---
title: Unsigned/unencrypted SAML v2.0 assertions
description: This example sets up federation using AM as the identity provider with unsigned/unencrypted assertions.
component: pinggateway
version: 2026
page_id: pinggateway:gateway-guide:federation-setup-filter
canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/federation-setup-filter.html
revdate: 2025-10-15T18:45:22Z
---

# Unsigned/unencrypted SAML v2.0 assertions

This example sets up federation using AM as the identity provider with unsigned/unencrypted assertions.

1. Set up the network:

   Add `sp.example.com` to your `/etc/hosts` file:

   ```none
   127.0.0.1 localhost am.example.com ig.example.com app.example.com sp.example.com
   ```

   Traffic to the application is proxied through PingGateway, using the host name `sp.example.com`.

2. Configure a Java Fedlet:

   The SAML library component validates the SP's AssertionConsumerService Location against the incoming IdP SAML Assertion, based on the request information, including the port. In `sp.xml`, always specify the port in the Location value of `AssertionConsumerService`, even when using defaults of 443 or 80, as follows:

   ```xml
   <AssertionConsumerService isDefault="true"
                             index="0"
                             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://sp.example.com:443/fedletapplication" />
   ```

   Learn about Java Fedlets in the AM documentation on [Creating and configuring the Fedlet](https://docs.pingidentity.com/pingam/8.1/am-saml2/create-configure-fedlet.html).

   1. Copy and unzip the fedlet zip file, `Fedlet-8.1.0.zip`, delivered with the AM installation, into a local directory.

      ```console
      $ unzip $HOME/openam/Fedlet-8.1.0.zip
      ```

      Output

      ```none
      Archive:  Fedlet-8.1.0.zip
      creating: conf/
      inflating: README
      inflating: conf/FederationConfig.properties
      inflating: conf/fedlet.cot-template
      inflating: conf/idp-extended.xml-template
      inflating: conf/sp-extended.xml-template
      inflating: conf/sp.xml-template
      inflating: fedlet.war
      ```

   2. In each file, search and replace the following properties:

      | Replace this                                                  | With this                                                      |
      | ------------------------------------------------------------- | -------------------------------------------------------------- |
      | `IDP_ENTITY_ID`                                               | `openam`                                                       |
      | `FEDLET_ENTITY_ID`                                            | `sp`                                                           |
      | `FEDLET_PROTOCOL://FEDLET_HOST:FEDLET_PORT/FEDLET_DEPLOY_URI` | `https://sp.example.com:8443/home/saml`                        |
      | `fedletcot` and `FEDLET_COT`                                  | `Circle of Trust`                                              |
      | `sp.example.com:8443/home/saml/fedletapplication`             | `sp.example.com:8443/home/saml/fedletapplication/metaAlias/sp` |

   3. Save the files as .xml, without the `-template` extension, so that the directory looks like this:

      ```none
      conf
      ├── FederationConfig.properties
      ├── fedlet.cot
      ├── idp-extended.xml
      ├── sp-extended.xml
      └── sp.xml
      ```

      By default, AM as an IdP uses the NameID format `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` to communicate about a user. For information about using a different NameID format, refer to [Non-transient SAML v2.0 NameID format](federation-non-transient-name.html).
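      As an added example (not Fedlet or PingGateway code), the following Python applies the replacement table above in order, strips the `-template` suffix, and then checks the rendered `sp.xml` for leftover placeholders and for any `AssertionConsumerService` Location without an explicit port, which is the condition the earlier note warns about. The template content is a constructed stand-in, not the real Fedlet file.

      ```python
      import re
      from urllib.parse import urlsplit
      from xml.etree import ElementTree as ET

      # Ordered pairs from the replacement table. Order matters: the last pair only
      # matches text that the third pair has already produced.
      REPLACEMENTS = [
          ("IDP_ENTITY_ID", "openam"),
          ("FEDLET_ENTITY_ID", "sp"),
          ("FEDLET_PROTOCOL://FEDLET_HOST:FEDLET_PORT/FEDLET_DEPLOY_URI",
           "https://sp.example.com:8443/home/saml"),
          ("fedletcot", "Circle of Trust"),
          ("FEDLET_COT", "Circle of Trust"),
          ("sp.example.com:8443/home/saml/fedletapplication",
           "sp.example.com:8443/home/saml/fedletapplication/metaAlias/sp"),
      ]

      # Constructed stand-in for conf/sp.xml-template; the real Fedlet file is larger.
      SAMPLE_TEMPLATES = {
          "sp.xml-template": (
              '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
              'entityID="FEDLET_ENTITY_ID"><SPSSODescriptor>'
              '<AssertionConsumerService isDefault="true" index="0" '
              'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
              'Location="FEDLET_PROTOCOL://FEDLET_HOST:FEDLET_PORT/FEDLET_DEPLOY_URI'
              '/fedletapplication"/></SPSSODescriptor></EntityDescriptor>'
          ),
      }

      PLACEHOLDER = re.compile(r"\bIDP_ENTITY_ID\b|\bFEDLET_[A-Z_]+\b|\bfedletcot\b")
      SAML_MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

      def render_templates(templates):
          """Apply REPLACEMENTS in order and drop the '-template' suffix from names."""
          rendered = {}
          for name, text in templates.items():
              for old, new in REPLACEMENTS:
                  text = text.replace(old, new)
              rendered[name.removesuffix("-template")] = text
          return rendered

      def leftover_placeholders(text):
          """Return any template placeholders that survived the replacements."""
          return sorted(set(PLACEHOLDER.findall(text)))

      def acs_locations_missing_port(sp_xml):
          """Return AssertionConsumerService Locations that omit an explicit port."""
          root = ET.fromstring(sp_xml)
          return [acs.get("Location", "") for acs in root.iter(SAML_MD + "AssertionConsumerService")
                  if urlsplit(acs.get("Location", "")).port is None]
      ```

      Run `acs_locations_missing_port` against your real `sp.xml` before importing it into AM; any Location it returns will fail the port-aware validation described above.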

3. Set up AM:

   1. In the AM admin UI, select Identities, select the user `demo`, and change the last name to `Ch4ng31t`. Note that, for this example, the last name must be the same as the password.

   2. Select Applications > Federation > Circles of Trust, and add a circle of trust called `Circle of Trust`, with the default settings.

   3. Set up a remote service provider:

      1. Select Applications > Federation > Entity Providers, and add a remote entity provider.

      2. Drag in or import `sp.xml` created in the previous step.

      3. Select Circles of Trust: `Circle of Trust`.

   4. Set up a hosted identity provider:

      1. Select Applications > Federation > Entity Providers, and add a hosted entity provider with the following values:

         * Entity ID: `openam`

         * Entity Provider Base URL: `http://am.example.com:8088/openam`

         * Identity Provider Meta Alias: `idp`

         * Circles of Trust: `Circle of Trust`

      2. Select Assertion Processing > Attribute Mapper, map the following SAML attribute keys and values, and then save your changes:

         * SAML Attribute: `cn`, Local Attribute: `cn`

         * SAML Attribute: `sn`, Local Attribute: `sn`

      3. In a terminal, export the XML-based metadata for the IdP:

         ```console
         $ curl -v \
         --output idp.xml \
         "http://am.example.com:8088/openam/saml2/jsp/exportmetadata.jsp?entityid=openam"
         ```

         The `idp.xml` file is created locally.

4. Set up PingGateway:

   1. Set up PingGateway for HTTPS, as described in [Configure PingGateway for TLS (server-side)](../installation-guide/securing-connections.html#server-side-tls).

   2. Copy the edited fedlet files, and the exported `idp.xml` file into the PingGateway configuration, at `$HOME/.openig/SAML`.

      ```console
      $ ls -l $HOME/.openig/SAML
      ```

      Output

      ```none
      FederationConfig.properties
      fedlet.cot
      idp-extended.xml
      idp.xml
      sp-extended.xml
      sp.xml
      ```

   3. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources.

      Learn more in [Using the sample application](../getting-started/start-sampleapp.html).

   4. Add the following route to PingGateway:

      * Linux

        `$HOME/.openig/config/routes/saml-filter.json`

      * Windows

        `%appdata%\OpenIG\config\routes\saml-filter.json`

      ```json
      {
        "name": "saml-filter",
        "baseURI": "https://app.example.com:8444",
        "condition": "${find(request.uri.path, '^/home')}",
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "SamlFilter",
                "type": "SamlFederationFilter",
                "config": {
                  "assertionMapping": {
                    "name": "cn",
                    "surname": "sn"
                  },
                  "subjectMapping": "sp-subject-name",
                  "redirectURI": "/home/saml-filter"
                }
              },
              {
                "name": "SetSamlHeaders",
                "type": "HeaderFilter",
                "config": {
                  "messageType": "REQUEST",
                  "add": {
                    "x-saml-cn": [ "${toString(session.name)}" ],
                    "x-saml-sn": [ "${toString(session.surname)}" ]
                  }
                }
              }
            ],
            "handler": "ReverseProxyHandler"
          }
        }
      }
      ```

      Source: [saml-filter.json](../_attachments/config/routes/saml-filter.json)

      Notice the following features of the route:

      * The route matches requests to `/home`.

      * The SamlFederationFilter extracts `cn` and `sn` from the SAML assertion, and maps them to the SessionContext, at `session.name[0]` and `session.surname[0]`.

      * The HeaderFilter adds the session name and surname as headers to the request so that they are displayed by the sample application.

   5. Restart PingGateway.

5. Test the setup:

   1. In your browser's privacy or incognito mode, go to <https://sp.example.com:8443/home>.

   2. Log in to AM as user `demo`, password `Ch4ng31t`. The request is redirected to the sample application.

If a request returns an HTTP 414 URI Too Long error, consider the information in [URI Too Long error](../maintenance-guide/troubleshooting.html#troubleshoot-HTTP414).
