Access Management 7.2.2

Web or Java agents SSO and SLO

You can use web agents and Java agents in a SAML v2.0 Federation deployment.

Configuring agents to work alongside AM when performing SAML v2.0 single sign-on and single logout involves altering the URLs the agents use for logging in unauthenticated users, and logging users out.

Use web or Java agents with a SAML v2.0 service provider

This procedure applies when AM is configured as an IDP in one domain, and a web or Java agent protects resources on behalf of a second AM server, configured as an SP, on a second domain.

  1. Install the web or Java agent, as described in the Web Agents documentation or the Java Agents documentation.

    The following steps will guide you to configure the agent through the AM admin UI. If your agent is not using the centralized configuration mode, make the changes to the noted properties in the configuration file of the agent instead: agent.conf for the web agent or AgentConfiguration.properties for the Java agent.

  2. When using web agents:

    • In the AM admin UI of the SP, go to Realms > Realm Name > Applications > Agents > Web > Agent Name > AM Services.

    • When using integrated mode SSO:

      • Set the AM Login URL List property (com.sun.identity.agents.config.login.url) to the login URL that invokes the authentication chain containing the SAML2 Authentication Module, or the authentication tree containing the SAML2 Authentication node. For example:

        https://www.sp.com:8443/openam/XUI/#login/&service=mySAMLTree
    • When using standalone mode SSO:

      • Set the AM Login URL List property (com.sun.identity.agents.config.login.url) to the URL of the SP-initiated SSO JSP file, including the parameters necessary for initiating SSO. For example:

        https://www.sp.com:8443/openam/saml2/jsp/spSSOInit.jsp
        ?metaAlias=/sp
        &idpEntityID=https%3A%2F%2Fwww.idp.com%3A8443%2Fopenam
      • Add the URL of the SP-initiated SLO JSP file to the AM Logout URL property (com.sun.identity.agents.config.logout.url). RelayState is the URL the user is redirected to once single logout completes, so give it an absolute URL on a host you control. For example:

        https://www.sp.com:8443/openam/saml2/jsp/spSingleLogoutInit.jsp
        ?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
        &RelayState=http%3A%2F%2Fwww.sp.com
    • Set the Enable Custom Login Mode property (org.forgerock.openam.agents.config.allow.custom.login) to 1.

    • Disable the Invalidate Logout Session property (set org.forgerock.agents.config.logout.session.invalidate to false). The SP-initiated SLO page needs the user's AM session to still exist so that it can find the SAML session and send the LogoutRequest to the IDP; if the agent invalidated the session before redirecting to that page, single logout could not complete.

    • Save your changes.

  3. When using Java agents:

    • In the AM admin UI of the SP, go to Realms > Realm Name > Applications > Agents > Java > Agent Name > AM Services.

    • When using integrated mode SSO:

      • Set the AM Login URL List property (com.sun.identity.agents.config.login.url) to the login URL that invokes the authentication chain containing the SAML2 Authentication Module, or the authentication tree containing the SAML2 Authentication node. For example:

        https://www.sp.com:8443/openam/XUI/#login/&service=mySAMLTree
    • When using standalone mode SSO:

      • Set the AM Login URL List property (com.sun.identity.agents.config.login.url) to the URL of the SP-initiated SSO JSP file, including the parameters necessary for initiating SSO. For example:

        https://www.sp.com:8443/openam/saml2/jsp/spSSOInit.jsp
        ?metaAlias=/sp
        &idpEntityID=https%3A%2F%2Fwww.idp.com%3A8443%2Fopenam
      • Add the URL of the SP-initiated SLO JSP file to the AM Logout URL property (com.sun.identity.agents.config.logout.url). RelayState is the URL the user is redirected to once single logout completes, so give it an absolute URL on a host you control. For example:

        https://www.sp.com:8443/openam/saml2/jsp/spSingleLogoutInit.jsp
        ?binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
        &RelayState=http%3A%2F%2Fwww.sp.com
    • Set the Enable Custom Login Mode property (org.forgerock.openam.agents.config.allow.custom.login) to true.

    • Set the Convert SSO Tokens Into OIDC JWTs property (org.forgerock.agents.accept.ipdp.cookie.enabled) to true. After SAML SSO the user holds an AM SSO token rather than the agent's own JWT, so the agent must accept that token and convert it.

    • Save your changes.
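The following is an added example, not part of the ForgeRock documentation or the agent code. It assembles the standalone-mode login and logout URLs from the procedure above with correct percent-encoding (idpEntityID and RelayState are themselves URLs, so their ':' and '/' must be encoded; metaAlias keeps its slash), applies a local origin allowlist to the RelayState you are about to hard-code as the post-logout redirect target, and emits the same settings in key=value form for agent.conf or AgentConfiguration.properties. Assumptions: the `[0]` index is the list syntax of those property files, `relay_state_allowed` is a conservative check of our own rather than AM's validation logic, and the sample RelayState uses https where the procedure shows http.

```python
"""Added example (not ForgeRock's code): build the standalone-mode SSO/SLO URLs the
procedure above assigns to the agent login/logout properties, check a RelayState
against an origin allowlist, and emit the property-file form of the settings."""
from urllib.parse import parse_qs, quote, urlsplit

# SAML v2.0 binding URN used by the SLO example in the procedure.
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sp_sso_init_url(sp_base: str, meta_alias: str, idp_entity_id: str) -> str:
    """Value for com.sun.identity.agents.config.login.url in standalone mode.

    idpEntityID is itself a URL, so every reserved character in it is
    percent-encoded (safe=''); metaAlias keeps its leading '/'."""
    return (f"{sp_base}/saml2/jsp/spSSOInit.jsp"
            f"?metaAlias={quote(meta_alias, safe='/')}"
            f"&idpEntityID={quote(idp_entity_id, safe='')}")


def sp_slo_init_url(sp_base: str, relay_state: str, binding: str = HTTP_REDIRECT) -> str:
    """Value for com.sun.identity.agents.config.logout.url in standalone mode.

    ':' is legal in a query string, so the binding URN is left as-is (matching the
    procedure); RelayState is a URL and is fully percent-encoded."""
    return (f"{sp_base}/saml2/jsp/spSingleLogoutInit.jsp"
            f"?binding={binding}"
            f"&RelayState={quote(relay_state, safe='')}")


def query_params(url: str) -> dict:
    """Decode a built URL's query back into {name: value} so the encoding can be checked."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def relay_state_allowed(relay_state: str, allowed_origins: set) -> bool:
    """Local sanity check for the RelayState placed in the logout URL: it is the
    post-logout redirect target, so only absolute http(s) URLs whose origin is in the
    allowlist pass. Scheme-relative, javascript: and look-alike hosts are rejected.
    (Assumption: this is our own allowlist check, not AM's validation code.)"""
    parts = urlsplit(relay_state)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}" in allowed_origins


def agent_properties(agent_type: str, login_url: str, logout_url: str) -> dict:
    """Property names and values from the procedure, keyed for a config file.

    Assumption: '[0]' is the list-entry syntax of agent.conf /
    AgentConfiguration.properties and index 0 is the only entry."""
    props = {
        "com.sun.identity.agents.config.login.url[0]": login_url,
        "com.sun.identity.agents.config.logout.url[0]": logout_url,
    }
    if agent_type == "web":
        props["org.forgerock.openam.agents.config.allow.custom.login"] = "1"
        props["org.forgerock.agents.config.logout.session.invalidate"] = "false"
    elif agent_type == "java":
        props["org.forgerock.openam.agents.config.allow.custom.login"] = "true"
        props["org.forgerock.agents.accept.ipdp.cookie.enabled"] = "true"
    else:
        raise ValueError(f"unknown agent type: {agent_type}")
    return props


def render_properties(props: dict) -> str:
    """One key=value line per property; '=' and ':' in a value need no escaping."""
    return "".join(f"{key}={value}\n" for key, value in props.items())


if __name__ == "__main__":
    sp = "https://www.sp.com:8443/openam"            # SP AM base URL from the procedure
    login = sp_sso_init_url(sp, "/sp", "https://www.idp.com:8443/openam")
    relay = "https://www.sp.com"                     # https rather than the procedure's http
    assert relay_state_allowed(relay, {"https://www.sp.com"})
    logout = sp_slo_init_url(sp, relay)
    print(render_properties(agent_properties("web", login, logout)))
```

Run it to print a web-agent fragment you can paste into agent.conf; swap `"web"` for `"java"` to get the Java agent properties instead. Compare the printed login and logout values against what the AM admin UI shows after you save, since the UI stores the URLs exactly as typed and does not re-encode them.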