Before you begin

About this task

The following steps use IBM Tivoli Federated Identity Manager version 6.2.2.

Procedure

  1. Determine which point of contact to use. Any point of contact can be used as long as the prerequisites of that specific point of contact are satisfied (for example, IBM WebSphere®).

  2. Import a keystore.

    You need a keystore for signing responses.

Configure IBM Tivoli Federated Identity Manager

Procedure

  1. Create a Federation.

    The steps below focus on pages that require specific information. For other pages not listed here, use the default selections.

    1. Enter the federation name. Choose any unique value.

    2. In Federation Protocol, select SAML 2.0.

    3. In the Point of Contact Server screen, specify the point of contact server: https://[server_name]:[secure_application_server_port].
    4. In the Profile Selection screen, leave the default: Basic Web Browser SSO, Single Logout.
    5. In the Signature Options screen, check the option: Require signature on incoming SAML message and assertion. For outgoing SAML message and assertions, you can choose any option but for security, select: All Outgoing SAML messages and assertions are signed.

    6. In the Encryption Options screen, load your keystore if needed.
    7. In SAML Message Settings and SAML Assertion Settings, keep the default selections.
    8. In Identity Mapping Options, select any identity mapping XSL that works with SAML.

      A sample XSL mapping rule is provided in the IBM Tivoli Federated Identity Manager installation directory at /examples/mapping_rules/ip_saml_20_email_nameid.xsl. For additional details, refer to: http://www-01.ibm.com/support/knowledgecenter/SS4J57_6.2.2.6/com.ibm.tivoli.fim.doc_6226/config/concept/xslformappingrules.html

  2. Export the Federation (identity provider metadata file).
  3. Start Platform Application Center with the command pmcadmin start if it is not started.
  4. Import the identity provider XML file into Platform Application Center with the command pmcadmin saml enable -idp exported_idp_file.

    For example:

    pmcadmin saml enable -idp /usr/share/myfile
  5. Restart Platform Application Center with the commands pmcadmin stop then pmcadmin start.
  6. Import the Platform Application Center service provider metadata file into IBM Tivoli Federated Identity Manager. Use the same selections as in Step 1.
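The exported identity provider metadata (Step 2) is what Platform Application Center trusts after Step 4, so it is worth checking before import that it advertises what the federation was configured for: an entityID, a signing certificate the service provider can use to verify the signed responses from Step 1.5, an HTTPS single sign-on endpoint, and the WantAuthnRequestsSigned flag. The following script is an added example written for this page, not IBM's code or part of pmcadmin; the two metadata documents embedded in it are constructed samples (placeholder entityID, endpoint and certificate text), and the element and attribute names are the standard SAML 2.0 metadata ones.

```python
"""Pre-import sanity check for a SAML 2.0 identity provider metadata file.

Added example, not IBM code. Run it against the file exported from Tivoli
Federated Identity Manager before passing that file to
`pmcadmin saml enable -idp <file>`.
"""
import sys
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}


def check_idp_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and report what a service provider needs from it."""
    result = {"entity_id": None, "want_authn_requests_signed": False,
              "signing_cert": False, "sso_bindings": [], "problems": []}
    root = ET.fromstring(xml_text)
    # The export may be a bare EntityDescriptor or one wrapped in EntitiesDescriptor.
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entity = root
    else:
        entity = root.find(".//md:EntityDescriptor", NS)
    if entity is None:
        result["problems"].append("no EntityDescriptor found")
        return result
    result["entity_id"] = entity.get("entityID")
    if not result["entity_id"]:
        result["problems"].append("entityID missing")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no IDPSSODescriptor (this is not IdP metadata)")
        return result
    # Matches the "Require signature on incoming SAML message" choice on the IdP side.
    flag = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    result["want_authn_requests_signed"] = flag
    if not flag:
        result["problems"].append("WantAuthnRequestsSigned is not true; unsigned AuthnRequests would be accepted")
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use") in (None, "signing") and cert is not None and (cert.text or "").strip():
            result["signing_cert"] = True
    if not result["signing_cert"]:
        result["problems"].append("no signing certificate; the SP cannot verify signed responses")
    # Only HTTPS endpoints with a browser SSO binding are usable for the Web Browser SSO profile.
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = sso.get("Binding", "")
        if binding in SSO_BINDINGS and sso.get("Location", "").startswith("https://"):
            result["sso_bindings"].append(binding.rsplit(":", 1)[-1])
    if not result["sso_bindings"]:
        result["problems"].append("no HTTPS SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    return result


# Constructed sample: a well-formed export (placeholder entityID, endpoint and certificate).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/FIM/sps/pacfed/saml20">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/FIM/sps/pacfed/saml20/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the same export with the signing key and the signed-request flag missing.
BAD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/FIM/sps/pacfed/saml20">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/FIM/sps/pacfed/saml20/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py exported_idp_file.xml (defaults to the built-in samples).
    texts = [open(p).read() for p in sys.argv[1:]] or [GOOD_METADATA, BAD_METADATA]
    for text in texts:
        report = check_idp_metadata(text)
        print(report["entity_id"], "OK" if not report["problems"] else report["problems"])
```

The check is deliberately limited to what the service provider side consumes: it does not validate the certificate itself or any XML signature over the metadata, so a clean result means the file is complete, not that it came from the expected identity provider; confirm that through the channel you exported it over.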