Single Sign-On (SSO) using SAML (Security Assertion Markup Language) simplifies user authentication by allowing seamless access to multiple applications with a single login. ForgeRock, a leading identity and access management (IAM) platform, provides robust support for SAML-based SSO. This guide covers configuring ForgeRock as an Identity Provider (IdP), uploading Service Provider (SP) metadata, selecting the appropriate NameID format, and demonstrating the authentication flow with HTTP Archive (HAR) captures.
1. Provider Configuration
ForgeRock as an Identity Provider (IdP)
To set up ForgeRock as an IdP for SAML SSO:
- Access the ForgeRock AM Console:
  - Log in to the ForgeRock Access Management (AM) admin interface as an administrator of the realm that will host the IdP.
- Create a Circle of Trust:
  - Navigate to Realms > Your Realm > Services > SAML2 (Applications > Federation in recent AM consoles).
  - Create a Circle of Trust (a logical grouping of trusted IdPs and SPs). An IdP only issues assertions to SPs that share a Circle of Trust with it.
- Configure the SAML2 Identity Provider:
  - Entity ID: a unique identifier for the ForgeRock IdP (e.g., urn:forgerock:idp). This is the value AM places in the Issuer element of every Response and Assertion, and the value the SP must be configured to trust.
  - Signing certificate: the key alias AM uses to sign Responses and Assertions. Its certificate is published in the IdP metadata so SPs can verify the signatures.
  - Single Sign-On and Single Logout endpoints: AM derives these from its deployment URL and publishes them in the IdP metadata; they are not typed in by hand.
  - The SP's Assertion Consumer Service (ACS) and Single Logout (SLO) URLs are not part of the IdP configuration: AM learns them from the SP's metadata (section 2) and only posts Responses to the ACS URLs listed there.
- Define Attribute Mappings:
  - Map user profile attributes to SAML attributes. AM attribute map entries use the form SAMLAttributeName=profileAttributeName, for example email=mail and username=uid.
  - Release only the attributes the SP actually needs; every entry in the map is sent in every assertion issued to that SP.
Service Provider (SP) Configuration
The SP (your application) must be configured to trust ForgeRock:
- Entity ID: a unique identifier for the SP (e.g., urn:example:sp). The IdP places it in the assertion's Audience element, so the SP must check incoming assertions against exactly this value.
- ACS URL: where ForgeRock sends SAML Responses (e.g., https://app.example.com/saml/acs). Use HTTPS: the Response is a bearer token for the user's session.
- IdP Signing Certificate: import ForgeRock's public certificate (from the IdP metadata) and verify every Response/Assertion signature against it. Do not let the SP trust whatever certificate is embedded in a message's KeyInfo; that would allow anyone to sign their own assertions.
- IdP Entity ID and SSO URL: where the SP sends AuthnRequests and which Issuer value it expects in Responses.
2. SP Metadata Upload
SAML relies on metadata files (XML) to exchange configuration details between the IdP and SP.
ForgeRock IdP Metadata
- Obtain ForgeRock's Metadata:
  - Access the metadata URL (e.g., https://forgerock.example.com/saml2/metadata). On AM itself, hosted-provider metadata is served by the saml2/jsp/exportmetadata.jsp endpoint, which takes entityid and realm query parameters.
  - Alternatively, export it from the AM Console under SAML2 Provider > Export Metadata, or with the ssoadm export-entity command.
- Upload to the SP:
  - Provide the metadata to the SP's admin console (e.g., upload to Azure AD, Okta, or a custom app).
  - If the metadata carries a validUntil attribute, re-import it before that date; otherwise the SP stops trusting the IdP when it expires.
SP Metadata for ForgeRock
- Generate SP Metadata:
  - Use a SAML library (e.g., OpenSAML) or your SP's admin panel to generate it.
  - Ensure it includes:
    - Entity ID
    - ACS URL(s), each with its binding (normally HTTP-POST)
    - X.509 certificate(s) for signing and, if assertions are to be encrypted, for encryption (the certificate only, never the private key)
    - The NameID format(s) the SP accepts, and whether it signs AuthnRequests and requires signed assertions
- Upload to ForgeRock:
  - In the AM Console, navigate to SAML2 > Service Providers (Applications > Federation > Entity Providers in recent consoles) and add the SP as a remote entity provider.
  - Import the SP's metadata or configure the SP manually, then add it to the same Circle of Trust as the IdP.
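As an added example (not code from this guide or from ForgeRock), the following Python script builds SP metadata with the elements listed above and inspects an IdP metadata document for what the SP will need: entity ID, SSO endpoints per binding, signing certificate, and an expiry check. The entity IDs, URLs, the certificate material and SAMPLE_IDP_METADATA are constructed placeholders; against a real deployment you would feed inspect_idp_metadata the document exported from AM.

```python
"""Added example (not ForgeRock code): build SP metadata and inspect IdP metadata.
Entity IDs, URLs, the certificate and SAMPLE_IDP_METADATA are constructed placeholders."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Placeholder certificate material: base64 of plain text, NOT a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
FAKE_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"


def build_sp_metadata(entity_id, acs_url, cert_pem, nameid_format, slo_url=None):
    """Return SP metadata XML (as a string) with the elements the guide lists:
    entity ID, ACS URL with its binding, certificate(s), NameID format, signing policy.
    Only the certificate body is embedded; the private key never leaves the SP."""
    cert_body = "".join(l for l in cert_pem.strip().splitlines() if not l.startswith("-----"))
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", protocolSupportEnumeration=SAML2P,
                       AuthnRequestsSigned="true", WantAssertionsSigned="true")
    for use in ("signing", "encryption"):  # same cert for both here; separate keys are better
        key_info = ET.SubElement(ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use=use), f"{{{DS}}}KeyInfo")
        x509 = ET.SubElement(key_info, f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_body
    if slo_url:  # element order below follows the metadata schema
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=HTTP_REDIRECT, Location=slo_url)
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = nameid_format
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=HTTP_POST,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def inspect_idp_metadata(xml_text, now=None):
    """Pull out what the SP needs from IdP metadata (entity ID, SSO endpoints per binding,
    signing certificates as DER bytes) and list problems that would break or weaken SSO."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "sso": {}, "certs": []}
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        problems.append(f"metadata expired at {valid_until}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
        return info, problems
    for sso in idp.findall(f"{{{MD}}}SingleSignOnService"):
        info["sso"][sso.get("Binding")] = sso.get("Location")
        if not (sso.get("Location") or "").startswith("https://"):
            problems.append(f"SSO endpoint is not HTTPS: {sso.get('Location')}")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no 'use' means the key serves both purposes
            cert = kd.find(f".//{{{DS}}}X509Certificate")
            if cert is not None and cert.text:
                info["certs"].append(base64.b64decode("".join(cert.text.split())))
    if not info["certs"]:
        problems.append("no signing certificate: the SP cannot verify assertion signatures")
    return info, problems


# Constructed IdP metadata in the shape AM exports (hostnames and endpoints are placeholders).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="urn:forgerock:idp" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2P}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://forgerock.example.com/saml2/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://forgerock.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(build_sp_metadata("urn:example:sp", "https://app.example.com/saml/acs", FAKE_CERT_PEM,
                            "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                            slo_url="https://app.example.com/saml/slo"))
    print(inspect_idp_metadata(SAMPLE_IDP_METADATA))
```

The inspection deliberately treats a KeyDescriptor without a use attribute as a signing key, which is how the metadata schema defines it, and reports any non-HTTPS SSO endpoint: a plaintext SSO URL would expose the AuthnRequest and RelayState to the network.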
3. NameID Format Selection
The NameID is the subject identifier carried in the assertion's Subject element. ForgeRock supports multiple formats:

| Format | Description | Example |
|---|---|---|
| urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | User's email address | [email protected] |
| urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | Opaque, stable, non-reassignable identifier scoped to the IdP/SP pair | a1b2c3d4 |
| urn:oasis:names:tc:SAML:2.0:nameid-format:transient | Temporary, session-specific identifier; the SP must not store it or use it as an account key | abcd1234 |

Configuration in ForgeRock:
- Navigate to the IdP's SAML2 Provider configuration > NameID Format (on the Assertion Content tab in AM).
- Select the desired format (e.g., emailAddress for simplicity). For attribute-backed formats such as emailAddress, AM's NameID Value Map states which profile attribute supplies the value, for example urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail.
- Ensure the SP is configured to accept the same format. If the SP's AuthnRequest carries a NameIDPolicy whose Format the IdP does not list, the IdP returns an error status instead of an assertion.
- Trade-off: emailAddress is convenient but ties the SP account to a mutable attribute; if an address is ever reassigned, the previous user's SP account passes to the new holder. persistent avoids this at the cost of the SP keeping an (issuer, NameID) to account mapping.
4. Flow Demonstration (with HAR Capture)
Below is the step-by-step SAML SSO flow (SP-initiated, HTTP-Redirect binding for the request and HTTP-POST binding for the response), illustrated with HAR snippets:
Step 1: User Accesses the SP
- The user visits the SP (e.g., https://app.example.com).
- The SP generates a SAML AuthnRequest, records its ID so the later Response can be matched to it, and redirects the browser to ForgeRock's SSO URL. With the HTTP-Redirect binding the request is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest query parameter; RelayState carries the location the SP should return to afterwards.
HAR Snippet (SP Redirects to ForgeRock):
GET /saml2/SSO?SAMLRequest=...&RelayState=... HTTP/1.1
Host: forgerock.example.com
Step 2: ForgeRock Authenticates the User
- If not logged in, ForgeRock displays a login page (the realm's configured authentication chain or tree).
- After authentication, ForgeRock generates a signed SAML Response containing an Assertion with the NameID and the mapped attributes, and returns an auto-submitting HTML form that POSTs it to the SP's ACS URL.
HAR Snippet (decoded Assertion; in the HAR itself the body is the base64-encoded SAMLResponse form field):
<saml2:Assertion ID="..." Version="2.0" IssueInstant="...">
  <saml2:Issuer>urn:forgerock:idp</saml2:Issuer>
  <ds:Signature>...</ds:Signature>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions NotBefore="..." NotOnOrAfter="...">
    <saml2:AudienceRestriction><saml2:Audience>urn:example:sp</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>[email protected]</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
Step 3: SP Validates the Assertion
- The SP verifies the signature on the Response and/or Assertion using ForgeRock's pinned public key, and rejects anything unsigned or signed with any other key.
- It then checks that InResponseTo matches an AuthnRequest it issued, that Destination (and SubjectConfirmationData Recipient, if present) is its own ACS URL, that Issuer is the configured IdP, that the Audience is its own entity ID, that the current time falls within NotBefore/NotOnOrAfter (allowing a few minutes of clock skew), that the NameID format is the one it requested, and that the assertion ID has not been accepted before (replay).
- If every check passes, the user is granted access. RelayState is used only after validation, and only as a local path, so that it cannot become an open redirect.
HAR Snippet (Browser POSTs the SAML Response to the SP):
POST /saml/acs HTTP/1.1
Host: app.example.com
Content-Type: application/x-www-form-urlencoded
Body: SAMLResponse=...&RelayState=...
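Steps 1 to 3 above, together with the NameID-format agreement from section 3, as one added Python example (not code from this guide, from ForgeRock, or from any SP library): it builds the SP's AuthnRequest with a NameIDPolicy, encodes it for the HTTP-Redirect binding exactly as it appears in the HAR, decodes both messages back out of a constructed HAR log, and runs the SP-side checks from Step 3 on the Response. Cryptographic signature verification is not something the standard library can do, so it is represented only by a check that a Signature element is present; in production the signature must be verified with an XML-DSig library against the pinned IdP certificate before anything else in the message is trusted. All hosts, entity IDs, the IdP Response and the HAR are constructed.

```python
"""Added example (not ForgeRock or SP-library code): SP side of the SAML flow above.
Hosts, entity IDs, the IdP Response and the HAR log are constructed placeholders."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY, ACS = "urn:example:sp", "https://app.example.com/saml/acs"                 # constructed
IDP_ENTITY, IDP_SSO = "urn:forgerock:idp", "https://forgerock.example.com/saml2/sso"  # constructed
SKEW = timedelta(minutes=3)  # tolerated clock difference between IdP and SP

def iso(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id, now, nameid_format=EMAIL_FMT):
    """Step 1: the SP's AuthnRequest. NameIDPolicy asks for one specific NameID format;
    the IdP must list that format (section 3) or it answers with an error status."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{iso(now)}" Destination="{IDP_SSO}" '
            f'ProtocolBinding="{HTTP_POST}" AssertionConsumerServiceURL="{ACS}">'
            f'<saml:Issuer>{SP_ENTITY}</saml:Issuer>'
            f'<samlp:NameIDPolicy Format="{nameid_format}" AllowCreate="true"/></samlp:AuthnRequest>')

def redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding, as it appears in the HAR: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                    "RelayState": relay_state})
    return f"{IDP_SSO}?{query}"

def saml_messages_from_har(har):
    """Troubleshooting helper: decode every SAMLRequest (query string) and SAMLResponse
    (POST form field) found in a HAR log into readable XML, in capture order."""
    out = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        query = urllib.parse.parse_qs(urllib.parse.urlparse(req["url"]).query)
        for v in query.get("SAMLRequest", []):
            out.append(("SAMLRequest", zlib.decompress(base64.b64decode(v), -15).decode()))
        for p in req.get("postData", {}).get("params", []):
            if p["name"] == "SAMLResponse":
                out.append(("SAMLResponse", base64.b64decode(p["value"]).decode()))
    return out

def validate_response(saml_response_b64, pending, seen, now):
    """Step 3 checks. The XML signature must be verified against the pinned IdP certificate
    with an XML-DSig library before any of this is trusted; here only its presence is checked.
    pending: {request ID issued by this SP: NameID format it requested}.
    seen: set of already accepted assertion IDs (replay cache). Returns (NameID, attributes)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != ACS:
        raise ValueError("Destination is not this SP's ACS URL")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    a = root.find(f"{{{SAML}}}Assertion")
    if a is None:
        raise ValueError("no Assertion (an EncryptedAssertion must be decrypted first)")
    if a.find(f"{{{DS}}}Signature") is None and root.find(f"{{{DS}}}Signature") is None:
        raise ValueError("neither the Response nor the Assertion is signed")
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY:
        raise ValueError("Issuer is not the trusted IdP")
    cond = a.find(f"{{{SAML}}}Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and parse_ts(not_before) > now + SKEW) or not not_on_or_after \
            or parse_ts(not_on_or_after) <= now - SKEW:
        raise ValueError("assertion is outside its validity window")
    if SP_ENTITY not in [x.text for x in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("Audience does not include this SP")
    nameid = a.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nameid is None or nameid.get("Format") != pending[in_response_to]:
        raise ValueError("NameID missing or its Format differs from the requested NameIDPolicy")
    if a.get("ID") in seen:
        raise ValueError("assertion replayed")
    seen.add(a.get("ID"))
    del pending[in_response_to]  # each AuthnRequest is answered exactly once
    attrs = {x.get("Name"): [v.text for v in x.findall(f"{{{SAML}}}AttributeValue")]
             for x in a.iter(f"{{{SAML}}}Attribute")}
    return nameid.text, attrs

def constructed_idp_response(in_response_to, now, nameid, email):
    """What the IdP would POST to the ACS after login (constructed; Signature is a placeholder)."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1" '
           f'Version="2.0" IssueInstant="{iso(now)}" Destination="{ACS}" InResponseTo="{in_response_to}">'
           f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{iso(now)}">'
           f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
           f'<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
           f'<saml:Subject><saml:NameID Format="{EMAIL_FMT}">{nameid}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{iso(now - timedelta(minutes=1))}" '
           f'NotOnOrAfter="{iso(now + timedelta(minutes=5))}"><saml:AudienceRestriction>'
           f'<saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>{email}'
           f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def run_flow(now=None):
    """Steps 1-3 end to end over a constructed HAR; returns the decoded messages, the accepted
    subject, and the state needed to demonstrate replay/format rejections."""
    now = now or datetime.now(timezone.utc)
    pending, seen = {"_req1": EMAIL_FMT}, set()  # use secrets.token_hex() for real request IDs
    url = redirect_url(build_authn_request("_req1", now), "/dashboard")
    resp = constructed_idp_response("_req1", now, "user@example.com", "user@example.com")
    har = {"log": {"entries": [  # constructed HAR, trimmed to the fields that matter here
        {"request": {"method": "GET", "url": url}},
        {"request": {"method": "POST", "url": ACS, "postData": {"params": [
            {"name": "SAMLResponse", "value": resp}, {"name": "RelayState", "value": "/dashboard"}]}}}]}}
    return {"messages": saml_messages_from_har(har), "subject": validate_response(resp, pending, seen, now),
            "response_b64": resp, "now": now, "pending": pending, "seen": seen}

if __name__ == "__main__":
    print(run_flow()["subject"])
```

The order of checks is deliberate: InResponseTo and Destination are evaluated before anything inside the assertion is parsed, so an unsolicited or misdirected Response is rejected cheaply, and the replay cache is keyed on the assertion ID rather than the request ID so that a second copy of the same assertion is refused even if the SP's pending-request store were ever inconsistent.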
Conclusion
Configuring SAML SSO with ForgeRock involves setting up the IdP and SP, exchanging metadata, selecting the right NameID format, and ensuring secure assertion handling. By analyzing HAR captures, administrators can troubleshoot issues and optimize the authentication flow.
For further details, refer to the ForgeRock SAML Documentation.