IBM Tivoli Federated Identity Manager, Version 6.2.2

Importing a SAML 1.x Identity Provider into the SAML Service Provider federation

To add an Identity Provider to the Service Provider federation, you must import the Identity Provider configuration properties.

Procedure

  1. Type the following command in a command prompt to export the Identity Provider metadata and obtain most of the environmental information:
    wsadmin>$AdminTask manageItfimFederation { -operation export 
    -fimDomainName fimipdomain -federationName saml11ip -fileId 
    /downloads/saml11_ip_metadata.xml }
    The following confirmation message shows:
    FBTADM001I Command completed successfully
  2. Create an Identity Provider response file by issuing the following command in the WebSphere® wsadmin console:
    wsadmin>$AdminTask manageItfimPartner { -operation createResponseFile 
    -fimDomainName fimspdomain -federationName saml11sp -partnerRole ip -fileId 
    /downloads/saml11_ip_partner_properties.xml }
    The following confirmation message shows:
    FBTADM001I Command completed successfully
  3. Edit the response file to modify the following values:
    Table 1. Response file settings for Identity Provider partner in SAML 1.x federation

    Each entry lists the configuration item, its description, the value you supply, and the CLI property or name it maps to.

    Import metadata file
      Description: To import a metadata file, you need the file name and its location.
      Your value: (Required) The fully specified metadata file name. For example: /downloads/saml11_ip_metadata.xml
      CLI property or name: metadataFileName

    Validate Signatures on Artifact Resolution Requests
      Description: You have the option of validating the SAML message signatures when browser artifact is used.
      Your value: Validate signatures for artifact. (Set to true.)
      CLI property or name: ValidateArtifactResponse

    Validation Key Identifier
      Description: Because Browser POST messages must be signed and validated, you must specify a key to validate the signature. If you also choose to validate messages when using a browser artifact, use the same validation key to validate them. The key you use is the public key that corresponds to the private key that your partner uses to sign messages.
      Note: If you are importing partner data, the key is supplied in the metadata file. Before importing the data, create a keystore, then specify a keystore for the key. Before entering partner data manually, obtain the key from the partner and import it into the appropriate keystore in the Tivoli® Federated Identity Manager key service.
      Your value (metadata method):
      • Truststore name:
      • Label for key:
      CLI property or name: ValidateKeyIdentifier

    Server Certificate Validation
      Description: Enable server certificate validation.
      Your value: Set to true.
      CLI property or name: UseSoapServerCertAuth

    Select Server Validation Certificate
      Description: The public key of the certificate that your partner presents during SSL communication with you. Determine the certificate used by you and your partner. You must already have the certificate and the keystore that holds it.
      Your value:
      • Truststore password:
      • Certificate name:
      CLI property or name: rtAuthKeyId

    Client authentication information
      Description: Either:
      • Basic authentication
        • Username
        • Password
      • Client certificate authentication
        • Certificate to present to the server of the Identity Provider. The certificate to use is agreed between you and your Identity Provider partner.
        • Keystore in the Tivoli Federated Identity Manager key service where the key is stored
        • Password for the keystore
      Your value: If your partner requires mutual authentication, determine which type to use.
      • For basic authentication, specify a user name and password.
      • For client certificate authentication, specify the certificate that you and your partner agreed to use.
      Note: Before performing this task, be sure that you and your partner have agreed on where the certificate is to be obtained, and that it has been imported into the keystore in the Tivoli Federated Identity Manager key service.
      To disable client authentication, set both CLI properties to false.
      CLI properties or names: UseClientBasicAuth, UseSoapClientCertAuth

    Validate SAML Assertions Signature
      Description: Validate the SAML assertions signature.
      Your value: (Optional) Enable SAML signature validation. (Set to true.)
      CLI property or name: com.tivoli.am.fim.sts.saml.1.1.assertion.verify.signatures

    Select Validation Key for Assertion signature
      Description: Specify the assertion signature validation key to use.
      Your value: Use the keystore alias to find the public key for signature validation. (Default)
      CLI property or name: SAML11ValidationKey

    Create multiple attribute statements in the Universal User
      Description: Select this option to keep multiple attribute statements in the groups they were received in. This option might be necessary if your custom identity mapping rules are written to operate on one or more specific groups of attribute statements. If this option is not selected, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUser document.
      Your value: Set the value to false.
      CLI property or name: SAML11CreateMultipleUniversalUserAttributes

  4. Type the following command in a command prompt to add the new Identity Provider partner to the Service Provider federation:
    wsadmin>$AdminTask manageItfimPartner { -operation create -fimDomainName 
    fimspdomain -federationName saml11sp -partnerName saml11ip -fileId 
    /downloads/saml11_ip_partner_properties.xml -signingKeystorePwd testonly }
    The following confirmation message shows:
    FBTADM001I Command completed successfully
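As an added example that is not part of this documentation or of the Tivoli Federated Identity Manager product, the following Python script inspects the metadata file exported in step 1 before its name is entered in the response file in step 3. It checks that the file really describes an Identity Provider that advertises SAML 1.1, and it extracts the SHA-256 fingerprint of the partner's signing certificate, which is the key that the Validation Key Identifier setting must resolve to once the certificate is in the truststore (the table above states that, for the metadata method, the key is supplied in the metadata file). The namespaces are the standard SAML metadata and XML Signature ones; the sample metadata, the entity ID and the certificate blob are constructed for the example and are not values from the page.

```python
"""Pre-import inspection of an exported SAML 1.x Identity Provider metadata file.

Added example, not Tivoli Federated Identity Manager code. It reads the metadata
produced by 'manageItfimFederation -operation export' and reports what a Service
Provider administrator needs before filling in the partner response file.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"      # SAML metadata namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"         # XML Signature namespace
NS = {"md": MD_NS, "ds": DS_NS}
SAML11_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"

# Constructed stand-in for the DER bytes of the partner's signing certificate.
# It is NOT a real X.509 certificate; only its SHA-256 fingerprint is used.
DUMMY_DER = b"constructed dummy certificate bytes, not a real X.509 DER blob"
DUMMY_FINGERPRINT = hashlib.sha256(DUMMY_DER).hexdigest()
SAMPLE_ENTITY_ID = "https://idp.example.test/FIM/sps/saml11ip/saml11"  # constructed


def build_metadata(include_signing_key: bool) -> str:
    """Return constructed sample metadata, with or without a signing KeyDescriptor."""
    key_descriptor = ""
    if include_signing_key:
        key_descriptor = f"""
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(DUMMY_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>"""
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="{SAMPLE_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML11_PROTOCOL}">{key_descriptor}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, SAML 1.1 support and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this file does not describe an Identity Provider")
    protocols = idp.get("protocolSupportEnumeration", "").split()
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Metadata files usually wrap the base64 text; strip all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "supports_saml11": SAML11_PROTOCOL in protocols,
        "signing_cert_sha256": fingerprints,
    }


def import_checklist(info: dict) -> list:
    """Problems that must be resolved before the partner is created from this metadata."""
    problems = []
    if not info["entity_id"]:
        problems.append("metadata has no entityID, so the partner cannot be identified")
    if not info["supports_saml11"]:
        problems.append("Identity Provider does not advertise SAML 1.1; wrong metadata for a saml11 federation")
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate in metadata; Browser POST signature validation "
                        "cannot be configured without obtaining the key from the partner")
    return problems


if __name__ == "__main__":
    info = inspect_idp_metadata(build_metadata(include_signing_key=True))
    print("entityID:", info["entity_id"])
    print("SAML 1.1 supported:", info["supports_saml11"])
    for fp in info["signing_cert_sha256"]:
        print("signing certificate SHA-256:", fp)
    print("problems:", import_checklist(info) or "none")
```

Before setting ValidateKeyIdentifier, compare the printed fingerprint with the certificate held under the chosen truststore label; a mismatch means the partner would be trusted with a key other than the one its metadata publishes. On a real export the DER bytes are a genuine certificate, so the same fingerprint can be checked with the keystore tooling.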

