Task 5: Configure a tenant and specify the ADFS metadata URL

A tenant is a data space in IdM. IdM user authentication is based on a tenant. For Service Manager users, a tenant must be specified in a .json file.

The federation metadata URL of the identity provider (that is, ADFS) is required for you to add the IdM service as a relying party trust later.

To configure a tenant and specify the ADFS metadata URL, follow these steps:

  1. Locate the <idm-service>\WEB-INF\classes\seeded\samples\com.hpe.tenant1__1.3.2.1__Add_Update_Saml_Configuration.json.template file.

  2. Copy the file to the seeded directory (<idm-service>\WEB-INF\classes\seeded\) and then remove the .template extension from the file name.

  3. Open the com.hpe.tenant1__1.3.2.1__Add_Update_Saml_Configuration.json file in a text editor.

    Note The file already has a sample tenant named IdmDemoOrg1 defined. You may want to change it to your own tenant name.

  4. Update this file so that its content resembles the following example (in this example, a tenant name of IDM-SM is specified):

    [
        {
            "operation": "ADD_OR_UPDATE",
            "type": "organization",
            "attributes": {
                "name": "IDM-SM",
                "displayName": "IDM-SM",
                "type": "CONSUMER"
            }
        },
        {
            "operation": "UPDATE",
            "type": "samlConfiguration",
            "names": {
                "organizationName": "IDM-SM",
                "samlConfigurationName": "IdmDemoSamlConfiguration1"
            },
            "attributes": {
                "displayName": "IdmDemoSamlConfiguration1-XX"
            }
        },
        {
            "operation": "ADD",
            "type": "samlConfiguration",
            "names": {
                "organizationName": "IDM-SM"
            },
            "attributes": {
                "name": "IdmDemoSamlConfiguration1",
                "displayName": "IdmDemoSamlConfiguration1",
                "entityUrl": "https://adfsserverhost.adfs.com/federationmetadata/2007-06/federationmetadata.xml",
                "roleName": "SamlRole",
                "attrName": "SamlAttr"
            }
        },
        {
            "operation": "ADD_OR_UPDATE",
            "type": "organizationMetadata",
            "names": {
                "organizationName": "IDM-SM"
            },
            "attributes": {
                "key": "idm.auth.flow",
                "value": "seeded,database_user,ldap,ad,jaas,saml"
            }
        }
    ]
    
    • Specify the same organization name for both the name attribute in the ADD_OR_UPDATE operation and the organizationName attribute in the ADD operation.
    • For the ADD_OR_UPDATE operation, the name and displayName attributes are mandatory.
    • For the ADD operation, the organizationName, name, and displayName attributes are mandatory. The name attribute serves as the unique key for your SAML configuration.
    • The federation metadata URL of ADFS uses this format: https://<ADFS host>/federationmetadata/2007-06/federationmetadata.xml
    • You must include "idmTransportUser" in the seeded file because it is used for the IdM client integration, and make sure that the value of "idm.auth.flow" includes "saml".

    Note that when the IdM service is started, the content of the .json file is loaded into IdM. Once the tenant has been created, you cannot change the organization name (the name and organizationName attributes) without creating a new tenant. However, you can update the entityUrl attribute of the existing tenant. Make sure the content of the updated .json file resembles the following example:

    [
        {
            "operation": "ADD_OR_UPDATE",
            "type": "organization",
            "attributes": {
                "name": "IDM-SM"
            }
        },
        {
            "operation": "UPDATE",
            "type": "samlConfiguration",
            "names": {
                "organizationName": "IDM-SM",
                "samlConfigurationName": "IdmSamlConfiguration2"
            },
            "attributes": {
                "displayName": "IdmDemoSamlConfiguration2",
                "entityUrl": "https://mynewhost/federationmetadata/2007-06/federationmetadata.xml"
            }
        }
    ]


Caution After making any updates to the .json file, you must do the following:

  1. Rename the file to increase its version number. For example, rename it from com.hpe.tenant1__1.3.2.1__Add_Update_Saml_Configuration.json to com.hpe.tenant1__1.3.2.2__Add_Update_Saml_Configuration.json. If you do not increase the version number, when the IdM service is restarted, the updated content will not be loaded and hence your changes will not take effect.
  2. Restart the IdM service for the changes to take effect.
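The following script is an added example, not part of the IdM product or this guide. It applies the rules listed under step 4 to a parsed seed file (generalizing the organization-name rule to every entry that names an organization, not only the ADD operation) and performs the version-number rename from the Caution above. The function names and regular expressions are this example's own; the ADFS URL shape and the file-name pattern come from this page.

```python
import re

# Shape of the ADFS federation metadata URL given on this page.
METADATA_URL_RE = re.compile(
    r"^https://[^/]+/federationmetadata/2007-06/federationmetadata\.xml$")
# com.hpe.tenant1__1.3.2.1__Add_Update_Saml_Configuration.json -> (prefix, version, suffix)
SEED_NAME_RE = re.compile(r"^(.+__)(\d+(?:\.\d+)*)(__.+\.json)$")


def validate_seed(entries):
    """Return a list of rule violations found in the parsed seed entries (empty if clean)."""
    problems = []
    # Tenants defined in this file; every other entry must reference one of them.
    orgs = {e.get("attributes", {}).get("name") for e in entries
            if e.get("type") == "organization"}
    for i, e in enumerate(entries):
        op, kind = e.get("operation"), e.get("type")
        attrs, names = e.get("attributes", {}), e.get("names", {})
        if kind == "organization":
            for key in ("name", "displayName"):  # mandatory for ADD_OR_UPDATE
                if not str(attrs.get(key, "")).strip():
                    problems.append(f"entry {i}: organization missing '{key}'")
        elif names.get("organizationName") not in orgs:
            problems.append(f"entry {i}: organizationName does not match a seeded tenant")
        if kind == "samlConfiguration" and op == "ADD":
            for key in ("name", "displayName"):  # name is the unique key of the config
                if not attrs.get(key):
                    problems.append(f"entry {i}: samlConfiguration ADD missing '{key}'")
        if kind == "samlConfiguration" and "entityUrl" in attrs \
                and not METADATA_URL_RE.match(attrs["entityUrl"]):
            problems.append(f"entry {i}: entityUrl is not an ADFS federation metadata URL")
        if kind == "organizationMetadata" and attrs.get("key") == "idm.auth.flow":
            flow = [v.strip() for v in str(attrs.get("value", "")).split(",")]
            if "saml" not in flow:
                problems.append(f"entry {i}: idm.auth.flow does not include 'saml'")
    return problems


def bump_seed_version(filename):
    """Return the file name with its last version component incremented,
    which is what makes IdM reload the file on the next restart."""
    m = SEED_NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a versioned seed file name: {filename}")
    parts = m.group(2).split(".")
    parts[-1] = str(int(parts[-1]) + 1)
    return m.group(1) + ".".join(parts) + m.group(3)
```

Load the seed file with json.load, pass the resulting list to validate_seed, and rename the file to the value bump_seed_version returns before restarting the service.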

Note After you have completed the IdM service deployment and setup, you will also need to specify the same tenant on the Service Manager side. For details, search for SAML Single Sign-On setup in the Service Manager Help Center.

Next, you need to create a database and configure the database connection for the IdM service.