Importing SAML identity provider (IdP) partner metadata using the wsadmin command-line utility

Before you begin

Before you can use this command, you must configure the Security Assertion Markup Language (SAML) trust association interceptor (TAI) with at least one single sign-on (SSO) partner using the addSAMLTAISSO command. If you create your own trust store, then it must be specified in the sso_<ID>.sp.trustStore entry. If you do not specify the sp.trustStore property, the default truststore is used. All the certificates of the identity provider (IdP) and service provider are saved in the same truststore.

About this task

You can use the wsadmin command-line utility to import the SAML IdP partner to the SAML TAI in the security configuration for WebSphere Application Server. This command will import the following IdP partner data:
  • Entity ID
  • Signing Certificate
  • SingleSignOnService HTTP-POST binding
Avoid trouble: If any of the previous properties are missing, the command logs a warning message.

Procedure

  1. Start the WebSphere Application Server.
  2. Start the wsadmin command utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython.
  3. At the wsadmin prompt, enter the following command:
    AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/idpdata.xml -idpId 1 -ssoId 1 -signingCertAlias idpcert')
    You can use the following parameters with this command:
    Table 1. importSAMLIdpMetaData parameters
    Parameter Description
    -ssoId This parameter is optional if you have only one SSO service provider partner. If you have more than one SSO service provider partner, this parameter is required. It is the identifier for the group of custom properties that are associated with the SSO service provider partner. This parameter is specified as an integer.
    -idpId This parameter is optional. It is the IdP identifier for the group of custom properties that are to be defined with this command. If the parameter is not specified, an unused identifier is assigned. This parameter is specified as an integer.
    -signingCertAlias This parameter is optional if you do not have a signing certificate. If you have a signing certificate, this parameter is required. This parameter specifies the alias that you want the certificate to be named in the current keystore. This parameter is specified as a Boolean.
    -idpMetadataFileName This parameter is required. Specify the fully-qualified file name for the SAML IdP partner metadata. This parameter is specified as a String.
    -securityDomainName This parameter specifies the name of the security domain of interest. If a value for this parameter is not specified, the command uses the global security configuration. This parameter is specified as a String.

Results

The IdP partner properties are now added to the SAML TAI for this WebSphere Application Server.

Example

The following example imports the SAML IdP partner 1 metadata to the global security SAML TAI SSO service provider partner 1 with a signing certificate alias name idp1CertAlias:
AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/myIdPmetadata.xml -ssoId 1 -idpId 1 -signingCertAlias idp1CertAlias')
The following example imports the SAML IdP partner 1 metadata to the security domain myDomain1 SAML TAI SSO service provider partner 1 with a signing certificate alias name idp1CertAlias:
AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/myIdPmetadata.xml -ssoId 1 -idpId 1 -signingCertAlias idp1CertAlias -securityDomainName myDomain1')

Task topic

Last updated: July 9, 2016 7:57
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twbs_importsamlidpmetadata
File name: twbs_importsamlidpmetadata.html