PingFederate – Identity Provider
OpenAM – Service Provider with coarse-grained authorization capability
- Create an SP connection in PingFederate to OpenAM and register PingFederate as a remote identity provider in the OpenAM Circle of Trust
- Create two users in the PingFederate data store (Active Directory in this example)
- Use pseudonym identity mapping between the IdP and the SP
- Install and configure the policy agent according to http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/agent-install-guide/
- Create two local user accounts in OpenAM, dummy and dummy2, and set the mail attribute on each
- Install the agentapp sample application provided by OpenAM
- Create an access policy in OpenAM with a filter condition on the user's mail address
- Initiate IdP-initiated SSO from PingFederate with the target resource set to the web application protected by OpenAM (agentapp in this example)
- Log in with each of the two AD user credentials created above and validate the authorization check
- For the initial SSO request, OpenAM re-authenticates the user to map the remote user to the local user profile
Note: Cookies can be used for verifying SSO enablement for subsequent requests
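As an added illustration of the SP-side logic the steps above configure (not OpenAM's or PingFederate's code), the following Python model parses a constructed SAML assertion, applies the pseudonym NameID mapping to a local OpenAM account, and evaluates a coarse-grained mail-based policy for agentapp. The pseudonym link table, local mail values, resource URL and policy are all assumed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion; signature validation is omitted here and must
# happen before any of these values are trusted in a real SP.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">opaque-pseudonym-1</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>dummy@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical link table filled in when OpenAM re-authenticated the user on the
# first SSO (pseudonym -> local account), and the local accounts' mail attribute.
PSEUDONYM_MAP = {"opaque-pseudonym-1": "dummy"}
LOCAL_MAIL = {"dummy": "dummy@example.com", "dummy2": "dummy2@example.com"}
# Hypothetical coarse-grained policy: resource prefix -> mail addresses allowed.
POLICY = {"http://sp.example.com/agentapp/": {"dummy@example.com"}}

def parse_assertion(xml_text):
    """Return (name_id, name_id_format, attributes) from the assertion."""
    root = ET.fromstring(xml_text)
    nid = root.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return nid.text, nid.get("Format"), attrs

def map_to_local_user(name_id, fmt):
    """Pseudonym mapping: accept only persistent NameIDs that are already linked."""
    if fmt != PERSISTENT:
        raise ValueError("expected persistent pseudonym NameID, got %r" % fmt)
    if name_id not in PSEUDONYM_MAP:
        raise LookupError("unlinked pseudonym: local re-authentication required")
    return PSEUDONYM_MAP[name_id]

def authorize(local_user, resource):
    """Decide on the local profile's mail attribute, not the remote assertion's."""
    mail = LOCAL_MAIL.get(local_user)
    return any(resource.startswith(p) and mail in allowed for p, allowed in POLICY.items())

def evaluate(xml_text, resource):
    name_id, fmt, _ = parse_assertion(xml_text)
    return authorize(map_to_local_user(name_id, fmt), resource)
```

The second local account (dummy2) is denied by the same policy, which is the behaviour the two-user test in the steps above is meant to confirm.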