/
Using OpenAM as the IdP
Document toolboxDocument toolbox

Using OpenAM as the IdP

Owned by Shirly Tsang
Jan 21, 2025

SAML Authentication

To integrate SAML with OpenAM or ForgeRock AM as the IdP, you must complete the following prerequisites:

  • Deploy SAML 2.0 for SSO using the AM console and configure the hosted identity provider and remote service provider. For more information, refer to the ForgeRock documentation.
  • When using a non-root realm with a name such as /CaptivePortalInfoblox, any API endpoint will contain the following path: /realms/root/realms/CaptivePortalInfoblox. When using root realm (‘/’), all API endpoints will contain the following path /realms/root.
  • When configuring hosted identity provider, select a signing key that you have created or imported. Do not leave this blank. Also, choose the circle of trust for the identity provider and remember the name because the service provider must be in the same circle of trust.
  • When configuring the remote service provider, upload the service provider metadata file that you downloaded from the Infoblox Portal. In addition, add attribute mapping where the name in the assertion must be ‘groups’ and the Local Attribute name must be the one that stores the group information. Lastly, remove the transient and persistent NameID formats.

To configure remote service provider, complete the following:

Navigate to Realms -> <captive portal  name> Configure SAML Provider > Create Remote Service Provider, and complete the followng:

  • Select File for Where does the metadata file reside?
  • Click Upload -> choose a <file> -> select Metadata XML File -> Upload File
  • Add attribute mapping where the name in assertion must be groups and Local Attribute equals isMemberof -> click Add.
  • Add attribute mapping for email.
  • Click Configure.

Note

Note, that attribute mapping can be configured in Applications -> Federation -> Entity Providers > http://captiveportal.infoblox.internal/ > Assertion Processing.

  • groups=isMemberof -> click Add.

  • email=<email-attribute> -> click Add.

  • Click Save.

To configure NameID format, complete the following:

Navigate to Applications > Federation > Entity Providers > <captive portal> > NameID Format.

  • Remove the transient and persistent NameID formats.

  • Click Save.

The following table lists the required parameters for a successful integration:

ParameterDescriptionUsage

Entity ID

Assertion Consumer Service URL (Service Provider)

The Entity ID is the audience URI for setting up the basic SAML configuration, and the ACS URL directs your IdP where to send the SAML response after authenticating a user. 

In OpenAM, you may skip these parameters and create your own signing key and import the certificate into the truststore used by Open AM. For more information, refer to the ForgeRock documentation.

N/A
Metadata File (Service Provider)The Metadata File is an XML file that contains the service provider information you need to set up the remote service provider in Open AM.
  • In the SERVICE PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Portal, click Download to download the Metadata file.
  • Upload the metadata file when configuring remote service provider in the Register Service Provider window.
Metadata URL (IdP)The IdP Metadata URL directs you to the XML file that contains the IdP information you need to set up the connection with the IdP. You do not need to enter other details separately if you can obtain the XML file.
  • In Open AM, use the exportmetadata.jsp function to export the metadata. For more information, see the ForgeRock documentation.
  • Enter the export value in the Metadata URL field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Portal.
Issuer (IdP)The IdP Issuer is the Entity Provider Name.
  • In Open AM, navigate to the SAML 2.0 application -> Sign-On -> View Setup Instructions, and then copy Identity Provider Issuer.
  • Enter the copied value in the Issuer field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Portal.
SSO URL (IdP)The IdP SSO URL redirects the service provider to Open AM to authenticate and sign on the user.
  • In Open AM, navigate to Applications -> Federation -> Entity Providers -> Entity Providers -> <realm_name> -> Services -> IDP Service Attributes -> Single Sign On Service -> POST.
  • Enter the value in the SSO URL field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Portal.
Signing Certificate (IdP)The IdP Signing Certificate ensures that data is coming from the expected IdP and service provider. The certificate is used to sign SAML requests, responses, and assertions from the service to relying applications.
  • In Open AM, use the keytool command to retrieve the certificate from the keystore in PEM format. For more information, see the ForgeRock documentation. You can also use the signing key file that you created and imported to the truststore.
  • In the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Portal, click Select file for Signing Certificate to locate the downloaded certificate.

OpenID Connect Authentication

To integrate OpenID Connect with OpenAM or ForgeRock Identity Platform as the IdP, you must complete the following prerequisites:

  • Create the 'groups' claim attribute, as follows:

Navigate to Realms -> </CaptivePortalInfoblox> -> Scripts -> OIDC Claims Script. 

    1. Edit claimAttributes list and include line. 
      1. "groups": userProfileClaimResolver.curry("isMemberof"),
    2. Edit scopeClaimsMap and add:
      1.  “groups”: [“groups”],
    3. Click ‘Validate’.
    4. If no errors found, click ‘Save Changes’.

Navigate to Realms -> </CaptivePortalInfoblox> -> Services -> OAuth2 Provider -> Advanced

    1. Edit ‘Supported Scopes’ with “groups|Your group membership information”.
    2. Click ‘Save’.

Navigate Realms > /CaptivePortalTest > Services > OAuth2 Provider > OpenID Connect.

Edit ‘Supported Claims’ with “groups|Group membership”.

Click ‘Save’.

  • Deploy OpenID Connect for SSO using the AM console and configure the hosted identity provider and remote service provider. For more information, refer to the ForgeRock documentation.
  • When using a non-root realm with a name such as /CaptivePortalInfoblox, any API endpoint will contain the following path: /realms/root/realms/CaptivePortalInfoblox. When using root realm (‘/’), all API endpoints will contain the following path /realms/root.
  • When configuring hosted identity provider, select a signing key that you have created or imported. Do not leave this blank Also, choose the circle of trust for the Identify Provider and remember the name because the service provider must be in the same circle of trust.
  • When configuring the remote service provider, upload the service provider metadata file that you downloaded from the Infoblox Portal. In addition, add attribute mapping where the name in the assertion must be ‘groups’ and the Local Attribute name must be the one that stores the group information. Lastly, remove the transient and persistent NameID formats.

The following table lists the required parameters for a successful integration:

ParameterDescriptionUsage
Login Redirect URI (Client)The Login Redirect URI determines where the authorization server redirects the user once the application successfully authorizes and grants an authorization code or access token.
  • Copy the Login Redirect URI from the CLIENT DETAILS section of the Create Authentication Profile dialog on the Infoblox Portal.
  • Enter the copied value in the Login Redirect URIs in the OpenID Connect application.
Client ID (Client)The Client ID is the ID for logging in to the IdP client.
  • In Open AM, navigate to the OpenID Connect application -> General ->  Client ID, and then click Copy to clipboard.
  • Enter the copied value in the Client ID field in the CLIENT DETAILS section of the Create Authentication Profile dialog on the Infoblox Portal.
Client Secret (Client)The Client Secret is the password for logging in to the IdP client.
  • In Open AM, navigate to the OpenID Connect application -> General ->  Client Secret, and then click Copy to clipboard.
  • Enter the copied value in the Client Secret field in the CLIENT DETAILS section of the Create Authentication Profile dialog on the Infoblox Portal.
Issuer (IdP)The Issuer is a discovery URI  that defines the unique identifier for the identity provider.
  • In Open AM, configure OpenID Connect Discovery and retrieve the identity provider URI.
  • Enter the discovery URI in the Issuer field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Portal.