This tutorial expands on the Tutorial With
WordPress by showing you how to configure OpenIG
as a SAML2 Federation endpoint to log the user into WordPress. When you
complete this tutorial you will have configured OpenAM to send a SAML2
assertion to OpenIG and configured OpenIG to validate the assertion and to
use the mail and employeenumber
attribute values from the assertion to log the user into WordPress.
Follow the Tutorial With WordPress, and make sure you can log in to WordPress before continuing with this tutorial.
For this sample and the test URIs, OpenAM is configured on
http://www.idp.com:8888/openam. You can of course use any
configuration, but be sure to substitute the proper values for the test
URLs.
Use the OpenAM Console task wizard to create a Fedlet with the Name
gateway and the Destination URL
http://demo.forgerock.com:8080/saml. Configure the
Attributes Mapping to contain the mail and
employeenumber attributes.
Create a user with mail attribute
george and
employeenumber costanza.
Download the Federation
to WordPress Sample Config File and copy it to
$HOME/.ForgeRock/OpenIG/config.json, overwriting the
config.json from the WordPress tutorial.
Assuming Fedlet.zip from the previous step is
found in $HOME/openam/myfedlets/Fedlet.zip extract the
Fedlet configuration files using the following commands:
$ cd $HOME/openam/myfedlets
$ unzip Fedlet.zip
$ jar xvf Fedlet.war conf
Create a $HOME/.ForgeRock/SAML/ directory,
and copy the Fedlet configuration to the new directory.
$ mkdir $HOME/.ForgeRock/SAML
$ cp conf/* $HOME/.ForgeRock/SAML
$ ls $HOME/.ForgeRock/SAML
FederationConfig.properties  idp-extended.xml  sp-extended.xml
fedlet.cot                   idp.xml           sp.xml
For IdP-initiated SSO, click this link.
For SP-initiated SSO, either browse to http://demo.forgerock.com:8080/wordpress/ and click the login link, or click this link.
To understand what is happening behind the scenes, take a look at
$HOME/.ForgeRock/OpenIG/config.json. The HandlerServlet
is no longer the entry point to OpenIG processing. If you look for the
servletObject at the end of the file, you see that the HandlerServlet has been
replaced by the DispatchServlet. The DispatchServlet provides an internal
routing mechanism based on the incoming URI. The DispatchServlet inspects
the incoming URI and dispatches to the FederationServlet when the SAML URI
is matched; otherwise it dispatches to the HandlerServlet as in the previous
sample. This allows the FederationServlet to validate the incoming assertion and
set the attributes from the assertion in the HttpSession, after which the
normal chain of filter processing, through the HandlerServlet, picks up
the credentials from the session and logs the user into the target application.
Only requests that match the SAML URI reach the FederationServlet, so the
attributes in the session always originate from an assertion that OpenIG
has validated against the IdP metadata in $HOME/.ForgeRock/SAML.
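The outline below is an added illustration of the dispatch structure just described; it is not the downloaded sample config file, and the exact key names (bindings, object, assertionMapping, subjectMapping, sessionIndexMapping, redirectURI) are assumptions to be checked against the config.json you copied into $HOME/.ForgeRock/OpenIG. The HandlerServlet and its filter chain from the WordPress tutorial are assumed to be defined elsewhere in the same heap and are omitted here. The mapping ties the mail and employeenumber attribute values from the assertion to the username and password that the existing WordPress login chain consumes.

```json
{
    "heap": {
        "objects": [
            {
                "name": "FederationServlet",
                "type": "FederationServlet",
                "config": {
                    "assertionMapping": {
                        "username": "mail",
                        "password": "employeenumber"
                    },
                    "subjectMapping": "subjectName",
                    "sessionIndexMapping": "sessionIndex",
                    "redirectURI": "/wordpress/wp-login.php"
                }
            },
            {
                "name": "DispatchServlet",
                "type": "DispatchServlet",
                "config": {
                    "bindings": [
                        {
                            "condition": "${matches(exchange.request.uri.path, '^/saml')}",
                            "object": "FederationServlet"
                        },
                        {
                            "object": "HandlerServlet"
                        }
                    ]
                }
            }
        ]
    },
    "servletObject": "DispatchServlet"
}
```

The first binding is the only path into the FederationServlet, and it is selected purely by URI, so the condition must match exactly the Destination URL path you gave the Fedlet (/saml in this tutorial); the unconditioned second binding is the fall-through to the WordPress chain. If the two bindings are reversed, every request, including the SAML response, is swallowed by the HandlerServlet and the session attributes are never populated.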