Home‎ > ‎SSO Single Sign-On‎ > ‎

Adapting existing system to connect to OpenAM via SAML using OneLogin developed client

This guide shows how to adapt existing institutional systems to a SAML federated environment. The access management solution used on this example is OpenAM. OpenAM uses SAML as default authentication protocol.

Please replace every openam.sso.appsedudemo.com with OpenAM domain and sso.appsedudemo.com with your domain where your application is installed.


  • Java web server (i.e. Tomcat)

  • OpenAM

  • Google Apps domain

  • Web server (i.e. Apache)


  • If you don´t have OpenAM installed please follow the Installing OpenAM guide.
  • Copy to your web server folder the OneLogin SAML Toolkit as described on this page Adapting existing systems to a SAML federation developing a client using OneLogin SAML toolkit
  • Extract the private key and public certificate from the OpenAM keystore, located at /var/lib/tomcat7/conf/keystore you can follow this guide (default alias: test, default password: changeit). Copy the fingerprint, it will be used on the settings file.
  • Go to demo folder and change on settings file the following values with your OpenAM server values.
  • Settings demo:

    $spBaseUrl = 'http://sso.appsedudemo.com/php-saml'; //or http://<your_domain>

    $settingsInfo = array (
        'debug' => true,
        'strict' => false,
        'sp' => array (
            'entityId' => $spBaseUrl.'/demo1/metadata.php',
            'assertionConsumerService' => array (
                'url' => $spBaseUrl.'/demo1/index.php?acs',
            'singleLogoutService' => array (
                'url' => $spBaseUrl.'/demo1/index.php?sls',
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'idp' => array (
            'entityId' => 'http://openam.sso.appsedudemo.com:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=http://openam.sso.appsedudemo.com:8080/openam&realm=/sp-google-idp-ldap',
            'singleSignOnService' => array (
                'url' => 'http://openam.sso.appsedudemo.com:8080/openam/SSORedirect/metaAlias/sp-google-idp-ldap/idp',
            'singleLogoutService' => array (
                'url' => 'http://openam.sso.appsedudemo.com:8080/openam/UI/Logout?goto=http://openam.sso.appsedudemo.com:8080/openam/UI/Login?realm=sp-google-idp-ldap',
            'certFingerprint' => 'DE:F1:8D:BE:D5:47:CD:F3:D5:2B:62:7F:41:63:7C:44:30:45:FE:33',

  • After extracting the key and certificate (private and public) copy to your web server directory on /php-saml/certs as sp.key and sp.crt .
  • On OpenAM admin console Register a Remote Service Provider
  • On metadata URL write the metadata file URL like this http://sso.appsedudemo.com/php-saml/demo1/metadata.php
  • Write a Circle of trust name
  • Indicate which fields will be synced when users log in (example mail mail, uid uid)
  • The configuration si Done, now you can test running the following URL http://sso.appsedudemo.com/php-saml/demo1/