...

  • Deploy SAML 2.0 for SSO using the AM console and configure the hosted identity provider and the remote service provider. For more information, refer to the ForgeRock documentation.
  • When using a non-root realm with a name such as /CaptivePortalInfoblox, every API endpoint contains the path /realms/root/realms/CaptivePortalInfoblox. When using the root realm (‘/’), every API endpoint contains the path /realms/root.
  • When configuring the hosted identity provider, select a signing key that you have created or imported. Do not leave this blank. Also, choose the circle of trust for the identity provider and remember its name, because the service provider must be in the same circle of trust.
  • When configuring the remote service provider, upload the service provider metadata file that you downloaded from the Infoblox Cloud Services Portal. In addition, add an attribute mapping where the name in the assertion must be ‘groups’ and the Local Attribute name must be the attribute that stores the group information. Lastly, remove the transient and persistent NameID formats.

...

Parameter: Entity ID and Assertion Consumer Service URL (Service Provider)
Description: The Entity ID is the audience URI for setting up the basic SAML configuration, and the ACS URL directs your IdP where to send the SAML response after authenticating a user. In OpenAM, you may skip these parameters and create your own signing key and import the certificate into the truststore used by OpenAM. For more information, refer to the ForgeRock documentation.
Usage: N/A

Parameter: Metadata File (Service Provider)
Description: The Metadata File is an XML file that contains the service provider information you need to set up the remote service provider in OpenAM.
Usage:
  • In the SERVICE PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal, click Download to download the Metadata file.
  • Upload the metadata file when configuring the remote service provider in the Register Service Provider window.

Parameter: Metadata URL (IdP)
Description: The IdP Metadata URL points to the XML file that contains the IdP information you need to set up the connection with the IdP. If you can obtain the XML file, you do not need to enter the other details separately.
Usage:
  • In OpenAM, use the exportmetadata.jsp function to export the metadata. For more information, see the ForgeRock documentation.
  • Enter the exported value in the Metadata URL field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.

Parameter: Issuer (IdP)
Description: The IdP Issuer is the Entity Provider Name.
Usage:
  • In OpenAM, navigate to the SAML 2.0 application -> Sign-On -> View Setup Instructions, and then copy the Identity Provider Issuer.
  • Enter the copied value in the Issuer field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.

Parameter: SSO URL (IdP)
Description: The IdP SSO URL redirects the service provider to OpenAM to authenticate and sign on the user.
Usage:
  • In OpenAM, navigate to Applications -> Federation -> Entity Providers -> Entity Providers -> <realm_name> -> Services -> IDP Service Attributes -> Single Sign On Service -> POST.
  • Enter the value in the SSO URL field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.

Parameter: Signing Certificate (IdP)
Description: The IdP Signing Certificate ensures that data is coming from the expected IdP and service provider. The certificate is used to sign SAML requests, responses, and assertions from the service to relying applications.
Usage:
  • In OpenAM, use the keytool command to retrieve the certificate from the keystore in PEM format. For more information, see the ForgeRock documentation. You can also use the signing key file that you created and imported into the truststore.
  • In the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal, click Select file for Signing Certificate to locate the downloaded certificate.
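The SAML settings above leave the service provider with three things it must enforce on every assertion it receives: the Audience must equal the SP Entity ID, the NameID format must be one that was left enabled (transient and persistent were removed), and the 'groups' attribute must be present. The following checker, added here as an example and not code from Infoblox or ForgeRock, applies those rules plus the validity window to a constructed sample assertion using only the Python standard library. The Entity ID, issuer URL and group names are placeholders. XML signature verification against the IdP signing certificate is the other mandatory check; it needs a canonicalizing XML-DSig library and is not shown.

```python
"""Relying-party checks for an inbound SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder SP Entity ID; the real value comes from the CSP Create Authentication Profile dialog.
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"

# Formats the configuration above removed from the SP; an assertion using them is rejected.
DISALLOWED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

# Constructed sample assertion (issuer, subject and group names are made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://openam.example.invalid/openam</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">alice@example.invalid</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>network-admins</saml:AttributeValue>
      <saml:AttributeValue>helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Two evaluation times inside and after the sample validity window.
NOW_OK = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
NOW_LATE = datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc)


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC; drop the trailing 'Z' for fromisoformat.
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, sp_entity_id, now):
    """Return (ok, problems, groups) for one assertion; ok is True only when problems is empty."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, ["root element is not a saml:Assertion"], []

    # 1. Audience restriction must name this SP's Entity ID (the 'audience URI' above).
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience %r does not include the SP Entity ID" % audiences)

    # 2. Validity window: reject assertions that are not yet valid or already expired.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            problems.append("assertion expired")

    # 3. NameID format must be one the SP still accepts.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    elif name_id.get("Format") in DISALLOWED_NAMEID_FORMATS:
        problems.append("NameID format %s is not accepted" % name_id.get("Format"))

    # 4. The 'groups' attribute mapped in the SP configuration must be present.
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "groups":
            groups = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if not groups:
        problems.append("no 'groups' attribute in assertion")

    return not problems, problems, groups


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID, NOW_OK))
```

The audience comparison is an exact string match on purpose: a prefix or substring match would let an assertion issued for another service provider in the same circle of trust be accepted here.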

...

  • Deploy OpenID Connect for SSO using the AM console and configure the hosted identity provider and the remote service provider. For more information, refer to the ForgeRock documentation.
  • When using a non-root realm with a name such as /CaptivePortalInfoblox, every API endpoint contains the path /realms/root/realms/CaptivePortalInfoblox. When using the root realm (‘/’), every API endpoint contains the path /realms/root.
  • When configuring the hosted identity provider, select a signing key that you have created or imported. Do not leave this blank. Also, choose the circle of trust for the identity provider and remember its name, because the service provider must be in the same circle of trust.
  • When configuring the remote service provider, upload the service provider metadata file that you downloaded from the Infoblox Cloud Services Portal. In addition, add an attribute mapping where the name in the assertion must be ‘groups’ and the Local Attribute name must be the attribute that stores the group information. Lastly, remove the transient and persistent NameID formats.

...

Parameter: Login Redirect URI (Client)
Description: The Login Redirect URI determines where the authorization server redirects the user once the application is successfully authorized and granted an authorization code or access token.
Usage:
  • Copy the Login Redirect URI from the CLIENT DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
  • Enter the copied value in the Login Redirect URIs of the OpenID Connect application.

Parameter: Client ID (Client)
Description: The Client ID is the identifier for logging in to the IdP client.
Usage:
  • In OpenAM, navigate to the OpenID Connect application -> General -> Client ID, and then click Copy to clipboard.
  • Enter the copied value in the Client ID field in the CLIENT DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.

Parameter: Client Secret (Client)
Description: The Client Secret is the password for logging in to the IdP client.
Usage:
  • In OpenAM, navigate to the OpenID Connect application -> General -> Client Secret, and then click Copy to clipboard.
  • Enter the copied value in the Client Secret field in the CLIENT DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.

Parameter: Issuer (IdP)
Description: The Issuer is a discovery URI that defines the unique identifier for the identity provider.
Usage:
  • In OpenAM, configure OpenID Connect Discovery and retrieve the identity provider URI.
  • Enter the discovery URI in the Issuer field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
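The OpenID Connect parameters above (realm-dependent issuer, Client ID, Login Redirect URI) each correspond to a check the relying party has to make. The example below is added here and is not Infoblox or ForgeRock code; it uses only the Python standard library. It builds the realm path exactly as the realm rule above states, then validates a constructed discovery document and a constructed set of ID token claims against the configured issuer and Client ID, and shows exact-match checking of the redirect URI. The AM base URL, client identifiers and URLs are placeholders, and the layout of the issuer as {base URL}/oauth2{realm path} is an assumption. Verifying the ID token signature with the keys at jwks_uri is the remaining mandatory step and needs a JOSE library, so it is not shown.

```python
"""Relying-party checks for the OpenID Connect settings above (added example)."""
import json

AM_BASE_URL = "https://openam.example.invalid/openam"   # placeholder deployment URL
CLIENT_ID = "csp-oidc-client"                            # constructed Client ID
REGISTERED_REDIRECT_URIS = {"https://csp.example.invalid/oidc/callback"}  # constructed


def realm_path(realm):
    """Path segment for a realm, following the rule stated above for root and non-root realms."""
    realm = realm.strip("/")
    if not realm:
        return "/realms/root"
    return "/realms/root/realms/" + realm


def issuer_for_realm(realm, base_url=AM_BASE_URL):
    # Assumption: the realm's OAuth2/OIDC provider is served under /oauth2 plus the realm path.
    return base_url + "/oauth2" + realm_path(realm)


def discovery_url(issuer):
    """OpenID Connect Discovery location derived from the issuer (the 'discovery URI' above)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


ISSUER = issuer_for_realm("/CaptivePortalInfoblox")

# Constructed discovery document, shaped like a real one but with placeholder endpoints.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/access_token",
    "jwks_uri": ISSUER + "/connect/jwk_uri",
    "response_types_supported": ["code"],
})

# Constructed ID token claims as they would look after signature verification.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "sub": "alice",
    "exp": 1704067500,
    "iat": 1704067200,
    "nonce": "n-constructed-1",
}


def validate_discovery(doc_text, expected_issuer):
    """Return a list of problems; empty means the document is usable for expected_issuer."""
    doc = json.loads(doc_text)
    problems = []
    # The issuer inside the document must equal the configured issuer byte for byte;
    # accepting a different value would bind this client to a provider it did not configure.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer %r does not match configured issuer" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append("missing " + key)
        elif not url.startswith("https://"):
            problems.append(key + " is not an https URL")
    return problems


def validate_id_token_claims(claims, expected_issuer, client_id, expected_nonce, now):
    """Return a list of problems with the claims of an ID token whose signature already checked out."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match configured issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        problems.append("aud does not contain this Client ID")
    if len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this Client ID")
    exp = claims.get("exp")
    if exp is None or now >= exp:
        problems.append("token expired or has no exp")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the value sent in the request")
    return problems


def redirect_uri_allowed(uri, registered=REGISTERED_REDIRECT_URIS):
    """Exact string comparison only; prefix or wildcard matching is deliberately not used."""
    return uri in registered


if __name__ == "__main__":
    print(ISSUER, discovery_url(ISSUER))
    print(validate_discovery(SAMPLE_DISCOVERY, ISSUER))
    print(validate_id_token_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, "n-constructed-1", 1704067300))
```

When the realm is moved (for example from the root realm to /CaptivePortalInfoblox), the issuer string changes, so the Issuer field on the Infoblox side must be updated to the new discovery URI; a stale issuer fails the first check in validate_discovery rather than silently accepting the old provider.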