9.4. Config.json Sample

The following sample configuration is from the tutorial on federating WordPress. The sample configuration receives a SAML assertion from OpenAM and then logs the user into WordPress using the user name and password from the assertion.

The following excerpt of the Federation Service JSON is from the OpenIG config.json file. All fields are mandatory except logoutURI. The logoutURI is only necessary if your configuration uses the single logout feature.

{
    "name": "FederationServlet",
    "type": "org.forgerock.openig.saml.FederationServlet",
    "config": {
        "assertionMapping": {
            "userName": "uid",
            "password": "userPassword"
        },
        "subjectMapping": "subjectName",
        "sessionIndexMapping": "sessionIndex",
        "redirectURI": "/login",
        "logoutURI": "/logout",
        "assertionConsumerEndpoint": "fedletapplication",
        "SPinitiatedSSOEndpoint": "SPInitiatedSSO",
        "singleLogoutEndpoint": "fedletSlo"
    }
}
name

Name of the Federation Service within the OpenIG runtime. This value should not be modified.

type

Classname of the Federation Servlet. This value should not be modified.

assertionMapping

The assertionMapping defines how attributes from the incoming assertion are copied into the session as attribute/value pairs. Each entry in the assertionMapping has the form attributeName:assertionName. The attributeName is the name of the attribute that is set in the session; the assertionName is the name of the attribute whose value is fetched from the incoming assertion and becomes the value in the session. Only attributes listed in the mapping are copied, and they are copied verbatim, so with the sample above the session holds the user's clear-text password for the Form-Filter to replay. The following statements correspond to the sample shown above.

If the incoming assertion contains the statement:

uid = jojo
userPassword = 123456789

Then the following values are set in the session:

userName = jojo
password = 123456789

Note that you must also update attributeMap in $HOME_DIR/.ForgeRock/SAML/sp-extended.xml so that it matches both the assertionName values used here and the attribute mapping configured in the IDP metadata.

subjectMapping

The value contained in the assertion subject is set as the value of the attribute subjectName in the session.
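The following script applies the three mappings described above (assertionMapping, subjectMapping and sessionIndexMapping) to a SAML assertion and shows exactly which attribute/value pairs end up in the session. It is an added example for this page, not OpenIG code: the assertion is a constructed, unsigned document whose attribute values match the "jojo" example, and the choice to report mapped attributes that the assertion does not carry is this example's own behaviour, not documented servlet behaviour.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The mapping entries from the sample config.json above.
FEDERATION_CONFIG = {
    "assertionMapping": {"userName": "uid", "password": "userPassword"},
    "subjectMapping": "subjectName",
    "sessionIndexMapping": "sessionIndex",
}

# Constructed sample assertion for this example (not a real OpenAM response;
# Signature and Conditions are omitted). The attribute values match the "jojo"
# example in the text; "mail" is present to show that unmapped attributes are ignored.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>http://openam.example.com:8080/openam</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jojo</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2013-01-01T00:00:00Z" SessionIndex="s2example"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jojo</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userPassword"><saml:AttributeValue>123456789</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jojo@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (attributes, subject, session_index) from an assertion document.

    attributes maps each saml:Attribute Name to its list of AttributeValue strings.
    """
    root = ET.fromstring(xml_text)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML)]
        attributes[attr.get("Name")] = values
    name_id = root.find("saml:Subject/saml:NameID", SAML)
    authn = root.find("saml:AuthnStatement", SAML)
    subject = name_id.text if name_id is not None else None
    session_index = authn.get("SessionIndex") if authn is not None else None
    return attributes, subject, session_index


def map_assertion_to_session(xml_text, config):
    """Apply assertionMapping, subjectMapping and sessionIndexMapping.

    Returns (session, missing): session holds the attribute/value pairs that would
    be set in the session; missing lists the assertionName values the mapping asked
    for but the assertion did not carry (reported here rather than silently skipped;
    an example choice, not documented servlet behaviour).
    """
    attributes, subject, session_index = parse_assertion(xml_text)
    session = {}
    missing = []
    # Each entry is attributeName:assertionName (session name -> assertion attribute).
    for attribute_name, assertion_name in config["assertionMapping"].items():
        values = attributes.get(assertion_name)
        if not values:
            missing.append(assertion_name)
            continue
        session[attribute_name] = values[0]  # first value for multi-valued attributes
    if subject is not None:
        session[config["subjectMapping"]] = subject
    if session_index is not None:
        session[config["sessionIndexMapping"]] = session_index
    return session, missing


if __name__ == "__main__":
    session, missing = map_assertion_to_session(SAMPLE_ASSERTION, FEDERATION_CONFIG)
    for key, value in session.items():
        print(f"{key} = {value}")
    if missing:
        print("not in assertion:", ", ".join(missing))
```

Running it prints userName, password, subjectName and sessionIndex; the unmapped mail attribute never reaches the session, and renaming an assertionName that the IDP does not release shows up in the missing list instead of silently producing an empty session value.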

redirectURI

The redirectURI should be set to the page that the Form-Filter recognizes as the login page of the target application. This is how OpenIG and the Federation Service work together to provide single sign-on. When OpenIG detects the target application's login page, it redirects to the Federation Service. Once the Federation Service has validated the SAML exchange with the IDP and set the required session attributes, it redirects back to the target application's login page. The Form-Filter then finishes logging in the user by retrieving the necessary user data from the session and creating a login form for the application.

logoutURI

The logoutURI should be set to the URI that logs the user out of the target application. This attribute is only needed if your application uses the single logout feature of the Identity Provider.

assertionConsumerEndpoint

The default value, fedletapplication, is the same endpoint name the Fedlet uses. If you modify this attribute, you must change the metadata to match.

SPinitiatedSSOEndpoint

The default value is SPInitiatedSSO. If you modify this attribute you must change the metadata to match.

singleLogoutEndpoint

The default value, fedletSlo, is the same endpoint name the Fedlet uses. If you modify this attribute, you must change the metadata to match.
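Because a renamed endpoint that is not mirrored in the SP metadata only fails at the first real SSO or logout, the following script checks config.json against the metadata before deployment. It is an added example, not part of OpenIG or the Fedlet: the SP metadata is constructed for this page (host, port, entityID and the fedletSloRedirect/fedletSloPOST paths are assumptions following the Fedlet naming convention), the assertion consumer path is compared exactly, and the single logout endpoint is compared as a case-sensitive prefix because the Fedlet publishes one SLO location per binding; that prefix rule is this example's assumption. SPinitiatedSSOEndpoint has no counterpart in SAML metadata and is not checked.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata namespace.
MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Endpoint entries from the sample config.json above.
FEDERATION_CONFIG_JSON = """{
    "assertionConsumerEndpoint": "fedletapplication",
    "SPinitiatedSSOEndpoint": "SPInitiatedSSO",
    "singleLogoutEndpoint": "fedletSlo"
}"""

# Constructed SP metadata for this example (not a real sp.xml). Host, port and
# entityID are made up; the endpoint path names follow the Fedlet convention.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.com:8080/fedlet">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sp.example.com:8080/fedlet/fedletSloRedirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com:8080/fedlet/fedletSloPOST"/>
    <md:AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com:8080/fedlet/fedletapplication"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def last_path_segment(url):
    """'http://h/fedlet/fedletapplication' -> 'fedletapplication'."""
    return urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]


def check_endpoints(config_json, sp_metadata):
    """Return a list of mismatches between config.json endpoints and the SP metadata.

    An empty list means the metadata agrees with the configuration.
    """
    cfg = json.loads(config_json)
    root = ET.fromstring(sp_metadata)
    problems = []

    acs_locations = [e.get("Location")
                     for e in root.iterfind(".//md:AssertionConsumerService", MD)]
    if not acs_locations:
        problems.append("metadata declares no AssertionConsumerService")
    for location in acs_locations:
        # The assertion consumer path must name the configured endpoint exactly.
        if last_path_segment(location) != cfg["assertionConsumerEndpoint"]:
            problems.append("AssertionConsumerService %s does not end in assertionConsumerEndpoint %r"
                            % (location, cfg["assertionConsumerEndpoint"]))

    slo_locations = [e.get("Location")
                     for e in root.iterfind(".//md:SingleLogoutService", MD)]
    for location in slo_locations:
        # Example assumption: the Fedlet publishes one SLO Location per binding
        # (fedletSloRedirect, fedletSloPOST, ...), so singleLogoutEndpoint is compared
        # as a case-sensitive prefix of the last path segment.
        if not last_path_segment(location).startswith(cfg["singleLogoutEndpoint"]):
            problems.append("SingleLogoutService %s does not start with singleLogoutEndpoint %r"
                            % (location, cfg["singleLogoutEndpoint"]))
    return problems


if __name__ == "__main__":
    for problem in check_endpoints(FEDERATION_CONFIG_JSON, SP_METADATA) or ["endpoints match metadata"]:
        print(problem)
```

With the sample values the check passes. Changing assertionConsumerEndpoint to another name without editing the metadata reports the stale AssertionConsumerService, and spelling the logout endpoint fedletSLO instead of fedletSlo is flagged for both SLO bindings, which is why the case of that value matters.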