In reading about SAML 2.0, I see SAML 2.0 federation does not require any sort of permanent or even persistent connection between accounts at the identity provider and the service provider. If however you do want to make permanent connections for a list of identity provider and service provider accounts, then the ssoadm bulk federation commands can help.
Before You Start
Before you can run the bulk federation commands, first establish the relationship between accounts, and also set up the providers including installation of the
Consider a case where the identity provider is at idp.example.org and the service provider is at sp.example.com. A demo user account has the Universal ID, id=demo,ou=user,dc=example,dc=org, on the identity provider. That maps to the Universal ID, id=demo,ou=user,dc=example,dc=com, on the service provider.
The ssoadm command then needs a file that maps local user IDs to remote user IDs, one per line, with the two IDs separated by the vertical bar character, |. Each line of the file looks like this:
local-user-id|remote-user-id
In this example, starting on the service provider side, the line for the demo user reads:
id=demo,ou=user,dc=example,dc=com|id=demo,ou=user,dc=example,dc=org
All the users’ accounts mapped in your file must exist at the identity provider and the service provider when you run the commands to link them.
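A malformed mapping line (a missing separator, an empty side, or the same local ID listed twice) is easier to catch before running ssoadm than to untangle afterwards. The following POSIX shell function is an added example, not part of the OpenAM documentation or the ssoadm tool; it checks a user ID mapping file against the one-pair-per-line, vertical-bar-separated format described above, and assumes Universal IDs are DN-style strings containing "=". The two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check a user ID mapping file before passing it to
# "ssoadm do-bulk-federation". Each line must be "local-uid|remote-uid" with
# exactly one "|", both sides non-empty and DN-like (containing "="), and no
# local ID may be mapped twice. Returns 0 if the file is clean, 1 otherwise.
validate_user_map() {
    file="$1"
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # skip blank lines and comment lines
        case "$line" in ''|'#'*) continue ;; esac
        # count separators by deleting every character except "|"
        seps=$(printf '%s' "$line" | tr -cd '|' | wc -c | tr -d ' ')
        if [ "$seps" -ne 1 ]; then
            echo "line $n: expected exactly one '|' separator" >&2
            bad=1; continue
        fi
        local_id=${line%%|*}
        remote_id=${line#*|}
        if [ -z "$local_id" ] || [ -z "$remote_id" ]; then
            echo "line $n: empty local or remote ID" >&2
            bad=1; continue
        fi
        # assumption: Universal IDs are DN-style, so each side contains "="
        case "$local_id$remote_id" in *=*) ;; *)
            echo "line $n: IDs do not look like DN-style Universal IDs" >&2
            bad=1; continue ;;
        esac
    done < "$file"
    # a local ID listed twice would make the link ambiguous
    dups=$(grep -v '^#' "$file" | grep '|' | cut -d'|' -f1 | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate local IDs: $dups" >&2
        bad=1
    fi
    return $bad
}

# Constructed sample files: one clean, one with a missing "|" and a duplicate.
GOOD_MAP=$(mktemp)
cat > "$GOOD_MAP" <<'EOF'
id=demo,ou=user,dc=example,dc=com|id=demo,ou=user,dc=example,dc=org
id=alice,ou=user,dc=example,dc=com|id=alice,ou=user,dc=example,dc=org
EOF
BAD_MAP=$(mktemp)
cat > "$BAD_MAP" <<'EOF'
id=demo,ou=user,dc=example,dc=com|id=demo,ou=user,dc=example,dc=org
id=bob,ou=user,dc=example,dc=com
id=demo,ou=user,dc=example,dc=com|id=demo2,ou=user,dc=example,dc=org
EOF
```

Run `validate_user_map /tmp/user-map.txt` on each provider's file before the do-bulk-federation step; a non-zero exit with the reported line numbers tells you what to fix.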
Linking Federated Accounts in Bulk
After everything is set up, you can link the accounts using the ssoadm bulk federation commands.
- Prepare the data with the ssoadm do-bulk-federation command.
This example starts on the service provider side.
    $ cat /tmp/user-map.txt
    id=demo,ou=user,dc=example,dc=com|id=demo,ou=user,dc=example,dc=org
    $ ssoadm do-bulk-federation --metaalias /sp \
     --remoteentityid http://idp.example.org:8080/openam \
     --useridmapping /tmp/user-map.txt \
     --nameidmapping /tmp/name-map.txt \
     --adminid amadmin --password-file /tmp/pwd.txt \
     --spec saml2
    Bulk Federation for this host was completed.
    To complete the federation, name Id mapping file should be loaded to remote provider.
- Copy the name ID mapping output file to the other provider.
    $ scp /tmp/name-map.txt idp.example.org:/tmp/name-map.txt
    firstname.lastname@example.org's password:
    name-map.txt                 100%  177     0.2KB/s   00:00
- Import the name ID mapping file with the ssoadm import-bulk-fed-data command.
In this example, this step takes place on the identity provider side.
    $ ssoadm import-bulk-fed-data \
     --adminid amadmin --password-file /tmp/pwd.txt \
     --metaalias /idp --bulk-data-file /tmp/name-map.txt
    Bulk Federation for this host was completed.
The accounts are now linked.