Importing SAML identity provider (IdP) partner metadata using the wsadmin command-line utility

You can use the wsadmin command-line utility to import the IdP configuration for a SAML trust association interceptor (TAI) single sign-on (SSO) service provider partner by using a SAML IdP metadata file.
Before you begin

Before you can use the wsadmin importSAMLIdpMetaData command, you must configure the SAML TAI with at least one SSO partner with either the administrative console or the addSAMLTAISSO command.

Things to consider before you run the importSAMLIdpMetaData command:
- The truststore:
  - If you want your SSO partner to use a custom truststore, you must configure the truststore name as the value for the sso_<ssoId>.sp.trustStore property before you run this command. If there is no sso_<ssoId>.sp.trustStore property, the default truststore is used.
  - If a certificate exists in the truststore with the same alias as the value provided for the signingCertAlias parameter, the certificate is replaced with the IdP certificate that is obtained with this command.
  - If the signing certificate in the IdP metadata is in the truststore with a different alias name than the value provided for the signingCertAlias parameter, the certificate is not put into the truststore with the new alias name; an informational message is printed in the logs that contains the alias of the existing certificate.
- The sso_<ssoId>.idp_<idpId>.SingleSignOnUrl property:
  - The IdP HTTP-POST binding Location that is put into the SAML TAI configuration as the sso_<ssoId>.idp_<idpId>.SingleSignOnUrl property is a URL that the IdP allows for SP-Initiated login.
  - For most SAML TAI scenarios, the user cannot be redirected to this URL for login.
  - This property is used when the sso_<id>.sp.login.error.page property is set to a class that implements com.ibm.wsspi.security.web.saml.IdentityProviderMapping for identity provider mapping or com.ibm.wsspi.security.web.saml.AuthnRequestProvider for SP-Initiated SSO.
  - This property is not used when performing IdP-Initiated SSO or bookmark style SP-Initiated login flow.
  - The list of configured sso_<ssoId>.idp_<idpId>.SingleSignOnUrl values for an SSO service provider partner is passed to the custom class that is specified on the sso_<id>.sp.login.error.page property at runtime.
  - If your scenario does not include configuring a custom class for the sso_<id>.sp.login.error.page property, then the importSAMLIdpMetaData command is used just to import the IdP signing certificate. You do not need to run this command more than once per IdP metadata XML file regardless of how many SSO service provider partners use the IdP.
About this task

The importSAMLIdpMetaData command imports the HTTP-POST binding IdP configuration from an IdP metadata file for a SAML TAI SSO service provider partner. The importSAMLIdpMetaData command imports the following IdP partner data:
- The SingleSignOnService HTTP-POST binding Location as sso_<ssoId>.idp_<idpId>.SingleSignOnUrl.
- The IDPSSODescriptor X509 Signing Certificate into a truststore.
Avoid trouble: If any of these properties are missing from the IdP metadata file, the command logs a warning message.
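As an added example that is not IBM code and not part of this page, the following Python function pulls the same two items from an IdP metadata file that the command imports, the HTTP-POST SingleSignOnService Location and the IDPSSODescriptor signing certificate, and reports the missing-item conditions that the command would log as warnings, so you can check a metadata file before you run importSAMLIdpMetaData. The sample metadata is constructed; the certificate value is a placeholder string, not a real X.509 certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces and binding URI from the SAML 2.0 metadata specification.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; the certificate is a placeholder, not a real cert.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(b'constructed-placeholder-not-a-real-cert').decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso/redirect"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.test/sso/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_idp_partner_data(metadata_xml):
    """Return (data, warnings): the values importSAMLIdpMetaData takes from this file."""
    data = {"SingleSignOnUrl": None, "signingCert": None, "signingCertSha256": None}
    warnings = []
    root = ET.fromstring(metadata_xml)
    # The descriptor may sit under EntityDescriptor or a nested EntitiesDescriptor.
    idp = next(root.iter(f"{{{MD}}}IDPSSODescriptor"), None)
    if idp is None:
        return data, ["no IDPSSODescriptor in metadata"]
    # Only the HTTP-POST binding is imported as sso_<ssoId>.idp_<idpId>.SingleSignOnUrl.
    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        if svc.get("Binding") == HTTP_POST:
            data["SingleSignOnUrl"] = svc.get("Location")
            break
    if data["SingleSignOnUrl"] is None:
        warnings.append("no SingleSignOnService with HTTP-POST binding")
    # A KeyDescriptor with use="signing", or with no use attribute (meaning both uses), holds the signing cert.
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(f".//{{{DS}}}X509Certificate")
        if cert is not None and cert.text and cert.text.strip():
            der = base64.b64decode("".join(cert.text.split()))
            data["signingCert"] = der
            data["signingCertSha256"] = hashlib.sha256(der).hexdigest()  # fingerprint to compare with the truststore entry
            break
    if data["signingCert"] is None:
        warnings.append("no X509 signing certificate in IDPSSODescriptor")
    return data, warnings
```

The SHA-256 fingerprint lets you compare the metadata certificate against whatever already sits under the signingCertAlias alias in the truststore before the command replaces it.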
Procedure
Results
Example
The following example imports the SAML IdP partner 1 metadata to SAML TAI SSO service provider partner 1 with a signing certificate alias name idp1CertAlias:
AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/myIdPmetadata.xml -ssoId 1 -idpId 1 -signingCertAlias idp1CertAlias')

The following example imports the SAML IdP partner 1 metadata to the security domain myDomain1 SAML TAI SSO service provider partner 1 with a signing certificate alias name idp1CertAlias:
AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/myIdPmetadata.xml -ssoId 1 -idpId 1 -signingCertAlias idp1CertAlias -securityDomainName myDomain1')