
Import SAML identity provider (IdP) partner metadata using wsadmin

Before we can use this command, configure the Security Assertion Markup Language (SAML) trust association interceptor (TAI) with at least one SSO partner using the addSAMLTAISSO command. If we create our own truststore, it must be specified in the sso_<ID>.sp.trustStore entry. If we do not specify the sp.trustStore property, the default truststore is used. All certificates of the identity provider (IdP) and the service provider are saved in the same truststore.

We can use the wsadmin command-line utility to import the SAML IdP partner into the SAML TAI in the WebSphere Application Server security configuration. This command imports the following IdP partner data:

Avoid trouble: If any of the previous properties are missing, the command logs a warning message.

  1. Start WebSphere Application Server.

  2. Start the wsadmin utility from the app_server_root/bin directory by entering the command: wsadmin -lang jython.

  3. At the wsadmin prompt, enter the following command on a single line (the Jython string must not be broken across lines):
    AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/idpdata.xml -idpId 1 -ssoId 1 -signingCertAlias idpcert')

    We can use the following parameters with this command:

    Parameter and description:

    -ssoId
        Optional if we have only one SSO service provider partner. If we have more than one SSO service provider partner, this parameter is required. It is the identifier for the group of custom properties associated with the SSO service provider partner. This parameter is specified as an integer.

    -idpId
        Optional. It is the IdP identifier for the group of custom properties that are to be defined with this command. If the parameter is not specified, an unused identifier is assigned. This parameter is specified as an integer.

    -signingCertAlias
        Optional if we do not have a signing certificate. If we have a signing certificate, this parameter is required. This parameter specifies the alias under which the certificate is named in the current keystore. This parameter is specified as a Boolean.

    -idpMetadataFileName
        Required. Specify the fully qualified file name of the SAML IdP partner metadata. This parameter is specified as a String.

    -securityDomainName
        Specifies the name of the security domain of interest. If a value for this parameter is not specified, the command uses the global security configuration. This parameter is specified as a String.
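    Before handing a metadata file to importSAMLIdpMetadata it is worth checking what the file actually carries, because the command requires -signingCertAlias whenever the IdP publishes a signing certificate and only warns if expected data is missing. The following added example (not IBM code, and not part of this page) parses a constructed IdP metadata document with the Python standard library, reports the entityID, SingleSignOnService URLs and whether a signing certificate is present, and assembles the matching wsadmin command string; it runs under ordinary Python, not inside wsadmin.

```python
"""Pre-flight check of SAML IdP metadata before importSAMLIdpMetadata (added example)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata; the certificate body is a placeholder, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return the values the import depends on: entityID, SSO URLs, signing-cert presence."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso_urls = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    signing_certs = [c for k in idp.findall("md:KeyDescriptor", NS)
                     if k.get("use") in (None, "signing")
                     for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls,
            "has_signing_cert": bool(signing_certs)}


def build_import_command(file_name, sso_id, idp_id, info, cert_alias=None, domain=None):
    """Assemble the single-line wsadmin call; refuse to omit the alias when a cert exists."""
    if info["has_signing_cert"] and not cert_alias:
        raise ValueError("metadata carries a signing certificate: -signingCertAlias is required")
    args = ["-idpMetadataFileName %s" % file_name, "-ssoId %d" % sso_id, "-idpId %d" % idp_id]
    if cert_alias:
        args.append("-signingCertAlias %s" % cert_alias)
    if domain:
        args.append("-securityDomainName %s" % domain)
    return "AdminTask.importSAMLIdpMetadata('%s')" % " ".join(args)


if __name__ == "__main__":
    details = inspect_idp_metadata(SAMPLE_METADATA)
    print(details)
    print(build_import_command("/tmp/idpdata.xml", 1, 1, details, cert_alias="idpcert"))
```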


Results

The IdP partner properties are now added to the SAML TAI for this WebSphere Application Server.


Example

The following example imports the SAML IdP partner 1 metadata into the global security SAML TAI SSO service provider partner 1 with the signing certificate alias name idp1CertAlias:

AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/myIdPmetadata.xml -ssoId 1 -idpId 1 -signingCertAlias idp1CertAlias')

The following example imports the SAML IdP partner 1 metadata into the security domain myDomain1 SAML TAI SSO service provider partner 1 with the signing certificate alias name idp1CertAlias:

AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/myIdPmetadata.xml -ssoId 1 -idpId 1 -signingCertAlias idp1CertAlias -securityDomainName myDomain1')