Use CLI commands to configure a SAML 2.0 service provider federation: first create a response file, fill in its properties, and then create the service provider federation from that file.

Create the response file:

```
wsadmin>$AdminTask manageItfimFederation { -operation createResponseFile -fimDomainName fimspdomain -protocol SAML2_0 -role sp -fileId /downloads/saml20_sp_properties.xml }
```

The following confirmation message is displayed: `FBTADM001I Command completed successfully`

Edit the response file and supply the values described in the following table.
Configuration item | Description | Your value | CLI Properties or Names
---|---|---|---
Federation name | The unique name of the federation. (Required) | Any name. For example, saml20sp | FedName
Company name | The name of the company that is associated with the federation. (Required) | Any name. For example, SP Company Name | CompanyName
Company URL | A URL for a website of the company that is associated with the federation. (Required) | URL of the website of your company | CompanyUrl
Provider ID | A URL or URN that uniquely identifies the provider. By default, Tivoli Federated Identity Manager uses the URL of the point of contact server with the federation name and the protocol name, such as /saml20, appended to it. | A URL. For example, for a federation named saml_fed: https://sp.example.com/FIM/sps/saml_fed/saml20 | ProviderId
Point of Contact Server URL | The URL of the point of contact server with the federation name and the protocol name, such as /saml20, appended to it. (Required) | A URL. For example, for a federation named saml_fed: https://sp.example.com/FIM/sps/saml_fed/saml20 | BaseUrl
Select Signing Key | Keystore in the Tivoli Federated Identity Manager key service where the key is stored. Enter a signing key for the service provider. If you also select to sign any other messages, the specified signing key is used to sign them. (Required) Note: Before you complete this task, create the key and import it into the appropriate keystore in the Tivoli Federated Identity Manager key service. | Keystore name and key alias name. This data is provided in the format of … For example, … | SigningKeyIdentifier
Single sign-on | The URL to which the Service Provider sends authentication requests. | True or false. Default: false. You must enable at least one property. For example, set SsoPostEnabled to true. | SsoPostEnabled, SsoArtifactEnabled, SsoRedirectEnabled
Select Encryption Key | Keystore in the Tivoli Federated Identity Manager key service where the key is stored. A public/private key pair used in encryption. Your partner uses the public key to encrypt data to you. Use the private key to decrypt data that your partner sends to you. You must specify the key pair to use. Note: Before you complete this task, create the key and import it into the appropriate keystore in the Tivoli Federated Identity Manager key service. | Keystore name and key alias name. This data is provided in the format of … For example, … | EncryptionKeyIdentifier
Single Logout Profile | The URL that the partner contacts to use the Single Logout profile. To enable single logout, set at least one property to true. Then, you can choose which binding and provider to use to initiate single logout. | True or false. Default: false. You must enable at least one property to enable the single logout profile for the federation. For example, set SloSPPostEnabled to true. | SloIPArtifactEnabled, SloIPPostEnabled, SloIPRedirectEnabled, SloIPSOAPEnabled, SloSPArtifactEnabled, SloSPPostEnabled, SloSPRedirectEnabled, SloSPSOAPEnabled
Artifact Resolution Service list | The Artifact Resolution Service is a SOAP endpoint on the service provider point of contact server where artifacts are exchanged for SAML messages. By default, Tivoli Federated Identity Manager configures one SOAP endpoint for the Artifact Resolution Service. You can optionally define additional SOAP endpoints. | Specify the artifact resolution service URL, the URL index, and true if the endpoint is used as the default; otherwise, false. For example, https://sp.example.com/FIM/sps/saml_fed/saml20/soap;0;true | ArtifactResolutionServiceList
Identity mapping options: an XSL transformation (XSLT) file containing mapping rules | The type of identity mapping to use. Use an XSLT file for identity mapping, and have the file ready to use for the federation. (Required) | XSLT file that corresponds to the SP role for SAML 2.0 federations: /opt/IBM/FIM/examples/mapping_rules/sp_saml_20.xsl | MappingRuleFileName
Create the federation from the completed response file:

```
wsadmin>$AdminTask manageItfimFederation { -operation create -fimDomainName fimspdomain -fileId /downloads/saml20_sp_properties.xml }
```

The following confirmation message is displayed: `FBTADM001I Command completed successfully`
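As an added pre-flight check (example code, not IBM's and not part of this procedure), the following Python function validates the property values against the constraints stated in the table before `-operation create` is run. It assumes the values have already been read out of the response file into a dict keyed by the CLI property names (the response file's XML layout is not shown on this page), that multiple artifact resolution entries are whitespace-separated, and the sample values are constructed.

```python
from urllib.parse import urlparse
# Property names as listed in the "CLI Properties or Names" column above.
REQUIRED = ("FedName", "CompanyName", "CompanyUrl", "BaseUrl",
            "SigningKeyIdentifier", "MappingRuleFileName")
SSO_FLAGS = ("SsoPostEnabled", "SsoArtifactEnabled", "SsoRedirectEnabled")

def is_true(value):
    return str(value).strip().lower() == "true"

def check_sp_properties(props):
    """Return a list of problems; an empty list means the values satisfy the table's rules."""
    problems = []
    for name in REQUIRED:
        if not str(props.get(name, "")).strip():
            problems.append("missing required property: " + name)
    # At least one single sign-on binding must be enabled.
    if not any(is_true(props.get(f)) for f in SSO_FLAGS):
        problems.append("at least one of %s must be true" % ", ".join(SSO_FLAGS))
    # Point of contact URL: https, ending in <federation name>/saml20 as the table shows.
    base, fed = props.get("BaseUrl", ""), props.get("FedName", "")
    if base and urlparse(base).scheme != "https":
        problems.append("BaseUrl should use https")
    if base and fed and not base.rstrip("/").endswith("/%s/saml20" % fed):
        problems.append("BaseUrl should end with /<FedName>/saml20")
    # ArtifactResolutionServiceList entries: url;index;default (assumed whitespace-separated).
    defaults = 0
    for entry in props.get("ArtifactResolutionServiceList", "").split():
        parts = entry.split(";")
        if len(parts) != 3 or not parts[1].isdigit() or parts[2].lower() not in ("true", "false"):
            problems.append("malformed artifact resolution entry: " + entry)
            continue
        if urlparse(parts[0]).scheme != "https":
            problems.append("artifact resolution endpoint should use https: " + parts[0])
        defaults += is_true(parts[2])
    if props.get("ArtifactResolutionServiceList") and defaults != 1:
        problems.append("exactly one artifact resolution endpoint should be marked default")
    return problems

# Constructed sample values (the signing key identifier is a placeholder; its format is not shown here).
SAMPLE_SP = {
    "FedName": "saml_fed", "CompanyName": "SP Company Name",
    "CompanyUrl": "https://www.example.com",
    "BaseUrl": "https://sp.example.com/FIM/sps/saml_fed/saml20",
    "SigningKeyIdentifier": "PLACEHOLDER_KEYSTORE_AND_ALIAS", "SsoPostEnabled": "true",
    "ArtifactResolutionServiceList": "https://sp.example.com/FIM/sps/saml_fed/saml20/soap;0;true",
    "MappingRuleFileName": "/opt/IBM/FIM/examples/mapping_rules/sp_saml_20.xsl",
}

if __name__ == "__main__":
    print(check_sp_properties(SAMPLE_SP) or "response file values look complete")
```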