- Log in to your OpenAM account.
- Set up a hosted Service Provider with the following settings:
  - Metadata – not required if you have no metadata for the providers
  - Metadata name – must be unique
  - Circle of trust – the circle of trust to which M-Pin SSO will belong as an IdP; choose an existing circle of trust or create a new one
  - Attribute mapping – enabled
- Set up a remote Identity Provider with the following settings:
  - SAML2 Identity Provider metadata file – found under Global Settings > SAML Metadata
  - Auto Federation – enabled
  - Account mapper – configured to use the Name ID as the User ID
  - Attribute Map – email=UID
  - Auto Federation Attribute – email
  - (Optional) SSO redirect URL – the URL to which users are redirected after a successful SSO login
- Download the SAML metadata file for the Service Provider created above. For details on how to configure these settings and download the metadata file, refer to the OpenAM user documentation.
In the M-Pin SSO web console:
- Under Integration, click the + button next to OpenAM profiles. The Add OpenAM profile page is displayed.
- Complete the required fields and save the profile. Settings:
  - Name (required) – name of the profile, e.g. Sample OpenAM Profile
  - LDAP Profile – if you have any LDAP profiles configured, they are available in this drop-down
  - Recipient URL – the IAM client application endpoint to which the M-Pin SSO SAML response is returned
  - Metadata (required) – the SAML metadata file of the Service Provider configured in your OpenAM account
After saving, the profile is displayed on the OpenAM profiles page.
From this point on, when your users visit the OpenAM service and enter an email address belonging to the profile just set up, OpenAM will detect that single sign-on is enabled and a password will no longer be necessary.
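The Recipient URL entered in the profile must match the endpoint the Service Provider advertises in the metadata file you downloaded from OpenAM. The following added example (not part of the M-Pin SSO or OpenAM documentation) reads an SP metadata file, pulls out the entityID and the HTTP-POST AssertionConsumerService location, and rejects a non-HTTPS endpoint; the sample metadata and the openam.example.com hostname are constructed placeholders.

```python
# Added example: extract the values needed for the "Add OpenAM profile"
# form from OpenAM service-provider metadata and sanity-check the endpoint.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; entityID and hostname are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://openam.example.com/openam/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://openam.example.com/openam/Consumer/metaAlias/sp"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://openam.example.com/openam/Consumer/metaAlias/sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the entityID, the HTTP-POST ACS location (the Recipient URL)
    and whether the SP demands signed assertions."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor (not an SP)")
    # M-Pin SSO returns the SAML response by HTTP-POST, so use that binding.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    recipient = acs[0].get("Location", "")
    # The response carries the user's identity; never post it over plain HTTP.
    if not recipient.startswith("https://"):
        raise ValueError(f"Recipient URL is not HTTPS: {recipient}")
    return {
        "entity_id": root.get("entityID"),
        "recipient_url": recipient,
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }
```

Run it against the metadata file you downloaded from OpenAM and paste `recipient_url` into the Recipient URL field so the two cannot drift apart.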