3.5.2. eXo Platform as SAML2 IDP

In JBoss only

  1. Install the SAML2 add-on in the eXo Platform package named $PLATFORM_IDP, as in Step 1 of eXo Platform as SAML2 SP.

  2. Edit the $PLATFORM_IDP/standalone/configuration/gatein/exo.properties file to have the following SSO configurations (see Configuration overview for details):

    # SSO
    gatein.sso.enabled=false
    gatein.sso.valve.enabled=true
    gatein.sso.valve.class=org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve
    gatein.sso.saml.config.file=/WEB-INF/conf/sso/saml/picketlink-idp.xml
    gatein.sso.idp.url=http://www.idp.com:8080/portal/dologin
    gatein.sso.idp.listener.enabled=true
    gatein.sso.sp.domains=sp.com
    gatein.sso.sp.host=www.sp.com
    # WARNING: This bundled keystore is only for testing purposes. You should generate and use your own keystore in production!
    gatein.sso.picketlink.keystore=/sso/saml/jbid_test_keystore.jks

    Here, gatein.sso.sp.domains is a comma-separated list of domains that this IDP will trust, while gatein.sso.sp.host accepts only a single value. If you want to serve more than one SP application, you need to manually edit the /WEB-INF/conf/sso/saml/picketlink-idp.xml file (inside standalone/deployments/platform.ear/exo.portal.web.portal.war) and add a ValidatingAlias element for each additional SP host:

    <ValidatingAlias Key="${gatein.sso.sp.host}" Value="servercert"/>
    <ValidatingAlias Key="your.host.x" Value="servercert"/>
    <ValidatingAlias Key="your.host.y" Value="servercert"/>

    You also need to install your own keystore as instructed in Generating and using your own keystore.
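    The two manual steps above (one ValidatingAlias per SP host, and replacing the bundled test keystore) are easy to miss. The following Python check is an added example, not part of eXo Platform or PicketLink; it reads the SSO properties, resolves ${...} placeholders in a constructed, simplified picketlink-idp.xml fragment, and reports any SP host without a ValidatingAlias or a keystore path still pointing at jbid_test_keystore.jks.

```python
"""Check a PicketLink IDP setup: every expected SP host needs a ValidatingAlias,
and the bundled test keystore must not be in use. All inputs are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the SSO section of exo.properties (not a real file).
EXO_PROPERTIES = """\
# SSO
gatein.sso.enabled=false
gatein.sso.valve.enabled=true
gatein.sso.sp.domains=sp.com,other.com
gatein.sso.sp.host=www.sp.com
gatein.sso.picketlink.keystore=/sso/saml/jbid_test_keystore.jks
"""

# Constructed, simplified fragment of picketlink-idp.xml; ${...} placeholders
# are kept as the file would contain them and resolved against the properties.
PICKETLINK_IDP_XML = """\
<PicketLinkIDP>
  <KeyProvider>
    <ValidatingAlias Key="${gatein.sso.sp.host}" Value="servercert"/>
    <ValidatingAlias Key="www.other.com" Value="servercert"/>
  </KeyProvider>
</PicketLinkIDP>
"""

BUNDLED_TEST_KEYSTORE = "jbid_test_keystore.jks"


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(value, props):
    """Replace ${name} with the property value; unknown names are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def validating_aliases(xml_text, props):
    """Map each resolved ValidatingAlias Key to its Value (keystore alias)."""
    root = ET.fromstring(xml_text)
    return {resolve(el.get("Key"), props): el.get("Value")
            for el in root.iter() if el.tag.endswith("ValidatingAlias")}


def check_idp_config(props_text, xml_text, expected_sp_hosts):
    """Return a list of findings; an empty list means the config passes."""
    props = parse_properties(props_text)
    aliases = validating_aliases(xml_text, props)
    findings = [f"no ValidatingAlias for SP host {h}"
                for h in expected_sp_hosts if h not in aliases]
    if props.get("gatein.sso.picketlink.keystore", "").endswith(BUNDLED_TEST_KEYSTORE):
        findings.append("bundled test keystore in use; install your own keystore")
    return findings
```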

Copyright ©. All rights reserved. eXo Platform SAS