2.4.2. eXo Platform as SAML2 IDP

Warning

You are looking at documentation for an older release. Not what you want? See the current release documentation.

In JBoss only

  1. Install the SAML2 add-on in the eXo Platform package that this section refers to as $PLATFORM_IDP, as in Step 1 of eXo Platform as SAML2 SP.

  2. Edit the file $PLATFORM_IDP/standalone/configuration/gatein/exo.properties (for JBoss) or $PLATFORM_IDP/gatein/conf/exo.properties (for Tomcat) so that it contains the following SSO configuration (see Configuration overview for details):

    # SSO
    gatein.sso.enabled=false
    gatein.sso.valve.enabled=true
    gatein.sso.valve.class=org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve
    gatein.sso.saml.config.file=${exo.conf.dir}/saml2/picketlink-idp.xml
    gatein.sso.idp.url=http://www.idp.com:8080/portal/dologin
    gatein.sso.idp.listener.enabled=true
    gatein.sso.sp.domains=sp.com
    gatein.sso.sp.host=www.sp.com
    # WARNING: This bundled keystore is only for testing purposes. You should generate and use your own keystore in production!
    gatein.sso.picketlink.keystore=${exo.conf.dir}/saml2/jbid_test_keystore.jks

    Here, gatein.sso.sp.domains is a comma-separated list of domains that this IDP will trust, and gatein.sso.sp.host accepts a single SP host. If you have more SP applications, you need to edit the file $PLATFORM_IDP/standalone/configuration/gatein/saml2/picketlink-idp.xml (for JBoss) or $PLATFORM_IDP/gatein/conf/saml2/picketlink-idp.xml (for Tomcat) by hand and add a ValidatingAlias element for each of them. The Key is the SP host and the Value is the alias of the certificate in the IDP keystore that validates that SP's signatures (servercert in the bundled test keystore), so every host you add here must belong to one of the trusted domains and must have a matching certificate in your keystore:

    <ValidatingAlias Key="${gatein.sso.sp.host}" Value="servercert"/>
    <ValidatingAlias Key="your.host.x" Value="servercert"/>
    <ValidatingAlias Key="your.host.y" Value="servercert"/>

    You also need to install your own keystore as instructed in Generating and using your own keystore.
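The three settings above that matter most for the IDP's security (the keystore, the IDP URL and the set of SP hosts the IDP will validate) are easy to leave in their sample state. The following audit script is an example added to this page, not part of eXo Platform or the add-on: it reads an exo.properties and a picketlink-idp.xml, expands ${...} placeholders, and reports when the bundled test keystore is still configured, when gatein.sso.idp.url is not https, when gatein.sso.sp.host has no ValidatingAlias, and when a ValidatingAlias names a host outside gatein.sso.sp.domains. The file contents embedded below are constructed samples; the XML is abridged to the KeyProvider part, and its namespace, the KeyProvider element and the hardened values (idp-prod.jks, port 8443) are assumptions, not taken from the page.

```python
"""Audit the SAML2 IDP settings this page describes (keystore, IDP URL,
ValidatingAlias entries). Added example, not eXo Platform code."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of exo.properties as shown on this page: still on the
# bundled test keystore and a plain-http IDP URL, so the audit must complain.
EXO_PROPERTIES = """\
# SSO
gatein.sso.enabled=false
gatein.sso.valve.enabled=true
gatein.sso.valve.class=org.gatein.sso.saml.plugin.valve.PortalIDPWebBrowserSSOValve
gatein.sso.saml.config.file=${exo.conf.dir}/saml2/picketlink-idp.xml
gatein.sso.idp.url=http://www.idp.com:8080/portal/dologin
gatein.sso.idp.listener.enabled=true
gatein.sso.sp.domains=sp.com
gatein.sso.sp.host=www.sp.com
gatein.sso.picketlink.keystore=${exo.conf.dir}/saml2/jbid_test_keystore.jks
"""

# Constructed, abridged picketlink-idp.xml. Only the ValidatingAlias elements are
# taken from the page; the namespace and KeyProvider wrapper are assumptions.
# The third alias names a host outside the trusted domain on purpose.
PICKETLINK_IDP_XML = """\
<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
  <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <ValidatingAlias Key="${gatein.sso.sp.host}" Value="servercert"/>
    <ValidatingAlias Key="portal.sp.com" Value="servercert"/>
    <ValidatingAlias Key="intranet.other-company.org" Value="servercert"/>
  </KeyProvider>
</PicketLinkIDP>
"""

# Hardened variants of the same files (values assumed for illustration):
# own keystore, https IDP URL, and no alias outside the trusted domains.
HARDENED_PROPERTIES = (EXO_PROPERTIES
    .replace("http://www.idp.com:8080", "https://www.idp.com:8443")
    .replace("jbid_test_keystore.jks", "idp-prod.jks"))
HARDENED_XML = PICKETLINK_IDP_XML.replace(
    '    <ValidatingAlias Key="intranet.other-company.org" Value="servercert"/>\n', "")

TEST_KEYSTORE = "jbid_test_keystore.jks"
_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def resolve(value, props):
    """Expand ${prop} placeholders from the properties file; unknown ones stay as-is."""
    return _PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def validating_aliases(xml_text, props):
    """Return {sp_host: keystore_alias} for every ValidatingAlias, placeholders expanded."""
    root = ET.fromstring(xml_text)
    aliases = {}
    for el in root.iter():
        if el.tag.split("}")[-1] == "ValidatingAlias":  # namespace-agnostic match
            aliases[resolve(el.get("Key", ""), props)] = el.get("Value", "")
    return aliases


def host_in_domains(host, domains):
    """True if host equals a trusted domain or is a subdomain of one (not a suffix match)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_idp_config(props_text, xml_text):
    """Return a list of findings; an empty list means every check on this page passes."""
    props = parse_properties(props_text)
    findings = []
    keystore = resolve(props.get("gatein.sso.picketlink.keystore", ""), props)
    if not keystore or keystore.endswith(TEST_KEYSTORE):
        findings.append("bundled test keystore in use; generate and configure your own keystore")
    idp_url = props.get("gatein.sso.idp.url", "")
    if urlparse(idp_url).scheme != "https":
        findings.append("gatein.sso.idp.url is not https: %s" % idp_url)
    domains = [d.strip() for d in props.get("gatein.sso.sp.domains", "").split(",") if d.strip()]
    sp_host = props.get("gatein.sso.sp.host", "")
    aliases = validating_aliases(xml_text, props)
    if sp_host and sp_host not in aliases:
        findings.append("no ValidatingAlias for gatein.sso.sp.host %s" % sp_host)
    for host in aliases:
        if not host_in_domains(host, domains):
            findings.append("ValidatingAlias for %s is outside gatein.sso.sp.domains %s" % (host, domains))
    return findings


if __name__ == "__main__":
    for label, p, x in (("sample", EXO_PROPERTIES, PICKETLINK_IDP_XML),
                        ("hardened", HARDENED_PROPERTIES, HARDENED_XML)):
        print(label, "findings:", audit_idp_config(p, x) or "none")
```

Run it against the real files by reading them into audit_idp_config instead of the embedded samples; the page's own configuration produces three findings (test keystore, http IDP URL, alias outside the trusted domains), and the hardened variant produces none. host_in_domains deliberately requires a dot boundary so that a host such as evilsp.com is not accepted as part of sp.com.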

Copyright ©. All rights reserved. eXo Platform SAS