Connecting OpenSSO IDP with SimpleSAMLphp SP

Giving OpenSSO a go? I recommend OpenSSO Enterprise 8.0. For the web container, Glassfish Enterprise V2.1 seems to work well for me.

I had various problems with OpenSSO Express 7 and Glassfish V3 Prelude. Your luck may vary here.

If you are deploying OpenSSO on Glassfish, don’t forget to change the following JVM settings:

  1. -client to -server
  2. -Xmx512m to -Xmx1024m
  3. If you have trouble logging in and keep getting redirected back to the login page (I did), also add -Dcom.iplanet.am.cookie.c66Encode=true to your JVM settings

Next, deploy OpenSSO. I normally deploy to /opensso, but that’s just me.

After deploying, configure OpenSSO. I normally pick Custom configuration and, for the purpose of this demo, I install both the configuration and the user information into the inbuilt data store. Finish the configuration and log in.

Next head to Create Hosted Identity Provider. Leave all the settings at their defaults except the signing key, which you change to Test. Give your Circle of Trust a name. Under attribute mapping, I normally enter cn=cn. You can add other mappings too, and it’s better to have a SAML assertion with at least one attribute in it (since SimpleSAMLphp will reject empty assertions).

Install SimpleSAMLphp as an SP. Once it is set up you should be able to go to:

http://webserver/simplesaml/saml2/sp/metadata.php

And have your SP metadata.

In OpenSSO click Register Remote Identity Provider. Enter the URL above in the metadata URL box. Select the circle of trust to add it to. Click Configure.

Next go to:

http://webserver/opensso/saml2/jsp/exportmetadata.jsp

And copy that XML. Head to:

http://webserver/simplesaml/admin/metadata-converter.php

And paste the OpenSSO IDP metadata into that box, then click Parse.

Take the result and copy it into:

<simpleSAMLphp>\metadata\saml20-idp-remote.php

You’ll have to change the top line from:

'http://webserver/opensso' => array (

To:

$metadata['http://webserver/opensso'] = array (

And don’t forget to change the comma at the end of the block you just pasted into a semicolon. Save saml20-idp-remote.php.
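The converter-and-edit step above, as an added Python example (not the page's own code and not SimpleSAMLphp's metadata-converter): it parses the IdP metadata that exportmetadata.jsp returns and emits the saml20-idp-remote.php entry already in the $metadata[...] = array (...); form, so the top-line change and the closing semicolon are taken care of. The sample metadata, the OpenSSO endpoint paths and the certificate text are constructed placeholders; the SingleSignOnService, SingleLogoutService and certData keys are the ones SimpleSAMLphp's saml20-idp-remote format uses.

```python
import xml.etree.ElementTree as ET
NS = {'md': 'urn:oasis:names:tc:SAML:2.0:metadata', 'ds': 'http://www.w3.org/2000/09/xmldsig#'}
REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
# Constructed stand-in for what exportmetadata.jsp returns; the endpoint paths and the
# certificate text are placeholders, not copied from a real OpenSSO deployment.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://webserver/opensso">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>
        MIIBPLACEHOLDER
        CERTBODY==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://webserver/opensso/IDPSloRedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://webserver/opensso/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):  # -> (entityID, SSO URL, SLO URL, base64 signing cert)
    root = ET.fromstring(xml_text)
    idp = root.find('md:IDPSSODescriptor', NS)
    if idp is None:
        raise ValueError('no IDPSSODescriptor: this is SP metadata, or not SAML metadata at all')
    def redirect_endpoint(tag):  # SimpleSAMLphp talks to OpenSSO over the HTTP-Redirect binding
        for ep in idp.findall('md:' + tag, NS):
            if ep.get('Binding') == REDIRECT:
                return ep.get('Location')
        raise ValueError(tag + ': no HTTP-Redirect endpoint published')
    cert = None
    for kd in idp.findall('md:KeyDescriptor', NS):
        if kd.get('use', 'signing') == 'signing':  # a KeyDescriptor without 'use' serves both roles
            el = kd.find('ds:KeyInfo/ds:X509Data/ds:X509Certificate', NS)
            if el is not None and el.text:
                cert = ''.join(el.text.split())  # drop the line breaks inside the base64 blob
                break
    if not cert:
        raise ValueError('IdP publishes no signing cert, so the SP could never verify its assertions')
    return (root.get('entityID'), redirect_endpoint('SingleSignOnService'),
            redirect_endpoint('SingleLogoutService'), cert)

def php_quote(s):  # escape for a single-quoted PHP string literal
    return "'" + s.replace('\\', '\\\\').replace("'", "\\'") + "'"

def to_idp_remote_entry(entity_id, sso, slo, cert):  # the $metadata[...] = array (...); block
    return '\n'.join(['$metadata[' + php_quote(entity_id) + '] = array (',
                      "  'SingleSignOnService' => " + php_quote(sso) + ',',
                      "  'SingleLogoutService' => " + php_quote(slo) + ',',
                      "  'certData' => " + php_quote(cert) + ',', ');'])
```

Run parse_idp_metadata on the XML you copied from exportmetadata.jsp and paste the string to_idp_remote_entry returns into saml20-idp-remote.php; if it raises, the metadata itself is the problem, not the SP configuration.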

Head back to OpenSSO. Click the Test Federation Connectivity link. Select your circle of trust. Click Start Test. You can use the username “demo” and the password “changeit”.

The test should work correctly. If it does you’ve got SAML connectivity between an OpenSSO IDP and a SimpleSAMLphp SP.

Some things could go wrong though, so we need to think about what’s happening here:

  1. Is the OpenSSO IDP configured correctly?
  2. Is the SimpleSAMLphp SP configured correctly?
  3. Does the OpenSSO IDP trust the SimpleSAMLphp SP?
  4. Does the SimpleSAMLphp SP trust the OpenSSO IDP?

The problem is one of those four things. Good luck.