Thursday, 30 May 2013

Implementing coarse-grained authorization along with identity federation in OpenAM

PingFederate – Identity Provider

OpenAM – Service Provider with coarse-grained authorization capability

  • Create an SP connection in PingFederate to OpenAM and register PingFederate as a remote identity provider in the OpenAM Circle of Trust
  • Create two users in the PingFederate data store (Active Directory in this example)
  • Use pseudonym identity mapping between the IdP and the SP, so the NameID sent to OpenAM is an opaque identifier rather than the AD user name
  • Create two local user accounts in OpenAM, dummy and dummy2, and set their mail attribute
  • Install the agentapp sample application shipped with OpenAM
  • Create an access policy in OpenAM for the agentapp resource with a condition on the user's mail attribute
  • Initiate IdP-initiated SSO from PingFederate, specifying the web application protected by OpenAM (agentapp in this example) as the target resource
  • Log in with each of the two AD users created above and validate the authorization check (one should be allowed, the other denied, according to the mail condition)
  • For the initial SSO request, OpenAM re-authenticates the user locally in order to link the remote pseudonym to the local user profile
          Note: on subsequent requests the OpenAM session cookie can be used to verify that SSO is in effect and no further local authentication is needed


  • Verify the pseudonym user identifier mentioned above in the OpenAM Federation.log file


Sunday, 5 May 2013

Federation establishment with PingFederate IdP and OpenAM SP


  • Create a hosted SP in OpenAM and check "Use Name ID as User ID" in the Account Mapper
  • Configure the Identity Provider role in PingFederate
  • Export the SP metadata from OpenAM using ssoadm.jsp and create an SP connection in PingFederate from it
  • Export the IdP metadata from PingFederate and create a remote identity provider in OpenAM from it

  • Verify that the SP and IdP are in the same Circle of Trust, initiate IdP-initiated SSO from PingFederate, and verify the SAML assertion in the OpenAM Federation.log file
     Note: because the account mapper uses the Name ID directly, the Name ID sent by the IdP (PingFederate) must match the local OpenAM account's user ID exactly
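As an added example (not code from these posts, OpenAM or PingFederate), the Python script below replays offline the SP-side decisions that both posts verify by hand: it parses a SAML 2.0 response of the kind written to Federation.log, checks the audience and validity window, maps the NameID to a local account either directly ("Use Name ID as User ID", second post) or through a pseudonym link table (first post), and applies a coarse-grained policy on the local user's mail attribute. The response, entity IDs, hostnames, NameID value, accounts, mail addresses and policy are all constructed; the XML signature check a real SP must perform is deliberately omitted and called out in the code.

```python
"""Offline replay of the SP-side checks from the two posts above.
Added example: not OpenAM or PingFederate code. Every identifier below
(entity IDs, hostnames, NameID value, accounts, mail addresses) is made up."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"   # pseudonym
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # plain user ID

SP_ENTITY_ID = "https://openam.example.com/openam"   # assumed hosted SP entity ID
IDP_ENTITY_ID = "https://pingfederate.example.com"   # assumed remote IdP entity ID

# Local OpenAM accounts from the first post, uid -> mail (values constructed).
LOCAL_USERS = {"dummy": "dummy@example.com", "dummy2": "dummy2@example.com"}
# Pseudonym links the SP records when it first re-authenticates the user locally:
# (issuer, NameID) -> local uid. Constructed.
LINKED_NAMEIDS = {(IDP_ENTITY_ID, "2kQ7pZ1nYx9aRf0cVbM4"): "dummy"}
# Coarse-grained policy from the first post: resource prefix plus a mail filter.
POLICY = {"resource": "http://agent.example.com/agentapp",
          "allowed_mail": ["dummy@example.com"]}

# Constructed IdP-initiated SSO response. A real one also carries an XML signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2013-05-30T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-05-30T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">2kQ7pZ1nYx9aRf0cVbM4</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-05-30T09:55:00Z" NotOnOrAfter="2013-05-30T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>dummy@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(s):
    """SAML timestamps are UTC 'Z' times."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull out the fields the SP decides on. The signature is NOT verified here;
    a real SP must validate it against the IdP metadata before trusting anything."""
    root = ET.fromstring(xml_text)  # constructed input; use defusedxml on real data
    a = root.find("saml:Assertion", NS)
    nid = a.find("saml:Subject/saml:NameID", NS)
    cond = a.find("saml:Conditions", NS)
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": a.findtext("saml:Issuer", namespaces=NS),
            "name_id": nid.text,
            "name_id_format": nid.get("Format", UNSPECIFIED),
            "audience": [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
            "not_before": parse_ts(cond.get("NotBefore")),
            "not_on_or_after": parse_ts(cond.get("NotOnOrAfter")),
            "attributes": attrs}


def check_conditions(asrt, sp_entity_id, now):
    """Audience and validity window: an SP must reject the assertion if either fails."""
    problems = []
    if sp_entity_id not in asrt["audience"]:
        problems.append("audience does not name this SP")
    if not asrt["not_before"] <= now < asrt["not_on_or_after"]:
        problems.append("assertion outside its validity window")
    return problems


def map_to_local_user(asrt, local_users, linked):
    """Pseudonym (persistent) NameIDs resolve through the link table; no link means
    OpenAM must re-authenticate the user locally first (first post). With
    'Use Name ID as User ID' (second post) the NameID must equal a local uid."""
    if asrt["name_id_format"] == PERSISTENT:
        return linked.get((asrt["issuer"], asrt["name_id"]))
    return asrt["name_id"] if asrt["name_id"] in local_users else None


def authorize(uid, resource, local_users, policy):
    """Coarse-grained decision: resource under the policy prefix and the LOCAL
    profile's mail (the attribute set in OpenAM, not the asserted one) in the filter."""
    if not resource.startswith(policy["resource"]):
        return False
    allowed = {m.lower() for m in policy["allowed_mail"]}
    return local_users.get(uid, "").lower() in allowed


def evaluate(xml_text, resource, now_iso, sp_entity_id=SP_ENTITY_ID):
    """Return (decision, local uid, problems) for one response and target resource."""
    asrt = parse_assertion(xml_text)
    problems = check_conditions(asrt, sp_entity_id, parse_ts(now_iso))
    if problems:
        return ("reject", None, problems)
    uid = map_to_local_user(asrt, LOCAL_USERS, LINKED_NAMEIDS)
    if uid is None:
        return ("local-auth-required", None, [])
    return ("allow" if authorize(uid, resource, LOCAL_USERS, POLICY) else "deny", uid, [])


if __name__ == "__main__":
    target = "http://agent.example.com/agentapp/index.jsp"
    print("linked pseudonym:", evaluate(SAMPLE_RESPONSE, target, "2013-05-30T10:00:00Z"))
    print("dummy2 on same resource:", authorize("dummy2", target, LOCAL_USERS, POLICY))
```

Running it shows the linked pseudonym resolving to dummy and being allowed, while dummy2 is denied by the mail filter; shifting the clock past NotOnOrAfter or changing the SP entity ID turns the result into a rejection before any mapping happens, which is the order a real SP must keep.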