
Import SAML identity provider (IdP) partner metadata using wsadmin.sh

Before using this command, configure the SAML trust association interceptor (TAI) with at least one single sign-on (SSO) partner using the addSAMLTAISSO command. If we create our own trust store, it must be specified in the sso_<ID>.sp.trustStore property. If the sp.trustStore property is not specified, the default truststore is used. All certificates of the identity provider (IdP) and the service provider are saved in the same truststore.

Use the wsadmin command-line utility to import the SAML IdP partner into the SAML TAI in the security configuration for WAS. This command imports the following IdP partner data:

If any of the previous properties is missing from the metadata, the command logs a warning message.


Tasks

  1. Start the WAS application servers.

  2. Run:

      cd app_server_root/bin
      ./wsadmin.sh -lang jython

  3. At the wsadmin prompt, enter:

      AdminTask.importSAMLIdpMetadata('-idpMetadataFileName /tmp/idpdata.xml -idpId 1 -ssoId 1 -signingCertAlias idpcert')

    Use the following parameters with this command:

    -ssoId
        Optional if there is only one SSO service provider partner; required if there is more than one. Identifier for the group of custom properties associated with the SSO service provider partner. Integer.

    -idpId
        Optional. The IdP identifier for the group of custom properties to be defined with this command. If the parameter is not specified, an unused identifier is assigned. Integer.

    -signingCertAlias
        Optional if the IdP has no signing certificate; required if it has one. Specify the alias under which the certificate is to be stored in the current keystore. Boolean.

    -idpMetadataFileName
        Required. Specify the fully qualified file name of the SAML IdP partner metadata. String.

    -securityDomainName
        Optional. Name of the security domain of interest. If not specified, the command uses the global security configuration. String.

The IdP partner properties are now added to the SAML TAI for this WAS.


Example

Import the SAML IdP partner 1 metadata to the global security SAML TAI SSO service provider partner 1 with a signing certificate alias name idp1CertAlias:

Import the SAML IdP partner 1 metadata to the security domain myDomain1 SAML TAI SSO service provider partner 1 with a signing certificate alias name idp1CertAlias:
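The following wsadmin Jython script is an added example and is not part of the IBM documentation or of WAS itself. It covers both the task procedure above and the two example imports: it inspects the IdP metadata file before anything is changed, applies the rules from the parameter table (the file is required, -ssoId is required when more than one SSO partner exists, -signingCertAlias is required when the metadata carries a signing certificate, and the metadata must actually describe an IdP), and only then runs AdminTask.importSAMLIdpMetadata and saves the configuration. The point of checking the signing certificate up front is that the TAI validates assertion signatures with it: metadata imported without one leaves the partner unable to be verified, and metadata obtained from an untrusted channel would place an attacker-chosen certificate in the truststore. The embedded metadata document is a constructed sample for a hypothetical IdP (idp.example.test); /tmp/idpdata.xml, the IDs and the alias idp1CertAlias come from the page, and the helper names (inspect_idp_metadata, build_import_command, import_idp_metadata) are this example's own. Outside wsadmin, where AdminTask and AdminConfig do not exist, the script prints the command it would run.

```python
import os
import re

# Constructed sample of a SAML 2.0 IdP metadata document for a hypothetical IdP
# (not any real partner's metadata); the checks below run against it offline.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Lightweight pattern checks (no XML parser, so they also work on the Jython
# shipped with wsadmin); namespace prefixes are optional in every pattern.
_ENTITY_ID = re.compile(r'<(\w+:)?EntityDescriptor\b[^>]*\bentityID="([^"]*)"', re.S)
_IDP_DESC = re.compile(r'<(\w+:)?IDPSSODescriptor\b')
_KEY_DESC = re.compile(r'<(\w+:)?KeyDescriptor\b([^>]*)>(.*?)</(\w+:)?KeyDescriptor>', re.S)
_X509 = re.compile(r'<(\w+:)?X509Certificate>')


def inspect_idp_metadata(xml_text):
    """Report the entity ID, whether the document has an IDPSSODescriptor, and
    whether it carries a signing certificate. A KeyDescriptor counts as signing
    when use="signing" or when it has no use attribute (signing and encryption)."""
    m = _ENTITY_ID.search(xml_text)
    signing = 0
    for _prefix, attrs, body, _close in _KEY_DESC.findall(xml_text):
        if 'use="encryption"' in attrs:
            continue
        if _X509.search(body):
            signing = 1
    return {
        'entity_id': m and m.group(2) or None,
        'idp_descriptor': _IDP_DESC.search(xml_text) is not None,
        'signing_certificate': signing == 1,
    }


def build_import_command(idp_metadata_file, metadata_text, sso_id=None, idp_id=None,
                         signing_cert_alias=None, security_domain=None, sso_partner_count=1):
    """Build the argument string for AdminTask.importSAMLIdpMetadata, enforcing the
    parameter table's rules before the configuration is touched."""
    info = inspect_idp_metadata(metadata_text)
    if not info['idp_descriptor']:
        raise ValueError('%s has no IDPSSODescriptor; it is not IdP metadata' % idp_metadata_file)
    if sso_partner_count > 1 and sso_id is None:
        raise ValueError('-ssoId is required when more than one SSO service provider partner exists')
    if info['signing_certificate'] and not signing_cert_alias:
        raise ValueError('metadata carries a signing certificate, so -signingCertAlias is required')
    args = '-idpMetadataFileName %s' % idp_metadata_file
    if idp_id is not None:
        args = args + ' -idpId %d' % idp_id
    if sso_id is not None:
        args = args + ' -ssoId %d' % sso_id
    if signing_cert_alias:
        args = args + ' -signingCertAlias %s' % signing_cert_alias
    if security_domain:
        args = args + ' -securityDomainName %s' % security_domain
    return args


def load_metadata(path):
    """Read the metadata file, failing early with a clear message if it is absent."""
    if not os.path.isfile(path):
        raise ValueError('IdP metadata file not found: %s' % path)
    f = open(path)
    try:
        return f.read()
    finally:
        f.close()


def import_idp_metadata(idp_metadata_file, **kw):
    """Validate, then import. AdminTask and AdminConfig exist only inside wsadmin;
    elsewhere the command is printed so the script can be dry-run."""
    args = build_import_command(idp_metadata_file, load_metadata(idp_metadata_file), **kw)
    if 'AdminTask' in globals():
        AdminTask.importSAMLIdpMetadata(args)
        AdminConfig.save()  # persist the change to the configuration repository
    else:
        print('dry run: AdminTask.importSAMLIdpMetadata(%r)' % args)
    return args


if __name__ == '__main__':
    # The two imports described in the Example section: global security, then myDomain1.
    import_idp_metadata('/tmp/idpdata.xml', sso_id=1, idp_id=1, signing_cert_alias='idp1CertAlias')
    import_idp_metadata('/tmp/idpdata.xml', sso_id=1, idp_id=1, signing_cert_alias='idp1CertAlias',
                        security_domain='myDomain1')
```

Run it with ./wsadmin.sh -lang jython -f import_idp.py (file name assumed) after the TAI has at least one SSO partner from addSAMLTAISSO; the validation errors are raised before any AdminTask call, so a wrong file or a missing alias never leaves a half-configured partner behind.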