OpenAM overall comprehension and SAML

Question

I'm implementing a SSO solution with SAML using OpenAM. I'm a very beginner on theses technologies and I need some clarifications.

My progress

For the moment, I have installed a Tomcat hosting OpenAM as an IdP. Another Tomcat fits as my SP. The WebAgent is installed on it. When trying to reach a protected part of the SP, I am redirected to the IdP logging page. Once my credentials entered, I am finally redirected to the resource. That seems to work well.

My questions

• My architecture is just based on a simple SSO, doesn't it ?

• How do I activate the SAMLv2 ?

• Does OpenAM have to be install on all servers in the circle of trust to allow SAML ? I mean, it seems natural on the IdP, but do I need to put and configure the opensso.war on the SPs ?

• The choosen scenario is IdP-Initiated SSO. If the client reaches the IdP Authenticate WS, will it have the SAML assertion ?

Thanks in advance

Answer 1

• When using agents, you are actually relying on a more proprietary SSO and not SAML. To be precise: Liberty ID-FF messages wrapped in SAML 1.1
• The web agents will never talk using SAMLv2, so you will need to have some sort of SAML SP implementation (Java fedlet/.NET fedlet/SimpleSAMLPHP/Shibboleth SP/etc). To enable SAMLv2 federation you may as well follow the documentation ( http://docs.forgerock.org/en/openam/10.0.0/admin-guide/index.html#chap-federation )
• If Authenticate WS means /openam/identity/authenticate REST/JAX-WS endpoint, then the answer is no, but if you correctly initiate a SAMLv2 login on the IdP (by using the idpssoinit endpoint), then the assertion will be presented to the SP, where the SP implementation can perform the necessary validations and extract the actual data out of the assertion.