Configure ForgeRock with SAML
This page contains third-party references. We strive for our content to always be up-to-date, however, the content referring to external vendors may change independently of Omada. If you spot any inconsistency, please report it to our Helpdesk.
Prerequisites
- Install JDK and Apache Tomcat Container.
  - JDK version 8.0 is required, as some of the ForgeRock pages do not support Java version 11.0.
- Download the ForgeRock Access Management platform .WAR file and upload it via the Tomcat App Manager.
Configure ForgeRock and SAML
Follow these steps to configure ForgeRock with SAML:
- In the ForgeRock AM system, run the Create Hosted Identity Provider task.
- Create a new circle of trust with the metadata name set to the URL of the ForgeRock AM system.
- Select the Register a Remote Service Provider option.
- Provide a SAML metadata file, either by uploading the file or by providing the URL of the metadata file location.
  The SAML metadata file can be generated with an online tool, e.g., SAML tool.
  A sample SAML .xml file has the following form:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-03-15T14:00:17Z" cacheDuration="PT604800S" entityID="Omada">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/AM-eval-6.5.0.1/saml2/jsp/spSingleLogoutInit.jsp" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://enterpriseserver/logon.aspx" index="1" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
- Make sure that urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress is added to the NameID format section of the OmadaSP.
- Verify that the IdpIssuer and IdpAudience in tblCustomerAuth are set to the name of the circle of trust.
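As an added example (not Omada's or ForgeRock's own code), the following Python script checks an SP metadata file before it is registered in ForgeRock: it confirms the emailAddress NameID format required by the steps above is present and flags two settings a reviewer would question in the sample (WantAssertionsSigned="false" and a plain-http AssertionConsumerService URL), then inserts the missing NameID format in schema order. The embedded metadata is a constructed sample modelled on the one on this page; its entityID and URLs are placeholders.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ET.register_namespace("md", MD)  # keep the md: prefix when re-serialising
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample modelled on the page's metadata; entityID and URLs are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="Omada">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://enterpriseserver/logon.aspx" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return findings for SP metadata about to be registered in ForgeRock; [] means it passes."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element"]
    findings = []
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    if EMAIL_FMT not in formats:
        findings.append("emailAddress NameIDFormat missing (required for the Omada SP)")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not any(a.get("Binding") == POST_BINDING for a in acs):
        findings.append("no HTTP-POST AssertionConsumerService")
    for a in acs:
        if not a.get("Location", "").startswith("https://"):
            findings.append("AssertionConsumerService Location is not https: " + a.get("Location", ""))
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is false: unsigned assertions would be accepted")
    return findings

def add_email_nameid_format(xml_text):
    """Return the metadata with the emailAddress NameIDFormat inserted if it is absent."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if EMAIL_FMT in [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]:
        return xml_text
    # Schema order puts NameIDFormat before AssertionConsumerService, so insert ahead of the first ACS.
    acs_tag = "{%s}AssertionConsumerService" % MD
    pos = next((i for i, c in enumerate(sp) if c.tag == acs_tag), len(sp))
    elem = ET.Element("{%s}NameIDFormat" % MD)
    elem.text = EMAIL_FMT
    sp.insert(pos, elem)
    return ET.tostring(root, encoding="unicode")
```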