Configure UI connection

Use the Configure UI connection page to specify how browsers can connect to the Activator user interface. Browser connections can be via HTTP, HTTPS or both. You can also work on this page to set up Single Sign On (SSO) and Single Log-off (SLO) user browser connections.

To open the Configure UI connection page, go to the System management page and click the Configure UI connection link in the Related tasks list.

HTTP UI connections are typically made through port 6080. HTTPS connections are typically made using port 6443. You can modify the ports required for both HTTP and HTTPS access.

If you select to use HTTPS, you must add a server certificate as described in the procedure below. You have options to:

  • Use a self-signed or CA certificate
  • Import a certificate and private key from a file
  • Retrieve a certificate from a certificate authority

This certificate secures the connection between browsers and the server. If you select HTTPS and require client authentication, you must add the client's trusted root certificate.


Configure HTTPS

Use this procedure to configure the server for browser log on to the user interface via HTTPS.

  1. Click System management on the toolbar to open the System management page.
  2. Click the task Configure UI connection near the bottom of the page to open the Configure UI connection page.
  3. When you open this page for the first time, connection via HTTP is configured by default. You can accept the default or add the configuration for connecting via HTTPS. You cannot disable connections via HTTP until you have configured HTTPS. Once HTTPS has been configured, you can return to this page and select to have browsers connect via HTTP or HTTPS, or both.
  4. On the General tab, select UI connections made via HTTPS. Port 6443 is displayed by default, however you can change the number as your situation requires.
  5. Optionally, select the Override SSL and TLS cipher suites option for overriding a cipher suite.
  6. If you select this option, use the Add and Remove buttons to specify the cipher suites that are supported for the embedded server. If none are selected, all cipher suites are supported by default. The default is less secure than specifying only certain cipher suites.
  7. The default order in the Available column is the preferred order of use. Once ciphers are moved to the Selected column, you can arrange the order. Activator uses the ciphers in the order they are listed.
  8. Of the many algorithms for encrypting data and computing the message authentication code, there are varying levels of security. Some provide the highest levels of security, but require a large amount of computation for encryption and decryption. Others are less secure, but provide rapid encryption and decryption. The length of the key used for encryption affects the level of security. The longer the key, the more secure the data.
  9. The option for overriding cipher suites enables you to select the level of security that suits your needs and enables communicating with others who might have different security requirements. For example, when an SSL connection is established, the client and server exchange information about the cipher suites they have in common. Then they communicate using the common cipher suite that offers the highest level of security. If they do not have a cipher suite in common, secure communication is not possible.
  10. In versions of Activator earlier than 5.9, cipher suite configuration was handled by a file named sslciphersuites.xml. As data in that file is saved in the database, the custom cipher suite configuration is retained upon upgrading and is displayed in the Selected list under the check box in the user interface. The sslciphersuites.xml file is no longer used.
Note: Changes to this configuration apply globally to all users who log in via HTTPS.
  11. Click Save.
  12. Select the Personal certificates tab and click Add a certificate to open the certificate wizard.
  13. You can add a self-signed or a CA certificate. The certificate has a public-private key pair. The certificate is used to secure connections between browsers and the server.
  14. If you choose to add a self-signed certificate, you can accept all default values in the certificate wizard.
  15. The steps for adding a server certificate are the same as adding a certificate for a community. See Add a certificate for more information.
  16. After you add a certificate, the General tab displays again.
  17. Select the Personal certificates tab again. The certificate you added in an earlier step is listed. You can click the certificate’s name to display details.
  18. If there is more than one certificate, select the certificate you want as the default and click Save.
  19. On the General tab, check again that UI connections made via HTTPS is selected.
  20. If you are configuring HTTPS and selected Require client authentication, select the Trusted roots certificates tab and add a trusted root certificate.
  21. With this option, the server requires the user's browser to send a certificate back to the HTTPS server. The HTTPS server must trust the certificate returned by the browser client. If a browser user has a CA-issued certificate for authentication, you must at least trust the root CA certificates. If a browser user has a self-signed certificate, the user must export the certificate and public key to a file and give you the file. You then must import the certificate file.
  22. If you are configuring SSO single logout (SLO) using HTTP-POST binding, select the option: UI connections via SSO with SAML HTTP POST Binding over HTTPS, and select the port you use. By default this option uses the same port as the HTTPS port.
  23. If you want to specifically determine which cipher suites are supported for HTTPS UI connections to this Activator server, select Override SSL and TLS cipher suites, and then use the Add and Remove buttons to specify the cipher suites that can be used.
  24. If you do not select this option, all cipher suites are supported by default for this connection.
  25. Keeping the default cipher list is less secure than specifying a restricted set of cipher suites.
  26. The default order in the "Available" column is the preferred order of use. Once ciphers are moved to the "Selected" column, you can arrange the order. Activator uses the ciphers in the order listed.
  27. To complete the configuration you must do one of the following:
    • Restart the server.
    • Restart all nodes and the user interface. Go to the System management page and click Stop all nodes. On the Stop all nodes page, click Restart all nodes and Yes, include the user interface. Click Stop/restart. Note that restarting the user interface ends your browser session.
  28. Inform users of the URL needed to connect from a browser to the user interface. If you use the suggested port of 6443, the URL is:
    https://<host>:6443/ui
    where <host> is the fully-qualified domain name or IP address of the computer running the server.
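The cipher-suite behaviour described in the procedure above (the Selected column order is the order of use, the client and server settle on a suite they have in common, and no common suite means no secure connection) can be checked outside the UI. The following Python script is an added example and is not Activator code: the suite names and the client's offered list are constructed, and the OpenSSL cipher string in restricted_context is one restrictive choice used for illustration, not Activator's default.

```python
"""Added example (not Activator code): server-preference cipher negotiation
and a check of a restricted OpenSSL cipher string on the local OpenSSL build."""
import ssl

# Constructed lists. SERVER_SELECTED plays the role of the "Selected" column,
# listed in the order the server will use it.
SERVER_SELECTED = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
CLIENT_OFFER = [
    "AES128-SHA",                     # the client lists a legacy suite first
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


def negotiate(server_selected, client_offer):
    """Server-preference negotiation: the first suite in the server's ordered
    list that the client also offers is used. None means the two sides have
    no suite in common, so no secure connection is possible."""
    offered = set(client_offer)
    for suite in server_selected:
        if suite in offered:
            return suite
    return None


def restricted_context(cipher_string="ECDHE+AESGCM:!aNULL:!MD5:!RC4"):
    """Server-side TLS context limited to an OpenSSL cipher string
    (constructed here; this is not Activator's default list)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx


def tls12_suites(ctx):
    """Names of the TLS 1.2 suites the context will actually accept
    (TLS 1.3 suites are fixed by the protocol and listed separately)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def weak_suites(names):
    """Suites a reviewer would flag if they remain in an Available/Selected list."""
    markers = ("NULL", "RC4", "MD5", "DES", "EXPORT", "anon")
    return [n for n in names if any(m in n for m in markers)]


if __name__ == "__main__":
    print("negotiated:", negotiate(SERVER_SELECTED, CLIENT_OFFER))
    print("no common suite:", negotiate(SERVER_SELECTED, ["AES128-SHA"]))
    default_names = tls12_suites(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    print("default TLS 1.2 suites:", len(default_names), "flagged:", weak_suites(default_names))
    print("restricted TLS 1.2 suites:", tls12_suites(restricted_context()))
```

Note that the client's own preference (AES128-SHA first) does not matter in the negotiate function: with server preference, the order of the Selected column decides, which is why that order is worth arranging deliberately.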

Switch between HTTP and HTTPS

Once connections via HTTPS have been configured, you can return to the UI configuration page and select to allow browser connections via HTTP or HTTPS, or both.

If you change the configuration, click Save. You also must do one of the following:

  • Restart the server.
  • Restart all nodes and the user interface. Go to the System management page and click Stop all nodes. On the Stop all nodes page, click Restart all nodes and Yes, include the user interface. Click Stop/restart. Note that restarting the user interface ends your browser session.

Configure SSO SAML

For general information about the SSO functionality, see Single Sign-On. The SSO connection is always secured (HTTPS). The cipher settings that are configured for HTTPS apply when a user attempts to connect via the SSO port. See Configure HTTPS.

SSO SAML configuration prerequisites

General prerequisite:

  • A SAML Identity Provider (IdP) must be installed and running on your network.

To complete the configuration of the Identity Provider application:

  • The public certificate from the Service Provider (Activator) for validating the signature of the SAML Requests. This is the certificate that has been added in the Personal certificates tab of the Configure UI connection page and has been selected as the signing certificate in the SSO SAML Configuration Details page.
  • The Activator assertion consumer URL:
    https://<interchange>/ui/core/SsoSamlAssertionConsumer
  • The Interchange Metadata URL (optional). This URL is useful if the Identity Provider implements the usage of Metadata Profiles:
    https://<interchange>/ui/core/SamlSsoMetadata
  • The Interchange Logout Service endpoint URL (optional). Required only if SLO is supported and implemented by the IdP:
    https://<interchange>/ui/core/SsoSamlLogoutRequest

To configure Activator:

  • A private certificate to decrypt assertions from the IdP.
  • The public certificate from the IdP for validating the signature of the SAML Response and/or the signature of the assertions.
  • The HTTP POST SSO Binding URL to the IdP.
  • The signing algorithm the IdP will use (SHA1 or SHA256).

To configure Single Log Out (SP or IdP initiated) in Activator, you will need to provide the following IdP URLs:

  • HTTP Redirect Binding Single Logout Service endpoint URL (SP-initiated logout)
  • HTTP Redirect Single Logout Service Response endpoint URL (IdP-initiated logout)
  • HTTP POST Binding Single Logout Service endpoint URL (SP-initiated logout)
  • HTTP POST Single Logout Service endpoint Response URL (IdP-initiated logout)
  • Logout redirect URL. Users are directed to this URL after initiating the logout.

For more information on HTTP-Redirect and HTTP-POST binding configuration, see SSO SAML configuration fields and options.

To enable the SSO SAML connection in Activator

  1. Make sure that HTTPS is enabled. See Configure HTTPS.
  2. Select the option UI connections via SSO with SAML HTTP POST Binding over HTTPS.
  3. Accept the default HTTPS SAML Port (6643) or enter an alternative port number.
  4. Click SAML Configuration to open the SSO SAML configuration details page.
  5. Complete the tabs and fields, described below.
  6. Click Save.
  7. Restart Activator.

SSO SAML configuration fields and options

The SSO SAML configuration details page displays the following tabs, fields, and options.

General Configuration tab

Identity Provider section

  • Identity provider HTTP POST URL – The URL for sending identification requests to the IdP.
  • Single logout service – (Optional) Single logout provides for the simultaneous termination of all user sessions for the browser that initiated the logout. Closing all user sessions prevents unauthorized users from gaining access to resources at the SPs. Activator supports both HTTP-Redirect and HTTP-POST binding for single logout.
    • Location (HTTP-Redirect) – B2Bi does not currently support SP-initiated logout with Redirect binding. This functionality is scheduled for addition to a future release.
    • Response location (HTTP-Redirect) – Specify the IdP’s Single Logout Service endpoint URL. This is the URL where the IdP receives the LogoutResponse in the case of an IdP-initiated logout with HTTP-Redirect binding.
    • Location (HTTP-POST) – Specify the IdP’s Single Logout Service endpoint URL. This is the URL for sending LogoutRequests in the case of an SP-initiated logout with HTTP POST binding.
    • Response location (HTTP-POST) – Specify the IdP’s Single Logout Service endpoint URL. This is the URL where the IdP receives the LogoutResponse in the case of an IdP-initiated logout with HTTP POST binding.
  • Identity provider certificate – Specify the public certificate from the IdP used to validate the signature of the SAML Response and/or the signature of the assertions. Items in the drop-down list are the certificates previously added to the Identity Provider certificates tab of the CnHttpsSamlSsoServer embedded server definition.

Service Provider section

  • Service provider – Activator ID for communications with the IdP.
  • Metadata URL – (Read only) The URL that is displayed in this field exposes the following Activator configuration settings. You can use the metadata configuration information to provision the IdP environment to provide Single Logout Service:
    • SSO Service Provider certificate used by Activator to sign log-off requests and responses to the IdP.
    • Single Logout Service for HTTP-POST binding, where the IdP sends the LogoutRequest and LogoutResponse to Activator.
    • Single Logout Service for HTTP-Redirect binding, where the IdP sends the LogoutRequest and LogoutResponse to Activator.
    • Assertion Consumer Service HTTP-POST binding for the Activator endpoint that consumes assertions.
    • Assertion Consuming Service requested attribute names.
  • Assertion Consumer Service – The Activator endpoint URL for consuming assertions.
  • Single logout service
    • Location (HTTP-Redirect/HTTP-POST) – (Read-only) This field displays the Activator Single Logout Service endpoint. This is where the IdP sends the LogoutRequest to Activator.
    • Response location (HTTP-Redirect/HTTP-POST) – (Read-only) This field displays the SP’s Single Logout Service endpoint. This is where the IdP sends the LogoutResponse to Interchange.
  • Logout redirect URL – The URL of the IdP logout page.
  • Service provider certificate – Activator certificate (select from drop-down list). Activator uses this certificate to sign the authentication requests sent to the Identity Provider. The drop-down list displays certificates that have been previously added to the "personal certificates" in the CnHttpsSamlSsoServer embedded server definition.
  • Sign requests sent to Identity Provider – Select this option if the IdP requires signing of authentication requests. When you select this option you must also select the signing algorithm from the list of available algorithms. Options are SHA1 or SHA256.
  • Reject responses with assertions that are not encrypted – Select this option to require encryption of responses from the IdP.

User Attributes tab

Use the radio buttons on this tab to define how Activator obtains user attributes from the Identity Provider. Activator compares the values that it retrieves to its defined users.

Select an assertion option for each of the following user attributes:

  • User ID
  • Username
  • Useremail

The assertion options are for these user attributes:

  • Assertion from subject identifier
  • Assertion from assertion attribute

Activator receives the SAML assertion from the Identity Provider, and the Service Provider reads the user identifier either from the assertion's subject identifier or from the assertion attribute you specify here.

Roles Mapping tab

Every attribute has its own unique representation in a SAML attribute assertion, to ensure that there are no misinterpretations or communication failures. SAML exchanges rely on consistent attribute naming to deliver information about users in a mutually understood way between the IdP and the SP.

Use the mapping wizard, available on this tab, to map predefined Activator roles to the roles defined in the Identity Provider. This is how you align the roles and permissions that you create in Activator with the SAML assertion attributes.

Procedure:

  1. On the Roles Mapping tab, click Add a new role mapping to open the Map SSO roles wizard.
  2. Complete the fields:
    • Role name – From the drop-down list, select the name of the Activator role you want to map to a SAML assertion attribute.
    • SAML Assertion attribute – Complete the fields to fully identify the assertion attribute to be mapped to the selected Activator role:
      • Name
      • Friendly name
      • Value
  3. Click Finish.
  4. Repeat the steps for each role you want to map.
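The checks a Service Provider makes on an incoming SAML Response before it trusts the assertion (Destination equals the assertion consumer URL, InResponseTo matches a request it issued, the assertion's validity window and audience restriction, and the Reject responses with assertions that are not encrypted option), together with the User Attributes and Roles Mapping behaviour described above (user identifier from the subject identifier or from an attribute; Name/Friendly name/Value mapped to a role), as one added Python example. This is not Activator code: the sample response, hostnames, entity IDs, attribute names and role mappings are constructed, and IdP signature verification and assertion decryption, which the real SP performs before any of these checks, are outside the example.

```python
"""Added example (not Activator code): defender-side checks on a SAML Response,
user-attribute extraction, and SAML attribute -> role mapping. Signature
verification and decryption are assumed to have happened already."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response; hostnames, IDs and attribute names are placeholders.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    Destination="https://activator.example.test/ui/core/SsoSamlAssertionConsumer"
    InResponseTo="_req123" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>activator-sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups" FriendlyName="groups">
        <saml:AttributeValue>b2b-operators</saml:AttributeValue>
        <saml:AttributeValue>b2b-readonly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed role mappings in the shape of the Map SSO roles wizard fields.
ROLE_MAPPINGS = [
    {"role": "Administrator", "name": "groups", "friendly_name": "groups", "value": "b2b-admins"},
    {"role": "Operator", "name": "groups", "friendly_name": "groups", "value": "b2b-operators"},
]


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_bytes, expected_acs, expected_audience, request_id, now,
                   require_encrypted=False):
    """Return a list of problems; an empty list means the response passed these checks.
    `now` is a UTC timestamp string in the same format as the assertion."""
    problems = []
    root = ET.fromstring(xml_bytes)
    if root.get("Destination") != expected_acs:
        problems.append("Destination does not match the assertion consumer URL")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    if require_encrypted and root.find("saml:EncryptedAssertion", NS) is None:
        problems.append("assertion is not encrypted but encryption is required")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext assertion to evaluate"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience restriction does not name this service provider")
    return problems


def subject_id(xml_bytes):
    """User identifier taken from the assertion subject identifier (NameID)."""
    return ET.fromstring(xml_bytes).findtext(
        "saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


def attributes(xml_bytes):
    """Attribute Name -> list of values from the AttributeStatement."""
    root = ET.fromstring(xml_bytes)
    out = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return out


def mapped_roles(xml_bytes, mappings):
    """Roles whose mapped attribute Name carries the mapped Value in the assertion."""
    attrs = attributes(xml_bytes)
    return [m["role"] for m in mappings if m["value"] in attrs.get(m["name"], [])]


if __name__ == "__main__":
    acs = "https://activator.example.test/ui/core/SsoSamlAssertionConsumer"
    print(check_response(SAMPLE_RESPONSE, acs, "activator-sp", "_req123", "2024-05-01T12:01:00Z"))
    print(subject_id(SAMPLE_RESPONSE), attributes(SAMPLE_RESPONSE)["mail"])
    print(mapped_roles(SAMPLE_RESPONSE, ROLE_MAPPINGS))
```

The audience and validity-window checks are what stop a response issued to another SP, or captured earlier, from being replayed against this endpoint; the encryption check corresponds to the Reject responses with assertions that are not encrypted option, which makes sense only once the SP holds the private key named under the prerequisites above.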

Manage IdP certificates

Use the Identity provider certificates tab of the Configure UI connection page to manage the certificates that Activator uses to sign the SAML messages that are sent from Activator to the IdP. On this tab, you can perform the following procedures:

  • Import an IdP certificate to use for signing the SAML messages sent to the IdP.
  • Remove IdP certificates, for example, if the certificate is not in use or is disabled.

Import an IdP certificate

Prerequisite:

You must first obtain the public certificate from the IdP for validating the signature of the SAML Response and/or the signature of the assertions.

Procedure:

  1. On the Configure UI connection page, select the Identity provider certificates tab.
  2. From the Related tasks list, click Add a certificate to open the Add a certificate wizard.
  3. On the Add a certificate page of the wizard, select Import a certificate from a file, and click Next.
  4. On the Locate the certificate file page of the wizard, enter the certificate file name and location (you can use the browse tool).
  5. Click Next to view the certificate details.
  6. Optionally enter a meaningful name in the certificate Name field. This name can help you tell one certificate from another.
  7. Click Finish to import the certificate.

Delete an IdP certificate

  1. On the Configure UI connection page, select the Identity provider certificates tab.
  2. From the list of certificates, on the line of the certificate you want to remove, click Delete.
