Configure the UI

Use the Configure UI connection page to:

  • Specify how browsers connect to the Axway Activator Server
  • Configure user Single Sign On (SSO) and Single Sign Off

Browser connections

Users connect to Activator with a browser. By default the connection uses HTTPS and is secured accordingly. Use the following address to access the Activator UI:
https://<hostname>:6443/ui

A self-signed certificate for the HTTPS UI server is generated at startup time. You should replace the self-signed certificate with a certificate issued by a CA.

Configure Single Sign On (SSO)

You can work on the Configure UI connection page to set up Single Sign On (SSO) and Single Log-off (SLO) for user browser connections.

Open the Configure UI connection page

To open the Configure UI connection page, go to the System management page and click the Configure UI connection link in the Related tasks list.

In Activator, HTTPS port 6443 is available by default. As an option, you can enable HTTP after logging into the Activator UI, from Configure UI connection > UI connections made via HTTP. See Configure HTTP.

HTTPS/HTTP connections

HTTPS connections are required if you are implementing Single Sign On (SSO).

HTTPS connections are typically made using port 6443 and are secured by default. You can modify the ports required for both HTTPS and HTTP access.

If you configure Activator UI access over HTTPS only, access to the HTTP port (default 6080) is forbidden for UI access.

When you use HTTPS, you must add a server certificate as described in the following procedures. You have options to:

  • Use the self-signed certificate configured by default, or replace it with a CA-issued certificate
  • Import a certificate and private key from a file
  • Retrieve a certificate from a certificate authority

This certificate secures the connection between browsers and the server. If you select HTTPS and also select the option Require client authentication, you must add the client's trusted root certificate.

Username and password handling

Activator user names are not encrypted. However, all user passwords are encrypted when they are stored to disk or a database.

The following Activator passwords are encrypted when stored to disk or a database. During the UI connection authentication phase, these passwords are exchanged over the network over an encrypted communications channel:

  • All user passwords

Configure HTTP

To enable the browser to log on using HTTP, use the following procedure:

  1. Click System management on the toolbar to open the System management page.
  2. Click the task Configure UI connection near the bottom of the page to open the Configure UI connection page.
     When you open this page for the first time, the secure connection via HTTPS is configured by default. You can accept the default or add the configuration for connecting via HTTP. You cannot disable connections via HTTPS until you have configured HTTP. After HTTP has been configured, you can return to this page.
  3. On the General tab, select UI connections made via HTTP. Port 6080 is displayed by default; however, you can change the number as your situation requires.
  4. Click Save.
  5. Restart the server to complete the configuration.
  6. Inform users of the URL needed to connect from a browser to the user interface. If you use the suggested port of 6080, the URL is:
     http://<host>:6080/ui
     Where <host> is the fully-qualified domain name or IP address of the computer running the server.

Configure HTTPS

Use this procedure to configure the server so browsers can log on to the user interface via HTTPS.

If you changed the default configuration from HTTPS to HTTP, and then decide you want HTTPS again, you can configure HTTPS using the following procedures.

  1. Click System management on the toolbar to open the System management page.
  2. Click the task Configure UI connection near the bottom of the page to open the Configure UI connection page.
  3. On the General tab, select UI connections made via HTTPS. Port 6443 is displayed by default; however, you can change the number as your situation requires.
  4. Optionally, select the Override SSL and TLS cipher suites option to override the cipher suites. With this option selected, use the Add and Remove buttons to specify the cipher suites that are supported for the embedded server. If none are selected, all cipher suites are supported by default. The default is less secure than specifying only certain cipher suites.
     The default order in the Available column is the preferred order of use. Once ciphers are moved to the Selected column, you can arrange the order. Activator uses the ciphers in the order they are listed.
     Ciphers provide varying levels of security. Some provide the highest levels of security, but require a large amount of computation for encryption and decryption. Others are less secure, but provide rapid encryption and decryption. The length of the key used for encryption affects the level of security. The longer the key, the more secure the data.
     Use the override option to select the level of security that suits your needs and enables communicating with others who might have different security requirements. For example, when an SSL connection is established, the client and server exchange information about the cipher suites they have in common. Then they communicate using the common cipher suite that offers the highest level of security. If they do not have a cipher suite in common, secure communication is not possible.
  5. Click Save.
  6. Select the Personal certificates tab and click Add a certificate to open the certificate wizard.
     You can add a self-signed certificate or replace it with a CA-issued certificate. The certificate has a public-private key pair. The certificate is used to secure connections between browsers and the server.
     If you choose to add a self-signed certificate, you can accept all default values in the certificate wizard.
     The steps for adding a server certificate are the same as adding a certificate for a community. See Add a certificate for more information.
  7. After you add a certificate, the General tab displays again.
  8. Select the Personal certificates tab again. The certificate you added in an earlier step is listed. You can click the certificate’s name to display details.
  9. If there is more than one certificate, select the certificate you want as the default and click Save.
  10. On the General tab, check again that UI connections made via HTTPS is selected.
  11. If you are configuring HTTPS and selected Require client authentication, select the Trusted roots certificates tab and add a trusted root certificate.
      With this option, the server requires the user's browser to send a certificate back to the HTTPS server. The HTTPS server must trust the certificate returned by the browser client. If a browser user has a CA-issued certificate for authentication, you must at least trust the root CA certificates. If a browser user has a self-signed certificate, the user must export the certificate and public key to a file and give you the file. You then must import the certificate file.
  12. Restart the server to complete the configuration.
  13. Inform users of the URL needed to connect from a browser to the user interface. If you use the suggested port of 6443, the URL is:
      https://<host>:6443/ui
      Where <host> is the fully-qualified domain name or IP address of the computer running the server.
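The cipher suite step above says that leaving the list unrestricted is less secure than selecting specific suites in a chosen order. The following added example (not Axway code) shows one way an administrator could derive such an ordered allow-list from the suites the local OpenSSL build offers, and then confirm what a running UI port actually negotiates. The weakness markers, the ranking and the sample suite list are this example's own constructed policy; the host name on the command line is a placeholder.

```python
"""Derive an ordered cipher-suite allow-list and check what the UI port negotiates.

Added example, not Axway code. It mirrors the Override SSL and TLS cipher suites
option: from the suites available to this OpenSSL build it drops suites with known
weaknesses, orders the rest strongest first (the order the server would use them in),
and can connect to a running UI port to confirm the negotiated suite is on the list.
"""
import socket
import ssl

# Name fragments that disqualify a suite for the UI port (constructed policy).
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH", "PSK", "SRP")

# Constructed sample input, in the shape ssl.SSLContext.get_ciphers() reports names.
SAMPLE_AVAILABLE = [
    "ECDHE-RSA-AES128-SHA", "AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "DES-CBC3-SHA", "RC4-SHA", "TLS_AES_256_GCM_SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
]


def _rank(name: str) -> int:
    """Higher score = preferred. Forward secrecy and AEAD ciphers rank first."""
    score = 0
    if name.startswith("TLS_"):
        score += 200  # TLS 1.3 suite: always forward secret and AEAD
    elif "ECDHE" in name or name.startswith("DHE"):
        score += 100  # ephemeral (EC)DH key exchange: forward secrecy
    if "GCM" in name or "CHACHA20" in name:
        score += 50   # AEAD cipher, no CBC padding-oracle class of bugs
    if "256" in name:
        score += 10   # prefer the larger key size when otherwise equal
    return score


def select_cipher_suites(available):
    """Return the suites from `available` that pass the policy, strongest first."""
    allowed = [c for c in available if not any(m in c for m in WEAK_MARKERS)]
    # sorted() is stable, so suites of equal rank keep the library's own order
    return sorted(allowed, key=_rank, reverse=True)


def local_available_suites():
    """Names offered by this Python/OpenSSL build, in the library's default order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers()]


def negotiated_suite(host, port=6443, timeout=5.0):
    """Connect to the HTTPS UI port and report the negotiated suite and protocol.

    If the chain does not verify (for example the self-signed certificate that is
    generated at start-up), the result records verified=False instead of hiding it.
    """
    ctx = ssl.create_default_context()
    verified = True
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLCertVerificationError:
        verified = False
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = socket.create_connection((host, port), timeout=timeout)
        tls = ctx.wrap_socket(sock, server_hostname=host)
    with tls:
        return {"cipher": tls.cipher()[0], "version": tls.version(), "verified": verified}


if __name__ == "__main__":
    import sys
    policy = select_cipher_suites(local_available_suites())
    print("Suites to move to the Selected column, in order:")
    for name in policy:
        print("  ", name)
    if len(sys.argv) > 1:  # optional: python3 cipher_policy.py <activator-host>
        result = negotiated_suite(sys.argv[1])
        print("Negotiated:", result)
        if result["cipher"] not in policy:
            print("WARNING: server negotiated a suite outside the allow-list")
```

Run it without arguments to print the candidate list to enter in the Selected column; pass the Activator host name to check the negotiated suite after the restart. A `verified: False` result is the expected sign that the start-up self-signed certificate is still in place.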

Switch HTTPS off and on

Once connections via HTTP or HTTPS have been added, you can return to the Configure UI connection page and select to allow browser connections via both HTTP and HTTPS, or HTTP only.

If you change the configuration, click Save. You must also restart the server.

Configure SSO SAML

This topic describes SSO configuration in the Activator user interface. The SSO connection is always secured (HTTPS). The cipher settings that are configured for HTTPS apply when a user attempts to connect via the SSO port. See Configure HTTPS.

For general information about the SSO functionality, see Single sign-on.

For an example of a configuration of Activator with an IdP, see Example SSO IdP configuration.

SSO SAML configuration prerequisites

General prerequisite:

  • A SAML Identity Provider (IdP) must be installed and running on your network.

To complete the configuration of the Identity Provider application:

  • The public certificate from the Service Provider (Activator) for validating the signature of the SAML Requests. This is the certificate that has been added to the Identity provider certificates tab of the Configure UI connection page and has been selected as the signing certificate in the SSO SAML Configuration Details page.
  • The Activator assertion consumer URL:
    https://<interchange>/ui/core/SsoSamlAssertionConsumer
  • The Interchange Metadata URL (optional):
    https://<interchange>/ui/core/SamlSsoMetadata
    This URL is useful if the Identity Provider implements the usage of Metadata Profiles.
  • The Interchange Logout Service endpoint URL (optional):
    https://<interchange>/ui/core/SsoSamlLogoutRequest
    Required only if SLO is supported and implemented by the IdP.
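The items in the list above are exactly what a SAML 2.0 service-provider metadata document carries, which is why the Metadata URL can replace hand-entry at the IdP. The following added example (not Axway code, and not the document Activator serves at /ui/core/SamlSsoMetadata) builds a standard SP metadata document from those endpoint paths and reads the endpoints back out, so an administrator can compare it against the real metadata or provision an IdP that has no metadata import. The entity ID, the host and port in `base_url`, and the certificate text are placeholders.

```python
"""Build and read SAML 2.0 SP metadata for the endpoints an IdP needs.

Added example, not Axway code. The endpoint paths are the ones the configuration
page lists; everything else (entity ID, host, certificate) is a placeholder.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def build_sp_metadata(entity_id, base_url, signing_cert_b64, requested_attrs):
    """Return unsigned SP metadata XML for an Activator-style service provider.

    base_url is scheme, host and SAML port, e.g. https://<interchange>:6643 (placeholder).
    """
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration=PROTOCOL,
                       AuthnRequestsSigned="true", WantAssertionsSigned="true")
    # The SP's public signing certificate: the IdP uses it to validate the
    # signature on AuthnRequests and on logout requests/responses from the SP.
    key = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(key, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    # Single logout: both bindings point at the SP's logout endpoint.
    for binding in (HTTP_POST, HTTP_REDIRECT):
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=binding,
                      Location=f"{base_url}/ui/core/SsoSamlLogoutRequest")
    # Where the IdP posts the SAML Response carrying the assertion.
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=HTTP_POST,
                  Location=f"{base_url}/ui/core/SsoSamlAssertionConsumer",
                  index="0", isDefault="true")
    # Attribute names the SP expects in the assertion (the "requested attribute names").
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", index="0")
    ET.SubElement(acs, f"{{{MD}}}ServiceName", {XML_LANG: "en"}).text = "Activator UI"
    for name in requested_attrs:
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", Name=name)
    return ET.tostring(ed, encoding="unicode")


def read_sp_metadata(xml_text):
    """Extract the values an IdP administrator must enter when provisioning the SP."""
    root = ET.fromstring(xml_text)
    ns = {"md": MD, "ds": DS}
    sp = root.find("md:SPSSODescriptor", ns)
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": [c.text for c in sp.findall(cert_path, ns)],
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:AssertionConsumerService", ns)],
        "slo": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:SingleLogoutService", ns)],
        "requested_attributes": [a.get("Name") for a in
                                 sp.findall("md:AttributeConsumingService/md:RequestedAttribute", ns)],
    }


if __name__ == "__main__":
    doc = build_sp_metadata("https://activator.example.test/sp",      # placeholder entity ID
                            "https://activator.example.test:6643",    # placeholder host:port
                            "PLACEHOLDER_BASE64_CERT",
                            ["urn:oid:0.9.2342.19200300.100.1.3"])    # mail attribute OID
    print(doc)
    print(read_sp_metadata(doc))
```

`read_sp_metadata` is also what you would point at the real Metadata URL output to confirm that the signing certificate the IdP holds is the one selected on the SSO SAML configuration details page.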

To configure Activator:

  • A private certificate to decrypt assertions from the IdP
  • The public certificate from the IdP for validating the signature of the SAML Response and/or the signature of the assertions
  • The HTTP POST SSO Binding URL to the IdP
  • The signing algorithm the IdP will use (SHA1 or SHA256)

To configure Single Log Out (SP or IdP initiated) in Activator, you must provide the following IdP URLs:

  • HTTP Redirect Single Logout Service Response endpoint URL (IdP-initiated logout)
  • HTTP POST Binding Single Logout Service endpoint URL (SP-initiated logout)
  • HTTP POST Single Logout Service endpoint Response URL (IdP-initiated logout)
  • Logout redirect URL. Users are navigated to this URL after initiating the logout.
  • For more information on HTTP-Redirect and HTTP-POST binding configuration, see SSO SAML configuration fields and options.

To enable the SSO SAML connection in Activator

  1. Make sure that HTTPS is enabled. See Configure HTTPS.
  2. Select the option UI connections via SSO with SAML HTTP Post Binding over HTTPS.
  3. Accept the default HTTPS SAML Port (6643) or enter an alternative port number.
  4. Click SAML Configuration to open the SSO SAML configuration details page.
  5. Complete the tabs and fields, described below.
  6. Click Save.
  7. Restart Activator.

SSO SAML configuration fields and options

The SSO SAML configuration details page displays the following tabs, fields, and options.

General Configuration tab

Identity Provider section

  • Identity provider HTTP POST URL – The URL for sending identification requests to the IdP.
  • Single logout service – (Optional) Single logout provides for the simultaneous termination of all user sessions for the browser that initiated the logout. Closing all user sessions prevents unauthorized users from gaining access to resources at the SPs. Activator supports both HTTP-Redirect and HTTP-POST binding for single logout.
    • Response location (HTTP-Redirect) – Specify the IdP’s Single Logout Service endpoint URL. This is the URL where the IdP receives the LogoutResponse in the case of an IdP-initiated logout with HTTP.
    • Location (HTTP-POST) – Specify the IdP’s Single Logout Service endpoint URL. This is the URL for sending LogoutRequests in the case of an SP-initiated logout with HTTP POST binding.
    • Response location (HTTP-POST) – Specify the IdP’s Single Logout Service endpoint URL. This is the URL where the IdP receives the LogoutResponse in the case of an IdP-initiated logout with HTTP POST binding.
  • Identity provider certificate – Specify the public certificate from the IdP used to validate the signature of the SAML Response and/or the signature of the assertions. Items in the drop-down list are the certificates previously added to the Identity provider certificates tab of the Configure UI connection page.

Service Provider section

  • Service provider – Activator ID for communications with the IdP.
  • Metadata URL – (text display) The URL that is displayed exposes the following Activator configuration settings. You can use the metadata configuration information to provision the IdP environment to provide Single Logout Service:
    • SSO Service Provider certificate used by Activator to sign log-off requests and responses to the IdP.
    • Single Logout Service for HTTP-POST binding, where the IdP sends the LogoutRequest and LogoutResponse to Activator.
    • Single Logout Service for HTTP-Redirect binding, where the IdP sends the LogoutRequest and LogoutResponse to Activator.
    • Assertion Consumer Service HTTP-POST binding for the Activator endpoint that consumes assertions.
    • Assertion Consuming Service requested attribute names.
  • Assertion Consumer Service – (text display) The Activator endpoint URL for consuming assertions.
  • Single logout service
    • Location (HTTP - Redirect/HTTP - POST) – (text display) The Activator Single Logout Service endpoint. This is where the IdP sends the LogoutRequest to Activator.
    • Response location (HTTP - Redirect/HTTP - POST) – (text display) This field displays the SP’s Single Logout Service endpoint. This is where the IdP sends the LogoutResponse to Interchange.
  • Logout redirect URL – The URL of the IdP logout page.
  • Service provider certificate – Activator certificate (select from drop-down list). Activator uses this certificate to sign the authentication requests sent to the Identity Provider. The drop-down list displays certificates that have been previously added to the Identity provider certificates tab of the Configure UI connection page.
  • Signing algorithm for login and logout – Select either SHA1 or SHA256.
  • Sign authentication requests sent to Identity Provider – Select this option if the IdP requires signing of authentication requests.
  • Reject responses with assertions that are not encrypted – Select this option to require encryption of responses from the IdP.

User Attributes tab

Use the radio buttons on this tab to define how Activator obtains user attributes from the Identity Provider. Activator compares the values that it retrieves to its defined users.

Select an assertion option for each of the following user attributes:

  • User ID
  • Username
  • User email

The assertion options are for these user attributes:

  • Assertion from subject identifier
  • Assertion from assertion attribute

Activator receives the SAML subject identifier with the specified assertion subject identifier or assertion attributes from the Identity Provider. The Service Provider uses the assertion subject identifier or another assertion attribute to retrieve the user identifier.

Roles Mapping tab

Every attribute has its own unique representation in a SAML attribute assertion, to ensure that there are no misinterpretations or communication failures. SAML exchanges rely on consistent attribute naming to deliver information about users in a mutually understood way between the IdP and the SP.

Use the mapping wizard, available on this tab, to map predefined Activator roles to the roles defined in the Identity Provider. This is how you align the roles and permissions that you create in Activator with the SAML assertion attributes.

Procedure:

  1. On the Roles Mapping tab, click Add a new role mapping to open the Map SSO roles wizard.
  2. Complete the fields:
    • Role name – From the drop-down list, select the name of the Activator role you want to map to a SAML assertion attribute.
    • Mapped to SAML Assertion attribute – Complete the fields to fully identify the assertion attribute to be mapped to the selected Activator role:
      • Name
      • Friendly name
      • Value
  3. Click Finish.
  4. Repeat the steps for each role you want to map.
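The User Attributes tab and the Roles Mapping tab above describe two lookups over the same assertion: where each user attribute comes from (the subject identifier or a named assertion attribute) and which Activator roles a mapping entry (Name, Friendly name, Value) grants. The following added example (not Axway code) implements both over a constructed assertion so the matching rules can be seen on concrete data. The assertion, the attribute names, the role names and the mapping entries are all placeholders, and it assumes the SP has already validated the assertion's signature against the IdP certificate before any of this runs.

```python
"""Resolve user attributes and map roles from a SAML assertion.

Added example, not Axway code. Signature validation is assumed to have been done
against the Identity provider certificate before the assertion reaches this code.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed assertion; Signature element omitted (see module docstring).
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML}" ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.example.test/claims/groups" FriendlyName="groups">
      <saml:AttributeValue>b2b-operators</saml:AttributeValue>
      <saml:AttributeValue>all-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Return (subject NameID, {attribute Name: (FriendlyName, [values])})."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = (a.get("FriendlyName"), values)
    return name_id, attrs


def resolve_user(name_id, attrs, config):
    """Apply the User Attributes choices for user_id / username / email.

    config maps each field to ("subject", None) for "Assertion from subject
    identifier" or ("attribute", <Name>) for "Assertion from assertion attribute".
    A missing attribute resolves to None so the caller can reject the login.
    """
    out = {}
    for field, (source, attr_name) in config.items():
        if source == "subject":
            out[field] = name_id
        else:
            _friendly, values = attrs.get(attr_name, (None, []))
            out[field] = values[0] if values else None
    return out


def map_roles(attrs, mappings):
    """Return the set of roles whose mapping entry matches an assertion attribute.

    A mapping matches when Name is equal, Friendly name (if given) is equal, and
    Value is one of the attribute's values. Comparison is exact and case-sensitive:
    IdP and SP must agree on attribute naming for the mapping to be meaningful.
    """
    granted = set()
    for m in mappings:
        if m["name"] not in attrs:
            continue
        friendly, values = attrs[m["name"]]
        if m.get("friendly_name") and m["friendly_name"] != friendly:
            continue
        if m["value"] in values:
            granted.add(m["role"])
    return granted


# Placeholder entries, as they would be typed into the Map SSO roles wizard.
ROLE_MAPPINGS = [
    {"role": "Operator", "name": "http://schemas.example.test/claims/groups",
     "friendly_name": "groups", "value": "b2b-operators"},
    {"role": "Administrator", "name": "http://schemas.example.test/claims/groups",
     "friendly_name": "groups", "value": "b2b-admins"},
]
USER_ATTRIBUTE_CONFIG = {
    "user_id": ("subject", None),
    "username": ("subject", None),
    "email": ("attribute", "urn:oid:0.9.2342.19200300.100.1.3"),
}

if __name__ == "__main__":
    nid, attributes = parse_assertion(SAMPLE_ASSERTION)
    print(resolve_user(nid, attributes, USER_ATTRIBUTE_CONFIG))
    print(sorted(map_roles(attributes, ROLE_MAPPINGS)))
```

With the sample data only the Operator mapping matches: the groups attribute carries b2b-operators but not b2b-admins. A mapping whose Friendly name disagrees with the assertion grants nothing even when Name and Value match, which is the naming consistency the Roles Mapping tab text refers to.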

Manage IdP certificates

For an example of a configuration of Activator with an IdP, see Example SSO IdP configuration.

Use the Identity provider certificates tab of the Configure UI connection page to manage the certificates that Activator uses to sign the SAML messages that are sent from Activator to the IdP. On this tab, you can perform the following procedures:

  • Import an IdP certificate to use for signing the SAML messages sent to the IdP.
  • Remove IdP certificates, for example, if the certificate is not in use or is disabled.

Import an IdP certificate

Prerequisite:

You must first obtain the public certificate from the IdP for validating the signature of the SAML Response and/or the signature of the assertions.

Procedure:

  1. On the Configure UI connection page, select the Identity provider certificates tab.
  2. From the Related tasks list, click Add an identity provider certificate to open the Add a certificate wizard.
  3. On the Add a certificate page of the wizard, select Import a certificate from a file, and click Next.
  4. On the Locate the certificate file page of the wizard, use the Browse... tool to select the certificate file to use.
  5. Click Next to view the certificate details.
  6. Optionally enter a meaningful name in the certificate Name field. This name can help you tell one certificate from another.
  7. Click Finish to import the certificate.

Delete an IdP certificate

  1. On the Configure UI connection page, select the Identity provider certificates tab.
  2. From the list of certificates, on the line of the certificate you want to remove, click Delete.

Control the IdP session validation behavior

The System properties page enables system administrators to configure a number of Activator trading engine parameters. One of the tunable properties on this page is:

sso.saml.reauthenticateOnSessionTimeout

If the property is set to "true" (the default):

As long as the IdP session is valid, the session of the Activator user is refreshed and kept valid as well.

If the property is set to "false":

When the Activator user session expires, Activator forces a logout of the user to invalidate both the Activator and IdP user sessions.

Caution: Incorrectly modifying values on this page can severely degrade product behavior. Do not modify values on this page without explicit guidance from Axway support.

To access the System Properties page, point your browser to https://<hostname>:6443/ui/core/SystemProperties.
