As described in Section 13.1.1.5, “SAML 2.0 Bearer Assertion Profiles”, OpenAM as OAuth 2.0 authorization server can handle the profile where a SAML 2.0 assertion borne by the client functions as an authorization grant to get an access token. This lets a client get an access token when a resource owner completes SAML 2.0 Web Single Sign-On.
You can configure OpenAM as both SAML 2.0 service provider and OAuth 2.0 authorization server, using a built-in adapter class to POST assertions returned to the service provider to the access token endpoint of the authorization server. This allows clients to send a resource owner to the identity provider for SAML 2.0 web SSO, get an assertion at the service provider, and retrieve an access token from the authorization server. In other words, once this scenario is configured, the client need only direct the resource owner to start web SSO as described in Using SAML 2.0 Single Sign-On & Single Logout, and then retrieve the access token on success or handle the error condition on failure.
Procedure 13.4. To Get an Access Token From SAML 2.0 Web SSO
For this scenario to work, the following conditions must be met.
- The client must make the resource owner understand that by authenticating to the SAML 2.0 identity provider the resource owner grants the client access to the protected resources. OpenAM does not present the resource owner with an authorization decision.
- The SAML 2.0 identity provider issuing the assertion must sign the assertion, and must correctly handle the name ID for the subject.
- OpenAM as relying party must request that assertions are signed, must verify the signatures on assertions, must correctly handle name IDs from the issuer, and must use the built-in org.forgerock.restlet.ext.oauth2.flow.OAuth2Saml2GrantSPAdapter adapter class in the service provider configuration to POST assertions to the OAuth 2.0 authorization service.
- The OAuth 2.0 authorization service and SAML 2.0 service provider must be configured together on the same OpenAM server.
- An OAuth 2.0 client configuration on OpenAM with the same name as the service provider entity ID must be set up on OpenAM.
- The OAuth 2.0 client initiating the process must be able to consume the access token and to handle errors if necessary.
Follow these steps. The test configuration hints in this procedure let you prepare a configuration to test with the demo user created in OpenAM by default.
- Make sure the SAML 2.0 identity provider signs assertions and that name IDs are correctly configured to map resource owner accounts.
  When configuring OpenAM as a hosted identity provider, follow these steps.
  - Make sure the Signing Key is properly configured on setup. For a test configuration, select the test certificate shown in the Common Tasks > Create Hosted Service Provider wizard.
  - Make sure name IDs are properly configured. For a test configuration, in the OpenAM console under Federation > Entity Providers > IDP name > NameID Value Map, add urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=cn and then Save your work.
  For more detail on configuring OpenAM as a SAML 2.0 identity provider, see Configuring Identity Providers.
- Configure OpenAM as service provider.
  - Set up a hosted service provider in the OpenAM console under Common Tasks > Create Hosted Service Provider, keeping track of the name, such as https://www.sp.example:8443/openam, and selecting Use default attribute mapping from Identity Provider. For details on configuring OpenAM as a SAML 2.0 service provider, see Configuring Service Providers.
  - Under Federation > Entity Providers > SP name > Assertion Content > Request/Response Signing, check Assertions Signed.
  - For a test configuration, in Federation > Entity Providers > SP name > Assertion Content > NameID Format List, remove all but urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, and then Save your work.
  - In Federation > Entity Providers > SP name > Assertion Processing > Adapter, add org.forgerock.restlet.ext.oauth2.flow.OAuth2Saml2GrantSPAdapter, and then Save your work. This is the adapter class that POSTs the SAML 2.0 assertion to the OAuth 2.0 access token endpoint.
  - Use the wizard under Common Tasks > Register Remote Identity Provider to import the identity provider metadata.
- Make sure the identity provider imports the metadata for your service provider.
  If your service provider is at https://www.sp.example:8443/openam, then the metadata can be accessed at https://www.sp.example:8443/openam/saml2/jsp/exportmetadata.jsp.
- On the service provider OpenAM server, set up the OAuth 2.0 authorization server as described in Section 13.2, “Configuring the OAuth 2.0 Authorization Service”.
  For a test configuration, set the realm to /, and accept the defaults.
- On the OpenAM server acting as service provider and authorization server, set up an OAuth 2.0 client profile with the same name as the service provider under Access Control > realm > Agents > OAuth 2.0 Client > New... For example, if the service provider name is https://www.sp.example:8443/openam, then that is also the name of the OAuth 2.0 client profile. You can make additional changes to the client profile if necessary. See Section 13.3, “Registering OAuth 2.0 Clients With the Authorization Service” for details.
- Test your configuration.
  - Log out of all OpenAM servers.
  - Initiate SAML 2.0 Web SSO.
    For example, if your identity provider is at https://www.idp.example:8443/openam with meta alias /idp and your service provider is at https://www.sp.example:8443/openam, then browse to the following URL (without line breaks or spaces).
    http://www.idp.example:8443/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=http://www.sp.example:8443/openam
    For other configurations, see Using SAML 2.0 Single Sign-On & Single Logout.
  - Log in to the identity provider.
    For OpenAM, log in with user name demo and password changeit.
  - Log in to the service provider.
    For OpenAM, log in with user name demo and password changeit.
  - See the resulting access token on successful login.
    The result looks something like this, all on one line.
    { "expires_in": 59, "token_type": "Bearer", "access_token": "f0f731e0-6013-47e3-9c07-da598157a85f" }
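The client-side pieces of this procedure, as an added example that is not part of the OpenAM documentation or the product's own code: building the IdP-initiated SSO URL with properly encoded query parameters, the form fields the service provider adapter is assumed to POST to the access token endpoint (the grant_type and assertion parameter names follow RFC 7522 and the client_id field is an assumption; OpenAM's OAuth2Saml2GrantSPAdapter itself is not shown), and a parser for the token response that validates the success JSON shown above and also handles an OAuth 2.0 error object. The hostnames, meta alias, sample assertion and sample JSON bodies are constructed test values.

```python
"""Client-side helpers for the SAML 2.0 bearer assertion grant flow.

Added example, not OpenAM code. Assumed (labelled) details: the token endpoint
accepts the RFC 7522 parameters grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer
and assertion=<base64url SAML assertion>, plus a client_id field; all sample
values below are constructed and mirror the hosts used in the procedure.
"""
import base64
import json
from urllib.parse import urlencode

SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def sso_init_url(idp_base: str, meta_alias: str, sp_entity_id: str) -> str:
    """Build the IdP-initiated SSO URL (idpSSOInit.jsp).

    urlencode percent-encodes ':' and '/' so the spEntityID value, which is
    itself a URL, cannot be cut short or misread by the receiving servlet.
    """
    query = urlencode({"metaAlias": meta_alias, "spEntityID": sp_entity_id})
    return f"{idp_base}/saml2/jsp/idpSSOInit.jsp?{query}"


def saml2_bearer_token_request(assertion_xml: bytes, client_id: str) -> dict:
    """Form fields POSTed to the access token endpoint (assumed RFC 7522 layout).

    The assertion is base64url encoded with no line breaks, so it survives
    application/x-www-form-urlencoded transport; the '=' padding is kept and
    will simply be form-encoded as %3D. client_id is the OAuth 2.0 client
    profile name, which the procedure sets equal to the SP entity ID.
    """
    encoded = base64.urlsafe_b64encode(assertion_xml).decode("ascii")
    return {"grant_type": SAML2_BEARER_GRANT, "assertion": encoded, "client_id": client_id}


class TokenResponseError(Exception):
    """Raised for an OAuth 2.0 error object or a malformed success response."""


def parse_token_response(body: str) -> dict:
    """Parse and validate the JSON returned by the access token endpoint.

    Returns a dict with access_token, token_type and expires_in on success.
    Raises TokenResponseError when the server returned {"error": ...} or when
    a required field is missing or has the wrong type, so the caller never
    treats a partial or error response as a usable bearer token.
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenResponseError(f"token endpoint returned non-JSON body: {exc}") from exc
    if not isinstance(data, dict):
        raise TokenResponseError("token endpoint returned a non-object JSON value")
    if "error" in data:
        raise TokenResponseError(f"{data['error']}: {data.get('error_description', '')}")
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenResponseError("response lacks a non-empty access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenResponseError(f"unexpected token_type {data.get('token_type')!r}")
    expires_in = data.get("expires_in")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        raise TokenResponseError("expires_in missing or not a positive integer")
    return {"access_token": token, "token_type": "Bearer", "expires_in": expires_in}


# Constructed sample values (hosts as in the procedure; JSON bodies are made up).
IDP_BASE = "http://www.idp.example:8443/openam"
SP_ENTITY_ID = "http://www.sp.example:8443/openam"
SAMPLE_SUCCESS = ('{ "expires_in": 59, "token_type": "Bearer", '
                  '"access_token": "f0f731e0-6013-47e3-9c07-da598157a85f" }')
SAMPLE_ERROR = '{ "error": "invalid_grant", "error_description": "assertion rejected" }'

if __name__ == "__main__":
    print(sso_init_url(IDP_BASE, "/idp", SP_ENTITY_ID))
    request = saml2_bearer_token_request(b"<saml:Assertion/>", SP_ENTITY_ID)
    print(request["grant_type"], request["assertion"])
    print(parse_token_response(SAMPLE_SUCCESS))
    try:
        parse_token_response(SAMPLE_ERROR)
    except TokenResponseError as exc:
        print("error response handled:", exc)
```

Run the file directly to see the encoded SSO URL, the form fields for a toy assertion, the parsed success response and the handled error case. The parser is deliberately strict about token_type and expires_in so that a client scheduling token refresh cannot be fooled by a response that is syntactically JSON but semantically incomplete.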

