Before you configure SAML federation for ForgeRock, ensure that you have completed the following:

To set up SAML 2.0 federation with ForgeRock as your 3rd party IdP, complete the following tasks:

  1. Configuring IdP and Service Provider
  2. Configuring LDAP User Attributes
  3. Configuring Users and Groups
  4. Configuring SAML on Infoblox SSO Portal

Configuring IdP and Service Provider

Complete the following steps to configure the entity providers in ForgeRock.

Note

Instructions in the following sections are based on ForgeRock Access Management 6.5.2.3 Build 4ed586d624 and ForgeRock Identity Management 6.5.0.3 revision: 204a28f.

Creating Hosted Identity Provider

  1. Log in to the ForgeRock Access Management console.
  2. On the Access Management page, choose to configure an existing realm or create a new realm.

  3. On the Realm Overview dashboard, select Configure SAMLv2 Provider, as follows:

  4. On the Configure SAML 2.0 Provider page, select Create Hosted Identity Provider, as follows:


  5. In the metadata section, choose the applicable Realm and the Signing Key from the drop-down menu. The Signing Key menu lists the keys that are available in the keystore; the key you select is used to sign the assertions.



  6. Choose an existing Circle of Trust, or enter the name of a new one to be created, so that this IdP is included in it.

  7. On the Create a SAMLv2 Identity Provider on this Server page, click Configure in the upper-right corner, as follows:



  8. On the Your Identity Provider has been configured page, click Finish, as follows:

Configuring Assertions

  1. When you are redirected to the dashboard, click Applications -> Federation from the left navigation.
  2. On the Federation page, click Entity Providers.
  3. Check to ensure that the IdP and Circle of Trust were created. Click the newly created IdP in the Entity Provider section, and then select the Assertion Content tab, as follows:

  4. In the NameID Format section, complete the following for the NameID Value Map section:
    1. Current Values: Select the following and click Remove.
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=
    2. New Value: Enter the following value and click Add.
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=mail 
  5. Click Save and then Back to return to the Federation Page.
  6. On the Federation page, select the Assertion Processing tab.

  7. In the Attribute Mapper section, add each of the following expressions in the New Value textbox, and then click Add.
    • email=mail
    • firstName=givenname
    • lastName=sn
  8. Click Save and then Back to return to the Federation page.

Importing IdP Metadata

  1. In the Entity Provider section, select the IdP and click Import Identity, as follows:


  2. On the Import Entity Provider page, complete the following:
    • Realm Name: Select the correct realm name from the drop-down list.
    • Where does the metadata file reside?: Select File.
    • URL where metadata is located: Click Upload and navigate to the metadata file that you have previously downloaded from the SSO Portal. 
  3. Click Upload File, and then click OK after you have uploaded the file. See the following as an example:

Configuring Service Provider

  1. Select the service provider you just created using the imported IdP metadata, and ensure that the following fields are chosen and associated with your desired realm:
    • Authentication Requests Signed
    • Assertions Signed

  2. Scroll down to the NameID Format section and select the Disable NameID persistence checkbox, as follows:


  3. Click Save and then Back to return to the Federation page.

Configuring Circle of Trust

  1. On the Federation page, click the name of the Circle of Trust and ensure that both the IdP and the service provider are selected, as follows:

  2. Click Save.

Configuring LDAP User Attributes

After you have set up your identity provider, you can configure the LDAP user attributes.

To configure LDAP user attributes in ForgeRock, complete the following:

  1. On the Realm Overview dashboard, select Identity Stores -> OpenDJ, as follows:


  2. On the OpenDJ page, click the User Configuration tab.
  3. On the User Configuration page, check whether isMemberOf is in the LDAP User Attributes list. If not, add isMemberOf.


  4. Click Save Changes.
  5. Click Applications on the left navigation, and then click the Federation tab -> Entity Providers.
  6. Select the IdP and click the Assertion Processing tab.
  7. Add groups=isMemberOf to the attribute map, as follows:


  8. Click Save.
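The NameID value map (Configuring Assertions, step 4) and the attribute map entries (Configuring Assertions, step 7, and step 7 above) all use the same `samlName=ldapAttribute` form. The following script is an added illustration, not ForgeRock code: it applies those exact entries to a constructed LDAP entry and renders the resulting NameID and AttributeStatement, so you can see what the SSO Portal will receive. The semantics it assumes (value taken from the named LDAP attribute, one AttributeValue per LDAP value, attribute omitted when the entry lacks it, an entry with an empty right-hand side meaning "not mapped to a user attribute") are assumptions made for this example, and the sample user and group DNs are constructed.

```python
"""Simulate ForgeRock's NameID value map and attribute map on an LDAP entry.
Added example with assumed mapper semantics; not ForgeRock's own code."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Map entries exactly as entered in the console in the sections above.
NAMEID_VALUE_MAP = [f"{NAMEID_UNSPECIFIED}=mail"]
ATTRIBUTE_MAP = ["email=mail", "firstName=givenname", "lastName=sn", "groups=isMemberOf"]

# Constructed sample LDAP entry (not from the page). Keys are lowercased because
# LDAP attribute names are case-insensitive; every attribute is multi-valued.
SAMPLE_USER = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "givenname": ["Jane"],
    "sn": ["Doe"],
    "ismemberof": [
        "cn=dns-admins,ou=groups,dc=example,dc=com",
        "cn=staff,ou=groups,dc=example,dc=com",
    ],
}


def parse_map(entries):
    """Parse 'left=right' entries into {left: right_lowercased_or_None}.
    An empty right-hand side (the default entry removed in step 4) means the
    format is not mapped to any user attribute (assumption for this example)."""
    mapping = {}
    for entry in entries:
        if "=" not in entry:
            raise ValueError(f"malformed map entry: {entry!r}")
        left, right = entry.split("=", 1)
        if not left:
            raise ValueError(f"missing SAML name in map entry: {entry!r}")
        mapping[left] = right.strip().lower() or None
    return mapping


def nameid_value(user, nameid_map, fmt=NAMEID_UNSPECIFIED):
    """Return the NameID the IdP would emit for the given format, or None when
    the format is unmapped or the user lacks the mapped attribute."""
    attr = nameid_map.get(fmt)
    if attr is None:
        return None
    values = user.get(attr, [])
    return values[0] if values else None


def attributes_as_dict(user, attr_map):
    """SAML attribute name -> list of values; attributes the entry lacks are omitted."""
    return {saml: list(user[ldap]) for saml, ldap in attr_map.items() if user.get(ldap)}


def attribute_statement(user, attr_map):
    """Build a saml:AttributeStatement element: one Attribute per mapped name,
    one AttributeValue per LDAP value (so 'groups' carries every isMemberOf DN)."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for saml_name, values in attributes_as_dict(user, attr_map).items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=saml_name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return stmt


if __name__ == "__main__":
    ET.register_namespace("saml", SAML_NS)
    print("NameID:", nameid_value(SAMPLE_USER, parse_map(NAMEID_VALUE_MAP)))
    stmt = attribute_statement(SAMPLE_USER, parse_map(ATTRIBUTE_MAP))
    print(ET.tostring(stmt, encoding="unicode"))
```

Running it with the default entry (`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=`) instead of the `=mail` entry yields no NameID from the user's mail attribute, which is why step 4 removes the default and adds the mail mapping before the SSO Portal can identify the user by email.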


Configuring Users and Groups

You must set up users and groups in ForgeRock before you can map them to the BloxOne user groups.

Adding New Users

To add new users, complete the following:

  1. Log in to the ForgeRock Identity Management console.
  2. Click Manage Users, as follows:


  3. On the User List page, click + New User.
  4. On the New User page, complete all applicable information for the new user, as follows:
  5. Click Save.
  6. Click Save again on the summary page.

Adding User Groups

To add new user groups, complete the following:

  1. Log in to the ForgeRock Access Management console.
  2. On the realm tab, click Identities, and select the Groups tab -> Add Group, as follows:


  3. On the New Identity Group page, enter the Group ID and click Create, as follows:


Adding Users to User Groups

After you have added users and created a user group, you can add users to the user group.

To add users to the user group, complete the following:

  1. Log in to the ForgeRock Access Management console.
  2. On the realm tab, click Identities, and select the Groups tab.
  3. Choose the user group to which you want to add users.
  4. On the User page, select the Members tab and add the required users to the group using their usernames, as follows:


  5. Click Save changes.

Configuring SAML on Infoblox SSO Portal

After you have successfully set up the entity provider in ForgeRock, you can configure SAML on the Infoblox SSO Portal to complete the federation.

To configure SAML on Infoblox SSO Portal, complete the following:

  1. Open a browser window and enter the following URL to retrieve the ForgeRock metadata:

    http://<ServerURL>/saml2/jsp/exportmetadata.jsp?entityid=<SPentityID>&realm=<realm_name>
    where

    1. <ServerURL> is the full AM/OpenAM server URL. Example: http://host1.example.com:8080/am.
    2. <SPentityID> is the name of the SP entity provider you created in the Entity Provider configuration in ForgeRock.
    3. <realm_name> is the name of the realm in which the SP entity provider is configured. If the SP entity is configured at the top-level realm (/), you can omit the &realm parameter from the URL.

    Note

    Keep this browser window open when adding configuration data to the Configure SAML page on the Infoblox SSO Portal.

    The following is a sample ForgeRock metadata and the values you need to copy for the SAML configuration on the SSO Portal:



  2. From the ForgeRock metadata, copy the following:
    • Single Sign-On URL, which is located at SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".
    • Entity ID, which is the entityID. 
    • Signature Certificate
  3. Log in to the Infoblox SSO Portal.
  4. Go to Authentication -> 3rd Party IdP, and then click Configure SAML.
  5. Enter the following values that you have copied from the ForgeRock metadata:
    • IDP Single Sign-On URL:  Paste the Single Sign-On URL here.
    • IDP Issuer URI: Paste the Entity ID here.
    • Signature Certificate: Paste only the X.509 certificate body, which is the value between "BEGIN CERTIFICATE" and "END CERTIFICATE", or between the XML elements <ds:X509Certificate> and </ds:X509Certificate>, depending on your data format. The SSO Portal also supports Base64 certificates with the following file extensions: .crt, .pem, and .ca-bundle.

      Note

      If you receive an error message about the certificate, go to the beginning of the last line of the certificate and hit backspace to remove extra spaces in the previous line. You might need to repeat the same process for any lines that might include extra spaces.
  6. Click Save & Close.
  7. After you have configured the SAML application, you can complete the following configuration in the SSO Portal:
    1. Mapping User Groups (Optional)
    2. Testing 3rd Party IdP Authentication
    3. Activating 3rd Party IdP Authentication

    You can also perform the following after you set up 3rd party IdP authentication:
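The metadata URL in step 1 and the three values copied in steps 2 and 5 can be handled by a short script rather than by hand, which also avoids the stray-whitespace problem the certificate note describes. The script below is an added example, not Infoblox or ForgeRock code. It builds the exportmetadata.jsp URL (omitting the realm parameter for the top-level realm, as step 1 says), then extracts the entityID, the HTTP-POST SingleSignOnService Location and the signing certificate from an IdP EntityDescriptor and normalizes the certificate. The metadata document is a constructed sample in the standard SAML 2.0 metadata layout; its "certificate" is a placeholder DER blob (a minimal ASN.1 SEQUENCE), not a real certificate, and is only enough to exercise the structural check.

```python
"""Build the ForgeRock metadata export URL and pull the SSO URL, Entity ID and
signing certificate out of IdP metadata. Added example; the metadata below is
a constructed sample and the certificate is a placeholder, not a real key."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def metadata_url(server_url, sp_entity_id, realm="/"):
    """URL from step 1; the &realm parameter is omitted for the top-level realm (/)."""
    params = {"entityid": sp_entity_id}
    if realm and realm != "/":
        params["realm"] = realm
    return f"{server_url.rstrip('/')}/saml2/jsp/exportmetadata.jsp?{urlencode(params)}"


def normalize_certificate(text):
    """Strip PEM header/footer, line breaks and the trailing spaces the note above
    warns about, then check the result is strict base64 decoding to a DER SEQUENCE
    (first byte 0x30), which every X.509 certificate starts with."""
    lines = [line.strip() for line in text.strip().splitlines()]
    b64 = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(b64, validate=True)  # binascii.Error on stray characters
    if not der or der[0] != 0x30:
        raise ValueError("certificate does not decode to a DER SEQUENCE")
    return b64


def extract_idp_values(metadata_xml):
    """Return the Entity ID, HTTP-POST SSO URL and signing certificate (steps 2 and 5)."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    sso_url = None
    for svc in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
        if svc.get("Binding") == HTTP_POST:  # step 2 asks for the HTTP-POST endpoint
            sso_url = svc.get("Location")
            break
    cert_el = None
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            cert_el = kd.find(f".//{{{DS_NS}}}X509Certificate")
            break
    if entity_id is None or sso_url is None or cert_el is None or not cert_el.text:
        raise ValueError("metadata lacks entityID, HTTP-POST SSO endpoint or signing certificate")
    return {
        "entity_id": entity_id,
        "sso_url": sso_url,
        "certificate": normalize_certificate(cert_el.text),
    }


# Constructed sample metadata. The placeholder certificate is base64 of the bytes
# 30 03 02 01 05 (a minimal DER SEQUENCE), wrapped across lines with trailing
# spaces to reproduce the copy/paste problem described in the note above.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()  # "MAMCAQU="
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="http://host1.example.com:8080/am">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64[:4] + '   '}
        {PLACEHOLDER_CERT_B64[4:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://host1.example.com:8080/am/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="http://host1.example.com:8080/am/SSOPOST/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    print(metadata_url("http://host1.example.com:8080/am", "sp-entity", "myrealm"))
    for key, value in extract_idp_values(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect` endpoint is present in the sample on purpose: real metadata usually lists both bindings, and the script picks the HTTP-POST one because that is the endpoint step 2 names for the SSO Portal.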


