomain -fileId
/downloads/saml20_ip_properties.xml }
```

The following confirmation message is displayed: FBTADM001I Command completed successfully
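Several of the values above interact: HTTP POST single sign-on requires the signing key, the artifact binding requires at least one artifact resolution endpoint in the `url;index;default` form, and the validity-window properties directly set how long a captured assertion stays usable. The following pre-flight check is an added example, not part of Tivoli Federated Identity Manager or of this page. It takes the CLI property names from the table as a Python dict (the dict representation, the helper names, the `ArtifactResolutionEndpoints` key and the 300-second threshold are assumptions for the example; the page does not name the property that carries the artifact resolution entries) and reports inconsistencies before you run the create command.

```python
"""
Pre-flight consistency check of SAML 2.0 Identity Provider federation
properties before running '$AdminTask manageItfimFederation { -operation create ... }'.

Added example, not TFIM code. Property names follow the table above; the
dict layout, helper names, ARTIFACT_ENDPOINTS key and MAX_VALIDITY_WINDOW
are assumptions made for this example.
"""
from urllib.parse import urlparse

REQUIRED = ("FedName", "CompanyName", "CompanyUrl", "BaseUrl",
            "SigningKeyIdentifier", "MappingRuleFileName")
SSO_FLAGS = ("SsoPostEnabled", "SsoArtifactEnabled", "SsoRedirectEnabled")
# Hypothetical key: the page does not name the CLI property that holds the
# 'url;index;default' artifact resolution service entries.
ARTIFACT_ENDPOINTS = "ArtifactResolutionEndpoints"
# Assumption: flag validity windows wider than this (seconds) for review.
MAX_VALIDITY_WINDOW = 300


def is_true(value):
    return str(value).strip().lower() == "true"


def parse_artifact_endpoint(entry):
    """Split 'https://host/.../soap;0;true' into (url, index, is_default)."""
    parts = entry.split(";")
    if len(parts) != 3:
        raise ValueError(f"expected url;index;default, got {entry!r}")
    url, index, default = (p.strip() for p in parts)
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"artifact resolution URL must be https: {url!r}")
    if default.lower() not in ("true", "false"):
        raise ValueError(f"default flag must be true or false: {default!r}")
    return url, int(index), default.lower() == "true"


def check_federation(props):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"{key} is required")

    base = props.get("BaseUrl", "")
    if base and urlparse(base).scheme != "https":
        findings.append("BaseUrl must be an https URL: it is the point of contact "
                        "server that sends and receives SAML messages")

    # ProviderId defaults to BaseUrl; an explicit value must still be a URL or URN.
    provider_id = props.get("ProviderId") or base
    if provider_id and not (urlparse(provider_id).scheme in ("https", "http")
                            or provider_id.startswith("urn:")):
        findings.append("ProviderId must be a URL or URN")

    if not any(is_true(props.get(flag, "false")) for flag in SSO_FLAGS):
        findings.append("enable at least one of " + ", ".join(SSO_FLAGS))

    # HTTP POST mandates a signed SAML Response, so the signing key is not optional.
    if is_true(props.get("SsoPostEnabled", "false")) and not props.get("SigningKeyIdentifier"):
        findings.append("SsoPostEnabled requires SigningKeyIdentifier")

    if is_true(props.get("SsoArtifactEnabled", "false")):
        endpoints = props.get(ARTIFACT_ENDPOINTS, [])
        if not endpoints:
            findings.append("artifact binding enabled but no artifact resolution endpoint given")
        else:
            try:
                parsed = [parse_artifact_endpoint(e) for e in endpoints]
                if sum(1 for _, _, default in parsed if default) != 1:
                    findings.append("exactly one artifact resolution endpoint must be the default")
                if len({index for _, index, _ in parsed}) != len(parsed):
                    findings.append("artifact resolution endpoint indexes must be unique")
            except ValueError as exc:
                findings.append(str(exc))

    # Defaults are the ones the table gives: 120, 60 and 60 seconds.
    for key, default in (("ArtifactLifetime", 120),
                         ("AssertionValidBefore", 60),
                         ("AssertionValidAfter", 60)):
        try:
            seconds = int(props.get(key, default))
        except ValueError:
            findings.append(f"{key} must be an integer number of seconds")
            continue
        if seconds <= 0:
            findings.append(f"{key} must be positive")
        elif seconds > MAX_VALIDITY_WINDOW:
            findings.append(f"{key}={seconds}s widens the replay window; keep near the default {default}")
    return findings


def create_command(domain, file_id):
    """The wsadmin create command shown on this page, with domain and file filled in."""
    return ("$AdminTask manageItfimFederation { -operation create "
            f"-fimDomainName {domain} -fileId {file_id} }}")


# Constructed sample values following the table; not from a real deployment.
GOOD = {
    "FedName": "saml20ip",
    "CompanyName": "IDP Company Name",
    "CompanyUrl": "https://www.example.com",
    "BaseUrl": "https://idp.example.com/FIM/sps/saml20ip/saml20",
    "SigningKeyIdentifier": "signing-key-identifier",  # placeholder; format not given on the page
    "SsoPostEnabled": "true",
    "SsoArtifactEnabled": "true",
    ARTIFACT_ENDPOINTS: ["https://idp.example.com/FIM/sps/saml20ip/saml20/soap;0;true"],
    "MappingRuleFileName": "/opt/IBM/FIM/examples/mapping_rules/ip_saml_20_email_nameid.xsl",
}
# Weak variant: plaintext point of contact URL, no SSO binding, day-long assertion validity.
WEAK = dict(GOOD, BaseUrl="http://idp.example.com/FIM/sps/saml20ip/saml20",
            SsoPostEnabled="false", SsoArtifactEnabled="false",
            AssertionValidAfter="86400")

if __name__ == "__main__":
    for name, props in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_federation(props) or "ok")
    print(create_command("fimipdomain", "/downloads/saml20_ip_properties.xml"))
```

Run the check against the values you intend to put in the response file; only when it returns no findings run the create command it prints.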
Continue with Configuring a SAML 2.0 Service Provider federation using CLI.