ForgeRock Access Management (AM) offers robust support for SAML 2.0, enabling organizations to implement secure Single Sign-On (SSO) across trusted domains. In a SAML setup, the Identity Provider (IDP) authenticates users and issues SAML assertions, while the Service Provider (SP) consumes those assertions to grant access. This blog will guide you step-by-step through setting up both IDP and SP roles using ForgeRock AM. 🔐🌍


Understanding SAML Roles in ForgeRock AM

Before diving into configuration, it’s essential to grasp the roles. The IDP authenticates users and provides identity assertions. The SP relies on the IDP to authenticate users and accepts the assertions to authorize access. ForgeRock AM can act as either or both in a federation setup. Understanding the metadata exchange and establishing trust between IDP and SP is fundamental to the configuration process.


Setting Up the SAML2 Module

The SAML2 authentication module is only needed when AM acts as the SP and you want SAML login to run as a step in an authentication chain or tree, so that a remote IDP’s assertion produces a local AM session (optionally followed by further steps). It is not required for the IDP role, and the entity ID, signing and encryption settings and attribute mapping do not live on the module; they live on the hosted entity provider described below. To add it, go to Realms > [your realm] > Authentication > Modules, create a module of type SAML2, and point it at your hosted SP (its meta alias) and the remote IDP’s entity ID. The hosted SP and the remote IDP must already exist and share a Circle of Trust before the module will work. If you only want to exercise the flow with the spSSOInit.jsp URL shown later, you can skip the module entirely.


Creating the IDP Entity Provider

Navigate to Applications > Federation > Entity Providers and add a hosted entity provider with the Identity Provider role (older OpenAM releases expose this as the Create Hosted Identity Provider wizard under Common Tasks). Give it an Entity ID (a URI, typically the AM base URL) and a meta alias such as /idp; AM derives the SSO, SLO and artifact endpoints from the meta alias, so you do not type service URLs by hand. Select the signing and encryption key aliases from the AM keystore and map user profile attributes to the assertion attributes you want to release. Once saved, export the metadata XML (it is also served at https://<IDP-Host>/am/saml2/jsp/exportmetadata.jsp?entityid=<IDP-ID>&realm=<realm>); this file contains the public certificates, endpoints and settings the SP will use to trust and communicate with the IDP. Replace the default test signing key with a production key before you hand the file to anyone, because whatever certificate is in the metadata is what partners will trust.


Creating the SP Entity Provider

In the same section, add a hosted entity provider with the Service Provider role and a meta alias such as /sp; AM derives the Assertion Consumer Service (ACS) URL from it (https://<SP-Host>/am/Consumer/metaAlias/sp in the root realm). Configure the attribute mapping from assertion attributes to local profile attributes, the account mapper (how the NameID is matched to a local user), and whether the SP requires signed assertions and responses. The partner IDP is not created on this screen: import its exported metadata XML as a remote entity provider, which populates its entity ID, endpoints and certificates without manual entry. After configuration, export the SP metadata and provide it to the IDP, which imports it the same way, as a remote SP.


Establishing a Circle of Trust (COT)

The Circle of Trust ensures both the IDP and SP recognize each other. Go to Applications > Federation > Circles of Trust, create a new circle, and add both the hosted entity and the imported remote partner entity to it; when the IDP and SP run on separate AM instances, each instance needs a COT containing its own hosted provider and the partner’s remote provider. This grouping is essential: AM only exchanges SAML messages between entities that share a COT, and a missing COT membership is the most common reason a freshly imported partner "does not exist" at runtime.
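Before you import a partner’s metadata and add it to the COT, it is worth checking what you are about to trust. The following is an added example in Python (not ForgeRock code, and not from the original post) that inspects an IDP metadata file the way a reviewer would: it extracts the entity ID, confirms the file actually describes an IDP, lists the SSO endpoints and refuses non-HTTPS ones, and computes SHA-256 fingerprints of the signing certificates so you can confirm them with the partner out of band. The embedded metadata is a constructed sample in the shape of an AM export; the entity ID, hostnames and certificate bytes are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an AM IDP metadata export. The entity ID,
# host and certificate bytes are placeholders, not a real deployment.
PLACEHOLDER_CERT_DER = b"placeholder-der-bytes-not-a-real-certificate"
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/am">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{redirect}"
        Location="https://idp.example.com/am/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="{post}"
        Location="https://idp.example.com/am/SSOPOST/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(cert=base64.b64encode(PLACEHOLDER_CERT_DER).decode("ascii"),
           redirect=REDIRECT, post=POST)


def inspect_idp_metadata(xml_text):
    """Summarise a partner's IDP metadata and list problems to resolve before
    importing it as a remote entity provider and adding it to the COT."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    summary = {"entityID": root.get("entityID")}
    problems = []

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this file does not describe an IDP")
        return summary, problems

    # Endpoints the SP will redirect or POST AuthnRequests to; all must be HTTPS.
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location")
        endpoints[binding] = location
        if urlparse(location).scheme != "https":
            problems.append("SSO endpoint is not HTTPS: %s" % location)
    if REDIRECT not in endpoints and POST not in endpoints:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    # Signing certificates: fingerprint the DER bytes so they can be confirmed
    # with the partner out of band before any trust is granted.
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # per the metadata spec, no 'use' means both uses
        if use not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        problems.append("no signing certificate: responses could not be verified")

    summary.update({
        "wantAuthnRequestsSigned": idp.get("WantAuthnRequestsSigned") == "true",
        "sso": endpoints,
        "signing_cert_sha256": fingerprints,
    })
    return summary, problems


if __name__ == "__main__":
    summary, problems = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    print(summary)
    print("problems:", problems or "none")
```

Run it against a real export instead of the sample and compare the printed fingerprints with what the partner gives you over a second channel; a metadata file fetched over HTTP, or e-mailed, is not self-authenticating, and whoever controls the certificate in it controls who your SP will believe.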


Testing SP-Initiated and IDP-Initiated SSO

To test SP-Initiated SSO, use the URL format:

https://<SP-Host>/am/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=<IDP-ID>

This builds an AuthnRequest at the hosted SP and sends the browser to the IDP’s SSO endpoint. metaAlias identifies the hosted SP and must include the realm outside the root realm (for example /myrealm/sp), and idpEntityID names the remote IDP to use; there is no spEntityID parameter on this page, because the meta alias already identifies the SP. For IDP-initiated SSO, start at the IDP instead with https://<IDP-Host>/am/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=<SP-ID>, which sends an unsolicited Response straight to the SP’s ACS endpoint. An optional RelayState parameter on either URL controls where the user lands afterwards. Watch the Federation debug logs in the AM debug directory on both sides to verify that the request is generated and the response is processed, and note that a Response whose InResponseTo does not match a request the SP issued is treated as unsolicited.
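When the IDP rejects a request, the fastest way to see what the SP actually sent is to decode the SAMLRequest from the redirect. The following is an added example in Python (not ForgeRock code, and not from the original post) showing both halves of the HTTP-Redirect binding: raw DEFLATE plus base64 to build the redirect URL, and the reverse to read one, followed by a summary of the fields the IDP checks (Issuer, Destination, ACS URL). The AuthnRequest, hostnames and request ID are constructed placeholders in the shape AM’s hosted SP produces; signed redirects additionally carry SigAlg and Signature parameters over the query string, which this example does not cover.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest in the shape AM's hosted SP sends. Hosts, the ID and
# the issue instant are placeholders, not captured traffic.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_placeholder-request-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" '
    'Destination="https://idp.example.com/am/SSORedirect/metaAlias/idp" '
    'AssertionConsumerServiceURL="https://sp.example.com/am/Consumer/metaAlias/sp" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com/am</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header or checksum), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_binding(value):
    """Inverse of encode_redirect_binding; wbits=-15 selects raw DEFLATE."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_sp_initiated_redirect(idp_sso_url, authn_request_xml, relay_state=None):
    """The Location an SP sends the browser to; urlencode handles the base64 '+', '/', '='."""
    params = {"SAMLRequest": encode_redirect_binding(authn_request_xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_saml_redirect_url(url):
    """Pull SAMLRequest or SAMLResponse (and RelayState) out of a redirect URL."""
    query = parse_qs(urlparse(url).query)
    for key in ("SAMLRequest", "SAMLResponse"):
        if key in query:
            return key, decode_redirect_binding(query[key][0]), query.get("RelayState", [None])[0]
    raise ValueError("no SAMLRequest or SAMLResponse parameter in URL")


def summarize_authn_request(xml_text):
    """The fields an IDP validates first: who is asking, where it was sent, where to reply."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", {"saml": SAML})
    return {
        "id": root.get("ID"),
        "version": root.get("Version"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
    }


if __name__ == "__main__":
    url = build_sp_initiated_redirect(
        "https://idp.example.com/am/SSORedirect/metaAlias/idp",
        SAMPLE_AUTHN_REQUEST, relay_state="https://sp.example.com/app")
    kind, xml, relay = decode_saml_redirect_url(url)
    print(kind, relay)
    print(summarize_authn_request(xml))
```

In practice you paste the Location header captured from spSSOInit.jsp into decode_saml_redirect_url. If the Issuer is not the SP entity ID the IDP imported, or the Destination is not one of its SSO endpoints, the IDP is right to refuse the request, and no amount of COT fiddling will help.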


Implementing Security Best Practices

Ensure every SAML endpoint is HTTPS, including the IDP SSO URL and the SP ACS URL published in metadata. Make the SP require signed responses and assertions rather than merely prefer them (the hosted SP’s "Want Assertions Signed" and related signing settings), and sign AuthnRequests if the IDP asks for them. Encrypt assertions that carry sensitive attributes, and release only the attributes each SP needs through the IDP’s attribute mapping. Replace the default test signing key before production, rotate certificates on a schedule (publish the new certificate in metadata alongside the old one before switching signing over, so partners can import it without an outage), and keep imported partner metadata current. Finally, remember that trust is bounded by the validation the SP performs after the signature check: Audience, Destination, Recipient, InResponseTo and the NotBefore/NotOnOrAfter window are what stop a perfectly valid assertion issued for a different SP, or a captured one replayed later, from being accepted.
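To make those validation rules concrete, here is an added example in Python (not ForgeRock code, and not from the original post) that applies the post-signature checks a bearer-assertion consumer must perform: Success status, Destination and Recipient equal to this SP’s ACS URL, InResponseTo matching a request this SP actually issued (or an explicit opt-in to unsolicited, IDP-initiated responses), Audience containing this SP’s entity ID, the validity window with a bounded clock skew, and the presence of a signature on the Response or Assertion. It only checks that a ds:Signature element exists; cryptographic verification needs an XML-DSig implementation, which AM provides itself. The embedded Response, the SP entity ID, the ACS URL and the "current time" are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder SP identity and evaluation time for the constructed sample.
SP_ENTITY_ID = "https://sp.example.com/am"
ACS_URL = "https://sp.example.com/am/Consumer/metaAlias/sp"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)

# Constructed Response; the ds:Signature element is a stand-in, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.com/am/Consumer/metaAlias/sp"
    InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com/am</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/am</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">placeholder-nameid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/am/Consumer/metaAlias/sp"
            InResponseTo="_req1" NotOnOrAfter="2024-01-01T12:05:30Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/am</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="placeholder-session"/>
  </saml:Assertion>
</samlp:Response>
"""


def _saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _in_response_ok(value, outstanding, allow_unsolicited):
    if value is None:  # IDP-initiated SSO: there is no request to match
        return allow_unsolicited
    return value in outstanding


def check_saml_response(xml_text, sp_entity_id, acs_url, outstanding_request_ids,
                        now, skew=timedelta(minutes=3), allow_unsolicited=False):
    """Return the reasons to reject the response; an empty list means accept."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["document is not a samlp:Response"]
    failures = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        failures.append("status is not Success")
    if root.get("Destination") != acs_url:
        failures.append("Destination %r is not this SP's ACS URL" % root.get("Destination"))
    if not _in_response_ok(root.get("InResponseTo"), outstanding_request_ids, allow_unsolicited):
        failures.append("InResponseTo does not match an outstanding request (unsolicited or replayed)")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        failures.append("expected exactly one plaintext Assertion, found %d "
                        "(an EncryptedAssertion must be decrypted first)" % len(assertions))
        return failures
    a = assertions[0]

    if root.find("ds:Signature", NS) is None and a.find("ds:Signature", NS) is None:
        failures.append("neither Response nor Assertion carries a ds:Signature")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        failures.append("assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _saml_time(nb):
            failures.append("assertion not yet valid (NotBefore)")
        if noa and now - skew >= _saml_time(noa):
            failures.append("assertion expired (NotOnOrAfter)")
        audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            failures.append("Audience %r does not include this SP" % audiences)

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("no SubjectConfirmationData for bearer confirmation")
    else:
        if scd.get("Recipient") != acs_url:
            failures.append("SubjectConfirmationData Recipient is not this ACS URL")
        if not _in_response_ok(scd.get("InResponseTo"), outstanding_request_ids, allow_unsolicited):
            failures.append("SubjectConfirmationData InResponseTo does not match a request")
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= _saml_time(noa):
            failures.append("SubjectConfirmationData has expired")
    return failures


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS_URL, {"_req1"}, SAMPLE_NOW) or "accept")
```

The order matters in a real consumer: verify the signature first, then run checks like these on the signed content only, and keep the set of outstanding request IDs short-lived so a replayed Response cannot find a match. The skew parameter is the only tolerance you should allow on the time window; anything larger than a few minutes is a replay window you have handed to an attacker.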


Advanced Options: SLO, JIT, Attribute Queries

ForgeRock AM supports Single Logout (SLO), which lets a user log out of the IDP session and every SP session federated from it in one operation; because the IDP has to reach each SP in turn, a partner that does not implement SLO, or whose logout endpoint fails, leaves that session alive, so treat SLO as best effort and keep SP session lifetimes short. You can also have the SP create a local account on first login (AM’s dynamic profile creation together with the account mapper), and support attribute queries, where the SP asks the IDP’s attribute query endpoint for additional attributes after authentication; attribute queries are signed SOAP exchanges, so the SP’s signing certificate must be trusted by the IDP. These features enhance the federation experience but require both IDP and SP to support them and to have the corresponding endpoints in their metadata.


Deployment Considerations and Federation Strategy

When deploying in production, consider whether your ForgeRock AM instance will act as a central IDP, SP, or both. If federating with external partners, define processes for onboarding metadata and managing trust. Document all configuration steps and establish monitoring for SAML flows to detect issues early.


💡 Questions for Further Exploration:

  • How do you plan to manage trust and certificate rotation across multiple federation partners?
  • Should you use dynamic metadata exchange or rely on static files for your environment?
  • How will you audit and monitor SAML authentication events for security compliance?

With the right configuration and planning, ForgeRock AM can power secure and scalable federated authentication experiences across your enterprise and beyond.