IBM Tivoli Federated Identity Manager, Version 6.2.2

Configuring a SAML 2.0 service provider federation using CLI

Use CLI commands to configure a SAML 2.0 service provider federation by creating a response file and creating a service provider federation.

About this task

This task requires the use of the command manageItfimFederation. The manageItfimFederation command requires specific parameters to execute operations on a federation. For more information, see the IBM® Tivoli® Federated Identity Manager Administration Guide.

Procedure

  1. Create a response file by issuing the following command in the WebSphere® wsadmin console:
    wsadmin>$AdminTask manageItfimFederation { -operation createResponseFile 
    -fimDomainName fimspdomain -protocol SAML2_0 -role sp -fileId 
    /downloads/saml20_sp_properties.xml }
    The following confirmation message shows:
    FBTADM001I Command completed successfully
  2. Edit the response file to modify the following values:
    Table 1. Response file settings for service provider in SAML 2.0 federation

    Each entry lists the configuration item, its description, the value you supply, and the CLI property name used in the response file.

    Federation name (CLI property: FedName)
      Description: The unique name of the federation. (Required)
      Your value: Any name. For example, saml20sp

    Company name (CLI property: CompanyName)
      Description: The name of the company that is associated with the federation. (Required)
      Your value: Any name. For example, SP Company Name

    Company URL (CLI property: CompanyUrl)
      Description: A URL for a website of the company that is associated with the federation. (Required)
      Your value: The URL of the website of your company.

    Provider ID (CLI property: ProviderId)
      Description: A URL or URN that uniquely identifies the provider. By default, Tivoli Federated Identity Manager uses the URL of the point of contact server with the federation name and the protocol name, such as /saml20, appended to it.
      Your value: A URL. For example, for a federation named saml_fed: https://sp.example.com/FIM/sps/saml_fed/saml20

    Point of Contact Server URL (CLI property: BaseUrl)
      Description: The URL of the point of contact server with the federation name and the protocol name, such as /saml20, appended to it. (Required)
      Your value: A URL. For example, for a federation named saml_fed: https://sp.example.com/FIM/sps/saml_fed/saml20

    Select Signing Key (CLI property: SigningKeyIdentifier)
      Description: The keystore in the Tivoli Federated Identity Manager key service where the key is stored. Enter a signing key for the service provider. If you also select to sign any other messages, the specified signing key is used to sign them. (Required)
      Note: Before you complete this task, create the key and import it into the appropriate keystore in the Tivoli Federated Identity Manager key service.
      Your value: The keystore name and the key alias name, provided in the format "Keystore Name"_"Alias Name". For example, DefaultKeyStore_testkey

    Single sign-on (CLI properties: SsoPostEnabled, SsoArtifactEnabled, SsoRedirectEnabled)
      Description: The URL to which the Service Provider sends authentication requests.
      Your value: true or false for each property. Default: false. You must enable at least one property. For example, set SsoPostEnabled to true.

    Select Encryption Key (CLI property: EncryptionKeyIdentifier)
      Description: The keystore in the Tivoli Federated Identity Manager key service where the key is stored. A public/private key pair used in encryption. Your partner uses the public key to encrypt data to you. Use the private key to decrypt data that your partner sends to you. You must specify the key pair to use. (Required)
      Note: Before you complete this task, create the key and import it into the appropriate keystore in the Tivoli Federated Identity Manager key service.
      Your value: The keystore name and the key alias name, provided in the format "Keystore Name"_"Alias Name". For example, DefaultKeyStore_testkey

    Single Logout Profile (CLI properties: SloIPArtifactEnabled, SloIPPostEnabled, SloIPRedirectEnabled, SloIPSOAPEnabled, SloSPArtifactEnabled, SloSPPostEnabled, SloSPRedirectEnabled, SloSPSOAPEnabled)
      Description: The URL that the partner contacts to use the Single Logout profile. To enable single logout, set at least one property to true. Then, you can choose which binding and provider to use to initiate single logout.
      Your value: true or false for each property. Default: false. You must enable at least one property to enable the single logout profile for the federation. For example, set SloSPPostEnabled to true.

    Artifact Resolution Service list (CLI property: ArtifactResolutionServiceList)
      Description: The Artifact Resolution Service is a SOAP endpoint on the service provider point of contact server where artifacts are exchanged for SAML messages. By default, Tivoli Federated Identity Manager configures one SOAP endpoint for the Artifact Resolution Service. You can optionally define additional SOAP endpoints.
      Your value: Specify the Artifact Resolution Service URL, the URL index, and true if the endpoint is used as the default; otherwise, set it to false. For example, https://sp.example.com/FIM/sps/saml_fed/saml20/soap;0;true

    Identity mapping options (CLI property: MappingRuleFileName)
      Description: An XSL transformation (XSLT) file containing mapping rules. This is the type of identity mapping to use. Use an XSLT file for identity mapping, and have the file ready to use for the federation. (Required)
      Your value: The XSLT file that corresponds to the SP role for SAML 2.0 federations: /opt/IBM/FIM/examples/mapping_rules/sp_saml_20.xsl
  3. Type the following command in the wsadmin console to create the Service Provider federation:
    wsadmin>$AdminTask manageItfimFederation { -operation create 
    -fimDomainName fimspdomain -fileId 
    /downloads/saml20_sp_properties.xml }
    The following confirmation message shows:
    FBTADM001I Command completed successfully
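    Before running the create operation in step 3, it is worth checking the edited settings against the rules the table states (required items, the "Keystore Name"_"Alias Name" key identifier format, at least one SSO binding enabled, BaseUrl ending in the federation name plus /saml20, and the url;index;default form of artifact resolution entries). The checker below is an added example, not part of the product or this page; it assumes the response-file values have already been read into a dictionary keyed by CLI property name, and that multiple artifact resolution endpoints are passed as a list.

```python
import re

# Rules from Table 1, keyed by the CLI property names the response file uses.
REQUIRED = ("FedName", "CompanyName", "CompanyUrl", "BaseUrl", "SigningKeyIdentifier",
            "EncryptionKeyIdentifier", "MappingRuleFileName")
SSO_FLAGS = ("SsoPostEnabled", "SsoArtifactEnabled", "SsoRedirectEnabled")
SLO_FLAGS = tuple(f"Slo{side}{binding}Enabled" for side in ("IP", "SP")
                  for binding in ("Artifact", "Post", "Redirect", "SOAP"))
KEY_ID = re.compile(r"^[^_\s]+_\S+$")                      # "Keystore Name"_"Alias Name"
ARS_ENTRY = re.compile(r"^https://\S+/soap;\d+;(true|false)$")  # <url>;<index>;<default>

def flag(props, name):
    """Boolean properties default to false, as the table states."""
    return str(props.get(name, "false")).strip().lower()

def validate_sp_properties(props):
    """Return the list of rule violations; an empty list means the settings are consistent."""
    problems = []
    for name in REQUIRED:
        if not str(props.get(name, "")).strip():
            problems.append(f"{name} is required")
    for name in ("SigningKeyIdentifier", "EncryptionKeyIdentifier"):
        value = props.get(name, "")
        if value and not KEY_ID.match(value):
            problems.append(f"{name} must be <keystore>_<alias>, got {value!r}")
    if not any(flag(props, f) == "true" for f in SSO_FLAGS):
        problems.append("enable at least one of " + ", ".join(SSO_FLAGS))
    for name in SSO_FLAGS + SLO_FLAGS:
        if flag(props, name) not in ("true", "false"):
            problems.append(f"{name} must be true or false")
    base, fed = props.get("BaseUrl", ""), props.get("FedName", "")
    if base and fed and not base.endswith(f"/{fed}/saml20"):
        problems.append("BaseUrl must end with the federation name and /saml20")
    # Assumption: several endpoints are supplied as a list of url;index;default entries.
    for entry in props.get("ArtifactResolutionServiceList", []):
        if not ARS_ENTRY.match(entry):
            problems.append(f"bad Artifact Resolution Service entry {entry!r}")
    return problems

# Constructed sample built only from the example values Table 1 shows.
EXAMPLE_PROPS = {
    "FedName": "saml_fed", "CompanyName": "SP Company Name",
    "CompanyUrl": "https://www.example.com",
    "ProviderId": "https://sp.example.com/FIM/sps/saml_fed/saml20",
    "BaseUrl": "https://sp.example.com/FIM/sps/saml_fed/saml20",
    "SigningKeyIdentifier": "DefaultKeyStore_testkey",
    "EncryptionKeyIdentifier": "DefaultKeyStore_testkey",
    "SsoPostEnabled": "true", "SloSPPostEnabled": "true",
    "ArtifactResolutionServiceList": ["https://sp.example.com/FIM/sps/saml_fed/saml20/soap;0;true"],
    "MappingRuleFileName": "/opt/IBM/FIM/examples/mapping_rules/sp_saml_20.xsl",
}
```

    Calling validate_sp_properties(EXAMPLE_PROPS) returns an empty list; a missing CompanyUrl, a key identifier without the keystore prefix, or all three SSO flags left at false each produce a separate message.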

What to do next

Continue with Importing a SAML 2.0 service provider into the SAML identity provider federation.
