
Configuring SAML 2.0 Application for ForgeRock

Before you configure SAML federation for ForgeRock, ensure that you have completed the following:

To configure SAML 2.0 application for ForgeRock, complete the following sections:

Configuring IdP and Service Provider

Complete the following steps to configure entity provider in ForgeRock.

Note

Instructions in the following sections are based on ForgeRock Access Management 6.5.2.3 Build 4ed586d624 and ForgeRock Identity Management 6.5.0.3 revision: 204a28f.

Creating Hosted Identity Provider

  1. Log in to the ForgeRock Access Management console.
  2. On the Access Management page, choose to configure an existing realm or create a new realm.

  3. On the Realm Overview dashboard, select Configure SAMLv2 Provider, as follows:
    The screenshot shows the Realm Overview dashboard. The Configure SAMLv2 Provider tile is highlighted.

  4. On the Configure SAML 2.0 Provider page, select Create Hosted Identity Provider, as follows:

    The screenshot shows the Configure SAML 2.0 Provider page. The Create Hosted Identity Provider tile is highlighted.

  5. In the metadata section, choose the applicable Realm and the Signing Key from the drop-down menu. The Signing Key menu lists keys that are available in the keystore. The key you select will be used as a signing key for the assertions. 

    The screenshot shows the metadata section, which contains a dropdown menu called Realm, a text field called Name, and a dropdown menu called Signing Key.

  6. In the Circle of Trust section, either select an existing Circle of Trust or enter the name of a new one to be created. The IdP is added to the Circle of Trust you choose here; the service provider is added to the same Circle of Trust later.

  7. On the Create a SAMLv2 Identity Provider on this Server page, click Configure in the upper-right corner, as follows:

    The screenshot shows the Create a SAMLv2 Identity Provider on this Server page, and the Configure button is highlighted.

  8. On the Your Identity Provider has been configured page, click Finish, as follows:
    The screenshot shows the Your Identity Provider Has Been Configured page. The Finish button is highlighted.

Configuring Assertions

  1. When you are redirected to the dashboard, click Applications -> Federation from the left navigation.
  2. On the Federation page, click Entity Providers.
  3. Check to ensure that the IdP and Circle of Trust were created. Click the newly created IdP in the Entity Provider section, and then select the Assertion Content tab, as follows:
    The screenshot shows the Federation page with the Assertion Content tab open.
  4. In the NameID Format section, complete the following in the NameID Value Map section, so that the NameID sent in the assertion is the user's mail attribute rather than an empty value:
    1. Current Values: Select the following and click Remove.
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=
    2. New Value: Enter the following value and click Add.
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=mail 
  5. Click Save and then Back to return to the Federation Page.
  6. On the Federation page, select the Assertion Processing tab.
    The screenshot shows the Federation page with the Assertion Processing tab open.
  7. In the Attribute Mapper section, enter each of the following expressions (assertion attribute name=LDAP attribute name) in the New Value text box and click Add after each one. The left side is the attribute name the SSO Portal receives; the right side is the LDAP attribute AM reads from the user's entry.
    • email=mail
    • firstName=givenname
    • lastName=sn
  8. Click Save and then Back to return to the Federation page.

Importing the SSO Portal Service Provider Metadata

  1. In the Entity Provider section, click Import Entity, as follows. This step imports the service provider (SP) metadata that you downloaded from the Infoblox SSO Portal and creates a remote SP entity in ForgeRock; the hosted IdP you created above is not changed.
    The screenshot shows the Entity Provider section. The Import Entity button is highlighted.

  2. On the Import Entity Provider page, complete the following:
    • Realm Name: Select the realm in which you created the hosted IdP.
    • Where does the metadata file reside?: Select File.
    • URL where metadata is located: Click Upload and navigate to the metadata file that you previously downloaded from the Infoblox SSO Portal. 
  3. Click Upload File, and then click OK after you have uploaded the file. See the following as an example:

    The screenshot shows the Import Entity Provider page. The Realm Name field shows the name of the realm in the drop-down menu. The Where Does The Metadata File Reside field shows the path and name of the selected file.

Configuring Service Provider

  1. Select the remote service provider that was created when you imported the SSO Portal metadata, and ensure that the following checkboxes are selected and that the entity is associated with your desired realm:
    • Authentication Requests Signed
    • Assertions Signed
      The screenshot shows the configuration dialog, where the Authentication Requests Signed checkbox and Assertions Signed checkbox are selected.
    With Authentication Requests Signed selected, AM rejects unsigned AuthnRequests from the SSO Portal, so the imported SP metadata must carry the certificate the portal signs its requests with. Assertions Signed makes AM sign the assertion with the Signing Key you chose when creating the IdP; the SSO Portal verifies that signature with the certificate you paste later.

  2. Scroll down to the NameID Format section and select the Disable NameID persistence checkbox, as follows. AM then does not store a persistent federation link for each user; the NameID is taken from the mail attribute on every login, as configured under Configuring Assertions.
    The screenshot shows the NameID Format section, where the Disable NameID Persistence checkbox is selected.

  3. Click Save and then Back to return to the Federation page.

Configuring Circle of Trust

  1. On the Federation page, click the name of the Circle of Trust and ensure that both the IdP and the service provider are in the Selected list, as follows. AM only federates between entities in the same Circle of Trust, so a missing SP here results in a failed login rather than a configuration error.
    The screenshot shows the Realm section, which contains the Available list on the left, the Selected list on the right, and the Add, Remove, and other buttons in the middle. The Selected pane contains the IdP and the service provider.

  2. Click Save.

Configuring LDAP User Attributes

After you have set up your identity provider, you can configure the LDAP user attributes.

To configure LDAP user attributes in ForgeRock, complete the following:

  1. On the Realm Overview dashboard, select Identity Stores -> OpenDJ, as follows:
    The screenshot shows the Realm Overview dashboard. The Identity Stores item is highlighted.

  2. On the OpenDJ page, click the User Configuration tab.
  3. On the User Configuration page, check whether isMemberOf is in the LDAP User Attributes list. If not, add isMemberOf. AM only reads attributes that appear in this list, so without this entry the groups mapping in the following steps produces no value.
    The screenshot shows the LDAP user attributes.

  4. Click Save Changes.
  5. Click Applications on the left navigation, and then click the Federation tab -> Entity Providers.
  6. Select the IdP and click the Assertion Processing tab.
  7. Add groups=isMemberOf to the attribute map, as follows. isMemberOf is multi-valued and holds group DNs, so the groups attribute in the assertion carries one value per group the user belongs to.
    The screenshot shows the Attribute Mapper section, where the Current Values list contains groups=isMemberOf.

  8. Click Save.
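The following is an added example, not ForgeRock or Infoblox code. It applies the same assertion-attribute=LDAP-attribute map entered under Configuring Assertions (steps 4 and 7) and the groups=isMemberOf entry above to a constructed OpenDJ entry, and builds the NameID and AttributeStatement the SSO Portal receives. The user jdoe, the example.com suffix and the group DNs are assumptions chosen for illustration; the point is to see the shape of the data (single-valued mail as NameID, multi-valued DN-valued groups) before working through Mapping User Groups on the portal.

```python
"""Build the NameID and AttributeStatement that the ForgeRock IdP configuration on
this page produces for one user. Added example, not ForgeRock or Infoblox code: the
LDAP entry below is constructed, and the map strings are the ones entered in AM."""
import xml.etree.ElementTree as ET

NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NS_ASSERT = "urn:oasis:names:tc:SAML:2.0:assertion"

# Values entered in the AM console (Attribute Mapper and NameID Value Map).
ATTRIBUTE_MAP = ["email=mail", "firstName=givenname", "lastName=sn", "groups=isMemberOf"]
NAMEID_VALUE_MAP = [f"{NAMEID_UNSPECIFIED}=mail"]

# Constructed OpenDJ entry. LDAP attribute names are case-insensitive (the map says
# "givenname", the schema says "givenName"); isMemberOf is multi-valued and DN-valued.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "isMemberOf": ["cn=netadmins,ou=groups,dc=example,dc=com",
                   "cn=dns-readonly,ou=groups,dc=example,dc=com"],
}


def parse_map(entries):
    """'saml=ldap' strings -> dict. Split on the first '=' only: NameID formats
    contain ':' but no '='. A bare 'name=' (the entry the page removes) is rejected
    rather than silently mapping to nothing."""
    out = {}
    for entry in entries:
        saml, sep, ldap = entry.partition("=")
        if not sep or not ldap.strip():
            raise ValueError(f"incomplete map entry {entry!r}")
        out[saml.strip()] = ldap.strip()
    return out


def ldap_get(entry, name):
    """Case-insensitive attribute lookup; [] when the attribute is absent."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []


def name_id(entry, value_map, fmt=NAMEID_UNSPECIFIED):
    """NameID value for the given format; must resolve to exactly one value."""
    values = ldap_get(entry, parse_map(value_map)[fmt])
    if len(values) != 1:
        raise ValueError(f"NameID source must be single-valued, got {values!r}")
    return values[0]


def attribute_statement(entry, attr_map):
    """Return (xml, {saml_name: [values]}) for the mapped attributes. Attributes the
    entry lacks are left out, which is what AM does, so check the dict for gaps."""
    ET.register_namespace("saml", NS_ASSERT)
    stmt = ET.Element(f"{{{NS_ASSERT}}}AttributeStatement")
    result = {}
    for saml_name, ldap_name in parse_map(attr_map).items():
        values = ldap_get(entry, ldap_name)
        if not values:
            continue
        result[saml_name] = values
        attr = ET.SubElement(stmt, f"{{{NS_ASSERT}}}Attribute", Name=saml_name)
        for value in values:
            ET.SubElement(attr, f"{{{NS_ASSERT}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode"), result


if __name__ == "__main__":
    print("NameID:", name_id(SAMPLE_ENTRY, NAMEID_VALUE_MAP))
    print(attribute_statement(SAMPLE_ENTRY, ATTRIBUTE_MAP)[0])
```

Compare the printed statement with a capture from a SAML tracer after a test login: the groups values are full DNs, so that is the form the portal's group mapping has to match, and a missing firstName or lastName means the LDAP entry lacks the attribute rather than the map being wrong.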

Configuring Users and Groups

You must set up users and groups in ForgeRock before you can map them to Infoblox Platform user groups.

Adding New Users

To add new users, complete the following:

  1. Log in to the ForgeRock Identity Management console.
  2. Click Manage Users, as follows:
    The screenshot shows the Quick Start dashboard. The Manage Users tile is highlighted.

  3. On the User List page, click + New User.
  4. On the New User page, complete all applicable information for the new user, as follows. Email Address must be filled in, because the mail attribute is used as the NameID and as the email assertion attribute.
    The screenshot shows the New User page, which contains the fields Username, First Name, Last Name, Email Address, Password, and Retype Password.
  5. Click Save.
  6. Click Save again on the summary page.

Adding User Groups

To add new user groups, complete the following:

  1. Log in to the ForgeRock Access Management console.
  2. On the realm tab, click Identities, and select the Groups tab -> Add Group, as follows:
    The screenshot shows the Identities tab. The Add Group button is highlighted.

  3. On the New Identity Group page, enter the Group ID and click Create, as follows:
    The screenshot shows the New Identity Group page. The Create button is highlighted.
Adding Users to User Groups

After you have added users and created a user group, you can add users to the user group.

To add users to the user group, complete the following:

  1. Log in to the ForgeRock Access Management console.
  2. On the realm tab, click Identities, and select the Groups tab.
  3. Choose the user group to which you want to add users.
  4. On the User page, select the Members tab and add the required users to the group using their usernames, as follows:
    The screenshot shows the User page. In the Members tab, the Members field contains the usernames.

  5. Click Save changes.

Configuring SAML on Infoblox SSO Portal

After you have successfully set up the entity provider in ForgeRock, you can configure SAML on the Infoblox SSO Portal to complete the federation.

To configure SAML on Infoblox SSO Portal, complete the following:

  1. Open a browser window and enter the following URL to retrieve the ForgeRock metadata:

    <ServerURL>/saml2/jsp/exportmetadata.jsp?entityid=<IdPentityID>&realm=<realm_name>
    where

    1. <ServerURL> is the full AM/OpenAM server URL, including the scheme. Example: http://host1.example.com:8080/am. Use the HTTPS URL of your deployment where one is configured: the metadata carries the IdP signing certificate, and anything fetched over plain HTTP can be altered in transit.
    2. <IdPentityID> is the entity ID of the hosted identity provider you created in the Entity Provider configuration in ForgeRock. The exported metadata must be the IdP's metadata: the SSO Portal needs the IdP's single sign-on URL, entity ID and signing certificate, not those of the imported service provider.
    3. <realm_name> is the name of the realm in which the hosted IdP is configured. If the IdP is configured at the top level realm (/), you can omit the &realm parameter from the URL.

    Note

    Keep this browser window open when adding configuration data to the Configure SAML page on the Infoblox SSO Portal.

    The following is a sample of ForgeRock metadata and the values you need to copy for the SAML configuration on the SSO Portal:

    The screenshot shows the sample ForgeRock metadata and highlights the entityID, Signature Certificate, and Single Sign-on URL.

  2. From the ForgeRock metadata, copy the following:
    • Single Sign-On URL: the Location attribute of the SingleSignOnService element whose Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST (not the HTTP-Redirect element next to it).
    • Entity ID: the entityID attribute of the EntityDescriptor element.
    • Signature Certificate: the X509Certificate value inside the KeyDescriptor with use="signing". The SSO Portal requires a certificate whose signature uses SHA-256 or stronger.
  3. Log in to the Infoblox SSO Portal.
  4. Go to Authentication -> 3rd Party IdP, and then click Configure SAML.
  5. Enter the following values that you have copied from the ForgeRock metadata:
    • IDP Single Sign-On URL:  Paste the Single Sign-On URL here.
    • IDP Issuer URI: Paste the Entity ID here.
    • Signature Certificate: Paste only the Base64 certificate body, that is, the value between the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines of a PEM file, or between the <ds:X509Certificate> and </ds:X509Certificate> tags of the metadata, depending on your data format. The SSO Portal also supports Base64 certificate files with the following extensions: .crt, .pem, and .ca-bundle. A certificate whose signature uses SHA-256 or stronger is required.

      Note

      If you receive an error message about the certificate, go to the beginning of the last line of the certificate and hit backspace to remove extra spaces in the previous line. You might need to repeat the same process for any lines that might include extra spaces.

  6. Click Save & Close.
  7. After you have configured the SAML application, you can complete the following configuration in the SSO Portal:
    1. Mapping User Groups
    2. Testing 3rd Party IdP Authentication
    3. Activating 3rd Party IdP Authentication

    You can also perform the following after you set up 3rd party IdP authentication:
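As a worked example for steps 1 to 5 of Configuring SAML on Infoblox SSO Portal, the following script is added here and is not Infoblox or ForgeRock code. It reads IdP metadata of the form exportmetadata.jsp returns, picks out the HTTP-POST single sign-on URL, the entityID and the signing certificate, strips the whitespace that causes the certificate error the Note describes, and walks the certificate's DER structure to read its signature algorithm so the SHA-256 requirement can be checked before pasting. The host am.example.com, the entity ID https://am.example.com/am and the endpoint paths in SAMPLE_METADATA are assumptions; the certificate embedded in the sample is a constructed DER shell that carries only a signatureAlgorithm field, so the check runs offline. Point sso_portal_values at the real metadata text to use it against your deployment.

```python
"""Pull the Infoblox SSO Portal values out of ForgeRock AM IdP metadata and check the
signing certificate's signature algorithm. Added example, not Infoblox or ForgeRock code.
Host name, entity ID and endpoint paths in SAMPLE_METADATA are assumed; its certificate is
a constructed DER shell carrying only a signatureAlgorithm, so the check runs offline."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
WEAK = {"sha1WithRSAEncryption"}  # below the portal's SHA-256 minimum

def _der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 arcs, first two folded)."""
    arcs = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))

def stub_certificate(sig_oid):
    """Constructed stand-in for a certificate: SEQUENCE { empty tbsCertificate,
    AlgorithmIdentifier { sig_oid, NULL }, empty signatureValue }. Not a real cert."""
    alg = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))

def _tlv(buf, off):
    """Return (tag, value_start, value_end) for the TLV starting at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, off, off + ln

def signature_algorithm(der):
    """Read the outer signatureAlgorithm OID of a DER certificate; that field decides
    whether the certificate meets the SHA-256 requirement."""
    tag, start, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)           # tbsCertificate, skipped whole
    alg_tag, alg_start, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier
    oid_tag, o_start, o_end = _tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER Certificate structure")
    body = der[o_start:o_end]
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    dotted = ".".join(map(str, arcs))
    return SIG_OIDS.get(dotted, dotted)

def sso_portal_values(metadata_xml):
    """Return the HTTP-POST SSO URL, entity ID and whitespace-free Base64 certificate."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: export the hosted IdP, not the SP")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_POST]
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):  # no use= means signing and encryption
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use") in (None, "signing") and node is not None and node.text:
            cert = re.sub(r"\s+", "", node.text)  # the stray spaces the Note talks about
            break
    if not sso or cert is None:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    alg = signature_algorithm(base64.b64decode(cert))
    return {"sso_url": sso[0], "entity_id": root.get("entityID"), "certificate": cert,
            "signature_algorithm": alg,
            "signature_ok": alg in SIG_OIDS.values() and alg not in WEAK}

_STUB = base64.b64encode(stub_certificate("1.2.840.113549.1.1.11")).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://am.example.com/am">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_STUB}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://am.example.com/am/SSORedirect/metaAlias/idp"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://am.example.com/am/SSOPOST/metaAlias/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in sso_portal_values(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The signature-algorithm walk deliberately skips tbsCertificate rather than parsing it; the outer AlgorithmIdentifier is what the portal's SHA-256 rule is about, and reading it needs no third-party library. If signature_ok comes back False, reissue the IdP signing certificate with a SHA-256 signature in the AM keystore before continuing.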
